Sharing economy services have made headlines by seamlessly connecting buyers and sellers of services from transportation and lodging to dogwalking and housecleaning. The peer-to-peer rental market alone was estimated last year to be worth upwards of $26 billion.
But, security experts say, the new breed of online services have also made it easier than ever for scammers armed with stolen credit card numbers to extract funds from those accounts.
Credit card fraudsters have long used e-commerce sites to spend other people’s money, says John Canfield, the vice president of risk at WePay, a payment processing platform in the vein of PayPal and Stripe. At least since the early 2000s, credit card thieves have used stolen cards, or account info they’ve acquired after one security breach or another, to buy resellable items on e-commerce sites like Amazon, eBay, and their smaller competitors, he says.
Those scam artists then had to deal with the logistics of receiving the ill-gotten goods and re-listing them on another website or otherwise converting them into cash, says Canfield, who spent nearly a decade on eBay’s Trust & Safety team.
But sharing economy apps, and other online services like crowdfunding sites are changing the equation. In peer-to-peer markets, designed to allow users to both make and receive payments easily, fraudsters can take both sides of a transaction, effectively buying from themselves with someone else’s credit card and, if they’re lucky, disappear with the money before anyone’s the wiser.
“With these platforms, there’s opportunity, because they make it easy for people to get started—yes, I’m going to be a doggie babysitter, or yes i’m going to do this crowdfunding,” Canfield says. “There is an opportunity for the fraudster to act like the recipient of credit card payments.”
To commit fraud in the sharing economy, thieves may hijack valid accounts and associated credit card information–digital security firm ThreatMetrix estimates about 1 in 20 login attempts are fraud attempts on e-commerce sites it works with–or set up new accounts with the credit card numbers that circulate on shady corners of the web after payment system security breaches.
Criminals then pay a seller account also under their control for services that never take place–walking nonexistent dogs, backing fictitious crowdfunded projects, or whatever the victim site allows—and extract the funds to a prepaid debit card or even an online bank account created with more stolen credentials, says Canfield.
“They will work to create a false identity that will get by whatever screening that platform has–obviously the less screening they have the better,” he says. “What we found is that most fraudsters are able to come in with perfect identity information–social security information, birth dates, mailing address for the identity they’re trying to be.”
Ultimately, the marketplace site can be left holding the bag, hit with credit card chargeback fees when account holders or banks detect the fraudulent transactions, unless site operators manage to block them before they happen. Canfield says it’s difficult to estimate the exact amount of fraud that already passes through such sites, but he suspects the problem will grow as new sharing and marketplace sites come online.
“The interesting thing with these platforms, the marketplaces, the business tools is, are they in a position to protect themselves?” Canfield asks.
WePay’s new payment system, WePay Clear, handles fraud detection for apps and sites that use it, as does Stripe.
The trick, says Canfield, is recognizing unusual transactions as they happen.
An article by Andreas Baumhof, the CTO of ThreatMetrix, cites suspicious signs like one device registering a series of accounts, or new accounts being created by a known-compromised device or a proxy.
“It would be unusual if I’m signing up to be a seller on your marketplace, but I’m doing so hidden behind a proxy,” says Alisdair Faulkner, ThreatMetrix’s chief products officer. “There are straightforward things that businesses can do to automate this type of detection.”
Stripe offers other telltale signs of fraud on its website, including
- Unusually large orders
- Rush orders
- Use of international cards or orders with international shipping addresses
- Many smaller transactions made with similar or the same card numbers, especially over a short duration
- Use of obviously or likely-fake information in the transaction (such as fake phone numbers or gibberish email addresses like firstname.lastname@example.org)
Big sharing economy platforms like Airbnb or Uber, or clients of payment providers like WePay, have the advantage of big data, Canfield notes, giving them more examples of normal and shady, anomalous behavior.
In general, there are steps any site can take to reduce fraud, ideally without making it too much harder for typical users to sign up. One option is analyzing social media profiles of new users: Anyone can set up a Facebook account, but it’s hard to fake years of activity.
And to reduce account hijacking, sites can boost the use of multifactor authentication, and techniques like throttling users who are clearly trying multiple usernames or passwords.
“One of the things that we do that’s very, very effective is we can see, is the device used by the seller the same that’s used by a buyer?” says Faulkner. “That’s clearly a dead giveaway.”
Criminals can take more complicated steps to hide their tracks, like using multiple computers in multiple locations, or logging in through proxy servers, but with enough data, those tricks will still either stand out from ordinary transactions or require so much time and resources that fraudsters will get discouraged, he says.
“It does become expensive to continually change your devices, change your connections—and if you do a good enough job on a marketplace, fraud goes elsewhere,” Faulkner says.
But fraud prevention is often a cat-and-mouse game, as criminals adjust their habits to evade detection or see how much they can get away with.
“It’s like a scientist—they’re doing experiments all the time: trying this, trying that, trying this, trying that,” Canfield says. When companies do detect fraud, it’s critical to act quickly. “You really have to drop everything and get your engineering department to quickly make adjustments yourself and as quickly as possible find a fraud vendor or a partner who can help protect you,” he says.
Startups may tend to focus more on building their products and services than preventing fraud, Canfield says. But thieves are always on the lookout for new targets, he says, along with new platforms where they can ply their trade.
“There are these groups and individuals just searching, searching, searching for any place that has vulnerabilities,” he says.