Everyone knows detecting fraudulent e-commerce activity is crucial, but how do you know when something is up?
Fraud detection provider Simility aggregated patterns across 500,000 browser-based devices throughout January 2016. Analysts looked for patterns in the 10,000 (or 2%) of those devices that were in the hands of fraudsters and contrasted those with the other 98% of devices in the hands of good or “organic” users.
Simility discovered seven anomalies that were leading indicators of fraud:
1. 32-bit OS running on 64-bit processors: A transaction is eight times more likely to be fraudulent if the device configuration matches this description. Simility analysis indicates this is often because fraudsters use “cracked versions” of older Windows machines which are imaged and then explicitly programmed for greater control.
2. Fresh cookies without old cookies: Fraudsters clear their cookies 90% of the time, whereas organic users clear cookies only 10% of the time. Thus cookie age is a strong fraud signal, and browser cookies are more likely to be good the older they are.
3. Null values: Browsers have a “Do Not Track” feature. For organic/real users, the possible options are “Yes”, “No”, and “Unspecified.” The default setting is “No” 70% of the time. With fraudsters, this value is often “null”, which is not among the possible organic values. There are more browser configuration parameters where fraudulent devices have values other than the possible organic values.
4. Flushed browser referrer history: Fraudsters often flush their browser referrer history. Less than 5% of the organic population explicitly filters their referrer history using third-party plugins or extensions. Fraudsters as a population are five times more likely to do this.
5. Fraudsters don’t use Macs: Windows desktops and laptops have a dominant organic market share (90%-plus overall) and 70%-plus among the sampled users. However, more than 96% of fraudsters use Windows.
6. Fraudsters do not install a lot of plugins and extensions: Ninety percent of fraudsters have fewer than five plugins in the browser. By comparison, good users have more plugins, and in fact 5% of the organic population have more than 25 plugins/extensions installed.
7. Fraudsters don’t go incognito: A user in “private mode” is more likely to be good than bad. Surprisingly, fraudsters do not enable private mode. Organic users are three times more likely to prefer private mode.
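
One way to combine these indicators into a single risk score is a naive Bayes update on the 2% base rate, sketched below as an added example (not Simility's code or model). It assumes the signals are independent and reads each "N times more likely" figure as a likelihood ratio; the field names are hypothetical, and the plugin-count signal is left out because the article gives no organic rate for it.

```python
import math

PRIOR_FRAUD = 0.02  # article: 10,000 of 500,000 devices were fraudulent

# Likelihood ratio P(signal | fraud) / P(signal | organic), as
# (value_if_present, value_if_absent). None = the article gives no figure
# for that case, so it leaves the score unchanged. Field names are hypothetical.
LIKELIHOOD_RATIOS = {
    "os32_on_cpu64":      (8.0, None),                  # "eight times more likely"
    "fresh_cookies_only": (0.90 / 0.10, 0.10 / 0.90),   # 90% vs 10% clear cookies
    "referrer_flushed":   (5.0, None),                  # "five times more likely"
    "windows":            (0.96 / 0.70, 0.04 / 0.30),   # 96% vs 70%-plus in sample
    "private_mode":       (1.0 / 3.0, None),            # organic 3x more likely
}

# Do Not Track values the article lists as possible for organic users.
ORGANIC_DNT_VALUES = {"Yes", "No", "Unspecified"}


def score_device(device):
    """Return (posterior fraud probability, list of signals that raised it)."""
    log_odds = math.log(PRIOR_FRAUD / (1 - PRIOR_FRAUD))
    reasons = []
    for name, (lr_present, lr_absent) in LIKELIHOOD_RATIOS.items():
        if name not in device:
            continue  # attribute was not collected for this device
        lr = lr_present if device[name] else lr_absent
        if lr is None:
            continue
        log_odds += math.log(lr)
        if lr > 1:
            reasons.append(name)
    # The article gives no rate for null DNT, so it is flagged, not weighted.
    if "dnt" in device and device["dnt"] not in ORGANIC_DNT_VALUES:
        reasons.append("dnt_out_of_range")
    return 1 / (1 + math.exp(-log_odds)), reasons


if __name__ == "__main__":
    # Constructed sample devices, not real data.
    suspicious = {"os32_on_cpu64": True, "fresh_cookies_only": True,
                  "referrer_flushed": True, "windows": True,
                  "private_mode": False, "dnt": None}
    typical = {"os32_on_cpu64": False, "fresh_cookies_only": False,
               "referrer_flushed": False, "windows": False,
               "private_mode": True, "dnt": "No"}
    for label, dev in (("suspicious", suspicious), ("typical", typical)):
        prob, why = score_device(dev)
        print(f"{label}: p(fraud)={prob:.4f} signals={why}")
```

Because the signals are correlated in practice (a cracked Windows image implies Windows, for example), the multiplied ratios overstate confidence; the output is better used for ranking devices for review than as a calibrated probability.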