SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
How can Australian merchants turn the tide on CNP fraud?
Tue, 2nd Oct 2018

A staggering $476 million has been lost to fraud by Australian merchants over the last 12 months, thanks to the deployment of more innovative fraud methods by criminals.

A sophisticated new generation of fraudsters is no longer content with physical theft or simple card skimming. This threat manifests itself as “card not present” (CNP) fraud on eCommerce channels, where methods like identity theft, account takeover, data breaches and bust-out scams are employed.

Accounting for some 78% of all payment fraud in Australia, CNP fraud has pushed the country's fraud rate to record levels.

The good news is Australian consumers are not liable for fraud losses and will be refunded as long as they can demonstrate they have maintained a standard of care with their confidential data.

However, CNP fraud can have a huge impact on a business, putting their profit margins and long-term reputation on the line as losses are often sheeted back to merchants in Australia – worrying the ASIC and the RBA.

So, why has CNP fraud reached such critical levels in Australia? For starters, businesses entering the online market may not have the right tools to fully protect themselves against cybercriminals.

This means there are gaps in their defences that fraudsters exploit all too easily. At the same time, consumers' personal banking data can be compromised in a matter of minutes simply by targeting their mobile phones.

Another significant contributing factor is email. It's the gateway to most consumers' online accounts, and it carries with it a wealth of untapped data. Nowadays, criminals can easily get their hands on email addresses from the dark web at little cost, or they simply create ones which appear to be legitimate.

Why aren't businesses taking action? 

So, what's holding businesses back from shoring up holes in eCommerce fraud defences?

With fraud rates in Australia accounting for 7.5 cents per $100, many merchants struggle to find the right balance between the robust digital identity verification needed to prevent fraud and minimising friction in the payment experience for consumers.

Businesses fear adding too many layers of fraud prevention to the payment process can frustrate consumers – if they have to jump through too many hoops to order something online, consumers will simply abandon their shopping cart and shop elsewhere. This, of course, reduces conversion rates, impacting on merchants' sales and profit margins.

Another barrier is the perceived cost of fraud prevention solutions. It's a misconception that integrating these systems is a costly and complex process. In fact, by prioritising investment in smart systems, businesses can increase profit margins through approving more transactions.

At the same time, they can also help avert huge financial disasters from fraud – the cost of a new fraud prevention system is far outweighed by the losses from one successful fraud incident.

Why should businesses invest in fraud prevention?

Understandably, Australian merchants – like their counterparts all around the world – have many priorities when it comes to optimising day-to-day operations. Preventing fraud is not always at the top of the list. This leads to a reliance on sub-standard fraud prevention mechanisms, heavy on manual effort, to face today's sophisticated and increasingly automated fraud threats.

The time needed to manually analyse customers and verify orders means many businesses are unable to devote their attention to other aspects of their operations, impeding growth. Most importantly of all, though, failure to balance the fraud prevention equation can undermine a merchant's reputation – nationally and globally. If consumers can't trust a business to keep their hard-earned cash safe, they will shop elsewhere.

This is a particularly important point for Australia's smaller retailers, given that they rely on word of mouth referrals and positive online reviews to generate new customers.

How can we build better defences?

It's important to build a clear picture of who's behind a transaction. Verifying only standard transaction data, such as name or address, leaves easily exploitable gaps and contributes to a higher fraud exposure level.

For the fraudster, impersonating a real customer's behaviour patterns and history is too complicated and cannot be employed at a scalable level. As a result, fraudsters use the most common method of tackling this issue: farming fake email addresses and establishing “sleeping cell” accounts to be exploited at a later date. To fight back against these threats, businesses need layered intelligence to counter attacks from all angles to make for a powerful defence solution, as well as a sound validation system.

It's important to build a clear picture of who is behind a transaction. When digital identity validation happens quickly, it allows companies to take steps to accelerate approvals, automate workflows and optimise processes.

Businesses should consider a scientific approach to stay ahead of the curve by ensuring fraud tools are powered by the latest technology. At the most basic level, businesses should opt for fraud prevention solutions that utilise machine learning. This branch of AI can monitor and evaluate data without manual analysis, minimising human error.

The behaviour and history associated with an email address represent powerful intelligence that cannot be overlooked. This includes whether the email account is active and/or valid, the tenure and ownership of the address, and previous transactional behaviour.

Time to protect Australian consumers

It's undeniable that online fraud poses a clear and present threat to Australian businesses. With cybercriminals becoming smarter, and fraud tools becoming more accessible than ever, it's in a business's best interest to protect itself and its customers by creating a multi-factor authentication process to increase the agreed industry security benchmark.

The axiom by Benjamin Franklin, “An ounce of prevention is worth a pound of cure”, is still relevant today in relation to online businesses operating in Australia, and even globally. With AusPayNet announcing the start of an industry consultation on a new framework to mitigate fraud, businesses need to keep up with the advancement in technology and invest in better fraud prevention tools; otherwise they will be open to attack, which would be detrimental to their time, reputation, and profit.