Top of the News
Fraud update: Identity theft, hunting and phishing
An interview with CyberSource fraud expert Vic Dolcourt
Q: The press is full of stories about phishing and its impact on the consumer. What can you tell us about the impact of phishing on the eCommerce merchant?
A: Anything that causes consumers to question the overall safety of online shopping affects eCommerce merchants. Consumers read about the problem, they see examples of phishing sites online, and they begin to get edgy about the whole practice. It's hard to measure. And of course, any identity theft that results in illegal purchases can result in a chargeback to the merchant and that's plenty measurable and felt deeply by every merchant.
Q: Can phishing be prevented?
A: Phishing attempts probably can't be prevented. But we can certainly limit the success of those attempts.
Q: How?
A: Really, two ways. First, we all need to educate the consumer to never click through on any type of unsolicited or non-validated email offer or notice requesting sensitive personal information, particularly from a financial institution, auction site or payment system. These are the favorite forms of the scam to collect consumer information.
Secondly, there are some effective tools to limit the exposure to phishing fraud. This type of fraud is a business, not a hobby, and generally, there is an organization of multiple individuals with special talents behind the enterprise. To make any business pay, you've got to have volume and lots of it and that's how we catch them. The individuals are driven by greed and their feeling of power. They worked way too hard to get that illegal information and they are going to use it a lot. And in doing that they sow the seeds of their own identification.
Q: And that means?
A: Volume. Equipped with illegal information, the robbers have access to credit card account numbers and usually Card Verification Numbers as well. It is not unusual for fraudsters to look up addresses or even change a consumer's address with their financial institution. Once they determine that a card account number works, they use it. To excess. Our systems see that kind of velocity in an instant. We immediately see IP address issues (Hey, that computer is supposed to be in Alberta but these orders are all being input in New Jersey!). We see shipping address issues, email address issues, the works. Users of our products can have pre-defined rules that will catch this.
Q: Are you sure there's no way to escape detection?
A: Of course there is; however, it runs counter to any crook's nature. If a fraudster were to obtain a flood of account numbers and only do one transaction per number, that could work for a while.
Q: Then why wouldn't somebody do that?
A: It would be way too hard, way too risky, and the payoff would be too small. With returns like that, you'd need a legitimate day job to support the fraud and that kind of misses the point for a bad guy, doesn't it?
Q: What about hunting? That's a less well known practice.
A: Not for long, I'll bet. Basically, it's a combination fraud and scam. It involves a fraudster masquerading as a legitimate employer and then hunting for an agent, actually an unwitting helper, to help trans-ship fraudulent purchases.
Q: Why do fraudsters need this type of help?
A: They don't need help to illegally acquire information. They're doing that successfully in a variety of ways. But many of these rings are operating from a remote location. There are centers of fraud in Eastern Europe, Africa, Asia, etc. Many of the crooks operating in these areas like to buy American or English products. So, they have a need to recruit someone that will trans-ship to them, since sellers of those goods have developed a high sensitivity to bad addresses. In general, they do not use the commercial trans-shippers, although occasionally they do.
Q: How do fraudsters recruit agents? And why would anyone help a fraudster?
A: The prospective agent doesn't know he or she is doing anything illegal. The bad guys prey on lonely people, people who are out of work, people that don't necessarily want to go to a workplace, or want to work part time. They meet them on dating websites, for example, and establish a long distance relationship, often complete with a phony picture. They make friends with their victims and over time ask them to do a few little favors. They might explain the favor by saying something like: "Things are so bad here in Nigeria, the government steals all the goods I order direct from manufacturers. They don't often bother personal packages, though. Do you suppose you could receive some stuff for me and then reship them to me in new wrapping?" Or other, similar appeals to the victim's sympathy. It's a lowlife tactic, but one that's unfortunately gaining ground.
Q: Is there a solution for this?
A: Well, as noted, tools pick up on multiple shipments to the same address and they've lost their cover. So the unhappy dupe gets caught resending stolen property.
Q: Well, won't all their schemes ultimately affect merchants and manufacturers?
A: Yes, and they are innocent victims, too. They end up bearing the fraud and the resulting chargebacks. But the truth is, eCommerce merchants who stay on top of fraud, who use available tools, are managing their losses and are beating fraudsters. We see it happen every day. This isn't a losing battle.
Q: Are you saying fraud isn't a serious problem?
A: Oh no, it's serious. But so is shoplifting and nobody predicts the demise of retail due to it. It's an annoyance, ranging from minor to major, that you deal with. If you've got a problem with crime in a brick and mortar store, you install modern tools to prevent it. The same holds true for virtual stores. The tools are just different.
The Transaction Insider:
By Doug Schwegman
Market Research Director

2004 Online Sales Review.
CyberSource merchant performance and preliminary estimates from other research companies indicate that the 2004 holiday sales season exhibited strong growth, beating early season forecasts. In early November forecasters published predictions ranging from 19% to 26% year on year growth. In our last article we observed that growth patterns in 2004 indicated a 4th quarter online sales growth approaching the level of 2003 and above published forecasts. The research company comScore Networks® recently announced holiday sales grew by 29% in 2004 approaching the 31% growth level reported by comScore for 2003 and beating pre-season forecasts.
Given the strong online holiday sales and 4th quarter performance in 2004, what can we look forward to for 2005 online sales growth? We would expect that most forecasters are likely to revise their 2005 online sales forecasts upwards later this year given the current trends.

Based on current trends reflected in the U.S. Commerce Department's quarterly survey of U.S. retailers (Commerce Survey), online sales (adjusted) by U.S. retailers are approaching $70 billion in 2004 which is approximately 24% growth over 2003. In 2003 online sales of U.S. retailers grew by 26% so online sales growth has remained strong in 2004.
According to comScore and other estimates, online retail sales are approximately 57% of total online B2C sales. On this basis total online sales for 2004 should exceed $120 billion. In future issues we will review forecasts and trends for online sales growth in 2005. Given the strong performance in online sales in 2004 we are optimistic about prospects for 2005.
Market Updates
MasterCard® & Diners Club® Announce Alliance
MasterCard and Diners Club announced an alliance that will allow North American merchants to process Diners Club transactions as MasterCard transactions. Diners Club cards issued in the United States and Canada will be redesigned (and reissued) to include the MasterCard account number and carry both the Diners Club and MasterCard brand marks. These cards will be processed like a MasterCard transaction, but continue to provide Diners Club benefits to the cardholder. The change is being handled in phases, the first being issuance of corporate and personal cards in Canada, along with U.S. corporate cards. The second phase will include re-issuance of Diners Club cards to U.S. card members beginning Q2 2005. Diners Club cards issued outside of North America will carry the MasterCard logo on the back, but will maintain the Diners Club account number and primary branding. If accepted by U.S. or Canadian merchants these cards will be processed as MasterCard transactions. If accepted by merchants outside the U.S. or Canada, the cards will be processed as Diners Club transactions. For more information visit the MasterCard website.
Microsoft®, eBay®, Visa Share Phony Phish Site Info
From InformationWeek, February 15, 2005
Microsoft, eBay, and Visa joined forces Monday to launch a program to share information about phishing attacks.
The Phish Report Network, a database run by WholeSecurity, an Austin, Texas-based developer of anti-virus and anti-phishing solutions, is available now, and can be used by any company to report the bogus websites associated with phishing attacks.
Companies that subscribe to the network can access the database or receive real-time notifications of phishing sites. The idea is to give potential phishing targets an immediate heads-up so that they can notify customers, attempt to shut down those sites, or block them. Other companies, such as anti-spam software suppliers or Internet service providers, can join the group to receive notifications that they then roll into their spam defenses or site-blocking tools.
"Phishing is the fastest-growing segment of spam being sent worldwide today, victimizing both legitimate online companies whose brands are being hijacked and consumers who are unwittingly providing their personal information to criminals," said Ryan Hamlin, Microsoft's general manager of its safety technology group, in a statement. "The data that the Phish Report Network will provide can help Microsoft better defend our millions of users worldwide against these nefarious phishing attacks."
Other companies that announced participation in the network -- eBay and its payment affiliate PayPal, and credit card company Visa -- have been the target of numerous phishing scams.
The Phish Report Network database is up and running now. Companies can sign up by visiting the network's website.
MasterCard® Rule Changes
MasterCard announced changes that will affect card-not-present, Internet processing rates as of October 2005. The actual rate charged will be dependent upon whether the MasterCard® SecureCode authentication service has been used to process the transaction:
- Interchange rates will be increased above the current level if MasterCard SecureCode services are not used.
- Conversely, use of MasterCard SecureCode will drive interchange rates down, with the specific rate being dependent upon whether the transaction was:
  - Fully authenticated by the issuing bank, or
  - Only checked for enrollment and the cardholder was found to be "not enrolled" (obviously, merchants have no direct control over whether a cardholder is enrolled).
Merchants are advised to consult their acquiring bank or merchant account provider to determine how these new MasterCard rates can benefit them. CyberSource believes that these MasterCard rule changes, along with the liability shift offered by Visa's Verified by Visa program, justify merchants re-examining the trade-offs associated with implementation of Verified by Visa and MasterCard SecureCode authentication services.
2005 Online Fraud Report: 6th Annual
Benchmark Your Practices
How do you define a fraud problem? While nearly 2/3rds of merchants surveyed have their fraud rate controlled to less than 1% of orders, they are losing more dollars to fraud and incurring increased costs to control the problem. Get our complimentary 2005 Online Fraud Report and discover new ways to look at your fraud process and the metrics you monitor. The full report includes detailed statistics on fraud rates, budgets, process metrics and more.
Product Spotlight
CyberSource Solutions
More Merchants Using Global Services
More and more of our merchants are growing revenues by accepting payment methods unique to local markets around the globe. In fact, on December 20, 2004 we processed payments in 182 countries for our merchants. Merchants cite same-country revenue increases of up to 20% or more due to local payment type acceptance. If you're not accepting global orders or payment in local formats because you fear complexity or fraud risk, CyberSource can provide solutions that simplify both processing and banking hassles.
CyberSource offers global payment and risk management solutions that allow you to process multi-currency and local payment type transactions in nearly 240 countries, as well as settle payment in all major traded currencies. We provide the gateway and banking services necessary to process worldwide bank cards, bank transfers (Giros), country-specific cards (Switch, Solo, Carte Bleue, Carta Si, etc.), and direct debit (ELV). Our companion global risk and compliance services help reduce fraud risk and ease compliance with local tax regulations. Visit our website for details.
Advanced Velocity for Advanced Fraud Screen and Decision Manager
CyberSource has enhanced the velocity feature to increase control and fraud detection while at the same time reducing false positives (identifying an order as suspicious when it is actually a good order). Advanced Velocity allows you to select the detection interval.
The interface controlling the selections can be found under the Tools section of the CyberSource Enterprise Business Center. Advanced Fraud Screen merchants can select "Advanced Fraud Screen" and Decision Manager merchants can select "Purchase Frequency."
When activating these features for the first time, it is important to apply your new detection rules gradually. You will then be able to optimize fraud detection and reduction of false positives. It is recommended that you start by adding more detectors and then increasing the detection time frame.
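The trade-off between detectors and detection interval can be seen in a small sliding-window velocity check. This is an added example, not CyberSource code: the `VelocityRule` class, the `screen` function, the threshold of two orders and the sample orders are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

class VelocityRule:
    """Fires when one detector value appears more than max_orders times inside interval."""
    def __init__(self, detector, max_orders, interval):
        self.detector, self.max_orders, self.interval = detector, max_orders, interval
        self.seen = defaultdict(deque)  # detector value -> order times still in the window

    def check(self, order):
        value = order.get(self.detector)
        if not value:
            return False  # empty field: this detector has nothing to count
        window, now = self.seen[value], order["time"]
        while window and now - window[0] > self.interval:
            window.popleft()  # forget orders older than the detection interval
        window.append(now)
        return len(window) > self.max_orders

def screen(orders, detectors, interval, max_orders=2):
    """Return {order id: [detectors that fired]}, processing orders in time order."""
    rules = [VelocityRule(d, max_orders, interval) for d in detectors]
    hits = {}
    for order in sorted(orders, key=lambda o: o["time"]):
        fired = [r.detector for r in rules if r.check(order)]
        if fired:
            hits[order["id"]] = fired
    return hits

# Constructed sample orders (not real data); IPs come from documentation ranges.
T0 = datetime(2005, 3, 1, 12, 0)
def _o(oid, minutes, card, ip):
    return {"id": oid, "time": T0 + timedelta(minutes=minutes), "card": card, "ip": ip}

ORDERS = [
    _o("A1", 0, "card-1", "203.0.113.7"), _o("A2", 10, "card-1", "203.0.113.7"),
    _o("A3", 20, "card-1", "203.0.113.7"),      # one card, three orders in 20 minutes
    _o("B1", 5, "card-2", "198.51.100.4"), _o("B2", 300, "card-2", "198.51.100.4"),
    _o("B3", 1200, "card-2", "198.51.100.4"),   # repeat customer spread over 20 hours
    _o("C1", 30, "card-3", "192.0.2.9"), _o("C2", 31, "card-4", "192.0.2.9"),
    _o("C3", 32, "card-5", "192.0.2.9"),        # three different cards from one IP
]

if __name__ == "__main__":
    hour, day = timedelta(hours=1), timedelta(hours=24)
    print(screen(ORDERS, ["card"], hour))        # card detector alone misses the C orders
    print(screen(ORDERS, ["card", "ip"], hour))  # adding the IP detector catches C3
    print(screen(ORDERS, ["card", "ip"], day))   # 24 h window also flags repeat customer B3
```
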
One of the most powerful detectors of fraud is IP Address. Although it is designated an optional field, its use is essential in fraud detection. Not only is it used for velocity, it is also used to detect the country and state (county in the UK and department in France) where the order originates. We have recently reviewed the IP addresses for several million orders and have identified that a number of merchants are filling the field with repetitive IP addresses or improperly formatted data that cannot be used. The specifications for IP Address can be found in the applicable implementation guide in the Support Center. If you have questions, please contact Customer Support or your Technical Account Manager.
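A merchant can audit its own order data for the two problems named above before it is submitted. The following is an added example, not CyberSource code and not the implementation guide's specification: the function names, the 25% repetition threshold and the sample values are assumptions.

```python
import ipaddress
from collections import Counter

# Ranges that say nothing about where a shopper is: private, loopback,
# link-local and unspecified addresses (typically a proxy or the web server itself).
UNUSABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

def classify_ip(raw):
    """Return 'ok' or the reason the value is useless for velocity and geolocation."""
    text = "" if raw is None else str(raw).strip()
    if not text:
        return "missing"
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return "malformed"  # host names, "ip:port", comma-separated proxy chains, ...
    if any(ip in net for net in UNUSABLE):
        return "non-routable"
    return "ok"

def audit_ip_field(values, max_share=0.25):
    """Summarise IP-field quality across one merchant's orders.

    max_share is an assumed threshold: a single well-formed address on more than
    that share of all orders suggests the field holds a fixed server or proxy IP.
    """
    total = len(values)
    classes = Counter(classify_ip(v) for v in values)
    usable = Counter(str(v).strip() for v in values if classify_ip(v) == "ok")
    repetitive = sorted(ip for ip, n in usable.items() if n / total > max_share)
    good = classes["ok"] - sum(usable[ip] for ip in repetitive)
    return {"classes": dict(classes), "repetitive": repetitive,
            "usable_share": round(good / total, 2)}

# Constructed sample of IP-field values from twelve orders (documentation ranges).
SAMPLE = ["203.0.113.7", "198.51.100.4", "192.0.2.10", "192.0.2.10", "192.0.2.10",
          "192.0.2.10", "10.1.2.3", "127.0.0.1", "203.0.113.7:443", "unknown", "", None]

if __name__ == "__main__":
    print(audit_ip_field(SAMPLE))
```
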
Chargeback auto-marking: automation of "Mark As Suspect"
Advanced Fraud Screen and Decision Manager merchants can immediately take advantage of a new CyberSource service at no additional charge - chargeback auto-marking. Here is how the service works:
- Arrange with your processor to electronically forward duplicates of the chargeback notices you receive to CyberSource. This in no way impacts the information you already receive.
- CyberSource receives a daily chargeback file and separates the items with fraud chargeback codes from other chargeback codes.
- CyberSource identifies the Score transaction associated with the chargeback and uses it to extract the information for the Negative List.
- CyberSource updates your negative list.
- If the card account number, email address or ship-to address are used in the future, CyberSource will inform you in the reply, and you will be able to process the order under your normal exception processing business rules.
- Merchants that use Decision Manager's Case Management System for manual reviews will be able to access detailed information that identifies the reviewer that approved the order or the business rule that accepted the order.
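The flow in the steps above, from chargeback file to negative-list match on a later order, can be sketched as follows. This is an added example and not CyberSource's implementation: the CSV layout, the reason codes `F01`/`F02`/`N10`, the function names and all sample data are hypothetical, and storing a keyed hash instead of the raw card number is a design choice of the example.

```python
import csv, hashlib, hmac, io

FRAUD_CODES = {"F01", "F02"}   # hypothetical fraud reason codes, not a card scheme's list
KEY = b"constructed-demo-key"  # constructed; a real key belongs in a secrets store
FIELDS = ("card", "email", "ship_to")

def _norm(field, value):
    """Normalise a value so formatting differences do not defeat a match."""
    value = " ".join(value.split()).lower()
    if field == "card":        # keep a keyed hash, never the raw account number
        digits = "".join(ch for ch in value if ch.isdigit())
        return hmac.new(KEY, digits.encode(), hashlib.sha256).hexdigest()
    return value

def auto_mark(chargeback_csv, transactions, negative_list):
    """Add card, email and ship-to of fraud chargebacks to negative_list; return ids marked."""
    marked = []
    for row in csv.DictReader(io.StringIO(chargeback_csv)):
        if row["reason_code"] not in FRAUD_CODES:
            continue           # non-fraud disputes do not feed the negative list
        txn = transactions.get(row["transaction_id"])
        if txn is None:
            continue           # no scored transaction to extract data from
        negative_list.update((f, _norm(f, txn[f])) for f in FIELDS)
        marked.append(row["transaction_id"])
    return marked

def negative_hits(order, negative_list):
    """Return the fields of a new order that match the negative list."""
    return [f for f in FIELDS if (f, _norm(f, order[f])) in negative_list]

# Constructed data: two scored transactions and one day's chargeback file.
TRANSACTIONS = {
    "T1": {"card": "4111 1111 1111 1111", "email": "Buyer@Example.com",
           "ship_to": "12 Elm St,  Springfield"},
    "T2": {"card": "5555 5555 5555 4444", "email": "ok@example.com",
           "ship_to": "9 Oak Ave, Shelbyville"},
}
CHARGEBACKS = "transaction_id,reason_code\nT1,F01\nT2,N10\nT9,F02\n"

if __name__ == "__main__":
    neg = set()
    print(auto_mark(CHARGEBACKS, TRANSACTIONS, neg))  # only T1 is marked
    print(negative_hits({"card": "4000000000000002", "email": "new@example.com",
                         "ship_to": "12 elm st, springfield"}, neg))
```
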
Coming Events
Hear us at:
Platinum Session of
Merchant Risk Council
March 8, 2005
Las Vegas, NV
Higher Education Users Group
March 28-31, 2005 Las Vegas, NV
Visit us at:
Merchant Risk Council
March 9-11, 2005 Las Vegas, NV
Higher Education Users Group
March 21-24, 2005 Las Vegas, NV
Internet Retailer
Conference & Exhibition
June 7-8, 2005 Chicago, IL
Direct Response Forum
2005 Conference August 8-9, 2005
Chicago, IL
PeopleSoft® Connect
September 18-22, 2005
Las Vegas, NV