Retailers’ biggest worry is increasing e-commerce fraud — including data breaches, targeted attacks and card-not-present fraud — according to a report from the Federal Reserve Bank of Minneapolis.
Online fraud is one of the biggest challenges facing retailers, with card-not-present (CNP) fraud being one of their top worries.
CNP fraud will hit US$71 billion over the next five years, Juniper Research has forecast, as it is an easy way for cybercriminals to access money, products and services.
There has been a 100 percent increase in purchase attempts with flagged — suspicious — credit cards, according to NuData Security.
With these numbers, it’s no surprise that merchants have allocated most resources toward securing CNP transactions.
Retailers also have been getting hit from point-of-sale systems — the physical machines that take card payments. Some retailers have discovered that their devices have been infected with malware that records the payer’s card information. POS hacking has a low barrier to entry, as cybercriminals just need to connect a $25 Raspberry Pi to upload malicious code that can penetrate the network.
Those are not the only threats. Third-party suppliers that retailers subcontract can become another target for fraud. Third-party vendors, in turn, hire other companies, creating a long list of providers that handle sensitive data. It is within these relationships that cybercriminals target the weakest link to steal personal data such as credit card information.
Reviewing the Fraud Chain Link by Link
Retailers and merchants can close the loop on point-of-sale systems through continuous monitoring of POS devices and regular installation of security patches. It’s crucial to apply new patches to all devices to prevent attacks like the recent one on Forever 21: The company had installed the latest security patches in all its POS devices except for just a few — and those were the ones attacked.
Identifying all your third, fourth and even twentieth-party providers is the first step toward establishing a risk management strategy.
Bad actors use any chance to steal payment data that will then trickle down to the CNP channel, where merchants can’t differentiate between legitimate customers and impostors.
Breaking the Chain
The most effective weapon against CNP fraud is to devalue the stolen data. The options to steal sensitive information have been evolving constantly, but if the stolen data is not useful to make a profit, fraudsters will lose interest in it.
Following this approach, many companies have been implementing multilayered solutions applied to the CNP transactions that evaluate users by several key points:
- what they have — device type, for instance; and
- what they are — physical biometrics that can include facial, retinal or fingerprint scans.
There is an underlying layer that helps with identification by looking at a user’s passive biometrics. Passive biometrics can analyze the user’s inherent online behavior. If suspicions are raised, the company can trigger an additional verification request based on what the user has or is.
This security approach, based on passive biometrics and behavioral analytics, secures a card from illegal online transactions without relying on data that could be stolen, such as username and password.
Passive biometrics and behavioral analytics can recognize customers through hundreds of identifiers, such as how they type — their input speed and keystroke deviation — or how they hold a device. These are powerful indicators of a human versus nonhuman interaction, and they can help to ensure that the right person gains access to an account.
Letting Go of the Chains That Bind
Passive biometrics and behavioral analytics give retailers context for digital transactions and the ability to stop anomalous transactions before they happen. Users benefit from a seamless experience, while organizations gain the additional assurance of authentication.
Retailers and e-commerce organizations that use multilayered security strategies with passive biometrics and behavioral analytics effectively can confirm legitimate users with pinpoint accuracy, without relying on credentials that might have been stolen. User patterns and behaviors cannot be replicated by cybercriminals using stolen credentials or card details, which devalues stolen data and breaks the fraud chain.