Putting Good Consumers Before Bad

“Innocent before proven guilty” is the mantra retailers will be well served to abide by in tuning their fraud and security tools for the upcoming holiday shopping season. Dr. Stephen Topliss, VP of Global Services for ThreatMetrix, and MPD CEO Karen Webster recently held a live digital discussion of ThreatMetrix’s 5 Step Plan for how focusing on good consumers — rather than assuming the worst — can lead to both stronger data security and increased profit.

Yes, it may just be September, but the holidays will be here before we know it.

And as Dr. Stephen Topliss, VP of Global Services for ThreatMetrix, told MPD CEO Karen Webster at the start of the recent PYMNTS webcast, “How Retailers Can Prepare for the Holiday Season,” now is the perfect time for retailers to get busy planning how they’ll make the shopping season both profitable and safe. Cybercriminals on the digital hunting ground are hoping that retailers put off their security planning until the last minute. For retailers who are on such a track, that’s actually not a great idea.

Here’s why:

According to the NRF, nearly half of all online traffic to websites in 2014 was driven by smartphones — which themselves drove pretty big-ticket sales.

ThreatMetrix’s own data show that, during the 2014 holiday shopping season, 39 percent of transactions were conducted via mobile device (while 80 percent of that occurred on iOS).

There was a 15 percent overall growth rate in online shopping between 2013 and 2014.

The increase was more significant on key dates (Thanksgiving, Black Friday, the Nov. 29-30 holiday weekend), ranging between 20 and 30 percent.

ThreatMetrix identified more than 11.4 million fraud attempts in 2014 during the holiday season.

According to data that Topliss shared, an average of 20 million new mobile devices are being put in use per month (a growth rate he calls “quite staggering”).

And, because more consumers are using more mobile devices (thus creating more opportunities for fraud), Webster warns that those 11.4 million attempts might only be cybercriminals’ “warm-up act.”

Topliss concurred; he’s expecting more shopping and more buying this year, particularly given that consumers are “in a positive frame of mind” about the retail economy.

More shopping, more mobile devices, more opportunities for fraud.

So, the question for retailers then becomes, how can they distinguish between legitimate and fraudulent activities?

 

eCommerce Transactions and Attacks

Topliss shared some statistics based on ThreatMetrix’s latest cybercrime report from Q2 2015, highlighting the 3 primary types of fraud and their risk factors:

–   Payments – 3 percent

–   Account Login – 3.6 percent

–   Account Creation – 6.7 percent

80 percent of the events that ThreatMetrix monitors for its retail customers are not payments but logins, which Topliss says is reflective of the fact that customers are “becoming more and more concerned about logins into their existing accounts.”

The practice of fraudsters using stolen or synthetic identities, he adds, accounts for the percentage of account creation risk being double that of the other two events.

 

Holiday Sales 2015 Predictions

Laying out ThreatMetrix’s forecast for the impending holiday shopping season, Topliss makes 4 predictions:

(1) An Increase in Account Takeover Attempts

Topliss explains that news about the proliferation of breaches actually leads to more attempts of the sort by cybercriminals, while the rise of the mobile channel has made customers more inclined to store payment details with retailers than they have been previously.

(2) M-commerce Fraud Will Rise

The combination of the focus by retailers on conversion with relaxed rules on the mobile channel, Topliss attests, will lead to an increase in fraud risk.

(3) Uptick in Fraud Due to EMV (as fraud moves online)

(4) An Increase in Bot/Scripted Attack Traffic

Topliss has already seen this activity increase over the last 6 to 12 months. He says that fraudsters will continue to rely on bots because they may be masked by “the sheer volume of good consumer purchase [being] so high on specific days” during the holiday season, such as Thanksgiving. Additionally, cybercriminals are applying more sophisticated bot attacks vis-a-vis the testing of compromised credentials on different retailer sites (not necessarily those from which the data was originally stolen).

 

ThreatMetrix’s Five-Step Retailer’s Holiday Prep Plan

  1. Profile Your Existing Customer Base

In this first stage, there are a number of questions and related data that retailers should address regarding their customers, including:

–    What do you know about them? (returning customer rates)

–    How well do you know them? (transaction patterns)

–    What’s their behavior like? (device/location/items of purchase)

–    Can you distinguish them in your fraud tools?

Topliss says that ThreatMetrix has seen its “most successful retail customers” use existing fraud tools to look for good customers, rather than the inverse. This method allows payments to go through with the “least possible friction,” at which point review teams can look for suspicious activity in the remainder of the transactions.

Webster notes, “that’s good advice not just for holiday season, but in general,” as marketing teams and fraud teams can work together year-round to parse out good customers and profiles that can be used to distinguish fraud.

  2. Review Your 2014 Holiday Season

While this seems like the “most common-sense” of all the steps, Topliss notes that his company often sees customers forgetting this step.

To keep it front of mind, he recommends that retailers revisit analysis that was carried out in early 2015, and determine if all the recommendations have been implemented. Furthermore, retailers should examine the new risks for 2015, including, for example, if there’s a new mobile commerce channel in place or if the business is expanding internationally.

  3. Create a Holiday Policy

Retailers ought to examine what rules (such as spending limits for good customers) should/can be relaxed or tightened. If rules can safely be relaxed to the benefit of the business, retailers should focus on facilitating good customers: If there’s a likelihood they will spend more during the holiday season, it might be worth raising their limits.

Additionally, says Topliss, retailers need to determine when to activate and deactivate their temporary rule changes, focusing on date and time triggers that cover peak traffic periods.

Of course, “the problem,” says Topliss, “is that if fraudsters know what you’ve tweaked, they can work around that threshold.” To address this possibility, he points to the example of ThreatMetrix customers who, instead of changing their threshold, introduce a random selection of higher-risk events that go through manual review. Fraudsters are “unable to predict that,” he notes.
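The holiday policy described in this step, as an added Python example (not ThreatMetrix code and not shown in the webcast): the spending limit is raised only for recognised returning customers inside a date window, and a random share of higher-risk orders goes to manual review while the review threshold itself stays put. All field names, limits, dates, scores and the sampling rate are constructed assumptions.

```python
import secrets
from datetime import datetime

# Every value below is constructed for illustration; none comes from the webcast.
BASE_LIMIT = 500.00                  # normal per-order limit
HOLIDAY_LIMIT = 1500.00              # relaxed limit for known-good customers
PEAK_START = datetime(2015, 11, 26)  # activation trigger (assumed peak window)
PEAK_END = datetime(2015, 12, 1)     # deactivation trigger
REVIEW_SCORE = 70                    # fixed threshold: always reviewed at or above
SAMPLE_BAND = (40, 70)               # "higher-risk" band that is sampled at random
SAMPLE_RATE = 0.2                    # share of the band sent to manual review
_RNG = secrets.SystemRandom()        # OS randomness, so the sampling is not guessable

def spending_limit(order, now):
    """Relax the limit only for recognised customers, only inside the window."""
    in_window = PEAK_START <= now < PEAK_END
    if in_window and order["returning_customer"] and order["known_device"]:
        return HOLIDAY_LIMIT
    return BASE_LIMIT

def decide(order, now, draw=None):
    """Return 'approve' or 'review'. `draw` overrides the random draw (tests only)."""
    if order["amount"] > spending_limit(order, now):
        return "review"
    if order["risk_score"] >= REVIEW_SCORE:
        return "review"
    lo, hi = SAMPLE_BAND
    if lo <= order["risk_score"] < hi:
        # The threshold is unchanged; which in-band orders get reviewed is random,
        # so staying just under a known score does not guarantee approval.
        draw = _RNG.random() if draw is None else draw
        if draw < SAMPLE_RATE:
            return "review"
    return "approve"

# Constructed sample orders.
SAMPLE_ORDERS = [
    {"id": "A1", "returning_customer": True, "known_device": True, "amount": 1200.0, "risk_score": 10},
    {"id": "A2", "returning_customer": False, "known_device": False, "amount": 1200.0, "risk_score": 10},
    {"id": "A3", "returning_customer": True, "known_device": True, "amount": 80.0, "risk_score": 55},
    {"id": "A4", "returning_customer": False, "known_device": False, "amount": 80.0, "risk_score": 85},
]

def screen(orders, now, draw=None):
    """Decide every order and return {order id: decision}."""
    return {o["id"]: decide(o, now, draw) for o in orders}

if __name__ == "__main__":
    print(screen(SAMPLE_ORDERS, datetime(2015, 11, 27, 10, 0)))
```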

  4. Monitoring & Analysis

Further questions and related data in this regard include:

–    How do you currently monitor fraud levels? (look at things like review rates; how often the rules trigger; and if there’s an increase in high-level transactions)

–    Can you react in real time?

–    What would you like to be able to change quickly? (the more information you have and sooner you have it, the better you can react to something new)

Topliss gives the example of customers who will add extra rules into their policy that might not necessarily deal with fraud during holiday season, just to give more information for comparison purposes in real time.

  5. Tighten Up Existing Anomaly Rules

Here, Topliss recommends that retailers look at what they have in place and how it compares to what the rest of the industry is doing.

–    Use all available new rules/techniques (new systems bring new functionality; talk to vendors to find out latest)

–    VPN detection; smart device detection

–    mobile channel device identification

–    mobile traffic – root/jailbreak detection (if the device is brand new and immediately altered, that’s a potential red flag)

–    make use of global intelligence

Webster observes that a common thread in Topliss’ recommended strategy is that a retailer “flips the paradigm”: Instead of assuming that everyone is bad, they should understand that most are good, and try to suss out fraudsters from that point.

Topliss remarks that Webster’s point “leads very nicely” to the next one…

 

Risk Scoring

In the way that customers currently define their risk scoring, says Topliss, “there is very much the concept of rules that look for the bad and rules that look for the good.”

He presents bullet points of both methods. But taking the “good” route, he notes, leads to the creation of personas or digital identity.

 

A Day in the Life of a Digital Identity

Topliss presents a slide that breaks down the moment-by-moment interaction of a customer with eCommerce on any given day. Each piece of the puzzle, he says, “represents a persona at each stage”; all of these join together to provide a “complete digital identity.”

He says that ThreatMetrix has the ability to link all those things together. “Clearly, it needs to be done in an anonymized and encrypted way,” he admonishes, “but it allows the whole network [to] benefit from the information around that identity” in three general phases:

–    establish trust with digital identity

–    reduce friction and enhance user experience

–    stop cybercrime

Webster expresses concern about the additional complexity that the various devices and email addresses a customer brings to a relationship with the same retailer can create.

While acknowledging that digital identities “do become complex,” Topliss says that “the trick is” for a retailer to employ a system into which it can build that complexity, along with a ruleset or tool that enables it to extract that information in a simple way.

This means utilizing a “tool that can look back across the history of a digital identity and immediately give [the retailer] a clue as to whether it makes perfect sense, or it’s nothing that’s been seen before and [they] should therefore raise the associated risk.”

 

Conclusions

“It didn’t scare us half to death,” Webster says, “but it did provide some sobering statistics on just what retailers are facing this holiday season. As they anticipate serving good customers, there’s always the bad guys that are looking to ruin the experience for the good ones.”

 
