A (web) beacon of hope for CNP fraud prevention

Ecommerce has put a global marketplace at our fingertips. Unfortunately, it has also opened up a world of opportunity for fraudsters. With easily bought stolen credit card information, criminals can order merchandise online which is then resold for a large, quick profit. This card-not-present (CNP) online order fraud victimizes not only the real cardholder, who incurs unauthorized costs, but the merchant as well, who gets hit with costly chargebacks.

With the implementation of the new EMV cards (i.e. “chip and PIN” cards), which made physical credit card fraud harder, fraudsters shifted their focus to ecommerce. Online retail is particularly attractive for CNP fraud because of the anonymity built into the Internet: there’s no physical person whose face the retailer can check against an ID and the name on the credit card. What this means is that fraud prevention must rely on other information to detect a fraudulent order.

From marketing tool to fraud spotter

One technological tool, the web beacon, was made specifically for extracting additional data from a web visitor, and is instrumental in helping merchants separate the legitimate orders from the fraudulent ones. This extra information can be very useful in supplementing the limited information provided by the Internet connection itself, such as the IP address.

Yet how is a web beacon able to provide that extra data? Basically, a web beacon is a piece of code (usually JavaScript) which runs in the browser, so it is able to both query a web visitor’s device and track that visitor across the merchant’s website. Web beacons are already extensively used for web traffic analytics, where their data is used to gauge the effectiveness of online marketing. In fact, the web beacon used by Google Analytics can help merchants manually review orders by highlighting the data patterns which indicate fraud.

Accept or decline? More data leads to better fraud screening decisions

The web beacon queries the visitor’s device and reports back information like the particular browser plugins installed, the time zone the device is set to, and the keyboard language. Fraud prevention tools can then check whether all the gathered data tells a coherent story of a legitimate order.

For example, if the IP address for an online shopper matches the US, but the time zone is in Russia and the keyboard language is set to Russian, then it’s very likely that someone located in Russia is using a proxy in the US. Legitimate customers may have reasons for concealing their geographic location, but so do fraudsters. At the very least, this particular order requires extra scrutiny. If the web beacon is also able to perform proxy detection (by monitoring ping times, for example), then you would be able to tell if it was someone from Russia who happened to be shopping online on their laptop from home while visiting the US versus someone in Russia visiting your site – while wanting you to believe they’re in the US. If it’s the latter, there’s a very good chance the order is in fact fraudulent.
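
The coherence check described above, as an added example that is not code from this article or from any vendor. The names `EXPECTED`, `collectBeaconSignals`, `assessCoherence` and `proxyDetected` are hypothetical, the reference table and sample orders are constructed, and `navigator.languages` is assumed as a stand-in for the keyboard language.

```javascript
// Added example. EXPECTED is constructed reference data, not a real geo database.
const EXPECTED = new Map([
  ["US", {
    timeZones: ["America/New_York", "America/Chicago", "America/Denver", "America/Los_Angeles"],
    languages: ["en", "es"],
  }],
  ["RU", { timeZones: ["Europe/Moscow", "Asia/Yekaterinburg"], languages: ["ru"] }],
]);

// Browser side: device attributes a beacon script can read and report back.
// Assumption: navigator.languages stands in for the keyboard language.
function collectBeaconSignals() {
  const nav = typeof navigator !== "undefined" ? navigator : {};
  return {
    timeZone: Intl.DateTimeFormat().resolvedOptions().timeZone,
    languages: Array.from(nav.languages || []),
  };
}

// Server side: does the beacon report agree with the country of the IP address?
// report.proxyDetected is a hypothetical flag set by a separate proxy check.
function assessCoherence(ipCountry, report) {
  const expected = EXPECTED.get(ipCountry);
  if (!expected) return { mismatches: ["unknown_ip_country"], decision: "review" };
  const mismatches = [];
  if (!expected.timeZones.includes(report.timeZone)) mismatches.push("time_zone");
  const primary = (report.languages || []).map((l) => l.toLowerCase().split("-")[0]);
  if (!primary.some((l) => expected.languages.includes(l))) mismatches.push("language");
  // A mismatch alone may be a traveller and only earns extra scrutiny; the same
  // mismatch behind a proxy is the pattern the article calls likely fraudulent.
  let decision = "pass";
  if (mismatches.length > 0) decision = report.proxyDetected ? "likely_fraud" : "review";
  return { mismatches, decision };
}

// Constructed beacon reports for three orders that all arrive from a US IP address.
const sampleOrders = [
  { id: "local", timeZone: "America/Chicago", languages: ["en-US"], proxyDetected: false },
  { id: "traveller", timeZone: "Europe/Moscow", languages: ["ru-RU"], proxyDetected: false },
  { id: "proxied", timeZone: "Europe/Moscow", languages: ["ru-RU"], proxyDetected: true },
];
for (const order of sampleOrders) {
  console.log(order.id, assessCoherence("US", order));
}
```

The three decisions are inputs to a review queue or a scoring model, not verdicts on their own: the traveller and the proxied order report identical device data and differ only in the proxy flag.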

Web beacons are also effective in tracking a shopper’s activity across a merchant’s website. Fraudsters and real shoppers exhibit very different behaviors when it comes to what pages they visit and for how long. Not surprisingly, the bad guys try to make a quick purchase, whereas legitimate customers are more likely to meander through the site as they compare different items, colors and prices.

By feeding all the pieces of information gathered by the web beacon into machine learning algorithms, ecommerce fraud prevention solution vendors like Riskified are able to accurately distinguish the fraudsters from the legitimate shoppers in less than a second. By declining the fraudulent orders, merchants who use these solutions are able to drastically reduce their losses from chargebacks while also boosting their revenue by not turning away paying customers due to false declines.
