Moving the Focus from the Check-Out to Account Creation
Online fraud, from the merchant’s standpoint, is somebody other than you spending your money online. As the purchaser, you have a credit card, and the card carries a security code on the back that you only know if you physically possess it. You type in your card number and that code, and the retailer just needs to know whether the card checks out. Retailers left that task to the banks and card networks, and that was the standard strategy as online shopping started to ramp up in the 90s.
Credit Cards as the First Pain Point
Since then, sales and marketing teams have realized that asking the user for any additional information, like that security code, costs sales. Marketers within retail shopping portals constantly push for new ways to store customer data safely and securely in order to reduce that friction and make the path to the confirm-order button as smooth and speedy as possible.
But each marketing-driven change had knock-on effects that fraud teams felt as new challenges. The architecture of online shopping changed fundamentally: instead of checking the card at each transaction, the test of whether it is really you shifts to the user account, which holds all of your sensitive information and is protected by a password.
This creates a gap between the login screen and the confirm-purchase button, because the two events are not connected to each other. Each step may be secure on its own, but together they expose the system to a new class of flaws: whoever holds the password also holds the stored card. So fraudsters went after accounts by guessing passwords, a strategy that often worked!
One Rule(set) to Rule Them All
Rules were used to tie the two together. With the advent of the virtual shopping cart, merchant marketers needed a way not just to track sales but to verify that the person making the transaction had the right to do so. Historically, retailers focused on the transaction itself, because that was the pain point and because back then fraud happened individually, one transaction at a time.
The rules engine seemed like the answer, but as we discussed, retailers found themselves building ever more complicated rules to decide whether a particular purchase was legitimate or fraudulent, and finding that it still didn’t work. More restrictive rules also had the unexpected side effect of increasing false positives, turning legitimate users away and souring potential and long-term customers alike. In the end, fraudsters simply got better at exploiting a system that created as many holes as it patched.
Data Breaches Break the Rules
All the rules in the world won’t save you, though, once all of the customer’s relevant information has been leaked. Wide-scale data breaches let savvy criminals clear every hurdle a primitive rule can put in front of them, because usernames, passwords, credit card numbers and personally identifying information are freely available. Fraudsters can now either take over legitimate accounts or create new ones with the stolen data.
The Internet has come a long way. Where fraud used to mean one person making a series of bad transactions on a single stolen credit card, fraudsters now think bigger, much bigger. These days the favorite tactic is seeding a site with hundreds or thousands of fake accounts well before any attempt is made to steal a dime.
Passwords are only one part of a modern, effective fraud-prevention strategy. We must look beyond whether the password was entered correctly before approving a purchase, which means taking a closer look at account creation.
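To make the gap concrete, here is an added example (not code from the original post or from any vendor) that runs a typical checkout-time rule and two account-creation signals over a constructed signup log and a constructed set of later transactions. The account ids, IP addresses (RFC 5737 test ranges), email addresses and amounts are all made up; the email normalization assumes a mail provider that ignores dots and "+" suffixes in the local part, which is an assumption, not a universal rule.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed signup log (not real data): (timestamp, account_id, source_ip, email).
# Four accounts are registered from one IP within 21 seconds using variants of one mailbox.
SIGNUPS = [
    ("2024-05-01T09:12:00", "u100", "203.0.113.7",  "maria.k@example.com"),
    ("2024-05-01T10:00:00", "u101", "198.51.100.9", "shop.bot+1@example.net"),
    ("2024-05-01T10:00:06", "u102", "198.51.100.9", "shop.bot+2@example.net"),
    ("2024-05-01T10:00:13", "u103", "198.51.100.9", "shopbot+3@example.net"),
    ("2024-05-01T10:00:21", "u104", "198.51.100.9", "s.hop.bot+4@example.net"),
    ("2024-05-01T14:45:00", "u105", "192.0.2.33",   "jon@example.org"),
]

# Constructed transactions placed later: (account_id, amount_usd, billing_matches_shipping).
# The seeded accounts each place one small, unremarkable order.
TRANSACTIONS = [
    ("u100", 48.00, True),
    ("u101", 39.99, True),
    ("u102", 41.50, True),
    ("u103", 37.00, True),
    ("u104", 44.25, True),
    ("u105", 820.00, False),
]


def transaction_rule(amount, billing_matches_shipping, max_amount=500.0):
    """A typical checkout-time rule: flag large orders or mismatched addresses."""
    return amount > max_amount or not billing_matches_shipping


def normalize_email(email):
    """Collapse dot and plus-tag variants of the local part.

    Assumption: the provider ignores dots and anything after '+' in the local part,
    so these variants deliver to the same mailbox.
    """
    local, _, domain = email.lower().partition("@")
    local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"


def signup_burst_accounts(signups, window=timedelta(minutes=5), threshold=3):
    """Accounts whose source IP registered at least `threshold` accounts within `window`."""
    by_ip = defaultdict(list)
    for ts, acct, ip, _ in signups:
        by_ip[ip].append((datetime.fromisoformat(ts), acct))
    flagged = set()
    for events in by_ip.values():
        events.sort()
        for i, (t0, _) in enumerate(events):
            cluster = [acct for t, acct in events[i:] if t - t0 <= window]
            if len(cluster) >= threshold:
                flagged.update(cluster)
    return flagged


def shared_mailbox_accounts(signups, threshold=2):
    """Accounts whose normalized email resolves to a mailbox used by `threshold` or more signups."""
    by_mailbox = defaultdict(list)
    for _, acct, _, email in signups:
        by_mailbox[normalize_email(email)].append(acct)
    return {a for accts in by_mailbox.values() if len(accts) >= threshold for a in accts}


def flagged_at_checkout(transactions):
    """Apply only the transaction rule: the seeded accounts sail through."""
    return {acct for acct, amount, match in transactions if transaction_rule(amount, match)}


def flagged_at_signup(signups):
    """Apply account-creation signals: the seeded accounts are caught before they buy anything."""
    return signup_burst_accounts(signups) | shared_mailbox_accounts(signups)


if __name__ == "__main__":
    print("checkout rule flags:", sorted(flagged_at_checkout(TRANSACTIONS)))
    print("signup signals flag:", sorted(flagged_at_signup(SIGNUPS)))
```

On this data the checkout rule flags only u105, a large order with mismatched addresses that may well be a legitimate customer, while the four accounts seeded from one IP and one mailbox pass untouched; the signup-time velocity and mailbox checks flag exactly those four. Both thresholds are tunable, and the same false-positive pressure the post describes applies here: a shared office NAT can register three real accounts in five minutes, so these signals belong in a score, not a hard block.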
In this series, we’re going to look at the reasons why companies should be evaluating not just the purchase but go back and evaluate account creation — how it helps determine good users from bad and predict attacks before they happen.