PII (Personally Identifying Information) of 140 million Americans potentially compromised! The information from more than 200 thousand credit cards stolen! The numbers from the Equifax breach are staggering and terrifying. Surely they’ll lead to rampant, immediate fraud, and eCommerce merchants should batten down the hatches.
Not quite. Despite the fear mongering, we urge eCommerce retailers to stay calm. Overreacting to this breach is likely to cause more problems than it solves.
While the scope of the fallout for individuals remains to be seen, we at Riskified believe the effects of the breach will be relatively minor for eCommerce merchants and fraud-review teams. At this point in time, we’re near the date where chargebacks from this period would have ‘matured,’ meaning that fraudulent purchases made with this stolen data would have been reported as chargebacks, and we would be feeling the impact. But it isn’t happening. We are yet to see unusual rates of fraud for July and August. Even if we had observed an uptick in fraud, it’s doubtful that it would be due to the Equifax breach. Here’s why:
The hackers didn’t actually get much credit card data
Two-hundred thousand might sound like a big number, but historically this is drop in the bucket. To put it in perspective: Target’s 2013 breach led to 41 million stolen credit cards. Home Depot’s breach in 2014 lost 50 – 60 million compromised cards.
This doesn’t mean individuals should breath a sigh of relief. For the affected card holders, this situation presents an inconvenience at best (calling their banks and replacing their cards) and a financial loss at worst (failing to report a fraudulent purchase). Some experts are even cautioning people to freeze their credit as a precaution.
But this breach is unlikely to change the fraud landscape for merchants. There were already plenty of stolen cards available for purchase on the dark web, and this doesn’t represent a particularly significant increase.
Even if Equifax’s very bad day increases the number of CNP attacks, review processes that were previously effective at detecting CNP fraud should perform just as well today. Changing your review process to be more risk averse is only likely to cause more problems – like turning away good customers.
Stolen PII and CNP fraud aren’t particularly correlated
This is a big breach and a serious amount of data, but it isn’t likely to lead to CNP fraud. Insurance companies, banks, credit card companies and more should all be on alert. With this data, fraudsters may be able to steal identities and open accounts, but that’s an important point: identity theft is a time- and effort-intensive type of fraud. Fraudsters who go to this trouble are after a big score, and stealing from your sneaker shop or online travel agency probably isn’t it.
In one more piece of reassuring news, Riskified was most concerned about merchants selling gold or digital gift cards after the breach, as they can be an early indicator. We work with a number of merchants in those categories, and we haven’t seen anything to show that there’s been a spike in the rate of CNP fraud attacks.
Even when fraudsters get creative, merchants have recourse
Some merchants have worried that information from the Equifax breach could be used to open new credit cards in somebody else’s name, or to change card details (like billing addresses) in order to fix mismatches that would otherwise be giveaways of fraud.
This is definitely a troubling thought. But, in practice, fraudsters would have a tough time pulling this off. For starters, banks are aware that PII is an increasingly unreliable way of verifying identity, and are leaning on more effective measures, like voice recognition.
But even if fraudsters are able to create phony cards, many existing systems should still catch them. Smart fraud-detection models look at much more than just the data on the card. Behavioral analytics, which measures how customers interact with a merchant’s site, can sniff out fraud without any credit card information. And machine learning and linking systems, like the ones Riskified uses, look across shops and weigh factors including how frequently a shopper has changed credit cards, how many credit cards are in a person’s name, distance between a new billing address and old, billing address match to directories such as Whitepages, IP address, proxy use and more.
It’s a scary story, but merchants needn’t be afraid. If what you were doing before was working, keep doing it. There will almost certainly be breaches in the future that more directly impact CNP fraud rates. We’ll cross that bridge when we come to it. Until then, keep selling.