Whose Job is it to Educate Consumers about ATO Attacks?

March 7, 2019

By Kacy Zurkus, Card Not Present Staff

As more and more businesses grow in the e-commerce marketplace, fraudsters are taking advantage of an ever-evolving threat landscape. In an effort to foster consumer loyalty and deliver a consumer payment experience with less friction, many online merchants encourage users to establish online accounts and store payment credentials. More online accounts means more accounts are being accessed illegally by fraudsters, yet there is little evidence that consumers are changing their online behaviors in simple ways that could protect their own accounts and e-commerce businesses.

Given that account takeover attacks have become so prevalent and continue to pose risks to online businesses, should e-commerce merchants be doing more to educate their customers about good cyber hygiene? Or does the responsibility lie elsewhere?

Reminding consumers to check their purchase history and credit card statements doesn’t go far enough, particularly when those consumers are reusing passwords and making it easier for their accounts to be compromised. Even if they do see a fraudulent transaction, they often call their issuing bank rather than the merchants, initiating a chargeback that could have been handled as a refund. That’s the extent of consumer education as it relates to credit card fraud.

The Fraud Problem

According to Experian’s 2019 Global Identity and Fraud Report, 55 percent of businesses surveyed experienced an increase in online fraud-related losses. The majority of that loss was the result of account origination and account takeover attacks. Attackers are often able to break into user accounts with stolen passwords because most consumers use the same password across multiple accounts.

In a recent survey of 3,000 adults in the U.S. conducted by Google, 52 percent of the participants admitted that they reuse the same password for multiple but not all accounts. Another 13 percent admitted they reuse the same password for all of their accounts.

Despite the large majority of users who are guilty of password reuse, 35 percent of survey participants did say that they use a different password for all of their accounts—perhaps a step in the right direction.

“The biggest change we saw in 2018 was a rise in awareness, with consumers starting to understand the vulnerability of passwords,” said Shimrit Tzur-David, CTO and co-founder of Secret Double Octopus.

Still, as consumers begin to understand the riskiness of their online habits, online retailers face an ever-increasing avalanche of malicious login attempts. In fact, NuData Security researchers found that, during the holiday season alone, over half of login traffic was identified as fraudulent.

“While we, as an industry, will continue to educate consumers every chance we have, consumers are not able to protect themselves from the continually evolving sophisticated attacks perpetrated by hackers, and they cannot be expected to take every precaution,” said Lisa Baergen, vice president of marketing for NuData Security, a Mastercard company.

Technology Can Help

Because the responsibility for protecting transactions and consumers from fraud is left to the merchants and banks—and the unique liability rules in place in the online space—e-commerce merchants need to know what technologies are available to help identify customers by knowing their unique online behaviors rather than relying on passwords, said Baergen. “Multi-layer verification technologies that don’t rely on credentials thwart fraudulent attempts as bad actors can’t mimic inherent user behavior, making stolen credentials valueless.”

To authenticate CNP transactions, merchants also have access to EMV 3DS, which Baergen said is commonly known as 3DS 2.0. “EMV 3DS usage gathers more information around each transaction to help determine if it is a usual purchase for that user or an unusual one.”

The new protocol collects more information around each transaction and gives merchants a choice to share that additional information with the issuer so that issuers are able to make more accurate decisions and increase approvals.

Making Fraud Prevention Sexy

Missing in the focus on technology is the connection with people—not to mention that a more educated consumer base theoretically could reduce the need for expensive technology. Tzur-David asked, “What if e-commerce businesses took these vulnerabilities and turned them into sales points? Shipping companies turned e-signatures from a way of preventing fraudulent acceptance into a business advantage, which streamlined businesses while preventing fraud.”

E-commerce businesses need to start showing consumers that they prioritize customer security, and in this age of “password vulnerability awareness” they can turn it into a business advantage, especially for early adopters. “E-commerce businesses should adopt and then educate, for higher standards of authentication—attracting new fearful consumers while retaining consumers with a security advantage.”

Changing Consumer Habits

The good news, despite the increase in fraud, is that shopping online is generally safe and can become safer if the industry continues to educate consumers about best practices, according to UK Finance.

“Shopping online or over the phone is easy, convenient and generally very safe. Card issuers have advanced fraud screening systems in place to detect and stop any suspicious transactions, and customers are protected against unauthorized fraud losses on a debit or credit card,” said a UK Finance spokesperson.

The UK finance industry sponsors a specialist police unit, the Dedicated Card and Payment Crime Unit, for whom card-not-present fraud is a top priority, the spokesperson said. “The unit tackles the organised criminal groups responsible for financial fraud and scams, and in 2018, the unit prevented £94.5 million ($124.4 million) of fraud, bringing the total value of fraud prevented to an estimated £600 million ($789.8 million) since its creation. Last year the unit secured 48 convictions and disrupted 11 organized crime groups (OCGs).”

It's important to remember that human beings are creatures of habit, and unless they have a reason to, they are not inclined to change their behaviors, particularly when there are few negative consequences to their actions. The industry must be proactive in its efforts to help consumers understand why their behaviors need to change.

That’s why industry efforts to advance awareness are as critical to fraud protection as are advanced technologies. According to UK Finance, consumers can learn how to keep themselves safe from fraud online through both an industry-backed campaign, Take Five to Stop Fraud, and the FFA’s advice on online shopping.

Regulations to the Rescue?

Sometimes, though, education is not enough. However unfortunate, many would likely agree with Tzur-David who said that in his experience, “no matter how big the threat is and how many people are affected, change usually comes from the regulator because we as consumers tend to forget quickly.”

That’s why e-commerce businesses and governments should work together to establish regulations that will not only protect consumers but online merchants as well. The success of today’s digital enterprise depends not only on technology but on people and process as well. If businesses want access to consumers, 2FA and passwordless authentication are the stepping stones of good security measures that will force behavior changes.

The problem with forcing behavior changes is that consumers don’t understand why they need to change. They aren’t aware of the inherent risks in their behaviors because they aren’t being educated. As the threat landscape evolves, the risks will change, but consumer behavior likely won’t—unless and until they understand and feel the consequences of their actions.

