As we keep paying attention to the threat variants that are making the news headlines, it is also very important to note that there are other attack vectors out there that are just as damaging, if not more so.

One such thing that you need to be aware of is Fraud. While there is nothing new about this, the way it has proliferated has been mind blowing. It’s not just a matter of having your wallet or purse stolen; now it is your Digital Identity that is at stake.

With everybody working at home and even fewer people visiting the traditional brick and mortar stores, most of the American population is now shopping online. Heck, depending upon where you live, you can even have your groceries delivered to you. But making sure that you remain safe in the digital world, especially as it relates to eCommerce, is a difficult thing to do.

To make things even more complicated, the Cyberattacker of today is now resorting to a new thing called “Fraud as a Service”. I think in the past I wrote something about “Ransomware as a Service”, where the Cyberattacker can essentially hire a professional from the Dark Web and have them deploy the malicious payload for pennies on the dollar. Now it is the same with Fraud.

In this regard, the Cyberattacker can make use of two attack vectors: Bots and Brand Impersonation. With the former, the hijacking of One Time Passwords (OTPs) is now the norm. In this scenario, the hacker already knows your login credentials, but they need that OTP to complete the authentication process.

With the latter, you are redirected to a phony eCommerce site which looks like the real thing. This is often done through Phishing attacks or Domain Name Heisting (this is where the actual domain of a legitimate business is hijacked, or an almost identical one is registered by the Cyberattacker – for example, target.com could become targett.com).
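The lookalike domain the post describes (target.com becoming targett.com) is exactly what a vendor should be watching for in newly registered domain feeds or in links reported by customers. The Python below is an added example, not code from the post or from any product it mentions: it scores a list of observed domain names against a legitimate brand domain using plain edit distance plus a brand-name containment check. The legitimate domain and the observed list are constructed sample values, and the label/TLD split assumes single-level TLDs.

```python
# Protected brand domain (the post's own example), assumed here as the name to defend
LEGIT_DOMAIN = "target.com"

# Constructed list of domains as they might appear in a new-registration feed or a
# customer report; these are sample strings, not claims about real registrations.
OBSERVED_DOMAINS = [
    "target.com",          # the real domain itself, must not be flagged
    "targett.com",         # the post's example of a lookalike
    "targ3t.com",          # digit-for-letter swap
    "target.net",          # same name under another TLD
    "target-support.net",  # brand name embedded in a longer label
    "example.org",         # unrelated, must not be flagged
    "tagret.com",          # transposed letters
]


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def split_domain(domain):
    """Split 'name.tld' into (name, tld); assumes a single-level TLD."""
    name, _, tld = domain.rpartition(".")
    return name, tld


def find_lookalikes(domains, legit=LEGIT_DOMAIN, max_distance=2):
    """Return [(domain, reason)] for every observed domain that resembles the
    legitimate one closely enough to deserve a takedown or blocklist review."""
    legit_label, _legit_tld = split_domain(legit)
    hits = []
    for raw in domains:
        domain = raw.lower().strip(".")
        if domain == legit:
            continue  # our own domain is never a lookalike
        label, _tld = split_domain(domain)
        dist = levenshtein(label, legit_label)
        if dist == 0:
            hits.append((domain, "same name, different TLD"))
        elif dist <= max_distance:
            hits.append((domain, f"edit distance {dist}"))
        elif legit_label in label:
            hits.append((domain, f"contains brand name '{legit_label}'"))
    return hits


if __name__ == "__main__":
    for domain, reason in find_lookalikes(OBSERVED_DOMAINS):
        print(f"{domain:22s} {reason}")
```

Feeding this the output of a domain-monitoring feed each day gives you a short review list; a hit does not prove fraud, but it is the trigger for checking whether the site is serving a copy of your storefront.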
But combatting Digital Fraud is a two-pronged effort. What do I mean by this? It takes both the online vendor (the one that is hosting the eCommerce store) and YOU, the customer. In today’s blog, we will focus upon the former. A future blog will deal with how you can better protect yourself. So, what can the online vendor actually do? Here are some key steps that can be followed relatively quickly:
1) Keep track of how many purchases are being made:

I am actually an online vendor myself to a certain degree, and of course we all want tons of sales and transactions coming through our retail sites. But guess what . . . it can also be a bad sign as well. How so? Well, this is where the bots come into play. They can load up shopping carts and literally make hundreds of purchases in just a matter of a few minutes. Heck, they will even use brute force methods in order to detect the proper login credentials of the unsuspecting victim. So on a daily basis, take a look at your transaction history and see if there is any unusual ordering. If there is, then this could be a telltale indicator that you have bots, and not real customers, hitting your online store. To mitigate this, perhaps you should put restraints on how many times customers can purchase items from your store in a pre-established time period. While this could upset some customers, tell them that it is for their own online safety. Always being open and upfront in this regard will win in the end.
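The two halves of this step, the daily look at transaction history and the cap on purchases per time period, can both be expressed as a sliding-window count per account. The Python below is an added example, not code from the post or from any store platform: the order log, the account names, and the policy of at most 3 purchases per 10 minutes are all constructed sample values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample transaction log, not real store data:
# (account, ISO timestamp, amount in USD). "bot42" places four orders in 17 seconds.
SAMPLE_ORDERS = [
    ("alice", "2024-03-01T10:00:00", 45.00),
    ("bot42", "2024-03-01T10:00:00", 9.99),
    ("bot42", "2024-03-01T10:00:05", 9.99),
    ("bot42", "2024-03-01T10:00:11", 9.99),
    ("bot42", "2024-03-01T10:00:17", 9.99),
    ("bob",   "2024-03-01T11:00:00", 120.00),
    ("alice", "2024-03-01T12:30:00", 20.00),
    ("bob",   "2024-03-02T11:00:00", 15.00),
]

# Assumed store policy: at most MAX_ORDERS purchases per account inside any WINDOW
MAX_ORDERS = 3
WINDOW = timedelta(minutes=10)


def flag_purchase_bursts(orders, max_orders=MAX_ORDERS, window=WINDOW):
    """Daily review: return {account: timestamp} for each account whose purchase
    count exceeded max_orders within a sliding window, recording the first order
    that pushed it over the limit."""
    recent = defaultdict(deque)
    flagged = {}
    for account, ts, _amount in sorted(orders, key=lambda o: o[1]):
        now = datetime.fromisoformat(ts)
        window_orders = recent[account]
        window_orders.append(now)
        # drop timestamps that have aged out of the window (the newest, age 0, always stays)
        while now - window_orders[0] > window:
            window_orders.popleft()
        if len(window_orders) > max_orders and account not in flagged:
            flagged[account] = ts
    return flagged


def checkout_allowed(account, ts, orders, max_orders=MAX_ORDERS, window=WINDOW):
    """Mitigation at checkout time: allow the new purchase only if the account has
    fewer than max_orders purchases in the window ending at ts."""
    now = datetime.fromisoformat(ts)
    in_window = 0
    for other_account, other_ts, _amount in orders:
        if other_account != account:
            continue
        age = now - datetime.fromisoformat(other_ts)
        if timedelta(0) <= age <= window:
            in_window += 1
    return in_window < max_orders


if __name__ == "__main__":
    print("accounts showing purchase bursts:", flag_purchase_bursts(SAMPLE_ORDERS))
    print("bot42 allowed at 10:00:20?",
          checkout_allowed("bot42", "2024-03-01T10:00:20", SAMPLE_ORDERS))
    print("alice allowed at 12:31:00?",
          checkout_allowed("alice", "2024-03-01T12:31:00", SAMPLE_ORDERS))
```

The review function is what you would run over yesterday's export; the checkout function is the restraint the post suggests, and the same window and cap drive both so that what you flag and what you block stay consistent.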
2) You may have to screen every order:

This is where keeping track of malicious behavior (as alluded to in the last section) will come into play. It may come to the point where each and every transaction will have to be screened to make sure that there are no bots entering your system. For example, you may have a customer that just purchased an item from their iPhone, from a certain location. Then they drove a few miles away to visit a friend, and then made yet another purchase at your online store, but this time from a Samsung and a different location. Would this be considered fraud? To you, the business owner, it could look that way, when in reality it was never the case. Therefore, with the help of automated tools such as AI and ML, you can easily set up profiles on your customers in just a matter of minutes and establish various baselines. Those that fall outside of these thresholds should be flagged for possible malicious intent. And remember, you do not have to do this manually. The AI and ML tools that are available today can very easily do this for you, and present everything in one dashboard. You should even consider running various types of batch analyses against other customer profiles, to make sure that the same credit card number is not being used over and over again.

But keep in mind that once you start using AI and ML tools for these purposes, it will be your job to make sure that they are fed with the most recent data on a real time basis. This is the only way that the algorithms will continue to learn about your customers, in an effort to also stop any false positives from filtering in (this is where a legitimate customer is flagged for malicious behavior).
3) Try to avoid automatic declines:

Credit card companies are pretty good today at detecting fraudulent purchases, and even if just one or two are made, the card will be automatically declined. In this case, they will call the customer to confirm the orders, or in a worst-case scenario, issue a new card to the victim. But this is not such a cut and dried scenario for an online merchant. As the old saying goes, it can take years to get a new customer but only seconds to lose one, so automatic declines may not be best suited here. Therefore, you may want to let purchases go through, and only stop them if any unusual activity has been detected.

This is where keeping your AI and ML tools up to date with the latest data and having them run on a real time basis becomes absolutely critical. Then at the end of the day, after you scour through the files that have been outputted, you can always reach out to that particular customer to confirm their order in case they have purchased an extraordinary amount which falls outside of their baseline. In fact, taking this approach will show the customer that you are proactive about keeping their data safe, and in turn, this could bring in more repeat business. According to a recent study, 40% of online customers will not return to the same vendor if their purchase has been declined.

(SOURCE: https://www2.clear.sale/consumer-behavior-intro-unlocked)
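Steps 2 and 3 fit together: build a per-customer baseline, score each new order against it, and route anything unusual to a review queue rather than an automatic decline, with a separate batch pass for one card number turning up under several profiles. The Python below is an added example that does this with plain statistics rather than the AI/ML products the post has in mind; it is not code from the post or from any vendor tool. The order history, customer names, cities, card suffixes and the three-standard-deviation amount threshold are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed order history, not real customer data:
# (customer, device, city, card last four digits, amount in USD)
HISTORY = [
    ("cust1", "iphone",  "denver",  "1111", 40.0),
    ("cust1", "iphone",  "denver",  "1111", 55.0),
    ("cust1", "iphone",  "boulder", "1111", 35.0),
    ("cust1", "samsung", "boulder", "1111", 50.0),
    ("cust2", "desktop", "austin",  "2222", 200.0),
    ("cust2", "desktop", "austin",  "2222", 180.0),
    ("cust3", "android", "miami",   "2222", 30.0),   # same card as cust2
]


def build_baselines(history):
    """Per-customer profile: devices, cities and cards seen before, plus the
    mean and population standard deviation of past order amounts."""
    groups = defaultdict(list)
    for cust, device, city, card, amount in history:
        groups[cust].append((device, city, card, amount))
    baselines = {}
    for cust, rows in groups.items():
        amounts = [r[3] for r in rows]
        baselines[cust] = {
            "devices": {r[0] for r in rows},
            "cities": {r[1] for r in rows},
            "cards": {r[2] for r in rows},
            "mean": mean(amounts),
            "stdev": pstdev(amounts),
        }
    return baselines


def score_order(order, baselines, amount_sigma=3.0):
    """Return (decision, reasons). Decisions are 'approve' or 'review', never an
    automatic decline. A new device or city alone is only a soft signal (the
    iPhone-then-Samsung case from the post); an unknown card or an amount far
    above the customer's baseline sends the order to a human for a quick call."""
    cust, device, city, card, amount = order
    b = baselines.get(cust)
    if b is None:
        return "review", ["no purchase history"]
    reasons = []
    if device not in b["devices"]:
        reasons.append("new device")
    if city not in b["cities"]:
        reasons.append("new location")
    if card not in b["cards"]:
        reasons.append("card not seen before")
    # assumed threshold: mean + 3 standard deviations, with a $1 floor so a
    # customer with identical past amounts is not flagged for a one-cent change
    limit = b["mean"] + amount_sigma * max(b["stdev"], 1.0)
    if amount > limit:
        reasons.append(f"amount {amount:.2f} exceeds baseline limit {limit:.2f}")
    hard = [r for r in reasons if r.startswith("amount") or r.startswith("card")]
    return ("review" if hard else "approve"), reasons


def shared_card_numbers(history):
    """Batch analysis across profiles: card numbers used by more than one customer."""
    owners = defaultdict(set)
    for cust, _device, _city, card, _amount in history:
        owners[card].add(cust)
    return {card: sorted(custs) for card, custs in owners.items() if len(custs) > 1}


if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    print(score_order(("cust1", "pixel", "aspen", "1111", 48.0), baselines))
    print(score_order(("cust1", "iphone", "denver", "1111", 900.0), baselines))
    print("cards shared across profiles:", shared_card_numbers(HISTORY))
```

Rebuilding the baselines from the latest export before each scoring run is the plain-statistics equivalent of the post's advice to keep the models fed with current data; a stale baseline is what turns a loyal customer's growing basket into a false positive.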
My Thoughts On This:

Notice that this blog put a heavy emphasis on using AI and ML tools. This may sound fearful at first, but it should not be. In this regard, your best bet is probably to hire an MSSP to install these tools for you. That way, they can also do a Dark Web scan to make sure that none of your customers’ PII datasets are down there, and also that nobody has heisted your domain name in an effort to create a phony website. In other words, apart from keeping your customers protected from Fraud as a Service, you also need to make sure that your IP is equally protected.