As online sales surge this holiday shopping season, so does online fraud, which analysts at security solutions provider RSA said costs the retail industry $660,000 per hour. But there are tactics that retailers can deploy to offset fraud, such as preparing for credential testing and using more creative authentication.
Here, Angel Grant, director of fraud and risk intelligence at RSA, discusses these issues and shares insights about online fraud and its impact on business.
WWD: What are some of the ways retailers can mitigate fraud this holiday season?
Angel Grant: There are three ways. First, prepare for credential testing. Most users will reuse the same e-mail address, username and password on multiple web sites. In one case, we saw more than 200,000 accounts were tested and over 18,000 of them were valid customer accounts. This often leads to fraud: once stolen credentials have been tested and verified on organizations’ sites, hackers will often use them to make fraudulent purchases or transfers, or sell them to other cybercriminals to do the same.
Second is to expect account theft. After large breaches, it’s common that fraudsters use verified stolen credentials to take over existing accounts and create unauthorized new accounts. Fraud rates are typically 15 times greater in the first 10 days of a breach. Organizations should be on the lookout for suspicious behavior on existing accounts, including logins from new devices, unexpected password and account profile changes, the addition of new payees, etc.
Third is creative authentication. Usernames and passwords alone aren’t enough these days. Organizations need to consider creative ways to determine the legitimacy of users accessing their business, such as exploring factors like device use, behavioral patterns, locations, biometrics, etc.
WWD: When it comes to fraud, what are the top concerns retailers should have during this holiday season?
A.G.: With so many data breaches involving usernames and passwords this year, one of the top concerns for retailers this season should be account takeovers and theft. It’s not unusual to see an account takeover outbreak after a large breach as hackers often use stolen credentials to take over existing accounts. Retailers should be mindful of suspicious behavior, such as multiple login failures and login attempts from unusual locations.
WWD: A lot of consumers are doing their online shopping from their mobile phones. What role does this play in fraudulent activity?
A.G.: We’re seeing more fraud originating from mobile devices than from PCs, and in fact, this past year, over 60 percent of fraudulent transactions originated from a mobile device. As more and more consumers move their shopping to mobile, we expect the level of fraud to increase, too.
WWD: How much are retailers losing to fraud? Who pays for those losses — the retailers or the end customers?
A.G.: E-commerce fraud is costing the industry $660,000 per hour. Retailers end up bearing a majority of that cost through chargebacks from credit card providers. Even more, this is damaging for retailers who may face the loss of customer and brand loyalty as a result.
WWD: How much can retailers save per incident and annually with fraud mitigation strategies in place?
A.G.: Savings will vary by retailer, but the actual cost per fraud incident goes beyond individual chargebacks. For retailers, the resulting loss of customer loyalty or diminished brand value are often hard to measure, but are no less important or impactful. Broadly, companies also need to be aware of not imposing too stringent security measures that add friction to customers’ online shopping experiences.
WWD: What factors impact the value of someone’s login credentials across various retail accounts when they’re sold on the dark web?
A.G.: There are many factors that impact the value of login credentials sold on the dark web. The main factor is how easy it is for a hacker to resell the merchandise, especially from a brand name, i.e., it’s easier to sell an Apple iPhone over a pair of boots. Another factor that contributes to cost on the dark web is if there is a credit card saved on the account file and whether the stolen credentials have been verified. This means that a hacker was able to verify a successful login and the owner/consumer hasn’t changed their password so we can expect even more fraud transactions to come.