This compilation of four articles was reprinted from Sell It! ( http://www.SellItOnTheWeb.com ), edited and published by Paul Lang.

Online Fraud Prevention (Part 1)
Just How Serious is Online Fraud?
by Paul Lang
As promised, this month I'm going to be focusing on online fraud. However, whereas most articles on this subject deal with merchants defrauding customers, I intend focusing on the problem of customers defrauding merchants, particularly through the fraudulent use of credit cards online.
Later in the series I'll be looking at ways you can reduce the risk of being the victim of online fraud as well as taking a look at some current and future technologies that can help you. However, this week I want to start by trying to understand just how widespread a problem online fraud is and what the costs and risks are to a typical e-tailer.
Unfortunately, this is not as easy a task as you might imagine, for although there are many statistics published on the size of the fraud problem, none of them are what I would regard as being "official", i.e. I have yet to come across a formal statement from any of the major credit card companies detailing exactly how bad the problem is.

However, it is possible to piece together an overall picture from some readily available snippets of data.
What are the chances of getting stung?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If you have been selling or shopping online for a while now and have been lucky enough not to have experienced any fraud, you might be tempted to underestimate the risk. In that case, these statistics should wake you up:

o New research by the Gartner Group (E-Commerce Times, 10/11/00) predicts half of small to mid-sized businesses implementing their own computer security measures will fall prey to cybercrime within the next two years.

o 83% of e-tailers believed online fraud to be a serious problem, according to the CyberSource Fraud 2000 Survey.
What are the potential cost impacts for your business?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Early last year, Expedia, Microsoft's online travel affiliate, announced that it was to record a fiscal third-quarter charge of $4 million to $6 million to cover the cost of fraudulent transactions on its Web site arising from the use of stolen credit cards to make travel reservations. Now, I suspect it's unlikely that anyone reading this article will face costs on this scale, but nevertheless the costs of fraud can be enormous even for small businesses:

o A Gartner survey of more than 160 companies revealed that 12 times more fraud exists on Internet transactions and that e-tailers are paying credit card discount rates that are 66 percent higher than traditional retailer fees.

o The CyberSource Fraud 2000 Survey revealed that the average percentage of revenue lost to online fraud was around 4%.
However, whilst these figures are frightening enough, the true cost of online fraud to e-tailers is much, much higher. Again, according to the CyberSource Fraud 2000 Survey, "when (e-tailers were) asked to assess significant negative business impacts related to fraud, 29% mentioned the loss of customer goodwill, 23% chargebacks, 22% loss of staff time, 18% loss of revenue, 12% loss of goods, and 8% bank fees."

Putting these figures together can produce a truly frightening picture. If 4% of revenue is lost to fraud and this were only to represent 18% of the total costs involved, then the actual cost to e-tailers of online fraud could be as high as 22% of revenue!
So what's the bottom line?
~~~~~~~~~~~~~~~~~~~~~~~~~~
While the cost of fraud could be enough in itself to cause your e-business to join the lengthening list of dot.com fatalities, there is another serious risk: if chargeback levels in your Web store become too high then you could lose your merchant account. And quite simply, if you cannot accept credit cards in your Web store your chances of surviving are very slim indeed.

Of course, the key phrase above is "too high", but just how high is "too high"? I have seen quoted several times a statement that Visa and MasterCard were placing "enormous pressure" on their Internet merchants to keep chargeback levels at less than 1%. However, I have not been able to verify that this is indeed a formal business practice by the major credit card companies.
Even so, the available data would suggest that many e-tailers would struggle to keep chargeback levels beneath this ceiling:

o According to an Unterberg Towbin study in 1998, more than 50 percent of disputed (or potentially fraudulent) charges at the Visa European division came from Internet transactions. However, 'Net transactions represented only 2 percent of the division's total transaction volume.

o A recent Gartner study stated that e-tailers typically incur online chargeback rates of 2.64%, with fraudulent or stolen credit cards accounting for 1.13% of this total.

o And the CyberSource Fraud 2000 Survey revealed that approximately 4% of total transactions over their system are fraudulent, but that this figure ranged from 0% to 40%.
I accept that the above does paint a rather bleak picture. Fortunately though, there are many precautions that you can take to reduce your risk of suffering serious online fraud. And that is what I will be looking at over the remainder of this series of articles.
Written by Paul Lang, Director, Netsavvy Communications.
Paul edits and publishes Sell It!, ( http://www.SellItOnTheWeb.com ) an award-winning
e-commerce Web site that is dedicated to helping small businesses sell their goods or
services on the Web.
Paul also produces a weekly email newsletter that is packed with focused e-commerce
features and the latest industry news. You can get your FREE subscription by visiting
http://laser.sparklist.com/scripts/lyris.pl?enter=sellit
or by sending a blank e-mail to:
join-sellit@laser.sparklist.com
Part 2
********************************
How to Beat Credit Card Fraud
by Paul Lang
Last week ( http://sellitontheweb.com/ezine/opinion076.shtml ) I took a look at the available data on credit card fraud on the 'Net and evaluated the risks to e-tailers. The results were, to say the least, rather worrying.
Surprisingly then, articles on Internet fraud usually concentrate on fraud from the consumer's perspective. However, the incidence of fraud perpetrated by online merchants against consumers is relatively rare, and consumers are typically only liable for the first $50 of any fraudulent transaction; the credit card issuer often waives even this liability.
In fact it is usually the e-tailer who is the true victim of Internet credit card fraud. This is because Internet credit card transactions fall under the heading of MOTO (Mail Order / Telephone Order) transactions, also called CNP (Cardholder Not Present) transactions. Most credit card merchant account agreements leave the merchant 100% liable for fraud committed via this type of transaction as well as requiring them to pay a $15-$25 chargeback fee.
And as we saw last week ( http://sellitontheweb.com/ezine/opinion076.shtml ), if a merchant experiences a high level of chargebacks they are often hit with an increase in the discount rate they have to pay on each transaction or may even have their account terminated.
It is also important for e-tailers to understand that if they become victims of a fraud they will probably receive very little support from the police authorities. The authorities are likely to view the amount involved as too small to bother about, or in the case of international orders as outside their jurisdiction. It is therefore vital for merchants to put fraud prevention processes in place now and not wait until a fraud attempt occurs.
Before moving on to discuss fraud prevention techniques, one common misconception needs to be cleared up. Some merchants assume that the verification process they initiate when they key a card number into an electronic swipe terminal provides sufficient fraud protection. This is not the case, as all this verification process does is check that the card has not been reported stolen and that it has sufficient free credit available to fund the purchase.
So why are existing anti-fraud techniques insufficient? Current techniques for credit card fraud prevention include the use of signatures on anti-tamper tape, holograms and now even the etched image of a card's owner. These are all of no use when it comes to CNP transactions, as the merchant never gets to see the credit card. About the only existing anti-fraud technique that is of any use to the online merchant is AVS (Address Verification Service).
AVS was developed to help MOTO merchants avoid fraud. It works by comparing a portion of the billing address with the records held by the card issuer. However, AVS has some serious limitations when it comes to Internet transactions:

o One of the major opportunities that the Internet brings is the ability to accept orders from all around the world, but AVS only works for addresses in the USA.

o Another major advantage of the Internet is that it allows "soft" goods such as software to be purchased and downloaded instantly. AVS provides no protection here as all a thief has to do is to obtain a valid address that corresponds to a stolen credit card number.

o And even with "hard" goods there is still a problem as thieves can supply a valid address for a stolen credit card as the "bill to" but then request a different "ship to" address.
Not surprisingly then, merchants have been quick to develop and introduce a number of ways to limit their exposure to fraud. Here's a list of some of them:

o Using AVS whenever possible: OK, so it only works in the US and the system can be beaten, but it's still a useful way of weeding out the less sophisticated fraudster.

o Being particularly wary of orders from free e-mail addresses: Once a thief has a stolen credit card number and a stolen address they need one more thing to complete their fraud portfolio: an untraceable e-mail address to hide behind. That's why a high proportion of fraudulent orders come from free e-mail addresses and, as a result, many merchants refuse to accept orders from them or at least perform additional checks. You can find a sample list of free e-mail domains on the AntiFraud Web site at: http://www.antifraud.com/redflag.htm

o Checking out the customer's Web site: it is often possible to determine the URL of a customer's Web site by simply putting "www" in front of the second part of their e-mail address. For example, if a customer provides an e-mail address of "john.doe@somedomain.com" then typing www.somedomain.com into a Web browser usually leads to their Web site.

  Things to look out for include empty or "under construction" Web sites or sites where the contact information differs significantly from the order information. For example, the Web site might display a US business address whilst the order requests delivery to be made to Eastern Europe.

  Some merchants go even further and check out who owns the domain name. Information on the ownership of US domains is available on the Network Solutions Web site ( http://www.networksolutions.com ) or alternatively Unix wizards can use the "whois" command.

o Taking special care where the "ship to" address differs from the "bill to" address: Some merchants don't accept these types of orders from international customers and some carry out additional checks even for domestic orders.

o Watching out for unusual orders: Thieves usually have the "might as well be hung for a sheep as a lamb" mentality and therefore tend to place orders that differ significantly from what legitimate customers typically order. Things to look out for include orders for "big ticket" items, orders for unusually high quantities and orders where the customer is prepared to pay a lot for expedited delivery.

o Phoning the customer if in any doubt: A quick telephone call can often be enough to establish whether an order is legitimate or not.

o Collecting all possible order data: When trying to detect fraudulent orders or trying to recover money lost through fraud, the more data you have available the better. This includes the customer's address and telephone number, the name of the bank that issued the credit card, and the IP address of the computer from which the order was placed.

o Firing a warning shot: Stating clearly on a Web site that the merchant has anti-fraud safeguards in place and will pursue prosecution for all fraudulent orders can be enough to scare off some would-be thieves.
Although it might be tempting to employ all of the methods above, there is a problem: each of these checks takes time (and therefore money) to perform. The best strategy for most merchants would therefore be to construct a tiered matrix that stipulates the level of checking that should be performed on different order categories. The contents of such a matrix will depend entirely on the nature of what the merchant is trying to sell and how much risk he or she is willing to take, but here's an example:
Order Value      | Domestic Orders                             | International Orders
-----------------+---------------------------------------------+---------------------------------
<$25             | Accept all                                  | Accept all
$25 to $99       | AVS only                                    | Check bill to = ship to
                 |                                             | No "freemail" addresses
$100 to $249     | AVS                                         | No "freemail" addresses
                 | Check bill to = ship to                     | Check out customer's Web site
                 | No "freemail" addresses                     |
$250 and over    | AVS                                         | No credit card orders accepted
                 | No "freemail" addresses                     | Ask customer to wire funds
                 | Phone customer for verification             |
                 | before shipment                             |
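The matrix above, turned into an automated screening routine as an added example (this is not code from the article): each cell of the matrix becomes a set of checks selected by order value and origin. Automated checks (the AVS result, bill-to = ship-to, free e-mail domain) run immediately; steps that need a person (checking the customer's Web site, phoning them) are reported back so the order can be held. The Order fields, the "red flag" domain list and the sample orders are constructed for this example.

```python
"""Tiered order screening built from the article's example matrix (added example)."""
from dataclasses import dataclass, field

# Constructed stand-in for a "red flag" list of free / forwarding e-mail domains.
FREEMAIL_DOMAINS = {"hotmail.com", "yahoo.com", "mail.com"}


@dataclass
class Order:
    value: float
    email: str
    bill_country: str          # ISO country code; "US" counts as domestic here
    ship_country: str
    bill_address: str
    ship_address: str
    avs_match: bool = True     # assumed result of an AVS call; only meaningful for US orders


@dataclass
class Decision:
    action: str                                   # "accept", "review" or "decline"
    flags: list = field(default_factory=list)     # automated checks that failed
    manual: list = field(default_factory=list)    # steps a person must still perform


def email_domain(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()


def website_guess(email: str) -> str:
    """The article's trick: put www in front of the e-mail domain to find the customer's site."""
    return "www." + email_domain(email)


def check_freemail(order: Order, flags: list) -> None:
    if email_domain(order.email) in FREEMAIL_DOMAINS:
        flags.append("free e-mail address")


def check_bill_equals_ship(order: Order, flags: list) -> None:
    if (order.bill_country, order.bill_address) != (order.ship_country, order.ship_address):
        flags.append("ship-to differs from bill-to")


def check_avs(order: Order, flags: list) -> None:
    # AVS only exists for US addresses; for any other country it gives no signal at all.
    if order.bill_country == "US" and not order.avs_match:
        flags.append("AVS mismatch")


def screen(order: Order) -> Decision:
    """Apply the matrix cell for this order's value band and origin."""
    flags, manual = [], []
    domestic = order.bill_country == "US"
    if order.value < 25:
        pass                                    # accept all, domestic or international
    elif order.value < 100:
        if domestic:
            check_avs(order, flags)
        else:
            check_bill_equals_ship(order, flags)
            check_freemail(order, flags)
    elif order.value < 250:
        if domestic:
            check_avs(order, flags)
            check_bill_equals_ship(order, flags)
            check_freemail(order, flags)
        else:
            check_freemail(order, flags)
            manual.append("check out customer's Web site at " + website_guess(order.email))
    else:
        if domestic:
            check_avs(order, flags)
            check_freemail(order, flags)
            manual.append("phone customer for verification before shipment")
        else:
            return Decision("decline", ["no card orders at this value from abroad; ask customer to wire funds"])
    if flags or manual:
        return Decision("review", flags, manual)
    return Decision("accept")


if __name__ == "__main__":
    sample = Order(150.0, "john.doe@somedomain.com", "DE", "DE", "Hauptstr. 1", "Hauptstr. 1")
    print(screen(sample))
```

Failed automated checks and pending manual steps both put the order in "review" rather than declining it outright, which matches the article's advice that free-mail or mismatched-address orders deserve additional checks rather than automatic refusal; only the one cell the matrix marks as "no credit card orders accepted" declines.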
Although this approach will reduce the risk of fraud considerably, it still has some problems associated with it. For not only do these checks take time and money to perform, they also prevent the use of real-time credit card processing, which could in turn lead to lost sales. And most important of all, these methods are difficult to scale successfully: a merchant might be able to perform these checks on a small number of orders per day, but how would they cope when the number of orders grows?

One solution to this quandary is to employ some automated checking tools, and I'll be taking a look at some of these next week.
Part 3
********************************
Beyond SET: Enhanced Security for Online Transactions
by Kurt Thumlert*
The protracted demise of the Secure Electronic Transaction protocol (otherwise known as SET) is now complete. Designed to bolster fraud prevention on Internet credit card transactions, SET was beleaguered by complexities that made full implementation untenable.

Still, with the laborious passing of SET, new and improved approaches to securing online transactions are visible on the horizon. And many of these security protocols will provide the degree of consumer authentication needed to decrease problematic fraud and chargeback levels - very good news for online merchants.

Good news indeed, principally because the current SSL (Secure Sockets Layer) protocol was not designed to protect online business from fraudulent use of stolen credit cards. Though SSL provides very important encryption for credit card data - and a secure medium of transmission - consumer authentication on card-not-present transactions is not part of the SSL protocol. Similarly, SSL does not insulate credit card data on merchant servers. Unfortunately, short of deploying elaborate fraud detection systems (that attempt to flush out suspect ordering activity), cardholder authentication remains a major e-commerce snag - at least for the moment.
Designed to remedy security problems, SET was developed in 1996. However, the technical and bandwidth requirements of SET, as well as mounting complexities involved in full realization, created a situation in which SET's disadvantages outweighed its potential benefits.

Currently, there are a number of secure transaction models competing to replace SET, and each concentrates on more comprehensive protocols for authenticating customers during card-not-present transactions. In all cases, more data is required from the consumer than the current inadequate standard of credit card number combined with expiration date. Most importantly for online merchants, more and more liability for chargebacks will fall on the consumer, which should radically decrease abuse of 'consumer-friendly' credit card policies.
First, there is the Payer Authorization model in which the credit card company issues a password or PIN number to the cardholder to be used during card-not-present transactions. During a sale, a pre-authorization process requires that your customers enter a password along with the credit card number. The merchant is then notified of consumer authenticity - or potential fraud. If the card issuer verifies the password, the merchant transmits an authorization message and the pre-authorization process is concluded successfully.

American Express' 'Private Payments' model for secure transactions operates on the same principle as the Payer Authorization model - except for one key difference: for each online transaction the consumer must go to the American Express website to receive a 'disposable' transaction number to be used in conjunction with the credit card number. The transaction number can only be used once and is rendered inoperative after a transaction is made. To receive the transaction number in the first place, the cardholder must provide a user name and password at the Private Payments site.

The last model, the Visa Smart Card program, basically strives to emulate the 'swipe' of physical point-of-sale transactions combined with PIN number security. For these transactions, the card issuer must issue 'smart' credit cards loaded with microchips that can authenticate user identity. Of course, the consumer will also have to have a terminal connected to his/her PC in which to swipe the card. A PIN number then activates the credit card data locked in the smart card microchip.
Because each of these models requires passwords or PIN numbers, all provide relatively strong anti-fraud protection in cases where credit card numbers are stolen or hacked en masse. As a result, these security developments should go a long way in improving consumer confidence in the Internet as a viable, secure environment for transacting business.

Of perhaps greater significance to online merchants, the authentication protocols require more consumer data than current systems and the capacity to confirm cardholder identity is greatly enhanced. This means less fraud exposure and one very significant ancillary benefit: more and more chargeback liability will rest with the consumer - and this is very good news for those e-businesses suffering from damaging chargeback fees and exorbitant fraud levels.
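The 'disposable' transaction number model described above, modelled from the issuer's side as an added example (this is not code from the article, from American Express or from any issuer): the cardholder logs in with a user name and password, receives a random number bound to their card account, and the merchant later submits that number together with the card number; the issuer honours the pair exactly once. The account store, the password hashing parameters and the 16-digit number format are assumptions made for the example.

```python
"""Issuer-side model of single-use transaction numbers (added example)."""
import hashlib
import hmac
import os
import secrets

DIGITS = "0123456789"


def _hash_password(password: str, salt: bytes) -> bytes:
    # Assumed parameters: PBKDF2-HMAC-SHA256 with a per-user salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class Issuer:
    def __init__(self) -> None:
        self._accounts = {}   # username -> (salt, password hash, card number)
        self._tokens = {}     # transaction number -> {"card": ..., "used": bool}

    def enrol(self, username: str, password: str, card_number: str) -> None:
        salt = os.urandom(16)
        self._accounts[username] = (salt, _hash_password(password, salt), card_number)

    def login(self, username: str, password: str) -> bool:
        record = self._accounts.get(username)
        if record is None:
            # Run the KDF anyway so an unknown user costs the same time as a wrong password.
            _hash_password(password, b"\0" * 16)
            return False
        salt, stored, _ = record
        return hmac.compare_digest(stored, _hash_password(password, salt))

    def issue_transaction_number(self, username: str, password: str) -> str:
        """Step 1: the cardholder authenticates and receives a fresh one-time number."""
        if not self.login(username, password):
            raise PermissionError("cardholder authentication failed")
        card_number = self._accounts[username][2]
        while True:
            number = "".join(secrets.choice(DIGITS) for _ in range(16))
            if number not in self._tokens:       # never reuse a number still on file
                break
        self._tokens[number] = {"card": card_number, "used": False}
        return number

    def authorise(self, card_number: str, transaction_number: str, amount: float) -> dict:
        """Step 2: the merchant submits card + transaction number; the pair works once."""
        record = self._tokens.get(transaction_number)
        if record is None:
            return {"approved": False, "reason": "unknown transaction number"}
        if not hmac.compare_digest(record["card"], card_number):
            return {"approved": False, "reason": "transaction number not issued for this card"}
        if record["used"]:
            return {"approved": False, "reason": "transaction number already used"}
        record["used"] = True                    # rendered inoperative after a single use
        return {"approved": True, "amount": amount}


if __name__ == "__main__":
    issuer = Issuer()
    issuer.enrol("jane", "correct horse battery staple", "4000000000000002")
    number = issuer.issue_transaction_number("jane", "correct horse battery staple")
    print(issuer.authorise("4000000000000002", number, 49.95))
    print(issuer.authorise("4000000000000002", number, 49.95))   # second use is refused
```

The point for a merchant is the last two calls: a captured transaction number is worthless once it has been spent, and a number cannot be moved to a different card, which is exactly the property a stolen static card number lacks.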
(*Kurt Thumlert is the Internet Marketing Content Specialist for PaymentOnline ( http://www.paymentonline.com ), a company that provides e-commerce services for businesses, including real-time credit card processing, secured shopping carts, order pages and hosting, and Payment Gateways like SecureGate. Kurt can be reached at mailto:kurt@paymentonline.com.)
********************************
Part 4
********************************
Fraud Prevention Tools
by Paul Lang
Two weeks ago I described some manual checks that you can use to help prevent fraud in your online store. However, although these checks will reduce the risk of fraud considerably, they are far from perfect. For not only do they take time and money to perform, they also prevent the use of real-time credit card processing, which could in turn lead to lost sales. And most important of all, these methods are difficult to scale successfully: a merchant might be able to perform these checks on a small number of orders per day, but how would they cope when the number of orders grows?
One solution to this quandary is to employ automated checking tools. Fortunately, many real-time credit card processing services have now integrated anti-fraud screening tools from vendors such as CyberSource ( http://www.cybersource.com ) or HNC ( http://www.efalcon.com ). In addition to these integrated tools, there are a number of standalone anti-fraud tools available that are suitable for e-tailers who are either processing their credit card payments offline or who are looking to employ some additional anti-fraud protection measures.
For the purposes of this article I am going to focus on three of these tools: AntiFraud, iV-Caller and CyberCash Fraud Patrol.
AntiFraud ( http://www.antifraud.com ) is the lowest cost of these products, but it has limited capabilities to match. It costs just under $10 per month and provides a number of tools:

o Automatic screening of free, Web-based or e-mail forwarding addresses. AntiFraud provides access to a custom script that automatically checks the buyer's e-mail address against a list of "Red Flag" domains. The list currently has over 3000 domains listed, and it is updated regularly.
o IP tracking automatically captures the IP address of the computer from which the order was placed.

o Instant Fraud Attempt Alerts that allow members to notify each other about fraud attempts.

o A regular newsletter.
The principle behind iV-Caller ( http://www.iverify.com ) is very simple. One of the problems with AVS (Address Verification Service), which is the mainstay of fraud protection in the US, is that it provides no protection for Web merchants selling downloadable products, because a fraudster can get hold of a valid address that matches a stolen credit card number. To try to overcome this shortcoming, iV-Caller ensures that all customers provide a valid telephone number and that they can be contacted at that number.

Here's how it works:
1. iVerify provides merchants with a short piece of code that they add into a registration form on their own Web site.

2. During the registration process consumers are asked to provide details of a telephone number where they can be contacted and when they want to be called, and finally they choose a 6-10 digit code for themselves.

3. This information is passed to the iVerify server, which then makes a telephone call to the consumer. When they receive the call the consumer is prompted to enter the code they selected by punching the buttons on their phone.

4. If the code is entered correctly the consumer is successfully registered.
iV-Caller costs $29.95 to set up and has a $0.09 per verification charge.
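The four-step call-back flow above, simulated in-process as an added example (this is not iVerify's code): the consumer's form submission is validated, the server keeps only a salted hash of the chosen 6-10 digit code, the 'call' is modelled by a dialer callback that returns the digits keyed on the phone, and the registration is marked verified only when the keyed digits match. The telephone-number pattern, the three-attempt lock-out and the dialer interface are assumptions made for the example.

```python
"""Simulation of telephone call-back registration verification (added example)."""
import hashlib
import hmac
import os
import re
import secrets

PHONE_RE = re.compile(r"^\+?[0-9]{7,15}$")    # assumption: digits only, optional leading +
MAX_ATTEMPTS = 3                               # assumption: lock the registration after 3 calls


def _hash_code(code: str, salt: bytes) -> bytes:
    # The chosen code is a short PIN, so it is stored salted and stretched, never in clear.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


class CallbackVerifier:
    def __init__(self, dialer) -> None:
        # dialer(phone) places the call and returns the digits the consumer keyed in.
        self._dialer = dialer
        self._pending = {}    # registration id -> state

    def register(self, phone: str, code: str) -> str:
        """Form submission: validate the inputs and store only a hash of the chosen code."""
        phone = re.sub(r"[\s\-()]", "", phone)
        if not PHONE_RE.match(phone):
            raise ValueError("telephone number is not valid")
        if not (code.isdigit() and 6 <= len(code) <= 10):
            raise ValueError("code must be 6 to 10 digits")
        reg_id = secrets.token_hex(8)
        salt = os.urandom(16)
        self._pending[reg_id] = {"phone": phone, "salt": salt, "hash": _hash_code(code, salt),
                                 "attempts": 0, "verified": False}
        return reg_id

    def place_call(self, reg_id: str) -> str:
        """Server-side call-back; returns 'verified', 'mismatch' or 'locked'."""
        state = self._pending[reg_id]
        if state["verified"]:
            return "verified"
        if state["attempts"] >= MAX_ATTEMPTS:
            return "locked"
        state["attempts"] += 1
        keyed = self._dialer(state["phone"])
        if hmac.compare_digest(state["hash"], _hash_code(keyed, state["salt"])):
            state["verified"] = True
            return "verified"
        return "locked" if state["attempts"] >= MAX_ATTEMPTS else "mismatch"

    def is_verified(self, reg_id: str) -> bool:
        return self._pending[reg_id]["verified"]


if __name__ == "__main__":
    # Constructed stand-in for the telephone network: what each number keys back.
    answers = {"+15551234567": "123456"}
    verifier = CallbackVerifier(lambda phone: answers.get(phone, ""))
    reg = verifier.register("+1 555 123 4567", "123456")
    print(verifier.place_call(reg), verifier.is_verified(reg))
```

Two details matter beyond the happy path: the code the consumer chooses is never stored in clear, and a registration whose call-backs keep failing is locked rather than retried indefinitely, so the check cannot be worn down by repeated attempts from a wrong number.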
CyberCash Fraud Patrol ( http://www.cybercash.com/fraudpatrol ) is normally provided as a premium service to CyberCash's CashRegister merchants and therefore forms part of a complete real-time processing package. However, CyberCash have also made this service available to other merchants. Here's how it works:
1. The e-tailer passes details of the proposed transaction to CyberCash.

2. CyberCash scores the transaction by checking it against a huge database of past fraudulent transactions and by profiling it against known fraudulent behaviour patterns.

3. CyberCash returns a fraud score to the e-tailer, who then decides (manually or automatically) whether or not to authorise the transaction.
CyberCash Fraud Patrol costs $495 to set up, has a monthly fee of $59 and a per-verification fee of between $0.15 and $0.20, depending on the number of transactions. Prices for CashRegister customers are much lower ($99 set up and $39 per month), so it might make financial sense for some e-tailers to sign up for the complete CashRegister service instead.
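A toy scoring service of the kind the three steps above describe, as an added example (this is not CyberCash's Fraud Patrol or any vendor's code): a transaction is scored against a negative database of past fraud, kept as SHA-256 fingerprints rather than raw card numbers, and against a few behavioural patterns drawn from the merchant's own recent orders; the merchant then applies its own review and decline thresholds to the returned score. The weights, thresholds, transaction format and sample data are all constructed for the example.

```python
"""Toy transaction scoring against a negative database and behaviour patterns (added example)."""
import hashlib


def fingerprint(value: str) -> str:
    """Store and compare hashes so the negative database never holds raw card numbers."""
    return hashlib.sha256(value.encode()).hexdigest()


# Constructed negative database: fingerprints of one card and one IP seen in past fraud.
NEGATIVE_DB = {fingerprint("card:4111111111111111"), fingerprint("ip:203.0.113.9")}


def score(txn: dict, recent: list) -> tuple:
    """Return (score 0-100, reasons). `recent` holds the merchant's earlier transactions."""
    points, reasons = 0, []
    if fingerprint("card:" + txn["card"]) in NEGATIVE_DB:
        points += 60
        reasons.append("card number in negative database")
    if fingerprint("ip:" + txn["ip"]) in NEGATIVE_DB:
        points += 40
        reasons.append("IP address in negative database")
    # Behavioural patterns profiled from the merchant's own recent orders.
    from_ip = [t for t in recent if t["ip"] == txn["ip"]]
    if len(from_ip) >= 3:
        points += 25
        reasons.append("%d recent orders from the same IP address" % len(from_ip))
    cards_seen = {t["card"] for t in from_ip} | {txn["card"]}
    if len(cards_seen) >= 3:
        points += 30
        reasons.append("several different cards used from one IP address")
    if txn["amount"] >= 500:
        points += 15
        reasons.append("high-value order")
    if txn.get("expedited"):
        points += 10
        reasons.append("expedited delivery requested")
    return min(points, 100), reasons


def decide(points: int, review_at: int = 40, decline_at: int = 80) -> str:
    """The merchant's side of step 3: turn the returned score into an action."""
    if points >= decline_at:
        return "decline"
    if points >= review_at:
        return "review"
    return "accept"


if __name__ == "__main__":
    # Constructed sample: three earlier orders from one IP, each on a different card.
    history = [{"card": "c%d" % i, "ip": "198.51.100.7", "amount": 20.0} for i in range(3)]
    txn = {"card": "c9", "ip": "198.51.100.7", "amount": 600.0, "expedited": True}
    points, reasons = score(txn, history)
    print(points, decide(points), reasons)
```

The reasons list is what makes the score useful when the decision is taken manually: an operator reviewing a 60-point order wants to know whether it was the card, the IP or the velocity pattern that drove the score.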
My final message: Internet credit card fraud is growing and will continue to do so, and as things stand just now you, the e-tailer, are going to have to bear the cost of it. So whatever anti-fraud methods you choose to employ, please start work on implementing them today.