For the sake of fraud fighting: how to secure online transactions on the Russian market
The growth of digital businesses and e-commerce leads to the rise of cybersecurity threats: money laundering, fraudulent activity, scams and malware.
Technology is developing rapidly, and so are the fraudsters. For years, many enterprise companies have been collecting all types of data about their customers using various technologies, but, as practice has shown, in the pursuit of higher profitability they forgot about data security.
According to the Raconteur Fraud Report 2018, 49% of organisations became victims of fraud over the past year, and Russian fraudsters follow the global trend, attacking 47% of organisations. In most cases the criminal actions were carried out through viruses, phishing and social engineering in order to obtain financial assets and personal payment information. Notably, fraudulent transactions in mobile applications have grown by 600% since 2015; according to the top-20 Russian banks, this is explained by customers’ preference for mobile applications over the traditional web channel for online banking.
Fraud in the financial industry
Phishing and social engineering remain the most common attack methods for compromising users’ confidential data in Russia. Fraudsters present themselves as employees of various financial institutions (banks, PSPs) and try to lure confidential information out of users.
When digital businesses offer new products and services to users, which happens very frequently, each one opens up a range of opportunities for various kinds of fraud.
Examples:
Market offer | Fraudster opportunity (what the fraudster thinks)
--- | ---
Next day shipping | I will buy goods with stolen bonuses and collect them through a mule before the merchant’s team finds out
Instant payments | I will cash it out before your fraud analysis team knows
$10 bonus for registration | $10 is good, but $100 is perfect: a fraudster uses multiple registration accounts to collect bonuses
Personal data in user account | Can be stolen
While the e-commerce world is expanding, all the new forms of digital B2B, B2C, C2B and C2C interaction are becoming particularly vulnerable to fraudulent activity.
3DS authorisation – good or evil?
Every country has its own experience of 3D Secure as an additional security layer for authenticating cardholders online. A correctly entered verification code proves that it really is you who is shopping online. 3DS is so widespread in Russia that customers expect it during the payment process, and the absence of this type of authentication can be regarded as very suspicious and insecure.
For a business, the benefits of 3D Secure are obvious: it reduces fraud risks and ensures there will be no confusion with an erroneous transaction when the actual cardholder comes with a reasonable question, “What was that? I want a refund”. But 3D Secure has its downsides that should be mentioned: it does add an extra step to the checkout process, thereby creating additional discomfort, potentially leading to lost sales.
Enabling or disabling 3D Secure is always a trade-off between fraud and revenue. Finding the right balance between optimised acceptance and security can be a smart solution. Merchants tend to minimise the use of 3DS, SMS messages, logins and passwords to reward trusted customers with a frictionless user experience and increase revenue.
What other data can be stolen during payments
Fraud models and heuristics are not the same for all merchants. They depend primarily on the category of goods and services a merchant sells: subscriptions and digital content, educational services, or everyday goods.
Payment data is not the only input for analysing users’ operations. Depending on the industry, various attributes of the user’s environment are evaluated: shipping addresses, emails, phone numbers, device fingerprints, geolocation, air ticket details and so on. Every company also analyses the user’s behaviour and identity while they use the service: age, product preferences, associations, correlated events, and the velocity and frequency of service usage are usually tracked.
For consumer transaction fraud, the most common types are stolen credentials, geo shifting, carding and BIN attacks. Note that bank cards remain the most popular means of online payment: 90.5% of Russians used them in the past year, 89.7% paid via online banking, and 77.6% paid with e-wallets. With the growing popularity of e-wallets and digital money services in Russia, account takeover attempts, bot attacks and mass registration are frequent security challenges.
Account takeover is a staged business for fraudsters. They can buy hacked user accounts for various sites on the darknet; with that access they withdraw money or spend the bonuses the user has accumulated on goods and services.
Fraudsters also abuse loyalty programs by creating synthetic accounts: for example, after registering and obtaining bonus points, they buy goods below market value and resell them through auction boards.
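The mass-registration and synthetic-account abuse described above is usually caught on the defender's side with a velocity check over the registration log, keyed on the device fingerprint that the previous section lists among the evaluated signals. The following is an added example, not code from the article or from Yandex.Money; the registration records, the one-hour window and the threshold of three sign-ups per device are constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not Yandex.Money code. Constructed registration log:
# (account_id, ISO timestamp, device_fingerprint).
REGISTRATIONS = [
    ("acc-1", "2024-03-01T09:00:00", "fp-A"),
    ("acc-2", "2024-03-01T09:05:00", "fp-A"),
    ("acc-3", "2024-03-01T09:12:00", "fp-A"),
    ("acc-4", "2024-03-01T09:40:00", "fp-A"),
    ("acc-5", "2024-03-01T10:00:00", "fp-B"),
    ("acc-6", "2024-03-02T10:00:00", "fp-B"),
]

WINDOW = timedelta(hours=1)   # assumed velocity window
THRESHOLD = 3                 # assumed number of sign-ups per device that triggers review


def peak_in_window(timestamps, window):
    """Largest number of events that fit inside any sliding window of length `window`."""
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        # Advance the window start until the span fits inside `window`.
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def mass_registration_alerts(events, window=WINDOW, threshold=THRESHOLD):
    """Return {device_fingerprint: peak_count} for devices that created at least
    `threshold` accounts inside `window`."""
    by_device = defaultdict(list)
    for _account, ts, device in events:
        by_device[device].append(datetime.fromisoformat(ts))
    return {device: peak for device, stamps in by_device.items()
            if (peak := peak_in_window(stamps, window)) >= threshold}


def accounts_to_hold(events, window=WINDOW, threshold=THRESHOLD):
    """Accounts registered from a flagged device: hold their welcome bonus for
    manual review instead of paying it out automatically."""
    flagged = mass_registration_alerts(events, window, threshold)
    return sorted(account for account, _ts, device in events if device in flagged)


if __name__ == "__main__":
    print(mass_registration_alerts(REGISTRATIONS))  # {'fp-A': 4}
    print(accounts_to_hold(REGISTRATIONS))          # ['acc-1', 'acc-2', 'acc-3', 'acc-4']
```

The response here is a hold rather than a block: the bonus is the thing the attacker wants, so delaying it for the flagged accounts removes the payoff while a false positive costs a legitimate customer only a short wait. In production the same check would be keyed on several signals at once (phone number, IP, email pattern), since a determined abuser rotates whichever one is cheapest.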
Cybersecurity BTL on entering the Russian market
The Russian market is not a special case in terms of fraud. Russian customers are well-versed in 3DS, which works similarly to the upcoming European 3DS 2.0. Businesses often neglect the cost of securing online transactions, which frequently leads to fraud losses. That is why the first piece of advice is to partner with a local cybersecurity services provider or a PSP that offers its clients a solution for fighting payment and other fraud.
The second recommendation is to set up a 3DS authorisation rule, agreed between the merchant and the payment service provider, that balances security and revenue growth. For example:
- if a customer has already made a payment in the store and confirmed it via 3DS, and
- the parameters of the customer’s devices remain the same,
then it is very likely that further payments from this particular customer can be conducted without 3DS.
The longer an adaptive 3DS is utilised, the more data will be accumulated, and, as a result, more and more payments can be carried out safely and without 3DS authorisation.
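The adaptive rule above can be expressed as a small decision function: a device becomes trusted once a 3DS-confirmed payment succeeds on it, and later payments from the same customer on that device, from the same country, within a lookback window, go through frictionlessly. This is an added example, not code from the article or from Yandex.Money; the 90-day lookback, the amount ceiling, the velocity limit and the sample history are constructed assumptions, and the velocity check goes slightly beyond the text by folding in the frequency signal mentioned earlier.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added example, not Yandex.Money code: an adaptive 3DS decision rule.
# Every threshold below is an assumption for illustration.
LOOKBACK = timedelta(days=90)          # how long a 3DS-confirmed payment vouches for a device
MAX_FRICTIONLESS_AMOUNT = 15000.0      # above this, always challenge (assumed ceiling)
VELOCITY_WINDOW = timedelta(hours=1)   # burst detection window (assumed)
MAX_PAYMENTS_PER_WINDOW = 3            # payments in the window before we challenge (assumed)


@dataclass(frozen=True)
class Payment:
    customer_id: str
    ts: datetime
    amount: float      # merchant currency
    device_fp: str     # device fingerprint from the checkout client
    ip_country: str    # country resolved from the client IP
    used_3ds: bool     # cardholder was challenged with 3DS
    succeeded: bool    # payment was authorised


def requires_3ds(history, candidate):
    """Decide whether `candidate` must be challenged with 3DS, given the merchant's
    payment history. Returns (challenge: bool, reason: str)."""
    if candidate.amount > MAX_FRICTIONLESS_AMOUNT:
        return True, "amount above frictionless ceiling"

    own = [p for p in history
           if p.customer_id == candidate.customer_id and p.ts < candidate.ts]

    # A burst of payments from one customer is a takeover / carding signal.
    recent = [p for p in own if candidate.ts - p.ts <= VELOCITY_WINDOW]
    if len(recent) >= MAX_PAYMENTS_PER_WINDOW:
        return True, "payment velocity too high"

    # Trust anchor: the latest successful 3DS-confirmed payment on this very device.
    anchors = [p for p in own
               if p.used_3ds and p.succeeded
               and p.device_fp == candidate.device_fp
               and candidate.ts - p.ts <= LOOKBACK]
    if not anchors:
        return True, "device not yet confirmed via 3DS"
    anchor = max(anchors, key=lambda p: p.ts)

    # The environment must still match what was seen at confirmation time.
    if candidate.ip_country != anchor.ip_country:
        return True, "country differs from the 3DS-confirmed session"

    return False, "known device confirmed via 3DS within lookback"


# Constructed history for the demo (not real transactions).
T0 = datetime(2024, 3, 1, 12, 0)
HISTORY = [
    Payment("cust-1", T0, 1200.0, "fp-A", "RU", True, True),
    Payment("cust-1", T0 + timedelta(days=5), 800.0, "fp-A", "RU", False, True),
    Payment("cust-3", T0, 100.0, "fp-C", "RU", True, True),
    Payment("cust-3", T0 + timedelta(minutes=10), 100.0, "fp-C", "RU", False, True),
    Payment("cust-3", T0 + timedelta(minutes=20), 100.0, "fp-C", "RU", False, True),
]
LATER = T0 + timedelta(days=10)

SCENARIOS = {
    "known device": Payment("cust-1", LATER, 500.0, "fp-A", "RU", False, False),
    "new device": Payment("cust-1", LATER, 500.0, "fp-B", "RU", False, False),
    "new country": Payment("cust-1", LATER, 500.0, "fp-A", "DE", False, False),
    "large amount": Payment("cust-1", LATER, 20000.0, "fp-A", "RU", False, False),
    "no history": Payment("cust-2", LATER, 500.0, "fp-A", "RU", False, False),
    "burst": Payment("cust-3", T0 + timedelta(minutes=30), 100.0, "fp-C", "RU", False, False),
}


def run_scenarios():
    """Evaluate each constructed scenario against HISTORY; returns {name: (challenge, reason)}."""
    return {name: requires_3ds(HISTORY, p) for name, p in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (challenge, reason) in run_scenarios().items():
        print(f"{name:14} -> {'3DS' if challenge else 'frictionless':12} ({reason})")
```

Each new device is challenged once and then joins the trusted set, which is the mechanism behind the observation that the longer the rule runs, the larger the share of frictionless payments. The ordering of the checks matters: the amount ceiling and the velocity check run before the trust lookup, so a compromised trusted device still gets challenged when its behaviour changes.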
It is worth mentioning that Apple Pay, Google Pay and Samsung Pay are becoming increasingly popular (on average, 44.8% of Russians used them over the past year, against 38.3% a year earlier), and in terms of frictionless processing of online transactions they are a real remedy.
A merchant that pays attention to these pieces of advice to secure its payment acceptance has every chance of success on the Russian market and many similar ones.
By Oksana Korobkina, CCO at Yandex.Money