Digital Transactions Authoritative, insightful and timely information for payments professionals
By Kevin Woodward
@DTPaymentNews
Criminals stepped up their attacks on e-commerce sites in the second quarter, producing more than 69 million rejected transactions, a stunning 90% increase from the same quarter a year ago, according to the Q2 2016 Cybercrime report recently released by ThreatMetrix.
Of these transactions, 23% were payments, 76% account logins, and 1% account creations. This combination indicates that criminals, deterred by the increasing inability to commit fraud at the point of sale with a counterfeit credit or debit card, are turning to card-not-present transactions, Vanita Pandey, vice president of strategy and product marketing at San Jose, Calif.-based ThreatMetrix, tells Digital Transactions News.
“The 90% growth was on top of elevated growth from the year before,” Pandey says. “Fraudsters knew the [EMV] migration was already happening, and they know our businesses were starting to prepare months, years in advance.”
Given the volume of stolen personally identifiable information—more than 864 million stolen records since 2005, claims the Identity Theft Resource Center—criminals are turning to this data in order to gain access to a legitimate customer’s existing account or appear as a legitimate customer setting up an account, Pandey says. “Identity has become the new currency,” she says.
Criminals use an email address or password to gain access to an account and then make purchases while pretending to be a legitimate purchaser.
Account creation is another avenue. Because fraudsters already can get so much information about consumers, they can easily spoof a service, such as a credit card issuer, into issuing a new card using a consumer’s name.
Account creation fraud is complicated by the increasing use of mobile devices, Pandey says. Of the 5.2 billion transactions analyzed in the ThreatMetrix report, 40% originated on a mobile device.
Particularly troubling was the appearance of a bot attack on a mobile device this quarter. A bot is a software application that runs automated tasks. The challenge for retailers and financial institutions is distinguishing between legitimate users and fraudulent ones, Pandey says. This is complicated by bots that will attempt to gain access to an account by slowing down its frequency of attempts to counter any fraud-prevention rules designed to look for multiple attempts over a short time period.
The takeaway for payments companies? They should offer services that reduce the friction in completing online transactions, Pandey says. “Nothing’s worse than ‘fat-fingering’ your 16-digit card number,” she says. Consumers also don’t want to feel challenged for what they may view as routine purchases. Merchants have to balance that sentiment with the consumer’s expectation of some verification if he makes an out-sized transaction, she says. “All of this needs to be done in a passive way. It’s about being able to recognize trusted customers from fraudsters,” Pandey says.
