People looking to try out Netflix and watch Squid Game may be shocked to find a price of $4 per month on offers online, way below the standard $13.99 per month list price. Unfortunately, those offers are probably too good to be true — and are likely two-week trial offers harvested en masse and packaged by fraudsters in violation of the terms of service.
Consumer brands and publishers of web applications today face a problem with rapidly growing fraud attempts like this. These are not attempts to break into accounts or steal identities, nor are they explicit attempts to steal merchandise at checkout. Rather, these types of fraud abuse the business logic of legitimate promotional efforts, or they steal credits or points that have monetary value but are not themselves saleable merchandise or services. Dozens of major brands, including Dunkin’ and Netflix, have all suffered or are suffering big attacks. The attacks range from coupon fraud and free trial fraud to gift card theft to loyalty points abuse. This is the post-login wasteland, and it is largely unaddressed by existing fraud solutions.
What is the post-login wasteland, and why does it matter?
Most online fraud prevention solutions focus on two transactional activities. The first is the login to a storefront or website. Common methods to secure access include different CAPTCHA challenges, multifactor authentication and verification questions. Behavioral analysis of login attempts deploys numerous data points to protect against fraudulent users and automated attacks.
The second area of tight scrutiny is the checkout or payment, which is when a user actually tries to pay for something (i.e., products or services). Fraud detection solutions look at payment types or credentials and payment patterns to determine whether the buyer and the payment are legitimate. This bias is understandable. Those two activities are excellent choke points for heading off some of the worst types of fraud, such as credential stuffing and payment fraud.
One clear observation is that accounts can be taken over through methods that bypass login protection, such as malware and social engineering. This calls for a deeper look at the post-login user’s journey as a second line of defense to better detect and prevent account takeover (ATO) attempts.
With regard to the second traditional “checkpoint,” modern applications have many other touchpoints that can be used for fraud. The move toward building deeper and ongoing relationships with customers, and the new variety of promotional and revenue retention activities, creates many new fraud opportunities that don’t go through the payment path.
One such example is loyalty points or credits available to a specific account that can be used or transferred. Another example is a transaction that can be used to launder money or deplete funds between different users on marketplace sites.
A different direction could be discount code harvesting. Brands often issue discounts to unsatisfied customers automatically or to new and referred users. Smart attackers can exploit this by automating a large number of complaint emails linked to spoofed email addresses and harvesting the discounts for resale online. Solutions focused primarily on login or purchase often miss these creative fraud attempts.
In addition, there is the risk of theft of customers’ personally identifiable information (PII). Theft of PII may be quite damaging to a brand. Fraudsters today are looking to leverage PII stolen from one merchant to use in attacks against many others, as well as for identity theft and financial fraud like opening new credit card accounts.
How To Address The Post-Login Wasteland
Protecting against these blind spot attacks requires a shift of focus. Existing solutions ask the following questions at the aforementioned two points of transaction. At login, solutions ask, “Are you a human or a bot?” and “Do you have the right credentials?” At payment, solutions basically ask, “Are you trying to rip us off?” The question they need to ask, constantly and more intelligently, is, “Are you who you say you are?” By applying this framework to defending their applications, online merchants can get to the root of the problem by establishing more continuous attribution and verification of identity and legitimacy across all behaviors.
The key to solving this problem is to better analyze user sessions and behaviors and build more accurate profiles of whether users are who they say they are. Equally important, IT security teams and e-commerce operators should adopt a broader view of what damage might be caused by account takeover or fake account creation in the post-login wasteland.
For example, this approach can help to identify a spike in redemptions of free trials across multiple accounts, meaning you can insert a multifactor authentication challenge into the trial redemption process to prevent repackaging and resale of free trials. Or a solution might recognize anomalous behavior patterns like accessing account data directly after login from a new device to identify possible instances of PII harvesting.
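The two signals just described, written as detection logic over post-login events. This is an added example, not code from the article or from any fraud product. The event fields, action names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

# Constructed sample events (not real logs): (epoch_seconds, account, device_id, action)
EVENTS = [
    (1000, "alice", "dev-a1", "login"),
    (1300, "alice", "dev-a1", "view_profile"),
    (5000, "alice", "dev-zz", "login"),         # device never seen for alice
    (5004, "alice", "dev-zz", "view_profile"),  # account data 4 s after that login
    (6000, "t1", "dev-f", "redeem_trial"),
    (6010, "t2", "dev-f", "redeem_trial"),
    (6020, "t3", "dev-f", "redeem_trial"),
    (6030, "t4", "dev-f", "redeem_trial"),
    (9000, "bob", "dev-b1", "login"),
    (9500, "bob", "dev-b1", "redeem_trial"),    # isolated redemption, no spike
]

PII_ACTIONS = {"view_profile", "export_data"}   # assumed action names

def detect(events, pii_window=30, spike_window=60, spike_accounts=3):
    """Return (signal, account, time) alerts; thresholds are illustrative."""
    known = defaultdict(set)   # account -> devices seen so far
    new_login = {}             # (account, device) -> time of login on a new device
    recent = deque()           # (time, account) trial redemptions inside the window
    alerts = []
    for ts, acct, dev, action in sorted(events):
        if action == "login":
            # The first login ever seen for an account only seeds its baseline.
            if known[acct] and dev not in known[acct]:
                new_login[(acct, dev)] = ts
            known[acct].add(dev)
        elif action in PII_ACTIONS:
            # Account data read shortly after a new-device login: possible PII harvesting.
            t0 = new_login.pop((acct, dev), None)
            if t0 is not None and ts - t0 <= pii_window:
                alerts.append(("pii_after_new_device", acct, ts))
        elif action == "redeem_trial":
            # Sliding window over redemptions; count distinct accounts, not events.
            recent.append((ts, acct))
            while recent and ts - recent[0][0] > spike_window:
                recent.popleft()
            if len({a for _, a in recent}) >= spike_accounts:
                # Candidate point for the step-up (MFA) challenge on redemption.
                alerts.append(("trial_spike", acct, ts))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

A production baseline would persist known devices and tune the windows per application; the point here is that both checks run on events that occur after login and outside checkout.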
Conclusion: Change Of Focus To Face The Future
Answering that single question, “Are you who you say you are?” is now a critical challenge for online brands that want to protect their customers, reputation and finances. On a more positive note, answering this question can provide a strong complement to legacy security solutions. This approach adds a strong additional layer protecting against any and all types of fraud, such as login and purchase fraud.
More broadly, this change of focus is part of the ongoing evolution of solutions to safeguard online services. To match the creativity of fraudsters, tech solutions must have greater insights into what behaviors are normal and expected, and what behaviors are out of bounds. Applying this perspective can help address the post-login wasteland and put brands in a stronger security position against unknown future attacks that exploit the constantly evolving nature of online services.