Criminals targeted Christmas Eve and shipping cutoff days for delivery by Christmas for fraudulent purchasing, a new study finds.
(Page 2 of 4)
"Fraud rings with a lot of stolen cards from a particular geographic area will rent space on a local IP server in that area to make the transaction look like it is being originated locally," says Rupert Young, head of product management for IP Intelligence at Neustar Inc., a provider of real-time information and data analysis solutions.
Retailers can detect such fraudulent transactions by reviewing the domain name associated with the IP address. They can also do so using a technique called proxy detection, which examines much more than the presented IP address of the shopper's computer to determine if a proxy server is being used and to establish the true geographic location of the shopper's IP address.
"Criminals are becoming more creative in how they disguise the IP address associated with an online transaction," Young says. "Proxy detection is a forensic approach to real-time fraud detection that helps further mitigate fraud risk by determining the legitimacy of the IP address the customer is using."
Fraudulent transactions are not the only threat to retailers. Data thieves also seek to penetrate a site's security defenses and skim customer account data. They can use that data to fraudulently open credit card accounts in the cardholder's name to make purchases, or sell the data to identity thieves.
Many retailers are not aware that each change to their web sites may open holes in their sites' security that hackers can exploit, experts say. It's common for a retailer to fail to thoroughly vet the code for new site elements to make sure they are bulletproof or to take the time to determine the impact the new code will have on a site's overall security. That may occur, for example, when a retailer adds a tracking code to its site to follow a consumer as she moves across the site to learn about her product preferences and make suggestions based on that information. And those failures may inadvertently open a backdoor to a hacker.
"A lot of retailers are in such a hurry to add new features to their sites they don't always make certain the new application is security hardened and that the rest of their sites remain secure once the new application is added," says Soumen Das, CEO for UniteU Technologies Inc., a provider of software-as-service e-commerce services.
That's particularly important when it comes to complying with the Payment Card Industry Data Security Council's standards for securing cardholder data. "PCI-compliance is all about data security and retailers need to realize that once they are compliant it is not a static badge of approval," Das says. "They must constantly evaluate the security of the customer data flowing through their web site." Major card networks like Visa, MasterCard and American Express created the PCI rules; retailers that fail to comply can be fined or lose their ability to accept payment cards.
Rather than spend the time to make sure a new application is secure and does not weaken the security of the retail site, UniteU Technologies protects new applications by loading them on its secure e-commerce platform and making them available to the retailer on demand.
"This way hackers can't hijack the application and write new Java scripts that instruct it to pick off customer data and route it to them," Das says. "There are different vectors of attacks criminals will use to infiltrate a web site and staying on top them requires a lot of due diligence."
Before retailers can effectively combat fraud, they first have to recognize its symptoms. Digging into its sales data, music e-retailer CD Baby, for example, discovered that it was being attacked by criminals on multiple fronts. Fraud rings were testing stolen credit cards by purchasing 99-cent music downloads. Others joined CD Baby pretending to be artists, creating albums using stolen music, then repeatedly buying the albums using stolen credit cards to earn artist royalties. Still others posed as affiliates and made purchases using stolen credit cards to collect fraudulent affiliate commissions.
The recurring fraud attacks drove chargebacks up to 2.6% of CD Baby's total transactions and in one month cost the retailer $26,000 in fraud losses.
To remedy the problem, CD Baby deployed the Kount Complete platform which includes several proprietary technologies and other well-known features, such as device fingerprinting and risk-scoring tools. The fraud-fighting technology helped CD Baby accurately identify which orders should be accepted, denied or manually reviewed. Chargebacks fell to less than 0.1% of total transactions. In addition, Kount's Order Linking tool, which identifies customers using stolen cards, significantly reduced the number of transactions the retailer has to manually review.
A constant battle
"Fraud schemes are not stagnant, which means the schemes criminals are using today could be different six months for now," Kount's Bush says. "The most effective fraud-fighting solutions use the latest technology and provide numerous hurdles for criminals to clear, such as velocity checks, proxy piercing and behavioral modeling." Velocity checks flag consumers making a large number of purchases in a short time period; behavioral modeling compares normal shopper patterns to a shopper's behavior as he moves through a retailer's site to detect abnormal behavioral patterns that may indicate fraud.
Security for mobile commerce represents a new challenge for retailers. Although criminals are not yet flocking to mobile commerce because the channel is still fairly new, fraud prevention experts expect that to change once purchases through smartphones and tablets becomes a bigger part of online retailing.
One issue that arises when it comes to mobile commerce is that it is harder to validate a mobile device's location than a computer's location. In e-commerce consumers typically use a fixed IP address in close proximity to their billing address, which can indicate they are who they claim to be. The same is true for mobile users connecting through a Wi-Fi network. But validating the location of mobile users via their IP address when they are connecting to a retailer's web site through a mobile gateway is trickier because the consumer's mobile carrier may route the connection through the first available gateway available to speed the connection. And the gateway may be hundreds of miles away from the customer's billing address.