Fighting New Account Fraud Before it Gets to the Checkout
Many of the fraud losses stem from fake accounts that are created off season, silently aged, and then used during high-traffic days, where they can fly under the radar.
When ‘Holiday’ and ‘season’ go together, merchants hear only one thing: “Fraud losses ahead!” With the holidays coming up, spotting fake accounts in a sea of legitimate users is next to impossible for retailers. Most businesses don’t have visibility into which accounts are being used suspiciously until the fraud has already happened. Merchants find out about the loss, for example, when a chargeback comes in from a credit card owner whose payment information was used in an illegitimate transaction.
To make matters worse, U.S. credit card fraud losses are expected to exceed $12 billion by 2020 according to the Nilson Report. As for loyalty points, the other candy for bad actors, there is an estimated $225-$350 billion in unclaimed rewards, a sizable target for cybercriminals.
E-tailers are starting to gear up for Black Friday and Christmas, the next dreadful seasons for fraud. Unlike brick and mortar stores where the clerk can see the customer and even exchange pleasantries with her, selling goods and services online can feel like being in a blackout. The information from the user is there, on the screen, but the question remains: are you really who you say you are?
This concern is justified. In 2017 alone, NuData found that 36% of the new accounts created were fake. When these accounts are not detected in time, they are used to make fraudulent transactions.
Companies and Cybercriminals Getting Ready for the Holidays
The cybercriminal minions are hard at work to create realistic accounts with synthetic identities, using the information from the endless breaches. Although automation is the most used tool to create these accounts, we also see more human farms that attempt to bypass bot-detection tools. With human farms, cybercriminals can often get around technologies that look for automated patterns only.
As cybercriminals perfect their good-user disguise, it is harder for merchants to separate high-risk from low-risk traffic and, too often, companies opt for additional verification layers that frustrate legitimate users.
Separating not only machines from humans, but bad humans from legitimate ones is the most delicate challenge retailers and merchants are facing. Companies strive to provide a seamless user experience from account creation to checkout while weeding bad users out. But, how can one achieve this during the holidays?
Understanding Automated Threats
Automation is widely used to create new accounts due to its low barrier to entry and the ridiculously cheap software it requires. There are two main types of automated attacks: server-side scripting, where the script is designed to attack servers, APIs, and browser HTML; and browser-side scripting, a more complex type that includes GUI scripts, input replays, and input emulation.
However, these attacks always leave a trace, and it’s important for companies to have advanced tools that identify them. Every day, NuData sees mass-scale attacks trying to hide their location and device information, and constantly changing their IPs. Cybercriminals are very sophisticated, and it’s not unusual to see each IP used as few as five times in 24 hours during a mass-scale attack, making it harder for basic security tools to detect them.
When the Enemies Are Human
Even if the attacker is human, there are ways to spot the fly in the ointment. Human farm workers create new accounts over and over again, developing automation-like patterns – like Chaplin in Modern Times, tightening the one screw repeatedly until he became a machine. It is this constant repetition of the same action that gives these attackers away.
Signals such as how familiar users are with the form, how fast they fill it out or what keyboard shortcuts they use are powerful risk indicators. This information helps companies weed out their fraudulent accounts and monitor those that need a closer look.
More human farm signals include skipping the optional fields in a form and copy-pasting the fields. By tracking the user patterns, cybercriminals can be spotted and blocked from the environment.
Protecting New Accounts
To differentiate holiday shoppers from holiday mobsters, some major eCommerce companies are using passive biometrics and behavioral analytics – technologies that monitor hundreds of online identifiers like how hard a person hits the keys on the keyboard, how they swipe from page to page or how they hold their device – to create the profile of a customer. With these technologies, companies detect suspicious behavior on new accounts.
Using these technologies, merchants can trigger application speed bumps like SMS, email validation, or captchas for those suspicious new accounts. This weeds out imposters and allows merchants to offer rewards and other bonuses to key customers while stopping fraud before it hits the checkout.
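The human-farm signals described above (fill speed, copy-pasting, skipped optional fields, keyboard shortcuts, constant repetition) combined into a speed-bump decision. This is an added example, not NuData's code: the field names, weights and thresholds are assumptions, and the sign-up records are constructed. Sessions are grouped by behaviour rather than by IP, since the article notes that each IP may appear only a handful of times.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Signup:
    ip: str
    fill_seconds: float   # first keystroke to submit
    pasted: int           # fields filled by paste
    fields: int           # fields filled in total
    optional: int         # optional fields completed
    shortcuts: int        # keyboard-shortcut events

def signature(s):
    """Coarse behavioural fingerprint that does not depend on IP or device."""
    return (s.pasted, s.optional, min(s.shortcuts, 3))

def session_score(s, typical_fill=45.0):
    """Per-session signals from the article; weights are assumed values."""
    score = 2 if s.fill_seconds < typical_fill / 3 else 0   # unusually familiar with the form
    score += 2 if s.pasted / s.fields >= 0.5 else 0         # mostly copy-pasted
    score += 1 if s.optional == 0 else 0                    # optional fields skipped
    score += 1 if s.shortcuts >= 3 else 0                   # heavy shortcut use
    return score

def repetitive_signatures(signups, min_n=5, cv_max=0.15):
    """Flag behaviour groups whose fill times barely vary (same action, repeated)."""
    groups = defaultdict(list)
    for s in signups:
        groups[signature(s)].append(s.fill_seconds)
    return {k for k, t in groups.items()
            if len(t) >= min_n and pstdev(t) / mean(t) <= cv_max}

def decide(signups):
    """Return allow / monitor / step_up (SMS, email validation or captcha) per sign-up."""
    flagged = repetitive_signatures(signups)
    out = []
    for s in signups:
        score = session_score(s) + (2 if signature(s) in flagged else 0)
        out.append("step_up" if score >= 7 else "monitor" if score >= 3 else "allow")
    return out

# Constructed sample: six farm-like sign-ups, each from a different IP, then three others.
FARM_TIMES = [11.0, 12.0, 12.5, 11.5, 12.0, 13.0]
SAMPLE = [Signup(f"203.0.113.{i}", t, 4, 5, 0, 4) for i, t in enumerate(FARM_TIMES, 1)] + [
    Signup("198.51.100.7", 38.0, 1, 6, 1, 0),   # ordinary shopper
    Signup("198.51.100.8", 62.0, 0, 7, 2, 1),   # ordinary shopper
    Signup("198.51.100.9", 20.0, 3, 5, 0, 1),   # fast user relying on paste
]

if __name__ == "__main__":
    for s, d in zip(SAMPLE, decide(SAMPLE)):
        print(s.ip, d)
```

A single farm-like session on its own only reaches "monitor"; it is the tight repetition across sessions that pushes the group to a speed bump.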