
Digital banking

The biggest fraud threat of the year? There’s an app for that

Buy online and pickup in store has changed the way consumers shop due to the coronavirus. But does this new trend create a greater risk of fraud? Jeff Sakasegawa, trust and safety architect at Sift, shares his thoughts and insight on how a smooth user experience could raise the potential for fraud.



by Jeff Sakasegawa

COVID-19 caused a wave of retail customers to swap shopping bags for smartphones. And while Mom-and-Pop groceries set up shop on Uber Eats and curbside pickup exploded in popularity, e-commerce giants poured money into their apps. With three simple clicks a customer can easily create an account, shop and pay using a number of payment options. Although smooth user experiences equate directly to increased revenue, this ease sometimes comes with more risk.

Sift's research shows that general account takeovers rose by 282% between 2019 and 2020. This surge of ATO means that there are more consumer credentials available for fraudsters to leverage than ever before in retail apps. When combined with increased popularity of curbside pick-up, thieves are taking advantage of this shift in buying with a technique called 'buy online, pick-up in store fraud.'

Many apps do little to prevent stolen credit and debit cards from being used, unfortunately. Fraudsters simply create a new account with credentials stolen from the dark web and a throwaway email address, enjoy a streamlined shopping spree and then pick up their ill-gotten goods at the curb.

The best way to prevent this type of fraud is to identify and stop malicious behavior inside an app, before the order is ever placed.

Identify your customer
BOPIS fraud works so well through apps because criminals have found a way to bypass the vital tripwires of traditional security checks, like proving identification, providing a signature or even a physical delivery address.

Retailers need to look to other forms of data to understand their customers' usual behavior and spot telltale deviations. For example, speed of pick-up or distance between the customer's known location and pickup store may be equally important, and may point to something fishy.

Advanced velocity checks can detect changes in user behavior, whether through purchase volume or changes in device, address or payment method. By constantly evolving, these velocity checks allow for natural changes in customer behavior, while protecting against fraud.

Use the user
Device fingerprints — information collected about the software and hardware of a remote computing device for the purpose of identification — can uniquely identify the device and customer combination. When an app or account is used on a new device, additional checks on identity should be required. If you've flagged a device as being associated with fraudulent behavior in the past, this may also help prevent attacks in the future as fraudsters may cycle through stolen credentials, but often reuse their hardware.

Leave a cookie
The simplest method of identifying a device is by depositing a cookie on it when the user arrives at a specified website or completes an action. When an app is being used for the first time, there should be no such cookie, in which case further account validation should be carried out before stored payment details can be accessed or used. Each cookie is unique, making it as device-specific as possible and guarding against the use of freshly stolen accounts on new devices.
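The signals described in the sections above (pickup speed, distance to the pickup store, velocity of orders, changed payment method, flagged devices and a missing device cookie) can be combined into a pre-order check. The following is an added example, not code from the author or from Sift; the field names, thresholds, device IDs and sample orders are all constructed assumptions.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

FLAGGED_DEVICES = {"dev-9f3"}  # constructed: devices tied to past fraud

@dataclass
class Order:
    device_id: str           # device fingerprint
    has_cookie: bool         # cookie left on this device by an earlier visit
    payment_changed: bool    # payment method differs from the account's usual one
    known_location: tuple    # (lat, lon) the customer normally orders from
    pickup_store: tuple      # (lat, lon) of the chosen store
    minutes_to_pickup: int   # time between order and pickup
    orders_last_24h: int     # purchase volume for the velocity check

def km_between(a, b):
    """Great-circle (haversine) distance in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def signals(o, max_km=80, min_minutes=30, max_orders=3):
    """Return the names of the risk signals this order trips (thresholds assumed)."""
    checks = {
        "flagged_device": o.device_id in FLAGGED_DEVICES,
        "new_device": not o.has_cookie,
        "payment_changed": o.payment_changed,
        "distant_store": km_between(o.known_location, o.pickup_store) > max_km,
        "fast_pickup": o.minutes_to_pickup < min_minutes,
        "order_velocity": o.orders_last_24h > max_orders,
    }
    return [name for name, hit in checks.items() if hit]

def decide(o):
    """hold: flagged device or 3+ signals; verify: any signal; else allow."""
    hits = signals(o)
    if "flagged_device" in hits or len(hits) >= 3:
        return "hold"
    return "verify" if hits else "allow"

# Constructed sample orders: a regular customer, the same customer on a new phone,
# and an order that trips every signal.
SF, SF_STORE, LA_STORE = (37.7749, -122.4194), (37.7840, -122.4070), (34.0522, -118.2437)
regular = Order("dev-a11", True, False, SF, SF_STORE, 120, 1)
new_phone = Order("dev-b22", False, False, SF, SF_STORE, 120, 1)
suspect = Order("dev-9f3", False, True, SF, LA_STORE, 10, 5)

if __name__ == "__main__":
    for name, o in [("regular", regular), ("new_phone", new_phone), ("suspect", suspect)]:
        print(name, decide(o), signals(o))
```

A "verify" result corresponds to the extra identity check before stored payment details are used; "hold" stops the order before it is placed.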

COVID-19 has seen an explosion of innovation from retailers trying to maintain customer relationships and protect the shopping experience in the face of unprecedented challenges. Reliance on mobile apps will likely be the consumer buying preference throughout the remainder of this pandemic and beyond. But this innovation need not lead to a shopping spree for fraudsters; by looking outside typical customer data and building new types of behavior models, fraud prevention teams can help retailers and customers enjoy their apps and kick fraud to the curb.


Jeff Sakasegawa

Jeff Sakasegawa is a Trust & Safety Architect at Sift who helps customers implement strategies that cross-functionally align risk and revenue programs and ensures online experiences are safe from all vectors of abuse. His experience is in the online payments space, and he’s led various risk management and compliance teams at Google, Facebook, and Square.
