Automated systems that validate identities help e-retailers stop criminals before they steal.
Thieves like to play e-retailers for fools. Some play a shell game, selling products they don't own and leaving e-retailers holding the bag after a con slips through undetected. Others hide behind stolen credit cards to make themselves look like legitimate buyers, and the retailer only catches on when a chargeback arrives. Thieves' tactics are many, but retailers' defenses are growing too.
55% of merchants say emphasizing and improving automated fraud detection capabilities is a top priority, according to a recent survey of 325 U.S. and Canadian merchants conducted by fraud management vendor CyberSource. A similar amount, 56%, say they already use an automated security tool to screen orders for fraud, but they are looking to add further tools that'll help them keep the 1% of total revenue they lose annually to fraud in their own bank accounts. 57% of merchants say they plan to add at least one more fraud detection tool in the next year.
Online retailers are arming themselves with a variety of tools to automate fraud screening, cut the time and money spent on manual reviews and the amount of money they lose to fraud. Anti-fraud tools help retailers evaluate transactions and let them set the rules for what they will let pass. Although not perfect, retailers using these systems are increasingly able to keep thieves at bay.
One retailer, who asked for anonymity for fear of provoking more attacks, fell victim to a scheme that cost her business close to $500 a day in chargebacks from credit card companies taking back the funds they paid her after customers said they did not make the purchases. The owner, referred to as Ilene and her business Stuffspot for the purposes of this article, tried to quell the activity by manually reviewing 30% of her orders. That was a burden in time, money and effort for the 22-employee retailer that brings in more than $14 million in sales annually.
"It was effective at stopping fraud," Ilene says. "But the issue was that it was also stopping good customers as well." That's because her staff couldn't always reach them by phone or e-mail to verify orders.
But since implementing in June an automated system from vendor Kount Inc. that screens for payment fraud, Stuffspot has been able to limit its fraud exposure, Ilene says. The retailer still manually reviews 8% of its orders, but both the number of manual reviews and the time to process them have declined by at least one-third, she says, and that continues to lessen as she refines the system's rules for identifying fraud.
In another example, e-retailer DiscountWatchStore.com used to spend roughly an hour and a half each day checking for fraud manually, says founder Zai Zhu. But implementing a tool called FraudWatch from e-commerce platform provider 3dcart Shopping Carts a few months ago cut that time by 40-50%. He says he chose the tool because his store operates on the 3dcart e-commerce platform and the cost was lower than that of competing systems. It costs him less than $100 per month. He declined to say how much DiscountWatchStore.com has saved by using the service, but says it has helped save him enough "to pay for the service many times over" because he gets fewer chargebacks. The tool assigns a risk score to transactions based on a dozen criteria, such as IP address, mailing address and bank verification, and posts that score within the order management system where Zhu can see it. He can then decide to let an order through, cancel it or investigate it further.
FraudWatch costs $9.99 per month for up to 500 fraud checks, $29.99 for up to 2,500 and $49.99 for up to 5,000, 3dcart says.
ThreatMetrix, another automated fraud detection technology provider that assigns a fraud score based on a variety of cues, lets merchants set rules that can immediately pass, block or hold transactions from going through. Merchants can also elect to automatically blacklist anyone from buying from their sites if they've been tied to previous fraudulent activity detected from across ThreatMetrix's network. ThreatMetrix monitors close to 114 million transactions a week, says Alisdair Faulkner, chief product officer.
Digital games, software and gift card retailer PC Game Supply blacklisted the 300 people for whom it received chargebacks during the first week of September, says owner Chris Letendre, bringing the list to more than 100,000 in two years since beginning with ThreatMetrix. The retailer reviews all credit card chargebacks on a weekly basis and uses the information to create new, stricter rules for the platform, he says. So far he's added 200 rules, including one that automatically blocks customers who try to pay over a virtual private network, or VPN. VPNs can make an IP address look like it is coming from another location, a common practice among criminals overseas who want to make orders look as if they come from U.S. buyers.
Stuffspot received four chargebacks between June and October using Kount's system, Ilene says, and all were prior to Stuffspot adding extra layers of defense. A LexisNexis integration available through Kount for an additional fee verifies consumer addresses and identities at checkout by instantly checking billions of public records and non-credit databases. If questions still remain about an order, Ilene says she then uses a tertiary tool called Targusinfo that verifies information, as LexisNexis does, but from different sources.
Those extra verifications save Stuffspot roughly $400 per month, Ilene says, because they snag criminals who repeatedly spam Stuffspot's checkout with random names, orders and fake address information in attempts to figure out which stolen card data will make it through. The credit card processor used to charge Stuffspot a fee for each attempt even though it declined the cards. Now that spam gets caught before it gets to the processor.
All told, including the cost of Kount, Stuffspot now keeps about 75% of what it used to lose to fraud. These savings come from requiring fewer staff paid to do manual reviews and fewer chargebacks and lost goods. Ilene declined to tell how much she pays for Kount, but says it was cheaper than other competitors she researched. Each LexisNexis check costs an extra $0.35-$0.75 she says, although she can direct those checks to run on only certain transactions; Targusinfo is similarly priced. "And I'd rather pay somebody to stop fraud than pay the fraudster," she says.
Retailers acknowledge that maintaining thick armor may mean they miss out on some legitimate sales, and they adjust their fraud-detection thresholds to ensure that the financial benefits of being careful outweigh them.
Letendre at PC Game Supply says he knows he blocks some good transactions with ThreatMetrix, but he works to keep those to a minimum. Blocking the bad even if he must swallow some good sale losses is vital, he says, because PC Game Supply is required by merchant processors to keep its chargebacks below 1% of gross revenue, otherwise it's fined or could lose their services.
He evaluates a new rule based on how it would affect the last 30 days of transactions. If the majority of legitimate transactions would still have made it through, he says he knows the rule is specific enough that he's not catching too many false positives.
PC Game Supply has gone from manually reviewing 100% of transactions two years ago to just 6% today, Letendre says. He's been able to save about $8,000 in payroll per month because he requires fewer employees to complete the checks. When he needs more help, he outsources excess work to India.
In that time, business also doubled for the retailer, he says. Without manually reviewing every order, transactions go through much quicker than before—a few minutes rather than 30 or 60, he says. "That's a big deal for customers purchasing digital products," he says. "The fact that they know they will get it right away has absolutely increased our sales."
E-retailers may be doing their best to arm themselves like Fort Knox, but crafty thieves still find ways to get around their defenses.
On Aug. 14, 30 transactions from 30 new fake accounts got past PC Game Supply's defenses, resulting in total losses of $1,800. All were traced to computers in Australia, Letendre says. A similar attack originating in China hit the retailer in July.
"It's not huge scale, but it could be a couple thousand dollars if you don't catch it right away," he says. And because PC Game Supply sells digital goods, once a product is redeemed it's gone forever.
Whenever a group of criminals attacks this way, Letendre immediately holds a conference call with his staff and experts from ThreatMetrix to figure out how to plug security holes. For example, they found a commonality in not only location but software with the Australian criminals upon which to base a rule, he says.
Like panning for gold, automated technologies to detect fraud help retailers sieve bad transactions out of the good.