E-commerce revenue is constantly increasing, but the number of fraud cases, as well as the percentage of fraud in online transactions, is increasing faster still. But what types of fraud exist and—more importantly—how can we protect ourselves against them?
The Nilson Report (1) uses the example of card-based payments to illustrate the point: Internet payment fraud is constantly increasing, and is, apparently, unstoppable. While the increase itself is nothing new (there has been more e-commerce fraud every year since 1993), the rate is impressive. The number of fraud cases has increased by 19 percent compared to 2013, and this is the fourth successive time that fraud growth has exceeded e-commerce growth. Out of every 100 USD in turnover, fraudsters currently snatch 5.65 cents.
Fraud is not exclusive to credit card payments, however. Criminals are becoming more sophisticated in their use of malware to capture online banking login credentials on phones, tablets and computers, using the stolen bank account details to make fraudulent payments. “Alternative” payment methods are also attracting criminals. So what does this fraud look like, exactly? A study (2) asked 274 merchants from various industries in six countries precisely this question. The most common types of fraud are explained below.
Identity Theft
According to the study (2), the most common types of fraud causing concern among merchants are identity theft (71 percent), phishing (66 percent) and account theft (63 percent). Here, credit cards are the most popular target, as a fraudster does not need much to carry out a “card not present” transaction.
In traditional identity theft, the criminals’ goal is to carry out transactions using a different identity. Instead of having to come up with a completely new identity to do this, they simply take over an existing one. This is easier to do—and usually much faster.
In order to commit identity theft or appropriate someone’s identity, fraudsters target personal information, such as names, addresses and email addresses, as well as credit card or account information. This enables them, for example, to order items online under a false name and pay using someone else’s credit card information or by debiting another person’s account. Phishing, on the other hand, simply involves using fraudulent websites, emails or text messages to access personal data. Another technical method is known as pharming, in which manipulated browsers direct unsuspecting customers to fraudulent websites. Often, all that is required to appropriate someone’s identity is a stolen password. This can be used to take over an existing account with an online shop – in most cases, the payment data is already stored in the account.
Of course, hacker attacks on e-commerce providers and stealing customer data also fall under this fraud category, as does using malware on computers to commit identity theft by spying out sensitive data. “Man-in-the-middle attacks” are even more sophisticated. These involve hackers muscling in on communications between customers and merchants (or between customers and banks) in order to siphon off login data.
We haven’t even mentioned the opportunities involved in intercepting credit cards sent by mail, for example, or in copying credit cards in restaurants and hotels or at cash machines. Already, though, the true extent of the identity theft problem is apparent.
Friendly Fraud
In fourth place is what the merchants surveyed (2) refer to as “friendly fraud”. This sounds friendlier than it really is: using this method, customers order goods or services and pay for them – preferably using a “pull” payment method like a credit card or direct debit. Then, however, they deliberately initiate a chargeback, claiming that their credit card or account details were stolen. They are reimbursed—but they keep the goods or services. This fraud method is particularly prevalent with services, such as those in the gambling or adult milieus. Friendly fraud also tends to be combined with re-shipping. This is where criminals who use stolen payment data to pay for their purchases don’t want to have them sent to their home addresses. Instead, they use middlemen whose details are used to make the purchases and who then forward the goods.
Clean Fraud
Clean fraud’s name is misleading, because there’s nothing clean about it. The basic principle of clean fraud is that a stolen credit card is used to make a purchase, but the transaction is then manipulated in such a way that fraud detection functions are circumvented. Much more know-how is required here than with friendly fraud, where the only goal is to cancel the payment once a purchase has been made. In clean fraud, criminals use sound analyses of the fraud detection systems deployed, plus a great deal of knowledge about the rightful owners of their stolen credit cards. A great deal of correct information is then entered during the payment process so that the fraud detection solution is fooled. Before clean fraud is committed, card testing is often carried out. This involves making cheap test purchases online to check that the stolen credit card data works.
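The card-testing pattern described above (many cheap purchases, many different cards, a high share of declines, all from one source in a short time) lends itself to a simple velocity check. The following is an added example, not code from the original article or the cited studies; the transaction records and the thresholds are constructed for illustration:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample transactions (not real data):
# (timestamp, source IP, card token, amount in USD, approved by the issuer?)
TRANSACTIONS = [
    ("2024-01-05T10:00:01", "203.0.113.7", "card-1", 1.00, False),
    ("2024-01-05T10:00:09", "203.0.113.7", "card-2", 1.00, False),
    ("2024-01-05T10:00:15", "203.0.113.7", "card-3", 0.99, True),
    ("2024-01-05T10:00:40", "203.0.113.7", "card-4", 1.50, False),
    ("2024-01-05T10:01:02", "203.0.113.7", "card-5", 1.00, True),
    ("2024-01-05T10:01:30", "203.0.113.7", "card-6", 1.00, False),
    ("2024-01-05T10:05:00", "198.51.100.4", "card-7", 59.90, True),  # ordinary purchase
    ("2024-01-05T11:30:00", "198.51.100.4", "card-7", 24.00, True),  # same customer, later
]

def detect_card_testing(transactions, window=timedelta(minutes=10),
                        min_distinct_cards=5, max_amount=5.0, min_decline_ratio=0.4):
    """Return {ip: stats} for source IPs whose low-value transactions inside a
    sliding time window use many distinct cards and are declined unusually often.
    Thresholds are illustrative assumptions, not values from the article."""
    by_ip = defaultdict(list)
    for ts, ip, card, amount, approved in transactions:
        by_ip[ip].append((datetime.fromisoformat(ts), card, amount, approved))

    alerts = {}
    for ip, rows in by_ip.items():
        rows.sort()  # chronological; datetime is the first tuple element
        for i, (start, _, _, _) in enumerate(rows):
            # All of this IP's transactions within `window` of the i-th one
            in_window = [r for r in rows[i:] if r[0] - start <= window]
            small = [r for r in in_window if r[2] <= max_amount]
            distinct_cards = {r[1] for r in small}
            if len(distinct_cards) < min_distinct_cards:
                continue
            declines = sum(1 for r in small if not r[3])
            ratio = declines / len(small)
            if ratio >= min_decline_ratio:
                alerts[ip] = {"distinct_cards": len(distinct_cards),
                              "attempts": len(small),
                              "decline_ratio": round(ratio, 2)}
                break  # one alert per source is enough
    return alerts

if __name__ == "__main__":
    for ip, stats in detect_card_testing(TRANSACTIONS).items():
        print(f"possible card testing from {ip}: {stats}")
```

In production the same logic would key on a device fingerprint or session as well as the IP, since testers rotate addresses; the point here is that the signal is the combination of low value, card diversity and decline rate, not any one of them.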
Affiliate Fraud
There are two variations of affiliate fraud, both of which have the same aim: to glean more money from an affiliate program by manipulating traffic or signup statistics. This can be done either using a fully automated process or by getting real people to log into merchants’ sites using fake accounts. This type of fraud is payment-method-neutral, but extremely widespread.
Triangulation Fraud
During triangulation fraud, the fraud is carried out via three points. The first is a fake online storefront, which offers high-demand goods at extremely low prices. In most cases, additional bait is added, such as a notice that the goods will only be shipped immediately if they are paid for using a credit card. The falsified shop collects address and credit card data – this is its only purpose. The second corner of the fraud triangle involves using other stolen credit card data and the name collected to order goods at a real store and ship them to the original customer. The third point in the fraud triangle involves using the stolen credit card data to make additional purchases. The order data and credit card numbers are now almost impossible to connect, so the fraud usually remains undiscovered for a longer period of time, resulting in greater damages.
Merchant Fraud
Merchant fraud is another method which must be mentioned. It’s very simple: goods are offered at cheap prices, but are never shipped. The payments are, of course, kept. This method of fraud also exists in wholesale. It is not specific to any particular payment method, but this is, of course, where no-chargeback payment methods (most of the push payment types) come into their own.
More International Fraud
On average, the merchants who participated in the study (2) do business in 14 countries. According to 58 percent of those surveyed, the major challenge in fraud prevention is a lack of system integration to provide a unified view of all their transactions across all markets. 52 percent also see increased international transactions as a challenge. Almost exactly the same number (51 percent) have great difficulty in maintaining an overview of the various fraud prevention tools in different countries. Language barriers, as well as the difficulty of keeping international tabs on individual customers, pose additional fraud management challenges.
Different Devices
Fraud methods vary depending on the sales channel, and the fact that most merchants aim to achieve multi-channel sales does not make the situation any easier. According to 69 percent of the merchants surveyed in (2), sales via third-party websites like Amazon, Alibaba or eBay are particularly susceptible to fraud. These are followed by mobile sales (mentioned by 64 percent) and sales via their own online shops (55 percent).
(1) nilsonreport.com/publication_chart_of_the_month.php?1=1&issue=1068
(2) worldpay.com/global/insight-reports/fragmentation-fraud-report
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.