The rise of ecommerce’s share of global retail sales – from 14% in 2018 to 19% in 2020 due to the effects of COVID-19 lockdowns – has likewise led to an increase in global fraud rates. This is in part down to a new group of online shoppers not fully aware of the dangers of the internet. They are perfect targets. Fraudsters use a bag of tricks based around social engineering (an act that influences a person to take an action that may not be in their best interest) to get what they want from them.
Phishing remains a prominent scam method, in which cybercriminals fool victims into divulging sensitive information. Emails are crafted to create fear and urgency, enticing people to click on a malicious link. They are directed to what appears to be a legitimate service, where they are asked to pay an outstanding bill or update their details. If successful, the account falls under the control of the fraudster.
Similar techniques include vishing (eliciting information or action over the phone) and SMiShing (using SMS to do the same). Often, though not always, the fraudster uses tools to spoof caller ID, so a call or SMS appears to come from the victim’s own bank or another service and to require urgent action. By persuading the victim to install a remote desktop programme (loosely called RDP; remote-access software that links two networked computers) in order to supposedly fix a problem, a fraudster gains access to the device and the accounts on it. Surprisingly, the main aim is not to steal money: the bigger prize can be scans of ID documents saved on the victim’s device, which are used to assume a real identity to open multiple new accounts, launder cash, and take out loans.
Two-factor authentication (2FA) is not so strong
Long the standard for authenticating online transactions and deterring phishing, 2FA appears to provide adequate protection. It is based on two factors: a password (something you know) and an authentication code, often received via SMS on a phone (something you have). Unfortunately, fraudsters have upped their game so much that 2FA provides little more than a false sense of security.
Cybercriminals can defeat 2FA using the Muraena and NecroBrowser toolkit. Developed by researchers Michele Orru and Giuseppe Trotta, it was built to demonstrate that common anti-phishing strategies can be bypassed. Previously, defeating 2FA required deep technical knowledge and many tools: attackers needed their phishing sites to function as proxies, forwarding requests to the legitimate service and delivering its responses in real time. The aim was to capture valid browser session cookies, which had to be used quickly before they expired.
A simpler method to get around 2FA is SIM swapping. Through phishing and/or social engineering, a fraudster obtains the victim’s personal details and uses them to contact the victim’s mobile service provider. Impersonating the victim and feigning the loss of a phone, they attempt to convince the provider to port the number to a new SIM. If successful, all incoming calls and messages (including verification codes) are delivered to the fraudster’s phone.
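To make the point about relayed and diverted codes concrete, here is an added Python model; it is not code from the editorial, from Nethone, or from the Muraena/NecroBrowser project. It assumes a toy AuthServer, constructed origins shop.example and shop-example.test, and a constructed shared device key; the HMAC-over-origin scheme stands in for what origin-bound authenticators do, a topic the editorial itself does not cover. The server accepts a six-digit code no matter which page it was typed into or which handset received it, whereas a response bound to the page’s origin fails when that origin is not the merchant’s.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict

# Constructed names for the illustration: the merchant's real origin and a
# look-alike origin that a relay page would be served from.
LEGIT_ORIGIN = "https://shop.example"
LOOKALIKE_ORIGIN = "https://shop-example.test"


def device_sign(key: bytes, nonce: bytes, origin: str) -> bytes:
    """What the user's authenticator computes: it signs the origin of the page
    that asked for the response, not an origin the page merely claims to be."""
    return hmac.new(key, nonce + b"|" + origin.encode(), hashlib.sha256).digest()


@dataclass
class AuthServer:
    """Toy backend holding one pending SMS code and one pending challenge per user."""
    sms_codes: Dict[str, str] = field(default_factory=dict)
    challenges: Dict[str, bytes] = field(default_factory=dict)
    device_keys: Dict[str, bytes] = field(default_factory=dict)  # registered per user

    def send_sms_code(self, user: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self.sms_codes[user] = code
        return code  # stands in for SMS delivery to whichever SIM holds the number

    def verify_sms_code(self, user: str, code: str) -> bool:
        # The server sees only six digits: it cannot tell which page the user
        # typed them into, nor which handset received them.
        expected = self.sms_codes.pop(user, None)
        return expected is not None and hmac.compare_digest(expected, code)

    def register_device(self, user: str, key: bytes) -> None:
        self.device_keys[user] = key

    def issue_challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.challenges[user] = nonce
        return nonce

    def verify_bound_response(self, user: str, signature: bytes) -> bool:
        # The server recomputes over ITS OWN origin; a response produced for any
        # other origin cannot match, however faithfully it was forwarded.
        nonce = self.challenges.pop(user, None)
        key = self.device_keys.get(user)
        if nonce is None or key is None:
            return False
        expected = device_sign(key, nonce, LEGIT_ORIGIN)
        return hmac.compare_digest(expected, signature)


def sms_code_relayed() -> bool:
    """The code is typed into a look-alike page and forwarded unchanged (or, after
    a SIM swap, simply received by another handset). The server accepts it."""
    server = AuthServer()
    code = server.send_sms_code("alice")
    return server.verify_sms_code("alice", code)


def bound_response_relayed() -> bool:
    """Same relay, but the authenticator signs the look-alike origin it really sees."""
    server = AuthServer()
    key = secrets.token_bytes(32)  # constructed device key
    server.register_device("alice", key)
    nonce = server.issue_challenge("alice")
    sig = device_sign(key, nonce, LOOKALIKE_ORIGIN)
    return server.verify_bound_response("alice", sig)


def bound_response_direct() -> bool:
    """Control case: the same flow on the genuine origin succeeds."""
    server = AuthServer()
    key = secrets.token_bytes(32)
    server.register_device("alice", key)
    nonce = server.issue_challenge("alice")
    sig = device_sign(key, nonce, LEGIT_ORIGIN)
    return server.verify_bound_response("alice", sig)


if __name__ == "__main__":
    print("SMS code relayed, accepted:", sms_code_relayed())
    print("bound response relayed, accepted:", bound_response_relayed())
    print("bound response on real origin, accepted:", bound_response_direct())
```

The design point is that the SMS check has no input that distinguishes the genuine page from a relay, so no server-side logic can reject the forwarded code; only a factor that incorporates the origin gives the server something to check.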
ATO fraud attempts in ecommerce will only increase
To combat fraud, the European Union introduced the PSD2/SCA regulations (the revised Payment Services Directive and its Strong Customer Authentication requirement), which require merchants to use multi-factor authentication for online transactions. This has improved anti-fraud measures, and rather than going up against stronger payment security, many fraudsters have shifted their attention to account takeover (ATO). The methods are easier than you might think, which is why ecommerce merchants need to take effective countermeasures.
Fraudsters try to beat anti-fraud by behaving like a normal customer
The fraudster’s first steps are to analyse the account’s purchase history, delivery address, payment methods and so on. Next, they browse online shops and add products similar to those previously purchased to the shopping cart. Returning days later, adding more goods, making a purchase and leaving reviews all look natural. Some fraudsters, in a very nonchalant manner, will also contact customer services to strike up a conversation and build rapport with the merchant. Eventually, the unwanted items are removed from the cart and only the desired items are purchased. This can go on indefinitely until the fraud is discovered.
Advanced anti-fraud solutions based on exhaustive end-user session profiling and machine learning can prevent attacks
Such effective attacks show why merchants have begun to take their users’ behaviour seriously, and why rule-based anti-fraud systems can be ineffective against evolving attacks. The answer is to deploy advanced anti-fraud solutions based on behavioural biometrics and digital fingerprinting, backed by AI/machine learning models. This is precisely what Nethone provides. Our integrated solution effectively differentiates genuine customers from fraud actors in real time and in a non-invasive manner. Global fraud threats and techniques are evolving, but so too are the solutions.
This editorial is part of The Fraud Prevention in Ecommerce Report 2021/2022, the ultimate source of knowledge that delves into the evolutionary trail of the payments fraud ecosystem, revealing the most effective security methods for businesses to win the battle against bad actors.
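The warm-up behaviour described in the previous section, and the limits of a static rule set noted here, can be shown with a small scoring routine. This is an added Python example, not Nethone’s product or any code from the editorial; the account profile, the two sessions, the signal weights and the 40/70 decision thresholds are all constructed. It scores a first low-value session from a new device as allowable, lets that device earn trust, and then shows how much lower the cash-out session scores once the device is ‘known’ than it would have on a fresh profile.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

ALLOW, STEP_UP, BLOCK = "allow", "step_up", "block"


@dataclass
class AccountProfile:
    """What the merchant already knows about a genuine customer (constructed)."""
    known_devices: Set[str]
    known_addresses: Set[str]
    known_payment_tokens: Set[str]
    median_order_value: float


@dataclass
class Session:
    device_id: str
    events: List[dict]  # each event: {"type": ..., "t": minutes since login, ...}


def score_session(profile: AccountProfile, session: Session) -> Tuple[int, List[str]]:
    """Additive rule score with the reasons that fired. Weights are illustrative."""
    score, reasons = 0, []
    if session.device_id not in profile.known_devices:
        score += 30
        reasons.append("login from device not seen on this account")

    adds = removes = 0
    new_address_t = None
    for ev in session.events:
        kind = ev["type"]
        if kind == "cart_add":
            adds += 1
        elif kind == "cart_remove":
            removes += 1
        elif kind == "address_change" and ev["address"] not in profile.known_addresses:
            score += 25
            reasons.append("delivery address never used before")
            new_address_t = ev["t"]
        elif kind == "payment_add" and ev["token"] not in profile.known_payment_tokens:
            score += 20
            reasons.append("new payment instrument added")
        elif kind == "checkout":
            if ev["value"] > 3 * profile.median_order_value:
                score += 15
                reasons.append(f"order value {ev['value']} is >3x the account median")
            if new_address_t is not None and ev["t"] - new_address_t <= 10:
                score += 15
                reasons.append("checkout within 10 min of address change")
    if adds and removes / adds >= 0.5:
        score += 10
        reasons.append("high cart churn: half or more of added items removed")
    return score, reasons


def decide(score: int) -> str:
    if score >= 70:
        return BLOCK
    if score >= 40:
        return STEP_UP
    return ALLOW


def learn_from_session(profile: AccountProfile, session: Session) -> None:
    """Naive trust accrual: after an allowed session the device becomes 'known'.
    This is exactly what the warm-up behaviour in the text takes advantage of."""
    profile.known_devices.add(session.device_id)


def make_profile() -> AccountProfile:
    return AccountProfile({"dev-home"}, {"12 Rose St"}, {"tok-visa-1"}, 45.0)


# Constructed sessions: a low-value repeat order, then the real objective days later.
WARM_UP = Session("dev-new", [
    {"type": "cart_add", "t": 1, "sku": "coffee-beans"},
    {"type": "cart_add", "t": 2, "sku": "filters"},
    {"type": "checkout", "t": 6, "value": 38.0},
])
CASH_OUT = Session("dev-new", [
    {"type": "cart_add", "t": 1, "sku": "coffee-beans"},
    {"type": "cart_add", "t": 1, "sku": "grinder"},
    {"type": "cart_add", "t": 2, "sku": "laptop"},
    {"type": "cart_add", "t": 2, "sku": "phone"},
    {"type": "cart_remove", "t": 3, "sku": "coffee-beans"},
    {"type": "cart_remove", "t": 3, "sku": "grinder"},
    {"type": "address_change", "t": 5, "address": "Unit 9, Drop Point Rd"},
    {"type": "checkout", "t": 8, "value": 1450.0},
])


def run_demo() -> Tuple[Tuple[int, str], Tuple[int, str]]:
    profile = make_profile()
    s1, _ = score_session(profile, WARM_UP)
    d1 = decide(s1)
    if d1 == ALLOW:
        learn_from_session(profile, WARM_UP)  # the device is now trusted
    s2, _ = score_session(profile, CASH_OUT)
    return (s1, d1), (s2, decide(s2))


if __name__ == "__main__":
    print(run_demo())  # the cash-out lands in step-up rather than block
```

On a fresh profile the cash-out session would score 95 and be blocked; after the warm-up order has taught the rules to trust the device it scores 65 and only triggers a step-up. That gap is the argument for profiling how a session behaves (typing, navigation, device signals) rather than only which static attributes it presents.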
About Aleksander Kijek
At Nethone, Aleksander bridges the gap between the tech and business teams, translating complex technological ideas into clear gains and turning client needs into tangible product developments. Additionally, he loves to dive deep into exploring new areas and opportunities for Nethone to deliver better results for our customers. When not fighting fraud, he can be found reading with a self-brewed third-wave coffee next to him or bouldering.
About Nethone
Nethone is a machine learning-based fraud prevention SaaS company that allows online merchants and financial institutions to holistically understand their end-users, an approach also referred to as ‘Know Your Users’ (KYU) in industry parlance. With its proprietary online user profiling and ML technologies, Nethone detects and prevents payment fraud and account takeovers with unrivalled effectiveness.