Voice of the Industry

How fraudulent activity can be detected before the checkout

Tuesday 14 September 2021 07:29 CET | Editor: Simona Negru | Voice of the industry

Alasdair Rambaud, CEO of SecuredTouch, a Ping Identity company, explains what is happening in the market and how merchants can protect themselves from fraudulent activities before the checkout 

When it comes to fraud and cyber mitigation, merchants have many options in the market, with over 50 companies providing some kind of protection against fraud and cyberattacks. Many of those tools rely on static data collected at checkout, such as credit card number, email address or device information. These tools are 10+ years old, which is ancient in the ecommerce world.

Unfortunately, that data can also be stolen, cloned, and often spoofed. Fraudsters have increasingly been analysing those tools and their vulnerabilities on ecommerce sites and have come up with evasion techniques, which expose the merchant to new kinds of losses occurring before checkout. To combat that, merchants are using more tools, which increases friction at checkout and creates false positives and frustration for legitimate clients, even as merchants try to find the right balance between fraud detection and the added friction that lowers conversion.

Fortunately, advances in machine learning, artificial intelligence and computing power have allowed for the development of new tools which can go much deeper and analyse the session and the behaviour of the user behind the device, giving the merchant much more insight earlier. These technologies were first used by governments and the military to combat terrorism and money laundering and are now making their way into the civilian merchant world. So how can those be leveraged?

Fraudsters vs merchants – who is winning the battle?

When a fraudster sets out to attack a merchant, he can use various techniques. He can create a bot script, which will perform repetitive actions on the merchant site in order to find a point of entry or vulnerabilities, often through credential stuffing, trying out thousands of usernames and passwords often collected on the dark web. Once he has found a point of entry, he will use that to monetise the access.

Since merchants protect their checkout well with the tools mentioned above, fraudsters often look for other ways to defraud the merchant, such as, but not limited to, reward point stealing, refund abuse, coupon abuse or just plain information change on accounts, including shipping address. They then leave the account and hope that the legitimate user does not notice, which our experience shows will happen in 20-25% of cases, sending the merchandise to the fraudulent address.

Fighting fraud before it happens

The new type of tools used to analyse the session will monitor all of the sessions happening at the merchant, on mobile devices or web, and will provide real-time feedback to the merchant when any kind of risky activity is perpetrated. These risky activities can include a new account creation, a login or a change in information on an existing account.

For example, with the explosion in mobile wallet adoption, LeumiCard wanted to ensure that the trend would not result in a subsequent increase of mobile fraud. Ensuring that user experience was not impacted was also a significant concern. The initial results showed:

  • More than 90% accuracy after only a few gestures were captured in the app/login.

  • Significant user adoption and an increase in transactions, and more.

In addition, the tools will continuously analyse hundreds of parameters during the entire session to detect intent. When a legitimate user comes to a site, they expect to be able to purchase and they will have a certain cadence and site familiarity. On the other hand, a fraudster will have less familiarity with the data since it is not his, but will have more familiarity with the site since he has likely been at it for hours with hundreds of attempts. A fraudster also has to be fast to maximise his ROI. All of those parameters can be analysed and compared to millions of legitimate sessions to find the ones that are out of pattern. 

When the fraudster attempts to have a more ‘normal behaviour’, the systems can detect the changes in behaviour throughout the session which usually would not happen with a legitimate user. Evasion techniques are often detected as abnormal changes in behaviour.

All that behaviour can be divided into conscious and unconscious. Conscious behaviour is, for example, which page you will consult next; unconscious behaviour is, for example, how fast you type or how hard you press your screen. Each of those elements will tell the merchant something about the user. While conscious behaviour can be modified easily, unconscious behaviour is a lot harder to change, and when there is an attempt to change it, it is detected as a change in unconscious behaviour, which is highly unlikely to happen in a legitimate situation.

If the merchant has a solution in place to analyse the session, it can also detect human vs non-human (i.e. bot) behaviour. That is why analysing behaviour is so important. This information can also be used as data augmentation if the user goes all the way to checkout to give existing tools more data to digest in order to increase their precision. 
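The three checks described above (sessions out of pattern against legitimate traffic, machine-like input, and behaviour that changes mid-session) can be illustrated on keystroke timing alone. This is an added example, not SecuredTouch's implementation; the baseline values, thresholds, session data and function names are constructed assumptions.

```python
import statistics
from itertools import accumulate

# Constructed baseline: median inter-key interval (ms) of ten legitimate sessions.
BASELINE_MEDIANS_MS = [182, 210, 195, 240, 175, 221, 260, 199, 230, 188]

def robust_z(value, population):
    """Median/MAD z-score; less distorted by outliers than mean/stddev."""
    med = statistics.median(population)
    mad = statistics.median([abs(x - med) for x in population])
    return 0.6745 * (value - med) / mad if mad else 0.0

def assess_session(key_times_ms, z_limit=3.5, cv_floor=0.05, shift_limit=0.5):
    """Return the risk flags raised by one session's key-press timestamps."""
    iv = [b - a for a, b in zip(key_times_ms, key_times_ms[1:])]
    if len(iv) < 4:
        return ["insufficient_data"]
    flags = []
    # 1. Typing cadence far from the legitimate population.
    if abs(robust_z(statistics.median(iv), BASELINE_MEDIANS_MS)) > z_limit:
        flags.append("out_of_pattern")
    # 2. Human typing is irregular; near-constant intervals suggest a script.
    if statistics.pstdev(iv) / max(statistics.mean(iv), 1) < cv_floor:
        flags.append("machine_like_timing")
    # 3. Cadence changing between the first and second half of the session.
    half = len(iv) // 2
    early, late = statistics.median(iv[:half]), statistics.median(iv[half:])
    if abs(late - early) / max(early, 1) > shift_limit:
        flags.append("mid_session_shift")
    return flags

def times(intervals_ms):
    """Turn inter-key intervals into absolute timestamps starting at 0."""
    return [0, *accumulate(intervals_ms)]

# Constructed sample sessions (inter-key intervals in ms).
SESSIONS = {
    "legit": times([190, 230, 170, 250, 205, 180, 240, 215]),
    "scripted": times([40, 41, 40, 40, 41, 40, 40, 41]),
    "adapting": times([150, 160, 155, 150, 330, 310, 340, 320]),
}

if __name__ == "__main__":
    for name, ts in SESSIONS.items():
        print(name, assess_session(ts) or "no flags")
```

The "adapting" session passes the population check because its overall median looks normal; only the within-session comparison flags it, which is the effect the article describes for evasion attempts.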

All of this will enable the merchant to do early detection, which allows for soft mitigation during the session while the user is present vs having to decline a transaction at checkout once the merchant has gone through manual review and decided the transaction is too risky to approve.

Our new whitepaper outlines how continuous authentication using behavioural biometrics contributes significantly to the success of a bank's mobile offering. Banks can overcome many challenges including PSD2, Open Banking, user experience, and fraud prevention.

About Alasdair Rambaud

Alasdair Rambaud was the CEO of SecuredTouch, a position he assumed in August 2019. He is now Head of Fraud at Ping Identity. Alasdair has been in payments and fraud mitigation for merchants and financial institutions for over 20 years and has held many global roles with EverCompliant, CardinalCommerce, and Accertify. Alasdair started his career at American Express where he spent 15 years in Sales, Strategy, and General Management. Alasdair has a passion for helping merchants solve their fraud dilemmas without compromising on the customer experience.

About SecuredTouch, a Ping Identity Company

SecuredTouch, a Ping Identity company, is an industry leader in bot attack prevention, identity risk, and fraud intelligence. SecuredTouch helps organisations address multiple fraud use cases with one platform, including account takeover, bot detection, payment fraud, and more. By operating continuously and without customer friction, SecuredTouch provides customers the ability to reduce fraud losses, catch risky behaviour, and increase security, all while improving user experience. SecuredTouch delivers market-leading solutions to clients in multiple sectors globally.



Keywords: merchants, fraud prevention, ecommerce, online fraud, bot attacks, biometric authentication
Categories: Securing Transactions | Digital Identity, Security & Online Fraud
Countries: World