Ecommerce and Payment Fraud Prevention

Sunday, February 27, 2011

rebekah donaldson


Ecommerce Payment Fraud Prevention: Looking for the Great Leap Forward

Article by Julie Fergerson

The Fraud Arms Race

Being in the e-commerce fraud space at the very beginning has given me a unique perspective on fraud prevention tools. When I enabled our first merchant to go live in 1995 on ClearCommerce, the very next day I saw the first fraudulent transaction. I liken online payments and online fraud to breathing in and breathing out. You can't do one without the other.

First, bad IP addresses

With that said, in the early days, fraud prevention was easy. We just had to take a look at the IP address of the criminal and add that to a negative file. That worked for almost two years. Then the crooks discovered that was how we were catching them, and they started rotating IP addresses.

Then came AVS

Next as an industry we added Address Verification (AVS) where we matched the credit card number to the numeric portion of the street address and zip code. This worked very well for the early adopters, but once mass adoption of AVS was supported by merchants, the effectiveness declined, the fraudsters knew that now when they steal the data, they also need to steal the billing address and zip code.

Next, there was CVC

Then rolled out Card Verification Codes (CVC), the three digit number on the back of Visa and MasterCard and 4 digits on the front for American Express.  The effectiveness of this tool proved to be really good for the first 3 years and then again, once implemented by the majority of merchants within a very short period of time, less then 12 months, the effectiveness of the tool declined.

More escalation

Over the years merchants have tried a number of things: collecting more data from consumers, looking at the location of IP addresses, grabbing browser data, collecting information about the computer the consumer is using, etc. Each of these things once implemented by a majority of merchants declines in effectiveness. The fraudsters simply adapt, share how to beat the new detection method with each other, and then collect the required info or fake it.

The battle between merchants and fraudsters is an arms race with no end in sight. There is no predictive tool, no scoring system, no set of rules, no identifying tag that can reliably sort fraudsters from genuine shoppers forever, because the fraudsters have the advantage of all working to the same goal and being willing to share their techniques as soon as the last great scheme is broken.

Criminals have incentive to share

There is actually profit-making incentive for criminals to share, because not sharing dramatically decreases the likelihood that the crook will be caught. If only one crook is doing something, it makes him stand out and merchants and law enforcement can isolate him and work together to put him out of business, but if he shares with his friends and "colleagues", and everyone is cracking the new scheme, it decreases the probability that any individual fraudster will be caught. So, as soon as one figures it out, it takes very little time before they all know.

Moreover, the harder we make the trap to break, the more we ensnare, annoy and turn away good business, and ironically, the fraudsters are actually better at entering the correct information and figuring out what is required than real consumers.

The goal is to sell

And the purpose of an ecommerce site is to sell. There are only so many hoops customers will jump through before they say this is too inconvenient or too intrusive or too complicated.

Our industry is at a stage where we don't need better tools; to make a great leap forward, we need better data.

A 360 degree view

The answer is to share histories. Every merchant has a piece of the puzzle. Every card issuer. Every payment processor. Every fraud vendor. We must collaborate and work together just like the fraudsters do against us to win, because that is the only technique that doesn't suffer performance decline over time, and actually works better and better the more of us who join in.

With better data, we have better insight, and interestingly, the detection tools gain back some of the performance-over-time decline when you can eliminate a substantial amount of noise from their fraud model.

Imagine a platform that isn't compromised over time by criminals... where performance actually increases in effectiveness as adoption increases.

Possibly Related Articles:
PCI fraud Authentication ecommerce IP Address Card Verification Codes
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.