Smart chip-enabled credit cards make up about 81% of all credit cards in the United States, according to Aite Group’s “EMV: Issuance Trajectory and Impact on Account Takeover and CNP” report. Chip cards, which follow the EMV standard (short for EuroPay, MasterCard, Visa) for debit and credit card payments in stores, use microprocessor chips rather than the decades-old magnetic stripe technology, making it more difficult for criminals to commit fraud in stores. Those cards, however, have driven criminals to exploit online merchants’ security gaps. As a result, card-not-present (CNP) and account takeover (ATO) fraud are on the rise.
“The sophistication of attack methods is evolving to automated, machine-driven attacks—such as using bot networks infected with malware without the device user’s knowledge, device spoofing in which criminals evade device recognition to masquerade as legitimate customers, and location masking that disguises true location—to compromise merchants’ defenses,” says Glen Goldstein, senior vice president of technology, retail and e-commerce markets at TransUnion, a global risk information provider. “This is leading to more incidents of CNP and ATO fraud.”
To fight back, merchants must move beyond rules-based systems to embrace technology that can quickly respond to threats by incorporating information from digital and device layers to better identify fraud risks. “Digital layers can analyze behavior on a website from the moment of first interaction, looking for behaviors such as session velocity,” Goldstein says. “Device layers can analyze attributes of the device itself, such as geolocation and reputation.”
Many retailers still rely on static, single-layer tools to safeguard their transactions, Goldstein says. The most commonly adopted fraud detection tools still rely on verifying that the address provided matches the one on file with the payment card, according to the 2017 report “Online Fraud Benchmark Report: Persistence is Critical,” by e-commerce payment management company CyberSource. “These static, rules-based tools can’t learn from new methods of fraud,” he says. “And they’re easily bypassed by sophisticated attack methods, putting merchants at risk.”
Retailers need to adopt next-generation, dynamic, multilayered fraud detection tools to combat rising payment fraud and to prevent evolving security threats. Multilayered tools use advanced techniques to inspect device attributes, such as malware infection, and detect the true location of devices, deterring the use of device spoofing and location masking.
“As opposed to static methods of detection, dynamic tools use machine learning to learn from the patterns and behaviors seen on a merchant’s site,” Goldstein says. “These tools can identify deviations, such as abnormal session velocity or path to purchase in real time, helping prevent coordinated bot attacks.”
To win the fight against fraud, retailers can’t take on the task alone, Goldstein says. Instead, they should partner with a provider such as TransUnion that has access to the broadest and most actionable data sets available, through its IDVision Suite of Fraud and Identity Solutions. IDVision leverages these data sets with technology that examines the risk of individual transactions using machine-learning technology with a digital device layer to stay ahead of constantly evolving threats.
For example, a large U.S. company in the gift card space recently faced a sophisticated automated fraud attack, which led to a sharp increase in the number of fraudulent transactions flagged by its TransUnion fraud prevention technology. At one point, fraudulent attacks accounted for 92% of transaction attempts, but the technology caught the fraud, saving the company an estimated $165,000 in potential lost revenue.
“Our tools allow merchants to better identify real and fraudulent online transactions in real time so they can conduct business confidently in faceless channels,” Goldstein says. “As fraud continues to grow, this is becoming increasingly important for retailers.”
This article originally appeared in the Internet Retailer magazine March 2018 edition.