DUBLIN -- Tuesday morning at MRC Dublin, keynote speaker Dr. Patrick Dixon, author of “The Future of Almost Anything” and founder and chairman of the forecasting company Global Change, presented some eye-popping statistics on payments fraud. He also provided attendees with a list of reasons why fraudsters will continue to thrive in this new, fraud-heavy paradigm that merchants currently find themselves in.
“We’re dealing with an epidemic, a pandemic, a plague,” he said. “We of all people are relatively sophisticated. We should know how to guard our stuff, and our stuff should be safer than most people’s. But we are being fleeced, filched and brutally attacked every single day.”
The numbers in ecommerce are exceptionally bad. In the United States alone, there is projected to be $19 billion in fraud losses in 2018. Up to 43 percent of U.S. ecommerce orders are fake in peak months. And 8 percent of all online merchant revenues are fraud in the U.S. “Ecommerce fraud is out of control in many nations, despite huge amounts of effort,” he said. “We’re only in the first hour of the first day of the ecommerce age, and quite frankly, it sucks. We have got to sort this out.”
According to Dixon, the greatest threat to the payments industry comes from institutional blindness. “The greatest insights in our world come often from a flash of inspiration as we talk to people across an industry, across a discipline, from one company to another, and we suddenly see something,” he said. So, to thwart fraud, merchants need to find a new way to look at the problem, he said.
One way to view fraud in a new light is to look at it the way that the fraudsters do. He asked attendees to pretend that, instead of attending a conference on payments and risk, that they were attending conference held by fraudsters. These types of conferences are real and take place both on the dark web and physically, in the real world.
Dixon provided 10 reasons why the fraud party is still going on.
- Massive data theft is still very common. Fraudsters have perfected the art of stealing hundreds of millions of email addresses every single day. For example, 3 billion Yahoo email accounts were compromised in 2017. “But we’re so blasé about it because it happens every single day,” Dixon said. “And there’s a huge gap between when something happens and when we hear about it. When you hear about it, it happened a year or two or three ago. This the biggest data crisis the world has ever known.”
- There has been rapid growth of digital payments around the globe. For example, India is in the process of wiping out cash. But as they do, their fraud exposure is going to skyrocket.
- There are a lot of ignorant people out there. Dixon noted that there are still people who fall for emails in which every word is misspelled—even the name of the company that the fraudster is impersonating.
- There is almost zero risk of being caught. Dixon noted that there is no area of criminality in which you are less likely to go to prison than fraud. Most fraud victims don’t even report the incident. And in the UK for example, 99.6 percent of the fraud that is reported never results in any prosecution. “You have to be really stupid or unlucky to go to prison for fraud,” he said. “And it’s even worse when you go across borders,” Dixon said. “When was the last time you heard about a criminal in the Czech Republic who has been fleecing people in Dublin? It just does not happen.”
- Impatient customers mean looser controls. Merchants can implement strong controls that cut down fraud down to a fraction, but that also will likely result in a dropoff in sales. Those that do experience this tend to scale back on security so their business doesn’t go under.
- Very large fraud targets exist. Up to 70 percent of the retail spending in many EU countries happens in less than eight companies. When targeting merchants in those countries, fraudsters only have to target a small group of organizations. And if they get inside those sites, if they’re good, they can live there for a year or more before their detected. “The key is to just not be greedy,” Dixon said. “Just take a little hit every day, so no one notices.”
- It’s easy to work in the dark web. Fraudsters are highly motivated, incredibly sophisticated, creative and innovative, Dixon noted. They are working together, and are constantly trying things out to test your systems. And again, if they do break in, you probably won’t notice for a long time.
- Customers are increasingly more mobile. In many nations, most web payments are already mobile. This creates a vulnerability, but it also can help to cut down on fraud if merchants use it properly. “Because we can plot their normal movements, we have a metric that enables us to start to classify the lifestyle they lead, the websites they normally look at, and if those things don’t fit, we can start to kick them out. So it’s very important we use this location data,” Dixon said.
- Very weak passwords are still common. People are still not making any effort to create unique and strong passwords; Dixon noted that one in 100 of all passwords is actually 123456. And that’s a huge problem; 25 percent of workers in banks, merchants and credit card companies try to access data they are forbidden to see, and 66 percent of them succeed. Why? Weak passwords. Furthermore, 43 percent of people use same password on all sites. But the problems are not solely one the consumer side; 40 percent of companies store passwords in Word, and 26 percent of IT professionals share passwords insecurely.
- There has been slow uptake of the latest weapons. The very latest antifraud tools are not being used by most organizations, Dixon explained. As a result, the time for a corporation to contain the damage from a fraud incident is 55 days on average. A lot can happen in that time.
Dixon advises merchants to hire white hat hackers who can find weaknesses in their websites. He asked attendees how many of them are currently doing this and very few people raised their hands. “We need to entice the talent out of the dark rooms and into the light so they're not hacking you,” he said.
He concluded by stressing that merchants can’t stop the fraud pandemic by going it alone; they need to collaborate. The need to share data with each other—both good and bad. “The only way to bring ecommerce into the future is with agile strategies and strong partnerships, backed by global leadership,” he said.