Nuts and Bolts of Ecommerce Fraud Solutions

The fraud prevention space in ecommerce is cluttered today with different solutions. Merchants can easily leave money on the table if they aren’t carefully attuned to what the market offers and what fraud prevention strategy best achieves their goals.

Behavioral scoring, biometric identification, password protection and personally identifiable information all tackle fraudulent purchases in different ways. Unfortunately, many fraud prevention technologies are really solutions in search of a market. Knowing how each class of technology works is crucial for understanding which clients will benefit the most from your solution and what drawbacks you need to address.

What makes a good fraud prevention system?

Every fraud platform can measure its value by how well it serves the needs of its end user: retail merchants. Retailers will judge fraud platforms based on the impact they have on their two most important figures: the top line and the bottom line, i.e. revenue and net profit.

Fraudulent transactions affect both revenue and net profit in several ways, which are laid out for you below. Direct effects are written in red, indirect effects are written in blue. How well does your platform address these effects?

Reduced Revenue

  • Fraudulent purchases lead to chargebacks, and when the merchant is liable, that means less recognized revenue.
  • Merchants lose revenue from legitimate sales that were denied because they were flagged by a fraud solution as likely to be fraudulent.
  • Increased complexity and time to complete checkout due to fraud-prevention processes frustrate potential customers and lead them to abandon purchases.

Lower Profit and Higher Losses

  • Goods already shipped that are subject to chargebacks are usually unrecoverable, creating an expense that hurts the bottom line.
  • Any legitimate sales that are denied also hurt the bottom-line, since less revenue means less profit.

Top priority: reducing false positives

Criminals benefit only from the items in red, but most merchants, i.e. your customers, will actually lose much more money from the indirect ways fraud affects their operation that are listed in blue. Knowing which negative effects are most important for your client to mitigate is key for designing a fraud prevention solution they will use and like.

Generally, how you try to prevent fraud will have a much bigger impact on most merchants’ sales and profit than any fraud committed. A 2015 study by research firm Javelin estimated that $118 billion of legitimate card transactions are denied every year in the U.S. The company found that 15 percent of all customers surveyed had at least one transaction improperly denied that year. That’s a whole lot of insulted and discouraged customers!

Meanwhile, $9 billion is lost annually to actual fraud. That’s right: The dollar amount most merchants lose due to declining legitimate customer transactions is an order of magnitude larger than the amount of money they lose to fraudsters.

To make things more serious, a lot of those denied legitimate customers won’t be coming back to that merchant anytime soon. Javelin together with the fraud platform Riskified found in a survey that 54 percent of all cardholders improperly declined reduced or stopped patronizing the merchant in question. For online consumers, the figure was even higher – 67 percent!

For most products this means a good fraud solution should focus on minimizing the number of legitimate customers’ cards a merchant declines. Only for very expensive products, e.g. luxury cars, might the merchant care more about avoiding a single chargeback than denying several legitimate sales. Reducing actual fraudulent transactions that slip through is still an important consideration for all merchants – otherwise, they could just let through every transaction – but it’s a lower priority.

To put it succinctly: Fraud is like a disease. A fraud solution is the medicine you choose to treat the disease, while legitimate card transactions declined are an unfortunate side effect of medical treatment. Your goal is to find the medicine that treats the disease with the fewest side effects.

Fraud solutions by data type

With that in mind, let’s take a look at the types of fraud solutions on the market. Like classes of drugs, these solutions can be divided by the different data they use to detect fraud.

1) Behavioral algorithms

A wave of startups this decade have developed fraud solutions based on scoring the behavioral patterns of customers for the likelihood of fraud. These platforms use proprietary algorithms to assign a fraud score, but each company’s algorithm is unique and usually a trade secret. They may analyze things like user behavior on the website, the time of day they access a website, how frequently they check out the website, the email service provider of the account associated with the purchase, IP address location and more.

If people outside the fraud platform knew the exact algorithm or data it used to create fraud scores, it would be easy for the competition to duplicate it and not too hard for the fraudsters to defeat it. Unfortunately, that means you can’t accurately compare different behavioral-based fraud platforms without integrating the solutions into your payment flow, which is costly and time-consuming.

Pros

  • Behavioral analysis is a passive form of authentication since you aren’t asking the customer to do anything they wouldn’t otherwise do. This should help reduce abandoned sales.

Cons

  • It’s very difficult to compare different behavioral platforms without testing them out yourself. That means deciding between platforms can be a shot in the dark.
  • Behavioral solutions don’t actually verify the identity of the purchaser. If legitimate users act in a non-typical manner they may get flagged as fraudsters.
  • If fraudsters ever figure out what specific data points are used by a fraud scoring algorithm, they could find ways to reduce their fraud score below the threshold.

2) Biometric authentication

Another class of solutions that has been getting a lot of attention lately is based on biometric authentication. Banks and credit card accounts in the past year have been adopting voice, face and fingerprint recognition technologies to verify user identity.

In many ways, biometric authentication is the mirror image of behavioral analysis for fraud prevention purposes. This means it’s a good way to avoid blocking legitimate customers, but it could face some serious challenges from fraudsters in the future. It also adds friction to the log-in or checkout process by creating an additional step for users.

Pros

  • Legitimate customers are very unlikely to be blocked since authorization requires a body part.

Cons

  • Requiring users to take selfies or provide a fingerprint is a hassle and a trust issue between customers and merchants, and may lead to abandoned purchases.
  • This requires hardware on the part of the customer to capture images or audio. This can be a significant problem for serving the 1/3 of Americans without smartphones.
  • Biometrics rely on permanent identifiers that cannot be changed once compromised. This makes them very high-value targets for fraudsters and they can be spoofed.

3) Password protection and 3-D Secure

Passwords have always been the most basic form of fraud prevention. For the past decade or more, static passwords, i.e. those that aren’t automatically changed on a regular basis, have been considered vulnerable to code-cracking software and other methods. However, dynamic passwords, i.e. those that are generated frequently or even temporarily for one-time use, are still common.

In transaction fraud, the main password-based solution is 3-D Secure, which is provided by the major credit card companies. It works by rerouting a customer at the time of purchase to a webpage maintained by the bank that issued their credit card. There they must provide a password to authenticate the transaction. If the password doesn’t match the one on-file with the issuer, the transaction will be flagged as fraudulent and denied.

The main benefit of 3-D Secure to merchants has nothing to do with its ability to prevent fraud and everything to do with passing the liability over to the credit card issuer. Credit card companies shift chargeback liability to the card issuing bank and not the merchant when a transaction is authenticated via 3-D Secure. Basically, 3-D Secure is just a password system with poor user experience.

Pros

  • Authorized transactions are no longer the liability of the merchant.
  • Credit card companies often offer discounted interchange fees to merchants using 3-D Secure.

Cons

  • Customers must enroll their card in 3-D Secure for the merchant to use it as an authentication method for their purchase. This is a major friction point.
  • 3-D Secure redirects customers to another browser tab or window. This can create a major trust issue and friction point for online shoppers.
  • Digital natives have been trained to view automatically opening browser pages as a tool used by malware and pornography sites. Some will abandon the sales process at this point.
  • The webpage redirect also provides a valuable target for phishing attacks by fraudsters. Any such attacks, when made public, will further reduce consumer trust in online sites using 3-D Secure.

4) Identity Data: Old and New

AVS – Old School Approach

Using personally identifiable information (PII) is one of the oldest methods for foiling transactional fraud. By using data unique to a specific individual or household, merchants can authenticate the actual identity of an online shopper.

The classic identity data solution for fraud in North America and the U.K. is address verification services (AVS). AVS is a free service provided by the credit companies that takes the numeric elements of an address provided by a purchaser, i.e. house number and postal code, and verifies them against the address held on file for that person at the bank that issued their credit card. If the numbers match, the transaction is approved and the merchant avoids liability for any chargebacks. If there isn’t a complete match, the merchant can either deny the transaction or accept it but be held liable for any chargebacks.

Pros

  • AVS is a form of passive authentication. It requires no additional steps from the end-customer, since they must already provide a shipping address for their order.
  • The merchant is not liable for chargebacks for any AVS authenticated transactions.
  • AVS is provided by the credit card companies for free.

Cons

  • The free AVS system provided by credit card companies only has widespread coverage in North America and the U.K.
  • Cross-border ecommerce merchants can solve this problem by using a global solution that incorporates address information provided by data providers like Pipl.
  • AVS solutions not maintained by the credit card companies will not shield the merchant from chargeback liability.
  • Fat finger issues. Sometimes shoppers mistakenly enter the wrong numbers for the postal code or street address, leading them to be flagged as fraudsters.
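
The numeric comparison and the fat finger problem described above can be sketched as follows. This is an added example, not code from the original post or from any card network; the result labels, the 5-digit postal truncation and the sample addresses are assumptions made for illustration.

```python
import re

def numeric_elements(street, postal):
    """Reduce an address to the two numeric fields AVS compares."""
    house = re.match(r"\s*(\d+)", street)      # leading house number
    digits = re.sub(r"\D", "", postal)[:5]     # assumption: ZIP+4 cut to 5 digits
    return (house.group(1) if house else "", digits)

def one_typo_apart(a, b):
    """True for one substituted digit or one adjacent transposition."""
    if len(a) != len(b) or a == b:
        return False
    diff = [i for i in range(len(a)) if a[i] != b[i]]
    if len(diff) == 1:
        return True
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])

def avs_check(entered, on_file):
    """Compare (street, postal) pairs; result labels are hypothetical."""
    e_house, e_zip = numeric_elements(*entered)
    f_house, f_zip = numeric_elements(*on_file)
    house_ok, zip_ok = e_house == f_house, e_zip == f_zip
    if house_ok and zip_ok:
        return "full_match"
    if (house_ok and one_typo_apart(e_zip, f_zip)) or \
       (zip_ok and one_typo_apart(e_house, f_house)):
        return "likely_typo"      # candidate for manual review, not auto-deny
    return "partial_match" if house_ok or zip_ok else "no_match"

# Constructed sample data (not real addresses on file anywhere)
ON_FILE = ("742 Evergreen Ter.", "97477-1234")
if __name__ == "__main__":
    for entered in [("742 Evergreen Terrace", "97477"),
                    ("724 Evergreen Terrace", "97477"),
                    ("742 Evergreen Terrace", "97447"),
                    ("15 Other St", "97477"),
                    ("15 Other St", "10001")]:
        print(entered, "->", avs_check(entered, ON_FILE))
```

Separating a one-digit slip from an unrelated address lets a merchant route the former to review instead of declining a legitimate customer outright.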

New(er) Identity Data

The widespread adoption of email and social media since the start of the millennium has provided new types of PII that can be used for identity authentication. The identity of a customer can now be confirmed using the email address or social media handle associated with their order.

Such identity data can also be combined with behavioral data to create a composite fraud score for a transaction. For example, if a customer changed their password on your ecommerce site, then immediately picked an item and proceeded to checkout where they provided an email that was only created in the past several months, the transaction would receive a high fraud score. If that fraud score exceeded a threshold set by the merchant, the transaction would either automatically be denied or flagged for manual review by a fraud analyst.
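
As an added example (not from the original post or any vendor's algorithm), the composite score and merchant threshold described above might look like this. The weights, cut-offs, field names and order history are all constructed assumptions; the tuning function goes one step beyond the text by picking the auto-deny threshold that loses the least money across false declines and chargebacks.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Checkout:
    mins_since_pw_change: Optional[float]  # None = no recent password change
    email_age_days: int
    amount: float
    is_fraud: bool = False                 # hindsight label, used only for tuning

def fraud_score(c):
    """Composite score; weights are illustrative assumptions."""
    score = 0
    if c.mins_since_pw_change is not None and c.mins_since_pw_change < 30:
        score += 40                        # password change, then straight to checkout
    if c.email_age_days < 180:
        score += 35                        # email created in the past several months
    elif c.email_age_days < 365:
        score += 15
    return score

def decide(c, review_at, deny_at):
    s = fraud_score(c)
    return "deny" if s >= deny_at else "review" if s >= review_at else "approve"

def cost_of_threshold(history, deny_at):
    """Money lost if every order scoring >= deny_at is auto-declined."""
    lost = 0.0
    for c in history:
        declined = fraud_score(c) >= deny_at
        if declined and not c.is_fraud:
            lost += c.amount               # false positive: legitimate sale refused
        elif not declined and c.is_fraud:
            lost += c.amount               # fraud let through: chargeback
    return lost

def best_threshold(history, candidates=(35, 40, 75)):
    return min(candidates, key=lambda t: cost_of_threshold(history, t))

# Constructed order history (not real data)
HISTORY = [
    Checkout(5, 60, 200.0, is_fraud=True),   # the scenario from the text
    Checkout(None, 90, 120.0),               # new customer, new email
    Checkout(None, 2000, 80.0),
    Checkout(10, 3000, 150.0),               # forgot password, reset, bought
    Checkout(None, 200, 300.0),
    Checkout(None, 30, 90.0, is_fraud=True),
]
```

On this constructed history the strictest auto-deny threshold is the most expensive one, because the legitimate sales it refuses outweigh the single chargeback it prevents.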

Pros

  • Identity data is a form of passive authentication that only uses information that customers already provide when they use a merchant site. It keeps the checkout process frictionless.
  • Every legitimate ecommerce customer should have an identity data trail that enables verification, which should cut down dramatically on false positives.
  • Certain identity data attributes, such as age of email address or social media handle, are more difficult for fraudsters to fake than behavioral patterns, which can be imitated.
  • The cost of implementing and using identity data is typically much lower than biometric solutions. There is no need for special hardware to collect data, like fingerprint readers.

Cons

  • Government and bank database leaks in recent years mean that fraudsters may be able to acquire basic identity data on the dark web. You may want to use several types of identity data or identity data in conjunction with other data types to reduce fraud risk, especially synthetic identity fraud.
  • To date, the credit card companies have not offered to shift chargeback liability for merchants that have authenticated customer identity via new types of identity data such as email.

Making educated choices

All the different transaction authentication systems have their pros and cons and each can be foiled by dedicated fraudsters. The goal of a good fraud prevention system is to maximize your revenue and profit. This means minimizing the number of legitimate transactions it blocks and increasing the difficulty of committing fraud to deter most fraudsters.

As you can see from above, some methods will work better for merchants than others. If a merchant’s goal is to maximize revenue, they are going to want a system that utilizes either identity or behavioral data and would probably prefer a system that uses both. If a merchant sells a product or serves a geography where fraud and chargeback rates are high, they may prefer 3-D Secure since it shifts liability to other parties. Biometric solutions at this stage aren’t ready for mass market adoption despite the hype, although they may be good as an additional security measure in certain cases.

Don’t just take my word for it. Talk to merchants yourself and listen carefully to their concerns. The three questions you can expect to hear most often are:

  • Does your solution add friction to my checkout process?
  • How does your solution affect my chargeback liability?
  • How is your fraud platform better than [name of competitor]?

If you are able to provide strong, clear answers to these questions, you should have a growing, satisfied merchant customer base.

Original blog post written by former Pipl Technology Evangelist Ronen Shnidman. Ronen is now Managing Editor @ about-fraud.com