Sift


istyle Co., Ltd.

Using Sift and EMV 3D Secure (3D Secure 2) together to realize fraud countermeasures that avoid the risk of cart abandonment

"@cosme Shopping" was plagued by a rapid increase in fraudulent use of credit cards as its business grew. In the Christmas season of 2021, it suffered 10 million yen in fraudulent use damage in one month, and introduced Sift and EMV 3D Secure (3D Secure 2) as fraud countermeasure solutions. While greatly reducing the time and effort of the checking work, it was able to greatly reduce the damage caused by unauthorized use.

istyle Inc.
platform
Mr. Yukihiro Kudo


istyle retail Co., Ltd.
EC Company Business Promotion Department
Tomoko Hamada

Unauthorized use damage reached 10 million yen per month at its peak

"@cosme Shopping" is a membership-based EC site for cosmetics and beauty-related items, developed by istyle Co., Ltd. ("istyle"), which operates the largest word-of-mouth site "@cosme". It carries about 2,500 brands, the largest number of genuine brands in Japan, with a total of more than 46,000 items. Its users are mainly women in their 20s and 30s, who are also the main users of @cosme, and the monthly number of orders exceeds about 150,000. As the EC market expanded rapidly due to the impact of the novel coronavirus from the spring of 2020, sales of @cosme Shopping also increased rapidly, and annual sales in FY2022 reached about 9.2 billion yen.
As sales increased, damage caused by fraudulent use of credit cards also increased. As a countermeasure, a full-time person in charge performed visual checks and suspended shipment of suspicious orders, but there were issues with accuracy and man-hours. "We used Excel's filter function to stop shipments of suspicious transactions, but it was difficult to stop all of them because fraudulent trends changed. For this reason, when we had a lot of orders, even if we increased the number of people in charge to two people, we couldn't check everything, and sometimes we prioritized shipping." Although this was tried, the effect was small, and the number of unauthorized uses in December and January 2021 reached a peak of 1,000 cases a month, or about 10 million yen.

The number of chargebacks dropped sharply in the first three months after Sift was introduced

Payment service providers also requested further measures to prevent fraudulent use, and after comparing and considering multiple solutions, istyle chose Sift. "There are three reasons why we chose Sift. First, it uses machine learning-based scoring rather than rules-based scoring, so it requires less effort to operate. Also, it targets not only payment data but also user behavior, so it was possible to identify fraudulent transactions, and the price was reasonable." (Mr. Kudo)
Preparations for implementation began around October 2021, and data linkage to Sift and machine learning began in December 2021. It took about three months to implement the system, and the effort was approximately one man-month. "We referred to Sift's API specifications and asked Macnica engineers to assist us with any questions we had, and the implementation went smoothly." (Mr. Kudo)
Three months after its introduction, Sift was automatically assigning a high transaction risk score to the transactions that the visual checks, still being conducted in parallel, would have suspended. In April 2022, when the scoring stabilized, the number of chargebacks decreased sharply, and the effects of the introduction became clearly visible.
Currently, transactions with a medium risk score in Sift are reviewed on the management screen, and a decision is made to cancel, put on hold, or ship the order. Accuracy is further improved by feeding these review decisions back to Sift for machine learning. In addition, istyle has created a tool that uses Sift's API to import chargeback data (transaction data of fraudulent use) sent from payment processors, keyed by transaction ID, and uses this tool on a daily basis. "I no longer have to visually check data in Excel, and the daily checking work that used to take more than half a day now takes only 1-2 hours. The work has become easier and chargebacks have decreased, and I've been using it for a while now. I think it was good." (Mr. Hamada)

Combining EMV 3D Secure for transactions with a high Sift risk score

The "Credit Card Security Guidelines [Ver. 4.0]", a practical guideline for the Installment Sales Act announced in March 2023, require the introduction of EMV 3D Secure (EMV-3DS) personal authentication on all EC sites as a countermeasure against the ever-increasing unauthorized use on e-commerce sites. The previous version, 3D Secure 1.0, requires a registered 3D Secure password for all transactions. As a result, many e-commerce sites were concerned about "cart abandonment," in which users stop shopping in the middle of payment, and it did not become widespread. @cosme Shopping also considered introducing 3D Secure 1.0 before introducing Sift, but to reduce concerns about cart abandonment it would have needed a mechanism that sends only high-risk transactions to 3D Secure. Because developing such a mechanism takes man-hours, 3D Secure 1.0 was not introduced.
The current version, EMV-3DS, uses risk-based authentication based on device information, behavior information, attribute information, and so on. It approves transactions judged to have a degree of risk below a certain level without requiring additional authentication, and refuses suspicious transactions. For the medium-risk transactions in between, a "challenge mode" requests additional personal authentication using a one-time password, such as one sent by short message, to decide whether to proceed with the transaction. Compared to 3D Secure 1.0, it can be said to take the EC site's risk of cart abandonment into account as well.
@cosme Shopping has already introduced EMV-3DS in addition to Sift, and performs EMV-3DS for transactions that meet several conditions, such as Sift's transaction risk score exceeding medium. The risk assessment on the EMV-3DS side is left to the credit card company. "About 1.6% of all transactions have a Sift risk score exceeding moderate. Also, transactions with a clearly high Sift risk score are not automatically rejected but sent to EMV-3DS. 3DS does not enforce challenge mode. For customers whose transaction is approved by EMV-3DS, the person in charge will finally confirm whether the product can be shipped, minimizing the risk of dropping out of the basket. We are implementing anti-fraud measures that are limited to the minimum." (Mr. Hamada)

By using Sift and EMV-3DS together, only transactions with a Sift risk score of medium or higher are sent to EMV-3DS, so that the majority of users will not be bothered by additional identity verification. In addition, even for transactions that flowed to EMV-3DS, if risk-based authentication on the EMV-3DS side determines that the risk is low, the user does not need to enter additional authentication. Requests for additional authentication can be limited to "users judged to be at high risk by both Sift and EMV-3DS". In fact, the introduction of Sift and EMV-3DS has not caused an increase in cart abandonment. "We were able to reduce the risk of abandoned carts and prevent fraudulent use, and at the same time, we were able to greatly reduce the time and effort required to operate the system. I think the current situation is ideal," said Mr. Hamada.
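The two-stage routing described above, sketched as an added example (not istyle's, Sift's or any card network's code). The 0-100 score scale, the numeric cut-offs, the result names and the sample orders are all assumptions made for illustration; the page names only a "medium" band and gives no numbers.

```python
from collections import Counter
from enum import Enum

MEDIUM_MIN = 50  # hypothetical "medium" cut-off on an assumed 0-100 scale


class ThreeDS(Enum):
    """Issuer-side EMV-3DS results (names are illustrative)."""
    FRICTIONLESS = 1       # issuer judged risk low: no user input
    CHALLENGE_PASSED = 2   # one-time password requested and verified
    CHALLENGE_FAILED = 3
    REJECTED = 4


def decide(score, issuer_result, threshold=MEDIUM_MIN):
    """Return (action, user_saw_challenge) for one order."""
    if score < threshold:
        return "ship", False  # majority path: EMV-3DS is never invoked
    # Medium or higher: hand off to EMV-3DS; the score alone never rejects.
    challenged = issuer_result in (ThreeDS.CHALLENGE_PASSED,
                                   ThreeDS.CHALLENGE_FAILED)
    if issuer_result in (ThreeDS.FRICTIONLESS, ThreeDS.CHALLENGE_PASSED):
        return "manual_review", challenged  # staff confirm before shipping
    return "cancel", challenged


def summarize(orders, threshold=MEDIUM_MIN):
    """Tally final actions and the share of orders that saw a challenge."""
    actions, challenged = Counter(), 0
    for score, issuer_result in orders:
        action, saw = decide(score, issuer_result, threshold)
        actions[action] += 1
        challenged += saw
    return dict(actions), challenged / len(orders)


# Constructed sample: (merchant-side score, what the issuer would return).
ORDERS = [
    (5, ThreeDS.FRICTIONLESS), (8, ThreeDS.FRICTIONLESS),
    (12, ThreeDS.FRICTIONLESS), (20, ThreeDS.FRICTIONLESS),
    (25, ThreeDS.FRICTIONLESS), (35, ThreeDS.CHALLENGE_PASSED),
    (40, ThreeDS.FRICTIONLESS), (62, ThreeDS.FRICTIONLESS),
    (75, ThreeDS.CHALLENGE_PASSED), (93, ThreeDS.REJECTED),
]

if __name__ == "__main__":
    print(summarize(ORDERS))                # medium or higher goes to EMV-3DS
    print(summarize(ORDERS, threshold=30))  # wider EMV-3DS scope
```

With the constructed orders, only the order flagged by both stages sees a challenge; lowering the cut-off to 30 widens EMV-3DS coverage and doubles the share of challenged orders.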

Working on further countermeasures against unauthorized use so that the service can be used with peace of mind

By using Sift and EMV-3DS together, the current monthly fraudulent usage amount has been significantly reduced compared to the peak period, and chargebacks have been held down to the level of dozens per month. However, fraud has not been completely prevented, and istyle is looking for further countermeasures.
One way to reduce fraudulent use is to lower the score at which transactions are sent to EMV-3DS, currently medium or higher, and so expand the scope of EMV-3DS transactions. "Yes, but [that method] may increase the occurrence of abandoned checkouts. In principle, chargebacks are exempted even if there is unauthorized use. We would like to carefully review the score in consideration of the ease of use for customers." (Mr. Hamada) The "Credit Card Security Guidelines [Ver. 4.0]" require the addition of items to be sent during EMV-3DS transactions in order to improve the accuracy of EMV-3DS personal authentication, and the company would like to consider such measures in the future.
Security measures for login accounts can also be considered. @cosme Shopping is a membership site, and users cannot shop without logging in. Many of those who use credit cards fraudulently create new accounts, register other people's credit card numbers, and carry out fraudulent transactions. "Account Abuse", another service of Sift, can detect and deter the creation of fraudulent accounts based on e-mail addresses and the characteristics of operations when creating accounts. "Since the login account for @cosme shopping is common to the entire group, including @cosme, we would like to consider it for the entire group if it is effective in strengthening countermeasures against unauthorized use." (Mr. Kudo) In cyberattacks, legitimate account information is stolen by phishing, and the damage caused by unauthorized logins is increasing. At @cosme Shopping, damage from unauthorized logins due to phishing has not been conspicuous so far, but it is possible to deter unauthorized logins with Sift's "Account Defense".
"We want to provide services that users can use with peace of mind. Countermeasures against unauthorized use are part of that," says Mr. Hamada. @cosme Shopping has the role of delivering brand products to the consumers who want them, as a point of contact between brands and consumers. Unauthorized purchases can lead to damage to a client's brand through resale. Sift plays a part in istyle's mission of "creating happy encounters between products and consumers" in order to meet the expectations of client brands and consumers.
