How can online businesses safeguard customers against ID theft?
Criminals are constantly updating and evolving the methods they use to commit identity fraud. While serious steps have been taken by authorities and businesses across Europe to tackle the problem and safeguard consumers, the threat remains significant.
As the frequency of fraud increases, so does consumer awareness of the issue – thanks to headlines in the press and on TV. With this in mind, it is clear that if a business fails to adequately protect consumer data, they don’t just stand to lose short-term revenue, they risk their brand reputation over the long term.
At RISK IDENT, we are dedicated to monitoring all the latest tactics used by fraudsters as they try to circumvent the law. Cases of identity theft reached an all-time high in 2017, with almost 175,000 incidents reported, many of which led directly to account takeovers by criminals. This trend shows no sign of abating in 2018. Driving this rise is the continued growth of mCommerce, with smartphones being targeted more and more.
The ticketing industry is also attracting significant levels of fraud, facilitated by bots and related technology.
Understanding the fraudsters
Alongside the growth in ID theft has been a proliferation in the number and type of people committing fraud. There are now three general categories of fraudsters within eCommerce and telecoms that businesses must distinguish between:
• Petty criminals:
These have long been a fixture in ID theft. They use stolen credentials and payment information to obtain goods that are then resold on eBay or other online auction sites.
• Individuals with a bad credit history or no money:
A new category, these people want to buy a premium product that they cannot afford; leather jackets, handbags, electronics, Apple products, so will take advantage of any access to other people’s payment details.
• Organized criminals:
These people do it for a living, using their proceeds to finance other high-margin crimes, such as selling drugs or even weapons. The intentions of criminals in each category can be quite different to each other. The first two are mainly driven by greed and opportunism. The last, however, is the result of dangerous criminal motives, with a significant impact on wider society. Such criminal gangs can be highly organized and work cross-border – which can mean cases are escalated to Europol. Such cases are very expensive for businesses, with losses totalling many hundreds of thousands of pounds, making it vital that steps are made to prevent them.
Measuring the ID theft threat
Once identity data has been stolen, it is all too easy for fraudsters to create new accounts on eCommerce sites and begin ordering merchandise, often to be sold-off at a profit. However, the real danger comes when the fraudster uses the personal information to hijack existing accounts, masquerading as a legitimate user – better known, of course, as “account takeover”.
Inadequate password security, such as repeating passwords across accounts, or using simple words like ‘password’, plays a significant role here, but fraudsters can trawl social media and use personal information to break security questions.
Fraudsters can also target a victim’s email account, which often acts as the anchor to their entire online life. From there, they can break into multiple accounts across a vast range of online businesses.
A consumer’s email account can contain everything from addresses, to birthdays, to saved payment information. These details alone constitute everything one would need for online fraud. In addition, a genuine account that has been hijacked also offers fraudsters a significant advantage: trustworthiness.
Online businesses typically place much more trust in existing customers with years of good experience behind them, than they do with new customer accounts. Account takeovers, then, give fraudsters perfect cover for committing crime.
Spotting hijacked accounts
Fraudsters work hard to stay invisible for as long as possible, but it is possible to spot them early and prevent irreparable damage. Signs of an account takeover can range from:
• An unusual numbers of failed login attempts
• A password change followed by unusual customer behaviour
• Purchasing an unusually expensive item or a high volume of goods
• Login attempts from different devices and places
• Switching to an older browser or operating system.
However, many of these indicators can also be innocent customer behaviours. With this in mind, online businesses must be careful of false alarms – false positives not only harm immediate revenues, but also damage customer relationships and, consequently, a business’ brand image. Fighting fraud with AI Machine learning technology (ML) has a key role to play in supporting businesses to spot these signs of account takeover. Based on developing computer programs, ML recognizes patterns and regularities in datasets, so it can learn from each transaction and historical data. In this way, it can continually create new models and evolve algorithms that help eCommerce businesses identify cases of fraud so they can take corrective action.
Fraudsters can seek to conceal their locations, mask their identities and make their fraudulent transactions look unsuspicious, but ML is well equipped to find patterns, calculate risks and halt illicit activities – in real-time.
However, AI on its own is not enough – human fraud managers are indispensable in the process. Domain experts, with years of experience fighting fraud, know their fraud problems best and can never be replaced by a machine. Only by combining the two entities will businesses see the best results. Fraud managers constantly feed their knowledge on the context and causes of fraud into the machine, allowing the system to evolve continually.
Ready for the future
The joint challenge of ID theft and account takeover is not going to go away any time soon. While it is important for consumers to be vigilant and take steps in ensuring the security of their own data, eCommerce businesses have a key part to play in protecting customers’ data, and in supporting them to safeguard their information. By talking to fraud experts, online retailers can ensure they have all the tools they need to optimize their security processes, so they can take the right steps to continue to protect their customers from the impact of ID fraud.