On Tuesday, April 14, 2015, the Observatory organized a breakfast on the subject "Is e-commerce a forerunner in the fight against digital identity fraud?". The speakers were Alexandre Arcounteil, head of business activities at CERTISSIM – FIANET, Sébastien Carleti, expert at ONEY Tech – Accord Bank, and Bertrand Pineau, head of intelligence and innovation at FEVAD.
“Trust is an essential element when one wants to trade on the internet; digital identity fraud is thus a very important topic.”
The three speakers started from the premise that e-commerce is a growing market; the sector is currently worth 50 billion euros spread over 18 000 websites in France. It will have created 100 000 jobs. This is explained by the fact that almost everything is sold over the internet.
After the phenomenal growth of online commerce, new forms of shopping on the internet have emerged, such as collaborative consumption, which gives preference to C to C sales and has evolved into a global market estimated at $335 billion. Foreign sales have also grown tremendously: selling abroad does not require the physical presence of the company in a given territory, which allows cost reduction and easy expansion. Finally, mobile sales are in full development: soaring smartphone use allows consumers to buy anything from anywhere.
It is therefore understandable that, because new methods of payment have facilitated transactions even when a retailer is not physically present, the concept of trust must be taken into account more often.
Since the late 2000s, the e-commerce sector has become a growing market. Yet the Observatory speakers all recognized that the victim of digital identity fraud is not the consumer but the trader himself. The consumer is insured by his bank and now by European legislation, which states that all victims of identity theft will be reimbursed.
Traditionally, fraud is based on the usurpation of an account: the usurpers look closely at past purchases, recover user passwords and then place orders with the recovered bank details. Since 2011, this phenomenon has taken on colossal proportions. E-tailers must therefore develop tools to secure their online payment platforms. Hence the importance of trust between online retailers and their consumers: if consumers are wary of paying on a site, they will think before making a purchase, whereas if the service provider has tools that secure payment, this establishes the confidence needed for consumption. Carried by this need, 3D Secure payment (3DS) is growing: a concept where the consumer does not pay for his goods until he has entered a code received by text message on his mobile phone. This also confirms that the consumer is not a machine.
Starting in 2009, the nature of these attacks changed: we went from seeing a risk of card theft to full-on identity theft. During the discussion, three examples of address fraud were presented:
- Fraud at the relay point: bypassing the verification of postal information via a telemetric directory.
- Mule fraud: compromising the identity of the person receiving the object. In this case, there is no actual identity fraud, given that the person who receives the object is at the correct address; the fraud lies in an illegal object being delivered.
- SIM swap fraud: specific to 3DS payment, it relies on the fact that payment is based not on the security cryptogram but on a code sent by SMS.
The speakers specified that consumers today often have several identities: a bank account for bank details, a personal identity for information relating to personal data, a postal identity corresponding to the residence of a person and a technical identity.