The web retailer says it blocks more fraud without cutting off good transactions.
Paul Demery , Managing Editor, B2B E-commerce
With a stronger focus on fighting online fraud, web retailer B&H Photo, Video & Pro Audio has increased the percentage of fraudulent online payment card orders it blocks by about 20%, manager of fraud prevention Sam Lebovits says.
A few years ago, the retailer—which operates a single store in New York City and does most of its sales online at BHPhoto.com—caught only about 80% of criminal attempts to process online orders that turned out to be fraudulent and resulted in chargebacks, Lebovits says. But with tools that help it identify the riskiest transactions and verify good ones, the retailer now catches about 95%, he adds. B&H is No. 192 in Internet Retailer’s 2013 Top 500 Guide.
Chargebacks are payment transactions that credit card companies like Visa and MasterCard reverse, taking the funds from a merchant’s account. Typically this occurs after a legitimate card holder denies making the purchase or claims the products were damaged or otherwise faulty, and the card companies conclude that the merchant was at fault.
Like other online merchants, B&H must constantly balance the need to block the highest number of fraudulent transactions without also blocking many transactions from good customers. Even without completely blocking legitimate transactions suspected of possible fraud, and only routing them to a manual review to verify they’re from an authorized payment cardholder, merchants risk upsetting customers by interrupting their order fulfillment, Lebovits says.
By using risk management tools from both iovation Inc. and Retail Decisions to automatically score a transaction’s risk level before rejecting a transaction or routing it to manual review, B&H has been able to automatically accept a larger percentage of transactions and, in the process, make shopping easier for more of its good customers, Lebovits says. “We’re more comfortable having a greater tolerance level,” he says. “We don’t have to manually challenge so many transactions to see if they’re really legitimate, because we figure the fraudulent ones will be caught by iovation.” For example, instead of automatically accepting all transactions under $50 from U.S.-based IP addresses, it may increase its tolerance level to automatically accept all under $100 from U.S. IP addresses. Even if some of these higher-value transactions show potentially risky behavior like repeated log-in attempts, the retailer may tolerate them if iovation doesn’t flag them as coming from devices associated with prior fraud.
B&H uses Retail Decisions, or ReD, as its overall fraud-screening system to score transaction risk based on such criteria as the level of transaction value, the number of payment transactions a particular credit card account has attempted to process within the past few minutes, and whether the account has been associated with past fraud.
The retailer also uses iovation to score the risk associated with the particular device, such as a desktop computer or smartphone, that someone is using to place an online order. Iovation scores each transaction based on known information about a device’s transaction history, including whether it has been tied to reported fraudulent transactions, and whether an extra device is being used as a proxy to obscure a possibly fraudulent transaction. The company says it compiles such device data by tracking online transactions tied to about 1.5 billion Internet access devices, including desktop computers, laptops, tablets and smartphones, through a global network of online companies and Internet security professionals.
Lebovits notes that criminals often attempt to route fraudulent orders through a separate Internet access device, such as a smartphone, in an attempt to hide the IP address of the computer they’re actually using to place an order. Since the computer a criminal uses to actually place orders may have a known record of fraud, criminals use proxies to escape detection, he adds.
Using iovation’s ReputationManager 360 device identification technology, B&H has been able to increase the number of fraudulent transactions that it either automatically rejects or sends to manual review, Lebovits says. He notes that B&H now detects about 50% of fraudulent transactions with iovation’s technology, with most of the rest detected through its ReD system. Overall, about 5% of fraudulent transactions still may go undetected, and Lebovits says B&H is working to lower that number by scoring transactions with various combinations of risk criteria, such as each transaction’s country of origin, and the volume and frequency of orders tied to a particular account or device.
B&H’s experience in reducing online fraud through device identification or “device fingerprinting” technology is in line with improvements realized by other online companies, according to Andras Cser, principal analyst for security and risk management at Forrester Research Inc. “If a company hasn’t had device fingerprinting and then installs it, it can expect to realize a 25% to 35% reduction in fraud losses,” Cser says.
In recent weeks, iovation has been expanding the capabilities of its device identification system to provide a larger number of combined business rules for detecting patterns of fraud, says Scott Olson, the company’s vice president of product. “We’re allowing customers to combine multiple rules to identify patterns of risky behavior,” he says. For example, a retailer will now be able to use ReputationManager 360 to score as high-risk transactions coming from smartphones in a particular country with a history of high fraud rates, while also identifying transactions that appear to be using smartphones as proxies for desktop computers.
Iovation offers ReputationManager 360 over the Internet in a software-as-a-service model, which lets client companies subscribe to web-hosted software for fees equal to about a few cents per payment transaction, Olson says. Fees can vary based on transaction volume. Olson adds that it can also cost a few thousand dollars to set up the application and integrate it with a client’s e-commerce site, a process that typically takes about two weeks.