Breaking the Fraud Chain

Retailers’ biggest worry is increasing e-commerce fraud according to a report from the Federal Reserve Bank of Minneapolis. Online fraud is one of the biggest challenges facing retailers, with card-not-present (CNP) fraud being one of their top worries. CNP fraud will hit US$71 billion over the next five years, Juniper Research has forecast, as it is an easy way for cybercriminals to access money, products and services. There has been a 100 percent increase in purchase attempts with flagged credit cards, according to NuData Security.
With these numbers, it’s no surprise that merchants have allocated most resources toward securing CNP transactions. Retailers also have been getting hit from point-of-sale systems — the physical machines that take card payments. Some retailers have discovered that their devices have been infected with malware that records the payer’s card information. POS hacking has a low barrier to entry, as cybercriminals just need to connect a $25 Raspberry Pi to upload malicious code that can penetrate the network. Those are not the only threats. Third-party suppliers that retailers subcontract can become another target for fraud. Third-party vendors, in turn, hire other companies, creating a long list of providers that handle sensitive data. It is within these relationships that cybercriminals target the weakest link to steal personal data such as credit card information.
Retailers and merchants can close the loop on point-of-sale systems through continuous monitoring of POS devices and regular installation of security patches. It’s crucial to apply new patches to all devices to prevent attacks like the recent one on Forever 21: The company had installed the latest security patches in all its POS devices except for just a few and those were the ones attacked. Identifying all your third, fourth and even twentieth-party providers is the first step toward establishing a risk management strategy. Bad actors use any chance to steal payment data that will then trickle down to the CNP channel, where merchants can’t differentiate between legitimate customers and impostors.
The most effective weapon against CNP fraud is to devalue the stolen data. The options to steal sensitive information have been evolving constantly, but if the stolen data is not useful to make a profit, fraudsters will lose interest in it. Following this approach, many companies have been implementing multilayered solutions applied to the CNP transactions that evaluate users by several key points:
1. what they have — device type, for instance
2. what they are — physical biometrics that can include facial, retinal or fingerprint scans.
There is an underlying layer that helps with identification by looking at a user’s passive biometrics. Passive biometrics can analyze the user’s inherent online behavior. If suspicions are raised, the company can trigger an additional verification request based on what the user has or is. This security approach, based on passive biometrics and behavioral analytics, secures a card from illegal online transactions without relying on data that could be stolen, such as username and password. Passive biometrics and behavioral analytics give retailers context for digital transactions and the ability to stop anomalous transactions before they happen. Users benefit from a seamless experience, while organizations gain the additional assurance of authentication.

You May Also Like