e-commerce fraud solutions: making sense of the data and hype

The Nuts and Bolts of e-Commerce Fraud Solutions

Upload: ronen-shnidman

Post on 13-Apr-2017


The fraud prevention space in e-commerce is cluttered with different solutions. Merchants can easily leave money on the table if they aren't carefully attuned to what the market offers and what fraud prevention strategy best achieves their goals.

Behavioral scoring, biometric identification, password protection and personally identifiable information all tackle fraudulent purchases in different ways. Unfortunately, many fraud prevention technologies are really solutions in search of a market. Knowing how each class of technology works is crucial for understanding which clients will benefit the most from your solution and what drawbacks you need to address.

What makes a good fraud prevention system?

Every fraud platform can measure its value by how well it serves the needs of its end user: retail merchants. Retailers will judge fraud platforms based on the impact they have on their two most important figures: the top line and the bottom line, i.e. revenue and net profit.

Fraudulent transactions affect both revenue and net profit in several ways, which are laid out for you below. Direct effects are written in red, indirect effects are written in blue. How well does your platform address these effects?

1. Reduced Revenue

Fraudulent purchases lead to chargebacks, and when the merchant is liable that means less recognized revenue.

Merchants lose revenue from legitimate sales that were denied because they were flagged by a fraud solution as likely to be fraudulent.

Increased complexity and time to complete checkout due to fraud-prevention processes frustrate potential customers and lead them to abandon purchases.

2. Lower Profit and Higher Losses

Goods already shipped that are subject to chargebacks are usually unrecoverable, creating an expense that hurts the bottom line.

Any legitimate sales that are denied also hurt the bottom line, since less revenue means less profit.

Top priority: reducing false positives

The criminal benefits only from the items in red, but most merchants, i.e. your customers, will actually lose much more money from the indirect ways fraud affects their operation that are listed in blue. Knowing which negative effects are most important for your client to mitigate is key for designing a fraud prevention solution they will use and like.

Generally, how you try to prevent fraud will have a much bigger impact on most merchants' sales and profit than any actual fraud committed. A 2015 study by research firm Javelin estimated that $118 billion of legitimate card transactions are denied every year in the U.S. The company found that 15 percent of all customers surveyed had at least one transaction improperly denied that year. That's a whole lot of insulted and discouraged customers!

Meanwhile, $9 billion is lost annually to actual fraud. That's right: The dollar amount most merchants lose due to declining legitimate customer transactions is an order of magnitude larger than the amount of money they lose to fraudsters.

To make things more serious, a lot of those denied legitimate customers won't be coming back to the merchant anytime soon. Javelin together with the fraud platform Riskified found in a survey that 54 percent of all cardholders who were improperly declined reduced or stopped patronizing the merchant in question. For online consumers, the figure was even higher: 67 percent!

For most products this means a good fraud solution should focus on minimizing the number of legitimate customers' cards a merchant declines. Only for very expensive products, e.g. luxury cars, might the merchant care more about avoiding a single chargeback than about missing sales to several customers. Reducing actual fraudulent transactions that slip through is still an important consideration for all merchants (otherwise, they could just let through every transaction), but it's a lower priority.

To put it succinctly: Fraud is like a disease. A fraud solution is the medicine you choose to treat that disease, while legitimate card transactions declined are an unfortunate side effect of medical treatment. Your goal is to find the medicine that treats the disease with the fewest side effects.

With that in mind, let's take a look at the types of fraud solutions on the market. Like classes of drugs, the solutions can be divided by the data they use to detect fraud.

Fraud solutions by data type: Behavioral algorithms

1) Behavioral algorithms

A wave of startups this decade have developed fraud solutions based on scoring the behavioral patterns of customers for the likelihood of fraud. These platforms use proprietary algorithms to assign a fraud score, but each company's algorithm is unique and usually a trade secret. They may analyze things like user behavior on the website, the time they access a website, how frequently they check out the website, the email service provider of the account associated with the purchase, IP address location and more.

If people outside the fraud platform knew the exact algorithm or data it used to create fraud scores, it would be easy for the competition to duplicate it and not too hard for the fraudsters to defeat it. Unfortunately, that means you can't accurately compare different behavioral-based fraud platforms without integrating the solutions into your payment flow, which is costly and time-consuming.

Pros

Behavioral analysis is relatively frictionless since you aren't asking the customer to do anything they wouldn't otherwise do. This should help reduce abandoned sales.

Cons

It's very difficult to compare different behavioral platforms without testing them out yourself. That means deciding between platforms can be a shot in the dark.

Behavioral solutions don't actually verify the identity of the purchaser. If legitimate users act in a non-typical manner they may get flagged as fraudsters.

If fraudsters ever figure out what specific data points are used by a fraud scoring algorithm, they could find ways to reduce their fraud score below the threshold.


2) Biometric authentication

Another class of solutions that has been getting a lot of attention lately is based on biometric authentication. Banks and credit card accounts in the past year have been adopting voice, face and fingerprint recognition technologies to verify user identity.

In many ways, biometric authentication is the mirror image of behavioral analysis for fraud prevention purposes. This means it's a good way to avoid blocking legitimate customers, but it could face some serious challenges from fraudsters in the future. It also adds friction to the log-in or checkout process by creating an additional step for users.

Pros

Legitimate customers are very unlikely to be blocked since authorization requires a body part.

Fraud solutions by data type: Biometric authentication

Cons

Requiring users to take selfies or provide a fingerprint is a hassle and a trust issue between customers and merchants and may lead to abandoned purchases.

This requires hardware on the part of the customer to capture images or audio. This can be a significant problem for serving the 1/3 of Americans without smartphones.

Biometrics rely on permanent identifiers that cannot be changed once compromised. This makes them very high-value targets for fraudsters and they can be spoofed.


3) Password protection and 3-D Secure

Passwords have always been the most basic form of fraud prevention. For the past decade or more static passwords, i.e. those that aren't automatically changed on a regular basis, have been considered vulnerable to code-cracking software and other methods. However, dynamic passwords, i.e. those that are generated frequently or even for one-time use temporarily, are still common.

In transaction fraud, the main password-based solution is 3-D Secure, which is provided by the major credit card companies. It works by rerouting a customer at the time of purchase to a webpage maintained by the bank that issued their credit card. There they must provide a password to authenticate the transaction. If the password doesn't match the one on file with the issuer, the transaction will be flagged as fraudulent and denied.

Fraud solutions by data type: Password protect & 3-D Secure

The main benefit of 3-D Secure to merchants has nothing to do with its ability to prevent fraud and everything to do with passing the liability over to the issuer. Credit card companies shift chargeback liability to the issuer and not the merchant when a transaction is authenticated via 3-D Secure. 3-D Secure is basically a password system with poor user experience.

Pros

Authorized transactions are no longer the liability of the merchant.

Credit card companies often offer discounted interchange fees to merchants using 3-D Secure.

Cons

Customers must enroll their card in 3-D Secure for the merchant to use it as an authentication method for their purchase. This is a major friction point.


3-D Secure redirects customers to another browser tab or window. This is a friction point that creates a major trust issue for online shoppers.

Digital natives have been trained to view automatically opening browser pages as a tool for malware and pornography sites. Some will abandon the sales process at this point.

The webpage redirect also provides a valuable target for a phishing attack by fraudsters. Any such attacks, when made public, will further reduce consumer trust in online sites using 3-D Secure.


4) PII: Old and New

A. AVS: Traditional PII

Personally identifiable information (PII) is one of the oldest methods for foiling transactional fraud. It verifies identity by authenticating details about the purchaser that are specific to just one person or household.

In North America and the U.K. the classic PII fraud solution is address verification services (AVS). AVS is a free service provided by the credit card companies that takes the numeric elements of the address, i.e. house number and postal code, provided by the purchaser and verifies them against the address held on file for that person at their credit card's issuing bank. If the numbers match, the transaction is approved and the merchant avoids liability for any chargebacks. If there isn't a complete match, the merchant can either deny the transaction or accept it but will be held liable for any chargebacks.

Fraud solutions by data type: Personally Identifiable Information

Pros

AVS is a form of passive authentication. It requires no additional steps from the end-customer, since they must already provide a shipping address for their order.

The merchant is not liable for chargebacks for any AVS-authenticated transactions.

AVS is provided by the credit card companies for free.

Cons

The free AVS system provided by credit card companies only has widespread coverage in North America and the U.K.

Cross-border e-commerce merchants can solve this problem by using a global solution that incorporates address information provided by data providers like PIPL.

AVS solutions not maintained by the credit card companies will not shield the merchant from chargeback liability.


Fat finger issues. Sometimes shoppers mistakenly enter the wrong numbers for postal code or street address leading them to be flagged as fraudsters.
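The AVS comparison described above, together with the fat-finger case, as an added example that is not part of the original presentation. The result labels, the sample addresses and the `suggest_reprompt` near-miss rule are assumptions made for illustration; real AVS responses come from the card issuer.

```python
import re

def numeric_elements(street, postal):
    """Return (house number, postal digits): the numeric parts AVS compares."""
    house = re.search(r"\d+", street)
    return (house.group() if house else "", re.sub(r"\D", "", postal))

def near_miss(entered, on_file):
    """True for one wrong digit or one swap of two adjacent digits."""
    if len(entered) != len(on_file):
        return False
    diffs = [i for i, (a, b) in enumerate(zip(entered, on_file)) if a != b]
    if len(diffs) == 1:
        return True
    return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
            and entered[diffs[0]] == on_file[diffs[1]]
            and entered[diffs[1]] == on_file[diffs[0]])

def avs_check(entered, on_file):
    """Compare entered address numerics with the issuer's record."""
    e_house, e_postal = numeric_elements(entered["street"], entered["postal"])
    f_house, f_postal = numeric_elements(on_file["street"], on_file["postal"])
    house_ok, postal_ok = e_house == f_house, e_postal == f_postal
    if house_ok and postal_ok:
        result = "full_match"
    elif house_ok or postal_ok:
        result = "partial_match"
    else:
        result = "no_match"
    # Assumption (not from the page): one element matches and the other is a
    # single typo away, so re-prompting beats an outright decline.
    typo = ((house_ok and near_miss(e_postal, f_postal))
            or (postal_ok and near_miss(e_house, f_house)))
    return {"result": result,
            # Per the page: only a complete match shifts chargeback liability.
            "merchant_liable_if_accepted": result != "full_match",
            "suggest_reprompt": typo}

# Constructed sample data: issuer record and three checkout entries.
ON_FILE = {"street": "1200 Example Ave", "postal": "30301"}
EXACT = {"street": "1200 Example Avenue, Apt 4", "postal": "30301"}
FAT_FINGER = {"street": "1200 Example Ave", "postal": "30310"}
MISMATCH = {"street": "77 Other Rd", "postal": "10001"}

if __name__ == "__main__":
    for name, entry in [("exact", EXACT), ("typo", FAT_FINGER), ("other", MISMATCH)]:
        print(name, avs_check(entry, ON_FILE))
```

Because only the numeric elements are compared, the differently spelled street name in `EXACT` still yields a full match, while the transposed postal code in `FAT_FINGER` drops a legitimate customer to a partial match unless the merchant re-prompts.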

B. New PII

The widespread adoption of email and social media since the start of the millennium has provided new types of PII that can be used for identity authentication. The identity of a customer can now be confirmed using the email address or social media handle associated with their order.

It can also be combined with behavioral data to create a fraud score for a transaction. For example, if a customer changed their password on your e-commerce site, picked an item and proceeded to checkout, where they provided an email that was only created in the past several months, the transaction would receive a high fraud score.


Pros

PII is a form of passive authentication that only uses data that customers already provide when they use a merchant site. It keeps the checkout process frictionless.

Every legitimate e-commerce customer should have PII data that enables verification, which should cut down dramatically on false positives.

Aspects of PII data, such as age of email address or social media handle, are more difficult for fraudsters to fake than behavioral patterns, which can be imitated.

The cost of implementing and using PII data can be much lower than biometrics. There is no need for special hardware to collect data, like fingerprint readers.


Cons

PII data leaks in recent years mean that fraudsters may be able to acquire basic PII data on the dark web. You may want to use several types of PII or PII in conjunction with other data types to reduce fraud risk, especially synthetic identity fraud.

To date, the credit card companies have not offered to shift chargeback liability for merchants that have authenticated customer identity via new PII data such as email.


All the different transaction authentication systems have their pros and cons and each can be foiled by dedicated fraudsters. The goal of a good fraud prevention system is to maximize your revenue and profit. This means minimizing the number of legitimate transactions it blocks and increasing the difficulty of committing fraud to deter most fraudsters.

As you can see from above, some methods will work better for merchants than others. If a merchant's goal is to maximize revenue, they are going to want a system that utilizes either PII or behavioral data and would probably prefer a system that uses both. If a merchant sells a product or serves a geography where fraud and chargeback rates are high, they may prefer 3-D Secure since it shifts liability to other parties. Biometrics at this stage isn't well-tuned for mass market adoption, although it may be good as an additional security measure in certain cases.

Making educated choices

But don't just take my word for it. Talk to merchants yourself and listen carefully to their concerns. The three questions you can expect to hear most often are:

Does your solution add friction to my checkout process?

How does your solution affect my chargeback liability?

How is your fraud platform better than [name of competitor]?

Make sure you are able to provide clear, strong answers to these questions and you should have a growing, satisfied merchant customer base.
