Global Trends

Global eCommerce grows by about 20% every year, with a 5 year CAGR of 16.3% and exhibiting no signs of weakening. From 2015 to 2019, this market will have in size from $1.5 to over $3Tn, according to eMarketer

As the online trade grows, so does fraud. Card-not-present fraud is estimated to cost retailers worldwide $130 Bn between 2018 and 2023, according to Juniper Research.

While consumers prefer the convenience of card-on-file commerce, attackers increasingly rely on attacks such as account takeover to exploit this user preference. In United States alone, account takeover losses reached $5.1 Bn in 2018 according to Javelin, while the FBI estimates global losses from this attack to reach $12.5Bn.

And the attackers do not necessarily come from the outside the business. According to the Global Fraud & Risk Report by Kroll, 81% of fraud incidents and 58% of cybersecurity incidents originated or were perpetrated by insiders, current or ex-employees of the business.

 

Attack Types

Some of the more sophisticated, and therefore more dangerous fraud schemes are listed in the table below:

Fraud scheme Description Target(s)
Triangulation fraud The attacker sets up a storefront which offers goods at low prices. The attacker collects money for the goods, then uses stolen cards to purchase goods from legitimate merchants. Merchants, cardholders
Interception fraud The attacker orders goods to an address linked to the stolen card, then intercepts the package by re-routing or stealing it from the doorstep. Merchants, cardholders
Account takeover fraud The attacker takes over legitimate customer or merchant employee credentials, then uses it to purchase goods or initiate shipments. The attack is sometimes used together with triangulation or interception fraud schemes. Merchants, cardholders
Merchant friendly fraud The attacker sets up a storefront with legitimate goods. He/She then uses it to generate seemingly valid payment traffic and signs up with multiple processors or acquirers. At a certain point, the fraudulent store begins sending illegal traffic through their storefront.  Processors, acquirer banks

 

 

Fraud Detection

Besides general security measures that could possibly thwart some of these attacks, a key moment of fraud detection is the moment when the order is placed and paid for. Multiple solutions exist in this space. However, the general principles of fraud prevention are the same: a transaction, once analyzed, is either declined on the spot if it appears too suspicious, is approved or is flagged for a manual review. 

The real burden to fraud detection is false positives. In the case of a false positive, a completely legitimate customer is unable to complete their purchase. Besides the direct loss of revenue, it also alienates the consumer having a profound effect on customer lifetime value. However, dramatically reducing false positives usually results in a rising number of false negatives (cases when a fraudulent transaction is flagged as legit), beating the purpose of fraud detection.

To manage these constraints, some processors deploy a solution where suspicious transactions are sent for a manual review by a fraud analyst. This shifts the effort of fraud prevention onto the processor without necessarily resolving the underlying issue. 

Many of these manually analyzed transactions require insight into the details of the particular online order. These details are rarely available to the payment processor, and obtaining them from the merchant is not always easy – multiple e-commerce channels and platforms require costly integration, and for many merchants, it is easier to cope with immediate fraud-incurred expenses.

 

Non-invasive Order Analysis Engine

To better understand how false positives can be reduced without causing significant manual effort or integration costs, we prototyped a non-invasive order analysis engine that relies on machine learning, web scraping, and some algorithms.
Here is how it worked:

Overview of the process

Figure 1. Overview of the process

 

We began the process of transaction analysis with basic anomaly detection. Transactions were mapped into a multi-dimensional linear space, including dimensions such as log-amount, a representation of transaction currency and date. 

Figure 2. Two-dimensional anomaly detection with fitted Gaussian function

Figure 2. Two-dimensional anomaly detection with fitted Gaussian function

 

Using this model, any transaction that stands out would be flagged for additional processing. For the sake of the additional processing, a crawler-based on the ScrapingHub platform would have previously been connected to the merchant’s website, downloaded the product catalog, including details about volume discounts, taxes, and fees and stored them in a database. Upon receiving a flagged transaction, the engine then calculates orders that could result in the amount of the transaction in question.

 

  Figure 3. Transaction amount doesn't match advertised catalogue

Figure 3. Transaction amount doesn’t match advertised catalog

 

The engine can then be used in two ways. It can either feed its score into the overall transaction fraud scoring value, increasing or reducing the final fraud score. Or alternatively, the engine can provide insights to the fraud analyst in form of possible order compositions, so the analyst can examine the possible cart combinations to decide if they are logical.

Figure 4: Screenshot of fraud analyst’s console

 

Advantages of the Engine 

The proposed solution has several key advantages. To begin with, it is non-invasive and easy to extend to additional eCommerce websites without a costly integration effort. The logic behind the analytical engine utilizes a combination of algorithms and machine-learning tools to prioritize and “reverse-engineer” orders. 

 

Conclusion

Existing fraud prevention engines rely on data that is available at the point of payment transaction.  Any further improvement of their performance will require data about contents of the order – something not every merchant is able to provide. This is especially true for smaller merchants that can utilize an off-the-shelf shopping cart solution that’s easy to scrape, but won’t be able to provide order details to a processor due to integration effort. 

 

We believe some of the next generation fraud prevention engines will use similar techniques and we will soon start seeing them on the market. We’ll certainly be working on these and similar proof-of-concept technologies. At Credorax, we’re always looking for solutions like these to make eCommerce better for our merchants and their customers.