The Tricky Balance in Declining or Accepting Online Payments

False positives are one of the biggest problems for security controls. In malware detection they interrupt work and divert incident response away from real issues. But in ecommerce and financial fraud detection, false positives can have a direct and serious effect on profitability. In most cases, it is a balance between high detection (more secure but with more false positives) and lower detection (less secure with fewer false positives).

The potential cost for online traders of not getting this balance right is highlighted in a new report from fraud prevention firm Riskified. Surveying 5,000 U.S.-based consumers in December 2018, Riskified finds that 49% of shoppers do not return to an online retailer after a fraud has happened (false negative). Furthermore, 30% of the respondents have had a genuine purchase declined (false positive), even though 57% of these declines involved repeat custom.

Forty-two percent of those shoppers who have a genuine purchase declined go elsewhere, either abandoning the purchase completely (28%) or shopping with a competitor instead (14%).

It is the retailer who is caught in the middle of this. He loses good money through lost sales and lost future custom when his anti-fraud software generates false positives; and he loses future custom and has to bear the cost of the fraud when it generates false negatives.

"It's really difficult for any single retailer to effectively manage their fraud, and this survey shows just how damaging it is when they fail to do so," said Eyal Raab, Riskified's VP of business development. "Merchants need to be able to meet their customers where and how they want to shop, but offering options like omnichannel fulfillment or digital gift cards opens them up to threats. Making accurate decisions and approving good orders not only increases revenue now, it also makes happier, more loyal customers in the future."

Of course, it isn't always just a case of measuring the card owner's credit rating if the card details have been stolen. Given the option of four parties to blame for fraudulent purchases on a stolen card (the company that lost the details, the bank that approved the charge, the merchant that accepted the payment, or the true owner of the card), blame is surprisingly evenly apportioned in the 18-21 years age group. The user is slightly the most blamed, and the merchant slightly the least blamed.

From that age onward, blame on the user decreases while blame on the merchant increases. Blame on the bank is fairly consistent at around 25% across all age groups -- but overall, the most blamed group for online card fraud is the breached company that lost the details in the first place.

Fraud doesn't always happen at the point of payment. 'Liar buyer', where a customer orders and receives goods but denies they were delivered and refuses to pay, is also a significant problem. This is a particularly difficult problem to stop with digital controls. Maintaining a history of customers who refuse to pay while claiming the goods weren't received is unlikely to work -- abusers are unlikely to repeat the same tactic with the same merchant.

Interestingly, the survey shows two distinctions. Firstly, the affluent seem the more likely to be liar buyers, with nearly 50% of respondents with $1 million or more in annual income owning up to liar buying. The most trustworthy income bracket is $80,000 to $100,000, with a little over 10% having engaged in liar buying.

Secondly, age also has a bearing. Up to age 51, liar buying activity was reported by between 16.8% and 20.7% of respondents. After age 51, it drops to 8.8%.

Sharing information between merchants on potential liar buying would be one solution -- but it would probably be illegal under many data protection and consumer privacy laws. "To counter this," writes Riskified in an associated blog, "Riskified recommends coordinating with a delivery provider that offers proof of delivery." But not all merchants would choose or be able to do this since it would increase their costs.

Riskified's own online fraud prevention system promises its customers 30% more successful sales, 66% fewer declines, and 0% user friction, although it doesn't specify what these figures relate to. The product uses a combination of behavioral analytics, machine learning, proxy detection, order linking, and device and browser fingerprinting before making an accept or decline recommendation on each transaction.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.