Fraudology

3DS ecommerce fraud strategy: Why old fraud rules are breaking down

Guest: Doriel Abrahams

Today I’m talking about something a lot of fraud teams have been wrestling with lately. The rules that used to feel settled in ecommerce fraud are not feeling so settled anymore. And honestly, that is probably a good thing.

In this episode, I sat down with Doriel Abrahams, Head of Risk for the US at Forter, to talk about 3DS ecommerce fraud strategy, how online fraud has shifted so quickly over the last 18 to 24 months, and why merchants need to rethink some of the “conventional wisdom” that used to shape fraud programs. Things like whether 3D Secure in the US is worth using, how selectively to use 3DS in EU and APAC, how much to rely on issuer authorization rates, and whether negative lists still deserve the faith some teams put in them.

That is where this conversation gets really useful.

Because this is not just about one tool or one tactic. It is about fraud strategy in 2023 and beyond. It is about whether merchants are adapting fast enough when organized fraud rings, changing customer behavior, and new attack patterns are putting pressure on systems that were designed for an earlier version of ecommerce fraud.

And that matters.

Because if fraud teams keep using the same tools in the same ways just because that is how they have always been used, they can end up optimizing for an old environment while attackers are already operating in the new one.

Here is what that means in practice:

  • 3DS ecommerce fraud strategy needs to be based on current risk and performance, not outdated assumptions
  • Merchant fraud prevention gets weaker when teams rely too heavily on old playbooks that no longer match current attack patterns
  • Fraud provider innovation matters because static tools and static thinking both age badly in fast-moving fraud environments
  • Fraud operations adaptation is essential when organized fraud tactics expose weaknesses in conventional controls

What you’ll hear in this episode:

  • Why Doriel believes 3D Secure in the US deserves a fresh look from merchants and fraud teams
  • How ecommerce fraud optimization has changed as online retail fraud tactics have evolved so quickly
  • Why negative-list fraud strategies may be less effective than many teams assume
  • What the Master Manipulators fraud ring revealed about fraud detection modernization during peak season
  • How merchant teams should think about issuer authorization rates, fraud prevention best practices, and broader payment fraud strategy

You should listen to this episode if you:

  • Work in ecommerce, payments, fraud, or risk and want a more current view of 3DS ecommerce fraud strategy
  • Are rethinking 3D Secure in the US or looking at a selective 3DS strategy in the EU and APAC
  • Want to improve ecommerce revenue protection without relying on outdated assumptions
  • Need a better framework for fraud operations adaptation and fraud detection modernization
  • Care about merchant fraud prevention and how provider strategy should evolve with the threat landscape

If you liked this episode, be sure to subscribe and review the podcast on iTunes, Spotify, YouTube, or wherever you listen to podcasts. It really helps with getting the word out.

Episode notes & key takeaways

Why 3DS ecommerce fraud strategy needs a second look

Let’s break this down.

For a long time, there were certain things merchants just “knew” about 3DS. In the US, it was often treated like too much friction, too much downside, or something better left for special cases. In other regions, teams got used to more selective or more expected usage. But when fraud changes as fast as it has, those old assumptions deserve to be challenged.

That is exactly where this conversation starts.

Doriel makes the point that 3DS ecommerce fraud strategy should not be driven by habit. It should be driven by how fraud is behaving now, how issuers are responding now, and what the actual performance tradeoffs look like now. And honestly, I think that is the right lens. Because too many merchants are still making decisions based on what 3DS used to mean instead of what it may mean in the current environment.

That matters.

Because if the fraud landscape is changing faster than merchant strategy, then even good teams can end up lagging behind. Not because they are ignoring risk, but because they are still using yesterday’s assumptions to solve today’s problems.

A few practical takeaways:

  • 3DS ecommerce fraud strategy should be revisited regularly as fraud patterns and issuer behavior change
  • 3D Secure in the US may create more value in certain scenarios than older assumptions suggest
  • Payment fraud strategy gets stronger when teams evaluate tools based on current outcomes, not historical bias
  • Fraud prevention best practices should evolve as merchant, issuer, and attacker behavior all shift

Why old fraud rules break fastest during rapid change

This is where things get interesting.

A lot of fraud programs are built on rules that were earned through experience. And that experience matters. But one of the risks in fraud is that what used to work well can quietly become less useful over time, especially when attackers adapt faster than the business does.

We saw that very clearly in the period Doriel and I talk about.

The last 18 to 24 months changed a lot. Online retail fraud tactics became more adaptive. Organized rings got more aggressive. Consumer behavior kept shifting. And peak periods put even more pressure on fraud systems that were already being tested. When that happens, the biggest risk is not always having no strategy. Sometimes it is having a strategy that used to be right.

That usually does not end well.

Because fraud teams can end up overtrusting old heuristics, overdefending weaker signals, or underestimating how much the environment has changed around them.

What good teams should be asking:

  • Which fraud rules still hold up, and which ones have become more habit than strategy?
  • Has the merchant’s fraud stack adapted as quickly as the fraud itself?
  • Are teams measuring the real cost of old assumptions on fraud, approval rates, and customer experience?
  • Is fraud strategy in 2023 still anchored to conditions from earlier years?

Why negative lists may be giving merchants false confidence

Here’s what’s actually happening.

Negative lists can feel useful because they give teams something concrete. A blocked email. A blocked card. A blocked device. A blocked user. That can feel satisfying because it looks like action. But one of the smartest parts of this conversation is Doriel pushing on the idea that negative-list fraud strategies often create more comfort than real resilience.

And that matters.

Because bad actors adapt. Fast. They change identifiers. They switch devices. They rotate cards. They move across merchants. They test new paths. So if a merchant is leaning too heavily on negative lists, it may be solving for a much older and simpler model of abuse than the one they are actually facing now.

That is the real issue.

The problem is not that negative lists never have value. It is that they can become a crutch. And once they become a crutch, fraud teams may feel more protected than they really are while organized attackers are already moving around those controls.

A few practical takeaways:

  • Negative-list fraud strategies can create blind spots when attackers rotate identifiers quickly
  • Fraud detection modernization requires more context than static blocklists can provide
  • Merchant fraud prevention works better when teams focus on broader patterns, not just repeated identifiers
  • Ecommerce fraud optimization depends on recognizing adaptive behavior, not just known bad entities

What the Master Manipulators period taught merchants

This is one of the most useful reference points in the whole conversation.

The Master Manipulators fraud ring put a lot of merchant strategies to the test during one of the busiest and most fragile times of year. And what it exposed was not just one tactic or one vulnerability. It exposed how many merchants were still depending on controls that struggled when the attacks became more coordinated, more persistent, and more operationally sophisticated.

Right.

That is why this example matters so much for 3DS ecommerce fraud strategy and for broader fraud operations adaptation. It reminded everyone that the pressure test is not theoretical. Fraud rings do not care whether a control used to be “good enough.” They care whether it still works under stress right now.

And if it does not, they will find that out before you do.

That is the part fraud teams should sit with a little longer. Because large organized attacks have a way of revealing which strategies were built for scale and which ones were built for comfort.

A few things worth paying attention to:

  • The Master Manipulators fraud ring exposed weaknesses in conventional ecommerce fraud optimization
  • Fraud operations adaptation becomes essential when organized rings pressure multiple layers of a merchant’s program
  • Ecommerce revenue protection depends on how well controls hold up during peak traffic and attack conditions
  • Fraud provider innovation matters most when traditional defenses start failing under real pressure

Why merchant fraud prevention has to stay adaptive

Honestly, this is the biggest takeaway for me.

The point is not that 3DS is always the answer. The point is not that negative lists are always useless. The point is that fraud strategy has to stay adaptive enough to question the old rules before attackers force that conversation for you.

That is the part that holds up.

Merchant fraud prevention works best when teams are willing to challenge inherited assumptions, test tools in current conditions, and rethink what “best practice” actually means as fraud evolves. That includes provider strategy. It includes internal operations. It includes how merchants think about issuer authorization rates, customer friction, and layered controls.

Because if fraud is adapting and your program is not, the outcome is pretty predictable.

The big takeaway from this episode is pretty straightforward. 3DS ecommerce fraud strategy should be driven by current fraud reality, not old industry reflexes. Negative lists may no longer offer the kind of protection many teams assume they do. And merchants who want stronger ecommerce revenue protection need to keep modernizing their fraud detection, their provider expectations, and their willingness to rethink conventional wisdom before the next pressure test arrives.

That is the part I would pay attention to.

Host
Karisse Hendrick
Ecommerce Fraud Prevention Consultant