2.1.17 Cyber Security

Stay Ahead of Fraud — RSA® Analyzes Purchase Patterns to Help Retailers Detect & Respond to Potential Threats

By: Jon McDonald

The Crunch: Keeping pace with fraud is a tough challenge for retailers because cyber criminals are constantly looking for vulnerable access points to exploit. RSA works to lock cyber criminals out completely by offering businesses protection at every turn. RSA’s proprietary fraud prevention technologies use web session intelligence and behavioral analysis as a factor in determining whether a transaction may be fraudulent. By enlisting RSA, companies can also keep data and other assets protected, ensuring the safety of the valuable consumer information they are entrusted with. And RSA keeps its eye on the future by educating retailers on new technologies and working to raise the overall transaction security standard for everyone.

Cyber criminals are always trying to stay one step ahead of retailers, data security teams, and the law. By constantly updating their technologies and techniques, cyber criminals defraud companies of an estimated $9 billion per year.

And fraud is just one side of the coin, as cyber attacks are also aimed at compromising a company’s data, whether personal or financial, and the effects can be crippling. With the amount of valuable data generated on a daily basis, businesses need to ensure that information is secured across all access points.

Over 30,000 enterprises around the world trust RSA to safeguard them from threats. For retailers, RSA can detect fraud and react to it before security teams may even learn about it.

“We look at how we can better secure the retail infrastructure, both from an organization and a consumer perspective,” said Angel Grant, the Director of Fraud and Risk Intelligence at RSA. “We have an intelligence team that monitors cyber crime, looking for different tactics that are being targeted toward the industry.”

RSA Director of Fraud and Risk Intelligence Angel Grant spoke with us about retailers’ need for proactive security.

Retailers have so many potential points of compromise — in particular through e-commerce — that a forward-thinking security presence has become almost a necessity. RSA, now a part of Dell Technologies, has been on the front lines of the fight against these risks since its founding in 1982, approaching protection from both a software standpoint and by actively helping raise industry and government standards for data protection.

A Security Authority Working to Set Fraud Prevention Standards

RSA has earned the business of half of the world’s Fortune 500 companies by becoming a leader in the digital security industry. Being a leader involves not only employing state-of-the-art security technology but also advocating for higher security standards across businesses.

After a string of high-profile data breaches in the past few years, RSA worked closely with EMVCo to recommend a change to the standard for in-store transactions. Most shoppers have noticed the switch from swiping their card at a point of sale to inserting their card so the terminal can read an EMV chip. Using RSA’s cryptographic algorithm to authenticate transactions, EMV chips make it harder for criminals to steal credit card information during an in-store, or card-present (CP), transaction.

The adoption of EMV has forced criminals to start abandoning methods of stealing credit card information such as installing a fake point-of-sale reader. The new technology has also led to criminals getting rid of stolen numbers as quickly as possible — even using social media — because the numbers themselves may soon be obsolete.

“As more EMV terminals get out there, it is becoming more difficult for them to clone the credit cards and there is a surplus of stolen account information in the underground,” Angel said. “They are not making enough money, so they are looking for new ways to merchandise their goods.”

Fake POS terminals (left) help steal card numbers, which may even end up for sale on Facebook (right). Photo from RSA Anti-Fraud Command Center.

As it becomes more difficult for cyber criminals to clone cards and commit in-person fraud due to EMV cards, it is expected that fraud will naturally migrate online. RSA has been working to usher in the adoption of EMVCo’s 3D Secure (3DS) 2.0, an authentication process specifically for protecting card-not-present (CNP) transactions.

“The e-commerce market is focused on offering a 3-D Secure environment, which authenticates through the three domains involved in the shopping experience — the bank that issues the card, the merchant, and the consumer,” Angel told us.

The original EMV 3DS made online shoppers authenticate directly with their card’s issuer during an online transaction by use of a username and password. The new EMV 3DS 2.0 standard takes a risk-based approach to help minimize friction in transactions while reducing fraud. RSA has been an advocate for risk-based authentication for the last decade, and its current 3D Secure offering, called Adaptive Authentication for eCommerce, provides a risk engine to issuing banks that only flags transactions that are considered high-risk.

This is a step forward in security that can significantly reduce fraud, while still allowing most customers a seamless checkout process. RSA works in close collaboration as a Technical Associate with EMVCo, as well as an FCC board focused on PCI DSS compliance where it advocates for stronger security across the retail industry.

Risk Engine Evaluates Transaction Behavior, Value, and Frequency

Preventing fraud begins with detection, and RSA Adaptive Authentication for eCommerce is driven by a risk engine that assesses risk quickly and looks for patterns across a wide range of transactions. What makes the detection engine unique is that RSA uses behavioral analysis in a risk calculation to keep legitimate purchases from being flagged as fraudulent.

“Our risk engine looks at over 100 risk indicators including IP and geo-location, the shopping behavior of the user, the transaction amount, and the velocity,” Angel said.

By taking a deeper look at all aspects of a transaction before flagging it, an issuing bank can help retailers avoid having sales held up when they are very low-risk for fraud. A score is calculated to reflect the overall risk of the transaction, and the issuer can decide where to go from there, on the retailer’s behalf.

“In most of our case studies, fraud loss was reduced 90% taking that risk-based approach,” Angel said. “Online checkout times were reduced by 85%, and shopping cart abandonment was reduced by 70%.”

Cyber criminals also used to be able to take advantage of a retailer’s blind spot, where one company was unaware of fraud at another company, but through a collaboration of its customers, the RSA eFraudNetwork can flag those transactions for all of its clients. Risk factors are analyzed over an intelligent cross-industry sharing network where fraudulent information is compiled so that organizations in a variety of industries — finance, health care, retail — can reject transactions flagged by other companies.

This strategy cuts down on fraud rings using the same stolen information across a variety of different channels, and can even be used to detect improprieties within different channels in the same company.

Angel told us about a global brick-and-mortar client who was targeted because it had a significant e-commerce presence. The criminals wanted to leverage stolen credit cards, but they knew the physical locations had EMV chip readers on all point-of-sale devices. So they shopped for the goods online and used the pick up in-store option — thus bypassing the EMV chip reader entirely — and went to the store to collect the items.

Through RSA, the company was able to spot those sales and stop the fraud from spreading.

“We helped them go through and recognize those transactions,” Angel told us. And since cyber criminals are always adapting to new technologies, RSA is constantly innovating ways to secure transactions of the future.

Helping Retailers Learn to Identify and Adapt to Future Trends

A recent survey conducted by RSA showed that retailers are most concerned about fraud and customer data loss. The study also revealed that more than 80% of retailers weren’t familiar with using behavior to detect risk and more than 70% of retailers take days or longer to investigate fraud. RSA offers a solution directly to retailers, called Web Threat Detection, that utilizes web session intelligence to track and pinpoint fraudulent behaviors of site visitors.

Retailers have to remain vigilant for fraud because the industry has so many vulnerabilities that are constantly changing. And the lines are being blurred because new payment methods are emerging that go beyond the card present and card-not-present designations.

An RSA study found that retailers don’t react quickly to investigate fraud, and many aren’t aware of behavioral analytics.

“We talk about the world as CP and CNP, but think about Apple Pay where you can pay with a mobile device,” Angel said. “Even though that consumer is standing in your store, is that considered a CP or a CNP transaction?”

As these technologies emerge and become popular, retailers want to be able to respond quickly, and RSA wants to help them use data to make the best decisions about what threats to focus on.

“There are so many whiz-bang technologies that are coming out, the industry is struggling to figure out what it should be adopting and securing,” Angel said. “As a whole, the industry is trying to keep up with the pace of how consumers are transacting.”

RSA knows retailers can be overwhelmed by the process, so it is committed to providing guidance on which directions to pursue to keep consumers active while detecting and suppressing fraud. That commitment to education is also why RSA Conferences are held all over the world each year. The events highlight the challenges of modern security and the latest technology, and give attendees access to insights from leaders in the security industry.

Staying ahead of cyber criminals is a full-time job, but RSA has built a network of resources that helps retailers stand up to the challenge.

From E-Commerce to Brick-and-Mortar, RSA Minimizes Losses

RSA has helped drive innovation for digital security — online and at physical touchpoints — allowing retailers to keep chargebacks to a minimum, but the process never stops. Cyber criminals are always trying to find a way to take advantage of security vulnerabilities, which adds up to billions of dollars in losses for retailers each year.

The intelligence professionals at RSA know all about them. From tracking fake point-of-sale devices being sold on the dark web to monitoring the recent trend of card number sales on social media, RSA works to keep fraud out of its clients’ systems.

Taking an omnichannel approach protects retailers from the ingenuity of fraudsters and helps them make smart decisions about integrating new technologies. Putting security at the forefront of plans for growth, both in-store and online, helps retailers stay one step ahead of data threats.

RSA uses behavioral analytics as part of its risk-engine formula, providing issuers with a solution that keeps the transaction pipeline moving and makes the consumer experience more seamless. Retailers can take direct advantage of the web session intelligence and behavioral analytics provided in Web Threat Detection to prevent both common and sophisticated high-impact fraud threats. By employing RSA, a company can stay protected while quickly isolating the real risks that need immediate attention. RSA’s intelligent risk-based approach leads to more satisfaction for customers, more revenue for businesses, and more security for both.

RSA recommends that retailers select a security partner who can provide a cohesive, intelligent platform of solutions to address fraud. In addition to implementing an effective fraud prevention platform, RSA urges retailers to implement additional best practices to protect data, such as using encryption and tokenization at multiple stages, either by themselves or through a trusted payment gateway. This makes any payment-related data useless to fraudsters in the unfortunate event of a data compromise.

About The Author

Jon McDonald is a contributing editor for DealCrunch with over 15 years of experience editing, writing, and designing at numerous publications. His passions include digging into emerging trends and seeking out the companies making an impact on the retail industry.
