Security reminder - Identify fraud and protect your business

Apr 27, 2023
Stacey Ruggles

Fraud is an ever-growing problem, continuing to threaten businesses as the attacks develop and become more sophisticated. A recent study found that the total cost of ecommerce fraud to merchants will exceed $48 billion USD globally in 2023* and Visa has recently seen an increase in fraudulent activity in the form of enumeration (BIN) attacks. In response to this, Visa has recommended adopting a layered approach to tackle fraud, using as many fraud protection methods as you can.

Along with passing on Visa’s advice, Checkout.com would also like to remind you of best practices to help prevent these attacks and other types of fraud across all card schemes.

What is an enumeration attack?

An enumeration attack, also known as a BIN attack or brute force attack, is when a fraudster systematically submits Card Not Present (CNP) purchases through an ecommerce website targeting a specific account range or issuer Bank Identification Number (BIN). Software is used to run a script of BIN numbers, usually at high velocity and often with a low value. These transactions are often in large bursts within a short period of time, gathering information on which accounts are real.

The fraudster uses the authentication response to identify legitimate and active account numbers, leading to other higher value fraudulent purchase attempts using the payment account information they have gathered.

What can you do to prevent attacks?

  1. Make sure your business is aware of the risks associated with accepting payments online
  2. Have incident response plans tested and in place ready to use should you need them
  3. Contact your service provider quickly if fraudulent activity occurs
  4. Implement fraud prevention tactics:
      • Monitor and review the language and time zone of cardholders’ IP addresses and devices. This near-real-time authorization monitoring can help you detect anomalies or inconsistencies in the data and flag these transactions as higher risk
      • Add any IP addresses that have regularly failed payment attempts to your fraud block list for review
      • Use EMV 3DS (3DS2) checks
      • Lock a user’s account when multiple incorrect password/username attempts have been made
      • Monitor the IP address of a single account login. If the account is being used across multiple IP addresses, review and analyze if this is legitimate
      • Block the use of common or suspicious passwords and review any logins that use these currently
      • Review customer sessions for excessive bandwidth consumption. You can also monitor tracking elements for multiple transactions using the same email address and device ID but with multiple different cards
      • Use random pauses (throttling) on account checking and increase these checks on BINs that see higher fraud attempts
      • Implement CAPTCHA and reCAPTCHA controls along with botnet detection and fingerprint authentication
      • Think about implementing velocity checks on lower transaction values as well as large value items
      • Use Address Verification Service (AVS) and Card Verification Code (CVC) checks
      • Use anomaly detection to monitor transactions and sales patterns
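
The velocity checks described above can be sketched as a sliding-window detector over authorization records. This is an added example, not Checkout.com or Visa code: the record fields, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW = 60.0      # sliding window in seconds (assumed)
MAX_CARDS = 3      # distinct cards tolerated per IP or device in the window (assumed)
MAX_DECLINES = 5   # low-value declines tolerated per BIN in the window (assumed)
LOW_VALUE = 5.00   # "low value" ceiling in the transaction currency (assumed)

@dataclass(frozen=True)
class Auth:        # hypothetical authorization record
    ts: float      # epoch seconds
    ip: str
    device_id: str
    pan: str       # card number; only compared and truncated to its 6-digit BIN
    amount: float
    approved: bool

def detect_enumeration(events):
    """Map (kind, value) -> (first alert time, reason) for IPs, devices and BINs."""
    windows, alerts = defaultdict(deque), {}
    for ev in sorted(events, key=lambda e: e.ts):
        for kind, value in (("ip", ev.ip), ("device", ev.device_id), ("bin", ev.pan[:6])):
            q = windows[(kind, value)]
            q.append(ev)
            while ev.ts - q[0].ts > WINDOW:   # drop attempts older than the window
                q.popleft()
            if kind == "bin":   # many cards per BIN is normal, so count declines instead
                hit = sum(not e.approved and e.amount <= LOW_VALUE for e in q) >= MAX_DECLINES
                reason = "low-value decline burst"
            else:               # one IP or device cycling through different cards
                hit = len({e.pan for e in q}) > MAX_CARDS
                reason = "many distinct cards"
            if hit:
                alerts.setdefault((kind, value), (ev.ts, reason))
    return alerts

def sample_events():
    # Constructed data: one burst from a single IP/device on BIN 400000, plus normal sales.
    burst = [Auth(1000.0 + 2 * i, "203.0.113.7", "dev-A", f"400000{i:010d}", 1.00, i == 5)
             for i in range(8)]
    normal = [Auth(1001.0, "198.51.100.10", "dev-B", "5100000000000001", 42.50, True),
              Auth(1030.0, "198.51.100.11", "dev-C", "5100000000000002", 18.99, True),
              Auth(1500.0, "198.51.100.10", "dev-B", "5100000000000001", 7.25, True)]
    return burst + normal

if __name__ == "__main__":
    for key, (ts, reason) in detect_enumeration(sample_events()).items():
        print(key, ts, reason)
```

In a live system the card key would be a token or hash rather than the raw number, and flagged IPs or devices would feed the block list and throttling steps listed above.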

How Checkout.com can help

3D Secure Authentication

Checkout.com provides your customers with the ability to verify that they are the card owner using our flexible 3D Secure Authentication product, helping you to reduce fraud and chargebacks.

Our Authentication product works across all platforms and acquirers and gives you the option to ask your customers to complete an authenticated purchase flow.

Since launch, Checkout.com has shown best-in-class 3DS performance in benchmarking by Arcot, a market-leading ACS, and we continue to outperform our competitors in this space.

We are also continuing to enhance this tool. Support for the latest protocol, 3D Secure 2.3 (where supported by issuers), new 3RI, decoupled authentication flows, and improved automation to further increase approval rates will all be coming soon.

Fraud Detection

Our Fraud Detection tool lets you control the type of payments you accept and reduce the risk of fraud. This includes pre-configured setup and block list, pre-set fraud rules, and Machine Learning (ML) with fixed thresholds to decline, approve, or send transactions for 3D Secure authentication.

The tool lets you make minor edits to some pre-set rules and add further rules from a pre-set list. You can test these changes before implementation using our shadow-mode testing feature and access a full suite of analytics and reports within the tool.

We are regularly releasing new Fraud Detection features and making improvements to suit the developing fraud landscape. Most recently we have added Device ID velocities, a data quality widget, decline rules performance and back testing.

Speak to your Checkout.com support team if you’re interested in learning more about our Pro solution – designed for fraud teams that want more control over their risk setup. Pro unlocks additional functionality to give you more advanced risk tools and the ability to fully customize your strategy:

  • Customizable ML thresholds
  • Comprehensive rules, including custom, weighted, and advanced rule types (such as cumulative velocity rules)
  • Ability to send custom data to build custom rules
  • Customer segmentation to build tailored risk flows
  • Option to choose 3DS challenge preference indicators to apply or reduce friction for certain transactions while triggering a liability shift

If you would like any further information about either of these products or have any other questions, please contact your Checkout.com support team who will be happy to help.

*https://www.businesswire.com/news/home/20221011005739/en/Juniper-Research-eCommerce-Losses-to-Online-Payment-Fraud-to-Exceed-48-Billion-Globally-in-2023-as-Fraud-Incursions-Evolve
