MRC Vegas was an exciting event - it’s an excellent opportunity to meet merchants and listen to their pain points, and to hear what problems they’re struggling with and what success stories they can share in their effort to control fraud losses while growing their businesses. We’ve made a list of the topics we noticed came up in every conversation.
Machine learning is king
While not everyone is doing it, everyone is definitely talking about it. The push for automation and accuracy has pushed most fraud teams towards solutions that include machine learning as a key component in their detection strategy. From powering biometric face detection to replacing rules - we reckon everyone is either using machine learning or considering adding it to their solution in 2017.
The Account Takeover (ATO) business is booming
Historically ATO attacks targeted mostly very large companies. There has been a recent trend of medium sized merchants experiencing attacks directed towards them. These attacks take place in two stages: First, parallelized “credential stuffing”, often using botnets in order to evade detection systems. The second is extracting value from the compromised accounts by hijacking accounts and performing fraudulent purchases. Stopping these at the credential stuffing stage and the later use of hijacked accounts is essential for a comprehensive fraud solution.
Cyber security and payment fraud tools converge
Along with consumers (and fraudsters) fraud detection solutions are continuing to increase focus towards mobile. While e-commerce moves from the physical world and web e-commerce moves to mobile, these solutions need to adapt accordingly – specifically, to be able to identify and score types of customers – not simple transactions. A comprehensive detection and prevention strategy uses techniques from cyber-security to identity those fraudulent identities
Behavioural analytics is more than a click of a mouse
Understanding which transactions are fraudulent is getting much harder without the context of the user’s activity prior to the purchase. We saw that merchants increasingly try to look at the history of the user’s activity – their account creation, their payment method registration, their browsing of inventory, their search patterns – in order to assess if a particular order matches a particular fraud pattern.
As eCommerce grows, merchants need to achieve more with fewer resources
Most merchants we talked with include some manual review in their process, especially for high-value orders. While removing humans from the equation is not a goal in itself, teams are resource-constrained and would like to grow their businesses without increasing the burden on the fraud team. In short, they require smart solutions that allow them to scale their operation without increasing headcount. Paths to achieving this include: using a more accurate detection engine; streamlining manual review processes with contextual decision support, and; using automation to provide uplift mechanisms for high-risk users, such as identity validation schemes.
Smarter identity validation
A lot of merchants struggle with identity. It’s not considered legitimate to ask for government issued cards from their customers – interestingly, unless it’s a bank, or money transfer service, or insurance – as the request is generally considered too invasive and off-putting.
In any case, validating government issued identity cards is cumbersome and quite expensive. Innovation in this field comes through automated validation and using a risk-based approach, again only pushing high-risk users to the process. We also heard people talk about the power of one's online persona to complement your government issued id. While social media platforms haven’t yet found a clear path to allow customers to use their online identity in the process, we at Ravelin see this as a natural step. High-performing fraud analysts already see this as a key way to validate a person’s identity in practice.
Alternative payment methods
While credit cards remain the favoured payment method because of their global reach, merchants must adapt to markets where credits cards don’t have the same penetration rate. This means accepting alternate payment methods. We heard about direct carrier billing, e-wallets and country specific payment platforms, and how gateways are trying to help merchants expand the ways they can accept payments from a customer that don’t have a credit card or favor a smoother, trusted local payment options. Just like credit and debit cards, alternative payments are never risk-free, and fraudsters will find ways to circumvent defenses put in place by payment processors and the schemes, including phishing, account takeover and malware on desktop and mobile devices.