It goes without saying that fraudsters follow the money. Since the U.S. lags behind other countries that have already adopted EMV card standards (so far, there are around 80 in total), it is only just beginning to see what those 80 other countries have already realized: As commerce moves online, so does crime.
And yet, as Vesta CMO Tom Byrnes noted, the percentage of commerce being conducted online is still relatively low. Despite everything happening in brick-and-mortar retail, from brands collapsing to shopping malls shuttering, the reality is that eCommerce still only makes up 10 percent of total retail spend in the U.S. Digital goods and online markets are still in their early days, believe it or not.
“The real story is, we’re just getting started,” Byrnes said. “The ceiling’s not even in sight. Amazon accounts for more than 40 percent of online retail spend, and the new brick-and-mortar builds for them are early days in a tectonic shift in the way retail operates in America.”
Shifting right along with it is the fraud landscape. Cybercriminals keep changing the predominant types of digital fraud and their trickiest strategies, keeping pure eCommerce players and anyone with an online retail presence on their virtual toes.
Countries that are further along in the EMV transition — about four years into the cycle, compared to two in the U.S. — have seen a 70 to 73 percent shift in criminal activity from retail point-of-sale (POS) settings to online channels. That’s because card-not-present (CNP) fraud is a much easier tactic, said Byrnes, since challenging a cardholder’s identity is more difficult online than in person.
New payment and delivery technologies have invited even more innovation from fraudsters, forcing retailers to up their defenses. Vesta’s Tom Byrnes said an annual study conducted by Javelin Strategy & Research showed companies spent 13 percent more on fraud defenses this year than last year and are investing 10 times more in fraud defenses than they are losing to chargebacks. In-house fraud shops are costing organizations as much as one-fifth to a quarter of their entire operating budget.
Surely there is a more efficient way to be using those funds?
Aside from streamlining and outsourcing, “there’s no silver bullet here,” Byrnes said. “The key to any effective eCommerce defense system is a layered defense.”
Byrnes walked PYMNTS through the latest threats and defenses.
The Modern Face of Fraud
Byrnes said there are three primary types of fraud: stolen credit cards, account takeover and friendly fraud.
The stolen credit or debit card is classic fraud. Unauthorized transactions are a bedrock of criminal activity on the web, Byrnes explained. The goal is always to steal and resell this data quickly. Credit cards go for around $0.25 on the dark web, he said — whereas a complete identity sells for a whopping $3.
Criminals often use these credentials to buy purely digital goods, such as concert tickets, so they can receive and resell the goods as quickly as possible, said Byrnes. Even if they list the tickets on StubHub for 50 percent off, they can still make hundreds of dollars off each ticket for certain in-demand events.
Byrnes said the rapid pace in this type of fraud is driven by the credit card’s short shelf life: Cybercriminals want to make the most of the stolen credentials before the real cardholder notices and cancels the card.
Account takeover certainly isn’t new, but it is on the rise. Breaches like the recent Equifax one aren’t making matters any better — although Byrnes noted that some of the information compromised in that high-profile breach may have been exposed earlier.
Account takeover happens when cardholder data is accidentally given to fraudsters, either through a breach or through a tricking mechanism like email phishing, spyware or malware. Unlike a credit card number, which can be canceled, the information stolen for account takeovers is static — things like cardholders’ names, birth dates and Social Security numbers, which never change.
Byrnes said criminals often sit on this type of information for a while. Again, it sells for around 12 times as much on the dark web and doesn’t expire. When they are ready to leverage the data, criminals may use it to open new accounts.
Or, they may burrow into existing accounts and change the shipping address using account passwords discovered during the initial hack. Since the hacker has the correct password, said Byrnes, this type of attack can be extremely hard to detect.
Finally, friendly fraud is one of the sneakier new methods, and the hardest one to fight, according to Byrnes. This is when a customer makes an online purchase with a legitimate card and then finds a way to get their money back while also keeping the goods.
Maybe the customer calls the bank to say they don’t recognize the charge, generating a chargeback for the merchant. Or maybe they claim the item was never delivered, was damaged, did not match the description, was returned and never refunded or was delivered despite the order being canceled.
In other cases, friendly fraud may be accidental: say, if a parent notices a large iTunes charge and disputes it, but, in fact, their child got a hold of their credit card and went on a music shopping spree.
Whatever the explanation, Byrnes said, “Friendly fraud is anything but friendly — and it’s the hardest fraud to fight, because some of these claims might be valid. There’s always a chance the customer might be honest.”
Unfortunately, said Byrnes, criminals are smart; they wouldn’t succeed if they weren’t. On top of these methods, which he said are reaching maturation after initially appearing on the scene a couple years back, there are newer methods of fraud being driven by advances in technology and customer service.
For example, eWallets have created a whole new “in” for criminals by letting them bypass the EMV chip reader at physical POS terminals. Instead, they are able to simply tap and pay with a digital version of the stolen card that they have uploaded into their mobile phone. To a card reader, this counts as a swipe transaction.
Byrnes noted that the eWallet strategy doesn’t work with the major mobile wallets — Apple and Android both have very secure digital wallets, he said. But banks sometimes issue their own white label eWallets, and, counterintuitively, these may not be as robust in terms of security and authentication.
Another new strategy is to abuse the “buy online, pick up in-store” (BOPIS) delivery option at hybrid retailers. Byrnes said this tactic works purely due to human trust and naivete: Since most American retailers are staffed by teenagers, these employees are more likely to trust an adult who shows up and claims to be collecting their order.
A 10-to-one fraud management to fraud loss ratio sounds expensive to those who’re not on the front lines fighting fraud. However, Byrnes said the ratio is comparing the wrong numbers. Rather than comparing spend to losses, it should compare spend to prevented losses.
Still, there’s no denying that organizations are spending more and more on fraud management as the years go by. One way to cut back, said Byrnes, is to consider outsourcing. In-house solutions are often spread across multiple departments, and the reason the cost is so high is simply that no one is looking at the aggregated cost.
In addition to the five or six departments involved, in-house solutions can also involve just as many outside vendors. It’s hard to shore up defenses when no one will admit where the weak spot is. A single-source solution is one way around that issue.
“Fraud is dynamic,” Byrnes concluded. “It’s asymmetrical. As soon as you get a defense in place, the fraudsters think of something new.”