CYFOR – Combatting Digital Crime
28th November 2014
As part of CYFOR’s series on Fighting Fraud, we continue our look into the domain of online fraud and digital crime.
Smartphones and social networking sites have created new opportunities for cyber criminals, but how can companies mitigate the threat to e-commerce without alienating consumers with restrictive security?
Are cyber criminals winning the online security arms race? A recent study from computer security software company McAfee and the Centre for Strategic and International Studies suggests they might be. Global losses due to digital crime were estimated at $445 billion for 2013 – on par with the trade in illegal drugs. Given that cyber-crime is indoors work with no heavy lifting and you can scope a shop with a laptop rather than a 20-strong gang, its popularity is unlikely to wane any time soon.
“Cyber criminals are innovating faster than most of us,” warns CYFOR digital forensics investigator, Adrian Wood. “They are extremely organised and surprisingly sophisticated. They’re even crowdfunding their malware development.”
He describes one audacious trick that appears to be a message from Facebook warning of unlawful attempts to access someone’s Facebook account and urging that person to download a security app to their phone, which in reality allows gangs to steal bank PIN codes.
For online retailers, this can seem terrifying. On the one hand, fraud threats loom. If bank and credit card fraud were included in the annual Crime Survey for England and Wales, the estimated number of crimes would jump by 50 per cent, taking the total from 7.3 million to 11 million offences a year. On the other hand, customer checkout abandonment rates currently hover at roughly 33 per cent, according to research from the UK’s online retail association IMRG. The last thing any site needs is another barrier to a successful customer experience.
“Visa had fraud rates of 1 per cent when they created the complex Verified by Visa password system, which ruined the shopping experience for the honest 99 per cent,” says Sebastian Siemiatkowski from mobile payments platform Klarna.
“Nobody outside the payments industry cares about the problems of the payments industry. They just want to click ‘buy’.”
Mr Siemiatkowski says that, in the vast majority of cases, Klarna can assess a customer’s risk using their e-mail address or postcode instead of a long sign-in process, and risk management is a burgeoning industry. In Canada, for example, a company called SecureKey links online banking with government identity services. The digital charge card Affirm, launched by PayPal co-founder Max Levchin, offers a “digital tab”, authenticating consumers with Facebook and other social and data signals to assess risk.
“I think we’ll move to a point in the future where information needs to be encrypted in transit and encrypted at rest,” says Stephen Atkinson, CYFOR Head of eDisclosure. “At the moment it’s mainly banks that underpin identity management and fraud protection for the entire payments industry and they’re going to resist that expense if they’re expected to do so for countless new players who don’t want to pay them for the service. The liability is huge, the upside decreasing.”
All of these solutions, however, come at a cost, and that cost is borne by the retailer. In the UK, most of the online card verification systems, such as Verified by Visa or 3D Secure, have been in place almost as long as chip and PIN payments, and while the systems were clunky at launch, they’re becoming ever more sophisticated.
Indeed, Mark Cobbett at the UK Cards Association warns retailers not to panic. “The techniques may seem more complicated but, with fraud, criminals have been doing the same basic things for the past 300 years – counterfeiting, copying and pickpocketing,” he says. “The internet can seem more alarming because every incident is grouped together and easy to record, rather than dotted across high streets around the country. In fact, e-commerce fraud is worth 6p in every £100, while online retailers have reduced the risk of shoplifting, which can account for 7 or 8 per cent.”
He suggests retailers start with some time-worn principles to keep themselves safe. First, know your customer; second, don’t get too greedy – if an unexpected bulk purchase seems too good to be true, that’s because it might be – and third, lock up your warehouse with strong security. Online, this means software that spots unusual shopping patterns, flags unusual deals and keeps out hackers.
Companies such as Experian, 192.com and Ethica can help here, especially for smaller retailers. They gather groups of retailers together, and share information and customer data, making fraud easier to record and predict. And verification systems are becoming less clunky; at launch, customers would be forced on to dedicated sites to enter complex passwords – that’s changing.
Joel Tobias, Managing Director at CYFOR with an interest in online fraud investigations, points out that change needs to come quickly as, faced with tight verification, crooks are turning to “man in the middle” scams, setting up fake pages and e-mailing people to enter their banking passcodes. The sooner verification is entirely on the retailer site, the better.
Graham Goodwin, financial crime manager at insurance giant Towergate and former Metropolitan Police Fraud Squad detective, says the big drive by criminals is data breaches, where crooks break into companies’ secure servers and can hide for up to 200 days harvesting card information.
There are some five or six massive breaches every week, according to the Forbes.com Data Breach Bulletin. Even here, CYFOR’s Mr Tobias sees hope. Software can usually spot unusual spending patterns, as anyone who’s received a call from their card company checking the past few purchases knows. The key, says Mr Wood, is collaboration – just as in life, you’ll get more done if you talk to each other.