The seemingly incessant tsunami of data breaches, cyberattacks, identity theft, and all things cyber threat has necessarily ratcheted up the cost of prevention.
Almost every day we hear of a new breach. Accordingly, as far as cost centers are concerned, who can argue that cyber-spend is not a wise investment?
Customers, brand, and market share are all in the crosshairs, so spend is eminently prudent. Yet, what if you could also use your interdiction efforts to turn the online fraud prevention cost center into a revenue generator? Put another way, what if the efforts expended to stop bad actors can simultaneously provide the benefit of greater top-line results? That small pivot can turn your fraud prevention efforts into cash!
Treat the Symptom to Stop the Pain
The reaction to a cyber event is predictable and remarkably similar irrespective of the victim. Let’s take online retailers, for example. First, retailers want to stop it from happening again. Usually, that response is manifested in technology investments, people and much more stringent access rules for people interacting with the affected website. The reaction is understandable, as the media, your board of directors, your boss, and most importantly, your aggravated customers, are all clamoring for assurances that the breach cannot happen again. Therefore, you scrutinize every single transaction that touches your website.
The upside is typically an immediate impact on stemming bad actor behavior and, in fact, fraud rates may diminish. The downside is that legitimate customers are, at best, inconvenienced and, at worst, abandon the retail transaction. In an online world where approximately 95 percent of transactions are legitimate and abandonment rates are close to 30 percent when too much friction is introduced, the lost revenue often exceeds the cost of fraud.
Equally problematic, the customer who was trying to buy from you has just clicked over to your competitor’s website to purchase the product he or she would otherwise have purchased from you.
The second reaction to a cyber event is to rely on IT to harden the affected assets or intellectual property (IP) to ensure that it is no longer vulnerable. While hardening IP is a prudent and necessary approach, more often than not, IP is not the target. Today, most bad actors are attacking e-commerce and other websites to steal and scrape digital identities. If a cybercriminal can get your identity, he or she can now potentially have access to everywhere and everything within your sphere of influence and commerce. The fraudster can get into email accounts, bank accounts, work networks, and the list goes on. So, while the initial reaction may be the tried and true approach to stopping the immediate pain, ignoring the new digital identity target may result in much more severe consequences than the loss of IP.
It’s All About Your Digital DNA
When you think about it, a digital identity is the gift that keeps on giving. With a clean credential, a new device and some social engineering, fraudsters can leverage the initial stolen digital identity to essentially go anywhere on the Internet. With global shared intelligence derived through interactions across a variety of websites, you have the benefit of information like email addresses, account markers, geo-locations, associated devices and relationships that will help inform you as follows:
- How is my customer interacting with the site? What is the device type? Is there anything anomalous with the device? Is it compromised? Is it a device?
- Who is the purported customer? What is the device and credential combination? Have I seen it before? Where have I seen it? How long has this association existed? What are related associations?
- How is the customer behaving? Is the transaction type anomalous? Is there a new association that is acting in a new way?
Global shared intelligence that provides you this type of real-time information in an anonymous manner allows for correlation of the digital identity to the transaction so decisions can be made based on known behavioral and identity attributes rather than generalized reactions.
Avoiding Self-Inflicted Pain
Here are a few “gotchas” to avoid so your customers are protected and not alienated:
- Assuming customers are guilty until proven innocent – Rather than placing trust in returning customers, many retailers assume customers are guilty until proven innocent. This approach turns away customers if there’s the slightest hint of suspicious activity. The immediate result: lost revenue due to the incorrect labeling of users as fraudulent or suspicious.
- Adding step-up authentication – Step-up authentication includes SMS text messages or a challenge question initiated when a merchant realizes the customer is using an unrecognized device. E-commerce merchants assume that if customers can answer the question, they must be authentic. The problem is that this approach adds cost to the enterprise and friction for the customer. The immediate result: the cost of the SMS, the cost of the customer service calls to remediate inaccurate contact information, and an aggravated customer.
- Relying on antiquated cybersecurity software – If your fraud prevention efforts are designed around perimeter security or based on early versions of device fingerprinting solutions, you will likely find yourself ill-equipped for the cyber challenges. Moreover, if your solutions are simply focused on hardening certain assets against unauthorized access, a fraudster with a clean device and good credentials will get in. The immediate result: a false sense of security and potentially exposed identities.
Printing Cash and Growing the Top Line
Using an approach that leverages digital identities and global shared intelligence to identify good customers in real time will reduce friction and the associated step-up costs without having to accept higher risks or fraud losses. The immediate impact: less transaction abandonment, immediate top-line revenue, less brand blowback, more returning customers, and less step-up authentication, reducing overall costs.
The key to turning your fraud prevention efforts into cash is to leverage a complete picture of your customers across all online activity, transparently and privately, to ensure you eliminate friction and minimize fraud – understanding their digital DNA as the ultimate identifier.
Frank Teruel is CFO at ThreatMetrix.