How Dixons Carphone knew smartphone upgrade attempts didn’t ring true
July 8, 2015 03:29 PM
Dixons Carphone PLC not only sells a lot of high-end mobile devices, it must diligently try to thwart organized efforts to steal those valuable products.
A recent fraud attack on the United Kingdom-based retailer involved a criminal ring targeting online storefronts using using external third-party data that had been compromised, Leonie Darbon, systems and analysis manager for Dixons Carphone’s fraud and credit strategy projects, said Wednesday. The criminal effort was detected using technology from anti-fraud tech vendor Iovation Inc., which helped find patterns and commonalities by comparing multiple pieces of data, including IP addresses that didn’t correlate with the customer, she said.
Criminals, using external compromised data, identified opportunities to upgrade with Dixons Carphone, and they attempted to place orders for those newer devices, especially the iPhone 6, Darbon said. Dixons Carphone fulfills those orders, with much of its business coming from the wireless networks that sell the phones via contracts.
There were clues that a larger-scale fraud attempt was underway. Sometimes it was the same misspelling in the customer title field, indicating it had been copied and pasted multiple times, on the upgrade request, she said. Those irregularities and the fact that Dixons Carphone uses the latest technology for device recognition helped determine if the person placing the order or upgrade was, indeed, the customer, Darbon said.
Iovation Inc., based in Portland, Ore., evaluates risk using advanced device identification, shared device reputation and device-based authentication from its database of more than 2.5 billion Internet devices. Device-based authentication, for example, uses a customer’s known devices—a laptop or mobile phone—to verify authorization to access an account.
“Iovation helps us correlate locations, devices, accounts and fraud indicators, giving us a powerful weapon to stop large-scale fraud,” Darbon said. “By optimizing Iovation’s fraud prevention policies through identifying devices that have been used to commit fraud with Iovation’s other clients, and weigh that heavily in our review process, we get insights into fraudulent behavior that we couldn’t get anywhere else.”
Security updates are ongoing and must adapt, she said, noting that the retailer is considering other ways to incorporate device identity. And when the retailer reviewed security measures in 2009 and tightened security in 2010 by integrating Iovation with risk-management technology and services company Accertify Inc., fraud attempts dropped and shifted to rival firms perceived as having weaker links, she said.
Dixons Carphone has three branded online channels and 1,000 retail stores. Its line of business makes it a likely fraud target because it has desirable products that can be easily disposed of, free next-day delivery, the ability to ship to alternative addresses and no upfront cost on many products because they’re bought on a contract basis through a service provider, Darbon said.
Dixons Retail PLC and mobile phone retailer Carphone Warehouse Group merged last summer to become Dixons Carphone, No. 12 in the Internet Retailer 2015 Europe 500 Guide.