The everlasting war between retailers and scammers
Unless retailers acknowledge cyber threats and adopt the newest technologies, we could see an uptick in cyberattacks this shopping season.
Due to the pandemic, the growth of e-commerce is rapidly accelerating. Naturally, fraudsters follow the money.
“Security is a very dynamic space, so there’s no system that is 100% secure. The most important thing is to have a very diverse stack of technologies to combat fraud and mitigate risk,” André Ferraz, CEO of Incognia, told CyberNews.
Retailers should acknowledge cyber risks, rely on the newest technologies, and not try to build cybersecurity systems themselves, but rather choose reliable and diverse vendors.
Leigh Shout from Cifas, in his article addressing safe shopping, aptly questioned whether Black Friday is actually Black Fraud-day, since the number of scams skyrockets along with the great deals.
In May, ACI Worldwide Research announced that global e-commerce retail sales had achieved 209% year-over-year revenue growth. The fraud attempt rate based on transaction value rose by 13% to 4.3% in April 2020, up from 3.8%.
According to André Ferraz, common and fast-growing types of fraud include synthetic identity fraud, phishing, credential stuffing, and SIM swaps.
Constant war with fraudsters
Mr. Ferraz reckons that technology companies and fraudsters are fighting each other all the time.
“Technologies are being broken and fixed all the time. Fraudsters are finding ways to break it, and the technology vendors are identifying those problems and fixing them, so this is happening all the time. It’s a war,” he said.
Of course, no system can offer retailers 100% protection from scammers. But there are some steps that a business can take to avoid fraud.
“The most important thing is to have a very diverse stack of technologies to combat fraud and mitigate risk. You can’t risk it on a single provider. You have to have different vendors that help you do different things, and you have to have some control over that,” he said.
The second step to protecting your business is having a good monitoring system, Mr. Ferraz said.
“And if you can see the data in real-time, if systems are not working and you start having issues with fraud, you would be able to spot that quickly and to act. If you have diverse technologies and monitoring systems, you are in a good position to combat fraud because you have tools which you can configure, and you have visibility so you can know when and how to act,” Mr. Ferraz said.
He wouldn’t advise any company to build its own technology because it’s very complex, and it’s going to become a disruption for the business.
According to him, e-commerce players should be using the best vendors to be prepared.
“The most important thing is being aware that those risks exist, and also being open-minded in adopting new technologies. If the companies think that way, they will definitely be in good shape to overcome those challenges,” he said.
What can technology offer?
“Definitely, this shopping season is going to be very important in terms of transaction volumes and fraud risk. We are seeing a few things today,” said Mr. Ferraz.
And here are the four trends that he listed for us.
- SMS-based two-factor authentication (2FA). Mr. Ferraz says SMS-based 2FA is no longer safe as fraudsters use SIM-swap attacks on customers. That way, they can take over the phone number of a user and compromise any systems that are using SMS-based 2FA.
- Mobile commerce. For any retailer using mobile commerce, Mr. Ferraz suggests leveraging sensors and location information. “We are talking about the device which has way more sensors than a traditional computer. The companies are currently not leveraging those sensors very well, but they are powerful to combat fraud,” he told CyberNews. For example, retailers could use geolocation to mitigate risks. With location information, a retailer is able to verify if a user is purchasing items from the same location that they provided for that transaction. “You are usually going to use a ship-to address to tell the e-commerce website where they should deliver your purchase, and also go to address where they should go after you if you don’t pay,” Mr. Ferraz said. Mobile devices enable you to verify that information in real time, and that, according to him, is something that could mitigate a lot of risks.
- For those retailers who are offering in-store mobile payments, he strongly recommends using location data. Mobile payments have grown significantly, and they are safer from a health perspective. In this case, location is relevant because retailers can confirm that a user is at the physical store while making a transaction. That way, retailers can verify payment information with more security.
- The rules should not be very strict, though, so that they don’t intimidate customers. “If they are very conservative, they are probably going to leave some good customers outside. If they take too much risk, they are going to face a lot of fraud,” Mr. Ferraz said.
ABC for e-commerce beginners
What if I just decided to open an e-shop? The good news is, Mr. Ferraz reckons, that today we already have modern technology that helps us protect businesses but at the same time doesn’t create too much friction for consumers.
“Those technologies that I would outline first are device intelligence, so being able to understand which devices are currently accessing your website or your mobile app, and being able to re-identify. Let’s say that someone has committed fraud. The fraudsters usually do it recurrently. So if you have device intelligence, the next time that fraudster comes, you would be able to identify that fraudster, and you would block them,” Mr. Ferraz explained.
He also suggests using behavioral biometrics, which analyzes how users are acting on a particular website or mobile application: how fast they are typing, whether they are copy-pasting, or whether they are potentially a bot, which is very common.
Finally, location behavioral biometrics is focused on the mobile environment but helps understand the location patterns of a device, and that way, retailers can assess risk with much higher accuracy.
“For example, if the person is making a purchase and the delivery address is a certain location and that person is there at that moment, that is information that tells you that the person is at least telling the truth and you could find that person. A fraudster would never reveal their real location,” said Mr. Ferraz.
Combining device intelligence, behavioral biometrics, and location behavioral biometrics helps build a high level of security without creating barriers for the consumer at the same time.
“That’s the best of both worlds - because you have security and convenience at the same time,” he said.
A tip for consumers: stay vigilant and do your homework
When it comes to consumers, mindset is the most important thing. It is more important than any particular technology because the latter is changing, and we should always be adopting the most modern and secure technology there is.
“The most important thing for consumers is awareness. They need to understand that digital space hasn’t been so relevant so far, the fraudsters are part of this ecosystem, and they are constantly acting,” Mr. Ferraz said.
Here are the most important things that customers need to know before they go shopping.
- Protecting email accounts. Every e-commerce website, every application is going to use your email address as your credential for authentication. If your email account is not well protected - doesn’t have a strong password, does not have 2FA enabled - and gets compromised, all of the services you use consequently would be compromised.
- You should beware of any communication that you receive. It could be either a phone call or a text message. As Mr. Ferraz pointed out, scams usually come in two different forms. One is a very good opportunity, a price, a promotion, a gift. If something looks too good to be true and appears out of thin air, you should be careful. Another scam format is someone trying to pass as a retailer or a financial institution saying that they’ve identified a problem with your account. “The bank is going to call you, but it’s not really the bank - it’s a scammer. They are going to say that they’ve seen a transaction on your credit card. Do you recognize it? You are not going to recognize it, and this creates a scenario which makes it very easy for the scammer to convince you,” Mr. Ferraz said.
- If you decide to shop online, you should verify a few things. Firstly, you should verify that the store is using secure communications, that is, HTTPS. It is mandatory. “The second thing that people should verify is reviews. They should take a look online if that store is reputable and if the reviews are positive. There’s a lot of information online: people should do some research before buying,” said Mr. Ferraz.