Stopping Fraud Should Start at the Door: How to Protect Account Creation
The last few years, especially in online retail, have seen a shift in fraud prevention: from a focus almost exclusively on the point of transaction, fraud fighters have begun to protect the business's full user base as well. What’s really interesting is that this trend increasingly covers not just the protection of existing accounts, but account creation too.
The shift to account protection, generally, accelerated in 2020, when a huge uptick in phishing attacks (rocketing up by 667% at the start of the pandemic, and staying high) combined with continued data breaches and poor password hygiene to make account takeover a runaway hit of the year: Javelin reported that by late 2020 ATOs were trending at the highest loss rate so far, up a horrifying 72% over the year before.
In that context, it makes sense that fraud prevention teams were starting to focus on the earliest point in the flow they could control: Account creation.
Stopping Fraud at the Door
Intuitively, there’s an appealing logic to trying to stop fraudsters from signing up in the first place. Of course you want to stop shoplifters from stealing goods, and you want a guard to deter thieves from attempting to rob your cash register. But fundamentally, you’d rather they just didn’t come in at all.
In online fraud prevention, it doesn’t just feel safer, it’s pragmatic. Fraudulent accounts increase the risk of fraudulent transactions. An account that has been open for some time and left to age, looking innocent, is more likely to get the green light when a fraudster leverages it for a purchase.
Beyond that, depending on your industry, fake accounts can be used for collusion, money laundering, or to erode the reliability of your ecosystem with fake reviews, fake products etc. - activities which are very problematic even if your business doesn’t lose out financially.
Taking a more strategic approach, allowing fake accounts gives a company a misleading impression of the nature and scale of its account ecosystem, which can lead to unwise decisions on many levels of the organization, taken on the basis of mistaken information. The fraud department protects the company from this risk as well, when it guards account creation.
It makes sense that more and more fraud departments are looking into how best to protect accounts at signup. Since I keep getting asked about it, I’m outlining what I see as a useful framework here.
How to Detect Fraud at Signup
There are several approaches to fraud detection at signup, and each one has its advantages and disadvantages. It’s worthwhile understanding the breakdown of your options, so that you can work out which combination will work best for your business. Here’s the landscape of categories, as I see it:
- Identify assets with bad reputation
- Suspicious behavior detection
- Positive identity validation
- Document validation
I’ll take a look at each one separately, but what ties them together is that they’re each trying, in different ways, to supplement the relative paucity of information typically available at signup by making the most of the information that is there.
Assets with Bad Reputation
Essentially, this is a set of negative asset lists. Bad emails, IPs, devices etc. This approach tries to detect the fraudster through the repeated use of an asset that has already been identified as fraudulent. Since fraudsters do often attempt to maximize their ROI by using the same set of credentials against a wide range of sites and apps, you can see the logic.
Advantages:
- Prevents repeat attacks from the same fraudster
- Limits the fraudster's ability to reuse the same email, phone, IP etc., which makes their attacks more costly to carry out, because they need fresh credentials more often.
Disadvantages:
- As someone once said, "negative lists tell me about the fraud of yesterday". As we all know, fraudsters move on, and fast, and negative lists rarely update quickly enough.
- Easily bypassed by good fraudsters, who are skilled enough to arrive with a clean slate and no "links" to negative assets. They know the extra effort can result in a higher payoff, making it worth their while.
- Problematic assets are often already blocked by the time you become aware of them, so putting them on a negative list is redundant. Think of credit cards identified as stolen through chargebacks: by that point the issuer has already blocked the card, so adding it to a negative list gives you no extra value.
- False positives, e.g. blocking all users from a ZIP code, or even a country, because of high fraud rates. You need to be careful about which data you use.
However, the main issue I have with tracking an asset’s bad reputation is that an asset isn’t really good or bad. It’s just an IP, or a credit card, etc. The use to which it’s being put can be good or bad. The identity behind it can be good or bad. But that’s not the same as saying the asset itself is good or bad: if you block an IP because it has seen some bad usage, you risk blocking a lot of good traffic too. The same goes for a physical address, which may have many people living or working in the same building, or which may house a fraudster only temporarily. And so on.
I’m not saying don’t use it. I’m saying use with caution, and in context.
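The "use with caution, and in context" point can be turned into a scoring rule. The following is an added example, not Identiq's code or any product's, and it assumes a simple per-asset history of confirmed-fraud and confirmed-good uses: old observations decay (so the list does not describe only "the fraud of yesterday") and good usage dilutes bad usage, so a shared IP or building address is not treated like an asset used only by fraudsters.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class AssetHistory:
    """Observed outcomes for one asset (an IP, email address, device id, ...)."""
    bad: list = field(default_factory=list)   # times the asset was used in confirmed fraud
    good: list = field(default_factory=list)  # times the asset was used by a confirmed-good user


def reputation_score(hist, now, half_life_days=30.0):
    """Share of recency-weighted usage that was fraudulent, in [0, 1].

    Each observation is weighted by 0.5 ** (age / half_life), so old entries fade out,
    and good usage of the same asset dilutes the bad usage.
    """
    def weight(ts):
        age_days = (now - ts).total_seconds() / 86400.0
        return 0.5 ** (age_days / half_life_days)

    bad_w = sum(weight(t) for t in hist.bad)
    good_w = sum(weight(t) for t in hist.good)
    total = bad_w + good_w
    return bad_w / total if total else 0.0  # unknown asset: no reputation either way


def decide(hist, now, block_at=0.8, review_at=0.3):
    """Map the score to an action; the thresholds are illustrative, not tuned values."""
    score = reputation_score(hist, now)
    if score >= block_at:
        return "block"
    if score >= review_at:
        return "review"
    return "allow"


# Constructed sample histories (not real data), evaluated at a fixed "now".
NOW = datetime(2021, 6, 1)
DEDICATED_FRAUD_IP = AssetHistory(bad=[NOW - timedelta(days=d) for d in range(5)])
SHARED_OFFICE_IP = AssetHistory(bad=[NOW - timedelta(days=2)],
                                good=[NOW - timedelta(days=d % 10) for d in range(40)])
STALE_LISTING = AssetHistory(bad=[NOW - timedelta(days=200)] * 5,
                             good=[NOW - timedelta(days=1)] * 3)

if __name__ == "__main__":
    for name, hist in [("dedicated fraud IP", DEDICATED_FRAUD_IP),
                       ("shared office IP", SHARED_OFFICE_IP),
                       ("stale listing", STALE_LISTING)]:
        print(f"{name}: score={reputation_score(hist, NOW):.3f} -> {decide(hist, NOW)}")
```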
Suspicious Behavior Detection
Behavioral analysis tries to distinguish statistically between the behavior of a new legitimate user and that of a bot or a fraudster. The assumption is that bots and fraudsters will interact differently with your site in various ways. For example, they will fill forms faster, move the mouse in straight lines, type in a different pattern etc.
Advantages:
- Can detect bots, scripts and large-scale attacks (particularly useful at present, when bot attacks are so common)
- Works even if the fraudster has cleaned up all their "bad" links
Disadvantages:
- Relies on client-side code, which is at the mercy of the fraudster
- Bots keep getting better at mimicking humans (see youtu.be/fsF7enQY8uI and youtu.be/xdqFGlSeR-Y for more on this interesting trend)
- Many of these approaches fail when a legitimate user switches to a new device, or uses it in a different way (sitting, standing, lying down) etc.
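To make the three signals named above concrete (form fill time, straight-line mouse movement, typing cadence), here is an added example that is not Identiq's code; it assumes a constructed telemetry format with a focus/submit timestamp, pointer samples in pixels and keystroke times in seconds, and it treats the result as a set of risk signals rather than a verdict, because the telemetry comes from client-side code the fraudster controls.

```python
import math
from statistics import mean, pstdev


def path_linearity(points):
    """Traveled pointer-path length divided by the straight-line distance from first to last
    sample. A scripted pointer gliding straight to the field gives 1.0; human paths curve
    and overshoot, giving values noticeably above 1."""
    if len(points) < 2:
        return None
    path = sum(math.dist(points[i], points[i + 1]) for i in range(len(points) - 1))
    chord = math.dist(points[0], points[-1])
    return path / chord if chord else None


def interkey_cv(key_times):
    """Coefficient of variation of inter-keystroke intervals: a script typing at a fixed
    cadence gives about 0, a human gives a wide spread."""
    gaps = [b - a for a, b in zip(key_times, key_times[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)


def score_signup(session):
    """Return the list of bot-like signals seen in one signup session (thresholds are
    illustrative). Client-side telemetry can be forged, so combine with other checks."""
    reasons = []
    fill_seconds = session["submit_ts"] - session["focus_ts"]
    if fill_seconds < 2.0:
        reasons.append(f"form completed in {fill_seconds:.1f}s")
    linearity = path_linearity(session["mouse"])
    if linearity is not None and linearity < 1.02:
        reasons.append("mouse moved in a straight line")
    cadence = interkey_cv(session["keys"])
    if cadence is not None and cadence < 0.1:
        reasons.append("keystroke cadence is machine-regular")
    return reasons


# Constructed telemetry for two sessions (not captured data).
BOT_SESSION = {"focus_ts": 0.0, "submit_ts": 0.8,
               "mouse": [(0, 0), (50, 50), (100, 100), (150, 150)],
               "keys": [0.00, 0.05, 0.10, 0.15, 0.20, 0.25]}
HUMAN_SESSION = {"focus_ts": 0.0, "submit_ts": 14.2,
                 "mouse": [(0, 0), (30, 12), (55, 40), (80, 38), (100, 60)],
                 "keys": [0.00, 0.31, 0.45, 0.92, 1.10, 1.80]}

if __name__ == "__main__":
    print("bot:", score_signup(BOT_SESSION))
    print("human:", score_signup(HUMAN_SESSION))
```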
Side Note on Behavioral Detection
While behavioral bot detection works, don’t confuse behavioral bot detection with the “behavioral biometric” fingerprint identification of a known customer. Some companies claim to have this ability, but I have yet to see one that can deliver. In every case I saw, these fingerprints are not transferable across devices. Actually, many times not even within a single device. Think about it - I use my laptop with its internal keyboard and touchpad, with an external keyboard and mouse, and with another keyboard, differently laid out, at home. Not to mention my phone and tablet. Each of these will necessarily yield a different way in which I move the mouse, type etc. They’re all normal for me.
The other aspect which is often omitted is the length of interaction required to build the biometric fingerprint for a new user. Typically this requires dozens of minutes of interaction. It may be viable for some solutions, but likely not for many others who aim to create a very fast user experience which takes seconds to complete.
I would be very happy to learn if anyone has been able to crack the above limitations.
Positive Identity Verification
Positive identity validation means making sure that the user is who they say they are, by cross-referencing all their information with the user's own history across a wide range of internet sites and services. Essentially, you’re making sure that the name, email, phone, device, IP and other assets all match the same identity across the internet, not just on your site: the user is new to you, but if they’re a real user they are likely well known to many other sites and services.
Advantages:
- Blocks both stolen identities and made-up identities
- Smooth user experience for good users
- Prevents repeat abuse and large-scale attacks
Disadvantages:
- Users unknown to anyone on the network need to prove their identity at least once before they are trusted, ideally with adaptive friction; examples include older people who have only recently started using the internet, or young people just starting to buy online for themselves.
- May be unable to identify users who make big changes, e.g. relocating to take a new job and using a credit card from the new company
Document Validation
This approach requires some form of document verification at signup, such as a driver’s licence, identity card (for countries which have these) or passport.
Advantages:
- Shows the customer you’re protecting the site (may be especially relevant for financial services)
- Can help satisfy KYC requirements for businesses which have that to consider
- Taps into large centralized databases (driver’s licenses, federal databases etc.)
Disadvantages:
- Adds friction, even when using services which try to make it as easy as possible
- Not everyone has this sort of identification, so you risk excluding certain groups for the wrong reasons
- Unfortunately, with deepfake and similar technology, fraudsters have already proved that they can get around this kind of check
As you can see, each approach has its strengths and weaknesses. I would recommend learning more about all the above approaches, and for best results you’ll probably want to combine a couple of different types of approaches. That way, you can make sure you are able to both prevent fraud and provide a great user experience for the rest of your users.
Feel free to reach out to me if you have more questions. Fraud fighting is my hobby as well as having been my job for well over a decade. I’m happy to discuss all the options and what might work best for your company at length!
Uri Arad, Identiq’s VP Product, has been fighting fraud and fraudsters for more than a decade and has seen the fraud and identity challenge from diverse perspectives: product, risk, and R&D. Before he co-founded Identiq to create the solution he’d been dreaming of for years, he was the Head of Analytics and Research at PayPal’s risk department. He has tremendous experience building cross-functional teams which use the latest technological developments to create innovative products that both reduce loss and improve customer experience. Uri's expertise extends both to analyzing and meeting business needs and to an in-depth understanding of the technology that makes improvement possible.