Holiday theft: The art of hiding in the crowd

We looked back at what happened in the backstage of fraud during the holiday season and found some eye-opening stats.

Remember when we were all excited about the holidays, the friends and family gatherings, and the curling-up-under-the-blanket evenings? Now is time to look at the flip side of the coin: what did fraudsters do while we were opening presents or taking a well-deserved break, trying to snatch that 50% off Instapot or clearing out the driveway for sledding? They were working as if there was no tomorrow to make their yearly income in a week.

We dug down to see what actually happened during one of the busiest months for online transactions and, although we can’t say we were surprised, it was not pretty.

The Stats

Based on our client database, account takeover attempts increased by more than 400% from October to December. Mobile high-risk traffic also increased by 30% over the same period, with malicious smartphone activity reaching 52%, and turning mobile into the most fraudulent channel.

Smartphone is becoming the preferred device for fraud for many rings – this is a direct reflection of the customer trends. Mobile app payments are increasingly attractive to users. Experian’s The 2018 Global Fraud and Identity Report showed that more consumers own a smartphone (91%) than a laptop (83%), and one of the top activities on all devices is banking (88%), making mobile traffic a fast-growing channel.

But what does this growth mean? For a black-hat hacker, the equation is simple: growth = crowd = opportunity. Bad actors like crowded spaces: Just like pickpockets don’t slide their hand into your pocket in an empty waiting room, fraudsters also choose busy places to work, so they are not noticed and can disappear quickly into the crowd.

It is not surprising that bad actors would go after the new customer’s preferred device: mobile. The more customers using one channel, the harder it is for most companies to spot anomalies – without increasing false declines.

To thwart these fraud attempts, multi-layered solutions that monitor traffic from multiple angles including different devices are the best deterrent. Bad actors – same as customers – don’t like friction. If they have to work too hard to make a profit, they will move on to the next, less protected, target.

Multi-channel solutions that use machine learning observe fraud patterns and detect them as soon as they move from one device to the other. This way account takeover can be stopped even before it happens.

More Stats

But account takeover is not the only scheme stolen data has been used for. Data breaches have provided a bottomless pool of stolen records that is widely used to create synthetic identities. In 2017 we found that, across our clients, 35% of all new accounts were created from stolen identities – luckily, these accounts were closed before they turned into losses.

Today there is more data available than people on earth, so these numbers will keep going up. The Identity Theft Resource Center reported 1579 breaches in 2017, exposing almost 179 million records. This equals 340 records stolen per minute. That’s probably the same time you’ve spent reading this article. What if one of those is your client’s?

It’s not news that online authentication needs to change to survive the surge of fraud and secure customers and businesses. Companies are often hesitant about adding friction to their authentication methods, fearing it will drive customers away.

The good news is that millennials – who will soon be the biggest workforce in the world – are starting to prioritize security over convenience and accept authentication tools that include biometrics. Experian’s report showed that 66% of consumers like security protocols when they interact online because they make them feel protected.

Changing the numbers

Customer’s changing perceptions are a great opportunity for eTailers and banks to review their authentication methods and implement solutions that protect their companies from the devastating consequences of breaches. Authentication solutions with multiple layers that include physical and passive biometrics are proving to be the least intrusive and the most accepted by end users.

The holiday shopping rush and downstream fraud are already behind us, but there is no shortage of fraud schemes (FakeBank, tax return fraud…) and there is also no shortage of stolen data, so the numbers in this article are only a fraction of the activity that takes place behind the scenes. It’s time for companies to fight back: get into that crowd, find their good users, and leave bad actors alone in their own crowd.     — Related to this post: The Case for Intelligent Friction

Authenticating on today’s breached world? Watch our webinar featuring Forrester analyst firm.

Want to read more posts like this? See our full blog here.