New Techniques to Deal with Online Fraud

Online fraud in U.S. e-commerce as a percentage of revenue is trending down, from 1.8% in 2004, to 1.4% in 2006. That’s the good news. The bad news, however, is that the dollars lost to fraudulent merchandise purchases are growing dramatically, at about 20% per year. In 2006, this meant an aggregate loss of $3 billion in the U.S. and Canada, according to the CyberSource 8th Annual Online Fraud Report.

For online merchants, most fraud loss stems from four sources:

1. Fraudulent orders from buyers who do not intend to pay, most of whom use stolen credit cards or gift cards.

2. Identity theft by criminal gangs, who create “spoof” websites purporting to be financial services like banks or PayPal, or e-tailers like Amazon, and trick consumers into providing their personal information, which they then use to make purchases at legitimate merchants.

3. Hackers, who use techniques like “SQL injection,” typing non-letter characters at the end of web page identifiers, to bypass a retailer’s network, get into the underlying database and steal consumer information. Another new scam popular among hackers is cracking the algorithms used to load value onto gift cards. According to Retail Decisions., 27% of attempted transactions via gift card during the 2006 holiday shopping season were fraudulent.

4. Mistaken rejection of truthful orders based on suspicion of fraud. The number of fraudulent orders has been steady, at about 1%, for several years. But merchants rejected 4.1% of orders in 2006, according to CyberSource.

Online merchants are fighting back, as hard and fast as they can. Some of the new techniques include:

  • Data sharing. Etailers who are sick and tired of losses are cooperating with each other through such associations as the Merchant Risk Council. They can share details not only about known fraudsters, but also about patterns and trends, in order to identify bad orders more effectively.
  • New software tools. Traditionally, e-merchants relied on software that compares the credit card billing address to the product shipping address, and other address-verification strategies. But many new tools are becoming available to help detect fraud. Iovation, for example, provides a tool that “fingerprints” the physical device used to fraudulently access a merchant’s site, like a computer or a PDA. The next time that device attempts access, the transaction can be flagged and rejected. Another new tool from GFI monitors computer networks for intrusions.
  • Secure data transfer. WebPay, a new service from ACH Direct, relieves retailers of worrying about hackers by transferring all financial data to ACH servers, which also hosts the transaction pages. From the consumer perspective the ACH involvement is invisible.
  • Consumer guarantees. BuySAFE lets merchants offer a money-back guarantee to their customers, to reassure them that they are dealing with a legitimate seller.
  • Multiple payment options. As stolen credit and debit cards increase, merchants are offering customers other ways to pay, like PayPal, Google Checkout and electronic checks. Another new option is Bill Me Later, a service from I4 Commerce, which allows merchants to offer instant credit to their customers, and offload the entire payment issue.
  • Neural fraud detection. Retail Decision ReD Shield technology allows retailers to flag and review suspicious transactions that would not otherwise have been identified, using sophisticated neural-based predictive modeling.
  • PCI-DSS compliance. The large credit card companies, like Visa, MasterCard and American Express, have put together a set of 12 rules for online merchants called Payment Card Industry Data Security Standards. While only a third of the largest merchants are yet in compliance, the payment industry will continue to press their merchant customers to invest in the software and processes that they believe will improve security and reduce fraud exposure.
  • Risk management. Online merchants recognize that they cannot eliminate all fraud. But they can improve profits by analyzing their exposure, and identifying the optimal amount of fraud prevention activity for their business.
  • Don’t fight it. Some merchants are giving up. According to CyberSource, the average merchant manually examines up to a third of their online orders, and accepts 85% of them. The cost of fraud claims administration and manual review of suspicious orders may simply outweigh the losses, especially for lower-ticket items that are less of a target by fraudsters.

Original Publication

Back to Articles and Columns »