As EMV is implemented worldwide, fraudsters are finding credit card fraud more difficult, so many are moving on to the more lucrative account takeover. In this version of identity theft, a fraudster gains unauthorized access to a customer’s account (ranging from banking and brokerage accounts to social media and store loyalty accounts), often through a data breach, malware or phishing. The fraudster then updates the account’s contact information so the victim no longer has control over the account. Often, the victim is unaware their account has been compromised.
This type of fraud is far more common than you’d think. Account takeover fraud was up 280% in 2015 and is expected to keep rising. Why the increase? Credentials are far more valuable to fraudsters than credit card data: Fresh credit card numbers may sell for $2 (while older numbers sell for just 50 cents), while login credentials can fetch more than $1,000 on the dark web.
Businesses that sell subscriptions often find themselves at particularly high risk of account takeover. In these scenarios, merchants often become complacent because they have already established a relationship with the customer; as a result, if the customer becomes a victim of fraud, multiple fraudulent transactions can potentially be approved before the merchant realizes what has happened.
Arbitration occurs when an unbiased third party resolves a dispute between two parties outside litigation by hearing their evidence and testimony and making a ruling.
E-commerce merchants increasingly use online dispute resolution, a form of arbitration, to resolve problems with a transaction. PayPal, for example, has a Resolution Center in which PayPal researches a transaction based on the evidence provided by the buyer and the seller and makes a ruling in favor of one party.
Artificial intelligence (AI) – also called advanced machine learning – is everywhere these days, from chatbots to Amazon’s “You Might Like” customer suggestion list. It was one of the top 10 strategic technology trends in 2016 according to Gartner, and few areas have leveraged it as fully as the fraud management industry. It lets even small businesses keep pace with the volume of transactional data coming in and benefit from increased sales, reduced fraud and an improved customer experience.
When it comes to identifying fraudulent transactions, AI takes the available data, identifies trends and patterns to shopping behaviors, and learns how to more accurately separate the good transactions from the bad. While the system isn’t perfect, its accuracy improves as more data is fed back to it.
Authenticator services give an extra layer of protection to customers by confirming a customer’s identity during the log-in or checkout process. Two common ways to do this are:
- Challenge questions. Users may be asked a series of security challenge questions that only they know the answer to. If the challenge questions are correctly answered, users can continue signing in to a site.
- Biometrics. Some technology, like Apple’s iPhone, can be unlocked with a fingerprint. Other businesses may use other physical traits or behaviors that can’t easily be changed or copied, such as a retina scan or keystroke dynamics.
While authenticators may add friction to the customer experience, they can help keep customer accounts from being compromised, even if a hacker knows a password.
Online credit card purchases that are above a merchant-determined dollar threshold aren’t automatically approved. Instead, the merchant must first obtain authorization for the charge and ensure the credit card is approved for use and has sufficient funds for the purchase. This authorization process helps prevent credit card fraud.
The authorization request is sent from the merchant to the merchant’s acquiring bank; the request then goes to the card-issuing bank. If the transaction is approved, the purchase amount is deducted from the cardholder’s account and the customer receives a confirmation for the purchase. It’s a complex process that generally happens in a matter of seconds.
A declined transaction is often due to an AVS mismatch, an invalid CVV, a credit card that’s flagged as stolen or the issuing bank deeming the transaction to be too risky.
Address verification system (AVS) is a fraud filter many merchants use to prevent potentially fraudulent orders from processing. The system checks to ensure that the numerical portions of billing and shipping addresses a customer enters match those on file with the card-issuing bank; if they don’t, the transaction may be either automatically declined or flagged for manual review.
Unfortunately, AVS is one of the biggest reasons legitimate orders are declined. After all, who hasn’t forgotten to update their address after a move or made an online gift purchase during the holiday season and had it shipped directly to the recipient? Incorporating manual reviews of flagged transactions can help reduce the risk of false declines.
Big data refers to the volume of information a business collects and stores each day from a variety of sources, like business transactions, customer data, email correspondence and social media presence. E-commerce merchants can use this data to gain detailed insights into customer behavior and identify business trends.
In 2013, Target used big data to mail a 15-year-old girl pregnancy- and baby-related coupons after she had purchased unscented lotion at the store — a frequent purchase of pregnant women. The purchase behavior told Target something the girl’s family didn’t even know: The girl was indeed pregnant.
Every e-commerce retailer should be analyzing the data they acquire from their business. Not only will it help identify spikes in demand, customer trends and shopping patterns, but it can also help retailers refine their marketing strategies, improve customer service and boost sales.
Botnets, a combination of the words “robot” and “network,” generally refer to a malicious network of internet-connected devices that are used to steal data and compromise other computers and systems. These bots are created when a device is infected by malware, enabling the attacker to take over the device and use it for activities like distributed denial-of-service (DDoS) attacks and emailing spam to thousands of users.
Some fraudsters install spyware on hacked devices to capture sensitive financial data that can be sold on the dark web. E-commerce merchants and larger businesses are frequent targets of these types of attacks; in 2010, a botnet compromised approximately 75,000 personal computers in nearly 2,500 companies and government agencies worldwide. As a result of the malware, hackers gathered user names and passwords for banking and email sites (like Hotmail and Yahoo); they also hacked into corporate servers storing sensitive customer financial data.
Card-Not-Present Fraud/CNP Fraud
A card-not-present (CNP) transaction happens when a customer makes a purchase by mail, by phone or online, where the customer is not physically present to show the credit card at the time of purchase. This payment method is convenient for customers and essential to online retailers — but it’s also vulnerable to fraud.
Cybercriminals steal credit card information — often by skimming or purchasing data on the dark web — and then use this information to make fraudulent purchases. These fraudsters often purchase high-value items, like electronics, to get the most “bang for their buck” before a cardholder realizes their account has been compromised.
The merchant is generally liable for the losses associated with CNP fraud, which includes loss of product, shipping expenses, fees and penalties, and damage to reputation.
Retailers are expected to lose $71 billion globally from CNP transactions over the next five years, due in large part to the transition to chip card (EMV) technology. As the window narrows for fraudsters to commit fraud using the data found on magnetic stripe cards, cybercriminals are flocking to the dark web to purchase stolen data and are looking for new ways to exploit website security vulnerabilities.
Customers making online purchases are often asked for their credit card’s CVV, or card verification value, as a way for e-commerce retailers to verify that customers possess the card they’re using for the purchase.
Although CVVs aren’t required for online transactions, they do provide an extra layer of security for the cardholder and the merchant. These three- or four-digit numbers are printed, not embossed, on the credit card, which means they don’t usually accompany stolen credit card information being sold on the dark web. And with the increased frequency of CNP fraud — projected to top $6.4 billion in 2018 from $3.1 billion in 2015 — merchants should take advantage of every security feature available to them.
When a cardholder identifies a questionable transaction on a credit card statement, the cardholder can file a complaint with the credit card issuer. If the issuer determines the cardholder isn’t responsible for the payment (e.g., if the card has been stolen, or if the goods were never received), the issuer will refund the original transaction amount back to the cardholder. The issuer will then reverse any payment previously made to the merchant and charge the merchant an additional fee.
This payment reversal plus fee is called a chargeback.
Chargebacks can be devastating to merchants: They lose the value of the product; they must spend time, money and effort researching and disputing the chargeback; and then they are hit with fees and penalties. Chargebacks cost merchants nearly $11.2 billion in lost revenue in 2015, and that amount is rising 20% every year.
When a customer opens a chargeback dispute, most acquiring banks immediately return the transaction amount to the customer while the dispute is researched. The bank will also automatically deduct chargeback fees from the merchant’s account.
According to LexisNexis, for every $1 in fraudulent chargeback losses, merchants must spend an additional $2.40 on restocking, replacements and fees. And that includes the chargeback fees assessed by the business’s acquiring bank and the credit card processor, which can exceed $75 per dispute.
While chargebacks were established to protect customers against the losses that arise due to both identity theft and unfair merchant practices, customers are increasingly taking advantage of the loophole that automatically favors customers during a credit card dispute. In these scenarios, the customer files a chargeback on a legitimate transaction so they can keep the product and receive a full refund on the original purchase.
This leaves the merchant on the hook for the lost revenue they would have earned on the sale, plus expensive chargeback fees — not to mention the potential loss of their merchant account if their chargeback ratio is too high.
Unfortunately, 86% of chargebacks are deemed fraudulent. If that weren’t bad enough, 40% of customers who file one fraudulent chargeback file another within 90 days.
For merchants who accept credit cards, chargeback insurance provides a 100% guarantee that protects the merchant in the event the fraud solution partner approves a transaction that turns out to be fraudulent and results in a chargeback. Should this happen, the fraud partner pays the entire cost of the chargeback.
A good chargeback insurance program works just like any other type of insurance by covering the losses the insured party incurs after payment of a nominal premium to the chargeback insurance company.
Chargeback protection generally covers a portion of the losses a business might incur due to fraudulent transactions. Although chargeback protection works to limit fraud losses, it won’t reimburse merchants fully for chargebacks that happen. Instead, merchants receive invoice discounts based on pre-determined KPIs that aren’t met.
Chargeback protection can vary greatly by vendor. Some vendors don’t cover against any losses, leaving merchants responsible for any and all chargebacks and penalties, and instead simply offer tools to help monitor transactions and identify fraud.
Chargeback protection also doesn’t protect against damage to the seller’s reputation or against potential increases in payment processing fees that may occur as a merchant’s chargeback ratio increases.
A merchant’s chargeback ratio is the number of chargebacks compared to overall transactions for a given month. As the number of chargebacks against a retailer rises, so does the ratio.
It’s important to note that each card issuer calculates this ratio slightly differently. Visa, for instance, divides the current month’s number of chargebacks by the current month’s number of transactions. But MasterCard divides the current month’s number of chargebacks by the previous month’s number of transactions.
However, regardless of the issuer, businesses will want to keep their chargeback ratios low — ideally less than 1% of total transactions. A chargeback ratio higher than 1% puts merchants at risk of losing their banking services, higher program fees and a high-risk merchant status. Merchants with exceptionally high chargeback ratios may even lose their processing privileges entirely.
Unfortunately, even chargebacks a merchant wins are still counted against their ratio.
An agency that collects and sells data related to an individual’s creditworthiness is called a credit bureau. While credit bureaus have no direct say in whether a person is extended credit, they collect valuable information that lets creditors decide how creditworthy an individual is.
Because credit bureaus handle such sensitive information, they’re particularly vulnerable to cyberattacks and breaches. In 2017, a security flaw at Equifax resulted in exposing an estimated 143 million Americans’ personal data.
Credit Card Fraud
Types of credit card fraud include identity theft, identity assumption and fraud sprees. Fraudsters may obtain a victim’s credit card data by buying the information on the deep web, by using skimmers at gas station pumps, or through corporate data breaches.
E-commerce has made it even easier for fraudsters to use this stolen data, and the average merchant experiences 206 successful fraudulent transactions monthly, with the average transaction value being $146. The true cost of credit card fraud for merchants is more than just the cost of lost merchandise — it also includes lost profits, bank fees and chargeback costs.
Cryptograms, or puzzles that consist of coded text, started off as simple entertainment in newspapers and magazines. But they’ve also been used to communicate military strategy and help secure credit card transactions.
When consumers use a chip-enabled credit card to make a purchase, the embedded microchip — or microprocessor — automatically encrypts a unique alphanumeric value for each transaction. These dynamic cryptograms improve data integrity and make it difficult for fraudsters to hack and decode credit card data and generate counterfeit cards to be used for in-store transactions.
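A simplified model of why a per-transaction cryptogram defeats copied card data, added here as an illustration and not the EMV specification or any issuer's code: real cards derive per-card keys from an issuer master key and compute a 3DES/AES MAC (the ARQC) over the transaction data, while here HMAC-SHA256 stands in for that MAC, and every key, PAN, counter layout and amount is constructed.

```python
"""Toy model of an EMV-style dynamic cryptogram (illustration only)."""
import hashlib
import hmac
import os


def transaction_bytes(pan, atc, amount_cents, unpredictable_number):
    """Data the cryptogram covers: card number, transaction counter, amount
    and the terminal's fresh random value (layout is constructed)."""
    return (pan.encode() + atc.to_bytes(2, "big")
            + amount_cents.to_bytes(6, "big") + unpredictable_number)


class ChipCard:
    """Card side: a secret that never leaves the chip plus a counter (ATC)."""

    def __init__(self, pan, key):
        self.pan = pan
        self._key = key
        self.atc = 0  # application transaction counter, incremented per use

    def generate_cryptogram(self, amount_cents, unpredictable_number):
        self.atc += 1
        msg = transaction_bytes(self.pan, self.atc, amount_cents, unpredictable_number)
        return self.atc, hmac.new(self._key, msg, hashlib.sha256).digest()[:8]


class Issuer:
    """Issuer side: knows every card's key and the last counter it accepted."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def enroll(self, pan):
        key = os.urandom(16)  # constructed per-card key
        self._keys[pan] = key
        self._last_atc[pan] = 0
        return ChipCard(pan, key)

    def verify(self, pan, atc, amount_cents, unpredictable_number, cryptogram):
        key = self._keys.get(pan)
        if key is None:
            return False
        if atc <= self._last_atc[pan]:
            return False  # counter already consumed: a replayed transaction
        msg = transaction_bytes(pan, atc, amount_cents, unpredictable_number)
        expected = hmac.new(key, msg, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, cryptogram):
            return False  # wrong key, altered data or stale random value
        self._last_atc[pan] = atc
        return True


class Terminal:
    """Point of sale: supplies a fresh unpredictable number per transaction."""

    def __init__(self, issuer):
        self.issuer = issuer

    def purchase(self, card, amount_cents):
        un = os.urandom(4)
        atc, cryptogram = card.generate_cryptogram(amount_cents, un)
        record = {"pan": card.pan, "atc": atc, "amount": amount_cents,
                  "un": un, "cryptogram": cryptogram}
        return self.issuer.verify(card.pan, atc, amount_cents, un, cryptogram), record


def run_scenarios():
    """Two genuine purchases, then a replay and a counterfeit attempt.
    Returns (genuine1, genuine2, replay_accepted, counterfeit_accepted)."""
    issuer = Issuer()
    card = issuer.enroll("4111111111111111")  # constructed test PAN
    pos = Terminal(issuer)
    ok_first, captured = pos.purchase(card, 4999)
    ok_second, _ = pos.purchase(card, 1250)
    # Resubmitting a captured record fails on the counter check.
    replay = issuer.verify(captured["pan"], captured["atc"], captured["amount"],
                           captured["un"], captured["cryptogram"])
    # A copy of the card data holds the PAN and one old cryptogram but not the
    # key, so it cannot answer a new terminal's unpredictable number.
    counterfeit = issuer.verify(captured["pan"], captured["atc"] + 5,
                                captured["amount"], os.urandom(4),
                                captured["cryptogram"])
    return ok_first, ok_second, replay, counterfeit
```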
Card verification values (CVV) are three- to four-digit numbers either on the back or front of credit cards that can help reduce the risk of credit card fraud. These numbers are printed on the card, rather than embossed or stored in the magnetic stripe. As a result, requiring these numbers can minimize card-not-present fraud, since fraudsters will generally need to have the card in hand to have this information.
Requiring a CVV for every purchase can add another layer of security to online transactions. If the number provided by the customer matches what the bank has on file, the transaction can be safely processed. Some credit card issuers will even provide one-time-use CVVs for online purchases, further increasing the security of transactions.
American Express uses a four-digit card identification (CID) code, while MasterCard’s CVC2 and Visa’s CVV2 codes are three digits.
The dark web (also known as the dark net, deep net and deep web) is a hidden part of the World Wide Web that’s not indexed by traditional search engines like Google. Dark web sites use a layered network structure to encrypt web traffic within multiple layers and bounce traffic to random computers worldwide. Each bounce removes a layer of encryption, preventing anyone from matching the traffic’s origin with its destination.
A surprising variety of goods and services are available for purchase on the dark web, like credit card numbers, fake college degrees, contract killers, stolen Social Security numbers and more.
While there are an estimated 1 billion indexed pages on the Internet (based on 2001 research), there are an estimated – and astonishing – 550 billion pages on the dark web.
Data breaches occur when sensitive, protected or confidential data (like banking information, health data, passwords, or credit card information) is accessed or disclosed through unauthorized means.
Breaches can occur through weak passwords, determined hackers, phishing attacks, missing software patches and more. Data breaches don’t have to be big events like 2017’s Equifax breach. They can happen simply as a result of an unauthorized employee watching an authorized employee enter login credentials to a secure site.
U.S. data breaches topped 1,579 in 2017, up a whopping 44.7% over 2016’s record-high number. Businesses top the list (55% of the total breaches) of industries most at risk, with medical/healthcare (23.7%) and banking/credit/financial (8.5%) rounding out the top three.
Deep learning, a collection of machine learning techniques, is a multilayered approach in which human analysts feed a learning algorithm and vast amounts of data to a computer, and the computer then teaches itself how to make decisions about that data.
The result: Deep learning uses an extensive neural network to ask (and answer) questions about the data, extracting numerical features and using the answers to solve problems that require thought and to manage the complexity of classifying datasets.
Amazon uses deep learning today to predict what consumers want to buy (even if the customers don’t yet know it themselves). Google uses it to better understand spoken requests and commands, and Netflix leverages deep learning to suggest what viewers should watch next.
Digital signatures help confer authenticity onto a digital message or a document, giving recipients the confidence that the message was created and sent by a trustworthy sender and was unaltered during transit. E-commerce merchants like online software developers frequently offer digital signatures to reassure customers that executable files or attachments are legitimate and aren’t malware.
These cryptographic authentications are also common in electronic communications in which it’s important to be able to identify tampering (like emails from financial institutions). Digital signatures are legal equivalents to handwritten signatures in the United States and many other countries.
Smartphones can now function as digital (or mobile) wallets — storing or linking information found on such physical cards as medical cards, loyalty cards and credit cards. These digital wallets can even store boarding passes and gift cards, allowing people to carry far more data than they ever could in a physical wallet. And with a simple wave or tap of their phones, customers can complete transactions.
Digital wallets like PayPal, Google Wallet, the Amazon Wallet App and Apple Pay make it easier and faster for customers to make purchases online and at brick-and-mortar locations. Most mobile wallets use advanced encryption technology and passwords to protect against lost phones being fraudulently used for spending sprees.
As of March 2017, 32% of customers have used a digital wallet, with a projected global mobile transaction volume of $721 billion. The two biggest barriers to adoption so far have been that customers find it easier to pay with a physical card (45%) or they don’t believe digital wallet technology is safe (39%).
The Fair Credit Billing Act, created in 1975, established the dispute (or chargeback dispute) process that lets customers question the validity of a transaction that appears on their statement. These disputes may arise due to situations like unauthorized charges, merchandise not received, failure to cancel recurring charges or defective merchandise.
Customers may first contact the merchant directly in an attempt to resolve the dispute. If that fails, customers may file a chargeback with their credit card company to resolve the dispute.
For the 12 months ending Sept. 30, 2012, Visa reviewed approximately $765.9 million in disputed transactions — and 20% of this amount were likely fraudulent disputes, known as chargeback fraud.
Electronic commerce (e-commerce) refers to transactions that occur through an electronic medium between businesses and consumers. In common usage, however, e-commerce generally refers to buying and selling products over the internet and can be divided into three categories:
• Business to business (B2B)
• Business to consumer (B2C)
• Consumer to consumer (C2C)
E-commerce in the United States reached approximately $460 billion in 2017 — and that number is only continuing to grow.
The first e-commerce transaction was said to be a cannabis sale in 1971 or 1972 between students at the Stanford Artificial Intelligence laboratory and the Massachusetts Institute of Technology via the ARPANET. But Mrs. Jane Snowball, age 72, made history as the first online home shopper, when she ordered groceries from Tesco in 1984.
E-commerce applications, also called mobile apps, are types of application software that let customers browse and buy on mobile devices, like smartphones or tablets. They act similar to a retailer’s website, capturing payment information and processing transactions. Although they’re generally smaller in scope, they offer greater interactivity.
Simple apps let customers browse and make purchases; more complex apps might enable location-based features and integrate with social media.
In 2017, 197 billion apps were expected to be downloaded, with apps becoming more popular than their desktop counterparts. By 2020, sales on e-commerce apps are predicted to account for 45% of the U.S. e-commerce market.
An e-commerce platform is software technology that lets e-commerce merchants open and manage an online storefront; sell products and services; and perform other functions, like send emails, integrate with social media and create loyalty programs. There are an estimated 12-24 million stores using e-commerce platforms to sell their products online.
Some of the most common platforms include BigCommerce, Magento, Shopify and WooCommerce. These platforms range from the simple and free to the complex and expensive; selecting the right platform depends on a merchant’s budget, goals and needs.
EMV (or “chip”) technology was developed by Europay, MasterCard and Visa (hence the name “EMV”) to help make credit card and debit transactions more secure. A microprocessor chip is embedded in these cards, and the chip interacts with a merchant’s point-of-sale systems to validate the card. As the new global standard for credit and debit cards, these new cards improve security by being nearly impossible to duplicate.
And that’s been bad news for fraudsters. MasterCard reported in November 2017 that EMV adoption has caused fraud to decrease by 60% among the top five EMV-compliant merchants.
Although EMV has helped protect consumers from card-present fraud, it has done little to decrease online fraud rates. In fact, as criminals shift to the easier targets of e-commerce transactions, card-not-present fraud has been on the rise. Technology opens new opportunities for tech-savvy fraudsters, making even cutting-edge solutions like EMV not enough to stop determined cybercriminals.
When e-commerce merchants need to securely transmit transaction data, including credit card information, they rely on encryption: coding data so only authorized parties can access it. Converting this regular data into ciphered (encrypted) data makes it difficult for an unauthorized third person to intercept the data and use it for illegal purposes. And even if the encrypted data is intercepted by a hacker, they’ll be unable to decode the information without the decryption key.
The big data breaches of 2017 — including the exposure of the personal data of 143 million Americans — illustrate the importance of merchants encrypting customers’ sensitive information and protecting it from falling into fraudsters’ hands.
False declines (also referred to as false positives) happen when a legitimate transaction is flagged by a merchant’s fraud protection system and is inadvertently declined. It often occurs because a cardholder trips a merchant’s fraud detection program (for example, making a large purchase that’s being shipped somewhere other than the customer’s billing address) and is wrongly identified as a fraudster.
False declines are surprisingly common: 40% of Americans have had a purchase transaction falsely blocked or questioned. And while false declines are embarrassing and inconvenient for customers, they’re also costly to merchants: False declines cost merchants more than $118 billion in sales yearly — 13 times more than losses to actual e-commerce fraud.
Fraud can refer to anytime a person gains something of value — ranging from money to physical goods to services — by engaging in deliberate criminal deception or omission.
There are myriad types of fraud — including investor, accounting, credit card and insurance fraud — but the end goal is the same: A criminal knowingly receives a benefit they’re not rightfully entitled to.
A fraud analyst monitors customer or business accounts and transactions to identify and prevent suspected fraud. Transactions may be flagged for any number of reasons, including transaction type and amount, shipping/billing address mismatch, or a higher-than-usual volume. If the analyst sees a high-risk or a suspicious transaction, they will flag it for further analysis, which may involve contacting the account holder or conducting more research.
Analysts must constantly study fraud prevention and chargeback trends and the evolution of fraudsters’ criminal techniques to ensure no instances of fraud slip by. These human analysts are often used as a complement to machine-learning algorithms to form a comprehensive approach to fraud prevention.
Fraud filters are tools merchants add to their e-commerce store to prevent potentially fraudulent orders from processing. Merchants can set up the fraud filters to either warn them of a potentially fraudulent transaction or cancel an order entirely if it fits certain criteria characteristic of fraud.
There are many different types of fraud filters; some of the more common ones include velocity, address verification system (AVS), card verification value (CVV) and purchase amount filters. Merchants must be careful about the order in which they apply these filters. If layered incorrectly, some rules may cancel out others, reducing the total amount of protection they offer.
While fraud filters are a popular and relatively inexpensive fraud protection strategy, they’re not foolproof: Fraud filters typically generate a false positive rate of approximately 25%.
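The filter layering described above (and the AVS numeric-portion check from the address verification entry), as an added example that is not code from the original page or from any vendor: it models AVS, CVV, purchase-amount and velocity filters plus an allow-list rule, and shows how filter order changes the outcome when a short-circuiting rule is placed too early. All thresholds, response codes, addresses and orders are constructed.

```python
"""Layered fraud filters run over constructed sample orders (illustration)."""
from datetime import datetime, timedelta

# Constructed policy thresholds (assumptions, not from the page).
AMOUNT_REVIEW_THRESHOLD = 500.0   # dollars; larger orders go to manual review
VELOCITY_WINDOW = timedelta(hours=1)
VELOCITY_WARN = 3                 # orders per card in the window -> warn
VELOCITY_CANCEL = 5               # orders per card in the window -> cancel


def numeric_part(text):
    """Digits only: AVS compares the numerical portions of address and ZIP."""
    return "".join(ch for ch in text if ch.isdigit())


def avs_filter(order, on_file, history):
    """Full match passes, partial match warns, full mismatch cancels.
    In production the issuer does this comparison and returns a code;
    it is done locally here so the logic is visible."""
    street_ok = numeric_part(order["billing_street"]) == numeric_part(on_file["street"])
    zip_ok = numeric_part(order["billing_zip"]) == numeric_part(on_file["zip"])
    if street_ok and zip_ok:
        return None
    return "warn" if (street_ok or zip_ok) else "cancel"


def cvv_filter(order, on_file, history):
    """The merchant never stores the CVV; it only sees the issuer's result.
    Constructed codes: M = match, N = no match, anything else = not checked."""
    return {"M": None, "N": "cancel"}.get(order.get("cvv_result"), "warn")


def amount_filter(order, on_file, history):
    return "warn" if order["amount"] > AMOUNT_REVIEW_THRESHOLD else None


def velocity_filter(order, on_file, history):
    """Count this card's orders (including this one) inside the window."""
    recent = [t for card, t in history
              if card == order["card_token"] and order["time"] - t <= VELOCITY_WINDOW]
    count = len(recent) + 1
    if count >= VELOCITY_CANCEL:
        return "cancel"
    return "warn" if count >= VELOCITY_WARN else None


def allowlist_filter(order, on_file, history):
    """Stops further filtering for customers the merchant already trusts."""
    return "allow" if order.get("trusted_customer") else None


def screen_order(order, on_file, history, filters):
    """Apply filters in order. 'cancel' stops with a cancel, 'allow' stops
    further checks (earlier warnings still count), 'warn' accumulates.
    Returns (decision, triggered) with decision in approve/review/cancel."""
    triggered = []
    for name, fn in filters:
        result = fn(order, on_file, history)
        if result == "cancel":
            triggered.append((name, "cancel"))
            return "cancel", triggered
        if result == "warn":
            triggered.append((name, "warn"))
        elif result == "allow":
            triggered.append((name, "allow"))
            break
    review = any(r == "warn" for _, r in triggered)
    return ("review" if review else "approve"), triggered


def screen_batch(orders, on_file, filters):
    """Screen orders in time order, growing the velocity history as we go."""
    history, decisions = [], []
    for order in sorted(orders, key=lambda o: o["time"]):
        decision, _ = screen_order(order, on_file, history, filters)
        decisions.append(decision)
        history.append((order["card_token"], order["time"]))
    return decisions


# --- constructed sample data -------------------------------------------
ON_FILE = {"street": "742 Evergreen Terrace", "zip": "90210"}
T0 = datetime(2018, 1, 15, 10, 0)


def make_order(n, minutes_after, **overrides):
    order = {"id": n, "card_token": "tok_A", "time": T0 + timedelta(minutes=minutes_after),
             "billing_street": "742 Evergreen Terrace", "billing_zip": "90210",
             "cvv_result": "M", "amount": 120.0, "trusted_customer": True}
    order.update(overrides)
    return order


# A long-standing (trusted) account suddenly places six orders in 25 minutes,
# the pattern an account takeover produces.
BURST = [make_order(i, 5 * i) for i in range(6)]

SAFE_ORDER = [("velocity", velocity_filter), ("avs", avs_filter),
              ("cvv", cvv_filter), ("amount", amount_filter),
              ("allowlist", allowlist_filter)]
# Same filters, but the allow-list rule placed first masks everything behind it.
UNSAFE_ORDER = [("allowlist", allowlist_filter)] + SAFE_ORDER[:-1]
```

With the velocity filter first, the burst yields approve, approve, review, review, cancel, cancel; with the allow-list rule first, all six orders are approved.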
After a criminal fraudulently takes something of value from a merchant, the merchant experiences a range of fraud losses, from the product itself to the fees and penalties associated with any chargebacks to the reputational damage associated with fraud.
Small businesses tend to take a bigger hit from fraud, especially those with fewer than 100 employees. These smaller companies are less likely than their larger counterparts to have the resources to invest in anti-fraud practices and technology. As a result, these smaller companies lose an average $155,000 yearly to fraud, while larger companies lose only $120,000.
Fraud Managed Services
Fraud managed services focuses on preventing fraud from happening, rather than merely reacting to fraud attacks.
With fraud managed services, a team of experienced analysts manages all aspects of the business’s e-commerce activity, actively watching transactions and implementing comprehensive chargeback management strategies to stop fraudulent orders before they’re approved. The fraud managed services provider may be liable for the fraud risk if a fraudulent transaction is approved. The typical organization loses an average of 5% of revenues due to fraud — translating to nearly $3.7 trillion of global losses annually.
Fraud Prevention Vendors
Every e-commerce business needs a fraud prevention solution, and many vendors are dedicated to monitoring and stopping fraudulent card-not-present transactions. Some vendors provide transactional analysis using advanced artificial intelligence (often as an outsourced solution); others use a managed services solution, in which a team of experts manages every aspect of an e-commerce business’s activity. Still other vendors combine the two for a hybrid approach to fraud management.
When evaluating vendors, merchants should compare the financial liability and level of service of multiple vendors. A matrix like the one below can be helpful.
Most fraud prevention vendors charge either a percentage of the transaction value or a fixed fee. Some vendors offer a chargeback guarantee that makes them liable for any costs if a fraudulent transaction is approved; others make no such guarantees. Some vendors automatically decline high-risk transactions, while other vendors only make the decision to decline a transaction after extensive manual review and customer contact.
Fraud Protection Software
Some merchants integrate fraud protection software into their prevention strategies. These automated software programs help businesses identify risky transactions in real time and reduce the impact of customer fraud. Using algorithms, the software scans transactions from multiple sources, uses past transactional data to analyze risk factors and flags transactions for further analysis.
These kinds of solutions are often budget-friendly for smaller businesses, but they’re not foolproof. Many solutions can result in an increased number of false declines, negating the savings realized through automated fraud protection.
Friendly fraud occurs when a cardholder disputes (or files a chargeback on) a purchase because they forgot they made the purchase, another family member authorized the purchase, or even because the customer misunderstood the merchant’s return policy. What differentiates this type of fraud from others is that these customers aren’t trying to be deceitful; they’re simply making an honest mistake.
Friendly fraud is also sometimes used to describe when customers make legitimate credit card purchases, receive the product or service, and intentionally file a chargeback with the intention of receiving a full refund and keeping the product. This type of fraud is more accurately described as chargeback fraud.
It’s estimated that e-commerce businesses lost $6.7 billion in 2016 to fraud; of that amount, $4.8 billion was due to friendly/chargeback fraud.
Payment gateways process credit card payments and other electronic payments for organizations, including e-commerce and brick-and-mortar merchants, transferring key transactional data between payment portals and the front-end processor or bank.
The payment gateway process is incredibly complex — it includes securing payment data according to PCI DSS standards, sending transaction data to the payment processor and processing the payment — yet it generally takes just seconds to complete.
While banks often serve as payment gateways, payment service providers — like PayPal and Square — can also fill this role. The right payment gateway can help assure customers a website is trustworthy and can provide a seamless purchasing experience; choosing the wrong service can result in a decrease in sales and a loss of customer confidence.
High-risk industries are those that are particularly vulnerable to online credit fraud and chargebacks, like merchants doing business in verticals such as gaming, adult entertainment, online gambling and travel. Because of this vulnerability, many credit card processors believe businesses in these industries are too risky to work with, leaving the businesses at the mercy of a high-risk credit card processor's less-than-desirable terms and conditions. Even this agreement may be withdrawn if the merchant can’t control their chargeback ratios.
Every merchant will be evaluated by different standards, but merchants with these characteristics may be labeled as high-risk:
- They’re a new merchant with little credit card processing history.
- They sell products or services to countries with a high incidence of fraud.
- Their average transaction value is more than $500.
- The merchant operates in an industry with high chargeback ratios.
A honeypot is a tempting set of data or an attractive computer system that lures fraudsters and counteracts their attempts to hack into or otherwise compromise an information system. Similar to a police sting operation, a honeypot acts as bait by appearing to be a legitimate part of a website; however, it’s actually being monitored by information technology professionals. Watching and recording this activity gives fraud prevention specialists insights into new modes of attack by fraudsters while also testing the security of network infrastructure.
There are two kinds of honeypots:
- Production honeypots are designed to look real; they’re also intended to keep a hacker busy while the system administrators ensure there are no other vulnerabilities in working production systems.
- Research honeypots let professionals analyze hacker activity in an effort to shore up a system’s defenses. Uniquely identifying information that’s “stolen” from a honeypot may also be used to track the stolen data and identify hackers.
Identity theft happens when fraudsters gather enough critical pieces of personal data about an individual (such as name, driver’s license number, date of birth and address) and pose as that person to open new accounts and make purchases. This may also be referred to as “true name identity theft.” A criminal can also use stolen information to hijack a consumer’s existing account (called “account takeover”).
The number of identity theft victims in the United States totaled 15.4 billion in 2016 (2 million more than in 2015) and bore a financial cost of $16 billion.
Each device connected to the internet has an Internet Protocol (IP) address, which is a numerical label that serves to both identify the device and provide its location. There are two types of IP addresses:
- Static: The user configures this by editing a device’s network settings.
- Dynamic: The device is assigned a new IP address each time it starts.
Merchants can use IP addresses to flag potentially fraudulent orders, like multiple orders shipped to different physical addresses but placed from the same IP address.
Some computer systems have the ability to “learn,” or make progressive improvements on a task based on algorithms and human input. This machine learning is frequently used with fraud software, allowing fraud prevention programs to make fast transactional decisions while minimizing risk exposure.
As machine learning systems find fraud patterns in purchase data, and as they assimilate new data, they can make increasingly accurate predictions and become quite effective at flagging fraud. Yet they can’t work alone. These machines still rely on current data and analysts’ insights to make well-informed decisions.
An abbreviation for “malicious software,” malware is designed to damage computers, servers and even networks through computer viruses, ransomware, spyware and more. Installed malware on a victim’s computer can even capture the user’s keystrokes as they enter user names, passwords and emails. Fraudsters then use that data to access the accounts and use the funds to make fraudulent purchases.
McAfee Labs reported a record of 63.4 million new malware samples in fourth-quarter 2017 — that’s eight malware samples per second. Experts warn that malware is using new tools and schemes — like PowerShell, cryptocurrency mining and ransomware — to target vulnerable e-commerce businesses.
Manpower Direct Costs
This refers to the cost of the personnel who work directly on a particular job or are involved with the production of certain goods. For example, the salary paid a landscaper who mows lawns is a direct manpower cost.
Manpower Indirect Costs
Indirect manpower costs refer to the expense of employees who don’t produce goods or services themselves but may improve the efficiency of the production (like security guards or managers) or offer production support. In our example above, a salary for a mechanic who services the lawnmowers would be considered an indirect cost.
A merchant account is a special bank account that a merchant establishes with an acquiring bank that lets a merchant accept electronic payment card transactions and receive transaction funds. Businesses can select from a variety of merchant acquiring banks and often make their decision based on transaction costs. Merchants labeled high-risk may pay significantly more in fees and penalties.
Merchant Account Provider
Partnering with a merchant account provider (sometimes called a “merchant acquiring bank”) lets businesses accept credit and debit cards as forms of payment. While many merchants work with banks or financial institutions, other merchants may opt to work with providers like Square, PayPal or QuickBooks to process credit card transactions.
To find the provider that’s right for them, merchants should compare the services, fees and extras each provider offers. Businesses in high-risk categories will find themselves with fewer options.
Merchant Chargeback Insurance Provider
There are a number of online fraud prevention companies that offer a 100% guarantee that the merchant won’t be held responsible for the costs of fraudulent transactions, if the provider approves a transaction that turns out to be fraudulent and results in a chargeback.
A good chargeback insurance provider will always provide a final decision on whether to approve a transaction and will guarantee every transaction. But merchants must also understand that guaranteeing transactions isn’t enough.
Sure, merchants want to be confident that their provider will reimburse them for any costs incurred from a fraudulent chargeback. But merchants also need to know their vendor is thoroughly reviewing every suspicious transaction to determine its validity — not just playing it safe by declining every questionable transaction to avoid paying chargeback fees. In the end, it’s about finding a vendor that will optimize approvals while minimizing chargebacks.
Multichannel merchants focus on getting their products into the hands of customers, wherever they may be. Over the years, multichannel selling has expanded from brick-and-mortar stores, phone sales and catalogs to now include e-commerce sales made via apps, mobile devices, social media sites and online marketplaces.
Retailers selling in at least two channels enjoyed approximately twice the revenue of those who sold through only one. And merchants who sold on two, rather than one, online marketplaces averaged 190% more in sales revenue.
Near-Field Communication (NFC) Payments
Sometimes known as “contactless payments,” NFC payments occur when two devices “talk” when they’re near each other and complete a transaction. Apple Pay, Android Pay and Samsung Pay are some of the most common NFC payment platforms.
While many smartphones have this technology built-in, merchants must purchase an NFC-enabled payments reader to accept contactless payments.
Because NFC mobile payments are dynamically encrypted, they’re considered a safe way to process transactions. Customers think so, too: The number of worldwide NFC payment users has skyrocketed from 5 million in 2012 to a projected 166 million in 2018.
Omnichannel merchants are looking to do more than just sell on every channel available to them. Instead, they want to create seamless shopping experiences, regardless of whether a customer is shopping on the Web, via an app or in a brick-and-mortar location. So omnichannel e-commerce focuses on fusing online and offline channels into a singular shopping experience with a consistent look and feel.
For example, 50% of customers want to be able to order a product via an app and pick it up in a brick-and-mortar store — and omnichannel e-commerce can deliver on that. And customers who can get this experience are more likely to be more loyal: Omnichannel businesses retain an average of 89% of customers, compared with 33% of businesses with multichannel strategies.
While the Internet has made it easier to complete daily tasks, like shopping, banking and booking vacations, it’s also made it easier for fraudsters to carry out their cybercrimes. Some of the most common online scams include phishing, disaster relief scams and lottery winner scams. Unsuspecting customers are asked for — and often release — personal data that’s then used to make fraudulent purchases.
Although 90% of U.S. individuals are vulnerable to online scams, 71% are more cautious than they used to be about shopping online.
Payment fraud refers to any fraudulent transaction a criminal executes that results in stealing a victim’s money, property or sensitive data. While traditional fraud prevention controls used to be enough to prevent payment fraud, fraudsters now engage in subtle behaviors to trick unsuspecting customers into releasing personal information.
With 86% of websites at risk of being hacked or compromised, merchants can’t take a chance with sensitive customer data getting into the hands of cybercriminals. That’s why every merchant handling payment cards must follow the 12 control objectives established by the Payment Card Industry (PCI) Security Standards Council. These objectives include security measures like:
- Installing and maintaining firewalls to protect cardholder data
- Encrypting cardholder data transmissions
- Regularly testing security systems and processes
A merchant’s transaction volume, card-handling method and security breach history determine how often and what kind of security audits and scans are required to establish compliance. Many merchants may be eligible to conduct a self-assessment, while larger merchants or those experiencing previous breaches will need to have an independent Qualified Security Assessor perform the audit.
Although compliance with the PCI Data Security Standard has increased 167% since 2012, 80% of organizations are still noncompliant. And exposing customer data isn’t the only risk associated with noncompliance. Merchants can face substantial financial penalties, including hefty fees from the acquiring bank, costly audits and investigations, and the risk of merchant accounts being terminated.
The Payment Card Industry Data Security Standards (PCI DSS) were established in 2004 in response to increased data theft: More than 80% of data stolen in breaches is payment card data, and there were almost 42,068 data security incidents in 2017.
PCI DSS compliance focuses exclusively on implementing standards for keeping credit card data secure as it makes its way from a merchant to the credit card processor. Every merchant handling payment cards must follow the 12 PCI-established control objectives that dictate the encryption and transmission of credit card data.
The major credit card companies (Visa, MasterCard, Discover, American Express and JCB) formed an independent body in 2006, called the PCI Security Standards Council, to manage the ongoing evolution of the standards and to highlight ways merchants can improve payment security.
A common scam by fraudsters is “pharming” attacks, which are similar in nature to “phishing” attacks, with one important difference: Phishing attacks require victims to click on a link to take them to the fraudulent website, whereas pharming attacks automatically install malicious code on a computer and misdirect users to fraudulent websites. Because this code requires neither consent nor knowledge to execute, many victims don’t even realize they’ve been targeted.
Pharming attacks are increasing, in part because fraudsters are looking for new ways to collect sensitive personal data from Internet users who are learning how to avoid phishing attacks. In 2017, a pharming attack hit more than 50 financial institutions and customers in the United States, Europe and Asia-Pacific. Before it was stopped, the attack infected more than 3,000 computers in three days.
A form of social engineering and identity theft, phishing scams try to trick individuals into revealing personal information. Fraudsters typically contact victims by text, email or phone, posing as an authority figure or a seemingly legitimate company to get the victim’s confidential data.
Phishers may also install malicious software on computers, infect computers with viruses or even steal personal information off of computers.
Nearly 1.5 million new phishing sites are created monthly, and nearly 76% of businesses reported being a victim of a phishing attack in the last year. The average cost for a mid-size company? $1.6 million.
Point-to-Point Encryption (P2PE)
The PCI Security Standards Council established P2PE standards to improve the security of credit card transactions. During the P2PE process, transactional data is encrypted at the merchant’s point-of-sale entry point and remains encrypted until it reaches the final credit card processing point.
Many systems use public key encryption, symmetric encryption keys or hashing to disguise sensitive data as it progresses through the transaction life cycle. This layer of protection is used in addition to SSL encryption.
Merchants who use a P2PE-validated solution aren’t held responsible for any data loss, fees or penalties that may result from fraud.
Purchase Amount Filter
Fraud filters make it easier for e-commerce merchants to identify and respond to potentially fraudulent transactions. One of the most common is a purchase amount filter, which lets e-commerce merchants set upper and lower limits for transaction amounts. Any purchase that falls outside the range can be flagged and held for further review, processed as usual with a report triggered, or automatically declined. Because most merchants know their typical transaction size, setting the filter lets them be notified when an unusual transaction occurs.
Fraud filters can be extremely effective when used properly. But if a merchant layers multiple filters incorrectly, the filters may not work as intended, with some rules being overruled by others and decreasing the efficacy of the system.
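The layering problem described above, as an added example (not code from the original page): two amount rules evaluated with "last rule wins" let the milder review rule overrule the hard decline limit, while keeping the most severe matching action does not. Rule names, limits and order amounts are constructed, and `limits_from_history` is a hypothetical helper that derives a band from a merchant's own past order sizes.

```python
"""Layered purchase-amount filters, as an added example that is not part of the
original page. Rule names, limits and orders are constructed."""
from dataclasses import dataclass
from decimal import Decimal
from enum import IntEnum


class Action(IntEnum):
    """Possible outcomes, ordered least to most severe."""
    PROCESS = 0   # process as usual
    REPORT = 1    # process, but record it in a report
    REVIEW = 2    # hold for manual review
    DECLINE = 3   # decline automatically


@dataclass(frozen=True)
class Order:
    order_id: str
    amount: Decimal


@dataclass(frozen=True)
class AmountRule:
    """Matches any order whose amount falls outside [low, high]."""
    name: str
    low: Decimal
    high: Decimal
    action: Action

    def matches(self, order: Order) -> bool:
        return not (self.low <= order.amount <= self.high)


# Two layered rules (constructed): a hard ceiling that should always decline,
# and a narrower "unusual size" band that only asks for review.
RULES = [
    AmountRule("hard-limit", Decimal("1.00"), Decimal("2000.00"), Action.DECLINE),
    AmountRule("unusual-size", Decimal("5.00"), Decimal("500.00"), Action.REVIEW),
]


def evaluate_last_rule_wins(order: Order, rules=RULES) -> Action:
    """Incorrect layering: each matching rule overwrites the previous decision,
    so the milder rule listed later overrules the hard limit."""
    decision = Action.PROCESS
    for rule in rules:
        if rule.matches(order):
            decision = rule.action
    return decision


def evaluate_most_severe_wins(order: Order, rules=RULES) -> Action:
    """Correct layering: keep the most severe action among all matching rules."""
    decision = Action.PROCESS
    for rule in rules:
        if rule.matches(order):
            decision = max(decision, rule.action)
    return decision


def limits_from_history(amounts, lower=0.01, upper=0.99):
    """Hypothetical helper: derive a filter band from past order amounts by
    taking the given lower and upper nearest-rank percentiles."""
    ordered = sorted(Decimal(a) for a in amounts)
    n = len(ordered)

    def pick(p):
        return ordered[min(n - 1, max(0, round(p * n) - 1))]
    return pick(lower), pick(upper)


if __name__ == "__main__":
    for o in (Order("A1", Decimal("5000")), Order("A2", Decimal("750"))):
        print(o.order_id, evaluate_last_rule_wins(o).name,
              evaluate_most_severe_wins(o).name)
```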
Ransomware is malware that limits users from fully using their infected system until a ransom is paid. While traditional ransomware simply locks a screen or the user’s files, new crypto-ransomware encrypts files on the compromised system and provides a decryption key only after the victim pays the ransom. Users may inadvertently download ransomware when visiting compromised websites or by opening infected emails. The fraudster may request payment in cryptocurrency — although they sometimes ask for gift cards — but receiving payment is no guarantee the victim will receive the decryption key or have their files released.
In each quarter of 2016, fraudsters sent 500 million emails carrying ransomware downloaders that found their way onto 13.4 million computers. While not every payload successfully launched, it’s clear that fraudsters continue to use ransomware as a quick payday against their victims.
Merchants engage in risk management processes to identify, evaluate, analyze and prevent exposure to the risks that threaten capital and earnings. These risks come in many forms, including weather-related risks, liability judgments, employee theft and credit card fraud.
E-commerce merchants have become increasingly focused on securing their digital assets, including a customer’s personally identifiable information, and have implemented risk management programs that help them:
- Improve transaction approval rates
- Reduce false declines
- Decrease chargeback ratios and fraud-related chargeback costs
- Shorten response time
Skimming is the act of using hard-to-spot electronic devices or card readers at point-of-sale systems to capture and copy electronically transmitted account information from a valid credit or debit card. The fraudster then clones that data on a counterfeit card to make in-store purchases, uses the card information to place fraudulent online transactions or sells the data on the deep web.
In 2016, one man was arrested in California for placing skimmers in eight Wells Fargo ATMs. He captured data from almost 4,900 cards, created counterfeit cards and then stole nearly $500,000. Global losses from skimming topped $2 billion in 2013 and continue to grow.
A driver’s license-sized card that contains embedded circuitry is often referred to as a smart, or chip, card. They can be contact, contactless or both and are used for a variety of purposes, like identification, authentication and data storage.
Smart cards increase a card-present transaction’s security and convenience and are resistant to compromise from data hacks and fraud. These tamperproof cards use cryptograms to secure sensitive financial data (like today’s EMV-compliant credit cards); they can also carry personal health information, serve as keys, and store loyalty card information.
While smart cards aren’t currently used for e-commerce transactions, consumers in the future might have personal card readers that let them conduct secure CNP transactions at their desktop or over their mobile devices.
As one of the biggest security threats facing businesses today, social engineering tricks individuals into violating traditional security practices and divulging information or performing an action that compromises security. Fraudsters pose as authority figures to gain approved access to confidential data through nontechnical methods like phishing, pharming and pretexting.
Social engineering is used in more than 66% of all attacks by hackers. Phishing is the most common method of attack: Of the 294 billion emails sent daily, nearly 90% are spam and viruses. In 2013, Target fell victim to social engineering when fraudsters launched a phishing scam against an HVAC subcontractor for the company. The hackers obtained Target network credentials and stole 40 million credit and debit cards from the store’s point-of-sale systems.
Payment services like Apple Pay and Android Pay use tokenization to protect sensitive data, swapping out the personal information with randomly generated data. As a result, a customer’s actual credit card data is never used or accessed by the merchant.
There are three benefits to using tokenization:
- The process is frictionless for and nearly invisible to customers.
- This technology helps protect against the theft of credit card information during the transaction process.
- It helps merchants comply with industry security standards like PCI DSS.
Tokenization is currently believed to be one of the best available solutions for securing credit card transactions without significantly altering the cardholder experience.
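A minimal token vault illustrating the swap the entry describes, as an added example that is not code from the page or from any payment service: the merchant stores only a random token, the vault alone maps it back to the card number. The token format (random hex plus the last four digits for display), the HMAC lookup so a repeat card gets the same token, and the test card numbers are all assumptions made for the example.

```python
"""Token vault for card numbers, as an added example that is not part of the
original page. Card numbers are standard test values, not real cards."""
import hashlib
import hmac
import secrets


def luhn_ok(pan: str) -> bool:
    """Basic sanity check that a string is a well-formed card number (Luhn)."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """The only component that ever sees a full card number. Merchants keep
    the token; the vault keeps the mapping (assumed in-memory here)."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # keyed lookup, not a hash of PAN alone
        self._pan_by_token: dict[str, str] = {}
        self._token_by_lookup: dict[str, str] = {}

    def _lookup(self, pan: str) -> str:
        # HMAC so the same card maps to the same token without storing the PAN twice
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return a random token for the card; reuse it if the card was seen before."""
        if not luhn_ok(pan):
            raise ValueError("not a well-formed card number")
        lookup = self._lookup(pan)
        if lookup in self._token_by_lookup:
            return self._token_by_lookup[lookup]
        while True:  # random token carries no card data beyond the display digits
            token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_lookup[lookup] = token
        return token

    def detokenize(self, token: str) -> str:
        """Recover the card number; only the processor-side vault may do this."""
        return self._pan_by_token[token]


if __name__ == "__main__":
    vault = TokenVault()
    t = vault.tokenize("4111111111111111")   # Visa test number
    print(t, vault.detokenize(t)[-4:])
```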
Tor, which stands for The Onion Router, is free software that facilitates anonymous communication. By directing internet traffic through an overlay network of more than 7,000 relays, Tor makes it difficult to trace internet activity back to a user.
In 2012, there were just 500,000 daily Tor users; that number grew to more than 4 million just a year later.
The U.S. Navy created Tor’s original technology with the intention of protecting internet users from corporations’ — not the government’s — prying eyes. While there are some innocent users, the Tor network helps run the dark web, where many legal and illegal transactions take place.
Velocity filters monitor specific data elements (like email address, phone number and billing/shipping addresses) and limit the number of transactions that a website can process in a certain time frame (e.g., an hour, a day) using this data.
Why might a merchant want to limit the number of transactions? When a fraudster gets their hands on credit card numbers from the dark web, they might start rapidly testing those numbers on a merchant’s site — looking to see which cards work. If a transaction goes through, the fraudsters often try to max out the card with more (and bigger) purchases.
The effective use of velocity filters relies on a merchant understanding their good customers and knowing how large and how frequent their purchases usually are.
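A sliding-window velocity filter, as an added example that is not code from the original page, covering both the IP address entry above (many orders from one IP) and the velocity filter entry (limits per data element in a time window). Thresholds, IP addresses, e-mails and the replayed traffic are constructed; the card-testing burst trips the distinct-card limit while a normal repeat buyer passes.

```python
"""Velocity filter keyed on IP address and e-mail, as an added example that is
not part of the original page. Limits and traffic below are constructed."""
from __future__ import annotations
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    ip: str
    email: str
    card_last4: str
    ship_addr: str


class VelocityFilter:
    """Counts recent attempts per data element and flags three patterns:
    too many attempts, too many distinct cards (card testing), and too many
    distinct shipping addresses behind one IP or e-mail."""

    def __init__(self, window: timedelta, max_attempts: int,
                 max_cards: int, max_ship_addrs: int):
        self.window = window
        self.max_attempts = max_attempts
        self.max_cards = max_cards
        self.max_ship_addrs = max_ship_addrs
        self._recent: dict[tuple, deque] = defaultdict(deque)  # oldest first

    def check(self, a: Attempt) -> list[str]:
        """Record the attempt and return the limits it breaches ([] = pass)."""
        reasons = []
        for key in (("ip", a.ip), ("email", a.email)):
            q = self._recent[key]
            q.append(a)
            while a.ts - q[0].ts > self.window:   # drop attempts outside the window
                q.popleft()
            label = f"{key[0]}={key[1]}"
            if len(q) > self.max_attempts:
                reasons.append(f"{label}: {len(q)} attempts in window")
            cards = {x.card_last4 for x in q}
            if len(cards) > self.max_cards:
                reasons.append(f"{label}: {len(cards)} distinct cards")
            ships = {x.ship_addr for x in q}
            if len(ships) > self.max_ship_addrs:
                reasons.append(f"{label}: {len(ships)} shipping addresses")
        return reasons


def sample_run() -> list[list[str]]:
    """Replay constructed traffic: a card-testing burst from one IP, a visit from
    that IP after the window has expired, then a normal repeat buyer."""
    vf = VelocityFilter(window=timedelta(minutes=10), max_attempts=5,
                        max_cards=3, max_ship_addrs=2)
    t0 = datetime(2018, 3, 1, 9, 0, 0)
    events = [Attempt(t0 + timedelta(seconds=20 * i), "203.0.113.7",
                      f"buyer{i}@example.com", f"{4000 + i}", "1 Drop St")
              for i in range(6)]
    events.append(Attempt(t0 + timedelta(hours=1), "203.0.113.7",
                          "later@example.com", "4999", "9 Other Rd"))
    events += [Attempt(t0 + timedelta(hours=h), "198.51.100.4",
                       "jane@example.com", "1234", "5 Home Ave") for h in (2, 5)]
    return [vf.check(e) for e in events]


if __name__ == "__main__":
    for i, reasons in enumerate(sample_run()):
        print(i, reasons or "ok")
```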
Verified by Visa
Verified by Visa helps ensure the legitimate cardholder is the one making online purchases by working behind the scenes to analyze a customer’s purchase and compare it against usual payment behavior. If customers are using a new device, Verified by Visa may require a second authentication step — either a password or a code sent to the customer’s mobile phone — before the purchase is processed.
This extra layer of security, called 3-D Secure, is the same technology used in MasterCard SecureCode and American Express SafeKey. While the technology helps bolster customer confidence and reduce a merchant’s lost sales, it can’t protect against data breaches and isn’t 100% foolproof.