The short security code is not stored on the card’s magnetic stripe, so it can’t be acquired by skimming, a technique crooks use to capture card data at checkout counters or at ATMs. Entering the code is therefore meant to prove that the consumer has the card in hand, and not just a number that can be obtained by swiping a card through an inexpensive magnetic stripe reader.
Some merchants have expressed concern that asking customers to complete another step during checkout could lead to cart abandonment, but Archuleta says that’s not his experience. Today, about 40% to 50% of card-not-present merchants capture the security code, estimates payment consultant Steve Mott of the firm BetterBuyDesign.
Musician’s Hut also cross-checks the billing address of the credit card with the address on file at the issuing bank. “We will only ship on a full match,” he says.
And, the retailer treats international orders with extra caution. “Banks overseas don’t go through the same verification procedures as those in the U.S.,” says Archuleta.
Indeed, the rate of fraud associated with international orders was more than two-and-a-half times as high as on domestic orders for U.S. and Canadian e-retailers last year, according to CyberSource.
And so, Musician’s Hut requires that international customers provide copies of the front and back of two forms of government-issued ID and their signature. “If they go to that much trouble, they are likely not going to scam us,” Archuleta says.
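The screening routine described above (capture the security code, ship only on a full address match, hold international orders until two forms of ID and a signature arrive) can be written down as a small rules engine. The following is an added illustration, not code from Musician’s Hut or any payment processor; the result codes, the `HOME_COUNTRY` setting, the decline-versus-review policy and the sample orders are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed result codes standing in for a gateway's CVV/AVS responses;
# real gateways return their own response letters.
HOME_COUNTRY = "US"  # assumed home market of the merchant


@dataclass
class Order:
    order_id: str
    billing_country: str      # ISO country code of the card's billing address
    cvv_result: str           # "match", "no_match" or "not_provided"
    avs_result: str           # "full", "partial" or "no_match"
    id_documents: int = 0     # government-issued IDs supplied (front and back)
    signature: bool = False   # signed form supplied with the IDs


def screen_order(order: Order) -> Tuple[str, List[str]]:
    """Return (decision, reasons); decision is 'ship', 'manual_review' or 'decline'."""
    reasons: List[str] = []
    hard_fail = False
    # Security code: proves the buyer holds the card, not just skimmed stripe data.
    if order.cvv_result == "no_match":
        reasons.append("security code does not match")
        hard_fail = True
    elif order.cvv_result != "match":
        reasons.append("security code not captured")
    # Address verification: release only on a full billing-address match.
    if order.avs_result == "no_match":
        reasons.append("billing address does not match issuer record")
        hard_fail = True
    elif order.avs_result != "full":
        reasons.append("billing address only partially matches")
    # International orders: hold until two IDs and a signature are on file.
    if order.billing_country != HOME_COUNTRY:
        if order.id_documents < 2 or not order.signature:
            reasons.append("international order missing two IDs and signature")
    if hard_fail:          # assumed policy: an outright mismatch is declined
        return "decline", reasons
    if reasons:            # anything short of a clean pass goes to a human
        return "manual_review", reasons
    return "ship", reasons


# Constructed sample orders for a stand-alone run.
SAMPLE_ORDERS = [
    Order("A1", "US", "match", "full"),
    Order("A2", "US", "match", "partial"),
    Order("A3", "CA", "match", "full"),
    Order("A4", "CA", "match", "full", id_documents=2, signature=True),
    Order("A5", "US", "no_match", "full"),
]

if __name__ == "__main__":
    for o in SAMPLE_ORDERS:
        decision, why = screen_order(o)
        print(o.order_id, decision, "; ".join(why))
```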
While Archuleta says it takes time to manually review suspicious orders and place follow-up calls, he notes an added bonus: the opportunity to build a relationship with the customer.
“There’s a big difference between a conversation that starts with ‘Hi, we’d like to know why you’re stealing from us,’ and ‘Hi, we’d like to talk with you about your order,’” Archuleta says. “When we’re on the phone validating with someone we try to make them feel as comfortable as possible. Any contact with a customer can be positive contact.”
But for the purposes of preventing fraud, savvy retailers should ask some questions that a thief might find hard to answer, says Ori Eisen, founder and chief innovation officer at 41st Parameter, a company that specializes in detecting and preventing online fraud. That could include asking, “What are your nearest cross streets?” “If the person lives there, that’s something he should easily know,” Eisen says. “You’ll know right away if he starts to fumble.”
For every safeguard retailers deploy, crooks probe for ways to defeat it.
“We had a compromised card from Miami, and the fraudster had the cardholder’s Social Security number,” says Levy. Having such personal information can make it easier for a thief to call the card issuer and change the billing address to match a shipping address where he can safely receive merchandise.
And crooks are going after systems set up by major card networks specifically to address online fraud, Verified by Visa and MasterCard SecureCode. In both systems, a cardholder who registers chooses a password to enter when making an online transaction, adding another layer of security. Levy says he encountered one crook who had nabbed a consumer’s Verified by Visa code, enabling him to thwart the security system.
Where do the crooks get such confidential data? Levy points to phishing attacks, fake e-mails disguised as messages from a bank or financial institution in an attempt to get consumers to reveal personal data. They are especially effective in fooling older consumers, Levy says.
But, with many consumers now educated about standard phishing attacks, crooks have learned to personalize their e-mails to make them seem more authentic, a technique called spear phishing that is aimed at defrauding wealthy individuals, says Joey Peloquin, a senior security consultant in the software division of technology provider Hewlett-Packard Co.
A con artist may call an executive’s secretary seeking to pry out some personal information, or scour Securities and Exchange Commission filings of the target’s company.
“It’s evolved into a highly effective tactic this year and last year,” Peloquin says. “They will find out, Joey has an account with Fidelity and does his banking with Washington Mutual. They will even see what membership organizations a CEO belongs to, that he owns a Porsche and that he is a member of a Porsche organization.” The crooks then use that information to try to extract financial data from the target with personalized e-mails.
Beyond spotting loopholes, scammers also are discovering ways to look more legit.
Crooks have for years used IP spoofing, in which a criminal in a country with a high fraud rate, such as Nigeria, disguises the location of his device so that it appears to the online retailer that the visitor is coming from a safer area.
That has more recently been extended to make use of Internet-based phone systems. Crooks use Voice Over Internet Protocol systems to obtain phone numbers with area codes that match a stolen card’s billing address, says Mike Long, vice president and chief product strategist at Accertify. VoIP systems often let users choose their own numbers, Long says.
And the criminal element has always been among the leaders in social networking, with underground hacking web sites swimming with tips about the easiest retailers to con. “They will say that such and such merchant doesn’t use address verification or doesn’t capture the CVV code,” Long says.
With word of vulnerabilities spreading at Internet speed, online retailers can ill afford to become the talk of the town in Hackersville.