In the past 180 days, credit card data for nearly half a million people in the US was put on sale on the dark web with a going price of about $10 each. That includes everything necessary to make fraudulent card-not-present (CNP) purchases online, including the cardholder’s name, card number, CVV number, and expiration date. Other details may be included in the sale price, such as the bank issuer and available balance.
“In some of the markets [on the dark web], there is someone managing the whole marketplace to see that the transactions are fair, and everyone is getting their right share,” said Noam Kehati, a researcher at CyberInt, in announcing findings of their research in January.
The market in credit card data has exploded since the pandemic as people are making a lot more transactions online, and so it has become easier to get card details, according to Reuben Braham, vice president at CyberInt. “It’s only increasing,” he said.
That trajectory is why many experts are warning retailers to align online fraud prevention with areas of growing risk, to invest in best-practice, multi-layered fraud prevention solutions, and to recalibrate as necessary the balance between fraud risk assessment and customer friction to maximize overall profit.
Retailers will probably lose $130 billion from CNP fraud between 2018 and 2023, according to a 2019 market forecast study by Juniper Research on online payment fraud. As more people shop online and card-present fraud grows more difficult because of enhanced card security features and PoS compliance standards, there has been a significant shift to CNP fraud, which now accounts for roughly 75 percent of all card fraud, according to estimates.
Shopping Trends and Fraud Evolve Together
The pandemic changed consumers’ behavior and thieves followed suit, explains the 2021 True Cost of Fraud Study by LexisNexis. More fraud losses are being attributed to the mobile channel than in prior years, as more consumers turn to digital transactions—and mobile ones in particular.
“The spike in fraud attacks and cost for ecommerce merchants since early 2020 was not a temporary event; Ecommerce saw a 34.4 percent increase in the cost of fraud and a 140 percent increase in volume fraud attacks since the pre- to early-COVID-19 period,” according to the study.
Consequently, the total cost and volume of fraud have risen sharply compared to pre-COVID periods, say analysts. Every $1 of fraud costs US retail and ecommerce merchants $3.60 compared to $3.13 prior to the pandemic, with the shift to mobile channels a primary catalyst. Losses from fraudulent international transactions are proving especially problematic, nearly doubling in 2021 from 2020, complicated by identity authentication challenges and data privacy restrictions.
CNP fraud has become the tool of choice for fraudsters because there is no need to steal the card itself—just its attributes. Consumers are typically unaware of the theft until after fraudulent transactions appear, but it’s merchants who are likely to get stuck with the cost of bogus transactions, more often than with fraudulent purchases made with a physical card.
CNP fraud is growing faster than CNP transactions because fraudsters are adopting increasingly complex approaches that outpace merchants’ security measures, according to Francisco Rodriguez-Fernandez, professor of economics at the University of Granada in Spain and author of “Fraud in cash and electronic payments: taxonomy, estimation and projections.” “Fraudsters have proven an ability to identify new weaknesses in electronic payment instruments as they have evolved,” he told LP Magazine.
That thieves have gotten smarter is another point made in the 2021 LexisNexis research project. “Fraudsters developed new skills and learnings during the pandemic, including merchants’ weak points with fraud detection,” the study warns.
It’s perhaps why the study concludes that US retailers may be falling behind in their battle against increased fraud attacks. The hundreds of retailers surveyed were asked, in a typical month, how many fraudulent transactions they prevent and how many are successful. Disturbingly, retailers report one successful attack for every one that they prevent, and that trend has been heading in the wrong direction. In 2019, for example, retailers said they thwarted 59 percent of attempted fraudulent online transactions.
Powerful tools exist to prevent CNP fraud while minimizing false declines, but many retailers have been slow to invest in them, according to Juniper Research report author Steffen Sorrell. Online retailers are still mostly focused on assessing fraud risk at the point of transaction, rather than conducting session analysis and behavioral monitoring or validating the identity of a user to assess fraud risk before any transaction, he said. Also, retailers too often examine the business case for investing in solutions from solely a fraud prevention perspective, rather than also recognizing the substantial value in keeping down false-positive decline rates, in which legitimate orders are incorrectly labeled as fraudulent.
“A layered fraud detection and prevention (FDP) solution naturally helps directly prevent fraud, but it also offers major gains in terms of recovering potentially lost revenue through false positives. This is something about which retailers remain undereducated and has allowed fraudsters to capitalize on relatively low FDP spend,” Sorrell said.
A successful CNP fraud prevention approach is one that strikes the correct balance between fraud defense and customer experience, most experts seem to agree. “Not every transaction carries the same level of risk; businesses need intelligence to know when to apply more or less effort with customers,” recommend the authors of the LexisNexis study. “New customers may appreciate the extra steps taken to verify their identity, such as challenge questions and one-time passcodes. Recurring customers may tire of this at some point based on the expectation that the business should know them.”
What’s next? Ascertaining information, like the geolocation of the person initiating an authentication request, can help to distinguish real customers from imposters. As more retailers strengthen their customer authentication processes, fraudsters may find CNP fraud more difficult to pull off. What then?
Europe has already implemented Strong Customer Authentication regulations, and so the experience there may hold a clue. In a webinar on the subject, experts said that as CNP fraud becomes harder to commit, social engineering scams increasingly get integrated into fraud activity.
“One example we’re seeing is where fraudsters are making ecommerce purchases using stolen credit card data. The fraudsters then convince the real card holders to share one-time-passwords with them to complete step-up authentication and confirm the purchase,” said Stephen Topliss, vice president for fraud & identity at LexisNexis Risk Solutions.