Fraud focus: the issues and solutions in retail e-commerce

Fraud is a big, complex, and costly problem that every e-commerce website faces. According to PYMNTS.com, $4.79 out of every $100 of sales is at risk of being fraudulent. As sales increase, the website faces more risk and more loss. Fraud that e-commerce websites face is closely linked to theft of credit card information, although account username and password theft is common too. E-commerce fraud has been a problem websites have been facing for more than a decade. It has been growing over the last decade, and will get even bigger in the decade to come - read more about this here.

Fraud is on the rise

According to the yearly survey conducted by Financial Fraud Action UK (FFA UK), e-commerce fraud in 2016 grew to 18% of total yearly sales. In figures, e-commerce fraud for 2016 was £308.8 million. That is a lot of money being lost due to fraud.

As the figure (Source: financialfraud.org.uk) shows, the percentage of e-commerce fraud increases every year. Banks create and use various robust security systems to protect and defend their customers from fraud. But as these systems become more modern and sophisticated, criminals also grow their skills and move to breaching systems and conning victims of their personal and security information.

The causes: the darknet & phishing.

After extensive research, FFA UK identified two key reasons for fraud: breached information being available on the darknet for fraudulent uses, and successful attempts of phishing and SMishing by criminals. They’re both closely related, and both involve theft of financial data.

Carding on the Darknet

The darknet is a place on the internet that can only be reached using a specialised software like the Tor browser. This is like the black market of the internet where criminals big and small go to trade illegal items like drugs, weapons, and among other things, hacked card data and e-commerce accounts and passwords.

Vocativ.com during a research in 2016 found that a single dark market site held stolen financial information worth $400 million which was provided to them by a single group of hackers. The number of these dark markets has been on the rise, spiking suddenly since 2014.

Darknet markets get their information through cyber crime groups that breach victims personal systems, business and other industries. Many of these card details were obtained from corporate data breaches over the last few years. There were 1,093 data breaches in 2016, which was 40% more than the record setting 780 breaches in 2015, according to the Identity Theft Resource Center. Clearly, each year sets a new record for number of breaches, and this situation isn’t getting any better.

According to the FTC, Reported credit card fraud cases rose from 16% in 2015 to more than 32% in 2016. Criminals who use stolen credit card information have a complex way of covering their tracks when it comes to acquiring high-value items for resale. They use the stolen credit card information to purchase gift cards from e-commerce websites, and then use the gift cards to make purchases. They use a ‘mule’ or fake recipient who is paid to receive at their address, and resend the items once they are delivered.

Gift card purchase and re-shipping makes the process of finding the fraudster more lengthy and complicated. This gives the criminals time to sell the item in different websites or markets for a better cost. By the time legal authorities catch wind of their whereabouts, the criminals have already cashed in on the items, and gotten away.

FFA’s ‘Take Five’ campaign

FFA started a campaign called “Take Five” to educate end user about the ways criminals use phishing and how they can keep themselves safe.

Some of the tips FFA provides to educate users about phishing are:

• If you find a deal on the internet, in an advertisement, over an email or in an SMS that sounds too good to be true, it probably is not true. Most great deals provided by genuine e-commerce websites are through gimmicky advertisements.

• Another way to see if the e-commerce website being used to make a purchase is genuine and safe, is to check for the padlock icon in the browser. The padlock icon shows the user if the site is secure or not. A secure site is used by e-commerce websites, whereas an non-secure website is used by hackers.

• If ever asked for credit card or bank information over mail, chat or SMS, never give it. This sort of data should never be shared with anyone, not even the organisations that provide them. If anyone asks for this data it should raise a trigger that something is suspicious about the interaction.

Observing the fraudsters attempt to hack and gain confidential information, Take Five urges users to guard their personal and financial details. They should never assume an email, text or phone call is authentic even if it includes a reference to some of their basic details.

Protecting from hacks and phishing

E-commerce websites have been working towards protecting themselves from criminals trying to breach and gain personal information. Security methods and systems get expensive as the kind of attacks get more sophisticated. A new system is required by e-commerce websites that spots and fends off fraudsters, and allows only genuine users and transactions to take place.

Security website Informationsecuritybuzz.com has a useful list of steps e-commerce companies can take to protect themselves and their users from phishing.

• Use two-factor authorisation (2FA)

• Match the billing and shipping addresses to confirm authenticity

• Call the number the customer provides with the order

• Match billing addresses and IP addresses to confirm location

• Use software and applications that filter fraud

• Pay attention to the characters of email addresses

• Set a declined transaction limit for each customer

• Flag unusually high value orders for human interaction

These tactics are very helpful, but to execute them you need a dedicated, in-house risk assessment team. Even though they’re very helpful, implementing these steps is not scalable, it becomes costly, and has a low level of accuracy as it uses manual human review to sieve through the huge volumes of data. The best solution to this problem is Machine learning.

Machine learning to fight e-commerce fraud

Fraud detection platforms that rely on machine learning are ideally suited to crunch the large volumes of transaction data, and take an educated guess on the authenticity of each transaction. Ravelin is one such platform that makes machine learning accessible to any e-commerce company big or small.

Ravelin provides a state-of-the-art system that detects and prevents cybercriminals from breaching your website. The algorithms used in the machine learning system strengthens the scanning process, enabling it to check all the data points in a fraction of a second.

Ravelin allows you to assign a fraud score for each doubtful user or doubtful transaction. This helps you keep a close watch on suspicious transactions, and enables you to deflect more fraudsters and criminals.

Phishing for cards

Apart from the darknet, phishing is a universal problem since the early days of the internet. According to Wikipedia, “Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons.” One of the reasons phishing is still successful is that many people don’t know what phishing is.

Low awareness of Phishing

There has been an increase in sophisticated phishing emails purporting to be from major online retailers and internet companies. Fooling victims into providing their personal information like their credit card details, account details and other information that can be used to make fraudulent purchases.

A study conducted by Sophos concluded that cybercrime is a bigger worry than physical world crime. Of the 1250 people surveyed two-thirds worried that a breach would cause them to lose their financial information, 61% worried about hackers sending spam to their contacts through email.

Even after such worry, most of them were not aware of what phishing is and how hackers use this method to steal their data. This means they could easily fall victim to phishing and SMishing. High profile cases like Podesta in the recent US election may well change this awareness problem.

Almost a third (31%) of British online shoppers admit that they are more likely to take a financial risk. If they find a deal that gives them a better discount, they are willing to try it out even though it may contain risk. Criminals use this desire shoppers have and create scam emails, or fake ads on social media, or internet searches promising heavy discounts for desirable goods. Luring innocent customers on their fake sites, they trick them into entering their card details and other information that they can use. Once the fraudster has harvested this information, they can then use the details to commit remote purchase fraud.

Knowing about the common methods criminals use to get access to their data would help users protect themselves.

Methods of Phishing

There are many tactics criminals use to steal user information. One way is to mimic an ecommerce store, and coerce the user into entering their financial or account data, which goes directly to a server belonging to the thief.

These counterfeit websites these criminals use look and feel just like the original e-commerce website. If not read carefully these sites can be confused for the original. Further, the emails and texts sent to the victims show a short time deal, requiring the shopper to act quick to get the deal. Read less and do more is the motto the fraudsters follow. Since the shopper is eager to avail the discount quickly, they tend not to read the whole website and just focus on the words in bold that tell them about the deal. Their FOMO – fear of missing out – on a great deal leads them to let their guard down when it comes to online shopping.

Checkout page phishing

Sucuri a global security firm last year discovered a new phishing technique criminals were using. In this technique criminals hijacked the checkout and payments page of an established e-commerce website by injecting it with a malicious piece of Javascript code. The hackers redirected users to a fake website that looks identical to the original website’s checkout and payment page. Unaware, end users enter their credit card and bank details into the fake page. This gives the criminals all the information they need to exploit the user and the e-commerce website.

eBay was also a victim of a group of hackers. A similar method used by these hackers redirected customers to a fake page that harvested passwords. These criminals used cross-site scripting to inject malicious Javascript code that redirected customers to the password-harvesting site. Hackers using these methods adapt their code and tactics in efforts to stay ahead of the developing security systems that e-commerce sites come up with.

Amazon.com customers were also targeted for phishing. The hackers showed a fake ‘out of stock’ warning on the checkout page and requested the customer for their email ID, the attackers then sent the customers an email and to get their financial info. Malware

Another method in this injection is, the customers are asked to install the latest Java or Flash to continue their shopping. Installing these updates which are tweaked by the hackers provide criminals a more easier access to the internal files on the victim’s computer. Criminals also gain the ability to manipulate the victim’s browser according to their will.

Data breaches

Saks Fifth Avenue, a luxury department e-store was hacked and about 80,000 email IDs were exposed to fraudsters. Of those 80,000 some of them belonged to employees at government and national security organisations who were likely shopping while at work. This could potentially have turned into a matter of national security. Luckily, card information and passwords were not stolen.

Combining offline & online tactics

Cybercriminals have been improving their skills and are becoming more tactful in their methods. A new method they adopted according to Mandiant was to call victims impersonating support representatives ask them to enable macros in a phishing document they send over email. Once users enable the macros, the malware attached to the document infects the device, browser, or the email account being used. This gives cybercriminals all access required to extract financial information from the victim.

Other victims of hacking and phishing were Apple iTunes, websites using Magento, WooCommerce and PrestaShop and Free movies. From small niche sellers to large established e-commerce websites, everyone is prone to becoming a victim of phishing. The attack can come from anywhere.

As seen from the examples above. even big companies have been victims of phishing. Precautions need to be taken to fend off breaches and phishing attacks by cybercriminals. Some organisations have been observing this rising trend and are taking steps to make the internet a safer place for users and e-commerce websites.

To learn more about online payment fraud visit our insights page.