To call an account takeover an “inconvenience” would be an understatement. But the fact is, the eCommerce industry is faced with the challenge of balancing the prevention of that very serious and potentially greatly harmful crime with something that is simply a matter of convenience: the customer experience at checkout. Account takeover fraud can cost merchants a lot, but so can losing customers.
When it comes to transactional security, to assume that everyone is a fraudster and subject every transaction to additional levels of authentication and scrutiny is not an option, for customers or for merchants. In an online environment, merchants are driven to eliminate friction – rather than introduce it – and do everything possible to expedite sales. Toward that goal, finding the right balance of speed and safety is essential.
Of course, that’s easier said than done, in light of increasingly sophisticated instances of fraud perpetrated by specialized cybercrime rings. Today, account takeovers total almost $5 billion and have risen 70 percent in the last two years. Despite precautions, cybercriminals always seem to find and exploit the weakest link.
Something needs to be done.
And that “something” is what Vince Lau, Senior Product Marketing Manager at ThreatMetrix, talked to MPD CEO Karen Webster about in a recent webinar.
WHAT HAVE WE BEEN DOING TO STOP CYBERCRIMINALS?
Lau opened the webinar by sharing the statistic that more than 1 in 4 instances of identity fraud (28 percent) are the result of account takeover. As fraudsters increasingly turn their ill intentions toward big-name eCommerce sites such as eBay, PayPal and Amazon, there is a “cascading” effect of identity fraud taking place that needs to be addressed.
“It’s very easy just to blame the criminals,” Lau remarked.
Easy, but not productive in terms of prevention. What Lau has done is look at the different types of technologies that have been and are being used to try to stop cybercriminals and determine, simply, that they’re “the wrong ones.”
DON’T ASSUME GUILT
When merchants assume that customers are “guilty until proven innocent,” explained Lau, it causes customers to get frustrated with their websites, which in turn leads to a loss of transactions and future business.
Lau pointed to a need for shifts in industry thinking, moving away from “trying to find the bad guys” and toward trying to determine how to accelerate customer checkout.
Besides better serving customers, there are other, less obvious benefits that will arise from this change in focus – such as alleviating the operational impact that results from tighter fraud reviews.
As far as “operating under suspicion” goes, Webster asked Lau if he believes the shift in thinking is being driven by the explosive volume of online transactions, mobile-based and otherwise.
Essentially, said Lau, what’s motivating the change is the friction caused by some of the transaction systems, both up front and on the back end.
“Once you turn them off,” he said, “you open the door for more orders,” but a lot of review checks that are currently in place “cripple businesses.”
To illuminate his point, Lau made reference to the famous quote, widely attributed to Albert Einstein: “The definition of insanity is doing the same thing over and over again, but expecting different results.”
HOW ACCOUNT TAKEOVER OCCURS
Lau talked the listeners through the three most common approaches to account takeover: data breaches, malware and phishing.
Data breaches are arguably the most “famous” (or perhaps infamous) mode of account takeover due to the headlines made by ones that recently occurred at Target and Home Depot. As Lau pointed out, large breaches even occur outside of eCommerce – such as the recent instance at Anthem.
They’re difficult to prevent, because big organizations inadvertently provide a lot of potential access points for hackers to enter their systems. Another obstacle in preventing data breaches is that consumers tend to reuse passwords.
Here, Webster mentioned how it is nigh impossible for a person to remember all their different passwords for different sites.
“It’s a big vulnerability,” she said, “but an understandable one,” and it needs to be addressed within the ecosystem.
Lau agreed, responding plainly: “You have to assume that your password will be compromised at some point.”
(“That makes me feel really good; thanks,” remarked Webster.)
To ease Webster’s (and the listeners’) concern, Lau stated that there are currently operational tactics being developed that can accurately determine if the password being used has been stolen.
Regarding phishing, Webster commented that today’s schemes are much more sophisticated than they once were, often no longer easily identifiable by once-common red flags like spelling errors.
Lau agreed, providing (in a slide) an example of a fairly sophisticated phishing text on a mobile phone. He pointed out that users are actually more prone to sharing personal identification on their mobile devices than they are via any other means.
As for malware, Lau stated that while it is a “very effective” means of account takeover, it doesn’t have the bulk-damage effect of data breaches, though it can certainly be a means of facilitating them.
While malware has taken a backseat to data breaches in the media, its growth rate, Lau shared, more than doubles every year – and those are just the instances we know about. There could be untold amounts of malware “in the wild,” he warned. And the threat continues to rise – particularly on Android devices, because Android is an open platform.
THE TROUBLE WITH TRADITIONAL METHODS
Lau described the two traditional methods for preventing account takeover fraud: on the front end, there’s a challenge question for password access when a device is not recognized; on the back end, there’s transactional review.
The problem with step-up authentication on the front end is that the customer experience suffers. As for transactional reviews on the back end, Lau explained that they cause all kinds of headaches for the merchant, because the process is very labor intensive. The customer experience is affected by the verification process, as well, as Lau illustrated by sharing the real-world example of a customer who had to wait over 20 hours for a transactional review to be completed.
Webster offered a key factor that can contribute to dissatisfaction with some eCommerce merchants, and that is customer expectation. When a consumer is used to Amazon, which is more or less frictionless – with nothing but a password required – the experience with other merchants can appear onerous by comparison.
A BALANCING ACT
Lau spoke about the need for a “balancing act” between fraud control and customer experience, explaining that it needs to be addressed holistically. When customers want immediate access to a merchant portal, that puts pressure on the IT team to deliver “anywhere, on any device, without security hassles.”
He warned, however, that “complaints cannot dictate excessive risk.” If a merchant opens itself to “tons of orders,” it could land itself in a very difficult financial situation with respect to fraud.
In order to pull off the balancing act, Lau attested that “[customer] identity should be considered far more strategically.” Not only is consumer identity an enabler for more productive operations, it is also a connection that can help identify unmet demand.
THE “SECRET SAUCE” OF THREATMETRIX
To this point, Lau unveiled what he called the “secret sauce” of ThreatMetrix: the Digital Identity Network.
As he explained, the Digital Identity Network provides a deep understanding of user devices and activities that can create “real time personas,” which – using the world’s largest repository of shared, anonymized identity and device recognition data – helps accelerate customers into a merchant’s website while filtering out cybercriminals.
When prompted by Webster to clarify exactly what he meant by “persona,” Lau explained that “persona ID is a combination of device and identity.” It is established by connecting an individual user with related attributes (such as email addresses, physical addresses, credit cards, IP addresses, and so on).
There are three main components of the Digital Identity Network that allow it to distinguish a legitimate customer from a cybercriminal: device analytics, identity analytics, and behavior analytics, which Lau explained in detail.
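To make the “persona” idea concrete, here is an added example (not ThreatMetrix code, and not the Digital Identity Network’s own logic) of how a merchant could link prior events into personas through shared attributes and then decide how much friction a new checkout deserves. The accounts, devices, emails and addresses are constructed; linking is done over account, email and device only, and the decision follows the step-up pattern described earlier in the webinar: a recognised device on a known persona goes straight through, an unrecognised device or a persona already tied to confirmed fraud gets a challenge or a review.

```python
"""Persona linking over device and identity attributes.

Added illustration, not ThreatMetrix code: prior events are linked into personas
through the attributes they share (account, email, device), and a new checkout
is then assessed against the persona it lands in, so step-up authentication is
applied only when the persona is unrecognised, inconsistent, or already tied to
confirmed fraud.
"""
from collections import defaultdict

# Attributes strong enough to link two events into one persona. IP addresses are
# kept as a signal but not as a link: a shared NAT would merge strangers.
LINK_KEYS = ("account", "email", "device")

# Constructed sample history (hypothetical accounts, devices and addresses).
HISTORY = [
    {"account": "alice",   "email": "alice@example.com", "device": "dev-A1", "ip": "198.51.100.10"},
    {"account": "alice",   "email": "alice@example.com", "device": "dev-A2", "ip": "198.51.100.11"},
    {"account": "bob",     "email": "bob@example.com",   "device": "dev-B1", "ip": "203.0.113.5"},
    {"account": "mallory", "email": "m@example.net",     "device": "dev-M1", "ip": "203.0.113.77",
     "confirmed_fraud": True},
    # Same device as the confirmed-fraud account above: links carol into that persona.
    {"account": "carol",   "email": "carol@example.com", "device": "dev-M1", "ip": "192.0.2.9"},
]


def _nodes(event):
    """Attribute nodes of an event, e.g. 'device:dev-A1'."""
    return [f"{k}:{event[k]}" for k in LINK_KEYS if event.get(k)]


def build_personas(events):
    """Union-find over attribute nodes; each connected component is one persona.

    Returns (personas, root_of): personas maps a root node to its aggregate
    (devices, ips, member accounts, confirmed_fraud flag); root_of maps every
    attribute node seen in history to its persona root.
    """
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving keeps the tree shallow
            x = parent[x]
        return x

    for ev in events:
        nodes = _nodes(ev)
        for n in nodes[1:]:
            ra, rb = find(nodes[0]), find(n)
            if ra != rb:
                parent[rb] = ra

    root_of = {n: find(n) for n in parent}
    personas = defaultdict(lambda: {"devices": set(), "ips": set(),
                                    "accounts": set(), "confirmed_fraud": False})
    for ev in events:
        p = personas[root_of[f"account:{ev['account']}"]]
        p["devices"].add(ev["device"])
        p["ips"].add(ev["ip"])
        p["accounts"].add(ev["account"])
        p["confirmed_fraud"] |= bool(ev.get("confirmed_fraud"))
    return dict(personas), root_of


def assess(event, personas, root_of):
    """Decide how much friction a new event gets: 'allow', 'step_up' or 'review'."""
    roots = {root_of[n] for n in _nodes(event) if n in root_of}
    if not roots:
        return "step_up", "no attribute matches any known persona"
    if any(personas[r]["confirmed_fraud"] for r in roots):
        return "review", "an attribute is linked to a persona with confirmed fraud"
    if len(roots) > 1:
        return "step_up", "attributes belong to different personas"
    persona = personas[roots.pop()]
    if event.get("device") in persona["devices"]:
        return "allow", "device already seen on this persona"
    if event.get("ip") in persona["ips"]:
        return "step_up", "new device on a network this persona has used before"
    return "step_up", "new device and new network for this persona"


if __name__ == "__main__":
    personas, root_of = build_personas(HISTORY)
    for ev in [
        {"account": "alice", "email": "alice@example.com", "device": "dev-A1", "ip": "198.51.100.10"},
        {"account": "alice", "email": "alice@example.com", "device": "dev-X9", "ip": "198.51.100.10"},
        {"account": "carol", "email": "carol@example.com", "device": "dev-C1", "ip": "192.0.2.9"},
    ]:
        print(ev["account"], ev["device"], "->", assess(ev, personas, root_of))
```

The point of linking on attributes rather than on the account alone is visible in the last sample event: carol’s own account has no fraud history, but the device she shares with a confirmed-fraud account pulls her into that persona, so her next checkout goes to review instead of straight through. The reverse also holds: a brand-new account that presents an already-known email and device is treated as the persona it belongs to, not as a stranger.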
CYBERCRIME GOES MOBILE
Lau shared the statistic that the average company loses $92.3 million a year to mobile fraud, a number that Webster described as “staggering.”
Mobile has proven to be a major challenge in the realm of fighting account takeover fraud because of what Lau describes as “three major buckets”:
1. Identification. Because of trouble related to data collection in the past, manufacturers and operating system providers have made it increasingly difficult for developers to uniquely identify mobile devices. They’ve given consumers more control in resetting those identifiers, and cybercriminals have taken advantage of this.
2. Jailbroken and Rooted Devices. Removing limitations and security controls around operating systems to gain access to things that were originally prohibited – such as restricted apps, and manipulation of elements within the phone (GPS, et al.) – renders devices more susceptible to malware.
3. Malware Injection. Lau called this one a “really big threat to mobile.” He explained that the dynamics have changed: in the past, getting malware onto a computer required certain permissions; but with mobile, it can be applied directly to legitimate applications and then go on to infect the device.
To deal with the issue of mobile, Lau explained that ThreatMetrix has developed its Mobile SDK. It’s a lightweight SDK library for iOS and Android that can be easily integrated with any mobile app and allows for a secure connection with a merchant’s mobile channel.
Choosing from the questions that were coming in from listeners of the webinar in progress, Webster posed to Lau the following:
“We know that cybercriminals are clever. After they’ve taken over an account, are they clever enough to change the information back to its original? Or are they working in such volume that they move on from one to another?”
Lau answered that both such cases exist. Some cybercriminals do try to cover their tracks, while others know they’re causing such obvious change that they just keep moving.
The next listener question related to “friendly fraud,” which occurs when a consumer falsely claims to have not received an online order and gets a refund:
“Would that go into a person’s profile on the Digital Identity Network?”
Lau remarked that “friendly fraud is very interesting.” The ThreatMetrix solution, he explained, comes in handy because – when a person claims not to have placed or received an order – the information in its database can better prove whether or not that’s true.
THE “MAGIC DATABASE”
Referring to the Digital Identity Network’s repository of information as the “magic database,” Webster pressed Lau to talk more about it, specifically with relation to how it gets smarter.
According to Lau, there are two aspects that contribute to the database’s robustness. First and foremost, the dataset grows perpetually richer as more is gathered. On top of that fact is the specific technology that ThreatMetrix is utilizing; Lau stated that the company is “constantly [building its] engineering efforts in regards to refining the correlation of events.”