Everyone has heard about it by now. Equifax, a provider of credit scores, was hacked between May and July of this year. PII (Personally Identifying Information) for about 140 million Americans was potentially compromised, as well as the details of over two-hundred thousand credit cards.
We’ve been hearing a lot of concerns from merchants that the Equifax breach could result in more fraud attacks and chargebacks for their eCommerce stores–and wondering if they need to be more cautious in approving orders now. But despite some recent scary headlines, we’d like to urge eCommerce retailers to stay calm. Overreacting to this breach is likely to cause more problems than it solves.
While the scope of the fallout for individuals remains to be seen, we believe the effects of this breach will be relatively minor for eCommerce merchants and fraud review teams. As we near the date where chargebacks from this period would have ‘matured’, we are yet to see unusual rates of fraud for July and August. Moreover, we’re quite skeptical that even if we had observed an uptick in fraud, it would be due to the Equifax breach. Here’s why:
This isn’t primarily a credit card breach.
Two-hundred thousand might sound like a lot of stolen credit cards, but historically this is a drop in the bucket. To put this number in perspective: the Target breach in 2013 resulted in 41 million stolen credit cards, and the Home Depot breach in 2014 resulted in between 50 – 60 million compromised cards.
This is not to trivialize this breach of credit card information. For the affected card holders, this situation presents an inconvenience at best (replacing their cards) and a financial loss at worst (if they fail to notice a fraudulent purchase and report a chargeback). Some experts are even cautioning people to preemptively freeze their credit to protect from identity theft.
But from a merchant’s point of view the stolen card details are unlikely to change the fraud landscape: prior to this breach there was no shortage of stolen cards already available for purchase on the dark web.
Even if going forward the card details stolen from Equifax increase the number of CNP attacks, review processes that in the past were effective at detecting if someone other than the cardholder was making the purchase should perform just as well today. Changing your review process to be more risk averse is only likely to cause problems – like turning away good customers.
Stolen PII is unlikely to lead to a bump in CNP fraud
It is true that stolen personal information, including Social Security and Driver’s License numbers, can potentially result in insurance and social security scams, or attempts to defraud banks into sending transfers.
Which is precisely the point: stealing an identity is a time and effort intensive type of fraud. Fraudsters who go to this trouble are after the big score, and unlikely to risk being unmasked in order to steal a pair of sneakers or an airline ticket.
Even for the merchants we were the most concerned about after the breach – those who sell gold or digital gift cards (ways to essentially just buy money) – we haven’t seen any anomalous behavior to indicate that there’s been a spike in the rate of CNP fraud attacks.
Even when fraudsters get creative, merchants have recourse
There has been nervous speculation among some merchants that information from the Equifax breach could be used in a particularly frightening way: fraudsters might be able to use the stolen PII to open new credit cards in somebody else’s name, or to change card details (like billing addresses) in order to fix mismatches that would otherwise be giveaways of fraud.
This is definitely a troubling thought. But in practice, fraudsters would have a tough time pulling this off. For starters, banks are aware that PII is an increasingly unreliable way of verifying identity, and are leaning on more effective measures, like voice recognition.
But even if fraudsters are able to create phony cards, many existing tools are sophisticated enough to catch them. Machine learning and linking systems that Riskified uses to detect fraud can weigh factors like how frequently a shopper has changed credit cards, how many credit cards are in one person’s name, the distance between a new billing address and old billing address, if a new billing address matches the customer’s identity in directories like Whitepages, IP address, proxy use and so on. Furthermore, behavioral analytics, which measure how customers behave on a merchant’s website, don’t depend on any card information to differentiate between fraudulent and legitimate shopping patterns
The bottom line is don’t be afraid. If what you were doing before was working, keep doing it. There will almost certainly be breaches in the future that more directly impact CNP fraud rates. We’ll cross that bridge when we get to it. Until then, keep calm and keep selling.