Lessons Learned On Mitigating Online Shopping Fraud


As we approach the late spring and early summer season, shoppers will be out in full force, in stores, on the web, and using mobile apps. Graduations, Mother’s Day, and Father’s Day all contribute to what is traditionally a bumper season for retailers. Mother’s Day, coming up shortly, is one of the biggest shopping periods; Statista research shows Americans spend more than $20 billion each year on their mothers. This is the time of year when people are spending money on gifts, very often online.

Unfortunately, this opens up a lot of opportunities for fraudsters, who are looking to take advantage of retailers' and shoppers’ security gaps. Luckily, merchants have a variety of tools to address this problem. Combining device authentication and the latest ways to validate identity, retailers can establish trust with their customers and the devices they use to shop.

Bot Detection

When criminals combine hijacked IDs with bots, accounts can be opened at an extremely fast rate. After a big breach, fraudsters often gain access to consumer data and use a bot to open accounts in large volumes under those consumers' names. Watching for bot attacks is critical: they are velocity attacks enabled by automation, usually a hijacked computer attempting to open hundreds of accounts or make purchases in a short amount of time, often reusing the same device for each fraudulent transaction until that device is detected and disabled. Because a bot attack generates such a large volume of activity, simply watching for a spike in traffic, or for the same device appearing repeatedly, can help identify the attack.
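The two signals described above, a single device reused for many sign-ups and an overall spike in sign-up traffic, can both be caught with a sliding-window velocity check. This is an added example written for this article, not InAuth code; the window size and thresholds are assumptions, and the events are constructed.

```python
"""Velocity check for sign-up bursts (added example, not InAuth code).

Flags a device ID that opens more than MAX_PER_DEVICE accounts inside a
sliding window (the "same device repeatedly" pattern) and timestamps at
which total sign-ups across all devices spike. Thresholds are assumptions.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 600   # 10-minute sliding window (assumed)
MAX_PER_DEVICE = 3     # more than this many sign-ups from one device -> bot
MAX_TOTAL = 20         # more than this many sign-ups overall -> traffic spike


def detect_velocity(events, window=WINDOW_SECONDS,
                    per_device=MAX_PER_DEVICE, total=MAX_TOTAL):
    """events: (timestamp_seconds, device_id, account_name) tuples sorted by time.

    Returns (flagged_devices, spike_timestamps)."""
    per_dev = defaultdict(deque)   # device_id -> recent timestamps
    recent = deque()               # all recent timestamps, any device
    flagged, spikes = set(), []
    for ts, dev, _name in events:
        q = per_dev[dev]
        q.append(ts)
        while q[0] <= ts - window:     # drop timestamps that left the window
            q.popleft()
        if len(q) > per_device:
            flagged.add(dev)
        recent.append(ts)
        while recent[0] <= ts - window:
            recent.popleft()
        if len(recent) > total:
            spikes.append(ts)
    return flagged, spikes


# Constructed sample: eight legitimate devices opening one account each,
# then one device opening six accounts in 75 seconds with breached names.
SAMPLE_EVENTS = sorted(
    [(i * 120, f"dev-human-{i:02d}", f"user{i}") for i in range(8)]
    + [(1000 + i * 15, "dev-bot-01", f"victim{i}") for i in range(6)]
)

if __name__ == "__main__":
    devices, spike_times = detect_velocity(SAMPLE_EVENTS)
    print("flagged devices:", devices)        # {'dev-bot-01'}
    print("spike timestamps:", spike_times)   # []
```

In production the per-device queue would be keyed by the permanent device ID discussed later in the article, so that the check survives cookie clearing and IP rotation.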

Biometrics Are More Secure Than Passwords

The latest user identification best practices involve the use of biometrics to positively identify that users are who they say they are. The recent proliferation of fingerprint-enabled mobile devices has provided new opportunities for retailers accepting mobile payments to leverage fingerprint biometrics as a more secure means of identifying non-fraudulent users.

Biometrics Should Be Paired With Secured Devices

While biometrics offer a secure means of identifying users, the environment the biometric operates in must also be secured. A mobile phone has thousands of unique identifying attributes that are part of the device itself; these can be used to uncover and analyze risk factors that point to potentially fraudulent activity. For example, a device can be scanned for malware to ensure no spyware or crimeware is present that could steal account information or credentials even after a biometric is used. Application validation ensures a consumer hasn’t downloaded a malicious app that collects consumer information. And location validation using multiple sources can confirm that a location isn’t unusual for a consumer and isn’t being spoofed.

Identifying The Device Is A Critical Step

A permanent device ID is a way to identify a device using its unique attributes in order to establish the first layer of trust by fulfilling the “something you have” factor in a multifactor solution.

Establishing a device as trusted provides organizations with the confidence they need to allow customers to transact with the least amount of friction, while at the same time, allowing institutions to consider an unknown device for a particular customer to be higher risk. In those cases, the device may be challenged with another authentication step, or potentially denied if other high-risk indicators are present. This helps protect both the true customer and the financial institution.

Communications Must Be Secure

SMS and other non-secure communications sent over mobile networks are ripe for interception by criminal actors unless properly encrypted. To prevent mobile communications from being intercepted, sensitive information must travel over a completely secure path: encrypted end-to-end, digitally signed, unreadable by any other device, and protected against replay attacks.

Device And Behavioral Analysis Are Critical

Device reputation analysis involves attempting to match attributes of the mobile devices accessing your systems against known users. If an institution can match a device to its own customer base using a permanent identifier, it gains insight into that device's association with the customer and into its good or bad history.

Behavioral analysis is always at the core of any fraud prevention approach. It ensures the device is one typically associated with the customer, ensures the transaction activity is typical for this customer, and assumes an increased level of risk for new accounts.
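The step-up policy sketched in the device identification section (known device: low friction; unknown device: challenge; unknown device plus other high-risk indicators: deny) and the three behavioral signals just listed can be combined into one decision function. This is an added example, not InAuth's product logic; the account-age and spend thresholds are assumptions, and the profile data is constructed.

```python
"""Risk-based step-up decision from device trust plus behavioral analysis
(added example, not InAuth's product logic; thresholds are assumptions)."""
from dataclasses import dataclass
from statistics import mean, pstdev

ALLOW, CHALLENGE, DENY = "allow", "challenge", "deny"
NEW_ACCOUNT_DAYS = 30    # accounts younger than this carry extra risk (assumed)
AMOUNT_Z_LIMIT = 3.0     # spend above mean + 3 sigma is atypical (assumed)


@dataclass
class CustomerProfile:
    customer_id: str
    trusted_devices: set   # permanent device IDs previously seen for this customer
    past_amounts: list     # prior transaction amounts
    account_age_days: int


@dataclass
class Transaction:
    customer_id: str
    device_id: str
    amount: float


def amount_is_typical(profile, amount):
    """Behavioral check: is the amount within the customer's usual range?"""
    if len(profile.past_amounts) < 3:
        return False   # too little history to call anything typical
    mu, sigma = mean(profile.past_amounts), pstdev(profile.past_amounts)
    return amount <= mu + AMOUNT_Z_LIMIT * max(sigma, 1.0)


def decide(profile, txn):
    """Known device and typical behaviour -> allow with no friction;
    unknown device -> challenge; unknown device plus another high-risk
    indicator -> deny. Returns (decision, reasons)."""
    reasons = []
    known_device = txn.device_id in profile.trusted_devices
    if not known_device:
        reasons.append("unknown device for this customer")
    if not amount_is_typical(profile, txn.amount):
        reasons.append("atypical transaction amount")
    if profile.account_age_days < NEW_ACCOUNT_DAYS:
        reasons.append("new account")
    if not known_device and len(reasons) >= 2:
        return DENY, reasons
    if reasons:
        return CHALLENGE, reasons
    return ALLOW, reasons
```

A challenge outcome is where the second authentication step (for example the fingerprint biometric discussed earlier) is requested; an allow outcome lets the trusted device transact without it.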

These are a few of the top things retailers can implement to protect customers and themselves from financial and reputational losses associated with digital fraud, ensuring safer online shopping excursions in the future.

-Michael Lynch, chief strategy officer, InAuth

Michael Lynch is responsible for leading InAuth’s new products strategy, along with developing key domestic and international partnerships. Lynch brings two decades of experience in key roles within financial services, consulting, and Fortune 500 companies, specializing in security and technology leadership. Prior to joining InAuth, Lynch served as a senior vice president for Bank of America, responsible for Authentication Strategy. He served at Bank of America for 14 years in various leadership positions within technology, customer protection, and online and mobile security strategy roles. Prior to Bank of America, Lynch specialized in information technology in various financial services, Fortune 500, and consulting services roles.