Along with Black Friday and Cyber Monday, fraud peaks between Christmas and New Year's Eve, the time when shoppers are most actively making purchases on a variety of devices. For hackers, this is an opportunity for their illicit activities to be lost in the volume of transactions.
In response, merchants have improved communicating with customers about the higher risk of fraud, providing concise aftercare, and having a business continually plan. These public-facing strategies, while important, pale in need to build up defenses behind the scene for evolving threats.
Ryan Wilk, fraud expert and director of customer success at NuData Security, says traditional credit card fraud that customers are familiar with, and which merchants have become better at thwarting, is much less valuable to hackers these days. Instead, more sophisticated attacks have taken off in the last year, and spike accordingly during the holidays. Sophisticated attacks are focused on account takeovers -- acquiring usernames, passwords, and other credentials that, given user tendencies to reuse logins on multiple sites, give access to many more accounts. From inside an email, a hacker can unlock a universe of passwords.
While a customer can grasp stolen card information, it is significantly harder to explain why they may now want to change their email address.
In a recent report by NuData, it was determined sophisticated takeover fraud is predominantly originating from outside the US with fraudsters likely purchasing lists of stolen username and passwords from data breaches. More importantly, over 90% of fraudulent logins with those credentials are scripted. This indicates criminals are developing organized programs in order to quickly and efficiently take action.
Scripted login attempts come down on ecommerce organizations swiftly and typically in high volume, marking it difficult to protect and detect in a timely manner. So how do you build up defenses when legitimate customers are being used to attack? And how do you heighten security without impacting interaction with the business?
According to Matthew Reeves, marketing director for NuData, the important thing is the way people are looking across the user base side by side. So when fraudsters try to log in with "Pass1" across all emails, you can pick up these events in parallel. When security picks up on clusters on fraud events they can attack at source rather than respond to individual risks. "Fraud detection is going to become increasingly about looking for scripts and bots in automation," adds Reeves. "Building that detection across every user at the same time will be a powerful measure to really find out if a human or script is at play."
Wilk adds that NuData is working with a number of large, global firms interested in incorporating behavioral DNA into their security. This means capturing the micro data in the path users take to checkout, the speed in which they clicked through pages, scrolled, even the cadence of typing in search fields. Understanding how users are interacting with the touch points of a websites with biometric information helps build a profile that can be measured against a script. "Behavioral analysis serves as a means of understanding how legitimate users truly act without interrupting their experience, thereby predicting and preventing fraud from occurring," wrote NuData in a communication on recent hacking trends.
For example, it's unlikely that multiple accounts set up in short period with the exact same behavioral DNA are legitimate -- it is indicative of a script to automate the process. Similarly, logins and purchasing transactions that follow the same transactional behavior are probably scripted. If multiple, perhaps thousands, of accounts are exhibiting the same, perhaps surprisingly efficient but otherwise innocent behavioral DNA, security can flag the accounts as suspicious and request further account validation.
"Fraud is very focused and goes right to checkout," says Reeves. "If you can look at path beforehand, ideally across users, you'll start seeing repeated pattern and that's the same thing. Browsing will expose massive attacks."
"Know who your users are so their passwords are less valuable," adds Wilk. "And decide before a transaction takes place if this looks like the correct user."
Location is less relevant
Reeves also wants merchants to acknowledge that some of the more traditional measures for detecting fraud are becoming irrelevant, including flags on location. This is being completely devalued not just because hackers can anonymize the location of their servers so easily, but because global transactions are more common and expected to rise. "Ten years ago if someone tried to buy from another country that was a flag, but that's getting harder because people do travel. Growing international commerce is going to make this more common."