Bots & The Rising Threat to Ecommerce
October 9, 2017 - Security
Ecommerce fraud has become a growing problem for online merchants with the advent of automated bots. According to Signifyd, online merchants across eight major industry segments will lose nearly $50 billion this year from ecommerce fraud. Major advances in anti-fraud technology have tipped the arms race in favor of merchants, with a 34.7% drop in ecommerce fraud losses versus Q1’16, but small merchants may be especially vulnerable.
In this post, we will look at the evolution of ecommerce fraud, how bots play a role, and how online merchants can defend themselves with cutting-edge technology and a little common sense.
Evolution of Fraud
Ecommerce fraud has always been a problem, but the introduction of EMV (chip) cards made it difficult for criminals to clone physical cards and exacerbated the problem. Since they couldn’t spend money in person, criminals migrated to Internet and card-not-present (CNP) fraud that targeted a rising number of ecommerce stores. Many small ecommerce shops have found themselves especially vulnerable when using outdated shopping cart software.
The ecommerce industry initially responded using simple strategies, like checking the visitor’s location using their IP address and ensuring they were in the same country the order was being sent to. Criminals responded by using proxy servers and virtual private networks (VPNs) to hide their true location. The industry then used advanced techniques like device and social fingerprinting to link transactions to specific devices, but criminals quickly responded by disguising attributes of their browsers using advanced tools like the Voxis Platform, AntiDetect, or FraudFox VM. These private browsing tools make it nearly impossible to accurately verify a potential customer’s identity.
Fraudulent credit card transactions can become extremely costly for ecommerce merchants. Once a cardholder discovers a fraud, payments are disputed with the bank and almost always favor the cardholder. The online merchant is forced to absorb the loss associated with the payment, forfeit any goods or services, and pay the additional dispute fee. With a significant number of transactions, this can be enough to bankrupt a small ecommerce business.
Ecommerce fraud has become a constant arms race between increasingly complex criminals and ecommerce companies and their partners. The good news is that machine learning techniques have tipped the scales in favor of online merchants – with a 34.7% drop in ecommerce fraud losses in Q1 2017 versus Q1 2016 – but online merchants must ensure that they’re using these techniques to realize any of the benefits.
What is Bot-based Fraud?
Most online criminals employ computer programs – or bots – designed to perpetrate fraud effectively. For example, a criminal may load 20,000 credit card numbers into a bot that automatically tries them across hundreds of websites in just a couple hours. The idea is to quickly identify ecommerce shops that are vulnerable and hit the credit limit for a specific credit card before the account owner discovers the fraud and cancels the card.
How common are these bots?
Incapsula’s Bot Traffic Report found that non-human traffic accounts for about 51.8% of all Internet traffic. While 22.9% of all website traffic came from so-called ‘good bots’, the remaining 28.9% of all website traffic came from so-called ‘bad bots’ that do things like attempt fraudulent ecommerce transactions. These ‘bad bots’ also tend to target emerging and smaller websites rather than larger websites since they’re more likely to be vulnerable.
For online merchants, bad bots can become extremely costly in a very short period of time.
Bot Fraud Traffic Report – Source: Incapsula
Credit card companies charge around $0.30 to authorize a credit card without charging it as a way to avoid processing a fraudulent credit card. A bot that’s attempting 20,000 transactions could cost an online merchant $6,000 in processing fees and several thousand more dollars when factoring in chargebacks. We have seen merchants coming from other platforms experience upwards of $11,000 in costs from these bots. And, these massive charges can be accrued with little to no warning.
How to Defend Yourself
There are some basic principles that ecommerce providers can use to avoid issues with both online criminals and bot-based fraud. In addition to taking internal measures, it’s important to ensure that you choose the right partners for shopping carts, payment processors, and shipping/logistics that have their own security measures implemented.
Basic steps for preventing fraud include:
Ensure that you’re using a modern shopping cart, such as Foxy, that’s up to date with the latest security protocols.
Collect as much information as possible to use for verification, including a full name, email address, full billing address, CVC code, and phone number.
Authorize each payment using the CVC code and consider address verification (AVS) as an added layer of security.
Signs of suspicious transactions include:
Odd customer details (e.g. fake names or e-mail addresses)
Suspicious messages accompanying the order (e.g. “I would like to proceed with the payment. I’m buying it for someone special as a gift.”)
Changes to shipping methods after an order has already been placed
International credit cards, international shipping addresses, or freight forwarders
Large orders and/or payments across multiple credit cards
Rush orders or overnight deliveries
If you believe you’ve received a fraudulent order:
Immediately refund any suspicious payments
Contact the customer to confirm the order
Delay shipping orders until they’re confirmed
At Foxy, we automatically trigger a Google reCAPTCHA after a certain number of errors is reached, which effectively shuts down bots from making any more attempts at using stolen credit cards. Google’s reCAPTCHA is the most widely used and advanced CAPTCHA provider in the world, and it is always improving. Interestingly, the company collects human efforts to classify data and uses it to digitize text, annotate images, and build machine learning datasets.
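A sketch of an error-threshold CAPTCHA trigger like the one described above, added here as an illustration and not Foxy's own code. The thresholds, the 10-minute window, keying clients by IP address, and every name in it are assumptions; the attempt log is constructed.

```python
import hashlib
import hmac
from collections import defaultdict, deque

class CardTestingGate:
    """Sliding-window record of payment attempts per client (hypothetical)."""
    def __init__(self, max_failures=3, max_cards=4, window=600.0):
        self.max_failures = max_failures   # assumed: declines before a challenge
        self.max_cards = max_cards         # assumed: distinct cards before a challenge
        self.window = window               # seconds of history to consider
        self.key = b"constructed-demo-key" # placeholder; use a managed secret
        self._events = defaultdict(deque)  # client -> (ts, card_fp, approved)

    def _fingerprint(self, pan):
        # Keyed hash, so the gate never stores raw card numbers.
        return hmac.new(self.key, pan.encode(), hashlib.sha256).hexdigest()

    def _recent(self, client, now):
        events = self._events[client]
        while events and now - events[0][0] > self.window:
            events.popleft()               # drop attempts older than the window
        return events

    def needs_captcha(self, client, now):
        events = self._recent(client, now)
        failures = sum(1 for _, _, ok in events if not ok)
        cards = {fp for _, fp, _ in events}
        return failures >= self.max_failures or len(cards) >= self.max_cards

    def record(self, client, pan, approved, now):
        self._recent(client, now).append((now, self._fingerprint(pan), approved))

def replay(attempts, gate):
    """Return {client: [forwarded, challenged]} for (ts, client, pan, approved)."""
    totals = defaultdict(lambda: [0, 0])
    for ts, client, pan, approved in attempts:
        if gate.needs_captcha(client, ts):
            totals[client][1] += 1         # held behind a CAPTCHA, never authorized
            continue
        gate.record(client, pan, approved, ts)
        totals[client][0] += 1             # authorization sent to the processor
    return dict(totals)

# Constructed sample: a script cycling 20 card numbers, and a shopper who
# mistypes a CVC once and then pays. IPs are from documentation ranges.
BOT = [(float(i), "203.0.113.7", f"40000000000000{i:02d}", False) for i in range(20)]
SHOPPER = [(5.0, "198.51.100.20", "4000000000009999", False),
           (65.0, "198.51.100.20", "4000000000009999", True)]
ATTEMPTS = sorted(BOT + SHOPPER)
```

In the constructed replay, only 3 of the script's 20 attempts reach the processor, while the shopper's retry goes through unchallenged. Because proxies and VPNs defeat IP-only keys, a production gate would combine the IP with a session or device identifier.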
The Bottom Line
Ecommerce fraud has become increasingly prevalent after EMV credit cards were introduced. While online merchants may be winning the arms race right now, small to medium sized ecommerce stores may be especially vulnerable to bot-based ecommerce fraud. The good news is that there are several steps that you can take to prevent these types of fraud, including working with security-conscious shopping cart solutions like Foxy.