Fraud prevention in online retail


Published on 17.09.2019 by Ivan Bütler, CEO, Compass Security

A desire for self-enrichment, a flair for Internet technologies and immoral values are sought-after attributes for members of cyber criminal gangs. There’s been a long-running arms race – what are the chances of beating the criminals?

Everyone’s talking about cyber security, hacking and online fraud. These topics are not only important and urgent, but also hot on social media, amongst influencers, as well as real and pseudo security experts. Cyber spies appear in nearly all blockbusters now, just look at James Bond and Wallander. What’s more, the US and many other countries have declared cyberspace a military zone.

At Confederation level in Switzerland, cyber crime is primarily combated by MELANI [1] and Fedpol [2]. Today, the Confederation is intensifying its efforts to prevent and combat cyber risks by introducing a “Mr. Cyber” [3]. Florian Schütz, previously employed at RUAG and an ex-security manager at Zalando, was specially chosen for this task. Cyber security is not just something from TV crime series; it’s a serious topic.

The title of this post specifically relates to preventing fraudulent activities in online retail and is distinct from other hacking activities like ransomware and encryption trojans. 99% of online retail systems are based on the customer connecting to a website with their browser (Chrome, Firefox, Edge, Safari, mobile app) where they select their chosen goods and have them delivered to their home.

Hackers who have attacked these systems have quickly learnt that direct attacks on the retail platform infrastructure are time-consuming and difficult. But there are always reports coming in about companies being successfully hacked, including the stealing of credit card information, as hackers find ways to gain unauthorized access to company IT infrastructure. In 99% of cases, however, hackers try to outsmart the end users themselves and steal money from their PCs, laptops and mobile phones, or set up illegal payments in online systems.

It’s a tricky subject from a retail platform perspective as the end devices are the responsibility of customers and may be poorly maintained and lacking updates etc. In other words, retail platforms need to consider customer end devices as insecure, and assume as a matter of principle that these devices are already being used by cyber criminals. 
But what if a retail platform were able to notice how people use a website or app, such as how fast they type when entering a payment or in what order purchases are made? If a retail platform had this knowledge, it would make life very difficult for cyber criminals. Analysis of typing speed, clicks and user behaviour is not a theoretical concept; it is already deployed by many online retail platforms in the form of a fraud detection system. Having data on user behaviour is a powerful tool for defence and can prevent misuse. But the arms race continues: hackers are experiencing a drop in income and are doing all they can to stay one step ahead and outsmart these fraud detection systems.
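
The typing-speed check described above can be sketched as follows. This is an added example, not part of the original article and not the code of any real fraud detection product. The thresholds, the function names and the sample timings are constructed assumptions.

```python
from statistics import median

MIN_KEYS = 8      # assumed: fewest key events needed to judge a session
MIN_HISTORY = 5   # assumed: fewest past sessions needed for a baseline
Z_LIMIT = 3.5     # assumed: robust z-score beyond which a session is flagged

def gaps(timestamps_ms):
    """Milliseconds between consecutive key events."""
    return [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]

def robust_z(value, history):
    """Distance from the history median in scaled MAD units."""
    med = median(history)
    mad = median(abs(h - med) for h in history)
    # Floor the MAD at 1 ms so a very consistent typist cannot cause division by zero.
    return 0.6745 * (value - med) / max(mad, 1.0)

def assess(history_speeds, timestamps_ms):
    """Compare one payment-form session with the account's usual typing speed."""
    if len(timestamps_ms) < MIN_KEYS:
        return "insufficient-data"
    g = gaps(timestamps_ms)
    if max(g) - min(g) <= 2:
        return "review:uniform-cadence"   # machine-like timing, not human typing
    if len(history_speeds) < MIN_HISTORY:
        return "insufficient-data"
    if abs(robust_z(median(g), history_speeds)) > Z_LIMIT:
        return "review:speed-deviation"
    return "ok"

# Constructed sample data: median key gaps (ms) of the account's past sessions.
HISTORY = [182, 175, 190, 168, 185, 179]
# Constructed key-event timestamps (ms) for three payment-form sessions.
USUAL = [0, 180, 350, 545, 720, 905, 1080, 1270, 1450]
FASTER = [0, 60, 135, 190, 270, 335, 405, 463, 535]
SCRIPTED = [0, 10, 20, 30, 40, 50, 60, 70, 80]

if __name__ == "__main__":
    for name, keys in [("usual", USUAL), ("faster", FASTER), ("scripted", SCRIPTED)]:
        print(name, assess(HISTORY, keys))
```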

It should be interesting – and it’s only just beginning! With advancing digitization and use of machine learning algorithms, the opportunities for hackers and defenders alike are growing exponentially. It’s a promising area for the IT industry. Software developers are the Michelangelos and rock stars of the future. Security is an ongoing process – we cannot get left behind. The many opportunities offered by this digital age come at a price, and it’s important to keep in mind that cyberspace is simply reflecting reality. Fraud in the real world has been around ever since there have been people. It may be the world’s second oldest business model. Stay on your guard.

Ivan Bütler speaks on this topic at Connecta Bern.

Ivan Bütler, CEO, Compass Security

Ivan Bütler is an “ethical hacker”. In 1999, he founded Compass Security, which specializes in hacking, penetration testing and incident response. He is the founder of the Hacking Lab and is committed to finding and promoting cyber specialists. He lectures at HSR, HSLU and HWZ on cyber security and how people can protect themselves from cyber criminals.
