Payment account takeovers force e-retailers to find new ways to tell good shoppers from bad.
One reason e-commerce took off faster in the United States than in other countries is that the vast majority of U.S. consumers have credit and debit cards. That provided an easy way for retailers to accept payment even though they could not physically take cash and did not want to risk billing an unknown customer.
But the growth of online shopping has made it more appealing for criminals to take over the credit and debit card accounts of legitimate consumers: not just steal the card number, but take control of the account so that they can change information in ways that make it easier for them to buy and take possession of valuable merchandise online. For instance, in 44% of the account takeovers in 2010 the criminal changed the cardholder's address, according to Javelin Strategy & Research. By changing the address on the account, a criminal can have items shipped to his own address without a mismatch between billing and shipping addresses raising a red flag to the online retailer.
How serious a problem is account takeover? In 2010, 13% of all fraud victims, or 600,000 people, suffered an account takeover, Javelin says in its 2011 Identity Fraud Survey Report.
Distinguishing good customers from criminals is a challenge every online retailer faces, and one that e-retailers must handle astutely in order to avoid offending honest shoppers. It's not a new challenge, but one that's constantly evolving with changes in technology and customer behavior. For instance, retailers in many cases can't rely on checking the address of a consumer's landline phone as a fraud-fighting measure now that many consumers only use cell phones. On the other hand, retailers are finding new ways to use Internet applications such as Google Maps to tell good transactions from bad.
How it happens
An account takeover often starts with a criminal stealing a credit card statement from a consumer's mailbox, says Phil Blank, managing director of security, risk and fraud at Javelin. From there, the miscreant contacts the card issuer and changes the mailing address. Criminals find that scheme easier than other methods, such as adding their names as registered users to accounts, he says. Online, a criminal might plant malicious software that captures web addresses, user names and passwords.
Dealing with fraud is expensive for e-retailers. For every $100 in fraud, an e-retailer could expect to pay an average of $233 in recovery costs, including penalties paid to financial institutions and the cost of replacing merchandise, according to the LexisNexis 2011 "True Cost of Fraud Study," released in September, which surveyed 1,000 merchants.
Criminals often use e-mail phishing attacks to pry information, such as a user name, password or other pieces of personal information, from recipients. Armed with this information, criminals can take over customer payment card accounts to rob money from them or to make fraudulent purchases at retail web sites, says Avivah Litan, an analyst who specializes in Internet security at technology research and advisory firm Gartner Inc.
Typically, criminals urge consumers to divulge credit and debit card information. The e-mail also may provide a link that, if clicked on, takes the recipient to a web site that looks like a legitimate site, but is actually controlled by criminals, to try to convince unwitting consumers to update their payment account information. Criminals then usually either sell that information to other criminals or use it to conduct fraudulent purchases.
Phishing sites generally try to get as much information as possible, says Julie Fergerson, vice president of emerging technologies at Internet security firm Ethoca Ltd. Criminals hope consumers will reveal not only the credit card number and expiration date, but also the card verification value, or CVV, code printed on the card.
This code, a three- or four-digit number printed on the back of most credit and debit cards (on the front of American Express cards) and separate from the card number, helps verify that the shopper has the physical card in hand. A majority, 60% to 70%, of e-retailers ask for the CVV code, Litan says. Those choosing not to ask for the CVV may do so because their fraud costs are less than what it would cost to implement CVV verification, she says.
The cost of a fraud-prevention system will vary based on the e-retailer's needs, Litan says, with $50,000 annually as an average, but that fee could range from $30,000 to $600,000, or more, depending on the e-retailer. An airline, for example, will have higher fraud-prevention costs than a small e-retailer, she says. Litan says most of her data is from medium to larger e-retailers.
These fraud schemes force e-retail managers like Tim Elam, vice president and chief technology officer at BirthdayDirect.com, an online retailer of party supplies, to continually find new ways to keep ahead of the criminals.
BirthdayDirect.com employs daily scans to ferret out criminal attempts to crack the site and steal sensitive data. Elam's concern is that criminals who get past the site's defenses could plant malware and log transaction data, making it easy for them to capture payment card details and log-in credentials.
The daily scans, combined with a raft of other tools, including software to double-check shipping and billing addresses, firewalls to keep out attacks and intrusion detection programs to look for attacks that made it past the first barrier, all help. For Elam, the peace of mind of the daily site scan is worth it. "It costs money, but in the long run it saves us money," Elam says. "It's another little piece of confidence." He did not disclose the cost of his fraud-prevention programs.
Elam's first line of defense is using his payment gateway's automated address verification service, which checks that the billing address for a credit card supplied by the shopper matches the address on file with the card-issuing bank. Assuming the address matches, and if the shipping address is the same or one that is on file with the bank, the e-retailer's payment service typically approves the transaction with no further review.
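To make the screening logic described above concrete, here is an added example (not BirthdayDirect.com's code, and not any payment gateway's actual API) of a pre-authorization fraud screen that applies the three checks the article mentions: the CVV result, the gateway's AVS result, and whether the ship-to address differs from the billing address. The single-letter AVS and CVV result codes follow the conventions most U.S. processors use, but the exact codes vary by gateway, so treat the code tables as assumptions. Because an address change after an account takeover makes AVS pass, the example also adds a rule the article does not describe: many distinct cards shipping to one address within a short window are routed to manual review. The order data is constructed for the example.

```python
"""Added example: a minimal pre-authorization fraud screen (AVS + CVV + ship-to
checks, plus an assumed ship-to velocity rule). Not the code of any retailer
or gateway named in the article; result-code tables are assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Single-letter AVS result codes as most U.S. processors return them (assumed):
# which parts of the supplied billing address matched the issuer's file.
AVS_FULL = {"Y"}                         # street and ZIP both match
AVS_PARTIAL = {"A", "Z"}                 # street only (A) or ZIP only (Z)
AVS_NO_MATCH = {"N"}
AVS_UNAVAILABLE = {"U", "R", "G", "S"}   # unavailable / retry / non-U.S. / unsupported


@dataclass(frozen=True)
class Order:
    order_id: str
    card_token: str      # gateway token for the card; the raw PAN is never stored here
    avs_result: str
    cvv_result: str      # M = match, N = no match, P = not processed, U = issuer unsupported
    billing_addr: str
    shipping_addr: str
    placed_at: datetime
    amount: float


@dataclass
class Decision:
    action: str                               # "approve", "review" or "decline"
    reasons: list = field(default_factory=list)


def normalize(addr: str) -> str:
    """Crude address canonicalization so 'Elm St.' and 'elm st' compare equal."""
    return " ".join(addr.lower().replace(".", "").replace(",", " ").split())


class FraudScreen:
    def __init__(self, velocity_window=timedelta(days=7), max_cards_per_ship_addr=3):
        self.window = velocity_window
        self.max_cards = max_cards_per_ship_addr
        self._ship_history = defaultdict(list)   # normalized ship addr -> [(placed_at, token)]

    def screen(self, order: Order) -> Decision:
        reasons = []
        decline = False

        # 1. CVV: evidence the buyer holds the physical card; a hard mismatch is decisive.
        if order.cvv_result == "N":
            reasons.append("cvv_no_match")
            decline = True
        elif order.cvv_result in ("P", "U"):
            reasons.append("cvv_not_verified")

        # 2. AVS: billing address vs. the issuer's file. After an account takeover in
        #    which the criminal changed the address on file, this check passes.
        if order.avs_result in AVS_NO_MATCH:
            reasons.append("avs_no_match")
            decline = True
        elif order.avs_result in AVS_PARTIAL:
            reasons.append(f"avs_partial_{order.avs_result}")
        elif order.avs_result in AVS_UNAVAILABLE:
            reasons.append("avs_unavailable")
        elif order.avs_result not in AVS_FULL:
            reasons.append(f"avs_unknown_code_{order.avs_result}")

        # 3. Ship-to differs from billing: manual review instead of auto-approval.
        ship_key = normalize(order.shipping_addr)
        if ship_key != normalize(order.billing_addr):
            reasons.append("ship_to_differs_from_billing")

        # 4. Velocity (assumption of this example, not from the article): count distinct
        #    cards shipped to the same address inside the window, including this order.
        recent = {tok for ts, tok in self._ship_history[ship_key]
                  if order.placed_at - ts <= self.window}
        recent.add(order.card_token)
        if len(recent) > self.max_cards:
            reasons.append(f"ship_addr_velocity_{len(recent)}_cards")
        self._ship_history[ship_key].append((order.placed_at, order.card_token))

        if decline:
            return Decision("decline", reasons)
        return Decision("review" if reasons else "approve", reasons)


# Constructed sample orders (not real transactions).
T0 = datetime(2011, 10, 1, 12, 0)
HOME = "12 Oak St, Springfield, IL 62701"
OTHER = "500 Elm St, Chicago, IL 60601"
SAMPLE_ORDERS = [
    Order("o1", "tok_a", "Y", "M", HOME, HOME, T0, 49.95),                       # clean
    Order("o2", "tok_b", "Y", "M", HOME, OTHER, T0 + timedelta(hours=1), 120.0), # ship-to differs
    Order("o3", "tok_c", "N", "M", HOME, HOME, T0 + timedelta(hours=2), 75.0),   # AVS no match
    Order("o4", "tok_d", "Y", "N", HOME, HOME, T0 + timedelta(hours=3), 75.0),   # CVV no match
    Order("o5", "tok_e", "Y", "M", OTHER, OTHER, T0 + timedelta(days=1), 60.0),
    Order("o6", "tok_f", "Y", "M", OTHER, OTHER, T0 + timedelta(days=1, hours=1), 60.0),
    Order("o7", "tok_g", "Y", "M", OTHER, OTHER, T0 + timedelta(days=1, hours=2), 60.0),
]


def run_screen(orders=SAMPLE_ORDERS, **kwargs):
    """Screen orders in chronological order; returns {order_id: Decision}."""
    screen = FraudScreen(**kwargs)
    return {o.order_id: screen.screen(o) for o in orders}


if __name__ == "__main__":
    for oid, d in run_screen().items():
        print(oid, d.action, d.reasons)
```

With the default seven-day window, the fourth distinct card shipped to the Chicago address (order o7) is routed to review even though its AVS and CVV results are clean; the review queue, not the gateway, is where a shipped-to-the-criminal order from a taken-over account can still be caught.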