Holiday Shopping Trends from the Digital Identity Network
Posted December 13, 2018
In this episode Frank is joined by Alisdair Faulkner, Chief Identity Officer of Business Services at LexisNexis Risk Solutions. They discuss the trends from our Digital Identity Network during the week of Black Friday 2018.
Frank: Hey everybody, welcome to another edition of Digital Identity 360. We are super delighted to have Alisdair with us again. And Alisdair is our Chief Identity Officer, one of the founders here at ThreatMetrix and now LexisNexis Risk Solutions, and he has a mandate to cover the entire identity purview across the company. Today Alisdair is just chopping it up a little bit about what we’re seeing in terms of holiday trends and stuff coming out of our network. So welcome, good to have you. Thanks for joining us.
Alisdair: Always a pleasure.
Frank: Yeah, thank you. So, go ahead.
Alisdair: No, as you said, another huge peak holiday season. We saw a huge transaction growth, just part of the wave of moving from offline, online. Just the convenience. Plus one of the things that was a little interesting is people getting ahead of the rush. Ordering. But certainly we saw peaks of 20% higher than our transaction volumes last year. So it’s just showing people are just more and more that wave going from physical to digital.
Frank: It’s interesting, that if you look at between Friday, the Black Friday-Cyber Monday phenomenon, I saw many of our customers in 50% plus transaction growth. And one of the things that was really interesting and you mentioned it a little bit, routinely that we see this weekend, is this idea of how mobile transactions have gone up. I think we’re almost peaking or eclipsing 60% mobile traffic. Talk a little bit about some of the risks associated with the mobile side.
Alisdair: Yeah, I mean it’s one of those things, it’s a double-edged sword. You’ve got the convenience, around 62% actually a percentage of mobile transaction up from about 52% last year, and some of the risks obviously is people can impersonate you, you know people are getting used to transacting being on the move, and that can make some e-merchants flat-footed when it comes to real-time processes. Not used to people traveling around countries that would often flag, fraud flag, being in a jurisdiction or a country or a state that you don’t normally live in. So yeah, that’s kind of fraught for these e-commerce folks, but on the other hand it’s just provided this tremendous opportunity. I mean who wasn’t at the table at Thanksgiving doing a little bit of shopping on the side.
Frank: Oh yeah, 30% off, click now.
Frank: You know what’s interesting? We did a podcast last week with Brett Johnson, who spoke at our Summit. And talked about the idea that so much of fraud is social engineering. So check this out. My own wife got a phone call from a number that looked like my number. My number had been spoofed. Saying, “hey Frank’s in trouble, please provide some money to get him out of trouble.” So, it’s interesting how people engineer names and phone numbers and how that phenomenon is becoming a real mobile thing. Think of the potential threat there, because you got payment methodologies and wallets right on your phone. I can send money with one click if I fall for that kind of thing.
Alisdair: I think that’s a really good point that a mobile encompasses a lot of things and forces are targeting the mobile device or the telecommunications network. They realize that one, many banks and organizations still use one-time passwords and they’re looking to facilitate moving or porting your phone number to intercept that authentication method. But then other, more scarier, I think and more personal issues is where they’re impersonating. So, you don’t know whether a phone number is coming from a genuine person or not, and often people panic. The same thing happened actually to someone I know just today, who had someone calling saying their social security number is about to be canceled unless they confirmed. And then what they’re effectively doing is trying to phish social security numbers, information, which could be used against them. And this is important for the theme of holiday shopping is that, it’s not just eCommerce transactions now. There’s a lot of initiatives around gift cards, people are borrowing for Christmas, and thieves are using this social engineering and using the phone, and the telecom network as the weak point to be able to extract this data for use later on.
Frank: And it is a weak point because everything you need is right on that device, right?
Frank: You’ve got everything. I can make a payment. I can do whatever on that device. Interesting point though that manifested more at the holiday season than other times, when we look at what’s in a cart. A typical cart transaction is a hundred bucks. Below a hundred bucks nobody seems to worry. But we’re starting to see this year, cybercrime when you’re $250 and above, it’s probably a fraudulent transaction.
Alisdair: Yeah, I mean what we see is, and it’s about everywhere we’ve been tracking through the years, but it’s approximately about a hundred dollars is the average basket value, which is a pretty reasonable statistic that you see over the years. About three hundred dollars or the average fraudulent transaction is between 2.7 and three times the average regular order. So, what becomes really difficult for merchants is that, obviously this is peak season, that the most valuable customers are also the ones that are most likely to be fraud played, those are large basket values so what that’s doing is forcing a premium on those organizations who can have real-time fraud detection, that can leave things like a Digital Identity Network, to understand for example, that device and the associated identity. The regular transaction pattern that this is actually someone who’s trying to order some Christmas goods while eating some turkey versus a fraudster that’s trying to rip them off.
Frank: You’re not really impinging on your premium customers who happen to have a basket order that’s much larger than $250 and so it’s interesting that constant tension between friction and prevention, right?
Frank: What do I do and where does it live. Another thing that’s interesting and just today, by the way, you lead with this with a couple of our customers in the network, is the incessant bot attacks that seem to happen in Q4, but certainly the last three or four days. It’s just remarkable in the shopping season. So talk about that a little bit, just the stuffing, the credential stuffing, the weakness that’s being exploited by these bots.
Alisdair: Yeah, so I mean I’ve used this term weaponization of identity and that is happening thick and fast. A tsunami of credential testing where folks are. So, there are two types of attacks. One is where they’re using stolen credit cards to buy goods online during this heavy peak season. But the other profitable attack is to go after your wallet. So, you might have a mobile wallet but you might not realize that you also have a website that you can also access, that same mobile wallet and website and that’s what fraudsters are going for. What’s the best possible fraudulent thing that you could do? Have a valid account, get access to it, because you are using a shared password with your email account. It’s a valid credit card. It’s got good history, so the fraud checks are going to be a lot harder. There’s a lot of nuance in fraud detection. It’s moved from just is this device valid and is the location valid and have we seen it before? But is the behavior down to an individual account user level, consistent because unlike a bank, merchants can’t just enforce two factor authentication.
Frank: That’s right.
Alisdair: It just doesn’t happen. So, the reality of any and every organization, whether you’re an eCommerce merchant, whether you’re a SaaS service provider, if you’re using an email as your user name, is that without per user behavior analytics extended across not only the behavioral transactions you see for your site, that is regular transaction pattern-
Frank: Yeah. You’re in trouble.
Alisdair: You need to have a global perspective. And that’s where we’re able to see things like bot attacks hit one of our customers, then pretty soon, they move on. And it’s also this thing, what they’re really trying to get at is by just overwhelm. Overwhelm your defenses and that’s why during the holiday season on the transactional side, it’s just such a peak fraud season, because I know that merchants are hesitant to say no during the period of time where for many of them is 80% of their profit-
Frank: The whole year is Q4. That’s right.
Alisdair: Yeah. Exactly. Bot attacks is a near and present danger and it’s here.
Frank: And it’s interesting. It’s part of weaponizing these tools, the sophistication of these people is remarkable, as you said. I’ve got a device with a wallet on it, I’m doing all my transacting with it, but I don’t realize the point of vulnerability is another website that’s sharing that same wallet for a legitimate deal. So, they’re smart enough to exploit the weakness. Right. The point that’s not hardened, the point that’s easier to get to. So, it’s a fascinating time. Here’s the beauty of something you just mentioned about what we see when we get on the network. I love this idea when you look at the ThreatMetrix customer and they first employ the system and they have a local view of Frank and then immediately when we turn on the global view, and as you said they’re able to say, “Wow this is amazing, I can now see Frank’s in all these permutations across the internet.”
Frank: All of his behavior in real time across the same journey,
Frank: And without that you’re so vulnerable. You begin to realize, just optically, the power of a Digital Identity Network, because you get this global perspective of me, that they don’t have at the local level. So very salient point on how we use those tools to mitigate things, and in a real sense Alisdair, you are how you behave on the internet.
Alisdair: Right. Yeah, exactly. And to clarify a point on that obviously it’s anonymous data and fraud signals and others that we can service from the network, but more often than not actually, what we find is that the Digital Identity Network is even more valuable for identifying good customers.
Frank: That’s right.
Alisdair: Because you know fraudsters burn devices, they get burner phones, they use virtual machines and so they’re always vaporizing as soon as you find them. But what’s left after that is this huge population of regular every day users who are just transacting as normal, anonymously on the internet and that is the power of the network.
Frank: With established relationships and as you said, the key here and the secret sauce for us is, that I do it anonymously. So, I’m not running amok of any privacy law or things like that. So, predictions for the holiday season?
Alisdair: Wow, it’s exactly what we’ve seen, transaction growth is just increasing. Mobile becomes by far the dominant platform. Automated attacks are increasing, and increasing in sophistication and it’s multiple state actors you know we’ve seen, even just past back here there was a bust of the major ad fraud, utilizing automation techniques. But what I’m proud about the work that happens at LexisNexis and ThreatMetrix is that we’re not just ripping off budget and ad networks. We’re actually protecting people without them knowing that their identities are being used and abused on a daily basis, and that helps you get up in the morning knowing that you’re doing a great thing.
Frank: Yeah, it provides some meaning to what we’re doing because it’s a real person who’s benefiting from the fact that we’re protecting them across their journey.
Frank: And that is profoundly cool.
Frank: So, Alisdair, thanks always great to chop it up.
Frank: Good to have you.
Alisdair: Thanks Frank.
Frank: Thank you.