With e-commerce shopping volume continuing to shoot up year after year, Internet retailers, banks and credit card organizations are discovering that the boost in sales is accompanied by a rise in online fraud.
In the United Kingdom, for instance, online shopping last October was up 88% from October 2006, according to Retail Decisions, a British payment processor and card issuer, while attempts at online fraud rose even faster, skyrocketing 131% over the same period.
While various tools are available to combat such fraud, sophisticated criminals–including organized crime groups–continually devise new ways to perpetrate card-not-present fraud, which preys upon telephone and mail-order shopping as well as online sales.
“I’ve heard it likened to a constant game of cat-and-mouse,†says Karen Markey, vice president of association and vendor management at First National Merchant Solutions, an Omaha-based merchant processor. Card-not-present fraudsters, she explains, are not ordinary street crooks. On the contrary, they typically are smart and well-educated individuals determined to make huge profits off of their thefts of merchandise and identities.
“Identities are increasingly being stolen,†says John R. Lazzaro, senior vice president of VoiceVerified Inc., a New Hope, Pa.-based firm that helps merchants secure their online transactions through a system of voice authentication. “It’s virtually impossible to shut off all the holes in the dam.â€
Linda Foley, founder of the Identity Theft Resource Center, a San Diego-based nonprofit firm that offers fraud victims assistance, says the precise level of identity theft and how much it has increased are difficult to gauge. Many studies have varying numbers, the organization points out, and those numbers often conflict.
Gartner Research reports there were 15 million victims of identity theft in 2006, and a Javelin Strategy & Research survey found that businesses and consumers lost $56.6 billion to identity theft in 2005.
Card-not-present crime costs merchants across the globe hundreds of millions–if not billions–of dollars annually. Markey says phishing alone cost Americans $3.2 billion in 2007. Card-not-present fraud involves both identity theft and the use of illicitly obtained card data to make fraudulent purchases.
Merchants trying to limit the vulnerability of their online-sales operations must make complex risk-management decisions to determine how far to go to try to abate card-not-present fraud. The critical question is whether the funds they invest in fraud prevention outweigh potential losses in sales and the inconveniencing–and potentially antagonizing–of legitimate customers.
Most fraud-prevention techniques reject some legitimate sales and involve asking shoppers to take extra steps–and thus sacrifice their time–to ensure that transactions are not fraudulent.
“Every merchant has to figure out the risk they can take,†says Michael Petitti, senior vice president of Trustwave, a Chicago-based information-security firm.
“People are getting much smarter at taking a risk-based approach,†observes David Nussenbaum, director of business consulting at TransUnion LLC, a Chicago-based credit bureau. “There are different rigors of authentication, and they should be applied based on the risk involved.â€
FRAUD IMPACT
Retailers typically assume the cost of card-not-present fraud, and the card brands increasingly are saying card issuers also must bear some of the responsibility. But card-not-present crimes cost not only the payments industry oodles of money, they also threaten the integrity of electronic commerce. If consumer confidence in e-commerce is shattered, the full potential of online shopping could be damaged as well.
Indeed, consumers around the world are concerned about the security of online shopping and banking, according to survey data from Unisys Corp., a Blue Bell, Pa.-based information-technology services provider. In the United States, for instance, 21% of 1,002 consumers surveyed late last year said they were “extremely concerned,†and another 19% said they were “very concerned†about the security of shopping and banking online (see chart on page 26).
In the UK, the introduction of chip-and-PIN transactions three years ago has made it more difficult for criminals to use stolen cards to conduct card-present fraud at stores and other places of business. But it has precipitated a rise in card-not-present fraud; the criminals turned to the lucrative field of Internet fraud once they were stymied by chip-and-PIN security at the point of sale.
The Association for Payment Clearing Services, or APACS, the British card-payments organization, reports that card-not-present fraud in the UK increased by 16% between 2005 and 2006, to £212.6 million (US$419.4 million) from £183.2 million. During the first six months of 2007, card-not-present fraud shot up 44%, to £137 million (US$270.3 million) from £95.1 million over the first six months of 2006.
APACS says card-not-present represents 49% of all card fraud in the UK. The association contends, however, that the increase in card-not-present fraud has resulted primarily from the overall increase in Internet shopping and not necessarily from a more vulnerable card-transaction process.
Tim Kelleher, Unisys vice president of security, says the key to combating card-not-present fraud is to concentrate on security fundamentals. Businesses, he explains, should adhere to industry guidelines and regulations, such as the Payment Card Industry Data Security Standard. Companies need to secure their entire information-technology environments and be sure that data are encrypted, Kelleher adds.
MERCHANT OPTIONS
A number of firms offer merchants a means to avoid transmission of a customer’s cardholder data. One such company, Electronic Payment Exchange of Wilmington, Del., provides technology for its retailer customers that ensures retailers never come in contact with cardholder data. The data go directly to Electronic Payment Exchange, not the merchant. The company then assigns a code number to the customer, who uses that number– instead of his or her credit card data–when making a transaction with the merchant.
A more-common tactic is the red-flag approach. When consumers initiate certain types of credit card purchases, they raise red flags–or suspicions–that fraud possibly could be involved. When a red flag is raised, the merchant or its agent might block the transaction or might give the customer a set of questions to answer.
Red flags often occur when a shopper’s credit card address differs from the shipping address. Suspicions also arise when products are shipped to foreign countries or to postal addresses, or when many identical purchases are sent to a single address. They also may occur when a shopper makes multiple transactions over a short period of time, the transactions have similar account numbers or when a cardholder makes very expensive purchases.
Many such transactions are not fraudulent, and therein lies the risk for the merchant in questioning or negating such transactions.
Merchants that employ the red-flag approach usually are less skeptical of repeat customers with whom they have an established relationship. Sometimes a merchant may ask a customer whose purchase raises a red flag certain questions that only legitimate buyers could answer, such as the type of mortgage they have or the insurance they use.
Fair Isaac Corp., which specializes in risk management, offers online merchants a fraud- management program based on the red-flag approach. It uses a neural network that learns from past online-fraud experiences to flag anything unusual.
“We look at the false-positive rate,†says Mike Urban, Fair Isaac senior director of fraud solutions. “You might get all the fraud, but you may be leaving a lot of money on the table. By balancing that out, you’re allowing more of the good transactions to go through.â€
Visa Inc. and MasterCard Worldwide also offer merchants fraud-detection services, Verified by Visa and MasterCard Secure Code.
A popular system for preventing transaction fraud is through the use of the three-digit code on the back of credit cards, known as Cardholder Verification Value Two (CVV2) on Visa cards and Card Validation Code Two (CVC2) on MasterCards. When a customer provides this number to the merchant when making a purchase, it improves the chances that the genuine cardholder, and not an imposter, is using the card, according to Bruce Cundiff, research director of the consulting firm, Javelin Strategy and Research.
TESTING TACTICS
Unisys’ Kelleher says merchants also can gauge the security of their online systems by “literally having people try to hack into you.â€
Larger online merchants usually employ at least some of these tactics to blunt the efforts of hackers and other Internet bandits. But, says Kelleher, smaller merchants also should protect themselves from card-not-present fraud.
“Retailers do have obligations,†he asserts. “And when you have organized crime with a lot of money deciding they can make more money in cybercrime than in drugs, that’s a serious business.â€
Judd Rousseau, chief operating officer and director of fraud operations for IdentityTheft 911, a Scottsdale, Ariz.-based fraud-prevention consultancy, says Russian and Italian organized-crime groups are involved in card-not-present crime, as are such American street gangs as the Bloods and Crips, which traditionally have made money from illicit drug sales.
But while selling drugs on the street may net gang members 10 to 15 years in jail, says Rousseau, with first-time offenders of card-not-present fraud, “if you get caught, you’re looking at probation to a couple years in jail.â€
Typically, online criminals attack merchants that sell high-priced merchandise such as electronic goods that easily may be resold or fenced. But because identity theft also is part of card-not-present crime, insurance ompanies, telecommunications firms and utilities also are susceptible.
Fraud from identity theft can involve huge sums of money. TransUnion’s Nussenbaum says, for instance, that someone stealing a cardholder’s identity might be able to receive a student loan and abscond with $40,000.
“The fraudsters are finding they can open up credit card accounts or take over existing accounts,†he says. “They might use it once, or they might open up other financial accounts. The smart ones spread their work over multiple institutions and multiple instruments.â€
Regardless of the tactics used by online thieves, card-not-present crime is expected to remain a painful headache for merchants and the payment industry in the foreseeable future. There simply is no way to cut it off completely. “There’s going to be some level of fraud, and all merchants know this,†says Cundiff. “The key is bringing it to a level that’s manageable.â€
(c) 2008 Cards&Payments and SourceMedia, Inc. All Rights Reserved.
http://www.cardforum.com http://www.sourcemedia.com
