On-Demand Economy and Fraud: A New War

Protecting On-Demand Services from Fraud

The on-demand economy has experienced a significant boom with the development of the Internet and electronic payment services. On-demand businesses have sprung up everywhere - in travel, food, shopping - and are ready to provide their customers with products and services at all times. You can call a taxi or an Uber any time, have pizza or groceries delivered to your doorstep at all hours or schedule cleaners to come take care of your bathroom: on-demand provides not just the service itself, but also convenience and certainty of delivery.

Alas, as the on-demand services field grew, so did the number of fraudsters, who took advantage of the fact that while on-demand service providers' client base grew rapidly, the providers ignored or did not pay enough attention to security. 72% of businesses cited fraud as a growing concern over the past 12 months, with 63% of businesses experiencing the same or higher fraud losses during the same time. Obviously, making a service an 'input basic info' two-tap procedure is great for the customer but also a boon to the fraudster!

New Opportunities, New Threats

Today, fraudsters use new techniques to attack their classic targets, ATMs. These include 'cash trapping' and 'black boxing'.

Cash traps employ physical manipulation of ATMs, preventing customer access to their cash by blocking either the cash shutter or the cash dispenser. A black box attack is performed by drilling into the ATM, connecting an unauthorized device to its system and using it to issue dispense commands. On the less 'physical' side there is contactless card fraud, which takes advantage of the fact that payments using a contactless card require only waving your card against a reader, with no PIN involved. This allows fraudsters to use stolen cards, but only for a limited amount per purchase - a limit set by card providers, usually not exceeding 30 Euro.

But with the rise of on-demand services, fraudsters extended their efforts and began targeting weaknesses in providers' security systems, such as lack of email validation or of manual transaction review. Chargebacks would grow up to 2% of all transactions and there were many cases of voucher reuse and referral fraud. Another popular method of attack was using disposable email addresses to take advantage of service providers allowing multiple attempts on a card and having poor card checks in place, which also led to customer account takeovers. And of course, there are cases of suppliers working with a willing accomplice to accept stolen payment details for large orders knowing they will be charged back – incidents which not only result in significant losses of profit, but also of customer trust in the market.

Fraud Specifics: Jackpotting ATMs

Jackpotting, or installing malware on an ATM using a USB device or downloading it from an infected network, is becoming an increasingly large concern for security experts. It completely avoids physical break-ins. Hacking group Cobalt is believed to have stolen over $25 million over the course of 2016 using jackpotting. Europol's recent action culminated in the arrests of 27 "Black Box" attackers, who had caused losses counted in hundreds of thousands of euro. Further arrests are expected.

Fraud Specifics: Natural Disasters, Smartphones and Theft

In 2016, several Russian nationals stole an estimated $2.2m from dozens of First Bank ATMs in Taipei, taking advantage of the chaos in the wake of a typhoon. The thefts were perpetrated by connecting devices, possibly smartphones, to ATMs. Malware detected on the ATMs points to a premeditated attack, according to manufacturer Wincor Nixdorf. The First Bank and several other Taipei banks had to temporarily suspend withdrawals from their ATMs after the attacks, pending inspection.

Protecting the Customer

When it comes to confidence in their own abilities to detect fraudulent activities, 54% of businesses are only "somewhat confident" while 40% are "very confident". Viewed from the customer's side, the numbers are these: while 27% of consumers report abandoning a transaction due to a lack of visible security, 4 out of 5 consumers trust that banks and businesses have protecting their personal data as a top priority, with 66% stating "I like all the security protocols when I interact online because it makes me feel protected".


But while fraudsters adapted, taking advantage of new flaws, technologies are being employed to counter them and provide fast and secure solutions. On-demand businesses began using local PSPs (payment service providers) to provide various Strong Customer Authentication protocols, to keep track of chargeback data and to be able to provide information on failed transactions in case of review. This is called a payment gateway/processor and is a key element in fraud defense.

Since on-demand services generate and process large amounts of data over short periods of time, fraud detection and prediction are fully dependent on said data being used in an optimal way, which is where automation comes in. Automation has become one of the basic tenets of on-demand businesses, since routinisation and codification make processes reliable and cheaper to repeat. This approach is now being applied to fraud detection as well. Machine learning allows for transaction review and potential fraud detection in the same way the on-demand business' services are provided: instantly.

Man & Machine

While automation can be of immense help, the human factor is still crucial. There needs to be someone who can potentially query and confirm or deny an automated system's decision and also respond to customer queries. Since fraudsters often attempt to trick customer service into allowing a previously flagged order to go through, operators need full and easy access to all pertinent information, provided by automated systems. Human operators can also review white and black lists, since automation can sometimes erroneously flag a good user as bad or halt a valid shipment.
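The weaknesses named earlier (disposable email addresses, repeated attempts on a card) and the operator-reviewed white and black lists described above can be combined in a small rule check. This is an added example, not code from the original article; the thresholds, the domain list and all field and function names are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds and a constructed domain list; tune against your own chargeback data.
DISPOSABLE_DOMAINS = {"throwaway.example", "tempmail.example"}
MAX_CARDS_PER_EMAIL = 2      # distinct cards per email inside WINDOW
MAX_DECLINES_PER_CARD = 3    # failed attempts per card inside WINDOW
WINDOW = timedelta(minutes=10)

def review_attempts(attempts, allowlist=frozenset(), blocklist=frozenset()):
    """Return (decision, reasons) per attempt in time order.
    Decisions: 'allow', 'block', or 'review' (held for a human operator)."""
    cards_by_email = defaultdict(list)    # email -> [(ts, card token)]
    declines_by_card = defaultdict(list)  # card token -> [ts of declines]
    results = []
    for a in sorted(attempts, key=lambda x: x["ts"]):
        email, card, ts = a["email"].lower(), a["card"], a["ts"]
        cutoff = ts - WINDOW
        seen = [(t, c) for t, c in cards_by_email[email] if t >= cutoff] + [(ts, card)]
        cards_by_email[email] = seen
        declines = [t for t in declines_by_card[card] if t >= cutoff]
        if not a["ok"]:
            declines.append(ts)
        declines_by_card[card] = declines

        reasons = []
        if email.rsplit("@", 1)[-1] in DISPOSABLE_DOMAINS:
            reasons.append("disposable email domain")
        if len({c for _, c in seen}) > MAX_CARDS_PER_EMAIL:
            reasons.append("many cards on one email")
        if len(declines) > MAX_DECLINES_PER_CARD:
            reasons.append("repeated declines on one card")
        # Operator lists override the rules; reasons stay visible to the operator.
        if email in blocklist:
            decision = "block"
        elif email in allowlist or not reasons:
            decision = "allow"
        else:
            decision = "review"
        results.append((decision, reasons))
    return results

def sample_attempts():
    """Constructed sample data: card tokens, never real card numbers."""
    t0 = datetime(2024, 1, 1, 12, 0)
    rows = [("a@throwaway.example", "tok_1", False), ("a@throwaway.example", "tok_2", False),
            ("a@throwaway.example", "tok_3", True), ("bob@shop.example", "tok_9", True)]
    return [{"ts": t0 + timedelta(minutes=i), "email": e, "card": c, "ok": ok}
            for i, (e, c, ok) in enumerate(rows)]
```

Returning the reasons alongside each decision gives the operator the "pertinent information" needed to confirm or overturn a hold when a customer calls about a flagged order.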

It is this cooperation between machine learning and human operators that makes a fraud detection system the best it can be and reduces risk while increasing customer trust.