Security and Anti-Fraud for Online Stores

Serhii Nikolaienko 21 Aug 2025 4 min read

Fraud prevention in e-commerce isn’t a wall — it’s a thermostat. You constantly trade off two risks: letting a bad transaction through and losing a good one. Any added “hardness” costs conversion; any “softness” costs chargebacks. Winners dose friction: give freedom when the signal is clean, add a measured challenge when context raises suspicion.

Threat map: who attacks and how

Real-world playbooks include:

Carding and BIN-range testing: mass micro-payments to find live cards and 3DS patterns.
Credential stuffing: replaying leaked logins to steal points/addresses.
Scraping/vitaling: harvesting prices/stock for dumping or buying out scarce goods.
Social vectors: “no item returned”, forged delivery proofs, “item not received” disputes.
Integration weaknesses: webhook interception/tampering, secret leakage, repeat charges without idempotency.

Risk markers: what really signals

No single clue is decisive; ensembles are.

Device/network context: unfamiliar device for this account, abrupt country/ASN change, timezone/locale drift, browser language and currency mismatch.
Session behavior: ultra-fast beeline to pay, paste events in sensitive fields, unnaturally even timings, “error → retry” loops with micro-pauses (bots).
Basket: cheap item + pricey express shipping, multiple gift cards, odd size/variant combos.
Payment stage: streak of declines from one BIN, different cards for the same address/phone, billing/shipping mismatch.
History: “new user — high ticket — rush shipping”, frequent address changes, editing email/phone right before pay.

The outcome is a risk score (0…1) that chooses the path: pass, request an extra factor, force a 3DS challenge, or deny.

Security and antifraud for an online store 2

3DS2: where it saves, where it breaks

3DS2 comes in two modes: frictionless (issuer approves without user action) and challenge (code/biometric). The richer the context you send to the PSP/issuer, the higher your frictionless share.

Send “thick” data: addresses, user-agent, device fingerprint, account history.
Trigger challenges at a risk threshold (new device + high basket + address inconsistencies, etc.).
Track step-up rate, challenge success rate, and issuer decline codes.

Classic mistake: forcing 3DS for everyone — you’ll protect yourself… from your own conversion.

Behavioral biometrics: “how they type” > “who they are”

Think micro-patterns: typing dynamics, cursor paths, scroll inertia, touch/keyboard balance, even micro-jitter from the phone’s gyroscope. Powerful as an additional layer, not a replacement.

Where to apply gently:

Sign-up/login — detect non-human patterns without blanket CAPTCHAs.
Checkout — tell a real customer on a new device from a bot that “types too perfectly.”
Support/returns — abnormal input patterns on forms.

Privacy line: store aggregated features, not raw cursor trails; honor tracking opt-out.

Bots, rate limits, and soft traps

Device/session fingerprint (Canvas/WebGL, fonts, codecs) — a layer, not the pillar.
Invisible honeypots: hidden fields, JS tasks hard for headless bots.
Smarter limits: not just IP. Combine “IP + device + account + BIN + address”, catch burst patterns (10 tries/3s) and ASN swarms.
Slow bogs for carding: increase response latency as failures pile up.
Staged challenges: lightweight computation first, then CAPTCHA — and only for risk segments.

Secure webhooks and secrets: small things that topple systems

Sign every webhook: HMAC of the body + timestamp; verify server-side with rotating secrets and a strict time window.
Idempotency: replays of the same event_id must be safe.
Don’t rely solely on IP allowlists: prefer mTLS or signed payloads.
Secrets belong in a vault with rotation/audit; access by least privilege.
Log webhook retries as first-class events.

Logs as X-ray: where to look

One trace_id from PDP to PSP and back via webhook.
Layers: risk-engine decision, issuer/PSP responses, client behavior.
Attack dashboards: errors by BIN/ASN, accelerated bursts, hourly heatmaps.
3DS metrics: frictionless/challenge shares, challenge success, decline codes — by country/bank/device.
Webhooks: retry share, median delay, PSP desyncs.

Panic list: rising failures from one ASN, a spike in do_not_honor, frictionless share collapsing for one bank, avalanche of webhook retries.

Security and antifraud for an online store 3

Don’t kill conversion: measured friction

New device + high ticket + express → step-up/3DS challenge.
Long-lived account + known device → pass frictionlessly.
Repeats on one BIN → “bog” + frequency limits, not a site-wide CAPTCHA.
Address fields — validate by locale to improve PSP approval.

Every friction must be justified by measurable risk reduction — not by “it feels safer.”

Mini-workshop: a first risk-engine skeleton

Signals: device, network, geo, behavior, basket, account history.
Model: logistic regression/gradient boosting + rules (frequencies, blocklists, banned routes).
Orchestration: allow / step-up / deny branches by score thresholds and constraints.
Feedback: tag chargebacks/disputes/“not received”, store decision reasons.
Experiments: keep a holdout slice to measure true impact and enable fast rollback.

Final: what counts as success

The goal isn’t “zero fraud,” it’s the lowest cost of risk at your revenue level.

Operational: approval rate, frictionless share, step-up rate, challenge success, checkout latency.
Financial: fraud rate, chargeback rate, gross profit per session factoring friction.
Detective: time to detect a new pattern, time to ship a countermeasure, annotation quality.

Takeaway: tune the thermostat — rotate secrets, drill regularly, report incidents, audit friction — and the curves move in the right direction without sacrificing conversion.