Criminals targeted Christmas Eve and shipping cutoff days for delivery by Christmas for fraudulent purchasing, a new study finds.
Merchants can minimize losses to fraud by adopting an approach that combines basic measures and advanced tools.
Merchants in the U.S. and Canada last year lost an estimated 1.4% of their online revenue, or about $3.6 billion, to online payment fraud, according to CyberSource Corp.’s 9th Annual Online Fraud Report. The good news is that, as a percentage of total sales, credit card fraud losses have been trending downward since 2004, when they were at 1.8% of online revenue. The bad news is that dollar losses due to fraud are climbing, as rapid growth in e-commerce creates more opportunities for criminals, and as new online merchants learn the hard way about the importance of implementing fraud-fighting tools and procedures.
Some merchants may actually be underestimating the impact of fraudulent activities on their revenue and profit picture. For example, chargebacks, which many e-retailers rely on to measure fraud, tell only part of the story. The CyberSource report notes that chargebacks (which occur when cardholders report fraudulent charges to credit card companies, who then charge back the purchases in question to the merchant) actually account for less than half of all fraud claims; the rest are related to direct credits merchants issue to consumers who claim that their accounts have been used fraudulently.
Credit card fraud is, or should be, a concern for any retailer with an Internet presence, or looking to build one. Criminals are using several new methods to attack online merchants, but there are also new steps e-retailers can take to better protect themselves and their customers.
Crooks in old television crime shows often offloaded their stolen goods at gritty local pawn shops, where shady owners haggled with them over price, based on how easily they could move the merchandise. Today’s cyber-criminals may be more tech-savvy, but their ultimate goal hasn’t changed: they’re after cash or something they can turn into cash, and fast.
Cyber-thieves use many methods to commit payment fraud. In addition to better-known techniques like phishing, which uses images of trusted brands to trick consumers into revealing passwords and other account information, the following methods are also common:
Social engineering. Social engineering schemes focus on bypassing technology and adopting a person-to-person approach. For example, thieves posing as personnel at a payment card issuer’s security department may call cardholders and ask to verify account numbers and the three- or four-digit card identification numbers. Even though the percentage of individuals willing to provide this information is low, getting just two or three hits per 100 calls can make the effort worthwhile for criminals. Because card identification numbers were designed to help merchants validate that they were dealing with the actual cardholder, a criminal armed with a valid card account number and identification number is a bigger danger to online merchants because fraudulent purchases will be harder to detect.
Sequencing. With sequencing, criminals try to generate potentially valid credit card numbers via programs that are easy to use and widely available on the Internet. These programs start from a valid credit card number and attempt to extrapolate additional valid account numbers. Criminals run them against retailer web sites, trying sequenced account numbers over and over again to locate valid numbers.
IP spoofing. This technique exploits the fact that cyber-crime is less common in certain areas of the country, such as the Midwest, than in other areas of the U.S. and some points overseas, such as Eastern Europe and Western Africa. As the name suggests, Internet protocol spoofing makes the IP address of the criminal’s computer appear as if it is located in a lower-risk area. Sophisticated hackers do this by routing their traffic through botnets (i.e., networks of computers that, unbeknown to their users, forward transmissions, such as spam, viruses and malware, to other computers linked to the Internet). Merchants should watch for orders from safe geographies that request products to be shipped to unsafe destinations, particularly overseas.
Reshipping. Because many merchants are already wary of shipping abroad, or to higher-risk areas in the U.S., thieves have employed reshipping to circumvent these concerns. In a reshipping scheme, thieves first use some form of deception (such as an e-mail or letter to individuals offering a romantic entanglement or a way to “make lots of money by working at home”) to line up unwitting middlemen and women. They then use their dupes to receive shipments of goods stolen from online merchants and reship them to the final destination, whether in the U.S. or overseas.
Fighting fraud, holistically
While there is no silver bullet that provides complete fraud protection, online merchants can minimize exposure to these losses by adopting a more holistic approach to the fight against fraud, one that combines basic measures with more advanced tools.
Merchants can minimize their exposure to online fraud by:
Asking for the card identification number. One of the most effective and easiest ways to defend against online fraud is requiring customers to enter the card identification number, which, depending on the card issuer, is typically in the signature panel or on the front of the card. This requirement ensures that the customer is in possession of the actual card, as opposed to having stolen the number from a paper receipt or off the Internet, or generating the number through hacker methods. At the same time, merchants can help prevent criminals from stealing card identification numbers by not saving them. The only place the number should permanently reside is on the card itself.
Deploying speed bumps. Internet merchants can reduce testing of sequenced account numbers by limiting the number of failed authorization attempts for a single order. This natural speed bump will prevent the criminal from testing one card number after another, often with automated scripts, while allowing for honest data-entry mistakes by legitimate customers.
Evaluating other identifying information. In addition to collecting the card identification number, merchants should collect other key identifying information such as the cardholder’s telephone number and billing address. For maximum protection, e-retailers, particularly those selling high-ticket, high-demand items like large-screen, high-definition TVs, should ship merchandise only to that bill-to address. This could seriously limit sales for some retailers, so each merchant should assess its business situation to determine whether additional steps to verify a customer’s identity, including seeking direct confirmation from the cardholder, are warranted, depending on the price of the item, where it’s being shipped, etc.
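The speed bump described above, sketched as an added example; it is not code from the article or from CyberSource. It limits failed authorizations per order and also caps how many different card numbers one order may try, which separates a mistyped digit from number cycling. The thresholds, the keyed hashing of card numbers, the class and function names and the sample card numbers are all assumptions made for illustration.

```python
import hashlib
import hmac
import time
from collections import defaultdict

# Assumed thresholds (not from the article); tune to your own decline data.
MAX_FAILED_AUTHS = 4       # failed authorizations allowed per order per window
MAX_DISTINCT_CARDS = 3     # distinct card numbers allowed per order per window
WINDOW_SECONDS = 15 * 60
HASH_KEY = b"constructed-demo-key"  # placeholder; load from a secret store


def card_token(pan: str) -> str:
    """Keyed hash, so the limiter never holds the card number itself."""
    return hmac.new(HASH_KEY, pan.encode(), hashlib.sha256).hexdigest()


class SpeedBump:
    """Tracks failed authorizations per order inside a sliding window."""

    def __init__(self):
        self._failures = defaultdict(list)  # order_id -> [(time, card token)]

    def _recent(self, order_id, now):
        kept = [f for f in self._failures[order_id] if now - f[0] < WINDOW_SECONDS]
        self._failures[order_id] = kept
        return kept

    def allow_attempt(self, order_id, pan, now=None):
        """Call before sending the authorization request to the processor."""
        now = time.time() if now is None else now
        recent = self._recent(order_id, now)
        if len(recent) >= MAX_FAILED_AUTHS:
            return False  # too many declines on this order
        cards = {token for _, token in recent} | {card_token(pan)}
        return len(cards) <= MAX_DISTINCT_CARDS  # blocks number cycling

    def record_failure(self, order_id, pan, now=None):
        """Call when the processor declines the authorization."""
        now = time.time() if now is None else now
        self._failures[order_id].append((now, card_token(pan)))


def run_declined_attempts(bump, order_id, pans, start=0.0, step=5.0):
    """Replay attempts that are all declined; return the allow/deny decisions."""
    decisions = []
    for i, pan in enumerate(pans):
        now = start + i * step
        allowed = bump.allow_attempt(order_id, pan, now)
        decisions.append(allowed)
        if allowed:
            bump.record_failure(order_id, pan, now)
    return decisions
```

A limit keyed only on the order resets when a new order is started, so the same counter is usually also kept per session or per customer account.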