When security holes in US retailer Target’s systems resulted in one of the biggest customer data breaches in the retail sector over the holiday season, it became clear that anyone accepting credit or debit card payments needs to be able to ensure data security.
But smart criminals out there think beyond access to a database. A determined fraudster may use a single stolen credit card number in a network of interlacing frauds that can entangle even vigilant companies.
Online platform 99Designs is a two-sided marketplace connecting customers with designers. To deliver a great experience we need to be able to both accept customers’ funds and guarantee rapid payments to designers. And we need to do this on any browser, in multiple currencies, around the globe. Being able to facilitate seamless transactions between customers and designers is our competitive advantage – but it also makes us a potential target.
We realised this shortly after 99Designs launched in 2008 and immediately began creating proprietary security systems. In recent years some remarkable tools have sprung up for analysing site visitors’ behaviour. We can monitor how long a user spends on the transaction page, how many credit card numbers they typically enter, and a slew of other characteristics that tell us how authentic customers behave – as well as what behaviours signal fraud.
By developing mitigation strategies solely for those tell-tale behaviours we cut our exposure to almost nothing.
Here’s how it works: Advanced pattern matching alerts our fraud team to a potential problem. They, in turn, inform a tech team armed with deployment systems capable of pushing changes or new fraud rules as often as needed. The speed of our response has made all the difference.
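The loop described above (behavioural signals scored by pattern-matching rules, alerts to a fraud team, and a rule set that can be swapped out as often as needed) can be sketched as a small rule engine. The following is an added example written for this page, not 99Designs' own system: the signals (seconds on the transaction page, number of distinct cards a user tries, retry rate), the rule weights and the review/block thresholds are all constructed assumptions, and the checkout events are made-up sample data. Cards are represented only by an opaque token, never by the card number itself.

```python
"""Rule-based scoring of checkout behaviour (added example, hypothetical rules)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class CheckoutEvent:
    user_id: str
    ts: datetime
    seconds_on_page: float   # time the user spent on the transaction page
    card_token: str          # opaque token for a card; the PAN is never stored here
    amount: float
    currency: str


# A rule fires on the current event plus that user's earlier events.
Predicate = Callable[[CheckoutEvent, List[CheckoutEvent]], bool]


@dataclass(frozen=True)
class Rule:
    name: str
    weight: int        # added to the score when the rule fires
    fires: Predicate


def _within(history: List[CheckoutEvent], event: CheckoutEvent, window: timedelta):
    """Earlier events by the same user inside the look-back window."""
    return [h for h in history if event.ts - window <= h.ts < event.ts]


def many_cards(event, history, window=timedelta(hours=1), limit=3):
    """Card testing: several different cards tried within one hour (assumed limit)."""
    cards = {h.card_token for h in _within(history, event, window)}
    cards.add(event.card_token)
    return len(cards) >= limit


def too_fast(event, history, min_seconds=5.0):
    """Genuine buyers read the page; scripted checkouts do not (assumed threshold)."""
    return event.seconds_on_page < min_seconds


def rapid_retries(event, history, window=timedelta(minutes=10), limit=4):
    """Too many checkout attempts in a short window (assumed limit)."""
    return len(_within(history, event, window)) + 1 >= limit


# The live rule list is just data: a new rule can be deployed by appending to it.
DEFAULT_RULES: List[Rule] = [
    Rule("many_cards_per_hour", 60, many_cards),
    Rule("under_5s_on_page", 25, too_fast),
    Rule("rapid_retries", 30, rapid_retries),
]

REVIEW_THRESHOLD = 50   # hand to the fraud team
BLOCK_THRESHOLD = 80    # decline automatically


def score_event(event: CheckoutEvent, history: List[CheckoutEvent],
                rules: List[Rule] = DEFAULT_RULES) -> Tuple[int, List[str]]:
    triggered = [r.name for r in rules if r.fires(event, history)]
    score = sum(r.weight for r in rules if r.name in triggered)
    return score, triggered


def decide(score: int) -> str:
    if score >= BLOCK_THRESHOLD:
        return "block"
    if score >= REVIEW_THRESHOLD:
        return "review"
    return "allow"


def evaluate_stream(events: List[CheckoutEvent],
                    rules: List[Rule] = DEFAULT_RULES) -> List[Tuple[str, int, str, List[str]]]:
    """Process events in time order with per-user history.
    Returns (user_id, score, decision, triggered rule names) per event."""
    history: Dict[str, List[CheckoutEvent]] = {}
    results = []
    for ev in sorted(events, key=lambda e: e.ts):
        past = history.setdefault(ev.user_id, [])
        score, triggered = score_event(ev, past, rules)
        results.append((ev.user_id, score, decide(score), triggered))
        past.append(ev)
    return results


def sample_events() -> List[CheckoutEvent]:
    """Constructed data: one ordinary purchase and one card-testing burst."""
    t0 = datetime(2014, 1, 15, 10, 0, 0)
    legit = [CheckoutEvent("alice", t0, 95.0, "tok_a1", 299.0, "USD")]
    tester = [  # four different cards in six minutes, a few seconds on the page each
        CheckoutEvent("mallory", t0 + timedelta(minutes=2 * i), 3.0, f"tok_m{i}", 49.0, "USD")
        for i in range(4)
    ]
    return legit + tester


if __name__ == "__main__":
    for user, score, decision, triggered in evaluate_stream(sample_events()):
        print(f"{user:8} score={score:3} {decision:6} {triggered}")
```

The point of keeping the rules as plain data rather than hard-coded branches is that the fraud team's observation can become a deployed rule within minutes, which is the speed-of-response advantage the text describes. In the sample, the first two attempts by the testing account pass as "allow" because no single signal is conclusive; the third attempt crosses the block threshold once the distinct-card rule joins the time-on-page rule.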
That process may sound daunting, but it’s increasingly within reach for smaller businesses. There are now many companies that employ “white hat hackers” (people knowledgeable in the techniques attackers use to penetrate sites) who use that skill to help companies identify and plug holes in their security.
99Designs works with fraud-fighting service SiftScience. We transmit the actions users are taking on our website and SiftScience crunches the numbers to determine if the actions seem fraudulent. Compressing the kind of data collection that used to take years into a rapid, real-time process is a game-changer for smaller businesses, which can benefit from the knowledge gained from larger companies.
A second way to improve security is to cease handling your own payments altogether. If you’re a small startup or a one-way vendor sending out a product, you can simply outsource your payments to a company that does security screening, like Stripe or Braintree.
Online vendors have traditionally collected credit card numbers and forwarded them to a merchant account to process, but this method is clumsy and outmoded. It also has other major downsides. If you reach a certain percentage of sales that results in chargebacks, your merchant account will cancel you. A few bursts of fraud can leave you without a payment processor for days, or longer — a devastating situation for a small business. Better to integrate an external payment form and let specialists in this area handle the security.
On the horizon a more sophisticated, though controversial, security technique is coming: device fingerprinting.
Browsers are designed such that a website can’t identify a repeat visitor unless the user chooses to leave a record by, for instance, turning on cookies. That protocol protects user privacy but makes it easier for criminals to repeatedly probe or defraud sites that can’t distinguish a new visitor from the one who paid them with a stolen credit card five minutes earlier.
Device fingerprinting will enable websites to link attacks originating from a single machine, even if the person has tried to cloak their footsteps. This technology is clearly walking a dangerous line between respecting users’ privacy and protecting their financial information. At 99Designs, we’re waiting to see how it develops before seriously considering implementation – as is the case with many online companies. But it’s a safe bet that device fingerprinting will become both more prevalent and less costly over time.
Maintaining a secure website is tough because the target is always moving. Still, taking some basic protections is often sufficient to drive away fraud. Your company’s goal is to be a more difficult target than others in the same market, such that the fraudster moves down the street after trying your door. But in fact everyone in the ‘neighbourhood’ needs to be vigilant, because there’s an ecosystem effect to these kinds of thefts. The more opportunities for fraud there are online, the higher the value of a stolen credit card.
To deter online fraud, we all need to bar our doors.