No matter the attack vector, bad actors have a singular strategy in place when it comes to eCommerce fraud, Jason Paguandas, VP and GM, Merchant Security and Fraud, Carat from Fiserv, told Karen Webster.
“They want to accumulate as much data as possible, and even payment credentials,” he said, “so that they can best monetize that data through the ecosystem.”
Information, after all, is power — and the fraudster who gains access to consumer or bank-level information wields the power to wreak havoc.
No surprise, then, that we’ve seen “mass compromises” of customer-level data, device-level data … and increasingly, non-traditional forms of data that are used to verify customers.
To be sure, some of the old tried-and-true methods are still being deployed by fraudsters — including phishing scams that uncover sensitive data used in account takeovers. But now, he said, criminals have been able to obtain biometric information and identifiers — such as voices (you likely have been on the receiving end of callers and numbers you don’t recognize on your cellphone) — in order to gain access to accounts.
And in a pivot akin to that old hockey aphorism of skating to where the puck is, fraudsters have also been targeting merchants’ digital wallets, as they have become enticing stores of value.
Merchants and financial institutions now have to be mindful of their own customers, too.
“We’re seeing a preponderance of what we in the industry call first-party abuse,” said Paguandas, who said that refund abuse is accelerating. In some cases, the customer may have the best of intentions, as they’ve ordered a number of items that, once received, simply don’t satisfy their expectations or needs. But refunds, he said, have “hard costs” for businesses, as funds are returned to consumers, sales are lost, and restocking inventory takes time and money.
But there are ways for forward-thinking merchants and financial institutions to bolster their defenses — keeping bad actors out and good customers (and orders) in the mix. To be sure, tokenization and data encryption help, but are not the be-all and end-all of fraud-fighting efforts.
The wealth of data on hand, the individual-level information that crosses the ecosystem in real time, Paguandas said, allows merchants to gain insight into the “typical” behaviors of those customers. Knowing that a particular individual might return an item once a quarter or purchase certain types of goods with regularity gives some indication of how they act and transact.
Anomalous behaviors (a stepped-up frequency of purchases, for example) can signal the merchant to scrutinize transactions more closely, sending them for manual review, perhaps, or denying a purchase outright. A consortium approach, he said, can serve up information about a bad actor — perhaps they use a certain device, operate from a certain IP address, or use a certain screen resolution or language as they navigate their devices — which can serve as a flag to others.
As merchants and banks link up with providers such as Fiserv — which he said acts as a “facilitation point” — they’re able to take a risk-based, tiered approach to stepping up authentication as needed. Fiserv, he said, offers client firms a risk “score” and can customize business rules applied to customers — parameters governing the number of transactions and other metrics for different types of customers, or even across different selling seasons.
“At a ‘9’ risk score (on a scale of 0 to 9) you might detect fraud at a 3-to-1 false positive rate,” Paguandas said, “and you might detect half of the fraud within a particular population.” The risk-based analytics and tailored approach, he said, find the sweet spot between keeping fraudsters out and good transactions in.
As he told Webster, “When it comes to both good and bad customers, there is a wealth of data that merchants, banks, networks and acquirers all possess that helps us in this journey as we combat fraud.”