Mobile accounted for 25% of Ulta's e-commerce revenue during Q2.
Criminals use smooth talk and high tech to evade retailers’ fraud-detection systems. How savvy retailers counter their tactics.
Web merchants know thieves like to have orders delivered overnight so they only have to watch the delivery address for a short time before making off with their loot. That’s why the fraud systems online retailers use often flag a request for overnight delivery as a warning sign of fraud.
The problem is that the thieves have figured that out, and have come up with ingenious ways to avoid tripping those fraud alerts, says Bryan Whitney, contact center director at multi-channel retailer Urban Outfitters Inc. For instance, the thief might request standard shipping when placing the order, then call customer service a day later complaining that the retailer processed the order incorrectly and that he needs the package tomorrow. If the agent is not hip to the trick, the thief gets the order delivered overnight without setting off a fraud alert.
Or, knowing that retailers will look more closely at an order when the shipping address is not the same as the credit card’s billing address, some crooks will enter the card’s billing address when placing the order on a web site, then call the carrier to have the destination changed, Whitney says.
“The most interesting thing to me is the social engineering aspect,” Whitney says. “They really look for ways to circumvent our fraud controls.”
It’s part of the never-ending battle between thief and retailer. Both sides are employing high technology and social skills in novel ways to gain an edge. Retailers have to keep up to keep from being taken.
“Fraud is evolving,” says Allen Weinberg, a managing partner at Glenbrook Partners payments consulting firm. “Criminals adapt. As you plug one hole another one arises.”
Fraud is also increasing. In 2007, 1.3% of online sales later turned out to be fraudulent, up from 1.1% in 2006, according to payment security specialist CyberSource Corp.
Fraud is especially a concern for online retailers who sell high-ticket goods, such as The Watchery.com, whose average sale is $2,000.
“I just had a fraudulent order today that came from a university in Pennsylvania,” says Joseph Levy, founder and general manager of TheWatchery.com “Here’s a kid that’s probably going to school for computer systems and in his spare time using what he’s learning to place a $20,000 order with a stolen card.”
The retailer was seeing many fraudulent attempts to place orders, the majority of them for merchandise worth $7,000 or more, when it decided it was time to invest in more sophisticated antifraud technology. The e-retailer deployed a fraud-detection system from Accertify Inc., a company launched last year by a team of executives who developed the fraud-prevention program for travel web site Orbitz LLC.
Levy likes the Accertify system because it gives him the flexibility to decide what is risky, instead of the system automatically assigning risk when, for instance, the ship-to address is not the same as a card’s billing address. Many of TheWatchery.com’s legitimate customers buy gifts for their spouses, and send them to their work addresses so as not to spoil the surprise.
“The rules that apply for most retailers don’t apply for me and my customers,” Levy says.
The Accertify system analyzes several data points for each order, including price and other parameters Levy prefers not to mention for fear of tipping off criminals. The system also verifies the card’s billing address with the issuing bank.
Accertify says about 10 online retailers use its system, including TheWatchery.com and Urban Outfitters.
Speak the truth
Other new technologies and services are emerging to fight online fraud.
One new system called Victrio records phone calls customer service representatives place to consumers to check on suspicious transactions, and then cross-checks the voice of the consumer against an audio file of the voices of known criminals. The system was recently put to the test to distinguish five crooks’ voices out of a batch of 25 for an online luxury retailer. It scored 100%, says Tony Rajakumar, founder and CEO of Victrio and a former engineer at a speech recognition company.
Victrio is still building its database of audio files, which Rajakumar says will increase as more merchants sign on. “Most crimes come from career fraudsters,” he says. “Merchants aren’t just going to be hit by someone once, but 100 times. If they can put their voice in a database, it will help everyone.”
Another vendor, Ethoca Ltd., touts a fraud-prevention community that businesses, including e-retailers, can join for a fee. Members contribute customer information and can see data from others in the community.
Businesses not only share information on problem customers-such as those who commit fraud or habitually return items-but also about good customers. That helps participating retailers identify transactions that are likely to be legitimate, as well as those that are suspicious.
About 50 businesses have joined the network, which launched in 2005, including e-retailer TigerDirect.com, a subsidiary of Systemax Inc. Subscriptions to Ethoca range in price from $500 to $25,000 a month depending on size and usage.
Other services like one from Quova Inc. use geolocation technology to see where a visitor is coming from. The system can help e-retailers spot IP addresses associated with fraud or flag suspicious orders, such as a visitor from Romania attempting to make a purchase with a card tied to an address in Iowa.
Back to basics
While third-party providers are eager to offer services for a fee, Eric Archuleta, CEO of online music instrument retailer Musician’s Hut, has decided to fight fraud on his own. In-house business practices can go a long way in thwarting crooks, he says. And, he says, his company can’t afford the prices payment security vendors charge.
Requiring a consumer to enter a three- or four-digit code often called the CVV2 or CVC2 code is one basic step that helps, says Archuleta, who has a background in fraud prevention. The code was created by card companies several years ago to reduce fraud on card-not-present transactions.