Over the past 180 days, the credit card data of nearly half a million people in the United States has been put up for sale on the dark web for a list price of around $10 each. This includes everything needed to make fraudulent card-free (CNP) purchases online, including cardholder name, card number, CVV number and expiration date. Other details may be included in the sale price, such as bank issuer and available balance.

“In some markets [on the dark web]there is someone who manages the whole market to make sure that the transactions are fair and that everyone gets their fair share,” said Noam Kehati, researcher at CyberInt, announcing the results of his research in January.

The market for credit card data has exploded since the pandemic as people conduct far more transactions online, and so it has become easier to obtain card details, according to Reuben Braham, Vice President of CyberInt . “It’s only increasing,” he said.

This trajectory is why many experts are warning retailers to align online fraud prevention with areas of increasing risk, invest in best practices, multi-tiered fraud prevention solutions, and recalibrate the balance between fraud risk assessment and customer friction if necessary to maximize the whole. benefit.

Retailers will likely lose $130 billion to CNP fraud between 2018 and 2023, according to a 2019 market forecast study by Juniper Research on online payment fraud. As more people shop online and card fraud becomes more difficult due to enhanced card security features and point-of-sale compliance standards, there has been a significant shift towards CNP fraud. , which now accounts for an estimated 75% of all card fraud.

Shopping trends and fraud evolve together

The pandemic has changed consumer behavior and thieves have followed suit, says LexisNexis’ 2021 True Cost of Fraud study. More fraud losses are attributed to the mobile channel than in previous years as more consumers turn to digital transactions, and mobile in particular.

“The spike in fraud attacks and costs for e-commerce merchants since the start of 2020 was not a temporary event; e-commerce saw a 34.4% increase in the cost of fraud and an increase in 140% of fraud attacks by volume since the pre-COVID-19 period,” according to the study.

As a result, the total cost and volume of fraud has risen sharply compared to pre-COVID times, analysts say. Every dollar of fraud costs U.S. retailers and online merchants $3.60, up from $3.13 pre-pandemic, with the shift to mobile channels being the main catalyst. Losses from fraudulent international transactions are proving particularly problematic, nearly doubling in 2021 compared to 2020, complicated by identity authentication issues and data privacy restrictions.

CNP fraud has become the tool of choice for fraudsters because there is no need to steal the card itself, just its attributes. Consumers typically aren’t aware of the theft until fraudulent transactions surface, but it’s merchants who are likely to end up with the cost of false transactions, more often than fraudulent purchases made with a card. physical.

According to Francisco Rodriguez-Fernandez, professor of economics at the University of Granada in Spain and author of “Cash Fraud and Electronic Payments: Taxonomy, Estimation and Projections.” electronic payments as they evolve,” he said. LP Magazine.

That thieves have gotten smarter is another point raised in the Lexis Nexis 2021 research project. “, warns the study.

Perhaps that’s why the study concludes that US retailers may be falling behind in their fight against rising fraudulent attacks. The hundreds of retailers surveyed were asked, in a typical month, how many fraudulent transactions they prevent and how many successful transactions. Disturbingly, retailers are reporting one successful attack for every attack they prevent, and this trend is going in the wrong direction. In 2019, for example, retailers reported thwarting 59% of fraudulent online transaction attempts.

Looking for solutions

Powerful tools exist to prevent CNP fraud while minimizing false declines, but many retailers have been slow to invest in these tools, according to Juniper Research report author Steffen Sorrell. Online retailers still focus primarily on point-of-transaction fraud risk assessment, rather than session analysis and behavioral monitoring or validation of a user’s identity to assess fraud risk. before any transactions, he said. Additionally, retailers too often look at the business case for investing in solutions solely from a fraud prevention perspective, rather than also recognizing the substantial value of reducing false positive denial rates, in which legitimate orders are incorrectly labeled as fraudulent.

“A tiered fraud detection and prevention (FDP) solution naturally helps prevent fraud directly, but it also offers significant gains in terms of recovering revenue potentially lost through false positives. This is something that retailers remain undereducated on and which has allowed fraudsters to capitalize on relatively low FDP spend,” Sorrell said.

A successful CNP fraud prevention approach is one that strikes the right balance between fraud defense and customer experience, most experts seemed to agree. “Not all transactions carry the same level of risk; companies need intelligence to know when to apply more or less effort with customers,” recommend the authors of the LexisNexis study. “New customers may appreciate the additional steps taken to verify their identity, such as challenge questions and one-time passcodes. Repeat customers may get bored at some point expecting the company to know about them. »

And after? Verification of information can help distinguish real customers from imposters, such as the geolocation of the person who made an authentication request. As more retailers strengthen their customer authentication processes, fraudsters may find CNP fraud more difficult to pull off. Then what ?

Europe already has strong customer authentication regulations in place, so the experience there may hold a clue. In a webinar on the subject, experts said that as CNP fraud becomes more difficult to commit, social engineering scams are increasingly integrated into fraud activity.

“An example we see is where fraudsters make online purchases using stolen credit card data. Fraudsters then convince real cardholders to share one-time passwords with them to perform strong authentication and confirm the purchase,” said Stephen Topliss, vice president for fraud and identity at LexisNexis Risk. Solutions.