The never-ending battle against online fraud generates an ever-growing technology arsenal
By Andrea McKenna Findlay
How high is credit card fraud on the Internet? The card companies say one thing and the payments processors and merchants say another. But one thing both agree on: It urgently needs to be stopped.
Visa U.S.A. reports that overall fraud amounts to 8 cents per $100 in charge volume and that card-not-present fraud—so far, mostly catalog and mail-order sales which still outstrip Internet sales—is as high as 16 cents per $100 in sales. What’s the Internet rate? Could be as much as 24 cents per $100, Visa says.
Could be higher, say others. “It’s true that online fraud is greater than offline fraud,” says Jeff King, director of product management at payments processor CyberSource Corp. “The payment associations say online fraud is three or four times higher than offline fraud but our merchant customers say it’s more like 10 times higher.”
Whatever the rate, online merchants are acutely interested in the fraud rate because they bear the brunt of fraudulent transactions. In the offline world, the credit card companies and merchants have 50 years of dealing with fraudulent transactions and more than 15 years of electronic authorization and capture of transactions to help them keep the fraud artists in check. Banks and credit card companies have gotten sophisticated in protecting themselves from offline fraud and merchants have devised many methods for making sure that the card issuers don’t push the fraud chargebacks onto the merchants.
But it’s a different world online where many of the rules are still being written and procedures put in place, criminals are still devising new ways of ripping off merchandise and merchants are carrying almost all the liability. “It’s really a challenge to keep up with fraud online,” says Greg Keene, chief technology officer of Qsent Inc., a provider of databases to fight fraud. “Online fraud happens even faster than offline because crooks are more anonymous and they have access to more technology with the web as a platform.”
Easing the pain
But where there’s pain, there is relief. A number of payments processors, spotting the pain of retailers, have come up with solutions to fight online fraud. Some of them are extensions with a web-twist of what’s available in the real world and some of them wouldn’t exist without the web.
Among the innovations:
• Neural networks, well known in the offline world, have been adapted to the high speed that the Internet makes possible for fraud,
• Online address and phone authentication services are now using information no more than 24 hours old,
• Identifying IP addresses tells merchants almost instantly where an online transaction is originating, so that location can be compared with the shipping address or cardholder billing address, and whether an order is coming from a high-risk country,
• Cardholder authentication systems from the payment associations, their bank members and certified processors ask for passwords, similar to what consumers are accustomed to entering at an ATM.
Experts say online fraud is not a whole lot different from offline fraud, but that technology has made it move faster. “Some of the new fraud is really the old fraud in a new way,” says Wesley Wilhelm, director of risk management and consulting for HNC Software Inc.
For instance, stolen numbers and counterfeit cards are now used both offline and online and rings of international thieves are hitting web sites as well as stores. But fraudsters have an edge today because they can use web-based information technology—open to anyone with a browser and an Internet connection—to learn the legitimate addresses and phone numbers for stolen cards, Wilhelm notes. They need such data to complete online purchases.
Neural networks, long used in the offline world, are key to flagging such fraudulent transactions on the web. Neural networks identify patterns in credit card transactions, customer histories and order histories, among other details. What makes web applications of neural networks different is that web products update information in real time. Offline neural networks are bogged down by the typical 30- to 90-day delay before the fraud is first noticed in the billing cycle and the time it takes the banks and merchants to investigate the transactions. Online neural networks are trained to flag transactions based on suspicious information provided during the checkout process, such as address, IP, names, locations as well as card numbers. Much of that information is not available at a store’s point of sale.
“We’re getting a broader and broader picture of the fraud data as well as non-fraud data so merchants can see the difference,” Wilhelm says. “We’ve got transactions from all segments of the ‘Net and today it’s a more realistic picture of what’s going on.”
HNC’s e-Falcon software is used by 1,500 merchants online, Wilhelm says. HNC has fraud models for computers, electronics, gift certificates and general merchandise and can develop segment-specific models for retailers customized to show fraud trends for whatever the retailer sells.
Understanding fraud patterns can help merchants with cost analysis by allowing them to ease up on business rules that may be keeping them from making sales. For example, a merchant who decides never to accept non-US transactions may be missing out on global sales. “It could be that only a small percentage of non-US transactions are fraud, which means maybe 90% of those transactions are good,” Wilhelm says. “When you can catch that small percentage of fraud, you’ve just increased your sales.”
Offline vs. online
Mountain View, Calif.-based CyberSource, a major processor of online transactions, this month will launch a neural network product called the Advanced Fraud Detection Service. The service will access Visa International’s Virtual Intelligent Risk Technology which will allow the processor to compare Visa’s offline and online transaction databases to determine fraud patterns. The CyberSource product is able to react in real time by connecting to the Visa VIRT system, instead of waiting the 30 to 90 days for a fraudulent transaction to appear on a cardholder’s account. “The reason it’s important to have online and offline data is because fraud trends change so quickly on the Internet,” King says. “Real-world buyer behavior is static and bad guys are very sophisticated. They adapt to stay ahead of the trends. Having offline data allows us to validate more transactions against the norm.”
Another fraud-busting method that has moved from offline to online is address and phone number verification. Many online retailers already are familiar with checking to see if phone numbers and addresses correspond with billing and shipping addresses. But new technologies, such as Qsent’s iQ411, are giving retailers more streamlined options to do so. The Portland, Ore.-based company last year launched its iQ411 product, the first licensed web-based directory information listing service which allows merchants to input a phone number and get back a name and address to verify orders.
The service streamlines what today is a cumbersome and expensive process of checking suspicious transactions with telephone company directory assistance, Keene says. Keene stresses that the information is updated nightly, not a small consideration given that the Baby Bells update as many as 500,000 records every day. “Our information is 98% accurate because it comes from an updated source,” Keene says. Qsent built its system based on relationships established with all the former Baby Bell companies, which provide access to 140 million records.
Keene says checking numbers takes two-tenths of a second, which does not slow down online checkout. Retailers must input code so a retail system can connect with the iQ411 system while a transaction takes place. That coding takes only a few hours to complete, he says. Address verifications start at 42 cents and fall with volume, Keene says.
Hang up the phone
The Sharper Image, which sells on the web, through catalogs and in stores, says it has saved $1,000 a month just in directory assistance fees since it installed the iQ411 system last summer—and that’s not counting the time it took staffers to obtain the information, says Paul Towey, senior manager of operations. Sharper Image, which has had its fraud rules in place for about 15 years with its catalog business, checks transactions above a certain amount.
Towey says it’s difficult to tell by how much fraud has been reduced, but the savings in reduced directory assistance bills is obvious.
Using the Internet to verify cardholders’ home addresses isn’t the only way the web is verifying addresses. ClearCommerce Corp. last year rolled out an updated version of its GeoLocator product that identifies the IP address of the customer placing the order. The IP address identifies the server where the order originates. Once the server is identified, its location can be matched against the address of the person placing the order. ClearCommerce says the service will flag mis-matches; that is, if the server is in Argentina and the customer’s cardholder address puts him in Missouri. Further, it can identify servers in high-fraud countries and give the merchant the option of accepting or rejecting the order.
One particularly devastating example of international fraud that might have been detected if the IP address could have been identified was responsible in part for doing in Flooz.com, the online currency company. CEO Robert Levitan says Flooz, which was having money and funding problems to begin with, was forced out of business after it was hit by $300,000 in chargebacks from a Russian crime ring using stolen credit cards to buy Flooz. Levitan says the crooks ordered Flooz in increments just under $100, the amount the company flagged for scrutiny to prevent fraud.
“Our new product is one more bullet in the gun to help prevent this kind of international fraud,” says Julie Fergerson, vice president of emerging technologies at ClearCommerce. ClearCommerce’s FraudAnalyzer neural network generates risk scores for online transactions from a database of online transactions at 40,000 merchants. From that, it identifies and ranks the relative risk of accepting orders from various countries. It has found that the top ten fraud countries account for more than a third of international online fraud (see box) while generating less than 5% of international orders.
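As an added illustration (not from the article or from any vendor named in it), the following Python example combines the IP-versus-billing-country check described above with a check for bursts of orders sized just under a fixed review amount, the pattern in the Flooz account. The field names, the $10 band, the 24-hour window, the cluster size and the country code "ZZ" are assumptions, and the orders are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

REVIEW_THRESHOLD = 100.00      # fixed amount above which orders get manual review
NEAR_BAND = 10.00              # assumption: "just under" means within $10 below it
WINDOW = timedelta(hours=24)   # assumption: clustering look-back window
MIN_CLUSTER = 3                # assumption: near-threshold orders needed to flag
HIGH_RISK = {"ZZ"}             # placeholder code, not a real country risk list

def t(hhmm):
    return datetime.strptime("2001-08-01 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed sample orders. ip_country and ip_block are assumed to come from
# whatever IP geolocation lookup the merchant already runs at checkout.
ORDERS = [
    {"id": "A1", "time": t("09:00"), "amount": 99.00, "bill": "US", "ip_country": "ZZ", "ip_block": "203.0.113.0/24"},
    {"id": "A2", "time": t("09:20"), "amount": 98.50, "bill": "US", "ip_country": "ZZ", "ip_block": "203.0.113.0/24"},
    {"id": "A3", "time": t("10:05"), "amount": 99.95, "bill": "US", "ip_country": "ZZ", "ip_block": "203.0.113.0/24"},
    {"id": "B1", "time": t("11:00"), "amount": 95.00, "bill": "US", "ip_country": "US", "ip_block": "198.51.100.0/24"},
    {"id": "C1", "time": t("12:00"), "amount": 250.00, "bill": "US", "ip_country": "CA", "ip_block": "192.0.2.0/24"},
]

def near_threshold(amount):
    return REVIEW_THRESHOLD - NEAR_BAND <= amount < REVIEW_THRESHOLD

def review_queue(orders):
    """Return {order_id: [reasons]} for orders that deserve a human look."""
    reasons, by_source, bursty = defaultdict(list), defaultdict(list), set()
    for o in orders:
        if o["amount"] >= REVIEW_THRESHOLD:
            reasons[o["id"]].append("over_threshold")
        if o["ip_country"] != o["bill"]:
            reasons[o["id"]].append("geo_mismatch")
        if o["ip_country"] in HIGH_RISK:
            reasons[o["id"]].append("high_risk_country")
        if near_threshold(o["amount"]):
            by_source[o["ip_block"]].append(o)
    # A fixed threshold alone misses a burst of orders sized to sit just under
    # it, so also flag sources with several such orders inside one window.
    for group in by_source.values():
        group.sort(key=lambda o: o["time"])
        for i, first in enumerate(group):
            burst = [o for o in group[i:] if o["time"] - first["time"] <= WINDOW]
            if len(burst) >= MIN_CLUSTER:
                bursty.update(o["id"] for o in burst)
    for oid in sorted(bursty):
        reasons[oid].append("under_threshold_burst")
    return dict(reasons)
```

The single $95 order from a matching country (B1) is left alone, which keeps the rule from blocking ordinary sales that happen to fall near the review amount.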
Who is that person?
ClearCommerce also identifies the 10 lowest-risk countries. Retailers who routinely block all international orders for fear of fraud may be missing out on global sales that otherwise would be good sales, Fergerson says.
One of the most vexing problems of online card payment for merchants has been merchants’ inability to do anything themselves to verify the identity of the customer. In the store, at least, clerks can check the signature and observe the behavior of the customer. Plans to distribute smart cards to consumers or to get consumers to install small peripheral card readers on their computers have gone nowhere because most consumers don’t see a compelling value to the new technology.
So the card companies are trying to adapt real-world procedures to the online world. Last year, Visa introduced its Verified by Visa Payer Authorization Service, which allows cardholders to choose passwords for online purchases. Merchants who participate in the Verified by Visa program download software to trigger a password box at checkout. If the cardholder correctly enters the password, the transaction proceeds and the merchant is relieved of risk. If a cardholder forgets the password, the payment processor prompts her with a clue. If she still can’t enter the password, the transaction will not be complete.
While merchants worry about adding a step that could alienate customers while they’re checking out, Visa says 66% of consumers it surveyed last November said this new system is worth doing if it protects their credit card information online. They also said they would not view the password prompt as a hassle at checkout because they already use passwords for security in other parts of their lives.
Visa says this is the first system that alleviates merchants of the risk of accepting transactions. Other card-association initiatives have required actions such as asking the cardholder for the card verification number on the back of the card. The thinking was that knowing the number would indicate that the cardholder had the card in hand and was not using just a stolen number. But while that may have prevented some fraudulent transactions from taking place, it had the dual problems of introducing another inconvenient step for the customer and still leaving the merchant liable for the transaction. “Those things are great but those tools are all geared to help the merchant help themselves,” says Jim McCarthy, senior vice president of the eVisa group. “They do nothing to alleviate risk; they only mitigate it. Verified by Visa is the first thing that helps reduce fraud on the Internet.”
McCarthy says the password shifts more liability to card-issuing banks. “The process represents signing the receipt at the point of sale,” McCarthy says. “If it’s authorized then it can’t be charged back. We’re not trying to move the fraud around. We’re trying to drive transaction disputes out of the equation.”
McCarthy says Visa hopes to reduce chargebacks to at least the level of direct mail’s 14 to 18 basis points.
Safety = sales
CDNow.com, online seller of music and videos, last October became one of the first merchants to try the Verified by Visa program. So far, it is pleased with the results and customer acceptance of the system. “We saw the program as a great idea for two reasons: it helps consumers feel more comfortable about using their card online and it helps us reduce chargebacks,” says Samantha Liss, vice president of marketing and promotions, whose group handles the Visa relationship. She says the software was not onerous to install and the process is seamless to the consumer. “They know they have a VPAS card so the process doesn’t slow them down,” she says. Visa says the program is too new to track the number of transactions using the system.
Visa is promoting Verified by Visa to consumers with print, online and television advertising, while participating banks also are marketing it to their cardholders. CDNow, for one, expects to acquire additional customers once the marketing campaign gets underway. And, Liss says, CDNow expects those customers to be more likely buyers than other prospects because Verified by Visa will alleviate their fraud fears.
The choices available to fight fraud are myriad and each merchant needs to understand its own problems and culture before choosing one, analysts say. The decision, they add, rests not just on technological solutions. “The three things merchants should balance are using technology to reduce fraud, increase sales by making smarter risk management decisions and automating some of those processes so they don’t need a roomful of people to check up on fraud,” says HNC’s Wilhelm.
Using different components in a risk management system is key, says Mikael Hook, lead analyst for Internet payments and billing technology at Current Analysis, a Virginia-based company that evaluates products and market developments. He says every merchant should include the human component in conjunction with fraud-fighting technologies. “Technology can flag fraud but human review can check and even save orders,” Hook says.
Wilhelm also stresses the importance of cost-benefit analysis in developing a risk-management strategy. Merchants must assess their own level of fraud, the potential for fraud based on the fraud history for the products they sell and how much they can afford to spend in time and money.
Even with all the new technologies, the fight against online fraud is far from over. And if the real world is a guide—and it surely is in this case—fraud will always be with us. But technology is a good first step because it can help eliminate some of the facelessness of online transactions. Says Qsent’s Keene: “Anything retailers can use to make buying online less anonymous will help them reduce fraud.”
andrea@verticalwebmedia.com