When it comes to protecting their web sites from hackers and data thieves, e-retailers have their hands full. They can't rest because criminals regularly turn to increasingly sophisticated schemes to defeat retailers' security systems.
For proof, consider one of the latest plots being used by fraud rings. The fraud ring first poses as an affiliate site that funnels transactions made with stolen credit cards to the retailer. It then pockets the affiliate commissions retailers pay for the new traffic. Meanwhile, other criminals are launching denial-of-service attacks seeking a profit. They bombard a retailer's site with traffic to render the site inaccessible to legitimate consumers, then demand money from retailers to stop, or use the attack to distract a retailer's information technology department while they plant a worm on the retailer's server. Once the worm has been planted, it captures customer data at checkout that can later be used to steal consumers' identities.
What's more, e-retailers may soon have to contend with a new wave of fraud as banks in the United States convert to issuing credit and debit cards with chips in them. The consumer must enter a PIN, which the card's chip recognizes, making these so-called EMV cards less vulnerable to fraud at store checkout counters. In Europe and other regions where banks have migrated to chip cards, criminals—effectively prevented from committing fraud by copying the magnetic stripes of payment cards—have shifted their focus to defrauding online retailers. That's why experts predict criminals currently targeting bricks-and-mortar retailers will move their business online in droves in coming years as this transition takes place in the United States.
While there are threats galore, there are also safeguards that online retailers can put in place to avoid criminal attacks and minimize fraud. Implementing these technologies can also boost sales and customer satisfaction by reducing the number of good transactions flagged as suspect, the frequency of successful frauds that force consumers to complain and banks to issue chargebacks, and by generally making customers feel more secure when transacting online.
Understanding the symptoms
"Retailers may have the resources needed to tackle fraud and secure their sites, but their expertise does not lie in these areas," says Don Bush, vice president of marketing for Kount Inc., a provider of fraud and risk-management solutions. "In the case of fraud, there are a lot of symptoms that retailers don't recognize, such as high return rates despite low chargeback rates, that suggest there is a fraud problem."
For example, one scheme multichannel retailers may fail to catch is when a criminal purchases an item online with a stolen credit card, picks it up in a store and, within a day, returns it for a cash refund or gift card. He then can purchase another item that can quickly be sold for cash or sell the gift card itself.
"Fraud prevention is a management issue because it impacts sales and revenue, and retailers that approach it from that perspective are going to have a fuller understanding of how fraud impacts their business and what they can do to correct the problem," Bush says.
One of the biggest pain points for e-retailers when it comes to fraud prevention is manual review of suspect transactions. Surveys suggest e-retailers on average manually review about 25% of their total transactions. In some cases, however, that figure can exceed one-third of all transactions. Manually inspecting that many transactions for telltale signs of fraud requires an army of fraud analysts, each of whom must decide within seconds whether to approve a transaction.
"More than half of a retailer's fraud budget is for fraud analysts that review transactions, which makes manual reviews a costly proposition," says Greg Wooten, chief executive officer for SecureBuy, a SignatureLink company and provider of dynamic fraud detection applications.
The cost of manual reviews extends beyond the salaries of the fraud analysts, he says. Each review carries risk of its own. For instance, if a retailer places an impatient customer's legitimate order under review, he might abandon his shopping cart, or, if a retailer has stringent rules, its analysts might end up denying legitimate transactions.
To rectify the problem, Wooten recommends e-retailers ask a customer a validation question at checkout for high-risk transactions. SecureBuy makes this possible by linking e-retailers with credit card issuers through the Visa and MasterCard networks by way of a risk-based deployment of 3D Secure processing, an XML-based protocol that adds a layer of security for online credit and debit card transactions.
SecureBuy has reengineered the 3D Secure process to prompt high-risk shoppers with a security question, without creating a pop-up window. Instead, at checkout the security question appears in the shopping cart, typically below the cardholder's credit card information. When the correct answer is provided, the consumer continues the checkout process without the need for manual review. The entire process takes place in seconds, and the retailer also gets a discount on its interchange fees. For the 40% of issuing banks not using the 3D Secure protocol, approval is granted automatically by the card brand.
"As executive assistant director of the FBI, I saw mobile and e-commerce payment fraud skyrocket, costing the economy billions of dollars every year," says Shawn Henry, a member of SecureBuy's board of directors and president of security firm CrowdStrike Inc. "One of the key ways to substantially reduce fraud is the ability to identify the criminal and/or their actions before the crime is committed. Utilizing risk-based passive and active authentication, captured signatures, certified sales receipts, and true chain of custody, SecureBuy takes this concept to an unprecedented level. This is game-changing technology for securing online commerce."
Matching IP addresses
Retailers, however, should not limit themselves to just one form of fraud detection because criminals are adept at portraying themselves as legitimate customers.
Fraud rings often use proxy servers to hide the fact that they are operating from countries where online fraud gangs are based. Many have recently added a new twist to the scheme: choosing a proxy whose IP address geolocates to the city or state where the stolen credit card was issued, rather than relying on a single IP address from a country that is not likely to raise a red flag.
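To make the two ideas above concrete, the risk-based step-up described in the SecureBuy section and the IP-to-issuer-location check described here, the following is an added example written for this article; it is not SecureBuy's, Kount's or any card network's code. It scores a checkout from a handful of signals a retailer can see at order time (IP region versus card-issuer region, a known-proxy flag, order value, card velocity) and routes each order to automatic approval, a step-up validation question, or manual review. The point the proxy-matching twist makes is built in: a geo match that arrives through a known proxy earns no trust. All signal names, weights, thresholds and sample orders are constructed assumptions for illustration.

```python
"""Risk-based checkout routing: approve, challenge, or send to manual review.

Added illustration, not vendor code. Weights and thresholds are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass(frozen=True)
class Checkout:
    order_id: str
    amount_usd: float
    ip_region: str           # region geolocated from the client IP, e.g. "US-TX"
    issuer_region: str       # region of the card-issuing bank / billing address
    ip_is_known_proxy: bool  # client IP appears on a proxy or hosting-range list
    orders_last_24h: int     # prior orders on the same card in the last day


APPROVE, CHALLENGE, REVIEW = "approve", "challenge", "review"

# Illustrative weights (assumed, not from the article)
W_GEO_MISMATCH = 30
W_KNOWN_PROXY = 40
W_HIGH_VALUE = 20
W_VELOCITY = 25
HIGH_VALUE_USD = 500.0
VELOCITY_LIMIT = 3

# Illustrative routing thresholds (assumed)
REVIEW_AT = 70
CHALLENGE_AT = 30


def risk_score(tx: Checkout) -> int:
    """Combine independent signals into a single additive score."""
    score = 0
    if tx.ip_region != tx.issuer_region:
        score += W_GEO_MISMATCH
    if tx.ip_is_known_proxy:
        # A proxy that happens to geolocate to the issuer's region is still a
        # proxy: the geo match by itself is not evidence of a real customer.
        score += W_KNOWN_PROXY
    if tx.amount_usd > HIGH_VALUE_USD:
        score += W_HIGH_VALUE
    if tx.orders_last_24h >= VELOCITY_LIMIT:
        score += W_VELOCITY
    return score


def route(tx: Checkout) -> str:
    """Low risk flows through; medium risk gets a validation question
    instead of an analyst; only high risk goes to manual review."""
    score = risk_score(tx)
    if score >= REVIEW_AT:
        return REVIEW
    if score >= CHALLENGE_AT:
        return CHALLENGE
    return APPROVE


def resolve_challenge(tx: Checkout, answer_correct: bool) -> str:
    """After a step-up question: a correct answer continues checkout without
    manual review; a wrong one escalates to an analyst."""
    if route(tx) != CHALLENGE:
        raise ValueError(f"{tx.order_id} was not routed to a challenge")
    return APPROVE if answer_correct else REVIEW


def route_all(txs: Iterable[Checkout]) -> Dict[str, str]:
    return {tx.order_id: route(tx) for tx in txs}


def review_rate(txs: Iterable[Checkout]) -> float:
    """Share of orders that still need a human; the cost the article describes."""
    decisions = list(route_all(txs).values())
    return decisions.count(REVIEW) / len(decisions) if decisions else 0.0


# Constructed sample orders (not real data)
SAMPLE = [
    Checkout("A-1", 80.00, "US-TX", "US-TX", False, 0),   # clean domestic order
    Checkout("B-2", 650.00, "US-CA", "US-TX", False, 0),  # geo mismatch + high value
    Checkout("C-3", 120.00, "US-TX", "US-TX", True, 3),   # geo matches, but via proxy
    Checkout("D-4", 900.00, "US-TX", "US-TX", True, 3),   # matched proxy, value, velocity
]

if __name__ == "__main__":
    for order_id, decision in route_all(SAMPLE).items():
        print(order_id, decision)
    print(f"manual review rate: {review_rate(SAMPLE):.0%}")
```

Order C-3 is the case the last paragraph warns about: its IP geolocates to the issuer's state, so a geo-only check would pass it, but the proxy and velocity signals still push it to a step-up question rather than silent approval.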