When it comes to fraud and cyberthreats – and most things, in fact – 2016 was a doozy. Will next year be even doozier? (Please, no!) After last year’s tongue-in-cheek fraud predictions post, we decided to gather some more earnest thoughts about what 2017 might hold.
1. Account takeover will be the next frontier of fraud
From Snapchat and Cisco to the Department of Justice and Yahoo, 2016 was the year that the general public realized that criminals want all their information – not just their credit cards. Any online business is vulnerable. In fact, researchers found that Netflix, Uber, and Facebook account info commands more money on the dark web than simple credit card details.
In 2017, we believe account takeovers (ATO) will take over (no pun intended) as the fastest-growing method of attack. In fact, findings from the soon-to-be-published Sift Science 2017 Fraud-Fighting Trends report reveal that 48% of respondents observed a rise in ATO last year.
There are a number of reasons why fraudsters are flocking to ATO. First, new business models offer new ways to steal (like setting up fake Uber driver accounts and charging “phantom” rides to stolen accounts). In addition, stolen identities or accounts are a richer form of data – they can be used to create more accounts or sign up for new credit cards.
Also, data breaches are providing plenty of fodder for ATO attempts: since so many people use the same username and password on multiple sites, one batch of compromised info could potentially unlock accounts all across the web. Finally, the technology to catch fake accounts has become pretty sophisticated, and is becoming more widely employed – while online businesses may still be figuring out what they need to do to prevent account takeover.
2. Data breaches will continue to come fast and furious
Some of 2016’s most notorious data breaches – and revelations of previous breaches – included major websites (Yahoo, LinkedIn, Dropbox, Weebly, Snapchat), the government (U.S. Department of Justice, Internal Revenue Service), and universities (UC Berkeley, University of Central Florida).
There’s no reason to think cyberattacks will slow in 2017. We predict there will be at least 12 major data breaches of social media sites, technology companies, and government agencies. This will lead to more compromised accounts, as well as individual high-loss events.
3. EMV’s unwelcome side effects continue
The move to chip-enabled credit cards and credit card readers was the biggest change the payments industry saw in 25 years, so it’s no surprise that there were bumps in the road. From concerns about the security of a signature (versus a PIN) to misguided efforts to speed up the process, general confusion has reigned. While some (like Mastercard) herald the decrease in counterfeit card fraud, the results haven’t been rosy for everyone.
Before the October EMV deadline, many fraud and payments experts speculated that rolling out more secure chip cards would have the unwelcome side effect of driving criminals toward online fraud to recoup that lost income. However, because of the prolonged rollout and slow adoption, the corresponding rise in CNP fraud has also been slower than expected. In 2017, we can expect to see CNP losses increase in more profound, measurable ways.
4. IoT botnets will wreak havoc
In 2017, the Internet of Things will continue to provide hackers with what they need to crash major internet services and infrastructure at scale. The massive DDOS attack of Fall 2016 – launched by a network of IoT devices transformed into bots – was just a harbinger of what’s to come.
Consumers and businesses alike may be wooed by the allure of smart machines in their everyday lives, but they may not be aware of any underlying security problems that put them (and their data) at risk. In fact, most people may not even be aware that their coffee machine or DVR or other IoT device has been compromised. And with manufacturers not adequately incentivized to patch security holes, fraudsters and hackers are left with plenty of access points.
5. Smart fraud prevention will increasingly be seen as a revenue driver
Customers have always come to us looking to solve their fraud and abuse problems, but over the past year we noticed an uptick in businesses starting the conversation by saying their primary goal is to increase their approval rate. And we’re seeing more cross-organizational conversations taking place from the get-go about how to mitigate risk without negatively impacting user experience.
Tuning your fraud prevention tolerance to a healthy balance that prevents fraud without turning away or alienating good customers requires some investment, but it can reap some serious rewards. Recent figures from Business Insider estimate that U.S. e-commerce merchants will lose $8.6 billion in falsely declined transactions by the end of 2016, compared to $6.5 billion in fraud prevented.
While not all of these declines take place on the merchant side, it is worthwhile to measure your fraud false positive rate to see if there are any small tweaks you can make to reduce it. And with all signs pointing to a future in which online experiences are increasingly mobile – and the payment process is increasingly invisible – removing friction should be a top priority for businesses that want to grow in 2017.
6. Machine learning is going mainstream
Speaking of increased approvals, we applaud Mastercard’s recent announcement that they are rolling out artificial intelligence to reduce false declines. It’s great to see a payments giant championing machine learning as a more accurate and effective way to minimize false declines, prevent fraud, and improve the customer experience – this validates what we’ve been hearing from our customers for the past several years.
Meanwhile, as we attend fraud, payments, and technology conferences, we’re increasingly seeing the discussion move from “should I use machine learning?” to a more nuanced “how can I best use machine learning?” or “what type of machine learning approach is right for me?” Prospects are looking for distinctions between the technological approaches offered by different fraud-prevention vendors. Overall, online businesses are realizing that not all machine learning systems are created equal.