How to Beat Credit Card Fraud

By Paul Lang, http://sellitontheweb.com

How to Beat Credit Card Fraud

From all the media hype surrounding electronic commerce, a newcomer could be forgiven for thinking that making money on the 'Net is easy. Trust me, it's not. A successful Web merchant has to carefully select the product or service they are going to sell, choose an e-commerce solution, and then build their store. But that's just the start of it: they then have to promote their store to encourage people to visit it and then convert these visitors in to purchasers and then hopefully on in to repeat purchasers.

So whatever way you look at it, building an online business takes a lot of work. Imagine then, how an online merchant feels when they see the profits from their hard work being lost through credit card fraud!

There has been much discussion in the media about the impact of Internet credit card fraud from a consumer perspective. This is somewhat surprising really as the incidence of fraud perpetrated by online merchants against consumers is fairly rare and consumers are typically only liable for the first $50 of any fraudulent transaction, and even this liability is often waived by the credit card issuers.

In fact it is usually the merchant who is the true victim of Internet credit card fraud. This is because Internet credit card transactions fall under the heading of MOTO (Mail Order / Telephone Order) transactions, also called CNP (cardholder not present transactions). Most credit card merchant account agreements leave the merchant 100% liable for fraud committed via this type of transaction as well as requiring them to pay a $15-$25 chargeback fee. And as if to rub salt in to the wound, if a merchant experiences a high level of chargebacks they are often hit with an increase in the discount rate they have to pay on each transaction or may even have their account terminated. And once lost, a merchant account can be almost impossible to obtain again.

So just how big a problem is Internet fraud? Global credit card fraud is estimated at over a billion dollars per year, but with Internet transactions making up a tiny percentage of all credit card transactions it is possible to come to the conclusion that Internet credit card fraud is not really a big issue. This might help to explain why banks and card issuers have in general been slow to try and fix the problem.

On the other hand, reports from individual merchants vary. Some claim they have had no problems at all while others claim significant losses. Whatever today's reality is, one thing is clear: the problem is only going to grow as Internet usage and e- commerce continue their rapid expansion.

Indeed, the Internet itself makes the process of credit card fraud easier in many ways. Lists of stolen credit card numbers and even programs to generate valid new numbers are readily available online. And once armed with stolen or false credit card information, the lack of face-to-face or voice contact on the Internet tends to make a thief more brazen than ever.

It would be wise therefore for all online merchants who have not yet been the victim of a fraud attempt to make the assumption that they will experience an attempt to defraud them at some point soon.

It is important for merchants to understand that if they become victims of a fraud they will probably receive very little support from the police authorities. The authorities are likely to view the amount involved to be too small to bother about, or in the case of international orders to be out with their jurisdiction. So it is therefore vital for merchants to put in place fraud prevention processes now and not wait until a fraud attempt occurs.

Before moving on to discuss fraud prevention techniques, one common misconception needs to be cleared up. Some merchants make the assumption that the verification process they initiate when they key a card number in to an electronic swipe terminal provides sufficient fraud protection. This is not the case as all this verification process does is to check that the card has not been reported stolen and that it has sufficient free credit available to fund the purchase.

So why are existing anti-fraud techniques not sufficient? Current techniques for credit card fraud prevention include the use of signatures on anti-tamper tape, holograms and now even the etched image of a card's owner. These are all of no use when it comes to CNP transactions, as the merchant never gets to see the credit card. About the only existing anti-fraud technique that is of any use to the online merchant is AVS - Address Verification Service.

AVS was developed to help MOTO merchants avoid fraud. It works by comparing a portion of the billing address with the records held by the card issuer. However, AVS has some serious limitations when it comes to Internet transactions:

• One of the major opportunities that the Internet brings is the ability to accept orders from all around the world, but AVS only works for addresses in the USA.
  
  
• Another major advantage of the Internet is that it allows "soft" goods such as software to be purchased and downloaded instantly. AVS provides no protection here as all a thief has to do is to obtain a valid address that corresponds to a stolen credit card number.
  
  
• And even with "hard" goods there is still a problem as thieves can supply a valid address for a stolen credit card as the "bill to" but then request a different "ship to" address.

I mentioned above that the banks and card issuing authorities were doing very little to combat online fraud. This is not strictly true as they are investing large sums of money in to a new system known as SET. SET is the Secure Electronic Transaction protocol developed by Visa and MasterCard specifically for enabling secure credit card transactions on the Internet. It uses digital certificates to validate the identities of all parties involved in a purchase and encrypts credit card information before sending it across the Internet. However it is likely to be several years (if ever) before the use of SET becomes widespread.

Not surprisingly then, merchants have been quick to develop and introduce a number of ways to limit their exposure to fraud. Here's a list of some of them:

• Using AVS whenever possible: OK so it only works in the US and the system can be beaten, but it's still a useful way of weeding out the less sophisticated fraudster.
  
  
• Being particularly wary of orders from free e-mail addresses: Once a thief has a stolen credit card number and a stolen address they need one more thing to complete their fraud portfolio - an untraceable e-mail address to hide behind. That's why a high proportion of fraudulent orders come from free e-mail addresses and as a result many merchants refuse to accept orders from them or at least perform additional checks. You can find a list of free e-mail domains on the AntiFraud Web site at http://www.antifraud.com/redflag.htm.
  
  
• Checking out the customer's Web site: it is often possible to determine the URL of a customer's Web site by simply putting "www" in front of the second part of their e-mail address. For example, if a customer provides an e-mail address of "john.doe@somedomain.com" then typing www.somedomain.com in to a Web browser usually leads to their Web site.

Things to look out for include empty or "under construction" Web sites or sites where the contact information differs significantly from the order information. For example, the Web site might display a US business address whilst the order requests delivery to be made to Eastern Europe.

Some merchants go even further and check out who owns the domain name. Information on the ownership of US domains is available on the Network Solutions Web site at http://www.networksolutions.com or alternatively Unix wizards can use the "whois" command.

• Taking special care where the "ship to" address differs from the "bill to" address: Some merchants don't accept these types of orders from international customers and some carry out additional checks even for domestic orders.
  
  
• Watching out for unusual orders: Thieves usually have the "might as well be hung for a sheep as a lamb" mentality and therefore tend to place orders that differ significantly from what legitimate customers typically order. Things to look out for include orders for "big ticket" items, orders for unusually high quantities and orders where the customer is prepared to pay a lot for expedited delivery.
  
  
• Phoning the customer if in any doubt: A quick telephone call can often be enough to establish whether an order is legitimate or not.
  
  
• Collecting all possible order data: When trying to detect fraudulent orders or trying to recover money lost through fraud, the more data you have available the better. This includes the customer's address and telephone number, the name of bank that issued the credit card, and the IP address of the computer from which the order was placed.
  
  
• Firing a warning shot: Stating clearly on a Web site that the merchant has anti fraud safeguards in place and will pursue prosecution for all fraudulent orders can be enough to scare of some would-be thieves.

Although it might be tempting to employ all of the methods above, there is a problem: each of these checks takes time (and therefore money) to perform. The best strategy therefore for most merchants would be to construct a tiered matrix that stipulates the level of checking that should be performed on different order categories. The contents of such a matrix will depend entirely on the nature of what the merchant is trying to sell and how much risk he or she is willing to take, but here's an example:

Domestic Orders
Order value
Less than $25 - Accept all orders
$25 to $99 - AVS check only
$100 to $249 - As above + no orders from free e-mail addresses
More than $250 - As above + phone customer for confirmation

International Orders
Order value
Less than $25 - Ensure "bill to" address = "ship to" address
$25 to $99 - As above + no orders from free e-mail addresses
$100 to $249 - As above + check out customer's Web site
More than $250 - No credit card orders accepted

Although this approach will reduce the risk of fraud considerably, it still has some problems associated with it. For not only do these checks take time and money to perform, they also prevent the use of real-time credit card processing which could in turn lead to lost sales. And most important of all, these methods are difficult to scale successfully: a merchant might be able to perform these checks on a small number of orders per day, but how would they cope when the number of orders grows?

One solution to this quandary is to employ some automated checking tools. There are a number of these available, but for the purposes of this article I am going to focus on two AntiFraud (www.antifraud.com) and CyberSource IVS (www.cybersource.com/solutions/).

AntiFraud is by far the lower costing of these two products, but it has the limited capability to match. It costs just under $10 per month and provides a number of tools:

• Automatic screening of free, Web based or e-email forwarding addresses. AntiFraud provides access to a custom script that automatically checks the buyer's e-mail address against a list of "Red Flag" domains. The list currently has over 2000+ domains listed, and it is updated regularly.
  
  
• IP tracking automatically captures the IP address of the computer from which the order was placed
  
  
• Instant Fraud Attempt Alerts that allows members to notify each other about fraud attempts
  
  
• A regular newsletter

At the other end of the scale, CyberSource's IVS solution (including full payment processing capability) costs $1495 to set up and has a per transaction fee of $0.39, with a monthly minimum of $195.

Cybersource claims that its IVS system has reduced fraud levels to just 0.5% of sales for many of its merchants. IVS is based on an artificial intelligence engine and works by analysing numerous characteristics of each transaction including shipping address, network address and at what time of day or night the order was placed. IVS then assigns weighted scores and compares these against a merchant's pre-defined threshold to determine if a transaction should be declined or accepted.

My final message: Internet credit card fraud is growing and will continue to do so and as things stand just now you, the merchant, are going to have to bear the cost of it. So whatever anti-fraud methods you choose to employ, please start work on implementing them today.

Copyright 1999, Netsavvy Communications. All rights reserved. Reprinted with permission.

Back to Credit Card Scams and other reports