Too Much Security? There’s No Such Thing

FIs Unable To Detect Fraudulent Activity

Retailers are retailers, not security experts. Too often, their best efforts can create friction at the point of sale for consumers, which leads to shopping cart abandonment and lost revenue, all while feeding the illusion of “too much security.”

It goes without saying that eCommerce security is paramount as cybercriminals get smarter and more creative. Between account takeovers, business logic abuse, loyalty and reward points fraud and other cybersecurity attack methods, companies are not only suffering financial damages but brand image damages too.

Yet surely there is a line — a point where the bell curve peaks and begins its downward plunge — a point where there’s simply too much of a good thing, and the friction introduced on the consumer side is no longer paying off in terms of revenue.

Not according to Angel Grant, director of Global Product Marketing and Strategy for cybersecurity firm RSA. “There’s never ‘too much’ security,” Grant said. “But there can be too-intrusive security. It’s not too much security; it’s focusing on the right security.”

So how does a merchant focus on the right security and prevent their customers from abandoning shopping carts? Grant said they must understand what they are fighting in a world of changing threats and changing defenses.

That’s why cybersecurity firm RSA recently teamed up with 451 Research to produce a white paper outlining how merchants can balance good business with good security and focus on what they really care about: making customers happy. Here are a few of the top things every eTailer should know about fraud in 2017.

  1. Card Not Present Fraud Is A Big Threat. EMV chip cards have made it more difficult and expensive for fraudsters to clone cards, so cybercriminals are focusing on channels where they don’t need to present one — namely, eCommerce. And buying stolen credit card digits is easier than ever. Cybercriminals aren’t even hiding the activity within the dark web anymore — just try searching “CVV” on Facebook to see how they’re transacting in plain sight. On top of that, phishing emails today may present official logos and names or even mimic the writing patterns of a CEO or other executive to trick recipients into clicking on malicious hyperlinks. These links lead to mocked websites where phishers await to capture log-in data.
  2. The Bad Guys Know How To Play The System. Cybercriminals have learned to abuse business logic, meaning they know the navigation paths around a website, the logic of how it is set up and the vulnerabilities to exploit. There are ways for honest customers to get discounted rates or coupons. A fraudster can use his knowledge of those vulnerabilities to compound discounts at the point of sale without being detected. For example, on a wireless transfer site, live approval may be required for transfers exceeding $10,000. A fraudster abusing the business logic of the site may initiate 10 transfers of $1,000 each to slip under the radar.
  3. Legacy Solutions Alone Are Not Enough Anymore. Legacy solutions are good at what they do and are still necessary, said Angel Grant. For example, web application firewalls are needed to filter inbound traffic and search for software defects. But they can’t detect an account takeover or business logic abuse. Today’s merchants need predictive analytics and behavior analytics tools to create deep entity profiles of their customers, which introduce more hoops for the fraudster to jump through and less for customers.
  4. More Solutions Aren’t Better Unless They’re Working Together. Rather than keeping their fraud solutions in silos, eTailers are better off centralizing their fraud management strategy so that the technologies they’ve invested in can complement each other. An independent survey by RSA showed that 57 percent of organizations were using four to 10 different tools within their anti-fraud operations strategy. Centralizing those tools would increase their fraud detection rates exponentially and, at the same time, would reduce customer friction and merchant expense to maintain the system.
  5. Solve These Core Problems And The Rest Will Follow. Merchants must be able to identify and respond to external threats — ideally, before they happen or in the early stages of an attack. They should invest in tools that will give them visibility into traffic across channels and trends between customers shopping online, whether those are registered customers or one-time shoppers. Memorize what “normal” looks like so that, when the inevitable fraud attack comes, it will be easy to spot. No breach is ever good news for the brand, but how a company prepares beforehand (or responds in the aftermath) can make a big difference.

The modern world isn’t kind to eTailers, but if they batten down the hatches, they can weather the fraud storm and reduce lost revenue.

“New attacks emerge every day,” said Grant. “That’s never going to stop. It’s just a matter of taking a look at that attack and applying or modifying existing technology to solve it.”

The Download: Web Threat Detection, fill out the form below:

    First Name*

    Last Name*

    Title*

    Company*

    Work Email*