In our last installment, we walked through the reasons why retailers have so far focused almost exclusively on the point of sale when it comes to fraud detection. Instead of making a snap decision about each transaction by sorting it into a broad category with simplistic location-based rules, we need to shift our focus to when the account is created in the first place.
And it all comes down to intelligence gathering.
Not Just For Retailers
Typically, before users make a purchase, they research it until they feel comfortable enough to say yes. That could include researching the product and the seller, looking at user reviews and ratings, seeing what configuration options the item offers, and so on. If it’s the sort of item that’s purchased often, eventually that purchase becomes automatic, trusted. They don’t think so hard about each future transaction.
Intelligence gathering is step one in any hack, too. Gone are the times when fraudsters could brute-force their way in through weak rule-sets. They’ve had to get more clever, and to do that they’ve had to slow down and do their homework. Before they commit a fraud, they plot out their steps, what they want to steal, and where the likely security holes in the system are, and only when they are sure will they launch the attack. And once they have one working strategy, they’ll use it again and again until it stops working.
So if customers understand the value of research, and hackers do too, what about the retailers?
Retailers Get It For Marketing
Marketers long ago learned that investigating their prospective customers resulted in increased sales. The kinds of information retailers sought started out with the most basic demographics — gender, age, income — but quickly diversified, and they used that information to divide their customers into smaller groups more descriptive of their needs and then tailored their marketing approach to each subset. Retailers could better predict what products would appeal to each group, and in some cases this led to entirely new product lines being developed.
No retailer would dream of opening up a storefront without having categorized and investigated their intended market, and without having plans in place to respond to feedback so they can continually adjust both the message and their product. Why? Because it works.
Given how sold retailers already are on gathering intelligence to entice customers to their storefronts, it’s startling that more retailers don’t scope out their prospective customers once they arrive at their website but before they make an attempt to purchase an item.
Intelligence Gathering for Account Creation
So if intelligence gathering works for marketing by helping retailers get the customer in and ready to spend cash, what would happen if they spent some time looking at the account before it’s made?
Successful fraudsters have taken intelligence gathering on prospective targets to new heights because they have no choice. As rule-based fraud detection became more and more complicated, fraudsters had to continually change tactics. Before, you could take a single account and test a thousand stolen credit cards, one after the other, until one worked, but when that behavior got flagged, fraudsters started making thousands of accounts, each with a single credit card. You can put new rules in place to flag them, but then fraudsters let the accounts sit fallow until that time has expired. These accounts appear indistinguishable from legitimate accounts.
Yet the creation of these accounts does leave telltale hints as to their purpose, distinct from that of a legitimate user, if you’re looking for them.
Marketing intelligence can often predict the upcoming needs and desires of a customer before the customer is even aware of them. It is so accurate that in some cases it can predict customer pregnancies. That same level of precision can be applied to deciding ahead of time whether a newly minted account is for a real person or for a foot soldier waiting for orders in a future attack.
In our next installment we’ll look at what we can do to separate the wheat from the chaff, the good user from the bad, in a preventative fraud strategy that uses behavioral biometrics.