The world of eCommerce fraud changes so unpredictably that merchants often struggle to defend against all possible lines of attack — rendering old-school tactics like rules engines ineffective. But artificial intelligence (AI)-based behavioral analytics can take over where legacy methods fall short. In this month’s AML/KYC Tracker, Worldpay Head of Global Identity Services Ryan Fox explains how machine learning (ML) and better data flow between cybersecurity and fraud-fighting teams will be key to ensuring flexible, modern defenses in the new decade.
Global eCommerce is growing so fast that some cities are struggling to handle the package delivery trucks flooding their streets. Digital shopping is a sizable opportunity for businesses, however, and consumers were estimated to have spent nearly $3.5 trillion online in 2019 — an approximately 18 percent year-over-year increase in worldwide sales.
Entrepreneurs are not alone in seeing moneymaking potential in online shopping, though, as fraudsters are eager to steal what they can. Tackling emerging eCommerce fraud is more intricate than ever, and payment processing companies and their online merchant clients must cooperate to safeguard these transactions, Ryan Fox, head of global identity services at payment services provider Worldpay from FIS, said in a recent interview with PYMNTS.
The Hack-to-Fraud Cycle
Online commerce means businesses’ cybersecurity and fraud teams need to collaborate more tightly than ever, Fox explained. Hacks cannot be written off as isolated attacks, as they are often the first stage in a plan to steal information.
“The [attack that is] exclusively [seen as] a cyberthreat is no longer just a cyberthreat in and of itself, [but] a means to an end from a fraud perspective,” he said. “To the greatest extent possible, align your [company’s] identity, fraud and cyber practices, [and] ensure [it maintains] data and visibility across those different environments. That will be your best bet to combat fraud across an omnichannel environment.”
Better security comes from better communication, and businesses’ fraud teams must speak with all parties involved in a transaction (card issuers, merchants and the payment processors that connect them), each of which can benefit from sharing insights about consumers. Payment processors typically have better information about the broader online transactions space, for example, and merchants complement this perspective with more in-depth consumer data. This gives companies more complete views of both legitimate customer behavior and signs of fraud.
Security’s New Face
Securing transactions requires robust measures by everyone involved, Fox said. Merchants can better trust transactions made with cards issued by firms with strong authentication approaches, for example.
“The degree to which an issuer is able to establish trust in a consumer’s identity … and [bind] it to strong credentials is the same degree to which you can have a trusted transaction with a merchant,” he said. This is “because that trust should be derived through the payment channel [as well as] through authentication capabilities, [bridging] the issuer to the merchant, and folks like Worldpay facilitate those connections. It’s a completely interconnected ecosystem. While there are different challenges and methods applied across different players, the entire system is ultimately only going to be as strong as its weakest link.”
Issuers thus must shake free of traditional security approaches that may be less effective against modern threats. Knowledge-based authentication (KBA) measures such as security questions are not enough, as synthetic IDs and account takeovers (ATOs) can often evade issuers’ defenses, Fox said. Effective protections against such attacks require behavior-based insights that better indicate whether the entity typing in those security question answers is legitimate.
Fox noted that financial services providers have traditionally relied on rules-based models to thwart payment-related fraud, utilizing back-end software that assesses transactions for certain suspicious criteria. The software might decline those above certain value thresholds, for example, or flag any transactions with identified risk factors for review. These tools can be helpful on their own — and communication among card issuers, merchants and payment processors can improve their accuracy — but they still only go so far, he said.
“The patterns of fraud are moving and adjusting so quickly that if rules are the only way you’re combating [cybercrime], you’re always going to be two steps behind,” he said.
New fraud forms are constantly emerging, and merchants cannot expect to predict them all and program their rules engines to look for the right factors, Fox added. More flexible, insightful approaches are needed to round out defenses. Artificial intelligence (AI) and machine learning (ML)-based behavioral analysis offer robust mechanisms for ferreting out criminals, especially if entities share insights on accounts’ normal behavior patterns to create a more holistic, accurate view and pinpoint unusual activity.
Businesses can also shore up protections by mixing customer identity verification tactics, including behavioral analytics, authenticating government-issued IDs and using mobile network data to evaluate consumers’ digital footprints.
Fraudsters are always adapting their approaches to skirt companies’ defenses and make off with funds. Because eCommerce is too important for competitive merchants to avoid, they must find ways to protect themselves and their customers while transacting online. Merchants, payment providers, issuers and all other players have roles to play in fending off theft, and it has become increasingly clear that legacy authentication and fraud detection models are not enough. AI, behavioral analysis and multichannel authentication will continue to emerge as key tools retailers need when claiming slices of consumers’ eCommerce spending.