Fraud Detection: Checkout versus Account Creation

In our last post, we asked the question why more online retailers don’t spend as much time monitoring account creation as they do monitoring the checkout experience. Gathering intelligence before making a decision should come naturally. We’ve shown how legitimate users, company marketers and even fraudsters do their research ahead of time and why.

We can tell a lot about a customer at the time of checkout, but it leaves a lot of information on the table.

In the online retail space, there are just two types of users — the good customer and the bad actor. Both come to your site looking to create an account but each has a very different reason to do so. And while it may seem like the effective solution to prevent fraud would be to check only when the potential for fraud exists, at checkout, it’s not.

But first let’s look at the specifics for how we tell a good user from a bad actor.

Verifying the Good User

Watching the customer at the point of checkout is standard operating procedure for most systems, but it basically checks the purchase against already stored details: the system will check to see if the credit is valid, will match shipping information against current IP and prior addresses, and the like. It’s very binary, pass/fail, and not always accurate. False positives allow fraudulent sales through and false negatives block legitimate sales and most are caused by just not having enough information to make the better decision.

When a would-be user creates an account on your site, it’s your first opportunity to understand the user. It’s more than just filing away their name, billing address and credit card numbers for later purchases. More robust systems track and match IP address against their entered location, record time of day, length of stay and any related information, like a marketing promo code used at the time of registration. State of the art systems track input speed and angle of the device.

Each time the user is on the site thereafter is another opportunity to study the customer and add more data to the profile. When do they visit? How often do they stay on the site? What pages do they gravitate to? What geolocations do they typically connect from? What devices to they use? Marketing can use this intelligence to build a better purchaser profile for targeted marketing, but that same information can be used to build a bullet-proof security profile of that user, too.

Observing the user as they create their account, as well as observing them through each subsequent visit, isn’t just a matter of ensuring they are a good customer for your benefit — it protects that customer should their account be the target of a hack. But if a non-authorized user has stolen credentials, how can you spot the intrusion unless you’ve been paying attention every other time the user has logged in to your site. You’ve got nothing to compare.

Identifying the Bad Actor

Observing from account creation through every interaction tells you as much about a bad actor as it does a good user.

The irony is that a bad actor is a lot less random than a real user. Fake accounts created en masse are created for a singular purpose and don’t have a human hand behind them. Even in small-scale operations, where fraudsters pick a team of individuals to carry out the fraud, there are enough specific behaviors that link these accounts together and are flagged by the system as suspicious. Whether they systematically create fifty accounts a day to lie fallow in the system in hopes of bypassing traditional rule sets or slam the system with a thousand new accounts at once, behavior is the key, striking indicator that these accounts are not legitimate. It makes it easy to lock them down into a limited user experience or be blocked altogether before they can initiate a massive attack.

Precision Decision Making Requires More Precise Data

Focusing on the checkout can work to reduce fraud, but only to a point. Online shopping continues to grow in popularity and scale, and it demands a more robust fraud prevention system that can look at the big picture, not just transaction to transaction scrutiny.

Increasingly, each business has its own triggers and warnings unique among their competitors that can only be understood by watching the entire user experience, from account creation through to checkout. The longer you look at all the data, the clearer the patterns of behavior of good actors versus bad agent becomes, letting you take the guesswork out of the equation.

In our next article, we’ll look at how more data — not just for the individual but in the aggregate as well — and machine learning can tie it all together.