Hackers coming in through the front door
Why would anyone take the trouble to scale a fence and crowbar their way through a virtual back window when there's a much easier route to break in: unlocking the front door?
According to Akif Khan, director of products and services at CyberSource, by disguising themselves as legitimate customers, fraudsters are waltzing past the defences of online retailers and walking away with their products. He looks at the best way to defend against this without damaging the customer experience.
You don't need to break into an online shop to steal from it, not if you can pretend to be a real customer. Pull this trick off and you don't even need to carry the goods away: the retailer will deliver them to your door.
With the increasing availability of real customer data following a series of large breaches, fraudsters are no longer playing guessing games. Where they once had to string together snippets of stolen data, today they have a complete disguise and can appear almost indistinguishable from a completely legitimate customer.
Very basic fraud screens look simply at the customer's card data. Historically fraudsters may have only had some of this information – for example, copied from the front of a credit card – and filled in the blanks with their online resources or number generators, trying multiple variations across multiple stores until they succeeded in making a purchase. A number of measures have made this approach increasingly difficult for the fraudster.
Online merchants started requesting additional information, like the card verification number to thwart this approach; forcing the fraudster to obtain data from the back of the card as well. Linking transactions to the cardholder's address meant yet more data the fraudster had to replicate.
Adding velocity checking – looking at how many times the card had been used across a number of merchants within a given time frame – further reduced the chances of success for these scattergun attempts at fraud.
So fraudsters moved on, acquiring and using real card data, complete with card verification number and genuine cardholder addresses. Because they knew the card data was accurate they could focus on making smaller numbers of high value transactions and not worry about tripping velocity checks.
In response, merchants stepped up their game; matching IP addresses to customer locations and even applying basic ‘fingerprint' technology to the computers used to place an order, capturing an array of information about the device and matching it with previous transaction histories. This has been a sufficient level of protection for most merchants until recently, but today fraudsters are finding ways around even these checks.
One option for merchants is to increase the sensitivity of their range of tests, but this can carry risks. The false positive rate could potentially rise, leading to the unnecessary rejection of real customer orders and the acceptance of fraudulent ones. Usually each transaction that is considered suspicious will be manually reviewed, but flagging more transactions can impact the consumer's experience if this is not carefully managed.
Though it may result in more fraud attempts being identified, simply making current controls more sensitive may ultimately reduce profits and damage customer relationships.
It is worth noting that CyberSource's 2011 UK Online Fraud Report found that merchants' average order reject rate had indeed increased, yet the proportion of fraudulent orders that were accepted had also risen.
So what can merchants do? Organisations should consider bolstering their automated screening mechanisms by including more sophisticated fraud detection tools. The latest device fingerprinting technology includes ‘packet signature inspection' which has the ability to identify if a device is operating behind a proxy (used to disguise certain features or spoof a computer's true identity and location) or if it is displaying behaviour associated with machines under the control of another device (such as sending out spam, or scanning firewalls for weaknesses).
If these conditions exist, attempts can be made by the merchant's fraud screen (which incorporates device fingerprinting) to ascertain additional information about the controlling device, including whether or not it has been previously profiled by the technology and the reality of its IP and geolocation characteristics.
Combining and cross-referencing this additional data with the appropriate global data sources, such as feeds of known infected computers or global transaction history, can help to identify a fraudulent order, even if the address, card and IP information appear to be ‘clean'.
For example, it may detect if a particular device fingerprint has been seen with multiple credit card numbers, or if the same true IP address has been hidden behind multiple proxy IP addresses.
As ever with the fight against fraud, the fraudsters continue to evolve their practices, and so must the wider eCommerce community. Today ‘cleaner fraud' is just one of many threats, and with the price of a stolen identity so low, it is only a matter of time before more fraudsters migrate their tactics from brute force to subtle disguise.
Adding the sophistication of packet signature inspection to automated fraud screening can help give merchants the edge again in detecting fraud, and specifically in overcoming the challenge of ‘cleaner fraud'.
The latest edition of the CyberSource UK Online Fraud report shows that only seven per cent of merchants have yet implemented any form of device fingerprinting. If they are to recognise the difference between a customer and a fraudster in the future, it's a step that many merchants should consider taking.