Understanding true intent: probabilistic vs deterministic approaches

For ecommerce companies, 2020 could be characterised as the best of times and the worst of times. Digital businesses saw massive waves of new customers as COVID-19-related lockdowns spurred people online to buy everything from cars to groceries to video games. And those who previously engaged in online commerce only occasionally, quickly became much more reliant on it.

This massive increase in traffic and customers was a boon for digital commerce companies, but like moths to a flame, it attracted more fraudsters than ever before. Fraudsters sought to blend in with this increased traffic, and commit attacks against companies and their customers before – or without – ever getting caught. With more people online than ever before, this meant that old fraud models of what constituted suspicious behaviour were thrown out the window.

At the same time, ecommerce firms are expected to deliver a seamless experience to consumers with no friction. Doing so while effectively fighting fraud presents quite the conundrum. The key is to combine a risk-based probabilistic approach that identifies potential suspicious behaviour with a deterministic approach that tests higher-risk traffic, and interacts with users to prove definitively their intent.

Who are you?

In this post-breach world, digital identifiers cannot be trusted or taken at face value. That’s because years of massive data breaches have exposed nearly everybody’s emails, passwords, and other pertinent data. All of this is in the hands of fraudsters, who carry out credential stuffing attacks at scale to take over good user accounts and commit downstream fraud.

Even more difficult to detect are synthetic identities, which use a combination of real consumer data and fictitious information. Attackers will use an array of tools to obfuscate and spoof digital identifiers to evade traditional fraud detection models.

This problem is exacerbated in a year which has had an influx of ‘digital debutants’ as lockdowns have forced new sections of society online. Risk models that rely on previous behavioural norms are a far less reliable indicator of trust.

Many businesses rely on risk scores to help identify bad traffic, but these can tell you a certain user might look suspicious, but not what to do with it. Do you get overly conservative, and block any traffic that might seem suspicious and risk alienating potential customers that fall into this net? Taking the opposite approach, and letting in all but the most obviously bad traffic, opens up your platform to fraud attacks which not only drain revenues but harm the experience for your real customers as well.

In order to make sense of these risk scores, in a world where increasing amounts of traffic falls in the ‘suspicious’ bucket, it takes a lot of manual reviews from internal fraud and security teams. This creates inefficiencies and overly burdens internal teams, who could be spending their time doing more value-added tasks rather than manual fraud reviews. It also hurts the customer experience, as users have to wait a while before being authenticated and allowed onto the platform.

Another approach that has proved problematic is relying on out of band authentication such as two-factor authentication. Consumers shop online because it is a quick and easy experience.

2FA adds a great deal of friction to the authentication experience – most consumers hate it. Things like SMS tokens also punish people who have bad cell phone reception at the time, for example, or use VOIP. Fraudsters on the other hand can easily set up fake accounts to bypass SMS or physical tokens.

How to determine true intent

Businesses need risk-based insights that provide a clear path to real-time remediation, without forcing users out of band and killing conversion rates.

Optimal fraud and abuse detection should classify traffic based on suspected intent and then test and interact with the traffic for a more deterministic approach. The first part involves robust detection capabilities. This should include analysing hundreds of data points and utilising behavioural biometrics such as real-time data around device and fingerprint ID as well as behavioural data. This is important since bad actors will generally behave differently because of the monetary incentives. This includes filling out forms quicker, copying, and pasting data, and generally working much more quickly than real customers in order to complete tasks at scale.

After that, traffic can be accurately segmented into bots, good users, and potentially suspicious users. Many actual customers may fall under the latter category for a variety of reasons. That’s where user-friendly secondary screening comes in. It should be something that is designed to be nigh-on impossible for bots to solve and frustrates fraudsters carrying out multiple attacks, but very easy for good users. With accurate detection classification, most good users shouldn’t need secondary screening at all, but for those who do, it should be easy to pass through and be much less antagonistic than traditional MFA.

Testing the responses of traffic posing as a legitimate consumer can happen in several forms – behind the scenes or through in-session user challenges. The trick is to combine risk insights with secondary screening in order to obtain more evidence of true intent. This avoids relying on a purely probabilistic approach, or forcing users out of band and slowing transactions down.

This way, ecommerce firms can keep good customers happy, while frustrating the bad guys, to the point that they abandon attacks.

This editorial was published in the Fraud Prevention in Ecommerce Report 2020/2021, the go-to source in securing transactions while offering a frictionless customer journey.

About Kevin Gosschalk

Kevin Gosschalk formed Arkose Labs to build a revolutionary way to catch fraudsters online by focusing on their underlying objective – financial return. Arkose Labs’ goal is to make it more costly to commit fraud and abuse than the potential reward, thereby removing the financial incentive and creating a world where all online identities can be trusted.

About Arkose Labs

Arkose Labs bankrupts the business model of fraud. Recognised by Gartner as a 2020 Cool Vendor, its innovative approach determines true user intent and remediates attacks in real time. Risk assessments combined with interactive authentication challenges undermine the ROI behind attacks, providing long-term protection while improving good customer throughput.