Online fraud continues to be a growing and costly experience for all online merchants;
Fraudsters are far more sophisticated and understand the card processing systems far better than most merchants!
Identity theft is the single largest threat to non face-to-face transaction processing;
Phishing, Skimming, Spoofing, Malware, Server Hacking, Credit Card Number Generators, Counterfeiters, Black Market Card and Billing Address Lists, and Keystroke Loggers are all prevalent methods used by fraudsters today to obtain personal and financial information!
The “Shadow Internet Economy” is a staggering $105 billion underground business causing havoc worldwide.
PCI data standards and merchant PCI and SDP certification help ensure hackers cannot easily access your systems to compromise card numbers and transaction data; however, fraudsters are finding holes in web servers and writing malware programmes to compromise information;
Phishers have become experts in hijacking web site designs;
They rely on sophisticated IRC chat room interfaces
Hackers are generating (and selling) credit card numbers using software purchased ‘for educational purposes only’ online;
They are purchasing black market card number lists;
They are counterfeiting credit cards through mag stripe skimming devices;
CHIP and PIN is driving more fraud to easier targets – online merchants;
Card-not-present and Internet merchants are obvious and easy targets for credit card fraud.
“For as little as $250 you can buy custom-written malware, and for an extra $25 a month you can subscribe to updates that will ensure that your malware evades detection.”
“The vast majority of malware authors (viruses, trojans, spyware) do not distribute it themselves. In fact, they make great play of offering their software ‘for educational purposes only’ in the hope that this offers some immunity from prosecution.”
Heartland called the U.S. Secret Service and hired two breach forensics teams to investigate. Robert Baldwin, Heartland's President and Chief Financial Officer, said it wasn't until mid-January that investigators uncovered the source of the breach:
A piece of malicious software planted on the company's payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company's retail clients.
Heartland does not know how long the malicious software was in place, how it got there or how many accounts may have been compromised. The stolen data includes names, credit and debit card numbers and expiration dates.
"The transactional data crossing our platform, in terms of magnitude... is about 100 million transactions a month," Baldwin said. "At this point, though, we don't know the magnitude of what was grabbed."
RBS WorldPay, formerly RBS Lynk, is the United States-based payment-processing arm of The Royal Bank of Scotland Group. RBS announced in December 2008 that an unauthorized party had improperly accessed the company's computer system.
Compromised prepaid cards included 1.5 million payroll and open-loop gift cards, approximately 100 of which had experienced actual fraud, according to an RBS statement. The bank says hackers also may have accessed the Social Security numbers of approximately 1.1 million individuals. An RBS WorldPay spokesperson says no identity theft has been reported on individuals whose personal information was compromised in the breach. Neither the RBS spokesperson nor Ross would confirm media estimates of the amount of fraud committed on the payroll cards.
Excerpts from Interview with a Professional Phisher
“Social networking sites make me $500 to 1k through CPA deals. 5 times out of 10 the person uses the same password for their email account. Now depending what is inside their email inbox determines how much more profit I make. If an email account has one of the following paypal/egold/rapidshare/ebay accounts even the email account itself, I sell those to scammers ($5 /pswd). All in all, I make 3k to 4k a day. I only phish 3-4 days a week. Depends on how much time I invest. The more time I invest the greater the outcome.”
Copyright First Atlantic Commerce Ltd 2009
[Slide: screenshot of a phishing email. The Bank of Bermuda email domain was hijacked.]
[Slide: screenshot of the phished site. Hijacked URL from Jliangpartnership.co.uk; the copyright year is different from the real site.]
[Slide: screenshot of the real web site.]
Current Trends in Phishing: Anti Phishing Network Group 2008 Statistics (Source: www.apwg.org)

Statistic                                                   April      May        June
Unique phishing emails received by APWG from consumers      24,924     23,762     28,151
Unique phishing web sites detected                          20,410     20,317     18,509
Brands hijacked by phishers                                 276        294        227
Country hosting the most phishing web sites                 China      Turkey     USA
Phishing URLs containing some form of the target name       28.30%     23.20%     26.10%
Longest time online for a phished site                      30 days    31 days    30 days
Current Trends in Phishing: Countries Hosting Phishing Sites in Q2 2008 (Source: www.apwg.org)

Rank   April                        May                          June
1      China              25.15%    Turkey             25.73%    USA                18.93%
2      USA                16.68%    USA                17.16%    Turkey             17.92%
3      Russia              8.23%    Japan              11.23%    Poland             13.56%
4      Poland              7.15%    China               9.17%    Greece              6.86%
5      Turkey              5.79%    Poland              7.41%    China               5.87%
6      Germany             3.97%    Russia              3.27%    Russia              4.28%
7      Republic of Korea   3.12%    Greece              2.11%    France              2.48%
8      Greece              2.61%    France              2.08%    Republic of Korea   2.38%
9      France              2.32%    Republic of Korea   1.60%    Bulgaria            2.28%
10     Romania             2.21%    Netherlands         1.60%    UK                  2.16%
Over the past 10 years the card industry has succeeded in reducing “opportunity fraud” from lost or stolen cards and fraudulent applications;
Opportunity fraud accounted for 21.07% of total fraud losses suffered in 2007, or $1.17 billion;
Counterfeit cards accounted for 33.52% of all fraud losses, or $1.86 billion, in 2007. Counterfeit cards are being produced using compromised/hacked account data stored by merchants, networks and processors;
Card-Not-Present fraud amounted to 38.04% of total fraud losses or $2.11 billion. Five years ago CNP fraud accounted for roughly 25% of total fraud losses;
Total fraud losses based on the above research: $5.55 billion.
Stolen card numbers are the most popular exploit of online fraudsters. They try multiple identities, emails, zip codes and details with the same credit card numbers until they find a combination that makes it past the fraud and issuer authorisation systems;
Stolen cards are repeatedly “tested” by processing small transactions until the limit is reached or the account blocked. Often this testing is done across multiple merchant sites;
Without industry data sharing this cannot be properly tracked.
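The card-testing pattern described above, as an added example in Python (not First Atlantic Commerce's code): constructed authorisation records from three merchant sites are aggregated per card number, and the same rules run on a single merchant's slice show why the slides say this cannot be tracked without data sharing. The field layout, thresholds and the "small amount" cut-off are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample feed, as a cross-merchant data-sharing service might see it.
# Each record: (merchant site, masked card number, amount, email, zip code, auth result)
SAMPLE_FEED = [
    ("shop-a", "411111******1111", 1.00, "joe@example.com", "10001", "declined"),
    ("shop-b", "411111******1111", 2.50, "j.smith@example.org", "90210", "declined"),
    ("shop-c", "411111******1111", 0.99, "jsmith99@example.net", "33101", "approved"),
    ("shop-a", "411111******1111", 4.00, "joe2@example.com", "60601", "declined"),
    ("shop-a", "555555******4444", 79.99, "ann@example.com", "02134", "approved"),
    ("shop-b", "555555******4444", 120.00, "ann@example.com", "02134", "approved"),
]

SMALL_AMOUNT = 5.00  # assumption: card "tests" are tiny authorisations

@dataclass
class CardProfile:
    merchants: set = field(default_factory=set)
    emails: set = field(default_factory=set)
    zips: set = field(default_factory=set)
    small_attempts: int = 0
    declines: int = 0

def profile_cards(feed):
    """Aggregate every record in the feed by card number."""
    profiles = defaultdict(CardProfile)
    for merchant, pan, amount, email, zip_code, result in feed:
        p = profiles[pan]
        p.merchants.add(merchant)
        p.emails.add(email)
        p.zips.add(zip_code)
        if amount <= SMALL_AMOUNT:
            p.small_attempts += 1
        if result == "declined":
            p.declines += 1
    return profiles

def flag_card_testing(feed, max_identities=2, min_small=3, min_declines=2):
    """Return {card: [reasons]} for cards that look like they are being tested."""
    flagged = {}
    for pan, p in profile_cards(feed).items():
        reasons = []
        if len(p.emails) > max_identities or len(p.zips) > max_identities:
            reasons.append("many identities tried against one card")
        if p.small_attempts >= min_small and p.declines >= min_declines:
            reasons.append("repeated small declined authorisations")
        if reasons and len(p.merchants) > 1:
            reasons.append("pattern spans %d merchant sites" % len(p.merchants))
        if reasons:
            flagged[pan] = reasons
    return flagged

def merchant_view(feed, merchant):
    """What a single merchant sees without industry data sharing."""
    return [rec for rec in feed if rec[0] == merchant]
```

Run over the whole feed, the Visa card is flagged on all three counts; run over shop-a's records alone, nothing crosses a threshold.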
Efforts to tackle online fraud are being hampered by a lack of coordination across multiple channels (and cross border cooperation);
Fraudsters are divided into two groups – less sophisticated “chancers” targeting small merchants with simple techniques; and sophisticated professionals who are testing defences of larger merchants in pursuit of significant data or financial rewards;
Lack of consumer education regarding phishing and password protection is a significant problem;
Only 17% of merchants believe the police are effectively tackling cybercrime, citing lack of resources and failure to follow up on significant “tip-offs” of addresses where merchants knew fraudsters were located.
The total average cost per company surveyed was more than $6.6 million per breach, up from $6.3 million in 2007 and $4.7 million in 2006;
Javelin reports seeing an increase in “Vishing”, which is identity theft over the phone. Consumers receive an email requesting them to call a given phone number instead of being directed to a phishing web site;
Consumers are told about security warnings of fraudulent activity on their accounts or plastics;
Customers are then told to “call the bank back at this number” and input their account numbers, card details and private information.
Fraud ‘detection’ tools are those used to identify the probability of risk associated with an online transaction or to validate the identity of the purchaser. Results from detection tools are then interpreted by humans or rules systems to determine if the transaction should be accepted. The systems do not guarantee that a fraud will not occur and certainly will never prevent a chargeback initiated by the consumer. Consumer behaviour cannot be predicted or prevented by fraud detection tools.
The most popular tools used to assess or gauge online fraud are different for merchants processing over $25 million USD per annum in sales. The larger North American merchants use more risk-specific scoring models, negative and positive lists and sophisticated data sharing tools. They also spend considerably greater effort on chargeback management.
Company specific fraud screening solutions, external fraud systems and consumer behaviour models rated the highest in the large merchant category survey.
In the UK and Europe, online fraud tool usage trends differ from those in the USA. Merchants spend considerably more time manually reviewing transactions, while CVV2, AVS and Verified By VISA/SecureCode remain the primary automated fraud solutions.
The fastest growing anti-fraud tool in the past year has been 3-D Secure™ due to the June 2007 Maestro SecureCode mandate. 71% of UK/EU merchants now claim to have implemented 3-D Secure™.
One significant difference is with the use of IP Geolocation services in the detection of possible fraud. 48% of North American merchants use IP Geolocation, whereas only 23% of European merchants use IP Geolocation.
Device Fingerprinting has been identified as the top fraud tool to add in 2009.
Address Verification Service is a North American based service whereby the Card Issuing bank matches the street and Zip/Postal Code information entered by the consumer to the information held on the bank’s systems;
Issuers DO NOT decline authorisations based on AVS responses – they simply provide the AVS code in the auth response message;
AVS is a North American service and not many international processors or acquirers support USA AVS verification;
AVS Line 2 scamming is now prevalent making this tool unreliable as a verification tool – data is bought from card list brokers;
AVS is subject to a significant rate of “false positives” because it can be fooled into providing a partial match AVS score;
Large merchants typically use AVS as a pre-screening service prior to fulfilling orders.
Negative files are based on previous cardholder processing and purchasing information across multiple merchant and acquirer systems;
Somewhere in history this cardholder has defrauded a merchant or is a habitual chargeback offender, which is why they are in the negative database;
Unfortunately a lot of consumers get placed on the negative file as a result of someone else’s fraudulent use of their card, or deliberately by merchants competing for consumer transactions;
Negative files can be very useful if part of an overall data sharing solution. ETHOCA is an example of a data sharing service that combines decline data, chargebacks and suspicious transaction information at the card number level.
Not all Issuers participate in CVV2 verification, so the presence of CVV2 in the auth request should not be taken to mean that the cardholder performing the transaction is in possession of the actual plastic, unless the Issuer has replied with a CVV2 Match ‘M’ response;
There are more Issuers now who decline authorisations for CVV2 mismatch – this is encouraging.
Given the time involved, the administration effort, fines and penalty fees, merchants are finding it makes more economic sense to encourage consumers to contact them directly to receive a credit/refund than to process a chargeback;
If merchants are evaluating fraud losses solely on the basis of RC83 chargebacks, the actual rate of fraud loss is likely 2x higher simply because of the number of Refunds being processed and consumer complaints resolved in other ways (ecash credits etc);
Implementing Verified By VISA/SecureCode also reduces fraud coded chargebacks by ‘guaranteeing’ liability shift back to the issuer for qualifying Reason Codes.
Issuers and Acquirers register independently and the service is not inter-dependent
Issuers can have credit card BINs registered but not their cardholders; alternatively neither can be enrolled - this drives the merchant chargeback liability shift conditions for ‘attempted’ 3-D Secure requests;
Merchants ONLY have chargeback liability shift rights if BOTH the Acquirer and the Merchant are registered with VBV/SecureCode – however chargeback liability shift is not contingent on whether the Issuer or cardholder participate in 3-D Secure™.
VBV is a global service so once Merchants are enrolled by participating acquirers all VISA transactions can be authenticated with VBV for a fraction of the cost of other fraud detection services;
Verified By VISA liability shift is guaranteed for ‘attempted’ transaction authentication (global) even if the cardholder is NOT enrolled in VBV with their Issuer;
If an enrolled VBV Merchant attempts to authenticate the cardholder through Verified By VISA and either the cardholder and/or their Issuer doesn’t participate, the transaction is flagged as an ‘attempt’ (ECI=6) and these transactions are included in the liability shift programme for specific chargeback reason codes (RC23, 83).
After June 30th, 2007, online merchants will no longer be able to process Maestro debit transactions unless they implement MasterCard SecureCode™;
MasterCard SecureCode has implemented merchant-only liability shift in all Regions except the USA;
This means if a merchant is registered with a participating acquiring bank in EU, Asia/Pacific, SAMEA, LACR regions and they attempt to authenticate the cardholder – they have chargeback liability shift protection for chargeback RC 37 and 63 (if the transaction is authorised);
USA has not opted into this liability shift on ‘attempted’ SecureCode transactions yet.
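The VBV and SecureCode liability-shift rules from the slides above, encoded as an added example in Python (not First Atlantic Commerce's or the card schemes' code). The rule set is distilled only from these slides; the field names, region labels and the "authorised" flag are assumptions, as is the ECI value annotation, which the slides give only for Visa attempts.

```python
from dataclasses import dataclass

@dataclass
class Attempt:
    scheme: str              # "visa" or "mastercard"
    acquirer_enrolled: bool  # acquirer registered with VBV/SecureCode
    merchant_enrolled: bool  # merchant registered with VBV/SecureCode
    auth_result: str         # "authenticated", "attempted" (Visa ECI=6), "not_attempted"
    region: str              # "USA", "EU", "Asia/Pacific", "SAMEA", "LACR" (assumed labels)
    authorised: bool         # authorisation approved (assumed flag)

# Fraud reason codes the slides list as covered by the liability shift.
COVERED_RCS = {"visa": {"23", "83"}, "mastercard": {"37", "63"}}

def liability_shift(a):
    """Return (shifted, covered reason codes, explanation) for one attempt."""
    # Both acquirer and merchant must be registered; issuer and cardholder
    # enrolment does not matter (slides: shift is NOT contingent on them).
    if not (a.acquirer_enrolled and a.merchant_enrolled):
        return False, set(), "acquirer and merchant must both be registered"
    if a.auth_result == "not_attempted":
        return False, set(), "no 3-D Secure authentication was attempted"
    if a.scheme == "visa":
        # VBV: authenticated or attempted (ECI=6) qualifies globally.
        return True, COVERED_RCS["visa"], "VBV shift (global, attempts included)"
    if a.scheme == "mastercard":
        if a.auth_result == "attempted":
            if a.region == "USA":
                return False, set(), "USA has not opted into attempted-SecureCode shift"
            if not a.authorised:
                return False, set(), "attempted-SecureCode shift needs an authorised txn"
        return True, COVERED_RCS["mastercard"], "SecureCode shift"
    return False, set(), "unknown scheme"

def chargeback_covered(a, reason_code):
    """True if a chargeback with this reason code falls under the shift."""
    shifted, rcs, _ = liability_shift(a)
    return shifted and reason_code in rcs
```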
In specific countries Issuers are blocking 3-D Secure attempted transaction requests – those tagged with an ECI 6 value;
Compliance rules clearly state that Issuers can be fined for not authorising 3-D Secure attempted (ECI 6) transactions; however, it doesn’t seem that the enforcement mechanisms are in place to penalize Issuers;
Mexican Issuers are blocking ECI=6 authorisation requests, as are some banks in Eastern Europe.
So why is 3-D Secure phishing so “easy” to pull off?
Both Verified By VISA and MasterCard SecureCode online web sites list every registered Issuer in alphabetical order;
If you select a specific Issuer, the VBV or SecureCode enrolment site (legitimate one) displays;
This can be recreated by the ‘phishing’ fraudster and within hours thousands of cardholders are fooled into providing personal information, card data, PINs, passwords and bank account numbers;
“Activate the Verified by Visa feature - It's easy and only takes a few moments to activate your card. You can do it right here on the secure Visa site or when prompted during the checkout process at one of our participating online merchants. Either way, your information is protected.”
Fraud ‘detection’ tools are those used to identify the probability of risk associated with an online transaction. They do not guarantee that a fraud will not occur and certainly will never prevent a chargeback from being initiated by the consumer.
Fraud ‘prevention’ tools like CVV2 and 3-D Secure do provide guarantees against fraud coded chargebacks and are fully sponsored by the Card Associations.
The top fraud detection and risk mitigation services being implemented in North America and Europe in 2009 are 3-D Secure™, IP Geolocation (geoblocking, proxy server detection), Computer Device Fingerprinting, Data Sharing systems and implementation of experienced chargeback analysis and management personnel.
Merchants must implement PCI compliant security requirements to reduce the risk of malware/trojan/spyware attacks, plus transaction pre-authentication solutions including AVS, CVV2, IP Geolocation and data sharing services, in addition to Verified by VISA and MasterCard SecureCode – WHY?
Pre-authentication services pre-screen transactions to filter out ‘obvious’ or suspicious fraudulent transactions. 3-D Secure provides guaranteed chargeback liability shift on the not-so-obvious and seemingly legitimate transactions.
KNOW YOUR ENEMY – you will then know your customer! Watch for behaviour patterns that don’t seem “normal” for customers at your site.
Implement a face-to-face authentication system so you can “see” if your customer is the same as the photo ID they provided. SKYPE is free – anyone can use it. Why doesn’t the gaming industry verify new clients by looking directly at them? It seems like a great deterrent that ensures criminals don’t register for your sites and therefore reduces your exposure to fraudulent payment transactions.
Pre-authentication and automated screening services cannot predict ‘human behaviour’, which results in chargebacks. Habitual chargeback offenders (the “friendly fraud” culprits) are aware of this and will use this excuse over and over again.
3-D Secure™ is there to protect online merchants from habitual chargeback offenders by allowing fraud chargebacks to be represented under the liability shift guarantees regardless of whether the cardholder is enrolled or not.
Message Labs – the Online Shadow Economy reference docs
Online newsfeeds – read about what’s going on elsewhere with respect to phishing, skimming, malware attacks and data attacks, and advise your own staff. Education and information are key to identifying dodgy consumer behaviour or transactions.
Javelin Research Reports
USA Federal Trade Commission – Internet Fraud and Safety info
Watch the blogs and chat rooms – they are fascinating!