
Internet Retail Balance

by msecadm4921

Ian Paton admits he was shocked to discover how little he knew about internet security in general and internet retailing in particular. Here he considers how to protect an online business against fraud while still supporting the business in making internet sales.

It has been an exciting, educational and wonderful journey for me over the last six months. I should add that my views are mine and not necessarily those of my employer (I thought I had better get that one in early). I have been in the retail security business for over seven years and for almost three years have headed up the security department of Focus DIY, which has over 200 stores in the UK. Our internet retailing site is still in its infancy and has certainly not yet reached its true potential. Like many of my security industry colleagues, as I have since discovered, I was not part of the equation when a working party got together to put retailing on the internet in place.

In fact my first real involvement came about when we received accumulated chargebacks for one period that almost dwarfed our total sales for that week, and we were talking five figures. These chargebacks came about simply because we were allowing orders on the internet to become transactions without taking the simplest of precautions. I should also point out that the people who dealt with the internet sales were not security practitioners in any way, as is the case with most retailers, so this is not meant as criticism of them.

We had a meeting, discussed what was happening, looked at the platform and service provider for our transactions and discussed in particular the parameters that needed changing to stop fraudulent transactions being accepted on our system. In the first week we were instantly successful in cutting back on chargebacks. Unfortunately we had also made it so difficult to get an order accepted that sales were negligible. So it was back to the drawing board and another meeting. That, I have to admit, is where I really became interested in retail internet security. There is still a belief in the industry that internet security is a "techie" subject best dealt with by "techies".

However, put in perspective, the way we deal with internet fraud is very similar to how we dealt with cheque fraud 10 or more years ago. The customer appeared without a cheque guarantee card, or wanted to buy goods over the card limit. What did we do? We used common sense as much as anything, asked for proof of identification and made a considered judgement on the risk. It appears to me that all we are doing is moving these checks to the faster world of the internet.

I do not believe you need to spend fortunes on your internet system; rather there are ways of protecting your sales from fraud that are economical and effective. Some may think my practices too basic and time consuming. However, there are three things to say about them:
• They are basic.
• They work.
• They saved my company money.

E-commerce is a complex area, but it simply means conducting business by means of the internet. This may involve businesses dealing with each other (B2B) or businesses dealing with consumers (B2C). It is now possible to obtain almost anything over the internet, whether it is a product or a service.

UK payments association APACS has published research which insists the internet is a "very safe" medium through which to buy products, even though online credit card fraud jumped from £23.2m in 2005 to £33.5m in 2006. APACS said it was sure that combating internet fraud could be achieved using "common sense".

Now, on the other side of the aisle are all the credit card fraudsters, stealing money and merchandise from both merchants and card holders. Who pays for all that theft and loss? Consumers do! Higher transaction fees, higher merchandise prices, insurance, interest charges, and the list goes on and on. So what happens to the whole credit card merchant system when no one cares to prosecute the thieves any more? Well, that day is already here. Police in the UK are no longer accepting direct reports from credit card fraud victims. Under the new regulation which began in April, it is now the responsibility of the bank to determine which credit card crimes will be passed on to the police for investigation. They are allowing the little fish to get away and just passing the cost on to consumers. If your UK Visa card gets used by some fraudster, it might not even get reported to the police as a crime! I suppose if the fraudulent charges are not large enough they will just consider it a cost of doing business (CODB) and pass it on as higher monthly charges or fees. Amazing!

Last year in the UK, over £430m went missing because of credit and debit card fraud. That means one in every three UK cardholders is a victim of card fraud. I suppose it is now so widespread that the police are simply overwhelmed and do not want to handle such a large case load. Critics of these new UK regulations say that the banks are trying to sweep that figure under the rug by under-reporting the misuse and thefts. It is an amazing situation when a banking or financial authority does not report a crime but passes the cost along to consumers.

Basically, we internet retailers are being targeted and will continue to be unless we find a safer way of doing business. The internet is not "a safe" place to do business and is unlikely to be made one in the near future. The increases described clearly show that cardholder not present (CNP) fraud is increasingly a real issue, and we can expect little, if any, help from the police. A common problem throughout society, I fear.

Evaluating the strengths and weaknesses of key fraud deterrent initiatives so you can decide which will best suit your online business

Our host is Venda, which has recently teamed up with Paypal for future payments, and it deals with the site security. All areas of the user account and checkout process are accessed over secure HTTP (HTTPS), as is all access to the back-end control panel. This means that intercepted network traffic cannot be read (it does nothing, of course, for card details captured on a compromised customer PC or by an insider at either end). Integration with the payment gateway (Datacash) is always encrypted, and there is no "top level" access to the back-end control panel from outside Venda's offices (top level access can decrypt and view card details). The infrastructure ensures that no unencrypted cardholder details are ever stored on disk. No orders are accepted automatically: every order has to be "released" for dispatch by the warehouse, which means staff can review all orders and query anything that looks suspicious. The Venda platform allows rules to be set up to evaluate orders automatically for fraud. A weighting system gives each order a score and, based on that score, the order is accepted, placed on hold or rejected.

All card payments are validated online at the time of entry. The following checks are performed before deciding whether the order should be accepted, rejected or placed on hold for manual review, depending on the business rules we have set up.

3D Secure involves a separate authentication step with the issuing bank: a pop-up window asks the customer to enter the secret password associated with their card to authenticate the payment. The "three domains" of the name are the issuer, the acquirer and the card scheme's interoperability domain that links them. An order authenticated this way generally carries a liability shift, so a subsequent fraud chargeback falls on the issuer rather than the merchant, which is the main reason a merchant adopts it. The Venda platform allows us to blacklist any part of an order, payment or customer. If we receive a chargeback, the appropriate part can be blacklisted by pressing a button alongside the card number, address etc. If that customer or card is used again, the order is placed on hold and the order processor warned. Venda will not provide detailed information about its security system, as this itself could be a security threat.

Establishing best practice for keeping sales maximised while fighting online fraud, so you can evaluate what level of chargeback is acceptable in the sales vs. profit relationship

What is an acceptable chargeback? Views vary from the hardened security practitioner, like myself, who believes that no shrinkage is acceptable, to the non-security-minded practitioner who does not understand what shrinkage is or what damage it does and who does not consider it at all. I would suggest that at the outset these sales are looked upon like any other sale and a "shrinkage margin" allowed. My suggestion is that in doing this you look at the following:

What is the cost benefit? Do you spend more on preventing fraud than fraud actually costs?

A business model for shrink.

Transaction approval thresholds.

Split orders into amount groups and then ask what damage the fraudulent sales in each group do by way of shrink. Is it possible simply to allow any sale below £50 or £100? Is it the case that fraudulent transactions only occur once you get into the more valuable sales and the easier-to-sell-on items, like power tools? You can then identify where the fraud is occurring and often pick out particular items. A good example: we tried to retail Sat Nav units and very quickly discovered this was attracting all sorts of people who encouraged our Sat Navs to get lost. We took the business decision to stop retailing these on the internet. Perhaps once a sale reaches a certain value it automatically goes for second-level approval. By looking at some of these things you can arrive at an "acceptable" shrinkage margin, which can then be monitored as frequently as you wish to decide whether it is too high or too low. Shrinkage, in the context of internet retail, I would describe as:

"The difference in margin brought about by the loss of goods by fraud"

Many people do not appreciate what damage shrinkage actually does, so to give a very simplistic viewpoint: if your margin is 50 per cent and you lose goods worth £10, the damage done is the amount of sales required to make £10 of profit; in other words you need to earn £10 of margin to nullify the theft. At a 50 per cent margin that means a sale of £20 is required to cover the £10 theft. I accept it is not an exact science, because the theft has still occurred and the sale would have to be additional, but it is basically correct. The theft of £10 of goods therefore represents a sale of £20, which doubles the damage. In general the sales needed are the loss divided by the margin, so the thinner the margin, the worse the multiplier.
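To make the shrink arithmetic and the approval-threshold idea concrete, here is an added example in Python (an editor's illustration, not code from the article or from Focus DIY). It carries the loss-divided-by-margin rule through and then, over a constructed week of orders with hindsight chargeback flags, compares candidate referral thresholds by totalling manual review cost, the margin lost when genuine customers abandon a queried order, and the fraud that slips through below the line. The margin, chargeback fee, review cost, abandonment rate and the orders themselves are all assumed values.

```python
"""Added example (not from the article or Focus DIY): the author's shrinkage
arithmetic and 'approval threshold' idea carried through as code.

All figures here are assumptions for illustration: the margin, chargeback fee,
review cost, abandonment rate and the sample week of orders.
"""
from dataclasses import dataclass

MARGIN = 0.50          # assumed gross margin, as in the article's 50 per cent example
CHARGEBACK_FEE = 15.0  # assumed acquirer fee levied per chargeback, GBP
REVIEW_COST = 4.0      # assumed cost of one manual check (call, directory lookup), GBP
ABANDON_RATE = 0.05    # assumed share of genuine customers lost when an order is queried


def sales_to_recover(loss: float, margin: float = MARGIN) -> float:
    """Sales needed to earn back `loss` in margin: the article's £10 at 50 per
    cent needing £20 of sales is the case loss / margin."""
    if not 0 < margin <= 1:
        raise ValueError("margin must be a fraction in (0, 1]")
    return loss / margin


@dataclass(frozen=True)
class Sale:
    amount: float
    fraudulent: bool   # known in hindsight, i.e. from the chargeback that followed


def fraud_loss(sale: Sale) -> float:
    """Cash cost of one fraudulent sale: goods gone, payment reversed, fee on top."""
    return sale.amount + CHARGEBACK_FEE if sale.fraudulent else 0.0


def fraud_by_band(sales, bands):
    """The 'split into amount groups' step: fraud loss per [lo, hi) band."""
    return {(lo, hi): round(sum(fraud_loss(s) for s in sales if lo <= s.amount < hi), 2)
            for lo, hi in bands}


def cost_at_threshold(sales, threshold: float) -> float:
    """Total cost of a policy that refers every sale at or above `threshold` for
    manual review and releases everything below it unchecked.

    Assumes, as the article's experience suggests, that a referred fraudulent
    order is caught. Cost = review labour + margin lost to genuine customers who
    abandon a queried order + fraud that slipped through below the line.
    """
    referred = [s for s in sales if s.amount >= threshold]
    released = [s for s in sales if s.amount < threshold]
    labour = REVIEW_COST * len(referred)
    friction = sum(s.amount * MARGIN * ABANDON_RATE for s in referred if not s.fraudulent)
    slipped = sum(fraud_loss(s) for s in released)
    return labour + friction + slipped


def best_threshold(sales, candidates):
    """The candidate referral line with the lowest total cost."""
    return min(candidates, key=lambda t: cost_at_threshold(sales, t))


# Constructed sample: one week of orders with hindsight fraud flags (not real data).
SAMPLE_WEEK = [
    Sale(25.0, False), Sale(40.0, False), Sale(49.0, False), Sale(60.0, False),
    Sale(80.0, False), Sale(95.0, False), Sale(120.0, False), Sale(150.0, True),
    Sale(199.0, False), Sale(250.0, True), Sale(399.0, False), Sale(1200.0, True),
]
BANDS = [(0, 50), (50, 100), (100, 500), (500, 5000)]
CANDIDATES = [0, 50, 100, 500]

if __name__ == "__main__":
    print("sales needed to recover £10 at 50% margin:", sales_to_recover(10))
    print("fraud loss by band:", fraud_by_band(SAMPLE_WEEK, BANDS))
    for t in CANDIDATES:
        print(f"refer everything >= £{t}: total cost £{cost_at_threshold(SAMPLE_WEEK, t):.2f}")
    print("cheapest referral line:", best_threshold(SAMPLE_WEEK, CANDIDATES))
```

Run as written, it reports that on this constructed week referring everything at or over £100 is cheapest: the two mid-value frauds are caught, the sub-£100 sales are released untouched, and only three genuine customers are queried. Setting the line at £500 instead lets £430 of fraud through, which is the trap the author's first, over-tight configuration was trying to avoid from the other direction. The same structure lets you revisit the line as often as the article suggests by re-running it over the latest period's orders.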

Understanding key simple but effective steps that small to medium-sized retailers can use to deter online credit card fraud

So, to some simple and basic checks which, although they have to be done manually, can prove effective:

Recognise the "strange" order. Is the purchaser of a sit-on lawn mower worth £1200 really going to have an address at Flat anything, never mind Flat 17/3? You may laugh, but we have had such an order and, funnily enough, it was an attempt at fraud.

Would a likely purchaser called John Harrison have an e-mail address like [email protected], or indeed would Mohammed Azziz be likely to have an e-mail address like [email protected]?

Why is there no landline number, and does the mobile number always go to voicemail? Call and ask for confirmation of the card details. It is amazing how many people do not have the card to hand but will call back, and never do; or they were using another person's card and will call back, but never do. Bear in mind that the number on the order was supplied by whoever placed it, so a confirmation call is worth more when it goes to a number found independently, for example from a directory lookup. We use 192.com and check addresses on the electoral roll etc. This at least gives some idea as to who lives at the address and in particular what type of premises the order is going to. One of my favourites is a free website, www.checkmyfile.com, which allows you to do a free check on any postcode and gives various bits of information including the generic type of resident, risk of credit default and so on. It is all generic information but can give a real clue.

The majority of calls we make or checks we do as a result of referred orders prove to be attempts at fraud. On the rare occasions that they are genuine and have for some reason become suspicious, the call is handled simply as a customer service call and does not cause offence. In fact I would suggest the customer gains confidence in our service on realising that we check orders. I consider that far too often we look for high-tech resources to solve problems when we have the resources to hand, and in this instance I do not think there is much to beat the personal and direct approach to possible fraudulent activity. It is also true that as soon as the fraudster realises that checks are in place and orders will be cancelled they will move on to another unsuspecting retailer. Conversely, once a fraudster gets into your system and starts getting orders through, they will not only keep doing so but will start telling others how they do it, and then you have a problem that escalates. Therefore get in the first blow.
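The weighted scoring and blacklist that the Venda section describes, with the manual checks from this section encoded as rules, as an added Python example. It is not Venda's code (the article says Venda does not publish its rules), and every weight, band, product category and sample order is an assumption made for illustration. Two details a practitioner would want: card numbers go into the blacklist only as a keyed hash, so the clear PAN is never stored, and the e-mail and address heuristics are scored rather than used as hard rejects, so a genuine customer with an odd e-mail address is queried, not refused.

```python
"""Added example, not Venda's code (the article says Venda does not publish
its rules): a weighted order-scoring routine plus a chargeback blacklist, with
the article's manual heuristics encoded as rules.

Every weight, band, product category and sample order here is an assumption
made for illustration.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass, field, replace

BLACKLIST_KEY = b"assumed-per-merchant-secret"   # would live in a key store, not source
HOLD_AT, REJECT_AT = 30, 90                       # assumed score bands
HIGH_VALUE = 500.0                                # assumed second-level approval line
HOT_CATEGORIES = {"sat nav", "power tools"}       # easily resold items the article names


def card_token(pan: str) -> str:
    """Keyed hash of a card number for the blacklist. A plain SHA-256 of a PAN
    is brute-forceable (the PAN space is small and structured), so the digest
    is keyed with HMAC; the clear PAN is never stored, matching the article's
    'no unencrypted cardholder details on disk' rule."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(BLACKLIST_KEY, digits.encode(), hashlib.sha256).hexdigest()


@dataclass
class Order:
    name: str
    email: str
    address: str
    landline: str
    mobile: str
    pan: str
    amount: float
    category: str
    three_ds_authenticated: bool
    avs_match: bool
    cvv_match: bool


@dataclass
class Blacklist:
    cards: set = field(default_factory=set)
    emails: set = field(default_factory=set)
    addresses: set = field(default_factory=set)

    def add_from_chargeback(self, order: Order) -> None:
        """The 'press the button beside the card number, address etc.' step."""
        self.cards.add(card_token(order.pan))
        self.emails.add(order.email.lower())
        self.addresses.add(order.address.lower())


def email_unrelated_to_name(name: str, email: str) -> bool:
    """Author's heuristic: no part of the buyer's name appears in the mailbox."""
    local = re.sub(r"[^a-z]", "", email.split("@")[0].lower())
    parts = [p.lower() for p in name.split() if len(p) > 2]
    return not any(p in local for p in parts)


def score_order(order: Order, blacklist: Blacklist):
    """Return (score, reasons); higher means riskier."""
    checks = [
        (40, card_token(order.pan) in blacklist.cards, "blacklist: card charged back before"),
        (40, order.email.lower() in blacklist.emails, "blacklist: email charged back before"),
        (30, order.address.lower() in blacklist.addresses, "blacklist: address charged back before"),
        (15, not order.three_ds_authenticated, "not 3D Secure authenticated"),
        (20, not order.avs_match, "billing address does not match issuer record"),
        (25, not order.cvv_match, "CVV mismatch"),
        (10, not order.landline, "mobile number only"),
        (15, email_unrelated_to_name(order.name, order.email), "email bears no relation to name"),
        (15, order.category in HOT_CATEGORIES, f"easily resold category: {order.category}"),
        (10, order.amount >= HIGH_VALUE, "high value: second-level approval"),
        (15, order.amount >= HIGH_VALUE and bool(re.search(r"\bflat\b", order.address, re.I)),
         "high-value bulky goods going to a flat"),
    ]
    fired = [(pts, why) for pts, hit, why in checks if hit]
    return sum(p for p, _ in fired), [why for _, why in fired]


def decide(order: Order, blacklist: Blacklist):
    """Map the score onto the platform's three outcomes: accept, hold, reject."""
    score, reasons = score_order(order, blacklist)
    verdict = "reject" if score >= REJECT_AT else "hold" if score >= HOLD_AT else "accept"
    return verdict, score, reasons


# Constructed sample orders (not real customers; numbers are Ofcom drama ranges).
CLEAN = Order("John Harrison", "john.harrison@example.com", "12 Orchard Road, Leeds",
              "0113 496 0000", "", "4111 1111 1111 1111", 45.0, "garden", True, True, True)
SUSPICIOUS = Order("Mohammed Azziz", "bigdaddy99@example.net", "Flat 17/3, 3 High Street, Glasgow",
                   "", "07700 900123", "5555 5555 5555 4444", 1200.0, "garden machinery",
                   False, False, True)
RETRY = replace(CLEAN, pan="5555-5555-5555-4444")   # same card as SUSPICIOUS, clean-looking order

if __name__ == "__main__":
    bl = Blacklist()
    for o in (CLEAN, SUSPICIOUS):
        print(decide(o, bl))
    bl.add_from_chargeback(SUSPICIOUS)   # the chargeback for the mower arrives
    print(decide(RETRY, bl))
```

Running it as written accepts the clean order, holds the £1200 mower to a flat for a confirmation call, and, once that order has been charged back, holds a later clean-looking order on the same card even though the number was typed with different punctuation. Re-submitting the original order after the chargeback trips all three blacklist entries and is rejected outright.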

Assessing what internal help should be made available to fight the fraudster, so you can decide who in your workplace should take responsibility for the fight

Who takes responsibility for fighting the fraudster? To me this is a simple partnership that should be led by security or loss prevention, working with IT and trading/marketing. Support is required from all quarters, along with an acceptance that technology and security can be combined to produce what we are all after: as high a margin and profit as possible for our internet sales operation.

Concluding

I consider that there will be no real decline in online fraud in the future. Chip and PIN has removed chunks of the previous credit card fraud, but the evidence shows some of this is simply being displaced to CNP fraud. Cardholder not present fraud will continue to be the lucrative choice for the fraudster because of the inability and unwillingness of the police to pursue it. Accepting that, we have to expect more and more "attempts" on whatever system we employ, get to grips with the damage being done, make fraud as difficult as possible for others, much as I would in my stores, and in reality make our internet service as uncomfortable and risky for the fraudster as possible, while retaining customer confidence and making the internet shopping experience as pleasant as possible for our customers. A difficult balance, but not impossible.


© 2024 Professional Security Magazine. All rights reserved.