Supplement

Beating the fraudsters

With real-world security measures, such as chip and PIN, encouraging migration of card fraud to the online world, balancing stringent security with a need to accept as many orders as possible becomes ever more challenging. Penelope Ody reports

Cardholder not present (CNP) fraud accounted for more than half the total UK card fraud losses last year: £328 million of the £610 million total, according to the latest APACS figures. While CNP losses were up by 13 per cent on 2007 figures, counterfeit fraud - skimming or cloning cards - increased by 18 per cent and card ID theft grew even faster: up by 39 per cent to £47 million. Small wonder then that, while the banks are mandating 3-D Secure systems to cut CNP losses, consumers are increasingly worried about ID theft and reluctant to give their card details either online or by phone. The recent BBC News exposé highlighting theft of card and personal details at Indian call centres will have done little to assuage confidence.

For retailers, it means a precarious balancing act between putting enough security measures in place to keep chargebacks to the minimum while avoiding too many “false negatives” turning away legitimate business. “False negatives are very difficult to quantify,” says Akif Khan, head of client and technical services at Cybersource and co-author of the company’s latest fraud report. “But almost all rejects will include some good orders.”

Robin Adams, consulting director for security, risk and compliance at The Logic Group, suggests that intelligent fraud prevention systems need to analyse such parameters as the location of the card issue, the delivery address and the IP geography of the computer used to order the goods. “You might have an order with a US card issuer, a delivery address in eastern Europe and an IP location in South America,” he says. “Which would ring alarm bells, but if you just put in place a business rule to reject all orders from certain Eastern European countries then that could include a very high percentage of good orders.”

According to the Cybersource survey, just over a quarter of online retailers check IP geolocation. The survey also suggests that for many retailers manual review remains a preferred option for authenticating orders, with some 70 per cent of online retailers using some degree of manual review and ten per cent of companies still reviewing every order. Not only is this an expensive process, but one that becomes increasingly demanding as the level of sales increases. Among more sophisticated merchants who only review suspicious orders, typically 19 per cent of orders are sent for manual review, with 72 per cent subsequently accepted. As Dr Khan says in the report: “This represents a relatively high false positive rate and may indicate that automated fraud screens flagging up suspicions need to be better tuned.”

It is something which Adams, too, has noticed in discussions with clients: “We do find that many turn off the address verification service tools (AVS) in their systems as these throw up too many queries,” he says. “Some say that AVS rejects around ten per cent of orders for perfectly innocuous reasons such as use of a corporate card with different cardholder address to delivery address or errors in post codes.”

Share and share alike

Sharing information about dodgy transactions could be another effective tactic to combat fraud. So-called ‘hot lists’ of stolen or fraudulent cards have been around for years and have proved of limited use, as by the time a card is listed the fraudster has generally used it several times. Ethoca, which started operations in 2005, currently has 51 businesses signed up for its collaborative service in the UK, US and Canada. Companies provide Ethoca with transaction records for 18 to 24 months, giving details of all accepted, rejected and fraudulent orders. This gives a risk assessment score for that particular operation. The data is then constantly updated in real time so that each transaction can be immediately checked for risk against past and current fraudulent activity, with e-mail address, card number and IP geolocation the key parameters. Each transaction is given a risk score between one and 1,000, with business rules managing rejection when, for example, the score exceeds 700. Although data are not specifically shared between the various companies using the service, the analytics are, so that, eventually, the more companies that sign up for the system, the more accurate risk assessments become.
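To make concrete the contrast Adams draws (a blunt “reject Eastern Europe” rule versus weighing card-issuer country, delivery address and IP geolocation together) and the 1-to-1,000 scoring with a cut-off at 700 described for Ethoca, here is an added illustration in Python. It is not code from Ethoca, The Logic Group or Cybersource; the region table, the score weights, the 400 review band and the sample orders are all constructed assumptions for the example.

```python
from dataclasses import dataclass

# Constructed region table standing in for a BIN database and an IP geolocation
# feed; the country codes and groupings are assumptions for this illustration.
REGION = {
    "US": "north_america", "CA": "north_america",
    "GB": "western_europe", "DE": "western_europe", "FR": "western_europe",
    "RO": "eastern_europe", "PL": "eastern_europe", "UA": "eastern_europe",
    "BR": "south_america", "AR": "south_america",
}

REJECT_THRESHOLD = 700   # the article's example cut-off on the 1..1000 scale
REVIEW_THRESHOLD = 400   # hypothetical band above which an order goes to manual review


@dataclass
class Order:
    issuer_country: str           # country of the card issuer (looked up from the BIN)
    delivery_country: str         # country of the delivery address
    ip_country: str               # country the ordering IP address geolocates to
    card_in_fraud_history: bool   # card number previously tied to a fraudulent order
    email_in_fraud_history: bool  # e-mail address previously tied to a fraudulent order


def blunt_rule_rejects(order: Order) -> bool:
    """The single business rule the article warns against: reject every order
    delivered to an Eastern European country, whatever else the order looks like."""
    return REGION.get(order.delivery_country) == "eastern_europe"


def risk_score(order: Order) -> int:
    """Additive score on a 1..1000 scale.  Geography only adds risk when the
    issuer, delivery and IP countries fall in different regions; history
    signals add on top.  The weights are illustrative assumptions."""
    regions = {REGION.get(c, "unknown")
               for c in (order.issuer_country, order.delivery_country, order.ip_country)}
    score = 1 + 250 * (len(regions) - 1)      # 1 region -> +0, 2 -> +250, 3 -> +500
    if order.card_in_fraud_history:
        score += 400
    if order.email_in_fraud_history:
        score += 300
    return min(score, 1000)


def decide(order: Order) -> str:
    """Map the score onto the three outcomes a fraud screen produces."""
    score = risk_score(order)
    if score > REJECT_THRESHOLD:
        return "reject"
    if score > REVIEW_THRESHOLD:
        return "manual_review"
    return "accept"


def compare_screens(orders):
    """Count how many orders each approach rejects outright, to show the
    good business a blunt country rule turns away."""
    blunt = sum(blunt_rule_rejects(o) for o in orders)
    scored = sum(decide(o) == "reject" for o in orders)
    return blunt, scored


# Constructed sample orders (not real transactions).
SAMPLE_ORDERS = [
    Order("RO", "RO", "RO", False, False),   # Romanian shopper, everything consistent
    Order("PL", "PL", "PL", False, False),   # Polish shopper, everything consistent
    Order("US", "RO", "BR", False, True),    # the article's mismatch, plus a known-bad e-mail
    Order("GB", "GB", "GB", True, False),    # consistent geography but a card with fraud history
]

if __name__ == "__main__":
    for o in SAMPLE_ORDERS:
        print(o, risk_score(o), decide(o), "blunt rule rejects:", blunt_rule_rejects(o))
    print("rejected by blunt rule vs. by score:", compare_screens(SAMPLE_ORDERS))
```

Run against the four constructed orders, the blunt rule rejects three (both consistent Eastern European shoppers plus the genuine mismatch), while the combined score rejects only the mismatch and routes the known-bad card to manual review rather than refusing it outright.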

“If fraud is too low then that probably means the retailer is turning away too much good business,” says Ethoca CEO and co-founder, André Edelbrock. “We’re not involved in data sharing with this collaborative system - it’s more about gaining greater intelligence from the data.” Currently, the company has around 300 million transaction records on file and Edelbrock expects this to reach two billion by the end of the year.

While payment fraud is an obvious preoccupation, it is not the only online security risk faced by multi-channel retailers. Martin O’Neal, managing director at security consultants Corsaire, finds plenty of other pitfalls in the sites his testers review. “We have found many sites where it is possible to enter negative numbers or decimal figures when placing orders,” he says. Instead of rejecting such input, these sites process the figures exactly as entered. Someone entering 0.1 when ordering a sofa, for example, is charged only a tenth of the price, as the system records it as a discount; but since a fraction of a sofa cannot be delivered, the error is automatically corrected further along the pipeline and the dishonest shopper receives the furniture for a fraction of the price. Similarly, Corsaire has found banking sites where entering a negative figure for a transfer between accounts ends up crediting both accounts with the funds. “These sorts of errors often creep in when a new version of the website is released, due to limited testing before launch,” adds O’Neal.
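The two defects O’Neal describes (a fractional or negative quantity accepted on an order, and a negative amount accepted on a transfer) are both server-side input validation failures. As an added example, not code from Corsaire or any of the sites its testers reviewed, the Python below shows the unchecked arithmetic beside validators that reject such figures before they reach a price or a balance. Prices, balances, the 99-item quantity ceiling and the per-transfer ceiling are constructed assumptions.

```python
import re
from decimal import Decimal, InvalidOperation


class InvalidOrder(ValueError):
    """Raised when a client-supplied figure fails validation."""


# --- the flawed behaviour the article describes -------------------------------

def line_total_unchecked(unit_price: Decimal, raw_quantity: str) -> Decimal:
    """Quantity is used exactly as the client sent it, so '0.1' charges a tenth
    of the price and '-1' produces a negative line (booked as a discount)."""
    return unit_price * Decimal(raw_quantity)


# --- hardened versions --------------------------------------------------------

def parse_quantity(raw: str, max_quantity: int = 99) -> int:
    """A quantity is a positive whole number under a sane ceiling: no sign,
    decimal point, exponent or blank.  [0-9] rather than \\d so that non-ASCII
    digit characters are rejected as well."""
    raw = raw.strip()
    if not re.fullmatch(r"[0-9]{1,6}", raw):
        raise InvalidOrder(f"quantity must be a whole number: {raw!r}")
    quantity = int(raw)
    if not 1 <= quantity <= max_quantity:
        raise InvalidOrder(f"quantity out of range: {quantity}")
    return quantity


def line_total(unit_price: Decimal, raw_quantity: str) -> Decimal:
    return unit_price * parse_quantity(raw_quantity)


MAX_AMOUNT = Decimal("1000000")   # hypothetical per-transfer ceiling


def parse_amount(raw: str) -> Decimal:
    """A money amount is a finite positive decimal with at most two places;
    Decimal rather than float so binary rounding never creeps in."""
    try:
        amount = Decimal(raw.strip())
    except InvalidOperation:
        raise InvalidOrder(f"not a number: {raw!r}") from None
    if not amount.is_finite() or amount <= 0:
        raise InvalidOrder(f"amount must be positive: {raw!r}")
    if amount > MAX_AMOUNT:
        raise InvalidOrder(f"amount exceeds the transfer ceiling: {raw!r}")
    if amount != amount.quantize(Decimal("0.01")):
        raise InvalidOrder(f"amount has more than two decimal places: {raw!r}")
    return amount


def transfer(balances: dict, source: str, destination: str, raw_amount: str) -> dict:
    """The banking case: a negative figure can never reach the arithmetic, so
    neither account is credited by 'transferring' minus fifty pounds."""
    amount = parse_amount(raw_amount)
    if source == destination:
        raise InvalidOrder("source and destination are the same account")
    if balances[source] < amount:
        raise InvalidOrder("insufficient funds")
    balances[source] -= amount
    balances[destination] += amount
    return balances


def is_rejected(validator, raw: str) -> bool:
    """True when the validator refuses this input with InvalidOrder."""
    try:
        validator(raw)
    except InvalidOrder:
        return True
    return False


if __name__ == "__main__":
    sofa = Decimal("1200.00")   # constructed unit price
    print("unchecked, quantity 0.1:", line_total_unchecked(sofa, "0.1"))
    print("unchecked, quantity -1: ", line_total_unchecked(sofa, "-1"))
    for raw in ("2", "0.1", "-1", "0", "1e3"):
        print(f"checked, quantity {raw!r}: rejected={is_rejected(parse_quantity, raw)}")
    accounts = {"current": Decimal("100.00"), "savings": Decimal("0.00")}
    print(transfer(accounts, "current", "savings", "25.50"))
    print("negative transfer rejected:", is_rejected(parse_amount, "-50"))
```

The whole-number check is a whitelist (what a quantity may look like) rather than a blacklist of bad characters, which is why exponents, unicode digits and empty strings fall out without a case each; the same applies to the amount parser, which accepts only what a two-decimal positive figure can be.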

Savvy shoppers, too, have become wise to online retailers’ randomised promotional experiments where variable discounts are offered at different times to test response. “Shoppers simply keep visiting the same page until they see the lowest price,” says O’Neal. “Although the retailer thinks it is running a valid trial the results are actually being manipulated by customers.”
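The manipulation O’Neal describes works because each page load is a fresh random draw. The usual remedy is to make the assignment sticky: derive the variant from a keyed hash of the customer identifier, so reloading never changes the price and the customer cannot choose a bucket without the server-side key. The Python below is an added illustration of both behaviours, not code from Corsaire or any retailer; the sofa price points, experiment name, customer identifier and secret are constructed for the example.

```python
import hashlib
import hmac
import random

# Constructed price points for a hypothetical sofa promotion trial.
PRICES = {"control": 499.00, "variant_a": 449.00, "variant_b": 399.00}
VARIANTS = sorted(PRICES)


def price_per_visit(rng: random.Random) -> float:
    """Per-visit randomisation: every page load is a new draw, so a shopper
    who keeps reloading can simply wait for the cheapest variant."""
    return PRICES[rng.choice(VARIANTS)]


def lowest_price_by_reloading(visits: int, seed: int) -> float:
    """What the article's savvy shopper pays after `visits` reloads of a
    per-visit randomised page (seeded so the run is reproducible)."""
    rng = random.Random(seed)
    return min(price_per_visit(rng) for _ in range(visits))


def variant_for(customer_id: str, experiment: str, secret: bytes) -> str:
    """Sticky assignment: an HMAC over (experiment, customer) selects the bucket.
    The same customer lands in the same bucket on every visit, different
    experiments are independent, and without `secret` the bucket cannot be
    predicted or steered from the client side."""
    message = f"{experiment}:{customer_id}".encode()
    digest = hmac.new(secret, message, hashlib.sha256).digest()
    return VARIANTS[int.from_bytes(digest[:8], "big") % len(VARIANTS)]


def sticky_price(customer_id: str, experiment: str, secret: bytes) -> float:
    return PRICES[variant_for(customer_id, experiment, secret)]


def lowest_price_by_reloading_sticky(visits: int, customer_id: str,
                                     experiment: str, secret: bytes) -> float:
    """Reloading a sticky page any number of times yields the assigned price."""
    return min(sticky_price(customer_id, experiment, secret) for _ in range(visits))


if __name__ == "__main__":
    secret = b"constructed-server-side-key"          # assumption: kept out of the client
    print("per-visit draw, 200 reloads:", lowest_price_by_reloading(200, seed=0))
    print("sticky bucket for cust-42:", variant_for("cust-42", "sofa-promo", secret))
    print("sticky price, 200 reloads:",
          lowest_price_by_reloading_sticky(200, "cust-42", "sofa-promo", secret))
```

Keying the hash on the experiment name as well as the customer keeps one customer from landing in the same relative bucket across every trial, and rotating the key when a trial ends prevents assignments leaking from one experiment into the next.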

While such shoppers may be happy to exploit the viral nature of social networking to the full to identify the best offers, others will hesitate to expose their precious card details to the risk of fraudsters, hardly surprising given the latest increases in ID fraud and card cloning. For less experienced shoppers, the banks’ preferred 3D Secure technologies - Verified by Visa and MasterCard SecureCode - can look more like attempted fraud, with pop-up windows demanding personal information. As a result many shoppers abandon the transaction at this point. To counter this, many retailers have tended to implement the technology so that existing 3D-Secure customers do see the pop-up, triggered by their card number, but there is no attempt to recruit new users to the scheme.

YesPay has now come up with a more user-friendly alternative in the form of an e-wallet which allows consumers to store information such as card number and address but with vital components - postcode and card verification number - missing. To make a purchase they simply select the card from their e-wallet and add the two missing numbers. Merchants can use a similar e-wallet for regular card payments: this e-wallet is PCI DSS compliant and effectively means that the retailer never has to see or store the card details.

“Banks have been pushing retailers to adopt 3D-Secure,” says YesPay European vice president, sales and marketing, Rohit Patni. “But they haven’t educated the consumer. They ran an enormous campaign for chip and PIN but nothing to increase consumer awareness of 3D-Secure, and unless they do so then adoption rates will remain low.”

The banks have also started offering customers various one-time pass-code generating systems that provide added security and alleviate the need to key in sensitive details for each transaction. Once the user’s card is registered the device generates a short code for each transaction and that is all that must be keyed in to complete a transaction. Cryptocard, which provides this type of technology, is hoping that retail initiatives will soon develop. “Consumers are starting to see and use these systems in the banking environment,” says Jason Hart, senior vice president Europe. “And we believe that ultimately it will be consumer pressure that drives retailers to adopt similar technologies.”

According to Hart, one retailer who introduced this sort of two-factor authentication found a 35 per cent increase in orders as shoppers switched allegiances to the site as it offered better security. “Adoption will probably be influenced by generational change,” adds Hart. “The 17 to 25s understand technology so quickly see the benefits but older age groups may not.”

The system is available as a managed authentication service so could easily be adopted by several retailers sharing the same consumer passcode-generating device. Hart expects initial growth to come from the online gaming and gambling sector with increased take-up of the technology becoming apparent within 18 to 20 months.
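The device described above generates a short code per transaction from a secret registered with the card, and the server has to verify that code and make sure it cannot be reused. The Python below is an added illustration of one standard way to do that, the event-based HOTP scheme of RFC 4226, and is not Cryptocard’s product or code; the registered-token record, the five-step look-ahead window and the use of the RFC’s published test secret are assumptions for the example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 event-based one-time password: HMAC-SHA1 over the 8-byte
    big-endian counter, dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


@dataclass
class RegisteredToken:
    """Server-side record created when the cardholder registers the device."""
    secret: bytes
    next_counter: int = 0      # lowest counter value the server will still accept


def verify(token: RegisteredToken, submitted: str, look_ahead: int = 5, digits: int = 6) -> bool:
    """Accept a code if it matches one of the next `look_ahead` counter values
    (the device may have been pressed without a transaction completing), then
    move the window past it so the same code can never be replayed."""
    # Reject anything that is not exactly `digits` ASCII digits before comparing.
    if len(submitted) != digits or not (submitted.isascii() and submitted.isdigit()):
        return False
    for step in range(look_ahead):
        candidate = token.next_counter + step
        if hmac.compare_digest(hotp(token.secret, candidate), submitted):
            token.next_counter = candidate + 1
            return True
    return False


# The RFC 4226 Appendix D test secret (ASCII "12345678901234567890"); a real
# device holds a per-token random secret that never leaves the device and the
# issuer's registration record.
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    token = RegisteredToken(TEST_SECRET)
    print("first five codes:", [hotp(TEST_SECRET, c) for c in range(5)])
    code = hotp(TEST_SECRET, 3)          # device pressed three times before this purchase
    print("accepted:", verify(token, code), "next counter:", token.next_counter)
    print("replayed:", verify(token, code))
```

Two details matter in practice: the comparison uses `hmac.compare_digest` so that response timing does not leak how many leading digits matched, and the counter is advanced only on success, so a code outside the look-ahead window (a device pressed many times) is refused and the cardholder must resynchronise rather than the window being silently widened.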

With technology and consumer awareness combining to reduce CNP and ID theft frauds, it cannot be long before the fraudsters have to migrate yet again: look out for more in-session phishing and SQL injections in future...

