The move by retailers to online and mobile selling to survive the pandemic has resulted in a significant increase in digital fraud activity.
The “2020 True Cost of Fraud Study: E-commerce/Retail Edition” by LexisNexis Risk Solutions found this to be partly because some fraud control systems are outdated and partly because of increased transaction volume.
Successful monthly fraud attempts increased on average by up to 48 percent for mid-sized and large e-tailers in the United States and 27 percent for smaller ones, the study found.
“In most cases, the security frameworks have already been established, due in part to regulatory compliance requirements,” Matt Keil, director of product marketing at Cequence Security, told the E-Commerce Times. “What has changed due to the pandemic is the volume of traffic — which has increased — and the speed of innovation.”
Existing fraud control systems that physically verify a customer’s credit or debit card cannot cope with sophisticated new techniques, which include the creation of fake identities and attacks from globally organized and connected fraud networks sharing stolen identity information.
Additionally, consumer demand for fast online and mobile transactions makes authentication more difficult.
Businesses operating during the pandemic that had higher mobile purchase transactions with in-store pickup experienced more fraud volume and higher fraud costs because they had to rely on store employees for identity authentication — rather than solutions designed to detect mobile fraud, according to the study.
LexisNexis Risk Solutions surveyed 800 risk and fraud executives at retail and e-commerce firms in the United States and Canada, from February to April, for this study.
A botnet is a collection of devices connected to the Internet — PCs, servers, mobile devices — that are infected and controlled by malware to send email spam, engage in click fraud campaigns, and launch other types of attacks on the victim’s computer systems.
Mobile botnet attacks have increased because more people are shopping over mobile devices, and retailers are finding it difficult to distinguish between legitimate customers and botnets, LexisNexis Risk Solutions found.
Bot traffic “mimics people and tests user name/password combinations and credit card information on sites in a highly automated fashion,” Ameet Naik, security evangelist at PerimeterX, told the E-Commerce Times.
PerimeterX detects and protects against automated bot attacks in both mobile and Web applications.
“People used to worry about skimmers stealing information at an ATM or gas station pay point, and now that can happen any time you do business online.”
Approximately 58 percent of bot attacks on e-commerce sites are highly sophisticated, distributed, mutating bots, according to cybersecurity firm Radware.
How to Best Improve M-Commerce Security
Retailers “need to focus more on the application programming interfaces (APIs) that retailers are using to add elements like pickup and delivery, which may not have existed before,” Cequence’s Keil said.
An API is a computing interface that defines interactions between different kinds of software — what kind of calls or requests they can make, how to make them, what data they can use, and what conventions to follow, for example. It can be used to extend software’s existing functionality.
Mobile applications rely heavily on APIs to feed the same backend systems that support the Web applications, he noted.
“Attackers deconstruct the mobile app, then use automation to attack it,” Keil pointed out. “APIs are stateless and can include the entire transaction, making protection difficult.”
Rapidly deployed APIs that may not have followed the normal development, quality assurance, and publication process are targeted, said Keil.
Targeting mobile APIs is to be expected because that’s where e-commerce traffic is growing the fastest, PerimeterX’s Naik said. Attacking mobile APIs is simple and can leverage the same infrastructure and attack mechanisms as attacking direct APIs and Web APIs, he observed.
Protecting Retail Sites
Best practices for retailers would be “looking at the full consumer experience and applying risk-based multi-layered fraud controls to the appropriate step in order to reduce risk and fraud,” Chris Schnieper, director, fraud & identity at LexisNexis Risk Solutions, told the E-Commerce Times.
Layered security uses several components to protect a network’s security, with multiple levels of security measures, to ensure that every individual defense component has a backup covering flaws or gaps in other defenses. Think of it as Roman soldiers locking their shields when standing in battle formation.
Such controls include velocity checks and real-time scoring at the front end to determine the risk of the transaction; digital identity and behavioral biometrics to assess the customer browsing period; and additional authentication checks upon checkout or authorization.
Velocity checks look for fraud patterns within a specified period of time, such as heavy use of a credit card. For example, when fraudsters quickly make a number of purchases to max out a stolen credit card once they succeed with their first purchase.
Fraud scoring looks at each individual component of a credit card transaction to determine the probability that the transaction is unauthorized, fraudulent or comes from a stolen credit card or credit card number. This includes using an address verification service and the CVV2 — the three or four-digit number printed on the front or back of the card.
Your digital identity is based on the Web browser you use, your Web history, installed plugins, and information about your behavior online. Tracking that identity is one reason businesses install tracking cookies on the browsers of visitors to their websites.
Behavioral biometrics look at how people do what they do. That includes how people scroll or toggle between phones, how they type, and what they do when they visit a website.
Account Takeover Attacks
For example, website visitors who go straight to a login page without clicking on any other links or scrolling around the site are likely to be bots executing an account takeover (ATO) attack, Naik warned.
In an ATO attack, hackers use stolen personally identifying information, such as someone’s name, credit card number, street address, and/or social security number, to gain access to an online account.
“Investments in digital identity, behavioral biometrics, and other authentication tools are investments in e-commerce, and retailers can make to keep the total cost of fraud low in the long run,” Schnieper said.
Over half of the midsized to large merchants selling digital goods that responded to the LexisNexis Risk Solutions survey say they have fully implemented a layered approach that integrates cybersecurity, the digital customer experience, and fraud prevention efforts. Those selling only physical goods lag behind.
“Consider adopting automated Web application protection technologies that can leverage sophisticated machine learning engines to spot emergent anomalies in real-time and that block malicious visitors from scraping or attempting account takeover attacks,” Naik advised.
“Now is the time to be more vigilant than ever since, along with traffic spikes, Web attacks are on the rise.”