"A lot of merchants are not doing their homework until they get hit," says an executive with fraud prevention company ClearCommerce.
While online security experts warn that the number and kinds of fraud threatening e-commerce continue to rise, many online merchants don't take sufficient steps to thwart fraudulent transactions, Daniele Micci-Barreca, director of technology solutions for ClearCommerce Corp., tells InternetRetailer.com. "A lot of merchants are not doing their homework until they get hit," he says.
Many e-retailers will simply require a credit card account number without asking for additional confirmation information, such as a password or matching billing and ship-to addresses. Such merchants often become quickly known among fraudsters who post their names and URLs on web sites and in chat rooms as e-retailers who are easy to scam with fraudulent card usage.
Sometimes groups of merchants in a single market are lax in stopping fraud, but if one of them starts to tighten security, word often quickly gets out among fraudsters about which sites are still lax. "We see this clearly in some industries," Micci-Barreca says. "As soon as one competitor has tightened its fraud prevention policies, all of a sudden there's a flow of fraud into its competitors' sites."
At the same time, there is also an increasing number of tactics e-retailers can use to guard against fraud. Here are five crucial anti-fraud steps recommended by ClearCommerce:
-- Check the frequency of orders from the same IP address, because fraudsters often use the same IP address repeatedly when making online purchases with stolen or otherwise compromised credit cards.
-- Use the card verification method to supplement the security of the online checkout process. This method requires a purchaser to reveal the extra three or four digits that appear on a card in addition to the account number. Since the extra digits appear only on the card, they're not readily available to someone who has stolen an account number without obtaining the card itself.
-- Use geolocation technology to identify the country of origin of the IP address. Geolocation technology, available as part of some fraud-detection systems, is used to help merchants see if transactions are being made from countries known as common sources of online fraud. For example, if an IP address is based in Nigeria, a known source of fraudulent card usage, but the card account's billing address is in Chicago and the ship-to address is Miami, where there are many international freight forwarders, a merchant can bet the transaction is being made with a stolen credit card account, Micci-Barreca says.
-- Scrutinize orders to be delivered to New York or Miami, both of which are often used by fraudsters to forward shipments to foreign markets.
-- Trust your instincts. "If something about an order looks suspicious or seems unusual, take the time to verify the information," ClearCommerce says.
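
The first four checks above can be automated as screening rules that queue orders for the manual verification described in the fifth. The following sketch is an added example, not code from ClearCommerce or the article; the thresholds, field names, geolocation table and sample orders are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# All thresholds, field names and sample data below are assumptions for illustration.
WINDOW_SECONDS = 3600          # look-back window for the per-IP order count
MAX_ORDERS_PER_WINDOW = 2      # orders allowed per IP inside the window
WATCHED_COUNTRIES = {"NG"}     # the article's example of a high-fraud origin
FORWARDER_CITIES = {"New York", "Miami"}   # ship-to cities the article names
# Constructed stand-in for a geolocation lookup (documentation IP ranges).
GEO = {"203.0.113.7": "NG", "198.51.100.20": "US"}

def screen_orders(orders):
    """Return {order_id: [reason, ...]} for orders that warrant manual review."""
    recent = defaultdict(deque)            # ip -> order timestamps inside the window
    flagged = {}
    for o in sorted(orders, key=lambda o: o["ts"]):
        reasons = []
        seen = recent[o["ip"]]
        while seen and o["ts"] - seen[0] > WINDOW_SECONDS:
            seen.popleft()                 # drop orders older than the window
        seen.append(o["ts"])
        if len(seen) > MAX_ORDERS_PER_WINDOW:
            reasons.append("ip_velocity")
        if not o["cvv_ok"]:                # card verification digits absent or wrong
            reasons.append("cvv_failed")
        ip_country = GEO.get(o["ip"])      # None when the IP cannot be located
        if ip_country in WATCHED_COUNTRIES and ip_country != o["bill_country"]:
            reasons.append("geo_mismatch")
        if o["ship_city"] in FORWARDER_CITIES:
            reasons.append("forwarder_city")
        if reasons:
            flagged[o["id"]] = reasons
    return flagged

# Constructed sample orders (ts is seconds since an arbitrary start).
SAMPLE = [
    {"id": "A1", "ts": 0,    "ip": "198.51.100.20", "cvv_ok": True,  "bill_country": "US", "ship_city": "Denver"},
    {"id": "A2", "ts": 600,  "ip": "203.0.113.7",   "cvv_ok": True,  "bill_country": "US", "ship_city": "Miami"},
    {"id": "A3", "ts": 900,  "ip": "203.0.113.7",   "cvv_ok": False, "bill_country": "US", "ship_city": "Miami"},
    {"id": "A4", "ts": 1200, "ip": "203.0.113.7",   "cvv_ok": True,  "bill_country": "US", "ship_city": "Chicago"},
    {"id": "A5", "ts": 9000, "ip": "203.0.113.7",   "cvv_ok": True,  "bill_country": "NG", "ship_city": "Lagos"},
]

if __name__ == "__main__":
    for order_id, reasons in screen_orders(SAMPLE).items():
        print(order_id, reasons)
```

Each rule only adds a reason code; none rejects an order outright, so a reviewer still decides what to do with a flagged order.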