
Online Fraud & Security

Online fraud and security breaches remain a real risk for Irish businesses as online shopping continues to grow, aided by advances in payment gateways, increased business adoption of eCommerce and growing customer familiarity with the benefits of shopping online.

Given this continued climb in the number of digital shoppers, the need for Irish businesses to remain vigilant about their online security software and systems is as important as ever against the threat of cybercrime. While the 3DS2 protocol has increased online payment security, there are other threats you must be aware of.

3DS2 & Strong Customer Authentication

The 3DS2 protocol reduces the risk of online fraud and makes payments more secure because businesses and their payment provider submit additional data with each transaction to the cardholder’s bank (the issuer).

When the submitted data matches what the bank requires and the bank is satisfied that the cardholder is the person making the transaction, the transaction can continue on a “frictionless” flow and will not need any user input.

Some transactions will require an extra step, with additional authentication from the cardholder to ensure the purchase is genuine. The protocol also allows frictionless processing through the use of exemptions, under which the Strong Customer Authentication (SCA) challenge is bypassed.

If a transaction is enabled with 3DS2, liability for a fraudulent transaction lies with the issuer, as the issuer deemed the transaction to be legitimate. If a transaction is “not enabled” and is successful, the liability remains with the merchant. Merchants can also avail of exemptions to increase the number of transactions that do not require additional input from the cardholder, but this can shift some liability back to them depending on the circumstances.

Check out our FAQ guide on 3DS2 and SCA for an informed overview of how they work to protect your business and customers, while keeping online payments as frictionless as possible.

Protecting your online systems and data

Unauthorised access to your online shopping systems can lead to major business disruption, financial losses and reputational damage, including the withdrawal of your payment facility by the card scheme(s) and card scheme fines of up to €20 for each individual compromised cardholder account.

Given the very tangible impact an online breach can have on a business’ finances and reputation, online fraud prevention is better and far less costly than seeking cybercrime cures. Below we have highlighted some of the potential threats and preventative measures you can take to keep your online business safe from hackers.

Threat: Weak and out-of-date passwords pose a cybercrime risk

Weak passwords still remain an easy target for hackers looking to breach online platforms and software. Data and systems should never be protected with passwords that can be guessed easily like family names, favourite sporting teams or musicians.

Obvious number sequences, like 123456, and words made up of letters immediately adjacent to one another on a keyboard still remain popular password options that can leave businesses exposed. Reusing the same password for a multitude of uses and not updating your passwords only heightens vulnerabilities.

Prevention: Make sure staff, devices and operational software use strong and regularly updated passwords.

Ideally passwords should be 12-15 characters long, consisting of a seemingly random collection of uppercase and lowercase letters, numbers and special characters, like punctuation.

These passwords should be changed at least every 30 days, with regular reviews of staff access and permission levels, and deletion of accounts that are no longer required.

Threat: Ransomware and Malware attacks can cause serious damage

Malware and ransomware (where attackers demand a ransom to restore access) are on the rise and can bring your business to a halt by preventing access to computer files, systems and networks, or through the loss, theft or compromise of customer, payment and business data, leading to major business disruption and losses.

Prevention: Run the latest anti-virus / anti-malware software on your eCommerce platform

Along with making sure your anti-virus/anti-malware software is running properly and kept up to date, you should also ensure that you or your web-hosting provider have implemented a web application firewall (WAF) or additional intrusion-detection technologies.

The data transferred between a customer’s browser and your website’s server should always be encrypted using TLS (HTTPS) with a valid certificate.

Threat: Delaying the installation of security and software patches

Criminals rely on complacency and delays, so make it a priority to stay up to date. Every day an available patch is left uninstalled, you may be exposing your business to an increased risk of intrusion, fraud, financial losses and reputational damage.

Prevention: Make sure the latest software and security patches are installed as soon as they are available

Software and security patches, including ones for your shopping cart, will protect you from online attackers who would otherwise take advantage of system vulnerabilities. If you, and not a third party vendor, are responsible for applying security patches, it is recommended to apply updates from trusted network locations (e.g. home or work) and to download updates only from trusted vendor sites.

Do not trust a link in an email message: attackers have used email messages to direct users to websites hosting malicious files disguised as legitimate updates. Be vigilant with email messages claiming to have a software update file attached, as these attachments may contain malware.

Threat: False links divert online shoppers to fake payment pages

Fraudsters can steal your revenue by creating fake payment pages and diverting your customers using false links.

Prevention: Review all website links to prevent online fraud

Regularly review all links (URLs, iFrames, APIs etc.) from your website to the payment gateway to confirm they have not been altered to redirect customers to unauthorised locations.
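As an added illustration of that review, not code from the original page: a small Python check that parses a checkout page, compares every outbound link (anchors, form actions, iframe and script sources) against a baseline recorded when the page was last verified by hand, and separately flags any form or iframe that sends shoppers or card data to a host other than your approved gateway. The gateway hostnames, baseline and sample page are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes that decide where a shopper, a form post or an embedded frame is sent
LINK_ATTRS = {"a": "href", "form": "action", "iframe": "src", "script": "src"}

class OutboundLinks(HTMLParser):
    """Collect (tag, url) pairs for every element that can redirect or post data."""
    def __init__(self):
        super().__init__()
        self.links = set()

    def handle_starttag(self, tag, attrs):
        wanted = LINK_ATTRS.get(tag)
        if wanted:
            for name, value in attrs:
                if name == wanted and value:
                    self.links.add((tag, value))

def review_payment_links(html, baseline, approved_hosts):
    """Compare a fetched checkout page against a known-good baseline.

    baseline: set of (tag, url) recorded when the page was last verified by hand.
    approved_hosts: hostnames of your payment gateway; any form or iframe pointing
    elsewhere is reported even if it is present in the baseline.
    Returns a sorted list of (reason, tag, url) findings; empty means nothing changed.
    """
    parser = OutboundLinks()
    parser.feed(html)
    findings = set()
    for tag, url in parser.links - baseline:
        findings.add(("not_in_baseline", tag, url))
    for tag, url in parser.links:
        host = urlparse(url).hostname          # None for relative (same-site) links
        if tag in ("form", "iframe") and host and host.lower() not in approved_hosts:
            findings.add(("unapproved_destination", tag, url))
    return sorted(findings)

# Constructed example: hostnames are placeholders, not a real gateway. The baseline
# was recorded from a verified copy of the page; the form action below has been
# altered to a look-alike domain.
APPROVED_HOSTS = {"pay.gateway.example"}
BASELINE = {("form", "https://pay.gateway.example/checkout"),
            ("iframe", "https://pay.gateway.example/hosted-fields"),
            ("a", "/basket")}
TAMPERED_PAGE = """
<form action="https://pay.gateway-example.test/checkout" method="post"></form>
<iframe src="https://pay.gateway.example/hosted-fields"></iframe>
<a href="/basket">Back to basket</a>
"""
```

Run `review_payment_links(TAMPERED_PAGE, BASELINE, APPROVED_HOSTS)` and the altered form action is reported twice, once as a change from the baseline and once as an unapproved destination, while the unchanged iframe and relative link are silent.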

Threat: Having your business information available to too many employees and third parties

An individual with too much or unnecessary access to your business’ confidential information and/or systems weakens your defences against online fraud. By accident or design, confidential information or access to your systems could be shared with malicious parties.

Prevention: Divide out duties, regulate access and implement training

For people managing your IT environment, especially business-critical systems and infrastructure, restricting their access to what their role or task requires minimises the risk of fraud by any one individual and makes that person a less valuable target for fraudsters.

Giving each person the minimum level of system access needed for their job or duties (the ‘least privilege principle’) limits who can reach confidential information. Should an employee, contractor or third party vendor become compromised, the impact will be more limited, as you don’t have all your eggs in one basket.

Monitor, track and restrict access to sensitive payment data and critical IT systems/infrastructure, with processes, logs and audit trails in place so that every access can be traced.

Cybersecurity training will help all staff understand the purpose and benefits of this approach, and will support them in using systems securely and following defined procedures. Training should also include temporary staff, and should make everyone aware of potential security threats and of the appropriate action to take in the event of a suspected breach.

Trusted Third Parties

Online businesses must ensure all of the components and features on their eCommerce website are identified and properly secured or managed by relevant third party providers.

Selecting reputable, trusted third parties to support your eCommerce solution, with valid TLS certificates as well as the most current software upgrades and security patches, is important in enhancing the security of your eCommerce website and associated software. Making sure the following points are included in your contract with them helps strengthen your business’ online security:

  • use the latest version of all software and security patches that meet the latest IT security standards
  • ensure your web hosting provider monitors for attempted or unauthorised changes to your home page content and will react immediately if something is detected
  • use 2-step verification for remote access by any connected third party

Card fraud is always a risk for businesses that accept card payments where the card is not physically present (i.e. taking payments over the phone, through a virtual terminal, or in-person sales where a business keys card details into their point-of-sale terminal without using the chip or contactless functionality).

Fraudsters continue to target businesses with fraudulent card not present transactions, resulting in financial loss for the impacted businesses.

Given that Card Not Present (CNP) transactions are taken at your own risk, and your business is financially liable for fraudulent transactions, it is important that you are aware of the fraud risks associated with CNP transactions and how to identify them.

Remain vigilant when accepting payments where the card is not present and take the necessary steps to validate the identity of the cardholder by either having prior knowledge of the cardholder or by other means.

Some signs of a potentially fraudulent transaction


We highlight some signs below of transactions that are likely to be fraudulent. Get to know them and make sure all your staff members recognise them too.

Sometimes the first sign of fraud can just be a general feeling that something isn’t quite right. If that happens, act on your instincts and don’t send out goods / complete a sale until you’ve carried out further checks.

Multiple or bulk orders – Watch out for customers buying lots of the same item, either in the same transaction or separately

First-time customers who place multiple orders – The risk of fraud is smaller when dealing with customers you know

High-value orders – Orders larger than normal may indicate fraud. High-value items such as jewellery or electrical goods are often targeted by fraudsters because they are easy to resell, so take extra care with this type of transaction

Hesitant customers – Customers who seem uncertain about personal information, such as their postcode or spelling of their street name, could well be using a false identity. Also watch out for customers being prompted when giving the requested information

Same name, different title – Could your customer be using the card of a family member?

Sales that are too easy – Be suspicious if a customer is not interested in the price and/or detailed description of the goods, but is only interested in delivery times

Different person to the cardholder collecting the goods (e.g. a courier or taxi driver)

Cardholder is present but only has details of the card and not the card itself – The card details may be stolen. If you key them into your card terminal and the transaction turns out to be fraudulent, you are liable.

Suspicious card combinations such as:

  • Transactions on several cards where the billing address matches but the shipping addresses differ
  • Multiple transactions on a single card over a very short period of time
  • Multiple cards beginning with the same first six digits offered immediately after the previous cards are declined
  • Customer offering multiple different cards one after another without hesitation when previous cards are declined
  • Orders shipped to a single address but purchased with various cards
  • Overseas shipping address – Be careful when shipping overseas, especially if you are dealing with a new customer or a very large order
  • Different shipping address – Orders where the shipping address is different from the billing address may be legitimate (for example, when sending flowers or a birthday present) but requests to send goods to hotels, guest houses or PO boxes are often associated with fraud
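As an added example, not from the original page: Python detection logic that applies several of the suspicious card combinations listed above to a constructed batch of payment attempts from one shopper session, so that an order-review script can flag an order for a manual check before goods are sent. The card numbers, addresses and the ten-minute "short period" window are constructed test values and assumptions, not figures from the page.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Attempt:
    ts: datetime
    card: str        # constructed card number; only the first six digits (BIN) and identity are used
    billing: str
    shipping: str
    approved: bool

SHORT_WINDOW = timedelta(minutes=10)   # assumed meaning of "a very short period of time"
# Delivery locations the list associates with fraud when they differ from the billing address
RISKY_DEST = ("hotel", "guest house", "po box")

def flags_for(attempts):
    """Return (rule, detail) pairs for every red flag found in a batch of attempts."""
    ordered = sorted(attempts, key=lambda a: a.ts)
    by_card, by_ship = defaultdict(list), defaultdict(set)
    for a in ordered:
        by_card[a.card].append(a)
        by_ship[a.shipping].add(a.card)
    flags = []
    # Multiple transactions on a single card over a very short period
    for card, hits in by_card.items():
        if len(hits) > 1 and hits[-1].ts - hits[0].ts <= SHORT_WINDOW:
            flags.append(("burst_single_card", card[-4:]))
    # Orders shipped to a single address but purchased with various cards
    for ship, cards in by_ship.items():
        if len(cards) > 1:
            flags.append(("many_cards_one_address", ship))
    # A different card with the same first six digits offered straight after a decline
    for prev, cur in zip(ordered, ordered[1:]):
        if not prev.approved and prev.card != cur.card and prev.card[:6] == cur.card[:6]:
            flags.append(("same_bin_after_decline", cur.card[:6]))
    # Shipping address differs from billing and points at a hotel, guest house or PO box
    risky = {a.shipping for a in attempts
             if a.shipping != a.billing and any(w in a.shipping.lower() for w in RISKY_DEST)}
    flags.extend(("risky_delivery_address", s) for s in sorted(risky))
    return flags

# Constructed batch: one shopper session, not real card numbers or addresses
T0 = datetime(2024, 3, 1, 10, 0)
SAMPLE = [
    Attempt(T0, "411111000001", "1 Main St, Dublin", "1 Main St, Dublin", True),
    Attempt(T0 + timedelta(minutes=2), "411111000002", "1 Main St, Dublin", "Room 12, Harbour Hotel, Cork", False),
    Attempt(T0 + timedelta(minutes=3), "411111000003", "1 Main St, Dublin", "Room 12, Harbour Hotel, Cork", True),
    Attempt(T0 + timedelta(minutes=4), "411111000003", "1 Main St, Dublin", "Room 12, Harbour Hotel, Cork", True),
]
```

Calling `flags_for(SAMPLE)` raises all four rules for this session: a burst on the third card, two cards paying for one hotel address, a same-BIN card offered right after the decline, and a hotel delivery that does not match the billing address.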
