Why is payment fraud so persistent?

This article was first published by IT Tech Portal. You can read the original article here.

Online payment fraud has been with us since the birth of ecommerce and, despite continual improvements in preventative techniques, it is widespread and growing - read more about this here.

Just look at the statistics:

In 2014, online retailers lost over $32 billion to online credit card fraud. In 2015, in the UK alone, online fraud cost over £10.9 billion to the overall economy-- that’s roughly $210 per person. In 2016, there were 2.3million fraudulent transaction attempts

The same incredible growth that we have seen in online transaction volumes, has been followed by a greater relative increase in fraud. So what forces continue to drive continual growth in this type of crime and why is it so persistently high?

Ease of opportunity

The degree of technical knowledge required to commit card fraud is now minimal. The ability to download the Tor browser, access some sites on the dark web and make a purchase in bitcoin is not difficult. And it is certainly not expensive; card and personal details can be purchased for pennies as we can see from this chilling offer:

The supply of card details, while of questionable quality, is trending towards infinite. Vigilante.pw keep a live record of data breaches and it recently topped 3 billion compromised records in nearly 2500 confirmed breaches; and the pace of these hacks is accelerating. These data breaches are driving the supply and providing the source material for the fraud we are all suffering.

This combination of an endless supply of data and cheap and easy ways of accessing it means that the days of acquisitive crime are all but over for all but the most desperate. Why risk the consequences of stealing a TV from a house or a store when a brand new one could be delivered to your house? Why shoplift food from a well-protected supermarket when a delicious hot meal could be delivered to you for free?

Demographics

This shift in crime patterns naturally mirrors the shift in generations. A new wave of young people with at least basic digital skills become old enough to indulge in cybercrime and the pickings are rich.

We need to get away from the image of a ‘hacker’ using advanced skills to pick the lock of a super-secure server. These are blunt force attacks require no more skill than entering in details on a few sites and apps to find where they work.

Young people are naturally connected to each other via a host of social services. Subreddits are also a rich source for sharing fraud tactics along with websites where vulnerabilities have been spotted. Collusion is rampant, effective and anonymous.

Lack of stigma

Driving this increase in participation is the decrease in stigma attached to committing these crimes. A whole generation has grown up with online piracy (downloading movies, music, games and software - a recent report by American Assembly shows that 24% of 18-29 y.o’s consider it OK to upload movie files to sites where others can download them; directly contributing to online piracy.

Although piracy is not exactly a ‘gateway drug’ to online fraud, it certainly bends the longstanding connection between law and morals. If it’s OK to steal content, why not steal credit card numbers on the dark web?

Police are not equipped to manage the problem

Police are organised to deal with acquisitive crime in the real world. Breaking into a house, shoplifting and stealing are what response, detection and evidence-building teamsare built to manage. The conviction rates in most advanced economies act as a deterrent to all but the most desperate.

When it comes to payment fraud the opposite holds true. For a start the crimes are rarely reported. Each individual fraudulent transaction is not usually large enough to justify a company’s time in pursuing the perpetrator. The few cases that are passed to the police then hit the same triage problem - is it worth the police’s time to follow it up?

There is a contradiction here, of course. Criminal damage or theft of a trivial amount of goods in a shop will almost always be reported and pursued. This is because the evidence is simple to gather; CCTV footage or the word of a security guard is usually enough.

For an online crime though the evidence is more difficult to ascertain. Can the police find the person who used stolen details in the first place? Assuming they can, can they then prove that it was accused’s phone or computer that was used in the commission in the crime, or that it was the accused who was actually using the phone or computer? If the person is abroad, are there jurisdiction complications?

This stretches the police’s already beleaguered resources and takes them into areas few forces are trained for. There are of course significant policing resources available to investigate large data breaches or an incident like the Tesco Bank attack in the UK. However in payment fraud, the cardholder is usually compensated and the merchant is rarely active in pursuit of the criminal. Together the unwillingness of both the police and the merchants to pursue crime is creating the perfect environment for the opportunistic criminal.

Consumers aren’t protecting themselves

Some of the blame for card fraud has to be shared by consumers.

While it is relatively easy for criminals to obtain somebody’s credit card information, basic safety practices could go a long way in stopping them. Such practices include:

• Only making purchases on trusted sites.
• Never handing out credit card information over email or the phone.
• Checking website security.
• Using strong and varied passwords on sites that store financial information.

Although consumers share responsibility for online credit card fraud, businesses bear the brunt of its effects. While laws vary from one jurisdiction to the next, the onus is generally on businesses to refund fraudulent transactions -- and it goes without saying that businesses in this situation cannot recover the goods they have refunded. Chargebacks also represent a significant cost to businesses, involving heavy fees in addition to the funds that have to be returned.

This puts a massive burden on businesses; do you refuse to accept credit cards online (and go out of business), or do you accept the risk of fraudulent transactions? Some choice. Businesses need to change how they manage fraud

So if we accept the argument that for demographic, sociological, legislative and opportunistic reasons this problem is not going to get better quickly, the question we need to answer quickly is what the response is going to be.

To date the response across merchants has varied. Most use and many rely on the fraud checks from their payment provider (PSP). These are of course useful and will in many cases stop cards that have been compromised from being used again. However, their defences are easily overcome, and they have proven largely inadequate when a fraudster uses card details that up to that point have never been seen before by the payment provider.

For many businesses, the response to tackling fraud beyond their payment provider has been to invest in a rules engine and to manually check transactions that fail these rules or that appear suspicious. Manual review has its place, but in a world where volume and varieties of fraud attack continues to increase, it is not difficult to see manual processes being overwhelmed.

We need to tackle fraud by using best asset that we have: Data. Fraudsters leave trails and those trails are to be found in the data. The more data we track, the more those fraudulent patterns become clear and the easier it is to stop the fraud automatically and immediately. Machine learning is the only technique that has the capability to identify these patterns, and the move to employing it at the core of fraud detection is a matter of when and not if, for at least most medium-to-high volume businesses.

Just as importantly, the industry needs to share data on compromised card and accounts. By operating independently, merchants make it easy for fraudsters to move from target to target. We need to operate together by meaningfully sharing data in a way that is fast and accurate so a fraudster is shut down not just on one site but on many. There are of course complexities to this, but the principle is obvious and the technical aspects of it are largely solved. The key requirement to stem the tide of fraud is largely one of will. Fraud thrives because our efforts to stop it are inadequate. This needs to change fast.

Learn more about online payment fraud here.