The fraud prevention space in ecommerce is cluttered today with different solutions. Merchants can easily leave money on the table if they aren’t carefully attuned to what the market offers and what fraud prevention strategy best achieves their goals.
Behavioral scoring, biometric identification, password protection and personally identifiable information all tackle fraudulent purchases in different ways. Unfortunately, many fraud prevention technologies are really solutions in search of a market. Knowing how each class of technology works is crucial for understanding which clients will benefit the most from your solution and what drawbacks you need to address.
Every fraud platform can measure its value by how well it serves the needs of its end user: retail merchants. Retailers will judge fraud platforms based on the impact they have on their two most important figures: the top line and the bottom line, i.e. revenue and net profit.
Fraudulent transactions affect both revenue and net profit in several ways, which are laid out for you below. Direct effects are written in red, indirect effects are written in blue. How well does your platform address these effects?
Criminals benefit only from the items in red, but most merchants, i.e. your customers, will actually lose much more money from the indirect ways fraud affects their operation that are listed in blue. Knowing which negative effects are most important for your client to mitigate is key for designing a fraud prevention solution they will use and like.
Generally, how you try to prevent fraud will have a much bigger impact on most merchants’ sales and profit than any fraud committed. A 2015 study by research firm Javelin estimated that $118 billion of legitimate card transactions are denied every year in the U.S. The company found that 15 percent of all customers surveyed had at least one transaction improperly denied that year. That’s a whole lot of insulted and discouraged customers!
Meanwhile, $9 billion is lost annually to actual fraud. That’s right: The dollar amount most merchants lose due to declining legitimate customer transactions is an order of magnitude larger than the amount of money they lose to fraudsters.
To make things more serious, a lot of those denied legitimate customers won’t be coming back to that merchant anytime soon. Javelin together with the fraud platform Riskified found in a survey that 54 percent of all cardholders improperly declined reduced or stopped patronizing the merchant in question. For online consumers, the figure was even higher – 67 percent!
For most products this means a good fraud solution should focus on minimizing the number of legitimate customers’ cards a merchant declines. Only for very expensive products, e.g. luxury cars, might the merchant care more about avoiding a single chargeback than denying several legitimate sales. Reducing actual fraudulent transactions that slip through is still an important consideration for all merchants – otherwise, they could just let through every transaction – but it’s a lower priority.
To put it succinctly: Fraud is like a disease. A fraud solution is the medicine you choose to treat the disease, while legitimate card transactions declined are an unfortunate side effect of medical treatment. Your goal is to find the medicine that treats the disease with the fewest side effects.
With that in mind, let’s take a look at the types of fraud solutions on the market. Like classes of drugs, these solutions can be divided by the different data they use to detect fraud.
A wave of startups this decade have developed fraud solutions based on scoring the behavioral patterns of customers for the likelihood of fraud. These platforms use proprietary algorithms to assign a fraud score, but each company’s algorithm is unique and usually a trade secret. They may analyze things like user behavior on the website, the time of day they access a website, how frequently they check out the website, the email service provider of the account associated with the purchase, IP address location and more.
If people outside the fraud platform knew the exact algorithm or data it used to create fraud scores, it would be easy for the competition to duplicate it and not too hard for the fraudsters to defeat it. Unfortunately, that means you can’t accurately compare different behavioral-based fraud platforms without integrating the solutions into your payment flow, which is costly and time-consuming.
Pros
Cons
2) Biometric authentication
Another class of solutions that has been getting a lot of attention lately is based on biometric authentication. Banks and credit card accounts in the past year have been adopting voice, face and fingerprint recognition technologies to verify user identity.
In many ways, biometric authentication is the mirror image of behavioral analysis for fraud prevention purposes. This means it’s a good way to avoid blocking legitimate customers, but it could face some serious challenges from fraudsters in the future. It also adds friction to the log-in or checkout process by creating an additional step for users.
Pros
Cons
Passwords have always been the most basic form of fraud prevention. For the past decade or more, static passwords, i.e. those that aren’t automatically changed on a regular basis, have been considered vulnerable to code-cracking software and other methods. However, dynamic passwords, i.e. those that are generated frequently or even temporarily for one-time use, are still common.
In transaction fraud, the main password-based solution is 3-D Secure, which is provided by the major credit card companies. It works by rerouting a customer at the time of purchase to a webpage maintained by the bank that issued their credit card. There they must provide a password to authenticate the transaction. If the password doesn’t match the one on-file with the issuer, the transaction will be flagged as fraudulent and denied.
The main benefit of 3-D Secure to merchants has nothing to do with its ability to prevent fraud and everything to do with passing the liability over to the credit card issuer. Credit card companies shift chargeback liability to the card issuing bank and not the merchant when a transaction is authenticated via 3-D Secure. Basically, 3-D Secure is just a password system with poor user experience.
Pros
Cons
Using personally identifiable information (PII) is one of the oldest methods for foiling transactional fraud. By using data unique to a specific individual or household, merchants can authenticate the actual identity of an online shopper.
The classic identity data solution for fraud in North America and the U.K. is address verification services (AVS). AVS is a free service provided by the credit card companies that takes the numeric elements of an address provided by a purchaser, i.e. house number and postal code, and verifies them against the address held on file for that person at the bank that issued their credit card. If the numbers match, the transaction is approved and the merchant avoids liability for any chargebacks. If there isn’t a complete match, the merchant can either deny the transaction or accept it but be held liable for any chargebacks.
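The AVS comparison described above can be sketched as follows. This is an added example, not code from the original post or from any card network; the function names, the `accept_incomplete` policy flag and the rule that the first run of digits in the street line is the house number are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

def numeric_elements(street, postal_code):
    """Return (house number, postal-code digits): the only parts AVS compares."""
    house = re.search(r"\d+", street)  # assumption: first digit run is the house number
    return (house.group() if house else "", re.sub(r"\D", "", postal_code))

@dataclass(frozen=True)
class AvsDecision:
    result: str            # "full", "partial" or "none"
    approved: bool
    merchant_liable: bool  # who carries a later chargeback on an approved sale

def avs_check(entered, on_file, accept_incomplete=False):
    """entered / on_file are (street, postal_code) pairs.
    accept_incomplete is the merchant's policy for anything short of a full match."""
    e_house, e_post = numeric_elements(*entered)
    f_house, f_post = numeric_elements(*on_file)
    house_ok = bool(e_house) and e_house == f_house
    post_ok = bool(e_post) and e_post == f_post
    if house_ok and post_ok:
        # Full match: approved, and the merchant avoids chargeback liability.
        return AvsDecision("full", True, False)
    result = "partial" if (house_ok or post_ok) else "none"
    # Incomplete match: the merchant either declines, or accepts and keeps the liability.
    return AvsDecision(result, accept_incomplete, accept_incomplete)

# Constructed sample data (not real cardholder records).
ON_FILE = ("12 Main Street", "90210")
SAME_ADDRESS_ABBREVIATED = ("12 Main St.", "90210")
WRONG_POSTAL_CODE = ("12 Main Street", "90211")
```

Because only the digits are compared, the abbreviated street name still yields a full match, while a single mistyped postal-code digit drops a legitimate customer into the merchant's incomplete-match policy.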
Pros
Cons
The widespread adoption of email and social media since the start of the millennium has provided new types of PII that can be used for identity authentication. The identity of a customer can now be confirmed using the email address or social media handle associated with their order.
Such identity data can also be combined with behavioral data to create a composite fraud score for a transaction. For example, if a customer changed their password on your ecommerce site, then immediately picked an item and proceeded to checkout, where they provided an email that was only created in the past several months, the transaction would receive a high fraud score. If that fraud score exceeded a threshold set by the merchant, the transaction would either automatically be denied or flagged for manual review by a fraud analyst.
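A minimal composite score for the scenario above, as an added example rather than any vendor's algorithm: the field names, weights, time windows and the threshold of 70 are all hypothetical values chosen for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Order:
    checkout_at: datetime
    password_changed_at: Optional[datetime]  # behavioral signal
    first_item_viewed_at: datetime           # behavioral signal
    email_created_at: datetime               # identity signal

# Hypothetical weights and windows; a real platform would tune these on its own data.
RULES = {
    "recent_password_change": (40, timedelta(minutes=30)),
    "rushed_checkout": (25, timedelta(minutes=2)),
    "young_email": (35, timedelta(days=180)),
}

def _within(later, earlier, window):
    return earlier is not None and timedelta(0) <= later - earlier <= window

def fired_signals(order: Order) -> set:
    events = {
        "recent_password_change": order.password_changed_at,
        "rushed_checkout": order.first_item_viewed_at,
        "young_email": order.email_created_at,
    }
    return {name for name, ts in events.items()
            if _within(order.checkout_at, ts, RULES[name][1])}

def fraud_score(order: Order) -> int:
    return sum(RULES[name][0] for name in fired_signals(order))

def decide(order: Order, threshold: int, over_threshold_action: str = "review") -> str:
    """Merchant sets the threshold and whether exceeding it means 'deny' or 'review'."""
    return over_threshold_action if fraud_score(order) > threshold else "approve"

# Constructed orders: same behavior, different email age.
T = datetime(2024, 5, 1, 12, 0)
NEW_EMAIL = Order(T, T - timedelta(minutes=5), T - timedelta(minutes=1),
                  datetime(2024, 2, 1))
OLD_EMAIL = Order(T, T - timedelta(minutes=5), T - timedelta(minutes=1),
                  datetime(2015, 3, 1))
```

With a threshold of 70, the long-standing customer who reset a password and bought quickly scores 65 and is approved, while the same behavior paired with a months-old email scores 100 and is routed to review or denial.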
Pros
Cons
All the different transaction authentication systems have their pros and cons and each can be foiled by dedicated fraudsters. The goal of a good fraud prevention system is to maximize your revenue and profit. This means minimizing the number of legitimate transactions it blocks and increasing the difficulty of committing fraud to deter most fraudsters.
As you can see from above, some methods will work better for merchants than others. If a merchant’s goal is to maximize revenue, they are going to want a system that utilizes either identity or behavioral data and would probably prefer a system that uses both. If a merchant sells a product or serves a geography where fraud and chargeback rates are high, they may prefer 3-D Secure since it shifts liability to other parties. Biometric solutions at this stage aren’t ready for mass market adoption despite the hype, although they may be good as an additional security measure in certain cases.
Don’t just take my word for it. Talk to merchants yourself and listen carefully to their concerns. The three questions you can expect to hear most often are:
If you are able to provide strong, clear answers to these questions, you should have a growing, satisfied merchant customer base.
Original blog post written by former Pipl Technology Evangelist Ronen Shnidman. Ronen is now Managing Editor @ about-fraud.com