According to new research from ACI Worldwide, this holiday season we can expect to see a spike in online retail shopping fraud. Part of this is due to the fact that Americans are finding online shopping more convenient than its brick and mortar counterpart, but part can also be attributed to new Chip-and-PIN credit cards.
While the vast majority of retailers have invested in the new better-secured card readers, many of those same retailers are doing the bare minimum to identify and authenticate their customers who shop online, so fraudsters are naturally flocking to the ecommerce weak spot. And while there might not be a huge financial incentive to bolster security infrastructure, retailers that do will ultimately be rewarded with loyal customers who come back because they feel your online store is watching out for their best interest.
Trouble Brewing
The ACI Worldwide report also shows that online retail fraud attempts have increased 30 percent year over year. This includes a big increase in card-not-present (CNP) fraud attempts. One out of 86 transactions this year consisted of a fraudulent attempt. Last year that number was one out of 114. What’s more, the same report found that fraud attempt rates by value have increased by 33 percent compared to last year.
Mike Braatz, senior vice president, Payments Risk Management, ACI Worldwide said in the report, “When it comes to fraud, 2015 is likely among the riskiest season retailers have ever seen; and it is critical that they prepare for a significant uptick in fraud, particularly within ecommerce channels. Our findings suggest that merchants must be even more vigilant and shore up ecommerce fraud protocols, which may leave online shoppers more vulnerable.”
Protective Technology
The good news is that there are three technologies ecommerce channels can adopt today that will better protect customers and protect against online fraud attempts: proactive risk managers, contextual authentication and User-Managed Access (UMA).
A proactive risk manager, such as the type ACI produces, is a broad financial crime management solution that help card issuers, merchants, acquirers and financial institutions combat fraud and money-laundering schemes. They bill themselves as “a complete fraud detection solution” that manages risk across a financial institution’s business lines and customer accounts. The technology combines predictive analytics and a set of defined rules that allows fast, accurate and flexible response to the evolving and growing nature of fraud and money laundering. This technology is able to monitor cross-channel fraud, which protects any channel within retail and wholesale banks, merchant retail or processors. It’s able to spot trends using real-time and near-real-time analytics strategies. The proactive risk manager can protect against varying fraud types, including debit and credit card fraud, money laundering, online banking fraud, wire fraud, ACH/BACS fraud, account takeover and credit abuse. And it’s also able to minimize risk by accepting transactions from any channel within a retail or wholesale bank and providing an end-to-end, enterprise-wide fraud detection.
Contextual authentication is a new identity management technology that looks beyond the simple username and password login and actually understands the deeper context of a user’s activity on a website. Most online retail sites simply require a username and password to get past the firewall and access an account. While some retailers use two-factor authentication in the form of security questions as an additional security measure, these forms of security are still vulnerable to the likes of social engineering. The new, deeper form of contextual security works in the background to observe changing circumstances even after a consumer has been verified with a username and password.
With contextual authentication / authorization, another level of security further prevents against the rise of cyber threats. The ability to understand customers’ account interaction and geolocation allows companies to develop individual digital patterns that can quickly verify a legitimate user or identify a fraudster. In the event an anomaly is detected (for instance, an online account that is typically accessed during daylight hours on the US East Coast gets accessed from an IP address originating from China at 3am East Coast time), the software can stop the application until another form of authentication has been provided.
User-Managed Access (UMA) is an open standard that enables a consumer to control access to his or her personal data. UMA is based on a standard called OAuth that readers may be familiar with in circumstances such as “social login,” used in the process of letting consumers log in to websites (including retail sites) through their Facebook, Google, or PayPal accounts. Social login can even be a precursor to using PayPal for payment, along with supplying needed information such as shipping address and phone number. OAuth is convenient for recording that the user consented to supply this personal data and the payment itself – and consent is an all-important consideration these days as we learn that multinational and global retail firms must consider the regulatory environment around privacy as they do business with EU citizens.
UMA improves the fraud, security, and risk picture by letting retailers give customers the convenient ability to share sensitive personal data with other businesses and users selectively, without tempting those users into bad security habits such as sharing their passwords. UMA also provides a firm foundation for retailer compliance to the new consent regulations just around the corner. If you’ve ever used an online tool like Google Docs, think of how you can hit a “Share” button right when you decide that someone else needs to view – but perhaps not edit – a specific document. Now UMA can give that power and more to anyone who wants to share shipping data, dress measurements, wish lists, and other sensitive information – and it can protect even payment APIs across application ecosystems.
The 2015 holiday shopping season is already in full swing, but merchants looking to provide more secure online shopping experience in 2016 would do well to take a deeper look into all of these security measures in the new year.
Eve Maler is VP of Innovation & Emerging Technology in ForgeRock’s Office of the CTO