Saturday, May 14, 2022

To The eCommerce Merchant: 3 Proven Tactics To Combat Fraud as a Service



As we keep paying attention to the threat variants that are making the news headlines, it is also very important to note that there are other attack vectors out there that are just as damaging, if not more so.

One such thing that you need to be aware of is Fraud.  While there is nothing new about this, the way it has escalated has been mind-blowing.  It's not just a matter of having your wallet or purse stolen; now it is your Digital Identity that is at stake.

With everybody working at home and even fewer people visiting the traditional brick and mortar stores, most of the American population is now shopping online.  Heck, depending upon where you live, you can even have your groceries delivered to you.  But making sure that you remain safe in the digital world, especially as it relates to eCommerce, is a difficult thing to do.

But to make things even more complicated, the Cyberattacker of today is now resorting to a new thing called "Fraud as a Service".  I think in the past I wrote something about "Ransomware as a Service", where the Cyberattacker can essentially hire a professional from the Dark Web and have them deploy the malicious payload for pennies on the dollar.  Now it is the same with Fraud.

In this regard, the Cyberattacker can make use of two attack vectors:  Bots and Brand Impersonation.  With the former, the hijacking of One Time Passwords (OTPs) is now the norm.  In this scenario, the hacker already knows your login credentials, but they need that OTP to complete the authentication process.

With the latter, you are redirected to a phony eCommerce site which looks like the real thing.  This is often done through Phishing attacks or Domain Name Heisting (this is where the actual domain of a legitimate business is hijacked, or a nearly identical one is registered by the Cyberattacker; for example, target.com could become targett.com).

But combatting Digital Fraud is a two-pronged effort.  What do I mean by this?  It takes both the online vendor (the one that is hosting the eCommerce store) and YOU, the customer.  In today's blog, we will focus upon the former.  A future blog will deal with how you can better protect yourself.  So, what can the online vendor actually do?  Here are some key steps that can be followed relatively quickly:

1) Keep track of how many purchases are being made:

I am actually an online vendor myself to a certain degree, and of course we all want tons of sales and transactions coming through our retail sites.  But guess what . . . it can also be a bad sign.  How so?  Well, this is where the bots come into play.  They can load up shopping carts and literally make hundreds of purchases in just a matter of a few minutes.  Heck, they will even use brute force methods in order to discover the login credentials of the unsuspecting victim.  So on a daily basis, take a look at your transaction history and see if there is any unusual ordering.  If there is, then this could be a telltale indicator that you have bots, and not real customers, hitting your online store.  To mitigate this, perhaps you should put limits on how many times customers can purchase items from your store in a pre-established time period.  While this could annoy some customers, tell them that it is for their own online safety.  Being open and upfront in this regard will win in the end.

2) You may have to screen every order:

This is where keeping track of malicious behavior (as alluded to in the last section) will come into play.  It may come to the point where each and every transaction will have to be screened to make sure that there are no bots entering your system.  For example, you may have a customer that just purchased an item from their iPhone, from a certain location.  Then they drove a few miles away to visit a friend, and made yet another purchase at your online store, but this time from a Samsung, and from a different location.  Would this be considered fraud?  To you, the business owner, it could look that way, when in reality it was never the case.  Therefore, with the help of automated tools such as AI and ML, you can easily build up profiles of your customers in just a matter of minutes and set up various baselines.  Transactions that fall outside of these thresholds should be flagged for possible malicious intent.  And remember, you do not have to do this manually.  The AI and ML tools that are available today can very easily do this for you, and present everything in one dashboard.  You should even consider running various types of batch analyses across customer profiles, to make sure that the same credit card number is not being used over and over again under different accounts.  But keep in mind that once you start using AI and ML tools for these purposes, it will be your job to make sure that they are fed with the most recent data on a real-time basis.  This is the only way that the algorithms will continue to learn about your customers, and it also helps stop false positives from creeping in (this is where a legitimate customer is flagged for malicious behavior).

3) Try to avoid automatic declines:

Credit card companies are pretty good today at detecting fraudulent purchases, and even if just one or two are made, the card will be automatically declined.  In this case, they will call the customer, confirm the orders, or in a worst-case scenario, issue a new card to the victim.  But this is not such a cut-and-dried scenario for an online merchant.  As the old saying goes, it can take years to get a new customer but only seconds to lose one, so automatic declines may not be best suited here.  Therefore, you may want to let purchases go through, and only hold them if unusual activity has been detected.  This is where keeping your AI and ML tools up to date with the latest data and having them run on a real-time basis becomes absolutely critical.  Then at the end of the day, after you scour through the files that have been outputted, you can always reach out to that particular customer to confirm their order in case they have purchased an extraordinary amount which falls outside of their baseline.  In fact, taking this approach will show the customer that you are proactive about keeping their data safe, and in turn, this could bring in more repeat business.  According to a recent study, 40% of online customers will not return to the same vendor if their purchase has been declined.

(SOURCE:  https://www2.clear.sale/consumer-behavior-intro-unlocked)
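The three tactics above (a purchase-velocity limit, per-customer baselines plus a batch check for one card appearing under several accounts, and holding an order for a confirmation call instead of auto-declining it) can be wired together in a small screening routine. The following is an added example written for this post, not code from the original blog or from any vendor's fraud product; the customer names, card tokens, amounts and timestamps are constructed sample data, and the thresholds (three orders per ten minutes, three standard deviations above the customer's mean) are assumptions you would tune to your own store.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample data (not real transactions): past order amounts per
# customer, used to form a baseline, and today's incoming orders.
HISTORY = {
    "alice": [40.0, 55.0, 48.0, 62.0, 50.0],
    "bob": [20.0, 25.0, 22.0, 30.0],
}

# "card" is a constructed payment token, never a raw card number.
ORDERS = [
    {"id": "t1", "customer": "alice", "card": "tok-1111", "amount": 52.0, "ts": "2022-05-14T10:00:00", "device": "iphone"},
    {"id": "t2", "customer": "alice", "card": "tok-1111", "amount": 49.0, "ts": "2022-05-14T10:30:00", "device": "samsung"},
    {"id": "t3", "customer": "bob",   "card": "tok-2222", "amount": 24.0, "ts": "2022-05-14T11:00:00", "device": "web"},
    {"id": "t4", "customer": "bob",   "card": "tok-2222", "amount": 24.0, "ts": "2022-05-14T11:01:00", "device": "web"},
    {"id": "t5", "customer": "bob",   "card": "tok-2222", "amount": 24.0, "ts": "2022-05-14T11:02:00", "device": "web"},
    {"id": "t6", "customer": "bob",   "card": "tok-2222", "amount": 24.0, "ts": "2022-05-14T11:03:00", "device": "web"},
    {"id": "t7", "customer": "dave",  "card": "tok-3333", "amount": 30.0, "ts": "2022-05-14T11:10:00", "device": "web"},
    {"id": "t8", "customer": "erin",  "card": "tok-3333", "amount": 31.0, "ts": "2022-05-14T11:12:00", "device": "web"},
    {"id": "t9", "customer": "alice", "card": "tok-1111", "amount": 400.0, "ts": "2022-05-14T12:00:00", "device": "iphone"},
]


def velocity_flags(orders, max_orders=3, window=timedelta(minutes=10)):
    """Tactic 1: flag any order that would be the (max_orders + 1)th or later
    from the same customer inside a sliding time window (assumed limits)."""
    flagged = set()
    by_customer = defaultdict(list)
    for order in sorted(orders, key=lambda o: o["ts"]):
        by_customer[order["customer"]].append(order)
    for txns in by_customer.values():
        times = [datetime.fromisoformat(o["ts"]) for o in txns]
        for i, order in enumerate(txns):
            recent = sum(1 for t in times[: i + 1] if times[i] - t < window)
            if recent > max_orders:
                flagged.add(order["id"])
    return flagged


def card_reuse_flags(orders):
    """Tactic 2, batch analysis: flag every order whose card token shows up
    under more than one customer profile."""
    customers_per_card = defaultdict(set)
    for order in orders:
        customers_per_card[order["card"]].add(order["customer"])
    shared = {card for card, users in customers_per_card.items() if len(users) > 1}
    return {o["id"] for o in orders if o["card"] in shared}


def baseline_flags(orders, history, z=3.0, min_history=3):
    """Tactic 2, per-customer baseline: flag an amount more than z standard
    deviations above the customer's historical mean. A change of device or
    location on its own (iPhone, then Samsung) is deliberately not a trigger,
    and a customer with too little history gets no baseline rather than a guess."""
    flagged = set()
    for order in orders:
        past = history.get(order["customer"], [])
        if len(past) < min_history:
            continue
        mu, sigma = mean(past), pstdev(past)
        if order["amount"] > mu + z * sigma:
            flagged.add(order["id"])
    return flagged


def screen_orders(orders, history):
    """Tactic 3: never auto-decline. Every order is approved unless a rule
    fires, in which case it is held for a confirmation call with the customer
    and the reasons are recorded for the end-of-day review."""
    reasons = defaultdict(list)
    for oid in velocity_flags(orders):
        reasons[oid].append("order velocity above limit")
    for oid in card_reuse_flags(orders):
        reasons[oid].append("card used across multiple customer profiles")
    for oid in baseline_flags(orders, history):
        reasons[oid].append("amount outside customer baseline")
    decisions = {}
    for order in orders:
        if order["id"] in reasons:
            decisions[order["id"]] = {"action": "hold_for_confirmation", "reasons": reasons[order["id"]]}
        else:
            decisions[order["id"]] = {"action": "approve", "reasons": []}
    return decisions


if __name__ == "__main__":
    for oid, decision in screen_orders(ORDERS, HISTORY).items():
        print(oid, decision["action"], "; ".join(decision["reasons"]))
```

Run as-is, the routine approves alice's two ordinary purchases despite the device change, holds bob's fourth order inside ten minutes, holds both orders on the token shared by dave and erin, and holds alice's $400 order as a baseline outlier; nothing is declined outright, which is the point of the third tactic. In a real store the `HISTORY` baselines would be refreshed from the live order feed, as the post says, so that the thresholds keep tracking each customer.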

My Thoughts On This:

Notice that this blog put a heavy emphasis on using AI and ML tools.  This may sound daunting at first, but it should not be.  In this regard, your best bet is probably to hire an MSSP to install these tools for you.  That way, they can also do a Dark Web scan to make sure that none of your customers' PII datasets are down there, and also that nobody has heisted your domain name in an effort to create a phony website.

In other words, apart from keeping your customers protected from Fraud as a Service, you also need to make sure that your IP is equally protected.
