10 2017 | SECURITY
Fighting Online Fraud
Paysafe Group’s EVP Daniel Kornitzer has pioneered industry-leading risk management processes. For PIN magazine he sums up his thoughts on fraud after 20-plus years in technology management.
We live in fascinating times. As a technologist at heart, I’m thrilled by the advances in big data, real-time streaming, correlation, virtual cubes and the like, and by the incredible promise of supercomputers and quantum computing. These technologies are creating value for individuals and communities around the world. For example, when quantum computing becomes commercially available, in the next five to 10 years, it will bring tremendous opportunities for science and medicine.
But every rose has its thorn. Quantum computing will also make it easy for criminals to break public key cryptography, which is at the base of today’s online and mobile commerce. The problem is that the same advances available to companies and authorities are also available to organizations with unsavoury goals. Risk in digital payments is no longer only the work of isolated, malicious hackers in their basement, seeking to impress their friends, but of criminal organizations with access to a wealth of technical resources, such as organized crime, cause-motivated hacktivists and rogue nations.
These criminals can often correlate data from different breaches to either use or sell on the dark web. Stolen sensitive personal information can lead to all sorts of fraud, identity theft, account takeovers, and more. Compounding the problem is the ubiquity of digital payments. E-Commerce is approaching $2 trillion globally, and mobile is exploding, with currently five billion connected devices, which are predicted to reach anywhere between 25 and 50 billion by 2020, powered by the growth of the Internet of Things. The latter will allow our fridges to order milk and our dishwashers to order soap when they’re about to run out, obeying “intelligent contracts,” which are a sort of standing order establishing the triggers and boundaries of these automated transactions.
»The conundrum of risk management boils down to two seemingly conflicting goals: consumer convenience and protection against fraud.«
- Daniel Kornitzer, Executive Vice President and Chief Product Officer at Paysafe
At Paysafe, a pioneer of E-Commerce since its inception in the late ’90s, we have seen virtually all flavors of risk and fraud, and have developed a unique expertise that combines knowledge, processes and proprietary technology, as well as the integration of leading third-party security tools and industry best practices, as recommended by the card schemes.
The conundrum of risk management boils down to two seemingly conflicting goals: (a) consumer convenience, and (b) protection against fraud. On the one hand, consumers and merchants desire a frictionless environment: single tap, single click, remember-me features, etc. On the other hand, security needs continue to grow, with two-factor authentication, biometrics, etc.
THE MANY FLAVORS OF FRAUD
The thing is … fraud has as many facets as there are flavors in a good Italian gelato shop. So what to do to keep fraudsters at bay? The key to mitigating E-Commerce risk is relentless vigilance. That means putting in place the tools that generate data: not a flood of useless reports that mostly go unread, but laser-focused data (threat intelligence), which leads to analysis and prompt action. There is no single answer or silver bullet to combat fraud, especially since fraud continually morphs and keeps taking new forms. Instead, a constantly evolving, multi-pronged approach, composed of the following elements, has been proven to deliver excellent results:
• Staff training;
• Selecting the right processing partner;
• Refining your own offering (privacy, refund policy, easy access to customer service);
• Internal fraud prevention (access control, need-to-know basis);
• Use of fraud screening tools (device fingerprinting, IP geolocation);
• Use of scheme tools (AVS, CVV2, 3DS);
• Strict adherence to PCI DSS;
• Use of self-learning (i.e. machine learning) fraud management algorithms, which enable a reduction in false positives by detecting new fraud patterns;
• Outsorting for manual review of certain transactions;
• Monitoring of chargebacks, but also total volume, refunds and declines, for any unexpected spikes or other inconsistencies;
Being great about risk and fraud is not a nice-to-have. It’s not about becoming a bit more profitable. It’s a major competitive differentiator.
SENDING THE FRAUD AWAY
Fraudsters are always looking for the path of least resistance. If your webshop is easier to defraud, you’ll be certain to attract an inordinate amount of fraud. Conversely, if you are better than your competition, you’ll effectively be “sending the fraud away.”
So, in my opinion, the best approach is to take control and create a path that, without compromising convenience and ease of use, protects your business and your consumers. As my very first boss taught me years ago, there are three secrets to success: preparation, preparation and preparation ... Risk management is no exception.
The many facets of fraud
Daniel Kornitzer has encountered fraud in hundreds of variations and forms during his long career in risk management and E-Commerce. Here is just a small sample of the most common:
• The consumer, or a close family member, performs the transaction but then claims he/she did not.
• Fraudulent transactions for the sole purpose of generating affiliate commissions. The commissions are paid, then the affiliate disappears before the transactions come back as chargebacks.
• The fraudsters get goods shipped to a legitimate-looking address, only to have the goods forwarded to the ultimate destination.
• Infected computers are used to initiate orders to take advantage of their “clean IP address.”
• Emails that direct to a false webpage, aimed at collecting login credentials to defraud the unsuspecting consumer.
• Involves spoofed emails that appear to come from people in positions of authority within the company, like a CEO or CFO, asking for an immediate wire transfer.
• The fraudster pretends to sell goods online, but for the sole purpose of collecting credit card information and other personal details, which are then immediately used to perform fraudulent purchases at another site.
• Where the transaction provides absolutely no indication of anything improper, clearly the hardest to detect.