As we enter 2021, the changes in consumer buying behavior brought on by the global pandemic are becoming the new norm. With lockdowns continuing into the New Year and access to stores drastically restricted, online shopping is now, for many consumers, the primary retail channel. New terms such as BOPIS (Buy Online, Pickup in Store) have entered our everyday lexicon, and many consumers have no intention of going back to their previous buying habits.
With these new buying behaviors come associated changes in security and risk. Fraudsters are always seeking new opportunities to strike, and the disruption in retail created by the pandemic of 2020 has left the door open for new types of attacks.
For online retail, payment fraud is a loosely defined industry term covering any type of fraudulent transaction associated with the purchase of goods. For retailers, this includes not only transactions using stolen credit cards and credentials, but also lost or stolen merchandise and false return of goods. These costs, together with chargeback fees, add up significantly for retailers.
The increase in online retail has made fraud easier to commit than it would be in person. With online purchases, the fraudster does not need to visit a physical store or present a physical credit card, making it harder for the retailer to verify that the purchase is legitimate. To detect payment fraud, online retailers must verify not only that credit card and payment information is valid but also that it is being presented by a legitimate customer.
This new normal for retail warrants a fresh look at, and an update of, best practices for avoiding payment fraud. Identity theft is the fuel for payment fraud, and online retailers need to look at additional signals to detect fraudulent activity. The particular focus should be on user behavior: unlike static credentials, user behavior is dynamic and harder to fake or steal. Best practices now call for incorporating device and user behavior in risk assessment when authenticating users and transactions.
Use of Stolen Credentials
For online retailers, the use of stolen credentials is a continuing and growing threat for payment fraud. Fraudsters get their hands on an individual’s credit card information and other related personal information and then make fraudulent purchases. With the large volume of personally identifiable information available on the Dark Web, fraudsters have easy access to information, and ultimately an easier time committing fraud.
Best Practice: Look beyond static credentials and incorporate dynamic fraud detection techniques, such as behavioral biometrics, that are capable of identifying anomalies in user behavior.
The emergence of synthetic identities poses a new and growing threat to online retailers. Synthetic identities are created from pieces of real customer information (stolen or purchased) combined with fictitious information to construct a fake (synthetic) identity. Typically, a few smaller transactions are completed with the fake identity before attempting a larger payment fraud. Payment fraud using synthetic identities can go undetected longer since there is no real customer to complain or raise the alarm. Traditional defenses are not well equipped to detect this type of fraud.
Best Practice: Increase fraud detection at onboarding to catch synthetic identities before they open accounts. Check for inconsistencies between location behavior and stated home address.
Mobile Device Integrity
The shift of online retail to mobile has been accelerated by the global pandemic. Contactless payments and BOPIS have made mobile devices the go-to method for online purchases. Fraudsters typically obscure their mobile device characteristics, faking their location using spoofing and mobile emulators. Online retailers should check for use of any of these tools, as it is a tip-off that an order comes from a fraudster.
Best Practice: Verify device integrity as a starting point for fraud detection. Check for jail-broken devices, use of mobile emulators and location spoofing.
Fraudsters never reveal their real location. In 2021, online retailers should be upping their game on location behavior detection. Starting at onboarding, online retailers should continuously check that the stated home address and bill-to address correlate with the user's location behavior. More than 80% of legitimate users open new accounts from their home, and within 24 hours more than 95% of users have visited their stated home address.
Best Practice: Implement continuous address verification to detect user behavior inconsistent with account information. Check that user location behavior is consistent with the stated bill-to and ship-to addresses.
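The address-consistency check described above can be sketched as follows. This is an added example, not code from the original article or any vendor; the 1 km home radius, the field names, the reason strings and the `mock_location` flag (assumed to come from the device-integrity check) are all assumptions, and the stated home address is assumed to be geocoded already.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

HOME_RADIUS_KM = 1.0   # assumption: how close to the geocoded address counts as "home"
VISIT_WINDOW_H = 24    # the 24-hour window cited in the text

@dataclass
class Fix:
    hours_since_signup: float
    lat: float
    lon: float
    mock_location: bool = False  # assumption: set by the device-integrity check

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def address_risk(home, fixes):
    """Return the risk reasons for one new account (empty list = consistent)."""
    reasons = []
    trusted = [f for f in fixes if not f.mock_location]
    if len(trusted) < len(fixes):
        reasons.append("mock_location_seen")
    if not trusted:
        return reasons + ["no_trusted_location"]
    at_home = lambda f: haversine_km(home, (f.lat, f.lon)) <= HOME_RADIUS_KM
    signup = min(trusted, key=lambda f: f.hours_since_signup)
    if not at_home(signup):
        # Weak on its own: fewer than 20% of legitimate users, per the text.
        reasons.append("signup_away_from_home")
    if not any(at_home(f) for f in trusted if f.hours_since_signup <= VISIT_WINDOW_H):
        # Strong: more than 95% of legitimate users visit home within 24 hours.
        reasons.append("no_home_visit_24h")
    return reasons

# Constructed sample data (not real customers); HOME is the geocoded stated address.
HOME = (40.7128, -74.0060)
ACCOUNTS = {
    "at_home": [Fix(0, 40.7130, -74.0062), Fix(5, 40.7500, -73.9900)],
    "commuter": [Fix(0, 40.7580, -73.9855), Fix(10, 40.7129, -74.0061)],
    "remote": [Fix(0, 34.0522, -118.2437), Fix(20, 34.0500, -118.2500),
               Fix(30, 40.7128, -74.0060)],
    "spoofed": [Fix(0, 40.7128, -74.0060, mock_location=True)],
}

if __name__ == "__main__":
    for name, fixes in ACCOUNTS.items():
        print(name, address_risk(HOME, fixes))
```

The reasons are returned separately rather than as a single score so that the weaker signal (account opened away from home) can be weighted differently from the stronger one (no home visit within 24 hours).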
With the increase of online retail, fraudsters are looking to capitalize on opportunities for financial gain from payment fraud. Best practices for fraud detection increasingly call for the use of user and device behavior to make sure that legitimate users are making legitimate purchases.