SAN FRANCISCO (03/05/2000) - You'd think Audri and Jim Lanford would know a thing or two about online credit card fraud. Founders of Internet retailer Netrageous.com, they also publish ScamBusters, an online newsletter about Internet fraud that is read by everyone from merchants to state attorneys general.
But in February 1998, Netrageous, which sells e-commerce marketing information and services, fell prey to a credit card scam by an unlikely fraudster: an employee of a ski and sports equipment shop in California. The scam artist gathered names and credit card numbers from the ski shop patrons, then used a free e-mail service to open accounts under the names on the credit cards. Next he placed orders with Netrageous, using the stolen card numbers and billing addresses, neatly bypassing the traditional security checks put in by credit card processors.
Because the billing and shipping addresses didn't match, Netrageous did further checks, in accordance with ScamBusters' own security guidelines, but when the e-mail accounts appeared to match the credit card information, the company approved the orders and shipped the items. Soon the owners of the credit cards complained that they had never placed the orders. Stephanie Sebeck, Netrageous' VP of operations, did some detective work and pieced together how the scam went down. In conversations with the card owners she found that they all lived in California, they all enjoyed skiing and they all had shopped at the same ski shop.
Sebeck says even after Netrageous pinpointed the person responsible for the scam, there was little the banks, the police or the free e-mail provider would do. The amount of the theft was not big enough for the police to get involved.
And the free e-mail provider said it could do nothing without a search warrant.
It's not just small-business owners who suffer from Internet fraud. Shortly after setting up an e-commerce site in December 1998, Casio discovered that some large orders of the company's most popular products - handheld computers and digital cameras - had been placed with stolen or forged credit cards. The company never recovered the merchandise and was forced to pick up the bill, says Robert Shapiro, Casio's manager of legal affairs.
The company was no retailing neophyte: It operates seven stores in the U.S. and had been successfully taking catalog orders by phone and fax for years. But the experience was a rude awakening to some of the pitfalls that face merchants online. Credit card fraud on the Internet is a serious, largely unacknowledged problem. Much has been made of threats to consumer security and vulnerability to online fraud, but the fact is that U.S. consumers face little risk: Federal law caps their liability for unauthorized charges on their cards at $50 - though this has not stopped many credit card companies from exploiting fear of fraud by promoting protection schemes that afford little, if any, extra protection. The real risk belongs to merchants, which can find themselves - as Casio and Netrageous did - stuck with the tab, with no one to turn to for help.
Merchants bear the brunt of the responsibility for fraudulent credit card transactions online. Not only can credit card companies do little to help them, the merchants say, but the firms also deny that e-commerce fraud is a problem at all. "The lesson in all this is there is not a whole lot of protection for the merchant," says Netrageous' Sebeck. "The Internet has gotten a bad rap. It has been portrayed as a place where anyone can take your credit card numbers.
The reality is, the merchants are the ones who end up eating the costs of the fraud."
"The Net's Dirty Little Secret"
Ask credit associations like Visa and MasterCard about credit card fraud on the Internet and you'll get a no-nonsense response. "There are always people trying to create the impression that there is a problem out there," says Steve Ryan, senior VP at eVisa, the credit card association's online unit. "We don't have a fraud problem." Ryan says there's little difference in the rate of credit card fraud, whether the transaction is face-to-face, by mail order or phone order, or by online sale. "In terms of percentage of fraud they track about the same, at less than 0.09 percent," Ryan says. Officials at rival MasterCard peg overall fraud rates at about 0.08 percent and will say only that the rate of fraud for Internet transactions is roughly the same as for other "non-face-to-face transactions" such as mail orders and phone orders. At American Express, officials refuse to discuss fraud rates offline or online.
But the story from many merchants and industry insiders is far different.
Virtually all Internet sales involve a credit card, and retailers as diverse as consumer electronics sellers, apparel makers and operators of porn sites all say their e-commerce operations have fallen victim to credit card fraud.
Research on e-commerce credit card fraud rates is sketchy. Some research has been done by security software companies, which have an interest in highlighting the issue.
But preliminary data gathered by the Internet Fraud Prevention Advisory Council, a nonprofit group of merchants and software makers formed in October 1999, points to rates ranging from 2 percent in some product categories to as much as 40 percent in others. Interviews with dozens of merchants and industry insiders suggest that data is accurate. Not every retailer says fraud is a problem. Some of the largest and most established online merchants say they have successfully put in place systems to protect themselves. "We don't find it to be a very large issue," says Frank Han, senior VP of product development at eToys. But even retail giant Amazon.com suggests the issue is serious. In recent filings with the Securities and Exchange Commission, Amazon says its "ability to prevent fraud perpetrated by third parties through credit card transactions" is one of the key factors that could affect operational results.
Even the lowest reported numbers are significant and could be devastating for a merchant.
A fraud rate of 2 percent is 20 times higher than the overall rates of credit card fraud reported by Visa and MasterCard. In the retail business, where margins are razor thin, a 2 percent hit on sales might represent half a company's profits. In addition to lost sales, merchants that are victims of fraud are charged a penalty for every chargeback - the refund issued to consumers for unauthorized charges. If chargebacks become frequent, banks will charge a merchant a higher commission rate for credit card transactions or drop them altogether.
"This is an area that if we didn't keep under control, it would eat us," says Greg Drew, president and CEO of electronics seller 800.com. It's not only merchants that say online fraud is real. Credit card industry giants like First Data, which processes 6 billion credit card transactions a year on behalf of 1,400 banks and more than 2 million merchants, say online credit card fraud is taking a toll on e-commerce merchants. "The risk of chargebacks is much greater [online] than in the real world," says Steve Citarella, a senior VP of risk management for First Data Merchant Services. Fraud and chargebacks "are the Net's dirty little secret," says Bill Scheurer, founder and CEO of PocketCard.com - a Visa card for teenagers - and a 15-year veteran of the credit card industry. "It's a vulnerability that people don't want known and exploited."
Merchants vs. Banks
Merchants are reluctant to talk in detail about their problems with fraud.
Their fear is twofold: If they say they've been victims of fraud they're perceived as having lax security and could be targeted for more fraud; if they say they're not victims they could be targeted by hackers who want to prove themselves. But in private conversations dozens of merchants and industry insiders report the problem is pervasive. While all retailers are at risk, anecdotal evidence suggests small and midsize merchants are most vulnerable, lacking the resources to seek help.
Many vent their frustration against a system they feel is stacked against them.
In most cases of credit card fraud in the U.S., consumers face little risk beyond inconvenience. If transactions are charged to a stolen card, the consumer is liable for a maximum of $50, regardless of whether the charges were made online or off. In fact, the Fair Credit Billing Act gives the benefit of the doubt to the consumer: In most cases where consumers complain that charges to their cards were unauthorized, the charges will be deleted. Even in the recent highly publicized case in which a hacker stole thousands of credit card numbers from online merchant CD Universe, those whose card numbers were stolen faced little more than the inconvenience of getting a new card.
While the rules protecting consumers are the same online and offline, the rules that spell out who's responsible for unauthorized charges are not. In the case of a face-to-face transaction, the merchant that follows established rules - checking the signature, verifying codes on the card - is typically not liable.
The issuing bank that approved the transaction is saddled with the chargeback.
But when dealing with a number instead of a card, the merchant is always liable. While the rules are the same for mail order and telephone orders - "MOTO" in industry parlance - as they are for online transactions, the Internet makes it easier for criminals to put merchants at risk.
"Everything is stacked against the merchants," says Tom Suhadolnik, president and COO of online retailer Cigar.com. "Visa and MasterCard set the rules. If you don't have a customer present or a signature, you are out of luck."
Burdened with the fraud risk, online merchants have little recourse. Some say they resent the inadequate support they receive from the credit card associations. Many, like Casio, are forced to buy expensive fraud-detection packages or devote significant in-house resources to fight the problem. "They are leaving a great deal of it on the lap of the merchant," says 800.com's Drew.
MOTO in Overdrive
When shoppers make an online or offline purchase, the complex gears of the credit card payment process are set in motion. While many of the steps are the same whether the sale is at a physical store or a Web site, the safeguards available for each are far different. The credit card transaction starts when the card information is sent from the merchant to the "acquiring bank" - the bank that provides the merchant with its credit card processing account.
The information then moves on to the networks run by credit card associations, most notably Visa and MasterCard, and is routed to the bank that issued the shopper's credit card, also known as the "issuing bank." That's the bank that will perform a number of checks to verify that the card is valid, that it is not over limit and has not been reported lost or stolen. If the transaction is accepted, the acquiring bank will issue an authorization - a move that will set aside the needed funds in the buyer's account and notify the merchant of the approval.
Once the merchant has authorization, it will issue a request to "capture" the funds. The request, once again, will flow from the merchant to the acquiring bank, through the credit card association's network to the issuing bank. The final step is when banks settle accounts, which typically happens after hours.
The issuing bank transfers the funds to the acquirer, which then passes them on to yet another bank, the merchant's bank. Credit card transactions are further complicated by a number of third parties. Payment processors like First Data and Paymentech often take care of one or several of the transaction stages, providing their own verification services.
And other companies such as HNC Software often stand between merchants, payment processors and banks, providing additional checks to combat fraud. A number of security checks are set up in the system: magnetic strips, signatures and, more recently, a three-digit code. But for the most part these were designed to ensure the security of face-to-face transactions.
For MOTO orders, additional checks were put in place, most notably address verification services, or AVS, which are performed by payment processors to make sure the credit card billing address and shipping address coincide. But the Internet makes the risk of fraud much greater. With telephone orders, "you have a consumer talking to a customer service rep on the phone," says Carolyn Brackett, VP of Internet commerce at First Data. "In an Internet transaction you have a computer talking to a computer. The risk of the transaction goes up." What's more, savvy fraudsters can attack merchants from anywhere in the world with simple software scripts that target hundreds if not thousands of merchants simultaneously. When it comes to credit card fraud, says PocketCard's Scheurer, "the Net is like MOTO on steroids."
Diamonds and Stereos
On the Internet, bad transactions take many forms. The most popular is identity theft, where a fraudster gathers personal data - including name, address, Social Security number and other vital information - from unsuspecting individuals and applies for credit cards under assumed names. In a recent highly publicized case, fraudsters gathered the personal information of some 7,000 Department of Defense workers, including several high-ranking military officers, from the Congressional Record, and then ordered illicit cards.
While identity theft isn't new, the Internet has made it easier. Hackers and crackers have broken into sites where information is stored. In some cases, criminals posing as legitimate online merchants have gathered the information themselves from unsuspecting consumers. Valid credit card numbers can also be generated automatically. The Internet is peppered with hacker sites that offer software to generate seemingly valid card numbers.
The so-called credit card generators use sophisticated algorithms to create numbers whose first four digits are those used by valid issuing banks. The card generators spit out a string of 12 additional digits that, when checked, match patterns used in valid cards. Even though no bank has ever issued a card with the generated number, transactions on the phony cards are often authorized by the credit card system. Online fraud is also perpetrated the old-fashioned way: Cards are stolen in the real world and used to buy things online.
It appears that what consumers fear most - that credit card information will be intercepted once they click on the Buy button - is rare. "I don't know of a single case of a credit card sniffed in flight," says Tom Arnold, CTO of CyberSource, a San Jose, Calif.-based company that sells software to online merchants to help detect fraudulent transactions. Merchants and industry groups say fraudulent Internet orders tend to fall into two categories: items that can easily be exchanged for cash, and transactions that do not require physical shipment of goods.
The former includes products like consumer electronics, diamonds and gift certificates, the latter downloadable software and subscriptions to adult entertainment sites. At a recent conference, Brigid Bonner, VP of e-commerce, technology and strategy at Target.com, says gift certificates and diamonds are the items most often sought by fraudsters at the site. Danni Ashe, president of Danni's Hard Drive, an adult-content site with annual revenues of about $6 million, says her company has faced substantial problems with fraud - virtually 100 percent of transactions originating in some overseas countries are fraudulent.
And a leading consumer electronics merchant who asked not to be named says 1 percent to 2 percent of orders placed at the site were fraudulent, and that the bad orders originated from certain geographical areas. Most notoriously, all the orders originating from a set of four ZIP codes in New York were fraudulent, the company says. "There's nothing new about fraud," Arnold says.
"As solutions come up to trick fraudsters, there will be new ways to perpetrate fraud." Arnold, who has testified before Congress about credit card fraud on the Internet, says the Net just gives fraudsters powerful new ways to practice their craft.
Arnold's company, CyberSource, didn't start out in the fraud-detection business. Founded in 1994 as Software.net, the company was built on what was then a daring new idea: selling software over the Internet, both shrink-wrapped and in electronic form. But the e-commerce site became a victim of its own success. By April 1996, Software.net was a hit not just with software buyers but also with software thieves. "It did more fraudulent business than real business," Arnold says.
Things got so bad that the company's bank put Software.net on probation, threatening to terminate its credit card processing account if it did not deal with the problem. So Software.net took things into its own hands and began collecting information about transactions, names, and billing and shipping addresses, as well as ZIP codes, e-mail addresses of buyers, IP addresses of the buyers' Internet service providers, product types and a slew of other data points.
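The data points listed above can be combined into a per-order risk score. The following is an added example, not code from CyberSource or from any vendor named in this article; the signal names, weights, thresholds and sample orders are constructed assumptions chosen to mirror the signals the article describes (address mismatch, free e-mail accounts, IP origin, shipping ZIP codes and product type).

```python
from dataclasses import dataclass

# All values below are constructed for illustration, not real indicators.
FREE_EMAIL_DOMAINS = {"freemail.example"}
BAD_SHIP_ZIPS = {"00001", "00002"}          # placeholder ZIP codes
CASH_LIKE = {"electronics", "diamonds", "gift_certificate"}
NO_SHIPMENT = {"software_download", "subscription"}

# Hypothetical weights; a real deployment would fit them to chargeback history.
WEIGHTS = {
    "avs_mismatch": 30,
    "ship_differs_from_bill": 20,
    "free_email": 15,
    "ip_country_mismatch": 20,
    "bad_ship_zip": 40,
    "cash_like_product": 10,
    "no_shipment_product": 10,
    "large_order": 10,
}

@dataclass
class Order:
    order_id: str
    email: str
    billing_zip: str
    shipping_zip: str
    avs_match: bool          # processor's address-verification (AVS) result
    billing_country: str
    ip_country: str          # country inferred from the buyer's IP address
    product_type: str
    amount: float

def signals(o: Order) -> list[str]:
    """Return the names of the risk signals an order triggers."""
    hits = []
    if not o.avs_match:
        hits.append("avs_mismatch")
    if o.shipping_zip != o.billing_zip:
        hits.append("ship_differs_from_bill")
    # A free e-mail account proves nothing about identity, even when the
    # account name matches the cardholder (the Netrageous case).
    if o.email.rsplit("@", 1)[-1].lower() in FREE_EMAIL_DOMAINS:
        hits.append("free_email")
    if o.ip_country != o.billing_country:
        hits.append("ip_country_mismatch")
    if o.shipping_zip in BAD_SHIP_ZIPS:
        hits.append("bad_ship_zip")
    if o.product_type in CASH_LIKE:
        hits.append("cash_like_product")
    elif o.product_type in NO_SHIPMENT:
        hits.append("no_shipment_product")
    if o.amount >= 500:
        hits.append("large_order")
    return hits

def score(o: Order) -> int:
    """Higher score means higher risk that the order is fraudulent."""
    return sum(WEIGHTS[s] for s in signals(o))

def decide(o: Order, review_at: int = 30, reject_at: int = 70) -> str:
    """Three outcomes: a manual-review tier avoids rejecting borderline valid orders."""
    s = score(o)
    if s >= reject_at:
        return "reject"
    return "review" if s >= review_at else "approve"

# Constructed sample orders. A2 follows the Netrageous pattern: AVS passes on
# the stolen billing address, but the goods ship elsewhere and the e-mail is free.
ORDERS = [
    Order("A1", "pat@isp.example", "94110", "94110", True, "US", "US", "books", 40.0),
    Order("A2", "j.smith@freemail.example", "96150", "90210", True, "US", "US", "marketing_info", 120.0),
    Order("A3", "x@freemail.example", "10001", "00001", False, "US", "ZZ", "electronics", 900.0),
]

if __name__ == "__main__":
    for o in ORDERS:
        print(o.order_id, score(o), decide(o), signals(o))
```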
The company combined the data to assign a score to each transaction: The higher the score, the higher the risk the transaction was fraudulent. So many checks were needed because of shortcomings with the existing credit card authorization system, Arnold says. The system worked and soon thereafter Software.net split in two, renaming the fraud detection portion of the company CyberSource and the e-commerce business Beyond.com. Both are now independent publicly traded companies.
No Seat at the Table
Merchants that are victims of fraud, including Casio and Netrageous, say there is little that law enforcement could or would do on their behalf. Sometimes the fraudsters are in a different state or, worse, a different country, and merchants say they don't know who to turn to. The items stolen may have too little value to get law enforcement involved, even though repeated small thefts can quickly put a merchant out of business.
Law enforcement officials say they take the issue of credit card fraud over the Internet very seriously. But the U.S. Secret Service, the lead federal agency responsible for fighting credit card fraud, says law-enforcement agencies are limited in the number of cases they can pursue. "If a prosecution is not going to result in incarceration, the U.S. attorney is not going to get involved," says Greg Regan, special agent in charge at the Secret Service's Financial Crimes Division.
Criminals often know the limit in various parts of the country and move from city to city using credit cards to steal goods amounting to a total just below what would trigger a prison sentence, Regan says. Merchants say they're frustrated with law enforcement and with a system that does little for them.
"There is no one in the system sticking up for the merchant," says Allen Jost, VP of Internet risk management at HNC Software. In 1991, HNC developed Falcon, a computerized automated system to detect credit card fraud, and the company now conducts checks on behalf of banks that are responsible for 350 million credit card accounts, or about half the total number of accounts.
"All the rules are made by the credit card association and they are controlled by the issuers," Jost says. "The merchants are taking the brunt of the responsibility, as they should. But they have no representation in the card associations." Part of the problem, according to some merchants, stems from the myriad players that make up the credit card payment system - the merchants, issuing banks, acquiring banks, merchant banks, credit card associations, third-party payment processors and security software makers, to name a few.
All the diverse players are linked by a byzantine set of relationships and alliances. While ultimately everyone has an interest in reducing overall fraud, each player in the game has its own vested interest and constituency or customer group to protect. Some merchants claim that because banks are not responsible for fraud in online transactions - credit card associations are in essence owned by the banks - there is little incentive for them to invest heavily in fighting fraud.
"The banks have put in sophisticated measures to protect themselves but have not put many resources into protecting the merchants," says Riss Estes, cofounder of Clear Commerce, a maker of fraud-protection software for merchants. In recent years HNC retooled its Falcon software, which was primarily intended to protect banks, into eFalcon, a system aimed at serving merchants.
Credit card companies dispute such accusations.
"Visa does a great job of managing fraud," says eVisa's Ryan. Likewise, MasterCard and American Express both say they're working aggressively to manage fraud and increase the levels of protection afforded customers. "Fraud is a recipe of a lot of different things for a lot of different environments," says Vincent De Luca, VP of fraud control at MasterCard. "We look at the Internet as the same type of challenge as [that presented by] other types of fraud." But others suggest that credit card protections were designed for the offline world, where merchants and consumers interact face-to-face, and that they are now obsolete.
As a larger percentage of the economy moves to the Internet, the banks will be faced with an increasing number of online transactions that they are not set up to handle, says one industry insider. "This is an emerging market and we are all getting smarter," says First Data's Brackett. "The fraud masters are getting smarter too. And our responsibility is to get smarter faster than they are."
Credit card companies have been playing this cat-and-mouse game for a long time. Visa and MasterCard point to improvements they've made over the years: Magnetic strips were added to the cards; later they implemented AVS; currently, the card associations and banks are pushing yet another three-digit number, called CVC2, which should provide further guarantees.
To guard online transactions, the credit card associations have thrown their weight behind the Secure Electronic Transaction (SET) protocol, which would give transactions a high degree of security. But SET is a technology-heavy solution that requires shoppers to install software on their systems, and it has failed to be adopted in the marketplace. Credit card companies have invested millions of dollars in the system and are still pushing the SET protocol, but most in the industry doubt it will take hold.
Do-It-Yourself Security
For the time being, many merchants are beefing up their security with software from companies such as CyberSource, HNC, Clear Commerce and others. Some have developed their own solutions. "We had to figure out on our own how to deal with it," says Danni's Ashe. The 30-person company has four staffers dedicated to building databases of bad card numbers, bad e-mail accounts and a slew of other data points to verify transactions. Unlike sites that sell physical goods, the adult site cannot take more than a few seconds to approve a transaction, as its customers typically want immediate service. So the company was forced to have one person check orders manually for suspicious signs.
"If anything throws up a red flag, we reject it," Ashe says. Merchants say these solutions, although costly, lead to substantial drops in rates of fraud.
But they also fear that they could be rejecting valid orders and alienating potential customers. Online retailers have created groups like the Internet Fraud Prevention Advisory Council and the Internet Fraud Council, which are gathering data and creating a venue for merchants to collaborate without fear of losing a competitive edge or becoming the target of fraud. The two groups are considering a merger.
Credit card and security companies are also looking at new technologies, such as smartcards, fingerprint readers or retina scanners, that might help reduce the risk of online transactions. American Express, for instance, is busy promoting the Blue Card, which includes a chip. The company gives customers who request a Blue Card a free card reader to connect to their PCs. But such a system will be effective only when card readers are in widespread use and merchants require that a transaction originate from a card reader. So far they don't, and the protection offered by the chip is little more than feel-good marketing. Credit card companies say that smartcards have become effective in some European countries where they are in wide use.
Some security companies are taking a stab at addressing security concerns with mechanisms that completely bypass credit cards. First Data, for instance, is promoting the TeleCheck system, which would let merchants accept checks for online transactions. By the end of the year, First Data will also facilitate cash payments for online orders through its Western Union unit. With that system, shoppers can place an order online and notify the merchant that the payment will be wired from a Western Union office. The merchant will ship the order only after the money has been transferred.
But the system is likely to face some resistance, as it undermines one of e-commerce's most salient assets: convenience. Ultimately, the greatest challenge faced by e-commerce companies is that they are doing business in a medium where it's easy to conceal one's identity and assume someone else's.
"Until there are popularly accepted ways of confirming who's who on both sides of the transaction, merchants are going to have this risk," says PocketCard's Scheurer. That's not likely to happen anytime soon.