Many of the eCommerce (online) fraud schemes in use today rely on stolen credit cards to obtain goods or services from businesses. All e-tailers are targets (no pun intended), but small businesses are hit especially hard because they are often unable to identify that an eCommerce transaction was placed with a stolen credit card, and they typically don't find out until the transaction is charged back by the bank, up to 90 days later. Consequently, the business that accepted the eCommerce sale has to suffer:
the lost revenue (more specifically the cost of goods/services sold),
the administrative overhead to internal staff to process the chargeback transaction returned by the bank,
if chargebacks are excessive in volume or value, the business being defrauded can lose the ability to process credit card transactions at all,
chargeback fees can erode channel margins and profitability,
and the resale of product outside approved sales channels (i.e. by fraudsters) can create negative brand exposure.
It's a losing situation all the way around: the person whose credit card was stolen has to deal with the lack of funds and the mental anguish, and the bank loses money on the cost of reissuing the card and the staff time spent processing the chargeback paperwork. Recent high-profile breaches such as Target or Neiman Marcus flood the market with valid credit card numbers with which to conduct eCommerce fraud or other fraud schemes. This is part of the reason Target has been sued by banks (www.reuters.com/article/2014/03/26/us-target-trustwave-lawsuit-idUSBREA2P0B020140326), which claimed "they lost money from alerting customers to the breach, reimbursing fraudulent charges and reissuing cards. These losses could increase, they said, if criminals ultimately use several million stolen cards as some analysts project."
The one party that wins in this scenario is the person who defrauded the business with the stolen credit card: they now have goods or services they didn't pay for and can resell for profit, and most do exactly that.
eCommerce Fraud as a Business
eCommerce fraud is a business, and a big one. Many people who commit fraud do it as their day job. They get up in the morning, have a cup of coffee, maybe take their kids to school, and then spend their workday figuring out ways to profit from defrauding businesses. In many cases fraud even follows a 9-to-5 workweek pattern. Here's the thing--they are smart, it's their livelihood, and they manage a return on their time investment. If they can automate the process by writing scripts (e.g. in Python), they can hit more eCommerce sites, and by the law of averages they get through at more of them. These scripts are often run from a rented Bot network for several reasons, one of which is the ability to place scripted transactions in volume with the capacity of the rented Bot network behind them.
In order to combat eCommerce fraud, many businesses battling this problem have established eCommerce Fraud Prevention teams. This often means a team of staff with an eye for picking out a fraudulent transaction based on anomalies or other discrepancies in the order. This model of manually reviewing transactions has worked, but it doesn't always scale when you consider that fraudsters have tools that are automated and scale to the size of a Bot network (www.cnet.com/news/bots-now-running-the-internet-with-61-percent-of-web-traffic/).
The Bot Network
The thing about Bot networks is that they are often rented out for multiple purposes. The same Bots rented to place fraudulent eCommerce transactions may also be used for attacks on the site itself (e.g. DDoS, SQL injection). Any medium-to-large eCommerce site with a web application firewall has an IT Security Operations Engineer who has seen this malicious activity. Given the volume of traffic at some of the large e-tailers, it's not uncommon to see an IP address conducting malicious activity on Monday or Tuesday and then trying to place a fraudulent order on Thursday or Friday. Knowing that pattern exists, it is easy to correlate the recent history of any source IP address in a SIEM such as Splunk (orders arriving through IP anonymizers such as anonymizing proxies are almost always blocked outright in eCommerce Fraud Prevention circles, so the orders that remain carry a usable source IP). That behavioral IP address history would be valuable to an eCommerce team trying to discern whether an order is fraudulent. Many WAFs can also block or alert on User-Agent strings that indicate a script rather than a browser (the default User-Agent of the Python requests library, for example), so correlating that information with transaction order data could save your Fraud Prevention team a lot of time manually reviewing orders.
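As an added illustration of the correlation described above (example code written for this page, not NuHarbor's tooling or any product's query language), the script below joins a handful of constructed WAF event lines with constructed order records by source IP and scores each order for manual review. The log format, the order fields, the scripted-client User-Agent patterns, the anonymizer IP list, the seven-day lookback and the score weights are all assumptions to be tuned to your own environment; the same logic maps directly onto a SIEM search once your real field names are known.

```python
"""Score eCommerce orders by correlating source IP with recent WAF events and User-Agent."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample WAF/SIEM events (not real logs): "<time> <source IP> <event type> <request>"
WAF_EVENTS = """\
2014-04-07T09:12:44Z 203.0.113.45 SQLI_ATTEMPT /search?q=1'%20OR%201=1
2014-04-07T09:13:02Z 203.0.113.45 SQLI_ATTEMPT /search?q=1'%20UNION%20SELECT
2014-04-08T14:01:17Z 198.51.100.7 XSS_ATTEMPT /review?text=<script>
2014-04-08T22:40:09Z 203.0.113.45 RATE_LIMIT /login
""".splitlines()

# Constructed sample orders (not real data): (order id, time, source IP, User-Agent)
ORDERS = [
    ("A1001", "2014-04-10T11:05:31Z", "203.0.113.45", "python-requests/2.2.1"),
    ("A1002", "2014-04-10T11:06:02Z", "192.0.2.88",
     "Mozilla/5.0 (Windows NT 6.1; rv:28.0) Gecko/20100101 Firefox/28.0"),
    ("A1003", "2014-04-11T08:22:10Z", "198.51.100.7",
     "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 Chrome/34.0.1847.116"),
    ("A1004", "2014-04-11T09:00:00Z", "192.0.2.89", "curl/7.35.0"),
]

# Assumption: User-Agent prefixes typical of scripts rather than browsers. python-requests is the
# real default UA of the Python requests library; extend the list from your own traffic.
SCRIPTED_UA = re.compile(r"^(python-requests|python-urllib|curl|wget|go-http-client|java)/", re.I)

# Assumption: stand-in for a feed of anonymizing-proxy exit addresses (constructed value).
KNOWN_ANONYMIZER_IPS = {"192.0.2.89"}

LOOKBACK = timedelta(days=7)  # assumption: how far back WAF history counts against an order


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def index_waf_events(lines):
    """Map source IP -> list of (event time, event type) parsed from WAF log lines."""
    by_ip = defaultdict(list)
    for line in lines:
        parts = line.split(maxsplit=3)
        if len(parts) < 3:
            continue  # skip malformed lines rather than crash the batch
        ts, ip, event = parts[0], parts[1], parts[2]
        by_ip[ip].append((parse_time(ts), event))
    return by_ip


def score_order(order, waf_by_ip, lookback=LOOKBACK):
    """Return (score, reasons) for one order; a higher score means review it first."""
    _order_id, ts, ip, ua = order
    order_time = parse_time(ts)
    score, reasons = 0, []
    # Only WAF events in the window before the order count; older history is ignored.
    prior = [e for t, e in waf_by_ip.get(ip, []) if order_time - lookback <= t <= order_time]
    if prior:
        score += 50
        reasons.append(f"{len(prior)} WAF event(s) from {ip} in last {lookback.days}d: "
                       f"{sorted(set(prior))}")
    if ip in KNOWN_ANONYMIZER_IPS:
        score += 40
        reasons.append(f"{ip} is a known anonymizer exit")
    if SCRIPTED_UA.search(ua):
        score += 30
        reasons.append(f"scripted client User-Agent: {ua}")
    return score, reasons


def rank_orders(orders, waf_lines):
    """Score every order against the WAF history and return (id, score, reasons), highest first."""
    waf_by_ip = index_waf_events(waf_lines)
    scored = [(order[0],) + score_order(order, waf_by_ip) for order in orders]
    return sorted(scored, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for order_id, score, reasons in rank_orders(ORDERS, WAF_EVENTS):
        print(order_id, score, "; ".join(reasons) or "no indicators")
```

Run as-is, the order placed from the IP that was probing for SQL injection three days earlier with a python-requests User-Agent sorts to the top, the browser order from a clean IP sorts to the bottom, and the review queue is ordered by evidence rather than by arrival time. In production the WAF lines would come from the SIEM and the orders from the commerce platform's export, and the weights would be calibrated against the chargebacks the Fraud Prevention team has already confirmed.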
How IT Security can Help
How can IT Security teams help? The IT Security toolset, re-purposed just slightly for eCommerce Fraud Prevention, can pay for itself quickly if eCommerce fraud is a problem. I've heard often that eCommerce Fraud Prevention teams that organizationally sit in Finance or the Call Center do not know how to engage IT, and conversely IT Security teams don't know this problem might be costing their business millions of dollars annually. Help starts by reaching out to the other party, Finance to IT and vice versa. If you're on the eCommerce Fraud Prevention team, call your CISO or IT Security Manager and explain the challenges you have. If you are in IT Security, helping put revenue back on the bottom line for your company could build political capital for the team and pave the way to expanded budget and headcount, but just as important, it's a good way to prove that IT Security can help the business grow and expand.
The NuHarbor Consulting Group is an Information Security and Risk advisory firm. We specialize in Information Security, Information Risk Management, IT Compliance, and Security Technology Integration Services. For help with eCommerce Fraud Prevention practices or eCommerce Fraud Prevention Technology please reach out to email@example.com or 1-800-917-5719.
Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.