Today we have the advantage of staying connected wherever we are, which gives us the convenience of completing our holiday shopping from home or our working space at any time of day. This convenience, however, comes with a price, which can sometimes present itself literally. Cybercrime is prevalent in our daily news; stories that discuss the lack of security or how some fraudster managed to bypass security barriers in place can cause customers to wonder how secure they are when shopping online.
Due to the state of the economy, there exist a number of speculations surrounding the 2008 holiday season, one being the potential increase in the cost of retail scams. The goal of any e-commerce company is to save time and money while protecting legitimate customers. But how can you protect your customers and your bottom line at the same time? As the 2008 holiday season approaches, it is important to discuss the old and new threats that exist, and what solutions are available to help manage them.
E-commerce companies will always face similar types of fraud attacks; it is, in a way, the nature of the beast. As long as security barriers exist, fraudsters will try to get around them to get the product or information they’re after. This year is no different as fraudsters illustrate that you can, in fact, teach an old dog new tricks, as they have reshaped the typical “old” attacks.
Reshipping Schemes: In the past, fraudsters and cybercriminals would obtain a tracking number for an ordered item and would divert the delivery en route. This would leave the unsuspecting customer in the dark as to where their product went, resulting in a sunk cost to the merchant, who most likely would resend the product to keep the customer happy. Since some legitimate customers needed this service, there was no easy way to instruct a delivery company to refuse redirect deliveries. This led to the “pot luck” style scam, in which crooks would attempt to reroute packages by guessing tracking numbers. This proved to be a poor way to make money, as they could not guarantee the product they would receive.
This led to the creation of call-tag schemes, in which fraudsters use stolen credit card information to make a purchase, using all matching information to the credit card, including the address matched to the card. This enabled fraudsters to bypass all the fraud checks of the merchant.
By monitoring for the delivery of the item, the fraudster calls the credit card holder — posing as an employee from XYZ Company — to explain the delivery was a mistake. They claim they will pick up the item with a prepaid envelope to ship back for your convenience, and the charge will be removed from your credit card. Needless to say, the charge is not removed, and the fraudster succeeds in receiving the item they were after.
Phishing Scams: Although not new to cybercrime, phishing scams are making a comeback as companies experience mergers and acquisitions. Posing as the acquiring or merging company, fraudsters send out e-mails or letters directing unsuspecting customers to a mock site, one that looks identical to the expected site. After customers provide their user ID, or various other types of “confirmation” information, the site will show a denial of service (DoS) page, leaving the customer to assume the information was not received. This customer information, however, has been compromised.
e-Gift Cards: As people shift from physical gift cards to e-gift cards, personal information becomes readily available online, opening a door for fraudsters that did not previously exist. Using this information, fraudsters are capable of purchasing a number of gift cards of varying amounts and selling them online, frequently on auction sites. (A word of caution: gift cards that cost 10 percent less than face value may be too good to be true.) These transactions can be difficult to detect as fraudulent due to the total amount, especially when in the form of gift cards. It can also prove to be difficult to link gift card purchases to the fraudster completing the transaction.
With fraudster sophistication levels continuously on the rise, there exist new threats of fraud for e-commerce companies.
Fraud Rings: Fraudsters are getting better at fraud ring activities, causing many merchants to find it difficult to link transactions to find fraud. A recent example of a ring in action found fraudsters targeting various different merchants online, buying a high-end camera from one, memory cards from another and accessories and lenses from others.
Botnets: As people more frequently rely on technology, there exists an increased risk in the security of information accessed or put into a device. A botnet is a group of computers or mobile devices that run both autonomously and automatically. Although not always bad (since many bots can be a network of computers using distributed computing software), botnets are typically associated with malicious software or compromised computers.
Fraudsters and cybercriminals have become so advanced that they can create an army of bots to provide them with sensitive information in an organized and strategic manner, all of which can be controlled from either a single remote location, known as Command and Control, or like a hydra with multiple sources. Frequently, users of the bot machines, also known as victims of botnets, do not even know they are infected. This can result in the loss of significant, sensitive information, further resulting in the potential increase of fraudulent transactions.
Managing the Threats
What is important to note is there is no silver bullet to preventing and detecting fraud. There is no one technology to be implemented to make everything secure. The bad guys will end up with cash when they put time into it. This means we must be ever so vigilant in establishing our methods of security.
Given the highly competitive nature of the e-commerce industry, it is imperative for merchants to protect their customers and their brand. There are many possible lines of action that companies can take to detect more fraudulent transactions. Using a combination of multiple tactics is the most effective because it creates a complex net that fraudsters would have to negotiate. Here are 10 of the key approaches to fighting fraud through your organization:
- Check for billing and shipping address
- Increase device ID data
- Maintain standard checking systems
- Know that Internet protocol addresses can be spoofed
- Check for lazy keystrokes
- Be wary of anonymous e-mail addresses
- Check for ‘e-mail tumbling’
- Continue to conduct manual investigations
- Capitalize on discovering bad transactions
- Use free mapping tools
Although many of these approaches will raise red flags on suspicious transactions, focusing on only one or two will mean there are still many that can slip through the net. The parameters you choose to set as a business will depend on a wide range of factors — from the characteristics of your customer base to the capability of your fraud team — but within these 10 steps are approaches that will cut some fraud from your business.
Ori Eisen is the founder, chairman and chief innovation officer of security firm 41st Parameter.