Right now, the information thieves want most from your customers may not be their credit card numbers but their email addresses and account passwords. In 2015, fraud watchers saw a doubling of account-creation fraud, in which criminals used stolen credentials to gain control of consumer accounts and open new accounts under their names to defraud merchants. Payment security and data encryption are still crucial for merchants, but so is helping customers keep their credentials secure.
Small targets, big consequences
When hackers get hold of consumers’ email addresses and passwords, they can inflict a lot of damage, both to the individuals’ credit ratings and to the merchants they defraud. The market for personal information isn’t new, of course. Security investigator and reporter Brian Krebs found in 2013 that data thieves were charging between $1 and $8 online per account for stolen credentials to customer accounts at iTunes, Dell, BestBuy, and Target. Retailers and digital goods sellers aren’t the only merchants at risk. Krebs also found stolen credentials linked to accounts with airlines (United and Continental), FedEx, several wireless carriers, and Facebook and Twitter.
There’s not much individual consumers can do about large-scale data breaches aimed at retailers, banks, healthcare companies, and government agencies, even though there’s evidence that thieves are increasingly breaching security to gather, sell, and exploit individuals’ personal data. But there’s quite a bit your customers can do to prevent their accounts from being hacked directly, and it’s good business to encourage them to keep their information secure.
Help your customers practice good password habits
Because most people are busy and don’t think they’re potential targets, they often use guessable or computer-crackable passwords like “12345” or “password” – the most popular passwords for several years running – for their customer accounts. Telling customers to pick a good password is less effective than setting up your system to require good passwords. If your business doesn’t already have account-creation rules in place that require more secure passwords (with a minimum number of characters and a mix of character types), it’s time for that to change.
Remind customers what they can expect from your business
Phishing has expanded to social media networks, but there are data thieves who still gather credentials with fake emails from merchants. Your company’s customer-facing emails – especially those from your customer service department – and your purchase receipts should include a reminder that your employees will never ask for customer account passwords or payment account information via email, and that no one from your company will call to ask for account passwords or credit-card information.
Offer security tips ahead of peak shopping days
You can act as an advocate for your customers by stepping up account safety reminders ahead of the holidays. That’s when customers are often in a hurry to speed through gift ordering, travel booking, and event planning online. It’s also the season when your business may receive a high volume of orders that need to be screened for fraud, which means that it’s also a peak time for fraud attempts.
Keep your own fraud-prevention program up to date
Even careful customers can be hit by malware, phishing, and other attacks that hijack their email addresses and customer accounts. As retail, healthcare and government data breaches continue to pull consumers’ personal information into the dark web for sale, customers can find their accounts and identities compromised even if they’ve never been the victim of a direct attack.
For these reasons, behavioral analytics must be part of your comprehensive fraud detection program. For instance, if a particular customer always buys from you on his laptop at home, behavioral analytics will catch transactions submitted via his account from a smartphone overseas. (Of course, maybe he’s on vacation, so it’s also important to contact the customer directly before declining a transaction.)
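The laptop-at-home versus smartphone-overseas check described above, as an added Python example (not code from the original article or from Forte). The thresholds, field names and decision labels are assumptions, and the order history in `demo()` is constructed.

```python
from collections import Counter
from dataclasses import dataclass, field

MIN_HISTORY = 5    # assumed: fewer past orders than this gives no usable baseline
RARE_SHARE = 0.05  # assumed: a value seen in under 5% of past orders is unusual


@dataclass
class Profile:
    """Per-customer record of the device type and country of past good orders."""
    devices: Counter = field(default_factory=Counter)
    countries: Counter = field(default_factory=Counter)

    def observe(self, device: str, country: str) -> None:
        # Call only for orders that were confirmed legitimate.
        self.devices[device] += 1
        self.countries[country] += 1

    def total(self) -> int:
        return sum(self.devices.values())


def assess(profile: Profile, device: str, country: str) -> str:
    """Compare one order with the customer's baseline.

    Returns 'allow', 'review', 'contact_customer' or 'no_baseline'.
    There is deliberately no 'decline': a traveller looks the same as a thief,
    so the strongest outcome is to hold the order and reach the customer.
    """
    total = profile.total()
    if total < MIN_HISTORY:
        return "no_baseline"  # rely on the other fraud screens instead
    odd_device = profile.devices[device] / total < RARE_SHARE
    odd_country = profile.countries[country] / total < RARE_SHARE
    if odd_device and odd_country:
        return "contact_customer"
    return "review" if (odd_device or odd_country) else "allow"


def demo() -> dict:
    # Constructed history: 20 orders from a laptop in the customer's home country.
    p = Profile()
    for _ in range(20):
        p.observe("laptop", "US")
    return {
        "usual": assess(p, "laptop", "US"),
        "new_phone_at_home": assess(p, "smartphone", "US"),
        "phone_overseas": assess(p, "smartphone", "FR"),
    }
```

If the customer confirms a held order, pass it to `observe()` so the baseline learns the new device and location.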
Fraud prevention is an ongoing cost of doing business for merchants, but it doesn’t have to be an unbearable expense. Work with your customers to keep their data and yours secure. You’ll strengthen your relationship with them while protecting your business from fraud.
Dustin Lewis is the Director of Network Operations at Forte Payment Systems, where he architects highly available, secure and performant systems. Dustin joined Forte after earning his degree in Computer Science from the University of California. Since then he and his team have completed numerous projects to improve processing operations at Forte. Follow Forte on Twitter @fortepayments.