Cybercriminals are smart - E-retailers must be smarter


Trying to stop criminals from making fraudulent transactions and stealing cardholder account data is a bit like playing whack-a-mole. As soon as retailers stop the thievery by plugging one hole in their systems, criminals find a way to breach their defenses. In many cases, it's the tiniest weaknesses in a retailer's web site that criminals zero in on and exploit.

Criminals never stop seeking ways to make money from fraud and data theft, and as e-commerce grows it makes for an ever more appealing target. That's why retailers can never let their guard down, no matter how diligently they police their sites. In 2011, for example, while fraud as a percentage of transaction volume for U.S. and Canadian e-retailers declined to 0.6% from 0.9% in 2010, dollar losses grew to $3.4 billion from $2.7 billion, according to CyberSource, a subsidiary of payment card network Visa Inc.

Several factors make e-retailers prime targets for criminals. The first is that it's easier on the web than in the physical world to commit fraud. There are many ways criminals can mask their identities, such as by using proxy servers to hide their true location or by creating an alternative IP address for the device being used.

Online merchants are also open 24/7, which means criminals can operate around the clock and from anywhere in the world. Finally, the cost of entry to committing cyber-crime is low. Anyone with a computer and an Internet connection can commit online fraud or steal card data.

"Preventing fraud and data theft is an ongoing business problem and a big cost for e-retailers, because criminals are well organized and always working to get better at beating the system," says Bill Cohn, principal product manager for Litle & Co., a payments management company specializing in card-not-present transactions. "Merchants aren't going to be able to get completely away from the problem, but the more emphasis they put on fraud management and data security, the faster they can take preventive measures that will reduce fraud losses."

Triple whammy

To effectively combat cyber-criminals, e-retailers must continually upgrade their fraud detection systems and defenses to protect cardholder data. Merchants that don't stay on top of new fraud trends will not only fall behind advances by cyber-crooks, they will set themselves up for huge fraud losses. To make matters worse, a retailer's poor security record can lead to stiff fines from the credit card networks and require high-priced fixes to its payment and security systems.

Ongoing upgrades in fraud detection and data security reduce those risks and costs. "The key is constantly adjusting fraud and data protection strategies," says Rich Rezek, head of global product management for ReD (Retail Decisions), which specializes in fraud detection. "Rules and strategies that worked yesterday will need to be adjusted based on what happens today. Merchants need to learn everyday about the strengths and weaknesses of their fraud strategy and adjust it accordingly or risk becoming stagnant."

Retailers, however, cannot depend on a blanket fraud detection strategy, especially if they sell a wide variety of merchandise. "Retailers that sell hard goods and soft goods need fraud prevention strategies for each product, because each product has a different set of fraud characteristics," Rezek says. "If customers can buy online and pick up in-store, retailers need a strategy for that part of their business, too. Each part of a retailer's business needs its own fraud prevention strategy that is continually adjusted."

Make it fast

Criminals' growing sophistication in skirting fraud-prevention tools and maximizing their yields from online fraud makes real-time fraud detection a must. At the same time, consumers expect a retailer will prevent fraud without hindering their online shopping trips in any way. Fraud prevention strategies that slow site performance, even by a second, can diminish a customer's goodwill, hurt the retailer's brand and lose sales.

"Fraud detection has to be done in real time because it takes place during checkout when consumers are anxious to conclude their online shopping trip, but it can't impact the customer experience in any way," says Steve Rouse, chief operating officer of Kount Inc., a provider of turnkey fraud and risk-management solutions. "If a customer has to wait longer than he would like for a transaction to be authorized, or if the retailer asks for too much information to validate his identity, it can lead to impatience on the part of the customer and a lost sale."

Running a consumer's card through a fraud screen should take place in about 300 milliseconds, which is as fast as it takes to authorize a credit card at a store checkout counter, according to Rouse. Retailers can further streamline the fraud-screening process by reviewing the rules they have in place to validate a customer.

"We recommend that retailers only ask customers for data they really need. For example, a retailer selling downloadable content, such as games, really does not need to ask for a shipping address, because nothing is being shipped," Rouse says. "Being more selective about the data needed to validate the customer can make for a faster, smoother checkout process that does not compromise fraud prevention."

No data to protect

While real-time fraud detection strengthens retailers' defenses against cyber-criminals, many consumers still have doubts about the security of e-retail sites, and some remain reluctant to use their credit cards online. Their fear is that criminals will intercept the data during the transaction or hack into a retailer's database and steal credit card data stored there.

To ease these fears, transaction processors such as Litle & Co. are urging retailers not to store cardholder data on their servers and to use tokens in lieu of actual card numbers. Tokens are facsimiles of card account numbers generated by a token server; even if a criminal obtains a token, he won't be able to use it to make another purchase. The token is generated when the merchant submits the card account data for authorization to the processor, which generates a token and returns it to the merchant. The processor stores the actual card account data on a secure server, freeing the merchant to erase card data from its system.

But the retailer can keep the token on file and use it again if the cardholder makes another purchase in the future. "Tokens are useless to criminals because they are not legitimate card numbers," says Litle & Co.'s Cohn. "As the creator of the token we hold the key to decrypt it and match it with the card number and merchant it is linked to, so if a criminal attempts to use a token we would detect and decline it."

Tokenization usage by Litle & Co. merchants has grown threefold in the year since its inception.

In 2011, the company added PayPage, a front-end application that transmits card account data collected at the checkout page through a shopper's web browser directly to a secure tokenization server. PayPage returns a token—not the card number—to the merchant so the retailer never sees the card data; as a result, the retailer need not build systems for protecting card data, even for a short time.
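The token flow described above, as an added example that is not Litle & Co.'s or PayPage's code: a minimal processor-side vault that returns a token to the merchant, keeps the real card number only on the processor side, binds each token to one merchant, and declines a token that is later presented as if it were a card number. It assumes a lookup table rather than the encryption Cohn mentions, and the merchant ids and card numbers are constructed.

```python
# Added example (not Litle & Co.'s code): a minimal processor-side token vault
# following the flow the article describes. Merchant ids and PANs are constructed.
import secrets


def luhn_valid(number: str) -> bool:
    """Luhn check that real card numbers pass; tokens here are built to fail it."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Runs at the processor. Merchants only ever hold the tokens it returns."""

    def __init__(self):
        self._pan_by_token = {}   # token -> (merchant_id, pan); processor-side only
        self._token_by_key = {}   # (merchant_id, pan) -> token, so a repeat card reuses its token

    def tokenize(self, merchant_id: str, pan: str) -> str:
        """Called when the merchant submits card data for authorization; returns the token to keep."""
        key = (merchant_id, pan)
        if key in self._token_by_key:
            return self._token_by_key[key]
        while True:
            # Keep the last four digits for receipts, randomise the rest, and reject any
            # candidate that would pass Luhn so the token cannot pass as a card number.
            token = "".join(str(secrets.randbelow(10)) for _ in range(12)) + pan[-4:]
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = (merchant_id, pan)
        self._token_by_key[key] = token
        return token

    def detokenize(self, merchant_id: str, token: str) -> str:
        """Processor-side lookup for a repeat purchase; a token is bound to one merchant."""
        owner, pan = self._pan_by_token[token]
        if owner != merchant_id:
            raise PermissionError("token is linked to a different merchant")
        return pan

    def authorize(self, merchant_id: str, card_number: str) -> str:
        """A token presented in the card-number field is recognised and declined."""
        if card_number in self._pan_by_token:
            return "declined: token presented as a card number"
        if not luhn_valid(card_number):
            return "declined: invalid card number"
        return "approved"
```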

A team approach

As effective as tokenization is at protecting consumer card data and reducing fraud risk, it remains just one arrow in a retailer's fraud-fighting quiver. The growing sophistication and organization of fraud rings has created the need for retailers to have better real-time data to flag potentially fraudulent transactions.

One way to keep up with fraud as it happens is for merchants to exchange data about suspicious transactions with the banks that issue credit and debit cards. Although merchants and card issuers have shared information in the past, they did not necessarily exchange detailed data about suspicious transactions, such as what was purchased or where it was to be shipped. Nor did they always share the data in time to stop shipment of the order.

Very often the retailer would ship the goods, the criminal would sell them and weeks later the legitimate cardholder would see the charge on his card statement and complain. The result was a chargeback, in which the retailer must refund the money received for the purchase and take a loss for the value of the merchandise shipped.

"A significant percentage of chargebacks are fraud," says ReD's Rezek. "Sharing better data sets about transaction activity and cardholder behavior between issuers and merchants can help identify fraudulent transactions as they occur, even on orders that initially got approved, but have yet to ship."

ReD's Fraud Alert service sends daily transaction data from ReD's merchant clients to the issuers of cards used at those merchants. If the card issuer spots a transaction outside the cardholder's normal pattern of activity, the issuer can immediately contact the cardholder to verify the transaction. If the cardholder says she did not make the purchase, the card issuer turns down the transaction and the retailer is alerted to the possibility of fraud.

"It's a much clearer validation process that gets merchants and card issuers working together by sharing more detailed data sets on a daily basis," Rezek says.

ReD also uses analytics, rules, neural network technology and pooled data to identify all the components of a fraudulent transaction and the linear and non-linear relationships between those data across multiple merchant categories in real time. The company even monitors online chat rooms used by criminals to exchange stolen card accounts to build its negative card file.

Even with the growing sophistication in fraud detection technology, a retailer's fraud prevention strategy still comes down to its appetite for risk. Newer merchants, for instance, tend to be more focused on marketing to grow their business and less inclined to reject a lot of suspect transactions. Merchants more prone to fraud, such as those that sell consumer electronics that can quickly be resold for cash, tend to have a lower risk tolerance.

"Managing fraud by manually reviewing orders is expensive and time-consuming, and often results in lost sales and customer insults," says Kount's Rouse. "While every situation is different, most retailers will benefit greatly by reducing manual reviews and introducing automation into the process."

Implementing simple and inexpensive checks is an important first step for retailers seeking to balance risk with other business objectives. One practice is tracking transaction velocity on a card. For example, a retailer may want to manually review the next order from a customer who has placed five orders in a 24-hour period.

"Customers with high transaction velocity in a short period should be flagged and approval slowed down a bit," Rouse says.
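The velocity rule just described, as an added example that is not Kount's code: orders are screened in arrival order, and an order is routed to manual review when the same card already has five orders inside the trailing 24 hours. The order stream, card references (tokens rather than card numbers) and timestamps are constructed; the window and threshold are the article's figures.

```python
# Added example (not Kount's code): a sliding-window transaction velocity check.
# Orders, card references and timestamps below are constructed sample data.
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)
THRESHOLD = 5   # the article's example: five orders in a 24-hour period


def screen_orders(orders, window=WINDOW, threshold=THRESHOLD):
    """orders: iterable of (order_id, card_ref, timestamp) in arrival order.

    Returns {order_id: "approve" | "review"}. An order goes to manual review when the
    same card_ref already has `threshold` or more orders inside the trailing window.
    Orders older than the window are dropped from the per-card queue as time advances.
    """
    recent = defaultdict(deque)   # card_ref -> timestamps still inside the window
    decisions = {}
    for order_id, card_ref, ts in orders:
        q = recent[card_ref]
        while q and ts - q[0] > window:
            q.popleft()
        decisions[order_id] = "review" if len(q) >= threshold else "approve"
        q.append(ts)   # reviewed orders still count toward later velocity
    return decisions


# Constructed sample stream: card tok_A places six orders in six hours, then one
# more a day later; card tok_B places two orders.
BASE = datetime(2012, 5, 1, 9, 0)
SAMPLE_ORDERS = [
    ("A1", "tok_A", BASE),
    ("A2", "tok_A", BASE + timedelta(hours=1)),
    ("A3", "tok_A", BASE + timedelta(hours=2)),
    ("B1", "tok_B", BASE + timedelta(hours=2)),
    ("A4", "tok_A", BASE + timedelta(hours=3)),
    ("A5", "tok_A", BASE + timedelta(hours=4)),
    ("A6", "tok_A", BASE + timedelta(hours=5)),    # sixth order within 24h -> review
    ("B2", "tok_B", BASE + timedelta(hours=6)),
    ("A7", "tok_A", BASE + timedelta(hours=30)),   # earlier orders aged out -> approve
]

if __name__ == "__main__":
    for order_id, decision in screen_orders(SAMPLE_ORDERS).items():
        print(order_id, decision)
```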

Nor should retailers overlook requiring a customer to enter her three-digit CVV number on the back of her card. CVV numbers are intended to prove the customer is in possession of the card, and not a criminal entering a stolen account number.

"A lot of retailers don't ask for it," Rouse says. "It's an easy and inexpensive fraud detection tool to implement at checkout, and if it is not entered or entered wrong it can be one indication of potential fraud."

These simple techniques are helpful, but often not enough to stop today's sophisticated criminals. Advanced technologies available from fraud-prevention services providers are often needed to round out an effective fraud reduction strategy. For example, Kount uses real-time dynamic scoring models to evaluate card-not-present transactions and links orders from around the globe to uncover hard-to-detect fraud schemes. The company also uses a proxy-piercing process to identify the Internet nodes used by the access device to connect to the proxy server. That helps to determine the user's true geographic location and enables a retailer to reject transactions from areas where it cannot ship or that are known to initiate a lot of fraud.

Cost control

A tricky aspect of fraud that retailers need to monitor and address is chargeback-related fraud. The tepid economy in recent years has fueled a rise in what some call friendly fraud, that is, transactions by normally law-abiding consumers who decide they want to keep an item without paying for it. They may have realized they butted up against their credit limit after making the purchase or decided they could not afford their purchase after receiving the item. Regardless, the customer decides he wants to keep the item.

What typically happens next is that the consumer will claim he did not receive the item, though in fact he did. The merchant may know it shipped the merchandise and want to dispute the chargeback, but that can be costly. To help retailers offset the cost of disputing friendly fraud, Litle & Co. streamlines the process of gathering the information merchants need to dispute chargebacks. Additionally, Litle & Co. automatically analyzes the characteristics of the transaction to determine the likelihood of winning the dispute and whether the cost of the dispute will exceed the price of the item in question.

"It's tough to distinguish friendly fraud from legitimate fraud and there is a cost for merchants to dispute a chargeback. The more merchants can lower dispute resolutions costs, the better," says Litle & Co.'s Cohn.

Global expansion

As e-retailers expanding into other countries offer local payment options, such as bank transfers, as a way to attract consumers that don't have a credit card or who prefer to pay with cash, they need to be aware that those payment options come with their own set of fraud risks.

Debit cards, which are commonly used in many countries outside the United States for online purchases, such as in Germany, are prone to account takeovers by criminals that gather confidential cardholder data through e-mail phishing attacks aimed at consumers. Once armed with this information, such as account numbers and government identification data, criminals can successfully masquerade as the accountholder, making online purchases using the accountholder's PIN and other personal and account information.

"Retailers doing business internationally need to understand the fraud patterns around each payment option in the countries where they do business and the type of fraud being perpetrated in each country," says ReD's Rezek.

With fraud rings becoming better organized and more sophisticated in how they attack merchant defenses, the onus is on retailers to evolve their data protection strategies and upgrade their fraud prevention technology to stay one step ahead.

"Retailers can't afford to sit still when it comes to fraud, because there is always a risk when it comes to an online transaction," Rouse says. "Successful fraud prevention comes down to being able to evaluate transactions in real time for fraud without affecting the customer experience."

Originally reported at Internet Retailer.