Online fraud in peak season

How can merchants securely handle large volumes of sales without impacting the customer experience?

We advise merchants to limit the friction to a minimum, however, if they need to add friction, at least to add it early in the session. Moreover, we urge upon the following best practices: 

Don’t wait for the transaction in order to assess risk – Apply early detection techniques, allowing for more flexible and softer mitigations with lower friction and conversion impact. For example, instead of blocking the user at the checkout due to suspected ATO, challenge the suspected user when trying to change the shipping address/modify the email address etc.

Constantly monitor detection accuracy – Establish a feedback loop based on fraud labels (e.g. chargebacks) and legit traffic labels (e.g. challenges passed successfully like multi-factor authentication, 3-D Secure) to get ongoing visibility into accuracy and identify anomalies compared to previous periods.

Do you see any particular trends in any specific ecommerce vertical during the peak season?

We could notice a trend around bot attacks. Automated accounts creation attempts by bots on large scales begin even before the peak season itself. More alarming is the fact that bots have increased 200-300% in the last two years at large retailers. New variants of bot attacks in lower scales occur before the peak sales events – fraudsters are running ‘tests’ in order to fine-tune their attack vector for the sales event itself.

These new variants usually involve using newer automation frameworks, new evasion techniques, and adaptations to specific new sections on the merchants websites that are dedicated to the peak season (e.g. dedicated Peak Season sales page, scrapping limited releases and schedules etc.). 

The usage of newer automation frameworks and evasion techniques is aimed to bypass ‘signature’-based detection (i.e. detection based on preliminary research of the specific bots and tools). The usage of behavioural data for detection is what allows us to achieve zero-day detection of these tools, even if never seen before. Traffic from tampered devices (rooted, jailbroken devices etc.) and emulators is also on the rise.

Chargeback fraud and refund abuse also spike in this period. How can merchants avoid these types of bad experiences?

First of all, early detection is key by preventing the fake accounts from being created in the first place and blocking the bots from running credentials stuffing from validating compromised credentials. 

Aside from bad bots, merchants should also detect fraudulent tools like emulators, cloning applications, and tampered devices and challenge/block traffic from such clients.

Similar to bots, these fraudulent tools can be detected with high accuracy based on behavioural and device attributes, meaning these can be detected early in the session – there’s no need to wait for transactional information, i.e. it is possible to detect and block this traffic before any damage is done.

Customer behaviour is likely to change during this busy period, which may trigger the risk settings. How can merchants avoid blocking these consumers and reduce false positives rates by adjusting or improving fraud patterns?

They should put focus on the overall population behaviour rather than behaviour at the individual account level. This way, they can give more weight to the anomalies of fraudulent activity compared to the entire population of users and less to the per-account profile, and limit the usage of blacklists. 

What is PingOne Fraud’s solution to proactively minimise fraud exposure?

The detection is based on behavioural data combined with device and network attributes, allowing us to detect anomalies and fraudulent activity at a very early stage, without the need to wait for a transaction to happen. Early detection allows us to identify fraudulent activity at the ‘preparation’ stage and prevent it before any damage is done. For example:

a. detect fake accounts creation at registration;

b. detect credentials testing by BOTs at login as a preparation for account takeover (ATO);

c. detect account setting changes that occur as part of an ATO, like shipping address changes, email changes etc., which happens before checkout.

It is also of utmost importance to detect the tools being used by fraudsters (bots, emulators etc.) regardless of what they are doing.

This interview is part of The Fraud Prevention in Ecommerce Report 2021/2022, the ultimate source of knowledge that delves into the evolutionary trail of the payments fraud ecosystem, revealing the most effective security methods for businesses to win the battle against bad actors.

About Ran Wasserman

Ran brings 15+ years of experience in software development and cybersecurity, from IAF’s elite computing unit as a developer and team leader, to IMPERVA where he held several development and management positions, focusing on web security and the WAF product. As SecuredTouch CTO, he led the research and delivery of SecuredTouch’s cutting edge fraud solutions. With SecuredTouch acquisition, Ran is now a Principal Architect on Ping’s product architecture group. Based in Tel Aviv, Israel, Ran holds a B.Sc. in Computer Science from the Academic College of Tel Aviv and an MBA from Tel Aviv University.

About Ping Identity

Ping Identity delivers intelligent identity solutions for the enterprise. We enable companies to achieve Zero Trust identity-defined security and more personalised, streamlined user experiences. The PingOne Cloud Platform provides customers, workforce, and partners with access to cloud, mobile, SaaS, and on-premises applications across the hybrid enterprise. Over half of the Fortune 100 choose us for our identity expertise, open standards, and partnerships with companies including Microsoft and Amazon. We provide flexible identity solutions that accelerate digital business initiatives, delight customers, and secure the enterprise through multi-factor authentication, single sign-on, access management, intelligent API security, directory, and data governance capabilities.