The current pandemic has encouraged more and more online shopping. Globally, the number of ecommerce purchases climbed 23.5% from April 2019 to April 2020. General retail had the highest growth in transaction volume, increasing 209% year-over-year.
As consumers switched to online shopping, fraudsters followed suit—to the point that ecommerce fraud reached its highest recorded peak. Ecommerce fraud can be prohibitively expensive and now costs companies $3.36 for every dollar they lose to fraud compared to $2.40 in 2016. Unfortunately, this isn’t a problem that is likely to go away anytime soon. In fact, card not present (CNP) fraud is predicted to increase by 14% by 2023 and could cost retailers $130 billion by then.
What is ecommerce fraud?
Account takeover (ATO)
The fraud type causing the most financial losses globally is account takeover, which is seeing a year-over-year increase of 122% and accounted for $9 billion in fraud in 2019. There are a number of account takeover techniques, including phishing attacks, account theft, and identity theft.
Credit cards are fraudsters’ most common target because Card Not Present transactions need almost no verification at all. In most cases, once an account is compromised, identities and card details are already available. Phishing attack campaigns target precisely this kind of information, using fraudulent websites, emails, or text messages to access personal data. The growth of identity and account takeover fraud is fueled by the advancements of bots capable of performing upwards of 100 attacks per second—essentially supporting limitless account takeover.
Pharming, on the other hand, is manipulating browsers to direct unsuspecting customers to fraudulent websites. Credit cards and personal account information are stolen in this way, with users unknowingly providing relevant data to illicit websites. Sometimes, the attacks can target specific companies. For example, in 2018, 30 million Facebook accounts were compromised, 150 million records were stolen from Under Armour, and 500 million records were swiped from Marriott.
Graduating from the basics of fraud, hackers now spearhead a more complex attack on ecommerce providers to spy on communications between customers and banks or ecommerce sites. Malware is evolving rapidly, too, and so-called “man-in-the-middle attacks” are on the rise, taking advantage of uneducated, new web users or retailers forced to move online during the pandemic.
Credential stuffing
The gaming industry saw a 126% year-over-year growth in online sales earlier this year. For this particular industry, credential stuffing and streaming potluck are the preferred methods to fraud the system.
Specifically, credential stuffing refers to the use of mass login attempts to verify the validity of stolen username/password pairs. In most of the cases obtained from a data spill, the list of credentials becomes available for sale or free download. Once acquired, malicious actors use automated login flows to gain access to different services and breach accounts, make unauthorized transactions, or even steal personal information. Since most users prefer using the same password for most of their accounts, once an account is compromised, a gate is opened to many accounts.
The FBI periodically sends security alerts to the U.S. financial sector warning organizations about the increasing number of credential stuffing attacks. To this end, it is estimated that 87 million credential stuffing attacks target the U.S. daily.
Streaming potluck is an easy to perform account-sharing fraud where members of a platform share their streaming service account so each member of the group eventually gets access to all services. This unauthorised service sharing can cause revenue losses, but it can be easily avoided with additional, nonintrusive identity verification methods.
Chargebacks: Friendly fraud
One of the most expensive fraud types is when customers request refunds from their issuing banks, claiming that transactions on credit card statements are fraudulent. This is also one of the most common fraud techniques, mainly because banks are the first to be contacted and are also, in most cases, unable to verify service fulfillment or goods receiving.
Chargebacks are translated into losses for retailers ranging from additional fees, loss of inventory or services, and ample time to resolve issues. This fraud is also known as friendly fraud since the intention behind it is hard to verify and might result from either criminal or friendly intent. Studies estimate that chargebacks account for anywhere between 40% and 80% of all online fraud.
Behavioral biometrics:
Enhancing security with a great user experience
Today, more and more executives are embracing the biometric authentication wave, and 72% of security leaders see biometrics as more user-friendly than passwords. The majority of IT departments are actively evaluating biometrics, with 82% of respondents identifying at least one of the basic biometric approaches as a passwordless solution.
Securing an account—be it an ecommerce website or banking app—is the central tenet of fraud prevention. Since most attacks are often possible due to identity theft, account takeover, and credential stuffing, most ecommerce fraud methods can be successfully prevented with secure authentication.
Stealth security does not necessarily translate into a burdensome user experience with many authentication steps or various out-of-band methods. Costly hardware tokens or SMS one-time passwords (OTPs) can add friction and sometimes even hinder checkouts and cause transaction abandonment. Adding typing biometrics as a user-friendly security layer with a high accuracy rate can solve the above-mentioned budget and user experience concerns.
Did you know that even if someone knew your credentials, they couldn’t access your account?
Typing biometrics is used to upgrade authentication in businesses worldwide across many industries. Behavioral biometrics technology can verify online transactions, protect your business against account sharing, and limit account takeover. No matter how fragile a password, adding a security layer such as typing biometrics verification considerably improves security because behavior is innate to a user and almost impossible to imitate.
Secure authentication can prevent most ecommerce fraud types. Typing biometrics can be integrated into adaptive authentication, also known as risk-based authentication (RBA). Such authentication scenarios add valuable insights based on users’ trust level through multiple risk assessments of their activities. With the user experience central to this RBA, additional identity verification is required only in flagged situations. In such cases, users typing a word or short phrase will be enough to gain trust and access.
Try our demo today to see how frictionless authentication can prevent your business from being the victim of ecommerce fraud while preserving a great user experience.
