23% of e-retail transactions on Thanksgiving and Black Friday came from mobile devices, according to payments security firm ThreatMetrix. However, 15.5% of retailers say ...
Sorting Good from Bad
As online criminals deploy new schemes, e-retailers fight back with new strategies.
Chief Technology Editor
Topics: 41st Parameter, Accertify, Aite Group, Bill Severance, Bodybuilding.com, CyberSource, DataCash, Eric Fishman, Ethoca, Flash, Gilt Groupe, Iovation, Julie Conroy McNelley, Julie Fergerson, Kount, Lexis Nexis, MasterCard, may 2011, Merchant Risk Council, online fraud, Retail Decisions, Steve Rouse, Troy St. Pierre, Verifi, Visa
Things are happening fast at Gilt Groupe Inc., where the excitement behind the invitation-only e-retailer's limited-time sales is attracting enough attention to win over loyal customers and send revenue surging.
Gilt specializes in selling designer fashion apparel through sales that typically last 36 hours, and it has been expanding into online travel and local deals with Jetsetter and Gilt City. Although the privately held company doesn't release sales figures, Internet Retailer estimates the online retailer's 2010 sales grew 150% to $425 million, up from $170 million in 2009.
Like any fast-growing e-retailer, Gilt is likely to attract more attention from criminals seeking to defraud it. Gilt has found a way to quickly respond to suspicious online orders, enabling it to keep a lid on fraud without expanding its fraud-management team, says Bill Severance, controller and chief accounting officer.
"Our business has grown a lot in the past year, but since we've implemented our new fraud management system last fall we haven't had to grow the team reviewing suspicious orders," he says.
Gilt last November replaced its in-house system with the Interceptas fraud-prevention platform from Accertify Inc. Since its deployment, the technology has helped Gilt better identify and quickly respond to suspected criminal activity, such as by automatically blocking orders over a certain dollar value that come from computer devices or accounts with a history of fraudulent activity, or sending them into manual review by staffers, Severance says.
E-retailers like Gilt must contend with criminals who have access to growing amounts of consumer information, much of it provided by consumers themselves on social networks and online forums. In response, technology vendors are introducing a variety of new systems that in many cases combine data from multiple sources to thwart the latest fraud exploits.
"In e-commerce, a lot of criminal activity is not the amateurs trying to get a quick hit like it was years ago," says Julie Conroy McNelley, senior analyst at payment technology research and advisory firm Aite Group. She says most cyber-crime is now conducted by organized groups out to capitalize on the abundance of consumer and transactional information on e-commerce sites and social networks. "Today, we refer to it as Fraud Inc."
Retailers appear to be keeping a lid on fraud losses, but at the cost of turning down more suspicious orders. Fraud losses totaled $2.7 billion last year at e-commerce sites in the U.S. and Canada, including government, education and not-for-profit organizations as well as retailers of consumer products, event tickets and travel services, according to an annual report by CyberSource Corp., a provider of technology to detect and prevent fraud. Those losses represented 0.9% of total sales (for more detail, see page 96). Although those figures were down from 2009, when $3.3 billion in fraud accounted for 1.2% of sales, e-commerce sites rejected more suspicious orders last year, at a rate of 2.7%, up from 2.4%. That suggests e-commerce risk managers are working harder to block criminal activity.
Julie Fergerson, a co-founder of the fraud-fighting organization Merchant Risk Council and vice president of emerging technologies at fraud-prevention technology and services firm Ethoca, says new types of organized online fraud continue to pop up and grow.
For example, she says, a growing trend is what's known as a triangulation scheme. It works like this: A criminal might set up a bogus auction site, advertise popular and expensive products such as $3,000 laser color printers for a sharply reduced price of $2,000, then use a stolen credit card to purchase and ship such products from legitimate e-commerce sites. Unsuspecting customers pay the criminal the $2,000 per order. By the time the legitimate retailers get word that the $3,000 printer sales were fraudulent and the orders have been charged back to their accounts, the crook is long gone with the $2,000 in cash for each order.
Casting a wider net
Retailers are responding by spending more to block fraud. According to Forrester Research Inc., 29% of online retailers plan to invest in payment and web site security systems this year, up from 21% last year. And vendors, seeing the demand, are expanding their tools for stopping fraud and flagging suspicious orders.
McNelley says a number of vendors provide platforms that offer a full suite of such services, either with their own technology or by integrating with others. They include Accertify, CyberSource, Kount Inc., Retail Decisions, LexisNexis and Verifi.
Also of note, she adds, are several recent developments. CyberSource offers a new payment card account database of 60 billion annual card transactions developed with its parent company, Visa Inc., that provides historical account information based on transactions that occur online, in stores and through contact centers. LexisNexis recently launched a hosted retail fraud management system combined with Kount's device identification technology, enabling retailers to risk-score transactions and automatically flow the most suspicious ones to fraud analysts. And Retail Decisions, which operates in 172 countries, has extensive global transaction data that can provide retailers with early warning of new fraud trends emerging around the world.
DataCash, a London-based risk management unit of MasterCard International, recently introduced a risk management software system for the popular Magento open-source e-commerce platform. And Ethoca recently launched two applications for e-retailers: Issuer-Confirmed Fraud Alerts, which provides merchants with real-time alerts from banks about payment card accounts that have been stolen or compromised; and FraudStop, a service that lets merchants contribute and share information about incidents of online fraud with one another as well as with law enforcement agencies.
Risk management firm 41st Parameter Inc. recently patented Time Differential Linking, a security application that detects when a mobile device is being used to make an unusually large number of repeat attempts to access an online account. TDL is deployed as part of 41st Parameter's DeviceInsight application, which helps to compensate for the lack of Flash objects on the iPhone, iPad and other Apple Inc. mobile devices. Flash objects are similar to web site cookies that risk managers can use to track activity on web sites to identify devices associated with fraud, says 41st Parameter chief innovation officer Ori Eisen.