GlobalSign Blog

10 Feb 2016

How to Spot Fraud in eCommerce Transactions

In real life, I'm me. In digital life, I can be you or Mickey Mouse, or better yet Spiderman, or even better… Superman. There's no limit in the digital world. In the real world I'm hampered down by my inability to climb walls, swing around the city, or fly faster than light around the globe. In the real world I can catch bad guys if I have the courage but I might get my biometric identifiers mashed up while doing so (facial recognition, broken nose and/or jaw, eyes swollen shut etc.).

The problem with eCommerce transactions

The anonymity of the digital world is giving a headache to all online commerce vendors. One of the first steps in doing any kind of eCommerce transaction online is to require the visitor to register. This is one of the biggest hurdles in online commerce, be it B2C or B2B.

A consumer user will often avoid complex and convoluted registration forms and turn away—choosing to do business elsewhere without these barriers. A business user expects to have smooth access to external services without any extra hassle. Unfortunately, this is not the world we live in. Yet...

Too many times online sites fall for the attribute trap. They want to know everything about their customer, so they require too much info upfront. Wouldn't it work with less information? Or perhaps using external information sources to expedite the registration process? Using a third party source, who has already vetted the identity at some point, would be a great way to speed up customer conversion.

How to spot an eCommerce fraudster

To spot a fraud, you have to use a source where the true identity of the user has been verified at some point. Clark Kent trying to register to your online site won't get far unless an independent source can actually confirm his home address of now extinct Krypton, which might prove to be a tad difficult. It's gone.

Leveraging an existing identity, such as an eID, is one option. Unfortunately, eIDs are not enjoying the success they should have outside of a few countries. But, there are other sources where a verified digital identity can be queried.

Banks in most parts of the world implement a stringent registration process in order to become a customer. Mobile Network Operators (MNOs) confirm the identity of their subscriber in most cases, leaving out the so called burner identities, or pre-paid subscriptions without any link to an existing credit card or other personal identifier. This varies from operator to operator and from country to country, but in general, financial institutions and MNOs are a good source in spotting a fraud.

How financial institutions and mobile network operators spot fraud

Financial institutions and MNOs have a repository of vetted identities. They know our name, our address, email, phone number and various other attributes and they have done their job in vetting these attributes. Otherwise, Mr. Kent would be out of gas, have no access to his money and unable to send a text message.

The companies holding these identities can act as Identity Providers, or attribute providers. This information could be used for our benefit, with user consent, to improve our experience with other digital or third party services. Emphasis on user consent.

The API-economy is all about machines talking to other machines. If you have an online site, you could utilize the API exposed by a third party to acquire user attributes. You can use the multiple standards available to confirm the identity of an online user from a third party and make sure that person is actually Superman and not Bizarro.

Federation protocols, such as SAML and WS-Federation, have been around for a while and they have established themselves as the de-facto protocols in transferring identity information from one domain to another. OAuth, OpenID Connect are more recent ones, relying on the trust infrastructure of the internet and being very friendly towards the developers. The most recent one is now Mobile Connect.

Mobile Connect is a specific implementation of the OpenID Connect protocol, but it has the most potential to disrupt everything we know about authentication.

The promise of a global identity with Mobile Connect

If you think of your own situation, you will think of your customer experience. We all have too many passwords. I can barely keep up with all the different passwords I have used to register as "Superman not Bizzaro". As users, we don't want another password.

Mobile Connect can provide a single global identity. If you are eBay or Amazon, or the local bike shop, Mobile Connect can deliver you an identity. What's more important, Mobile Connect can deliver, with the users consent, attributes about your online customers. So, I urge you to look up the Mobile Connect program from GSMA.

With Mobile Connect, a true global identity could be easily and readily available and it's tied to our phone number.

GlobalSign Identity and Access Management (IAM) solutions help online services to create cost savings, improve customer experience and increase conversion rates. Contact us now to hear more.

Visit GlobalSign at Mobile World Congress Feb. 22-25, 2016 in Hall 7, Stand 7J12 (Meontrust booth) to learn more, or register to our upcoming Mobile Connect webinar.

Share this Post

Subscribe to our Blog