A lot of ink has been spilled over the rise of account takeover (ATO), a type of attack in which a fraudster steals account credentials such as passwords in order to access social media accounts, financial information, and more. ATO accounted for over $2 billion in losses last year. As ATO continues to rise, businesses – particularly B2B businesses that handle sensitive customer information – are sounding the alarm.
So, why the sudden rise in ATO? According to Karisse Hendrick, e-commerce has experienced a recent boom that’s put ATO on everyone’s radar. Larger B2B companies aren’t the only targets; fraudsters are now targeting smaller businesses and companies with mobile apps for shopping and customer loyalty programs.
What are businesses overlooking? How could they better prepare to deal with ATO?
Evan: Welcome to Trust and Safety in Numbers presented by Sift Science. I am your host Evan Ramzipoor, here today with Karisse Hendrick, Editor-at-Large of cardnotpresent.com and Consultant at Chargelytics Consulting. Thanks for joining us. We’ll be chatting today about chargebacks and ATO and all kinds of fraud, but before we get to that, let’s run off with a fast fraud fact. Did you know that businesses aren’t prepared to deal with mobile fraud? In fact, only 14% have a system in place to detect and respond to mobile fraud and most learn about attacks from their own customers. To learn more, check out “10 Things You Need to Know About Mobile Fraud” on the Sift Science blog. Now onto the interview. Tell me a bit about who you are and your career trajectory so far.
Karisse: Well, I’ll try to do that in a really quick way. I’ve been in CNP fraud and payments for over 12 years. I’ve had quite a diverse background in the industry in risk, and have been at the acquirer level as well as for merchants, and been in a support role for online and mobile commerce companies for about six years now. I’m currently the owner and principal consultant of Chargelytics Consulting where I focus on chargeback reduction strategies and fraud and payment optimization to really work with businesses on a more detailed level. And then I’m also the Editor-at-Large for cardnotpresent.com and the CNP Expo where I really get to support this industry that I love through content and education, and I work with hundreds of merchants to really see things from a 10,000-foot view of the industry and all things that impact card-not-present merchants.
Evan: So you’ve seen a lot of changes in the industry and one of the biggest changes in, or at least recently, has been that a lot of big box stores, restaurants and other unlikely retailers are making an aggressive push into e-commerce and m-commerce. What do you see happening as those companies continue to make that kind of push?
Karisse: Right. So that’s definitely something I’ve really noticed in the last year. We had several large companies, quick-service restaurants, big box companies, and really large established restaurants attend the CNP Expo last month. And something that I’m really noticing is that even though they’re existing brands that are very large, a lot of them are experiencing CNP fraud, specifically being liable for fraud chargebacks for the first time. So they’re very kind of overwhelmed, the guys, they’re kind of experiencing a lot of the same things that maybe I experienced as a merchant 10 years ago, trying to get a handle of kind of the rules may not seem fair or, “What do I need to do?” or reviewing orders in a quick fashion because they only have, you know, a split second between the time for decision processing.
So they’re looking at what tools to use. You know, they’re kind of overwhelmed by, “Do we do manual review or do we do things automated?” Lots of new solutions. I think, you know, they’re… a lot of what happens in existing companies is that they move someone in internally, which is great because they have knowledge of the business. However, if you are in a big company that has never dealt with card-not-present commerce before and you’re being tasked with getting rid of this problem, it can be very overwhelming, so we provided a lot of support for them and will continue to do that with answering the questions that they need and helping them kind of understand the landscape and what they need to know.
Evan: I think part of what’s so overwhelming is that many of these companies may not have fraud and risk teams yet, or they may not have a very robust fraud and risk teams yet. What challenges are they going to face going forward?
Karisse: Well, I think, honestly, the very first times or the first thing that any company needs to start off with when they have a fraud problem is, “What’s the organization gonna look like?” Are you going to rely more heavily on automated tools to make the decision process? Are you going to rely more heavily on manual review or are you going to do a hybrid? Kind of starting off with that 10,000-foot view, which I think is a best practice. I wouldn’t say that that’s something that every company does. A lot of times it’s hard to see the forest through the trees especially when you’re just losing a lot. When I’m talking to my clients, I kind of call it the O-S moments that companies have.
That’s really when they start paying attention to fraud. And when you’re in the middle of having that O-S moment, it can be difficult to create a strategy. But determining, “What tools can we rely on?” and what tools are going to be scalable, not just when your business takes off, and the gift cards, or the app that you have is really popular, not just with the guys but with bad guys, but also, “Is it scalable for the fraud that you’re going to see next year and the year ahead and not just the fraud that you’re seeing right now?” So there’s definitely a lot of decisions to be made at the very beginning or they should be because I see what happens when maybe they’re made a few years after things have calmed down a little bit, and it can be more challenging.
Evan: What recommendations do you usually have for companies that are starting at square one, building up their risk and fraud teams?
Karisse: Yeah, so, you know, the first thing I tell everyone is that there’s no cookie cutter because each vertical is different, each business model is different, who your target customer is going to be different than maybe another merchant. And so it’s figuring out, “What is our business model? What does fraud look like for us? What are people doing now and what could they be doing in the future?” And then figuring out, “What kind of tools do we need to match that or layers of tools really to kind of sift through the good orders down to the bad?” So that’s kind of where to start is figuring out what are your specific company needs and then what is your business’ culture and what are your business decisions around risk and fraud. And specifically making sure that you have a way to safely determine false positives from real fraud, but also does the company want to be extremely aggressive against fraud and maybe risk a few false positives or would they rather be a lot more customer focused and maybe bring in a little extra fraud. So it’s all about kind of continually moving those dials to be consistent with your business’ decisions and path and kind of the attitude around risks.
Evan: And with all of these new businesses entering the e-commerce and m-commerce space, how is that changing the types of fraud that we’re seeing?
Karisse: Recently, more than ever, the most aggressive and fast moving pace of this cat-and-mouse game that we’re in with fraud. So, and what I mean by that is fraudsters are continuously learning and adapting very quickly to the thresholds and the rules that specific companies have, as well as what the industry has. So whereas, a few years ago, the fraud that most companies would see will be kind of straight credit card fraud, that was where the information where breaches were coming from was the credit card numbers. Now we’re seeing a lot more breaches focusing on account, like rich account data. And so you’re going to be seeing them exploiting that in any way they can through synthetic fraud with the issuers, as well as more account takeovers, but also just creativeness. You know, they’re posting on the dark web, “This specific company has a threshold of X and they are looking at billing and shipping maps. So as long as the billing and shipping match, then you’re okay.”
And they’re continually changing and adapting and sharing information with each other and I feel like e-commerce is a lot slower to that. It takes a lot more time to implement a new tool, to implement a new process. It can be difficult to talk to your peers because of privacy rules and those things within the organizations. So we’re not moving as fast, but they’re adapting and changing and they’re paying attention. So the static rules engines, the linear rules engines. I’m seeing those being less effective to some of the more aggressive fraud types.
Evan: You mentioned account takeover a couple times and there’s certainly a lot of alarm bells going off in the fraud and abuse space over the rise in account takeover. Is there a rise in account takeover? Is it just that we’re seeing more e-commerce and so it looks like there’s this rise and account takeover? What are your thoughts on account takeover? I’m going to say account takeover one more time.
Karisse: It’s kind of hard for me to say if there is a rise in account takeover or not from my perspective because it’s something that I’ve been talking to merchants about or hearing questions about for years. I think what’s different for me is the size of the company and the type of company that’s asking. So, you know, four or five years ago it was just online gaming, and then it went into the travel and ticketing space and I’m talking about the bigger brands. And then as they found solutions for that problem, it’s kind of trickled into much more broad base and impacting a lot more merchants, whether there’s more as far as the total count of account takeover, I don’t know. But the number of impact, number of merchants it’s impacting, the type of merchants it’s impacting, I’ve been surprised that some of these like smaller specialty clothing retailers are being hit by account takeover, when it used to be the really large online ticketing companies. So ENB has definitely shifted just the amount of broad and general that’s coming to e-commerce in the last year and a half from what I’ve seen, but it’s also shifting who it’s impacting.
As the bigger companies, the more recognizable brands become better prepared against account takeover or any fraud really, then it’s trickling down into everyone. The other impacts or the breaches, as I mentioned earlier, what the data that’s being breached and really help determine what kind of fraud you’re going to see in your business down the line. I just was talking to a large online gaming company today and they were saying that, because of a very large email company being breached several months ago, they’re seeing just a lot more account takeover being used with username and password script with thought.
So if you’re looking at the breaches and you’re seeing username and password breaches happening, then chances are that eventually you’re going to have account takeover using username and password. If you’re seeing more emails and passwords or things like that, then you’re going to see a much different type of fraud. So looking at that, and because security is tighter on the card-present side because of EMV, because of breaches like Target and Home Depot that happened several years ago, you’re just going to see less credit card numbers being hacked and exposed, because those can also be turned off very quickly. It’s much harder to change consumer behavior and that’s what they’re betting on.
Evan: Aside from account takeover, the other type of fraud that’s been in the news a lot lately is mobile fraud. Are we seeing a lot more mobile fraud and are businesses prepared to deal with it?
Karisse: I think we’re seeing more mobile fraud because mobile is being used a lot more for purchases. That’s kinda the first thing, right? So whenever you see a change in all consumer behavior, you’re going to see a pretty consistent spike in fraud in that same area whether that’s through a specific channel, a specific business model, a popular brand that is up and coming. You know, as consumers increase their use of mobile to make purchases and in commerce on their phones and on their iPads and other devices, we’re going to see fraud increase too.
And I think to answer the second question is, “Are merchants prepared for it?” It really depends on the company. And I think that what a lot of companies think is that mobile and e-commerce are the same thing, and so they won’t have specific tools or maybe not. Maybe it’s the same tool, but a different way to identify mobile traffic from e-commerce traffic, and with the use of emulators and that is when someone can use their computer to make it look like it’s a mobile transaction and all the other things. I mean, I think it’s really important to have a way to identify mobile from e-commerce. It’s also different behavior, a different type of customer.
So what may be risky other than already being placed on the PC isn’t gonna be as risky if it was placed on a phone. You can’t rely on IP data as much, so you need to have a system that provides device information but not just, you know, the kind of surface level device information, but information that can really get down to details of understanding that device. I’ve also, yeah, just going back to the adaptiveness of fraudsters, and the cat-and-mouse game, they’re really working around the whole device ID recognition and knowing that I kind of say that device ID is the new IP, in the fact that IPs were able to be spoofed for a long time before a lot of merchants realized it. And I think that device ID is the same way. It’s still very, very useful and very important to have but can’t be relied on 100%.
We’re hearing of warehouses being set up with multiple cell phones, setting up app accounts and then reselling whatever is being sold on the app on a third-party website, so saying, “Hey, you can get this, you know, if you’re having somebody deliver groceries to you, you can get your groceries half off if you order it through us.” And then they’re creating an account for that person and it’s looking to the merchant as if it’s on a brand new device, like it’s a brand new customer, but really it might be in a warehouse with thousands of cell phones systematically being set up for accounts. So that’s the cat-and-mouse game and it’s just really important to know what’s happening and be adaptive and never to just sit and say, “Okay, I think that I’ve got it under control.” Because as soon as you do that, that’s when something new comes up.
Evan: And on that note, thank you so much for joining us and sharing your learnings and experience with us today. We really appreciate it.
Karisse: Absolutely. It’s my pleasure. I’m always happy to.
Evan: Thanks for joining us on Trust and Safety in Numbers. Until next time, stay vigilant, fraud fighters.