An endless race
Written by David Adams
As fraudsters find new ways to circumvent traditional anti-fraud systems and establish more elaborate crime rings, online retailers need to be more aware than ever of what else they can do in this area. David Adams reports
Back in the late 90s, there were still people in both the retail and the technology industries who were sceptical about internet shopping. Their views seem quaint now, but were based on quite reasonable concerns: the fact that most bricks and mortar retailers lacked the ability to deliver goods sold online; and the widespread belief that many consumers would not want to enter credit card details on websites, for fear of handing them to fraudsters on a plate.
A decade and a bit later, a great many of us happily pay for goods online, while retailers and logistics companies have risen to the challenge of delivering the merchandise. But the sceptics were right to highlight the security issue. Retailers, banks, credit card companies and payment schemes are all still locked in an endless arms race with criminals using ever more sophisticated techniques.
In one sense the retailers are winning, because the vast majority of online transactions are secure and legitimate. But the fraudsters are still doing well. UK businesses lost an average of 1.8 per cent of overall online revenue to fraud in 2009, representing an average of £400,000, according to the 2010 CyberSource UK Online Fraud Report. A third of the businesses surveyed said they suffered from more fraud each year. And while almost half said they were seeing either a decline or no increase, 69 per cent expected their online revenues to grow in 2010, with 40 per cent expecting rises of up to 20 per cent and almost a third forecasting increases of 20 per cent or above. You can almost see the fraudsters rubbing their hands with glee.
Total fraud losses from UK credit and debit cards actually fell in 2009, by 28 per cent, a decrease of £170 million to £440.3 million compared with 2008, according to the UK Cards Association. But the criminals had merely transferred their attention to vulnerabilities elsewhere: the use of malware and botnets pushed up online banking losses by 14 per cent and the incidence of phishing attacks by 16 per cent.
Fraudsters were also going after softer targets within the retail sector. Disturbingly for retailers, 24 per cent of the 1,000 consumers surveyed for part of the CyberSource fraud report believe that retailers bear primary responsibility for protecting consumers against online fraud. "As far as customers are concerned, the buck stops with the retailer," says Dr Akif Khan, head of client and technical services at CyberSource and co-author of the fraud report.
There are many different technologies that could help. The key is finding the right mix. CyberSource has devised the 'risk management pipeline' concept to explain how technologies and processes could fit together for this purpose, with orders entering the pipeline at one end and retained revenue flowing out of the other. The aim is to stop revenue leaking out through cracks at any of the four stages along the way: automated screening, manual review, the accept/reject decision and fraud claim (chargeback) management.
Automated screening - checking and validating order and billing addresses, IP addresses, the country in which a card was issued and so on - has become more sophisticated, with the single most important advance being the move to real-time screening, so that a suspicious order can be held before the goods are dispatched rather than discovered in a batch report afterwards. Beyond that, the two biggest changes in recent years have been growth in the use of device fingerprinting and of 3D Secure technology.
Device fingerprinting takes basic information from the computer placing an order (browser and operating system, screen size, time zone, language, installed plug-ins and so on) and combines it into a near-unique fingerprint for that device. Because the fingerprint persists across orders regardless of the name, address or card supplied, it reveals unexpected behaviour such as multiple orders using multiple cards being placed from a single laptop.
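To make the screening stage concrete, here is an added example (written for this article, not CyberSource's or any vendor's code) of the two techniques just described working together: a device fingerprint hashed from browser attributes, single-order checks on billing versus IP country and card-issuing country, and a velocity rule that counts how many distinct cards one device has used within a window. Each order gets a score and is routed to accept, review or reject, matching the first three stages of the pipeline. The attribute list, the rule weights, the thresholds and the sample orders are all assumptions chosen for illustration.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Order:
    order_id: str
    placed_at: datetime
    card_token: str       # tokenised card reference; the PAN itself is never kept here
    card_country: str     # country of the issuing bank, looked up from the card's BIN
    billing_country: str  # country of the billing address supplied with the order
    ip_country: str       # country the session's IP address geolocates to
    device: dict          # attributes the shopper's browser reported


# Browser attributes that are cheap to collect and fairly stable between visits (assumed set).
FINGERPRINT_KEYS = ("user_agent", "screen", "timezone", "language", "plugins")


def device_fingerprint(attrs: dict) -> str:
    """Hash a fixed set of browser attributes into a short, stable device identifier."""
    material = "|".join(f"{k}={attrs.get(k, '')}" for k in FINGERPRINT_KEYS)
    return hashlib.sha256(material.encode("utf-8")).hexdigest()[:16]


def screen_orders(orders, window=timedelta(hours=24), max_cards_per_device=2,
                  review_at=30, reject_at=70):
    """Score each order and route it to accept, review or reject.

    Orders are processed in time order so that the velocity check only sees
    orders placed earlier, which is what a real-time screen would see.
    """
    cards_seen = defaultdict(list)   # fingerprint -> [(placed_at, card_token), ...]
    results = {}
    for o in sorted(orders, key=lambda x: x.placed_at):
        fp = device_fingerprint(o.device)
        score, reasons = 0, []

        # Address and geolocation checks on the single order.
        if o.billing_country != o.ip_country:
            score += 30
            reasons.append(f"billing country {o.billing_country} but IP geolocates to {o.ip_country}")
        if o.card_country != o.billing_country:
            score += 20
            reasons.append(f"card issued in {o.card_country}, billing address in {o.billing_country}")

        # Velocity check across orders: how many distinct cards has this device used recently?
        recent = [tok for t, tok in cards_seen[fp] if o.placed_at - t <= window]
        distinct = set(recent) | {o.card_token}
        if len(distinct) > max_cards_per_device:
            score += 50
            reasons.append(f"{len(distinct)} different cards used from device {fp} within {window}")
        cards_seen[fp].append((o.placed_at, o.card_token))

        if score >= reject_at:
            decision = "reject"
        elif score >= review_at:
            decision = "review"    # queue for the manual review stage
        else:
            decision = "accept"
        results[o.order_id] = {"device": fp, "score": score,
                               "decision": decision, "reasons": reasons}
    return results


# Constructed sample orders (not real customer data): one laptop placing four
# orders on three different cards in a day, and one phone ordering from abroad.
T0 = datetime(2010, 3, 1, 9, 0)
LAPTOP = {"user_agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6", "screen": "1280x800",
          "timezone": "0", "language": "en-GB", "plugins": "Flash 10,Java 6"}
PHONE = {"user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 3_1_3)", "screen": "320x480",
         "timezone": "0", "language": "en-GB", "plugins": ""}

SAMPLE_ORDERS = [
    Order("A1", T0,                      "tok-1111", "GB", "GB", "GB", LAPTOP),
    Order("A2", T0 + timedelta(hours=1), "tok-2222", "GB", "GB", "RO", PHONE),
    Order("A3", T0 + timedelta(hours=2), "tok-3333", "GB", "GB", "GB", LAPTOP),
    Order("A4", T0 + timedelta(hours=3), "tok-4444", "US", "GB", "GB", LAPTOP),
    Order("A5", T0 + timedelta(days=2),  "tok-5555", "GB", "GB", "GB", LAPTOP),
]

if __name__ == "__main__":
    for oid, r in screen_orders(SAMPLE_ORDERS).items():
        print(oid, r["decision"], r["score"], "; ".join(r["reasons"]))
```

Run as is, A1 and A3 are accepted, A2 goes to review for its foreign IP address, A4 is rejected because the same laptop has now used three cards in three hours and the latest one was issued abroad, and A5 is accepted because the earlier orders have aged out of the window. Two caveats a practitioner should keep in mind: a fingerprint built from self-reported browser attributes can be spoofed or will change after a browser upgrade, so it is a risk signal rather than an identity; and a device that reports fewer attributes, such as a phone, produces more collisions, which is exactly the mobile problem raised later in this article.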
Most online shoppers in the UK are now familiar with 3D Secure, the password-protected cardholder verification scheme, probably either in its original Verified by Visa form or as MasterCard's SecureCode. The technology offers consumers another layer of protection and mitigates risk for merchants by shifting liability for fraudulent authenticated transactions to the card-issuing banks. It can add a whole layer of additional protection, but is still vulnerable to phishing attacks built around the 3D Secure pop-up window (a shopper has no easy way of telling the genuine bank-hosted window from a fake one), as well as to the inherent weaknesses of any password-based system; and there was also resistance to its use among some merchants because of fears that the extra step would put consumers off completing a purchase.
Stanley Skoglund, head of payment system risk at Visa Europe, accepts that the Verified by Visa scheme didn't move into the mainstream quite as quickly and smoothly as the company had hoped, but says that hard work on the part of Visa and the issuing banks is now paying off.
"The uptake, especially in the UK, is beginning to yield results," he says. "Fifty to 60 per cent of online Visa transactions in the UK are now authenticated through Verified by Visa. Visa Europe operates in 36 countries and if we can continue to see an uptake in issuing banks issuing the technology overall fraud will come down significantly." Twenty million cardholders and more than 200,000 online merchants in the UK, including Tesco, John Lewis, Next, Dixons and lastminute.com, have all joined the scheme.
Overall, CyberSource identifies a lack of joined-up thinking about online fraud as a key weakness for retailers. But joined-up thinking is hard for smaller retailers to resource. One way they can improve their defences is through payment services from providers like Sage Pay, which offers merchants free fraud screening and protection through CNP (card not present) fraud screening specialist The 3rd Man, using its Verified Payment Data Query (VPDQ) risk management solution.
Sage Pay customers include Hello Baby, a small online nursery goods retailer based in East London. The company has been trading for two years and sells through Amazon and eBay as well as its own website. It started working with Sage Pay in early 2009 after experiencing problems with another payment services provider.
"(The previous provider was) very bad at educating merchants about how to manage fraud," says Trevor Ginn, Hello Baby founder and managing director. "It's easy, as a new merchant, to think that a credit card payment is cleared funds and it isn't. If someone does a payment on eBay or Amazon you're covered, but if someone does a payment on the website you need a full picture of what's going on. (The payment provider) didn't support 3D Secure at the time. We didn't really understand that you need to be looking at transaction data, so we had quite a lot of problems. What I like about Sage Pay is that they have a very clear interface that shows the address check and the 3D Secure check and so on. It just makes life easier."
The main advice he'd pass on to other small companies would be to take the issue seriously. "As a merchant you have to ask the right questions. I thought I was quite clued up and I wasn't. I learned that the hard way."
Meanwhile, retailers of all sizes will have to pay more attention to another potential source of fraud in future: selling through mobile devices like the iPhone. "If retailers are aiming to sell on the mobile channel they will have to build up to understand it and to collect the right data," warns Ori Eisen, chief innovation officer at anti-fraud specialist 41st Parameter. "Unfortunately the platform is much smaller than a PC or a Mac. If you have a PC with Flash a merchant or a retailer can store references or a unique ID there. But the iPhone doesn't have Flash and you can't use the same technology."
Concerns have already been raised about malicious iPhone 'apps' downloaded in good faith by consumers becoming the foundation for phishing scams. There was a warning sign in December when Google removed 50 applications from its Android Market app store because of concerns that they could be malicious.
But as the sources of threats change, so security technologies evolve to counter them. For example, Visa has been running trials of a one-time-code-generating credit card, with an alphanumeric display and keypad built in, for more than a year with banks in Switzerland, Italy, Israel and the UK (MBNA). Because the code changes with every use, a code captured by a phishing page or a keylogger is worthless to a fraudster afterwards. Three-factor authentication solutions are quite conceivable, but while they might be hard to crack, would consumers accept them?
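The article describes Visa's trial card only as generating one-time codes and does not say which algorithm it uses, so the following is an added illustration of the principle, not Visa's or MBNA's implementation. It implements the standard counter-based HOTP algorithm from RFC 4226 together with the verifier-side behaviour a practitioner would want to see: each code is accepted exactly once, a replayed or stale code is rejected, and a small look-ahead window resynchronises with a card whose counter has moved ahead because the shopper pressed the button without submitting. The class name, the look-ahead size and the demonstration key are assumptions; the key is the published RFC test-vector secret, not a real card key.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class CardVerifier:
    """Issuer side of a one-time-code card: tracks the counter and accepts each code once.

    The card advances its counter every time it generates a code, whether or not
    the shopper submits it, so the verifier searches a small look-ahead window to
    resynchronise, but never accepts a counter at or below the last one used.
    (Assumed design for illustration, not a specific scheme's rules.)
    """

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.look_ahead = look_ahead
        self.counter = 0          # next counter value that may be accepted

    def verify(self, submitted: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            # Constant-time comparison; a plain == would leak matching prefixes via timing.
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.counter = c + 1      # burn this counter and every earlier one
                return True
        return False


# Demonstration key: the RFC 4226 test-vector secret, constructed for this example.
DEMO_SECRET = b"12345678901234567890"


def demo() -> list:
    """Walk through accept, replay, resync and reject; returns the sequence of outcomes."""
    v = CardVerifier(DEMO_SECRET)
    first = hotp(DEMO_SECRET, 0)
    return [
        v.verify(first),                      # fresh code: accepted
        v.verify(first),                      # same code replayed by a fraudster: rejected
        v.verify(hotp(DEMO_SECRET, 3)),       # card pressed twice unsubmitted, now at 3: accepted via look-ahead
        v.verify(hotp(DEMO_SECRET, 1)),       # stale code behind the counter: rejected
        v.verify(hotp(DEMO_SECRET, 24)),      # far beyond the window: rejected, card needs resync
    ]


if __name__ == "__main__":
    print(demo())
```

The look-ahead window is the usability trade-off the article is circling: too small and a shopper who idly pressed the button a few times is locked out; too large and an attacker who has captured one code gains more guesses before the counter moves on. A real deployment would also rate-limit failed attempts per card and require an out-of-band resynchronisation once the window is exhausted.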
The challenge is finding the right balance, a task that will become easier if consumers are better informed. "The grassroots stuff is education of people shopping online," says Joe Robey, business development coordinator at Sage Pay. "We try to encourage merchants to do more of that."
The online shopping market will be worth £25 billion in 2010, according to Deloitte. "Online is the fastest growing segment in retail," says Visa's Stanley Skoglund. "But while we know fraudsters are becoming more sophisticated, I think we will continue to see a decrease in fraud in this environment."
Only the right combination of technology, vigilance and diligence will make that possible. "There is no magic bullet," says Sage Pay's Robey. "It's about using a range of tools: real-time fraud screening, 3D Secure and some of the other newer technologies. The more options the better."
The eternal truth about IT security remains: nothing can ever be 100 per cent secure - but doing the very best that you can is always a better option than just crossing your fingers and hoping for the best.