How to Detect Identity Theft in Ecommerce

Knowing who your ecommerce customers are is the first step to reducing chargebacks and return fraud.

How can you trust they’re real? Detect identity theft as soon as possible.

Why Is Identity Theft a Problem for Ecommerce?

Identity theft creates opportunities for fraudsters to appear legitimate online. They can use stolen IDs, credit cards, and even full ecommerce accounts to exploit your online store and make money.

This is what identity theft means for merchants:

• Higher chargeback rates: Fraudsters will use stolen IDs and credit cards to purchase goods or services. When the legitimate cardholder realizes what happened, they issue a chargeback request, which means money out of your pocket.
  
• Lost items and goods: A direct consequence of chargebacks is that your stock gets depleted without it being paid for.
  
• Chargeback admin fees: Adding insult to injury, you have to pay a chargeback fee. Even if you successfully dispute a chargeback, this is wasted admin hours.
  
• Reputational damage: Customers whose credit cards were illegally used on your site make negative associations with your brand and sometimes even speak up on social media, causing your name to suffer.
  
• Higher card payment fees: If your chargeback rates increase drastically, card operators will charge you more for each payment. Some may even ban you from using their network.

It all adds up to give you every incentive to detect stolen, synthetic or fake identities as soon as possible. 

How Do You Detect Identity Theft in Ecommerce?

For many online stores, the issue isn’t simply to detect bad users who rely on stolen identities; it’s also to do it without adding too much friction to the shopper journey.

As every online store owner will know, any obstacle between the user and their purchase leads to higher rates of cart abandonment and churn. 

With the above in mind, here are options you have to validate user IDs without a heavy KYC process:

• Perform light KYC checks: KYC (Know Your Customer) is a legal requirement in industries like banking, but there are advantages to following the same principles in retail. By performing quick checks to validate IDs, you can get a better idea of who you’re dealing with (and who you’re shipping to).
  
• Enrich existing data: At the bare minimum, your customers will have an IP address to connect to your site. You can learn a lot from that data by enriching it (connecting it to extra information). The same goes with their device, or even an email address and phone number.
  
• Learn more about card types: Card numbers contain useful information about the kind of payment method you are processing, some of which are riskier than others. It can be a prepaid card, for instance, or an exclusive card. The key is to retrieve that information using a credit card BIN lookup.

An important point to note is that not all suspicious card or IP data will point to identity theft. What this highlights, however, is that you should pay more attention at the checkout stage. 

This is why identity theft detection is only as good as your risk management strategy. For most online retailers with an anti-fraud prevention system in place, this is where risk rules come into play.

Top 3 Custom Rules for Identity Theft in Ecommerce fraud

When it comes to identity theft protection for ecommerce, all the risk rules you deploy will help answer the same question: is that person really who they say they are? Let’s look at three concrete examples.

#1: Card and IP Address Don’t Match

We’ve covered the importance of understanding and enriching card data above, but here’s a real-life example that can help you see how that may help separate good from bad customers. 

In the example above, we have a bad card payment with an incorrect CVV, but there may be worrying evidence if the US card user’s IP points to another country.

For instance, below we have set a rule to flag the sale whenever the card was issued in the US but the shopper’s IP is in Russia.

Of course, people do travel, and not everyone who uses a US card in Russia is a fraudster.

But the key is to be able to spot these potential red flags. Once we know this, we can take it into account together with hundreds of other data points to evaluate how risky the shopper in question might be.

#2: Email or Phone Has Not Been Registered on Social Media

This is an example of data enrichment based on an email address or phone number only.

A tool like SEON can check if they have been used to register to social media sites as varied as LinkedIn, Twitter, Patreon, Quora, Netflix, and Airbnb, among others. 

Why is this important?

In today’s digital landscape, it’s extremely unlikely to deal with people who have no social presence whatsoever. While social media platforms tend to be location-specific, SEON can check 50+ networks worldwide, which should definitely raise red flags if no profiles are found at all. 

Here again, a lack of social presence doesn’t necessarily mean your customer is using a stolen identity. However, it increases the chance that something fishy might be happening. 

#3: Device Fingerprinting Returns Suspicious Data 

Understanding how users connect to your store is also a great way to learn who they are.

In the fraud detection world, this is done via device fingerprinting. The method allows you to learn to extract metadata on your customer’s software and hardware configurations. 

How does this relate to identity theft?

Well, fraudsters must try numerous stolen identities before they can target your store. That means switching devices, browsers, and IP address constantly. Because it’s so time-consuming, they use tools such as emulators and virtual machines instead, which allow them to make it appear as if they’re different people.

Luckily for you, seeing that data in real-time can help you:

• see when spoofing methods are deployed
• create identifiers for each unique device

The latter is particularly effective when it comes to protecting user accounts. Is a loyal customer suddenly connecting with a brand new device, IP address, and paying with a prepaid card? You should be extra vigilant.

How SEON Helps Ecommerce with Identity Theft

SEON offers a full fraud prevention solution for online stores, available via the end-to-end platform, APIs, as a Google Chrome plugin, or even a Shopify fraud detection apps.  

The key is to give you as much data as possible to understand who your customers are – without having to ask for extra information. 

You can use that data to:

• spot connections between accounts (to avoid bonus abuse and spot fraud rings)
• reduce chargeback rates from fake users
• stop identity and card theft on your website
• prevent return fraud
• and more…

The anti-fraud modules can be deployed at several touchpoints, including the transaction stage, signup, and even at login to ensure only your legitimate customers have access to their accounts on your platform.

FAQ

Sources

• Statista: Value of e-commerce losses to online payment fraud worldwide in 2020 and 2021