Nobody likes being ripped off. But for online retailers, the pain of being ripped off by unethical consumers, identity thieves and bogus-card gangs has been magnified by what they consider to be the not-my-problem attitude of credit card issuers and card associations like Visa and MasterCard.
Tom Mahoney, a network administrator at Franklin & Marshall College in the US, recalls vividly the shock he and his wife felt shortly after they launched their own e-business in 1997 and discovered not only the threat of fraud but also the double whammy from the credit card companies.
"We thought from the beginning something was fishy -- getting orders for herbs and personal care products with U.S. credit cards, all . . . for shipping to Yugoslavia," says Mahoney. He recalls that his card processor had assured him that if he had an authorization number for the transaction, then "all was well." But then the chargebacks started coming in, and banks refused to honor the transactions and added penalty fees for Mahoney's business.
Mahoney says he called some of the banks and was shocked to discover that many of the credit card numbers in question had never even been issued to cardholders, yet they were granted authorization numbers. "That's when I learned that something was wrong with the system," he says.
Today, credit card fraud is pegged as a US$160 million annual problem for just the top 25 online retailers, according to Gartner. But there are some glimmers of hope for improvement.
One encouraging sign is that Visa International and MasterCard International recently started full-scale marketing of credit card systems that require online purchasers to supply additional passwords or security codes (Verified by Visa and MasterCard's similar SecureCode). It's an attempt to provide an online equivalent of the in-store signature. Even more important, from the retailers' perspective, merchants that join the programs will finally be freed from most of the liability and onerous chargebacks that so irked Mahoney. Instead, banks will absorb the costs of fraud themselves.
But merchants, analysts and even Visa and MasterCard acknowledge that no one is out of the woods yet and that the new programs don't cover every situation. It may be a few more years before the two companies' programs reach critical mass and begin to show significant results. Plus, there's some concern that the pop-up window that requires the new codes will drive some legitimate customers away.
"The Visa and MasterCard programs won't solve all the problems. They are just one tool in the arsenal," says Mick Lester, director of Web services at K-B Kids, a unit of KB Holdings. Still, he says, "with the liability shift to the card issuer, I definitely think merchants should jump aboard."
For now, Lester says that even with Verified by Visa and SecureCode, K-B Kids won't abandon its homegrown fraud-busting methods, such as verifying and comparing card and shipping addresses, as well as flagging and scrutinizing transactions involving expensive items.
K-B Kids also uses a scoring system to look for fraud, says Lester. The system weighs every aspect of a transaction for its risk potential. K-B Kids even maintains its own "negative database" -- a file of card numbers that have generated problems in the past, including those used by consumers who claim that they haven't received their shipments and refuse to pay.
Although K-B Kids and other large retailers (notably Amazon.com) have invested heavily in proprietary fraud-prevention methods, many smaller organizations haven't been able to afford those investments, and as a result, they've been flocking to third-party services and consortia.
For his part, Mahoney launched an organization called Merchant 911, which provides its members with a confidential forum to share fraud-prevention methods and air gripes about banks and credit card companies. Mahoney also makes available a selection of databases and antifraud tools.
Meanwhile, on the West Coast, IT veteran Dan Clements has set up an organization called CardCops.com that provides a forum for merchants and consumers to share information about what he calls "compromised" credit cards. Shoppers who think their card may have been stolen or misused can e-mail him at NeighborNetWatch@CardCops.com.
But Clements, CEO of the organization, says some of his best information comes from "the underground" -- IT professionals at merchant companies who are privy to information about cards that may have been hacked by thieves, a problem that merchants are often reluctant to report.
Clements says his staff of 12 also hunts out bogus or suspect cards by doing targeted Google searches and visiting chat rooms where, he says, cards are often first tested by crooks.
But perhaps the most significant fraud-fighting effort is the Merchant Risk Council, which until recently was known as the Merchant Fraud Squad. "We are organized much like a neighborhood watch," says Cathy Black, a board member of the nonprofit group and the director of fraud prevention at American Express.
The Merchant Risk Council has scores of members, including many large corporations. It's secretive about its work and methods because, as Black explains, whenever a story comes out about a fraud-fighting strategy, the "bad guys" learn how to change their methods. However, she says the focus is on sharing emerging trends and information in a secure environment.
For example, at the group's annual conference in March -- which was closed to the press -- there were presentations on "global trends in cybercrime," "predictive models for fraud" and "emerging fraud schemes," according to the group's Web site.
The group is also powerful enough to lobby vendors to change their practices. For instance, Black says the Merchant Risk Council persuaded some delivery companies to watch for suspicious activity such as unusual shipping patterns.
But, as Black notes wearily, fraud isn't going away, no matter what merchants and card companies do. "There is no magic bullet -- all the fraud solutions have a shelf life -- we will always have to continue to migrate toward new solutions," she says.
How One Merchant Battles Fraud
Even small and midsize online merchants that lack the clout of big businesses can do plenty to defend themselves from credit card fraud. A case in point is Computerized Horizons, a small software company in the US. R. Scott Perry, the company's technology specialist, says that some bad experiences with card fraud a few years ago -- compounded by chargebacks and chronic inaction on fraud from card companies -- compelled his organization to act.
"Since we deal primarily with businesses, all of whom have their own domain name, one of our main tools to help detect fraud is to see if the billing address for the credit card matches the address that is listed in the Whois record for their domain or is nearby," says Perry. (Whois is a domain directory at www.networksolutions.com.) Like many other methods, this is inexact and subjective. Mismatches just raise questions about the buyer's legitimacy and, taken with other indicators, could lead Computerized Horizons to turn down the sale.
Another tool calculates the distance between the area covered by a ZIP code and the area usually associated with the customer's telephone numbers. Again, mismatches raise questions about the legitimacy of the order. Even the IP address from which an order is placed can help hint at fraud. "At the very least, this will show the country that the person placing the order is located in," says Perry.
For foreign orders, Perry uses the Merchant 911 Web site, which has a database of credit card issuers that identifies the country in which a card was issued. This can be cross-referenced with the country that the IP address is registered to and the one in the billing address. Orders that originate from or include a "free" e-mail address also raise a red flag.
Perry says the best fraud-detection tool is often just comparing new orders against prior orders to look for patterns that aren't typical, such as the time of day when the order was placed. Perry says his job would be easier if all credit card companies maintained a database of stolen cards, but he's doubtful that will happen anytime soon. So, like other merchants, he will continue to improvise and develop work-arounds to keep card fraud from putting him out of business.
Possible Signs of Fraud
- Country of origin. Orders from Romania, Macedonia, Belarus, Pakistan, Russia, Lithuania, Egypt, Nigeria, Colombia, Malaysia and Indonesia have a very high incidence of fraud and often have unverifiable addresses.
- Untraceable e-mail address. In many fraudulent orders, the customer's e-mail address is provided by a free e-mail service, which is relatively untraceable.
- Express shipping. Most fraudulent orders specify overnight or one-day shipping.
- Shipping address differs from billing address. If you are selling valuable items, it's a good policy to ship only to the billing address of the credit card holder.
- Suspicious billing address. If the billing address is something generic like 123 Main St., the order could be fraudulent. Use Internet mapping tools to see if the address can be verified.
- Request to leave at door. Someone placing a very valuable order who specifies that the package is to be left at the door could be using an unwitting person's house as a drop-off point. You should require a signature upon delivery.
Source: Yahoo's "Smart Selling" Web page
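
The indicators described above (the cross-check of billing, card-issuer and IP countries, free e-mail addresses, express shipping, differing shipping addresses, leave-at-door requests, expensive items) and the scoring system and "negative database" attributed to K-B Kids can be combined into one weighted screen. The Python below is an added example, not code from any merchant or organization named in the article; the weights, threshold, field names, HMAC key and sample orders are assumptions constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

HMAC_KEY = b"placeholder-load-from-a-secret-store"   # assumption: managed secret
FREE_EMAIL_DOMAINS = {"freemail.example"}             # constructed sample list
WEIGHTS = {"negative_db": 50, "country_mismatch": 25, "ship_ne_bill": 15,
           "leave_at_door": 15, "free_email": 10, "express": 10, "high_value": 10}
REVIEW_THRESHOLD, HIGH_VALUE = 40, 500.00             # assumed tuning values

@dataclass
class Order:
    card_number: str
    email: str
    billing_country: str
    issuer_country: str    # from a card-issuer database lookup
    ip_country: str        # from an IP-to-country lookup
    billing_address: str
    shipping_address: str
    express: bool
    leave_at_door: bool
    total: float

def card_token(card_number: str) -> str:
    # Keyed hash, so the negative database never stores raw card numbers.
    return hmac.new(HMAC_KEY, card_number.encode(), hashlib.sha256).hexdigest()

def score_order(o: Order, negative_db: set) -> tuple:
    hits = {
        "negative_db": card_token(o.card_number) in negative_db,
        "country_mismatch": len({o.billing_country, o.issuer_country, o.ip_country}) > 1,
        "ship_ne_bill": o.billing_address.casefold().split() != o.shipping_address.casefold().split(),
        "leave_at_door": o.leave_at_door,
        "free_email": o.email.rsplit("@", 1)[-1].lower() in FREE_EMAIL_DOMAINS,
        "express": o.express,
        "high_value": o.total >= HIGH_VALUE,
    }
    reasons = [name for name, hit in hits.items() if hit]
    return sum(WEIGHTS[r] for r in reasons), reasons

def decision(score: int) -> str:
    return "review" if score >= REVIEW_THRESHOLD else "accept"

# Constructed sample data (test card numbers, reserved .example domains).
NEGATIVE_DB = {card_token("4000000000000002")}
ROUTINE = Order("4111111111111111", "it@customer.example", "US", "US", "US",
                "10 Elm St", "10 elm st", False, False, 80.0)
RISKY = Order("4000000000000002", "x@freemail.example", "US", "US", "CA",
              "123 Main St", "77 Dock Rd", True, True, 900.0)
```

A single weak indicator, such as a free e-mail address with express shipping, stays below the review threshold; the order is held for manual review only when several indicators combine or the card is already in the negative database.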