In the midst of the most recent winter storm of the century, a friend of mine posted on her Facebook page that now she knew the conditions were bad – the local mall closed.
I suspect that as most of the country seems to be buried under snow this winter, more people will turn to online shopping. While that’s good news for online retailers, it also means that they should be thinking about how to best protect the consumer from credit card fraud.
In a conversation, Reed Taussig, the president and CEO of ThreatMetrix, told me that he predicts improved fraud prevention will come through less reliance on cookies and personally identifiable information (PII). He said:
Historically, cookies and cookie equivalents such as local stored objects (LSO) have been used to identify devices to stop fraud and to authenticate returning customers. An example of this is when you log into your bank account or online brokerage account. In most cases you will see a message pop up which states, ‘Please wait while we authenticate your login.’ What the bank or brokerage company is doing is looking for a browser cookie or an LSO that identifies your device as one that they have seen before. If that cookie or LSO is not present, you may have purchased a new computer or are logging in from a friend’s or family member’s computer. The bank will typically issue some kind of challenge response like, “Who was your favorite teacher?” in order to authenticate that you are in fact you.
To make matters worse, recently, in response to user privacy concerns, the FTC has proposed new rules that will require customers to opt-in to accept cookies in order to stop overly aggressive advertising.
In other words, customers appear to be making it harder for companies to help prevent fraud by trying to avoid cookies being stored. As a SecurityWeek story pointed out:
Many fraud prevention solutions are being rendered ineffective as more consumers become concerned with online privacy. It’s harder to detect repeat visitors — and repeat fraudsters — as they are either deleting or blocking cookies themselves, or having cookies deleted via their computer security software. As such, a move toward cookieless device identification and device fingerprinting is becoming critical in preventing fraudulent transactions today.
To help with better fraud prevention, ThreatMetrix developed the ThreatMetrix Fraud Network, according to Taussig:
Using the ThreatMetrix Fraud Network our customers are able to validate the identity of an individual in the absence of PII. In contrast to most identity matching solutions such as Experian, TransUnion and Equifax, ThreatMetrix does not assert in the positive that John Doe really is John Doe. Instead ThreatMetrix provides a confidence score on a per transaction basis that a given identity may or may not be who that person claims to be.