Examining the Vulnerabilities of Fraud Scores for Online Merchants and Financial Institutions
- Fraudsters are accessing legitimate fraud detection systems
- These fraudsters are able to manipulate data created by detection tools
- Merchants need to be aware of this evolving tactic and ensure their vendors can still accurately score orders even when data is incomplete
Frank on Fraud reports on a new fraud technique revealed via Karisse Hendrick’s Fraudology Podcast, during her discussion with fraud fighter Nate Kharrl.
Some fraudsters, it seems, are exploiting fraud detection systems by purposefully blocking scripts and data points that are used to calculate fraud risk scores. Masking this key information allows them to artificially lower the scores and increase the chances that fraudulent orders will be approved.
“Fraudsters figure out which online merchant scripts belong to fraud detection tools and block them,“ said Mr. Kharrl, “This prevents data from getting into the scores.”
Fraudster or Legitimate Online User?
To be clear, fraudsters are not developing their own solutions to block the scripts. They are, rather, utilizing legitimate tools for nefarious acts.
These tools include:
- Residential Proxies – Ability To Be Anonymous Online
- Anti Detect Solutions – Ability To Block Fraud Scripts
- Tracking Blockers – Helps Bots Stay In Business
The challenge is identifying which are the fraudsters.
“To be clear," Mr. Kharri says, “every data point is in the attacker’s control. To catch them you have to find out who is blocking or manipulating the data and understand who is malicious and who is just privacy-conscious”.
Karisse Hendrick adds, “The majority of legitimate users that enterprise merchants see use these are primarily GenZ-ers who are not only savvy and conscious about who gets their data, but they also expect a seamless online experience more than any other group of customers online”.
It's not all on the merchant, however, as the fraud vendor holds responsibility too.
Ms. Hendrick notes the result is that “fraud detection systems are not being as accurate as in years past. When merchants complain, the vendors investigate it, and then tell the merchant the scores are faulty because they are not getting all the data points.”
It's important to vet the vendors, asking specific questions such as “Does your solution utilize JavaScript or other client-side code?” and “What data points does your solution consider when that data collection has been blocked by privacy-conscious users?”
Vendors and merchants need to collaborate to ensure that the fraud tools are working correctly, and not being exploited by online fraudsters.
Fraud Scores and Check Fraud
Most fraud systems are based on a fraud score -- measuring the risk of a payment. However, check fraud scores are much different than online scores, as they cannot be manipulated by fraudsters since they are performed in secure environments and not through a website.
For transactional/behavioral analytics, a payment occurs and the solution evaluates the individual transaction against past behaviors to provide a risk score.
For image forensics, fraud scores are generated by analyzing the images of checks. Different analyzers such as Check Stock Validation (CSV-AI), Automated Signature Verification (ASV-AI), Writer Verification (WV-AI), and Alteration Detection examine the images of checks when they are deposited -- removing the ability of fraudsters to manipulate the images when the system kicks in.
The risk score is then generated and checks are flagged for review by fraud analysts in their review platforms. If a check is flagged as fraud, the payment is stopped while simultaneously the image of the check is added to the negative list.
Fraudsters continue to exploit checks as a payment channel, so it's important to understand that once the check is deposited, the fraud solutions discussed above cannot be exploited to manipulate the risk scores.
And, with a success rate of 95%, financial institutions can be assured that more fraud is being caught when deploying a multi-layered technology approach.