ThreatMetrix Predicts Mobile Transactions and Account Takeovers Will Turn Holiday Shopping into “the Nightmare before Christmas,” Chanukah and Kwanzaa
This year is expected to be one of the hottest shopping seasons on record. In fact, the National Retail Federation expects a 4.1 percent increase in sales. Translated into hard cash, that’s roughly $616.9 billion — more than enough incentive for cybercriminals to go all out looking for soft spots to attack on e-commerce sites.
Cybercrime migrating from POS to online
And, with the adoption of in-store technologies like EMV and Apple Pay making it harder for criminals to make a living from point-of-sale fraud, e-commerce businesses can expect many of those criminals to shift their expertise to online crime.
To help e-commerce businesses protect themselves and their customers before the holiday shopping season goes into full swing, ThreatMetrix offers these predictions, observations and suggestions:
Transactions at the table: Increase in mobile shopping starts before the turkey’s done
Last week, the “ThreatMetrix Cybercrime Report: Q4 2014” found that mobile represents nearly one-third of all activity on The ThreatMetrix® Global Trust Intelligence Network (The Network). Combine that with the fact that Adobe has predicted the season’s lowest prices will pop up on Thanksgiving Day, and consumers can expect to see a lot of mobile shopping taking place during their Thanksgiving feasts, spilling over into “Sofa Sunday.”
This poses a huge opportunity for fraudsters because mobile users are more likely to store credit card data with retailers, a prime target for account takeover attacks. Another challenge is that retailers are more likely to reduce risk thresholds for mobile devices to avoid false positives.
Alisdair Faulkner observes
“Cybercriminals follow the flow of money, and this Thanksgiving, a very high number of transactions will take place through mobile channels,” said Alisdair Faulkner, chief products officer, ThreatMetrix. “Unfortunately, it can be difficult for retailers to use IP geo-location data to ensure mobile transactions are authentic. Instead, retailers should try to leverage trust intelligence networks to recognize customers with good mobile purchasing history, and complement with finer grained authentication intelligence available within a native mobile application. Retailers should also ensure that their mobile applications have not been injected by malware.”
The lump of coal in the stocking: Account takeover in the wake of high profile data breaches
Over the past year, there have been countless data breaches, with hundreds of millions of user accounts compromised: 40 million in the Target breach, 60 million in the Home Depot breach, a whopping 1.2 billion passwords stolen by a Russian cybercrime ring. Identities stolen in these and other breaches will play a major role in enabling cybercriminal account takeovers this holiday season.
Retailers need a system in place that differentiates, in real time, between trusted customers and cybercriminals. The system should be able to identify suspicious login patterns, risky or compromised devices and devices disguising their geo-location. Additionally, these systems shouldn’t add friction to the user experience or trap trusted customers in a fraud net.
“Unfortunately, many consumers use the same login credentials across multiple websites, which means that when those credentials fall into the hands of cybercriminals through data breaches or malware, all of their accounts and likely all of their credit cards will be compromised,” said Faulkner. “This sadly means that cybercriminals this year could end up having the merriest holiday season of all.”
In 2013, ThreatMetrix screened one-quarter of all Black Friday transactions in the U.S.
Last year, using The Network, its global data repository, ThreatMetrix screened one in four of all U.S. e-commerce transactions on Black Friday to help retailers protect their customers from cyberfraud. The Network analyzes more than 850 million monthly transactions, and protects more than 210 million active user accounts across 3,000 customers and 15,000 websites. It is the most comprehensive data repository of its kind, using its real-time analytics to evaluate logins, payments, new account registrations, remote access attempts and other transactions for validity.