The statistics continue to chill.
2.3M estimated fraud victims in the UK alone in 2015 according to the ONS. 173,000 confirmed reports of identity theft amongst CiFas members (largely utilities and finance companies) in 2015.
From a consumer perspective the chances are that over a period of three to four years you are now more likely than not to be a victim of a successful fraudulent act of some kind.
I happen to have used UK statistics as the impact reporting is unusually well-defined thanks to the efforts of the Office of National Statistics crime reporting. Consider though that the UK has a sophisticated banking sector, works under best-in-class EU regulation with regard to privacy and data protection, and has world-leading payment provider options for online merchants to choose from.
All this and there is a still what can only be described as a pandemic of fraud out there.
So what is driving this wave of crime?
Data breaches provide the kindling
Data breaches receive a great deal of publicity. Recently we’ve seen arrest warrants for four specific hackers for the Yahoo! Breach. That’s a great step forward albeit no-one has actually been arrested at the time of writing.
Data breaches are usually reported on as from the perspective of corporate security and what steps businesses should take to avoid them happening again. What is often unreported though is what happens to the details that are leaked. Sometimes the company itself is held to ransom. It is not possible to know how common this is as for obvious reasons it is not publicised.
More commonly, the data (card details, emails, phone numbers, addresses, account logons) are slowly released in batches and made available for sale on the dark web. The slow leaking of the details has the effect of controlling the price as well as extending the longevity of the details themselves. All Yahoo details all at once would provide a single attack vector that is more easily defended and also make the details practically worthless. Much better to release over time and make available alongside the booty from other breaches. This makes fraud prevention much harder.
The effect then from a policing and prevention point of view is impossible. Instead of searching for four hackers who perpetrated a single large breach you are now looking at crime that will be committed by thousands of people perpetrating millions of attempted frauds of relatively low value of which only a very small proportion will ever be reported to the police in any case.
The Dark Web fans the flames
The degree of technical knowledge required to commit card fraud or to take over an account is now minimal. The ability to download the Tor browser, access some sites on the dark web and make a purchase in bitcoin is not difficult. And it is certainly not expensive; card and personal details can be purchased for pennies. The latest pricing on the dark web for premium details are as follows:
- Uber $3.78
- Facebook $3.02
- Paypal $6.43
- Cards (gen) $0.22
On top of the low barrier to access, there is a growing community of people willing to use these details with little to no stigma attached to the crime widely seen as victimless.
This heady combination gives us both the motive an opportunity to commit crime and the lack of any social pressure to prevent people from doing it.
How do we fight the fire?
There is a large and growing industry around fraud prevention and there is a good understanding that the responsibility is shared between issuer, payment provider, merchant and acquirer. Consumer rights are strong and for good reason - a significant loss of faith in online trade itself could have significant economic consequences.
The banking sector covers some the cost but the majority is borne by merchants. It is their merchant accounts from which the funds are taken to compensate the consumers by the banks, and it is their businesses that are at risk from being shuttered as their ability to take payments is denied by the card schemes. Therefore, it is not just a responsibility in the ethical sense, but a fundamental business requirement to take steps to prevent fraud from becoming a significant issue.
As attacks are getting more sophisticated so are the solutions...There are layers of sophistication in the world of cyber-crime.
At the top there are organised criminals hacking businesses for data and for ransom. These are sophisticated and vary their means of attack. Those who use the cards and details for low level crime are not sophisticated. But they are legion and they need only be better than a poor defence system to succeed.
The good news is that large numbers of people doing similar things for similar goals is that they leave patterns.
And there are techniques now that make the analysis of those patterns instant and highly accurate. Using machine learning, merchants can get not just a decision but a likelihood that any single visitor or order is fraudulent. Merchants can therefore set their own risk threshold. This is important because inevitably some good orders will trigger bad patterns and it takes some time and training of the datasets to get those assessments near perfect.
The net effect of this is that there is no need for any fundamental shift in the customer experience. Merchants can and should continue to focus on creating great online buying experiences. This needs to be underpinned with strong, sensible security that is at least a little more sophisticated than the tools being used to attack their business. This is not really a matter of choice - this is the new reality.
Martin Sweeney, CEO of Ravelin
Image Credit: Gustavo Frazao / Shutterstock