In 2007 alone, $3.6 billion was lost to online fraud. This white paper shows how to block scam artists, reliably and affordably—while ensuring that real customers always have access.
Reducing Loss
Introduction
Industry data states that losses from online payment fraud in the U.S. and Canada have steadily increased as e-commerce has continued to grow 20% or more each year. A leading industry report [1] estimates that in 2007 US$3.6 billion in online revenues was lost to online fraud. Merchants have been combating fraud using various techniques and technologies, but even so, 81% of merchants are engaging in manual order review, and on average one third of all orders are reviewed, resulting in high transaction costs.
Various methods of transaction verification, both automatic and manual, are used to verify the credit card data itself, such as:
• Real-time authorization from credit companies
• The credit card Address Verification System (AVS)
• Card verification codes (CVV2 for Visa, CVC2 for MasterCard, CID for American Express)
• Scrutinizing orders that are unusually large or request overnight shipping
• In-house evidence data collected from previous fraudulent activity ("negative files" etc.)
All these methods are effective some of the time, but all are subject to both false positives and false negatives. In addition, some merchants can use available forms of host intelligence, such as blacklists and IP geo-location lists, to screen orders based on some form of reputation or location.
On the whole, the threat of online fraud has led merchants to over-compensate, spending large sums of money to identify and block suspicious transactions. While they have probably succeeded in minimizing the number of fraudulent transactions that get through, insufficient attention is paid to the false positives that lead to loss of revenue from legitimate customers. It may well be that considerably more revenue is lost from spurned customers than is lost from fraud. In fact, according to CyberSource, the share of incoming orders merchants declined to accept in 2006 due to suspicion of payment fraud was 4.1%. If only 20% of these turned out to be valid, then as much as US$1.6 billion may have been lost in valid sales. It has been estimated that for every dollar lost to direct fraud, about four dollars' worth of valid orders are declined.
Why everything you know about e-commerce fraud is "broken"
Limitations of traditional methods
While the various technologies and protections built into the credit card "system" are helpful and prevent fraud by amateurs, they were originally designed to prevent fraud attempted by means other than the Internet. Professional internet fraudsters are using much more sophisticated measures, and are constantly finding better ways to circumvent detection, as we will discuss later in this paper.
Simply put, the nature of the problem is that:
• Personal data can be lost or stolen by keystroke logging, phishing, blog scraping, and card theft.
• Fraudsters can use stolen credit card details to perform online transactions - often the stolen details can include information such as address and card verification codes that can circumvent the credit card authorization systems.
• Fraudulent transactions can be performed quickly using automation, from anywhere in the world.
Of course there are various transaction tracking and authentication technologies that can be used to help mitigate the problem, but they have their own drawbacks:
• Improved authentication methods, such as multi-factor authentication using PIN-code tokens, installed client software or call-back methods such as SMS - these methods are more practical for repeat visits to a single merchant, such as in on-line banking, and suffer from increased support overhead.
• Transaction profiling systems (also called "fingerprinting" by their proponents) that also take some machine identifiers and turn them into "fingerprint" hashes - these are a system of intelligence local to the merchant (not shared with other merchants), that would need repeat customer visits to be reliable, so are less effective for the majority of commerce on the Internet done today.
IP geo-location
One large US financial institution recommends that if the location of the ordering computer is more than 500 miles from the ship-to address, then this can be...
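The distance comparison in this recommendation, as an added example that is not part of the white paper: it measures the great-circle distance between the geo-located ordering IP and the ship-to address against the 500-mile figure. It goes slightly beyond the text by subtracting an `accuracy_radius_miles` allowance for geo-IP imprecision, one source of the false positives discussed earlier; that parameter, the function names and the constructed coordinates are assumptions of the example, and what to do with the result is left to the caller.

```python
import math
from typing import Optional, Tuple

EARTH_RADIUS_MILES = 3958.8
THRESHOLD_MILES = 500.0  # the figure quoted in the text

Coord = Tuple[float, float]  # (latitude, longitude) in degrees


def great_circle_miles(a: Coord, b: Coord) -> float:
    """Haversine distance between two points on the Earth's surface."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_MILES * math.asin(min(1.0, math.sqrt(h)))


def beyond_threshold(ip_loc: Optional[Coord], ship_to: Coord,
                     accuracy_radius_miles: float = 0.0,
                     threshold: float = THRESHOLD_MILES) -> Optional[bool]:
    """True if the IP is farther than `threshold` from the ship-to address
    even after allowing for geo-IP imprecision (assumed parameter); None when
    the IP could not be located, so "unknown" is never read as "far away"."""
    if ip_loc is None:
        return None
    distance = great_circle_miles(ip_loc, ship_to)
    return distance - accuracy_radius_miles > threshold


# Constructed sample data: city coordinates and four made-up orders.
NEW_YORK, CHICAGO = (40.7128, -74.0060), (41.8781, -87.6298)
BOSTON, LOS_ANGELES = (42.3601, -71.0589), (34.0522, -118.2437)
ORDERS = [  # (order id, IP location, accuracy radius in miles, ship-to)
    ("A-1", BOSTON, 10.0, NEW_YORK),       # nearby customer
    ("A-2", LOS_ANGELES, 10.0, NEW_YORK),  # far beyond the threshold
    ("A-3", CHICAGO, 250.0, NEW_YORK),     # over 500 miles, but a coarse fix
    ("A-4", None, 0.0, NEW_YORK),          # IP not in the geo-location list
]


def screen(orders):
    """Map each order id to the result of the distance comparison."""
    return {oid: beyond_threshold(ip, ship, acc) for oid, ip, acc, ship in orders}


if __name__ == "__main__":
    for order_id, result in screen(ORDERS).items():
        print(order_id, result)
```

Order A-3 shows why the allowance matters: the raw distance is over 500 miles, yet a coarse geo-IP fix leaves the comparison inconclusive rather than positive.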