After its in-house order management system has placed high-risk orders into a queue, a member of the 20-person Ice.com risk management staff telephones or e-mails the customer to explain that the retailer needs proof of identification before processing the order. By placing the customer’s name and all or part of the customer’s Social Security number into the IDlive system, which consolidates information from thousands of public records, the retailer receives three questions based on the customer’s personal records. The questions, about such personal histories as past home addresses or past jobs, are designed to be known only by the true person the online customer claims to be.
Ice.com then enters the customer’s answers into the IDlive system and waits a few seconds for an authentication of the customer’s identity.
The IDlive system can be set up to automatically interact with an online customer, who fills out a pop-up form of questions and waits for an approval, but Ice.com wanted to conduct the process manually to directly learn how customers would react, Schaff says. “So far they’ve been pleasantly surprised that we’re doing this,” he says, adding that customers say they appreciate Ice.com’s taking steps to prevent fraudulent use of their identities.
IDology’s IDlive service connects with a database of more than 4,000 sources of public records, including Social Security numbers, to verify that an online customer is the true holder of the credit card account being used for a purchase, says vice president and chief marketing officer Raye Croghan. She adds that the system can check specific details needed by particular types of retailers, such as when online wine sellers need to check a purchaser’s age.
IDology charges a one-time application fee of $100 plus per-transaction fees of 25 to 85 cents depending on volume, Croghan says. Other vendors providing similar forms of identity authentication include Verid Inc. and StrikeForce Technologies Inc.
Also on the prevention front, eBay and PayPal have developed anti-fraud software that checks for inconsistencies in their regular users’ transactions and flags them for review. “EBay and PayPal have done a lot of sophisticated work in fighting phishing attacks,” says Jevans.
Vendors that offer similar software and services include Cyota Inc., The 41st Parameter and Retail Decisions. “These systems can detect patterns and then detect anomalies in customer behavior, such as when a customer usually makes three purchases a month for $50 each, then suddenly makes a $10,000 purchase,” Litan says.
Another security company, PassMark Security Inc., has developed a system under which a consumer chooses an image that gets recorded with her personal information when she opens an account. Each time (or occasionally, depending on the account provider) the customer prepares to make an online transaction, the system requires her to identify the chosen image.
EBay and PayPal have also distributed for free to 1 million customers a toolbar with technology from WholeSecurity Inc. that alerts consumers when they go to a suspicious site or receive an e-mail that appears to be phishing. The toolbar flashes red if a user finds himself on a spoofed web page or if incoming e-mail has the characteristics of a phishing e-mail mimicking the eBay or PayPal brand. It flashes green if all appears legitimate, or gray if legitimacy is unclear.
WholeSecurity’s Phish Finder system automatically transmits a message with details of suspected phish e-mails and spoofed web sites to a management console on an eBay back-end server, where risk managers can decide whether to pursue the site operator, says John Ball, product manager at WholeSecurity. They can also forward details of the phish e-mails and spoofed web sites to WholeSecurity’s Phish Reporting Network, where the information is shared with other subscribers, including Microsoft Corp. and Visa.
Other security systems, such as those from Quova Corp. and MaxMind, use geolocation technology to identify where a consumer or suspected e-mail is operating from.
Deployed either separately or as part of risk management systems from companies like eFunds Corp., CyberSource Corp. and Retail Decisions, geolocation can alert a merchant whenever a credit card is being used from a location not typically used by the authentic cardholder, such as a country known for a high rate of online fraud.
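The two checks described above, a purchase amount far outside a customer's usual pattern and a card used from an unfamiliar location, can be sketched as follows. This is an added example, not code from any vendor named in the article; the order history, the `XX` country code, the thresholds and the function names are all constructed for illustration.

```python
from statistics import median

# Constructed history for one customer: (amount in USD, country code).
HISTORY = [(50.0, "US"), (50.0, "US"), (50.0, "US"),
           (48.0, "US"), (52.0, "US"), (50.0, "US")]


def mad_score(amount, past_amounts, floor_ratio=0.05):
    """Robust deviation of `amount` from the customer's usual spend.

    Uses median and median absolute deviation (MAD) rather than mean and
    standard deviation, so one past outlier does not stretch the baseline.
    A customer who always spends about the same amount has a MAD of 0,
    which would divide by zero, so the scale is floored at a fraction of
    the median and at one dollar (both floors are assumed values).
    """
    med = median(past_amounts)
    mad = median([abs(a - med) for a in past_amounts])
    scale = max(1.4826 * mad, floor_ratio * med, 1.0)
    return (amount - med) / scale


def review_reasons(order, history, min_history=5, threshold=6.0):
    """Return the reasons an order should be queued for manual review."""
    amount, country = order
    if len(history) < min_history:
        # Too little data to call anything "unusual"; route to review
        # instead of silently passing or blocking.
        return ["insufficient_history"]
    reasons = []
    if mad_score(amount, [a for a, _ in history]) > threshold:
        reasons.append("amount_anomaly")
    if country not in {c for _, c in history}:
        reasons.append("new_country")
    return reasons


if __name__ == "__main__":
    for order in [(55.0, "US"), (10000.0, "US"), (10000.0, "XX")]:
        print(order, review_reasons(order, HISTORY))
```

The output is a list of reasons rather than a block decision, matching the article's description of flagged orders being placed in a queue for risk staff to review.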
Efforts to overcome phishing and other methods of fraud may never be completely successful, experts say, because the business case (the ease of launching and changing attacks and the size of potential rewards) is too attractive to too many criminals. But there is reason to have hope, Jevans says, particularly as ISPs, retailers and law enforcement agencies cooperate in sharing information and using the latest fraud-prevention tools. “There may never be a complete technological solution, but we can make online fraud a lot harder to do,” he says.
The trick is to never let down your guard, says Schaff of Ice.com. In addition to using technology and active risk management staff to catch phishers wherever they pose a threat, Ice uses Ambrion Software to conduct constant internal tests of its web site firewalls and e-mail filters and also retains an outside auditing firm to conduct manual audits of its security systems. “Criminals are getting more sophisticated, but we, too, can be trend-setters,” Schaff says.
Help from Congress
Of the bills addressing data security and identity theft submitted in the U.S. Congress, those attracting the most attention include legislation introduced this year by Sens. Dianne Feinstein (D-Calif.), Charles Schumer (D-N.Y.) and Bill Nelson (D-Fla.).
Feinstein has introduced the Notification of Risk to Personal Data Act, which requires companies holding consumer data to notify consumers whenever their data has been breached. The bill requires companies to produce a detailed description of data that may have been compromised and imposes a penalty of $1,000 per individual that a company failed to notify, or up to $50,000 per day.
Schumer and Nelson have introduced an identity theft prevention bill, the Comprehensive Identity Theft Prevention Act, that would create an office of identity theft in the Federal Trade Commission, require data providers to register with the FTC, and require additional safeguards to prevent fraudulent access to data.
The bills are in committee awaiting hearings.