Ryan Wilk, director of Customer Success, NuData Security
– Ryan Wilk, director of Customer Success, NuData Security, says:
E-commerce is on the rise worldwide, and mobile seems to be the method of choice. According to a forecast from Goldman Sachs, global e-commerce sales made via mobile devices are expected to top $638 billion in 2018. To put that in perspective, that figure was approximately the entire size of the world’s e-commerce market in 2013. And just in time for the holidays, Deloitte projects that online sales and mail orders will increase at least 13.5 percent this year, far more than the 4 percent to 4.5 percent growth expected for all retail sales during the season.
At the same time, online fraud and identity theft are soaring. In fact, identity theft is the fastest-growing type of crime. Despite this ever-growing threat, online merchants are not keeping pace in terms of their security measures. The detection of online fraud must undergo significant change if retailers hope to keep themselves and their customers safe.
Looking Back Instead of Looking Forward
Most e-commerce merchants are reacting to fraud threats rather than being proactive because they typically stack their fraud tools after the transaction. Only at the point of purchase is some type of fraud review preformed. This comes in the form of watching data points around the transaction, looking at PII (personally identifiable information) and crosschecking with PCI (payment card industry) data. Most e-commerce merchants today are looking at a device profiling data point, whether it is a device ID or a set of data points pulled from the browser that the device is connected to. Then, those data points are run through various modeling techniques, a score is received and a decision is made whether a transaction receives approval, review or rejection. The problem with this method is that it is not comprehensive: it takes a one-time snapshot at the end of a customer’s site visit, when the transaction takes place. Merchants are missing what is going on before the transaction occurred, so they don’t see the full session lifecycle. They also don’t see horizontally or vertically, through various identity libraries, how that customer acts over time.
It has been a best practice to use the credit card’s CVV code as a security measure at the point of purchase. However, as the e-commerce world perpetually seeks to remove customer friction, increase conversion flow, eliminate abandonment and entice further transactions, merchants chalk up fraud as an acceptable loss. Humans tend to take the path of least resistance, so if there is a barrier to completing the transaction—having to provide the CVV code, or otherwise—merchants worry that consumers may not complete the purchase. Removing the CVV security requirement makes it easier to transact online, but it also removes a warranted security measure. To provide an experience that is hassle- free for customers and doesn’t eliminate any potential transactions for merchants, e-commerce organizations need to find security controls that can run invisibly and effectively. In other words, merchants could be making use of a wealth of data to detect and prevent fraud, containing data points created by behavior activity prior to the point of purchase.
Looking Forward, Backward and Everywhere: Online Fraud Protection
To eliminate disruption in business operations, leakage of confidential data, damage to reputation, loss of revenue and customers, online fraud detection (OFD) and prevention help e-commerce merchants predict and prevent fraud and malicious behavior that occurs over the Web. This is performed by running background processes that analyze attributes like user behavior, site navigation, geolocation, device characteristics and transaction activity to determine the likelihood of a user being legitimate or fraudulent. Merchants are then able to compare this data against expected behavior with the help of machine learning or statistical algorithms, or rules that define “abnormal” behavior and activities.
Any system that wants to be a valid solution to a merchant needs to essentially be non-intrusive. In today’s world, a typical OFD implementation is completely seamless to the user. Rather than viewing a customer interaction as just a single snapshot, as happens with point-of-purchase fraud detection, OFD provides a high-definition movie, a fuller story of visitor behavior from beginning to end.
Knowing all of the touch points before the transaction is what differentiates OFD from other security measures. Did users log in properly? When did they register for their accounts? How did they register for their accounts? How did they interact with the site beforehand? If they were first-time users, did their transactions look like the traditional good behavior of how the website is used? Or, by the time they got to the transaction, did they do a number of things that were unusual? Was the account created in Vietnam and now the transaction is coming from Pennsylvania? For a return user, what times of day does the person typically use the site? What device do they traditionally log in from?
Merchants can determine typical user behavior by analyzing the data gathered from all of these touch points. If they see activity that is very different from the norm, merchants may be able to determine when an account takeover is happening and can hinder the transaction before checkout occurs. This data is particularly helpful when all the other data points around this transaction look like good data points; the transaction probably would have gone through without having this full view beforehand.
Analysis of overall good user behavior is extremely helpful, in addition to the behavioral profiling of individual users. An OFD approach should monitor user behavior prior to the login and registration, carrying on through when details of an account might be modified, to when a user would come back to see if the product could be retrieved. All those data points are examined to create correlations on how the users are interacting: does this user’s behavior match a previous behavior, or does something in this behavior not look right? This collective data helps merchants know what good user behavior looks like so that they can more easily spot fraudsters.
An All-Around Approach
Online fraud and identity theft are highly lucrative and require little effort for those in the know, which means that they are certainly here to stay. Online merchants need to constantly guard themselves and their customers from this malicious activity while offering an easy, enjoyable shopping experience. Some merchants have taken up the practice of not asking for CVV codes or not implementing other security measures, potentially putting everyone at risk in an effort to make more sales. However, this kind of risky behavior is not necessary thanks to the arrival of robust online fraud detection. OFD’s behavioral analysis and user profiles enable merchants to offer both better protection and a better purchasing journey.