Criminals are getting more technologically sophisticated, but retailers are far from being outgunned.
Just as e-retailers are pushing the technological sophistication of their sites to new heights to enhance the shopping experience, criminals are taking advantage of the latest web technologies to defraud e-retailers. From spoofing web sites to gather customer account data, to generating phony IP addresses for the computer used to make the transaction, to running applications that can crack the algorithms used to load value on gift cards, criminals are more technologically advanced than ever.
As a result, retailers of large-ticket items such as computers, electronics and jewelry are actively being targeted by criminals. Such retailers are targets for two reasons: Reselling big-ticket merchandise can net the dollars needed to fund other criminal activity, such as drug trafficking. And big-ticket buys mean fewer fraudulent purchases are needed, which in turn reduces the risk of a criminal’s transaction patterns quickly being identified.
Fraud losses going up
Since 2000, fraud as a percentage of online sales in the United States has declined steadily, while fraud losses measured in dollars are up significantly. Through the first half of 2007, e-retail dollars lost to fraud were up 36% over the same period a year ago, according to Carl Clump, CEO of Retail Decisions Plc., which provides fraud prevention services to e-retailers. Driving the trend, Clump adds, is that many of the most anticipated high-ticket consumer products, such as the iPhone, are first introduced in the U.S.
“Fraud is part of organized crime and usually provides the funding for other types of crime,” Clump says. “Many of the tools criminals use to conduct fraud against e-retailers are as technologically sophisticated as the latest applications running on the retailer’s site.”
One of the most sophisticated scams is identity theft through the Internet. Web technology has made it easy for criminals to spoof web sites from financial services companies and e-retailers that include mechanisms for gathering personal information about consumers, including credit card account data. A stolen identity can be purchased for as little as $6, according to Jon Karl, founder and vice president of business development for Iovation Inc., provider of fraud management and customer authentication applications.
Once in possession of a stolen identity, criminals can beat most, if not all, the fraud detection solutions based on authenticating the identity of the shopper.
“Every day it is getting easier to spoof web sites and obtain high quality consumer identities,” Karl says. “A quality stolen identity can get fraudsters around most of the fraud controls used by e-retailers, because they are based on authenticating the customer.”
Cloaking their locations
Criminals have also become adept at altering the IP address on their computers to make it look as though they are initiating a purchase from the same country in which the credit card being used for payment was issued. Matching the country of origin for the IP address to that of the credit card, a practice known as geolocating, is a common fraud prevention measure among e-retailers.
“Criminals can use a virtual private network to sync up their IP address to the origin of the card so the transaction looks legitimate from that aspect,” explains Karl. “Retailers will usually question a transaction where the IP address of the customer does not match the origin of the card.”
Using a virtual private network to access a retailer’s web site enables criminals to enter the site through an Internet service provider in any country. “Credentials for accessing VPNs are regularly stolen and shared among criminals,” Karl adds.
Spoofing is not the only sophisticated application in a criminal’s bag of technological tricks. Criminals are increasingly using applications that can crack the algorithms used to load value onto gift cards. During the 2006 holiday shopping season, 27% of attempted gift card transactions were fraudulent, according to Retail Decisions. On Christmas Day 2006, when gift card redemption is exceptionally high, gift-card fraud accounted for 5% of e-retailers’ transactions.
“Gift cards are becoming one of the most fraud prone products, especially during the holiday season because of their popularity at that time of year,” Clump says. “It has become increasingly easy to load value on gift cards and get the transactions approved.”
The technological sophistication of criminals leaves little doubt that e-retailers can no longer effectively combat fraud using home-grown applications. Nor can they afford to continue passing fraud losses on to customers through higher prices, as comparison shopping sites are making it easier for shoppers to quickly locate the best price on an item.
“A lot of e-retailers regard fraud as the cost of doing business and will install home-grown fraud prevention applications on the cheap,” says Clump. “Taking that approach provides a false sense of security. Home-grown applications only see a limited universe of the scams being perpetrated, not the scams being run across multiple merchant categories or in other countries.”
Having a broader view of fraud is essential because criminals rotate scams by country, merchant segment and even over time, retiring a scam for several months or a year before reactivating it.
“Fraudsters targeting higher value items are very careful not to create any pattern that can tip off a new method,” says Karl. “The more tools fraudsters have, the more often they will cycle them to avoid detection.”
Even criminals recycle
One example is recycling a credit card account that has been placed on a warning list as potentially fraudulent. Once criminals know the card has been placed on a hot list, they will cease using it until it is removed from the list. “It costs issuers money to keep a card account on a hot list, so eventually it comes off the list and when that happens, fraudsters bring it out again,” says Clump.
Obtaining a broader view of fraud can be achieved through data sharing between retailers or through professional associations, such as the Merchants Risk Council, according to Karl. “Retailers don’t do enough data sharing on fraud trends,” he says. “Sharing data can help retailers identify patterns between the device used to conduct the fraud and its links to accounts and transactions.”
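The three checks discussed above (IP-to-card country matching, reuse of a card after it leaves a hot list, and device links across pooled retailer data) can be sketched as a review rule. This is an added example, not code from the article or from any company named in it; the record layout, the sample transactions and the per-device threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data: transactions pooled from three retailers.
# Fields: retailer, device_id, account, card, ip_country, card_country, day
TXNS = [
    ("shopA", "dev-1", "acct-10", "card-100", "US", "US", date(2007, 3, 1)),
    ("shopB", "dev-1", "acct-22", "card-101", "US", "US", date(2007, 3, 2)),
    ("shopC", "dev-1", "acct-37", "card-102", "US", "US", date(2007, 3, 2)),
    ("shopA", "dev-2", "acct-11", "card-200", "US", "US", date(2007, 3, 3)),
    ("shopB", "dev-3", "acct-40", "card-300", "US", "US", date(2007, 3, 4)),
    ("shopC", "dev-4", "acct-50", "card-400", "CA", "US", date(2007, 3, 5)),
]

# Constructed hot-list history: card -> (date listed, date removed).
# The entry is retained after removal so later reuse is still visible.
HOT_LIST_HISTORY = {"card-300": (date(2006, 6, 1), date(2007, 1, 15))}

MAX_CARDS_PER_DEVICE = 2  # assumed threshold, tune against real data


def review_reasons(txns, hot_history, max_cards=MAX_CARDS_PER_DEVICE):
    """Return {transaction index: [reasons]} for orders needing manual review."""
    # Link each device to every card it has presented, across all retailers.
    cards_by_device = defaultdict(set)
    for _retailer, device, _acct, card, *_rest in txns:
        cards_by_device[device].add(card)

    flagged = {}
    for i, (_retailer, device, _acct, card, ip_c, card_c, day) in enumerate(txns):
        reasons = []
        # Geolocation check: catches a mismatch, but a matching country
        # proves little because the IP address may come from a VPN.
        if ip_c != card_c:
            reasons.append("geo_mismatch")
        # Device linking: one device presenting many different cards.
        if len(cards_by_device[device]) > max_cards:
            reasons.append("device_linked_to_many_cards")
        # Recycling: card used again after it was taken off the hot list.
        removed = hot_history.get(card, (None, None))[1]
        if removed is not None and day > removed:
            reasons.append("card_reused_after_hot_list_removal")
        if reasons:
            flagged[i] = reasons
    return flagged
```

Run on one retailer's rows alone, the same rule flags nothing for `dev-1`, since each retailer sees that device present only a single card; the link appears only in the pooled data.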