Experts are predicting big things for the 2018 holiday shopping rush.
eMarketer predicts that 2018 will be the first year in U.S. history that holiday spending officially crosses the $1 trillion mark. And even if spend doesn’t quite hit the heights forecast, it seems likely consumers and retailers will be rather busy between now and the end of the year transacting.
That is the good news.
The not quite as good news, according to Yinglian Xie, CEO and co-founder of DataVisor, is that fraudsters will also be very busy this season, and will be particularly active on the many online marketplaces that have proliferated over the last decade. As customer spending climbs on these marketplaces, Xie told Karen Webster, so too will attempts to defraud those marketplaces and the shoppers who use them.
The holiday shopping rush is when fraudsters seek to monetize the stolen credentials that they have patiently assembled over the months leading up to the holiday season. It's also when they use promotions to lure consumers into the fake storefronts on those marketplaces that they have spent months beefing up to look like the real deal.
Xie says that the story of fraud on these marketplaces is now quite complicated — and for many of the reasons that are quite expected.
Fraudsters are opportunists, she said, and the massive spike in commerce activity on marketplaces over the holiday season is a perfect way for fraudsters to hide in plain sight in these high-traffic environments. Merchants — and marketplaces — are less likely to “see” the spike in fraud activity when it happens in the context of an overall spike in transactions to start with.
“The same kind of big spike in fraud activity during normal traffic would probably cause more of an alarm,” she noted.
Moreover, she added, retailers’ systems are often more strained during the holiday season because people take vacations. Staffing shortages often mean fewer eyes watching out for threats, which means that reactions are not as fast as they could otherwise be, and communication channels are often less effective.
Meanwhile, she said, because consumers are more likely to expect larger-than-average credit card bills during the season, they are much less likely to spot fraudulent charges than they otherwise might be.
“Attackers are always trying to game the system in the easiest way possible,” Xie said, “so when you combine all the different strains consumers and retailers are under together, the holidays become a great time [for them] to target online marketplaces.”
The Season For Fraud Monetization
Fraud, Xie noted, is first and foremost a business for the people who do it for living.
“The ultimate motivation of pretty much all the professional attackers we face is financial,” she remarked. “They need to make money off of this.”
Doing that includes identifying opportunities that increase the odds of their success — and planning in advance. So, Xie told Webster, fraudsters do a lot of prep work in advance such as stealing credentials, mining data, and forcing big information leaks — things that are not themselves directly monetizable, but support the big “event.”
“The holiday season is a good time to cash out, and we often see it as the final stop for monetizing stolen information or credentials that have been taken previously,” she said, with the dark web offering a massive marketplace where this data can be found, sold, and then resold.
None of this is new — not the dark web, not the holiday uptick in fraud — all of this has been a known part of retail for the last several years, Webster noted. And yet the problem persists — and is by some arguments becoming more serious.
The trouble, Xie noted, is that understanding a problem does not necessarily mean one has put the right tools in place to sufficiently fight back.
Adopting Sufficient Tools
The most common tools in the marketplace fraud-fighting arsenal, Xie told Webster, are rules-governed systems that may use some level of guided machine learning in the hopes of heading off any major large-scale, high-level security failure. The problem with that, she notes, is that attackers are technologically advanced, inventive and pretty flexible. They are also highly persistent. The tools mostly in use to ward them off, Xie said, are all very well known to the fraudsters, and not well-suited to spotting new attacks proactively.
“It’s very difficult for old solutions to work effectively in anything but a reactive way.”
The solution, she notes, is an unsupervised machine learning system that can evolve along with the fraudsters it is up against — and spot novel and new frauds in the making and respond to them.
“Ultimately that is a critical capacity for all firms to be safer during the holiday season,” Xie told Webster.
But making that change can be tough — particularly on the eve of the holiday shopping season — even when marketplaces know they are staring down a huge uptick in fraud attempts on their systems at the same time as they are facing a big swell of legitimate shoppers.
Retailers are deeply hesitant — and understandably so — about deploying new systems at this time of the year, even though logically it’s the time of year they should be adding more protection. The fear of introducing friction that compromises conversions is just too high.
But waiting to address this during more “quiet times” actually makes merchants more vulnerable, Xie said, because that spike of fraudsters isn’t there, and they may feel that their systems have it handled.
The question of how marketplaces should address fraud, she said, isn’t about how they can push those decisions after the season is over — but how to push them up, well before their big shopping surges begin.
The Economy Of Trust
The modern consumer does not lack for choices, Xie noted. There are countless retailers and marketplaces looking to woo their spend every minute of every day. That makes it harder to create a loyal consumer — and even harder to hold on to one, making the stakes for marketplaces much higher than they’ve ever been.
That makes an episode of fraud more than a lost revenue issue — it can also make it a lost consumer trust issue.
And that is particularly true on marketplaces, she noted, where chargebacks from false purchases aren’t the only risk a merchant faces. There is also the increasing problem of phony merchants sneaking on marketplaces and selling goods that don’t exist.
“The impact there isn’t just a chargeback,” Xie said “but the overall trust in the image of the marketplace. The customer starts asking themselves if the marketplace is trustworthy, if the vendors are for real. Solving only for the chargeback fraud misses a very big point.”
For holiday 2018, she noted, the security ship has likely sailed, since most marketplaces and retailers don’t want to start making major changes during their busiest traffic season — and even if they did, they need time to implement change. But it will never be too early to prepare for holiday 2019, when fraud attacks will surely spike again. Coming out of this holiday season and moving into 2019, marketplaces need to upgrade their mindsets on this subject along with their tools.
“The mindset that is needed is about how we now have to fight fraud across every channel — and in an adaptive way, because we just don’t live in a stative cybersecurity environment.”