Sophisticated eCommerce fraudsters increasingly use artificial intelligence (AI) to attack merchants. In the past, only one kind of eCommerce fraud existed. Fraudsters tried to steal personal identifying information and credit card numbers. They would then make fraudulent purchases. The result was chargebacks.
That model still exists today. However, it is no longer the only one. In fact, it probably isn’t even the most popular method of eCommerce fraud for sophisticated fraudsters.
Sophisticated fraudsters either currently use, or will use in the future, certain new AI tactics to steal from merchants.
Using AI to Create Lists of Stolen Credit Card Information
One technique the upper crust of technological thieves uses right now is to steal information not to purchase goods, but to sell it.
When they discover a match between personal information and credit card details correct enough to evade fraud detection, they put it on a list. When the list of matches becomes large enough, they sell the list to a less sophisticated thief.
This strategy is much more profitable. AI uses an algorithm to find matching credentials very quickly via brute force attacks. Brute force fraud attacks automatically generate and try username/password combinations. The speed of the algorithm makes it much easier to find large numbers of matches very quickly.
Once the algorithm generates a large enough list, the fraudster sells it on the dark web. Lower-level thieves who purchase these lists then use the information to commit traditional eCommerce chargeback fraud.
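From the merchant's side, the brute force pattern described above shows up as one source trying many different credentials in a short time, with almost all of them declined. The following is an added example, not code from the original article: a sliding-window check over constructed sample events, where the event fields, thresholds and function name are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Constructed sample events: (epoch_seconds, source, credential_token, accepted).
# "source" stands for whatever the merchant keys on (IP, device ID, session).
SAMPLE_EVENTS = (
    # src-A: 8 different credentials in 14 seconds, one of which matches.
    [(1000 + 2 * i, "src-A", f"cred-{i:02d}", i == 5) for i in range(8)]
    # src-B: a shopper mistyping the same credential, then succeeding.
    + [(1001, "src-B", "cred-b", False), (1020, "src-B", "cred-b", False),
       (1040, "src-B", "cred-b", True)]
    # src-C: different credentials, but only one attempt every two minutes.
    + [(1000 + 120 * i, "src-C", f"cred-c{i}", False) for i in range(6)]
)


def find_enumeration_sources(events, window=60, min_attempts=5,
                             min_distinct=5, max_success_ratio=0.2):
    """Return {source: timestamp at which it was first flagged}.

    A source is flagged when, inside one sliding window of `window` seconds,
    it made at least `min_attempts` attempts using at least `min_distinct`
    different credentials and at most `max_success_ratio` were accepted.
    Thresholds are illustrative assumptions, not recommended values.
    """
    recent = defaultdict(deque)   # source -> attempts still inside the window
    flagged = {}
    for ts, src, cred, ok in sorted(events):
        q = recent[src]
        q.append((ts, cred, ok))
        while ts - q[0][0] > window:      # drop attempts older than the window
            q.popleft()
        attempts = len(q)
        distinct = len({c for _, c, _ in q})
        accepted = sum(1 for _, _, o in q if o)
        if (src not in flagged
                and attempts >= min_attempts
                and distinct >= min_distinct
                and accepted / attempts <= max_success_ratio):
            flagged[src] = ts
    return flagged


if __name__ == "__main__":
    print(find_enumeration_sources(SAMPLE_EVENTS))
```

With the default 60-second window only src-A is flagged; the slow source src-C is caught only when the window is widened, which is why velocity checks are usually combined with longer-horizon counters.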
Why Sophisticated Fraudsters Often Prefer AI to Chargeback Fraud
Sophisticated fraudsters often prefer this technique for several reasons.
First, it scales well. Fraudsters cannot effectively automate purchasing goods. You must know what you want to purchase, go through the process of adding things to your shopping cart, change the account’s shipping address, put in the stolen credentials, and complete the purchase. The best eCommerce fraud solutions easily detect non-human shopping patterns and decline the orders they make. If you sell the credentials instead, you bypass all of that.
Second, AI brute force attack lists let fraudsters translate their successful attacks directly into cash. Traditional eCommerce fraud nets fraudsters stolen merchandise. These goods can be resold, but that takes time. It also cannot be scaled well. In contrast, it takes little effort to put a list of credentials up for sale on the dark web. Because the attack is so easy to scale, fraudsters can set low price points and sell a high volume of stolen information to turn a large profit.
Artificial Intelligence Account Takeover Fraud
The other major AI eCommerce fraud tactic expected in the future is an enhanced form of account takeover fraud (ATO).
ATO is when a fraudster tricks an organizational insider into either sending money or providing the credentials necessary to send money from a corporate account. In one version of this scam, the fraudster gets bank account information they can use to drain the account. Another version tricks employees into sending information to an account that looks legitimate but that the fraudster actually controls.
In the future, technology experts anticipate fraudsters will use AI to enhance this scam. Currently, businesses train employees to look out for certain warning signs that indicate fraudulent behavior before clicking any links or downloading file attachments.
But with AI, fraudsters will be able to more closely mimic natural language. This means that the kinds of awkward phraseology that allow humans to identify phishing attacks will vanish. In addition, it’s possible AI will allow trojans to insert themselves into pre-existing email threads. This will make it even more difficult for the average human employee to successfully ignore requests that can compromise information.
ATO is already one of the biggest eCommerce fraud trends of 2019. Its impact will grow when fraudsters adopt AI at scale.
Preventing AI Ecommerce Fraud
Fortunately, there is hope. Merchants looking to prevent AI eCommerce fraud can turn to solutions that specialize in protection against new fraud threats.
In addition, merchants should remain proactive and familiar with the general best practices for how to prevent chargebacks. Compromised customer credentials only result in a chargeback if the merchant accepts the fraudulent order.
Finally, the emergence of AI requires merchants and buyers to take the threat of fraud more seriously. Fortunately, the beginnings of this culture change are already taking shape. Although credentials like AVS codes remain important, they are increasingly no longer sufficient on their own. For example, PSD2 in Europe will require two-factor authentication (2FA) for transactions over 30 Euros.
This is a good start. In the future, expect similar regulations as AI adoption by fraudsters increases.