e-Fraud and Predictive Forensic Profiling - reducing losses by combining science with a crystal ball

HB Prinsloo
CDE (A division of Comparex Africa (Pty) Ltd)
hermanp@ComparexAfrica.co.za

Abstract: This article focuses on cyber crime, especially the effects of e-fraud on smaller e-merchants. It describes simple, cost-effective measures that the smaller e-merchant can implement in order to prevent fraudulent transactions and improve turnover and profit.

Key words: Cyber crime, on-line fraud, e-fraud, smaller e-merchant, micro e-merchant, e-business, prevention of e-fraud, predictive profiling, forensic profiling, predictive forensic profiling.

1 INTRODUCTION

From the submission of this article’s abstract to the actual writing of this text, e-fraud has gained prominence in the South African news as a result of the theft of a relatively large sum of money between May and July 2003 by one cyber criminal from the Internet bank accounts of 10 clients of the Amalgamated Banks of South Africa Group (ABSA Bank), one of the largest banking groups in South Africa. A suspect was arrested towards the end of July and charged with 10 counts of fraud (Cruywagen, 2003:3). This was the first major incident of e-fraud to make news headlines over a number of weeks in South Africa. It has had the widest potential effect, as the vast majority of the Internet-using population in South Africa use Internet banking as a convenient and cost-effective way of managing their personal financial affairs. Although it has only recently gained prominence in the minds of the general public, e-fraud has been with us in many guises for a number of years.

1.1 DEFINING E-FRAUD, E-CRIME AND CYBER CRIME

At this juncture it is important to attempt to define the concepts of e-fraud and cyber crime. The terms “e-crime”, “cyber crime”, “computer crime”, “information technology crime” and “high-tech crime” are often used interchangeably. No universally uniform or accepted definition of cyber crime exists, partly due to the many guises of cyber crime (Groebel et al., 2001:17).
Cyber crimes can range from economic offences (fraud, theft, industrial espionage, sabotage and extortion, product piracy, etc.) to infringements on privacy, propagation of illegal and harmful content, facilitation of prostitution and other moral offences, as well as organised crime (cf. Goodman, 1997:468; Golubev, 2003:2; PCB, 2001a:8; Turnbull, 2001:5). At its most severe, cyber crime borders on terrorism, encompassing attacks on human life and against national security establishments, critical infrastructure and other vital elements of society (cf. Sweet, 2003:1; Messmer, 2002:1; CERT/CC, 2002:5; Schneier, 2003:1).

The UN Manual on the prevention and control of computer-related crime provides the following definition of cyber crime: “Computer crime can involve activities that are traditional in nature, such as theft, fraud, forgery and mischief, all of which are generally subject everywhere to criminal sanctions. The computer has also created a host of potentially new misuses or abuses that may, or should, be criminal as well” (UN, 1994:7).

Koenig (2001:8) defines cyber crime as: “A criminal offence that has been created or made possible by the advent of computer technology, or a traditional crime which has been so transformed by the use of a computer that law enforcement investigators need a basic understanding of computers in order to investigate the crime.”

Broadly, this definition refers to two types of offences:
• Crimes against computers or information on computers (e.g. attacks on network confidentiality, integrity and/or availability, i.e. infringements on privacy, unauthorised access to and illicit tampering with systems, programs or data)
• Traditional crimes that are committed with the use of computers or some form of information and communication technology (e.g. industrial espionage, theft, forgery, extortion, propagation of illegal and harmful content, facilitation of prostitution, etc.) (cf. McConnell International, 2000:1; Goodman, 1997:468; Turnbull, 2001:8).

On a global scale, society’s dependence on technology is increasing exponentially. The use of computers and computer technology has proliferated in all spheres of life and today plays a central role in such diverse activities as banking, transport systems, the financial markets, hospitals and telecommunications. In this respect technology affects all of us on a daily basis in ways that we do not necessarily take into account. Our dependence on technology, combined with the cyber criminal’s perceived low risk of arrest and prosecution and the fact that legislation is not always adequate to facilitate the prosecution of trans-national cyber criminals, exponentially increases the risk posed by cyber criminals to society today (cf. Smith, 2002:5; Turnbull, 2001:19; Groebel et al., 2001:15; Smith, 2000:1). In the USA, the average damage suffered in a physical bank robbery is US $3 200, compared to US $23 000 for the average swindle and US $500 000 for the average computer crime (Belousov, 2003:1).

In the physical environment, fraud was traditionally paper-based or people-based, whereas the following are the means most often used to commit crimes on-line:
• Message interception and alteration
• Unauthorised account access
• Identity theft
• Manipulation of stocks and bonds
• Extortion
• Unauthorised system access (e.g. system damage, degradation or denial of service)
• Industrial espionage
• Manipulation of e-payment systems
• Credit card theft
(cf. Glaessner et al., 2002:24; Graycar & Smith, 2002:4; Centeno, 2002:11).

Currently the most vulnerable aspects of technology have been identified by Etter (2001b:24) as:
• Electronic commerce
• On-line banking
• Pharmacies with electronic prescription services and interfaces to medical aids
• Health care services and records
• Education

The vulnerability of information and communication technology (ICT) systems can be ascribed to the following interrelated factors:
• Density of information and processes: Billions of characters of data can be saved on a relatively small storage device. Vast amounts of data can be relatively quickly and easily destroyed or deleted.
• System accessibility: Computer systems were originally designed to allow multiple users to use the same computer. Today ICT systems and users can access and communicate with other systems across the globe. The fact that the system cannot be physically guarded makes it vulnerable, despite the plethora of ever-evolving security systems designed to protect a globally accessible ICT system.
• System complexity: The exponential growth in processing power and the complexity of operating systems make it impossible for even the designers of such systems to understand the number of logic states that are possible during execution in a multi-programming or multi-processing environment. This makes a system vulnerable to intrusion via an (unintentional) back door in the system.
• Electronic vulnerability: Computer systems rely on electronic and generally also telecommunications technology that is subject to potential problems with reliability, fragility, environmental dependency and vulnerability to interference and the interception of data.
• Vulnerability of electronic data-processing media: The content and nature of the data on a storage device is not visible to the technicians handling it. Very sensitive data can be handled carelessly without the handler being aware of either the risk or the nature of the data. Equipment can be stolen from cars, or disks that contain very sensitive information can be mislaid.
• Human factors: In nearly any ICT environment, certain individuals require access to very sensitive information. A young IT technician could, for instance, have access to an organisation’s payroll data or R&D archive for the purpose of creating backups. Such a person could succumb to temptation, be bribed by competitors, or become disillusioned and destroy or disseminate very sensitive information, leaving very little evidence. “Insider” (full- or part-time employees, contracted workers, consultants, partners or suppliers) security incidents such as access abuse and equipment theft occur far more frequently than “external” attacks (cf. UN, 1994:7, 10; Settle, 2000:4; Centeno, 2002:14; Smith, 1999b:5). Alarmingly, very few companies do standard background checks on staff members who are employed to work with sensitive data and are granted unrestricted access to systems (Graycar & Smith, 2002:7). A trusted insider may be recruited covertly by hostile parties long before any action associated with an actual attack (the so-called “sleeper” problem) or tricked into taking some action that breaches system security, e.g. tricked into disclosing a password or opening an e-mail attachment that installs software that permits access by malicious outsiders (CSTB, 2002:5). Personal financial pressure is the most widely reported warning signal exhibited by employees prior to the discovery of internal fraud (KPMG, 1999:16).

The following factors related to cyber crime complicate effective law enforcement and pose new and unique challenges for investigators:
• The environment is a more favourable vehicle for fraudsters to communicate and act, due to its anonymity, easy access, and rapid exchange of resources such as hacking programs and credit card numbers (cf. Gartner, 2001:15).
• The possibility of committing computer-facilitated crime also makes it easier to automate and commit fraud on a larger scale (Schneier, 2003:1); the level of automation in attack tools continues to increase. Automated attacks commonly involve four phases: scanning for potential victims; compromising vulnerable systems; propagating the attack; and coordinating the management of attack tools. Since 1999, with the advent of distributed attack tools, attackers have been able to manage and coordinate large numbers of deployed attack tools distributed across many Internet systems. Today, distributed attack tools are capable of launching denial-of-service attacks more efficiently, scanning for potential victims and compromising vulnerable systems. Coordination functions now take advantage of readily available public communications protocols such as Internet Relay Chat (IRC) and instant messaging (IM) (CERT/CC, 2002:1).
• Attack tool developers are using more advanced techniques than previously. Attack tool signatures are more difficult to discover through analysis and more difficult to detect through signature-based systems such as anti-virus software and intrusion detection systems. Three important characteristics are the anti-forensic nature, dynamic behaviour and modularity of the tools. As an example of the difficulties posed by sophisticated attack tools, many common tools use protocols like IRC or HTTP (HyperText Transfer Protocol) to send data or commands from the intruder to compromised hosts. As a result, it has become increasingly difficult to distinguish attack signatures from normal, legitimate network traffic (CERT/CC, 2002:2; PCB, 2001a:8).
• Firewalls are often relied on to provide primary protection from intruders. However, technologies are being designed to pass through typical firewall configurations; for example, IPP (the Internet Printing Protocol) and WebDAV (Web-based Distributed Authoring and Versioning). Some protocols marketed as being “firewall friendly” are, in reality, designed to bypass typical firewall configurations. Certain aspects of “mobile code” (ActiveX controls, Java and JavaScript) make it difficult for vulnerable systems to be protected and for malicious software to be discovered (CERT/CC, 2002:2).
• Because of the advances in attack technology, a single attacker can employ a large number of distributed systems to launch devastating attacks against a single victim relatively easily. As the automation of deployment and the sophistication of attack tool management both increase, the asymmetric nature of the threat will continue to grow (CERT/CC, 2002:3).
• The speed at which crimes can be committed.
• The fact that a crime is not always immediately apparent. A cyber criminal can hack into a system and plant a program that is only scheduled to do something at some time in the future. Similarly, a cyber criminal can invade the computer of an innocent person and launch an attack from that computer, making it appear that the owner of the computer perpetrated the crime. This makes it very difficult to catch and prosecute proficient cyber criminals (CSTB, 2002:5).
• The lack of risk awareness.
• Merchants are often small and new, with limited security skills and budgets. They are selling new goods (digital content) that are more vulnerable to fraud (Experian, 2000:2).
• The lack of cyber security skills and tools. Organisations often overlook significant risks: system providers do not produce systems that are immune to attack, and network and system operators do not have the personnel and practices in place to defend themselves against attacks and minimise damage (CERT/CC, 2001:1).
• Users are more vulnerable. With increasing Internet connectivity from home and increasing PC power (available for hackers), average users know little about the risks and the security tools available to protect their computers from external attacks.
• Global reach (including issues of jurisdiction, disparate criminal laws and the potential for large-scale victimisation) makes legal prosecution more difficult. Because transaction amounts are generally low, the electronic evidence tools and skills available are very limited. Legislation has not yet been fully adapted to the Internet environment and, where transactions have taken place across borders, complex jurisdictional and procedural issues may arise. The technical and legal complexities of investigating and prosecuting cyber crimes are compounded by the relatively low value of individual fraudulent transactions as well as the complex legal process for prosecuting cases of fraud within the legal systems of more than one country (cf. Experian, 2000:13; Smith, 2002:5; CSTB, 2002:3).
• Telecommunications can be used to further criminal conspiracies. Because of sophisticated encryption systems and high-speed data transfers, it is difficult for law enforcement agencies to intercept information about criminal activities. This has particular relevance to new international criminal activities (Giddens & Duneier, 2003:201).
• The volatility or transient nature of evidence, including the absence of collateral or forensic evidence such as eyewitnesses, fingerprints or DNA.
• The high cost of investigations (cf. Centeno, 2002:3; Etter, 2001b:27; Etter, 2001a:6; Etter, 2002:5, 12; Graycar & Smith, 2002:2; Groebel et al., 2001:25; McConnell International, 2000:2).

According to Centeno (2002:12), the most common types of on-line card fraud reported are:
• Bogus merchants collecting card data and disappearing, charging either unauthorised transactions, transaction amounts higher than agreed or unauthorised recurring transactions
• Transactions performed with stolen card data (stolen in the physical world or obtained through intrusion into merchant servers) or with data generated by software tools
• Consumers fraudulently denying transactions and getting a transaction reversed based on “card not present” legislation.
Transaction reversals and refunds, also called chargebacks, are estimated to be 12 times more frequent for e-commerce than in the physical world, and two to three times more frequent than for “MOTO” (Mail Order Telephone Order) sales. With a view to understanding what security measures are needed, and based on the results of the analysis of available fraud figures, on-line payment risks can be classified into the following four categories:
1. Risk of merchant fraudulent behaviour: bogus merchants carrying out data capture, disappearing and charging unauthorised transactions; charging transaction amounts higher than agreed; charging unauthorised recurrent payments.
2. Risk of identity and payment data theft for further fraudulent use on the Internet or in the physical world (purchase, fraudulent card application, account take-over). Identity data can be stolen through e-mail (or even phone) scams, or through on-line unauthorised access to merchant or ISP servers, to bank servers, to consumers’ PCs or to transactional data.
3. Risk of impersonation, i.e. fraudulent use of (stolen) consumer identity and/or payment data, or of software-generated account numbers, for purchasing.
4. Risk of a consumer fraudulently denying a transaction (cf. Centeno, 2002:3, 19; Graycar & Smith, 2002:4).

According to Etter (2001b:23), cyber crime will increasingly feature in many trans-national crimes involving drug trafficking, people smuggling and money laundering, and while many e-crimes will be ‘old style’ crimes simply involving the use of ICT, new forms of crime will also emerge. In addition, the barriers to committing electronic crime have dropped significantly and criminals are becoming younger. Etter (2001b:23) observes that it would seem that people who would not dream of stealing or maliciously damaging other people’s property in real life have no qualms or second thoughts about the opportunities and challenges presented by the Internet.

1.2 THE MOST PREVALENT CYBER CRIMES

Technology has most certainly changed the risk landscape as far as fraud is concerned:

Figure 1: Technology-enabled Fraud (CyberSource, 2002:6)

Goodman and Brenner (2002:14) identify the following activities as the most prevalent cyber crimes:

1.2.1 Hacking and Related Activities

Hacking, or gaining unauthorised access to a computer system, computer programs or data, opens a range of possibilities for inflicting damage (cf. UN, 1994:13; Groebel et al., 2001:43). Illegal infiltration of telecommunications systems means that eavesdropping, ranging from spouse monitoring to espionage, has become easier (Giddens & Duneier, 2003:201). The ability to hack into and steal telecommunications services means that people can conduct illicit business without being detected, or simply manipulate telecommunication and cell phone services in order to receive free or discounted telephone calls. Giddens & Duneier (2003:201) and PCB (2001a:3) identify two types of hackers, namely internal (including internal saboteurs) and external (including political hackers or hacktivists, who hack either to highlight a lack of security or for personal reasons, i.e. grudges).

1.2.2 Commercial Espionage

Losses suffered through misappropriation of computerised intellectual property cost copyright owners close to $20 billion last year. Netspionage involves confidential information being stolen by hackers to sell to a competitor or to be used for individuals’ business exploits. Espionage was originally limited to governments but, with the advent of the Information Age, the rise of corporate espionage has been rapid. One tool used to steal secrets is TEMPEST (Transient Electromagnetic Pulse Emanation Surveillance Technology), which allows a scanner to read the output from a computer up to a kilometre away. It is non-invasive and virtually undetectable (PCB, 2001a:4).

1.2.3 Data Manipulation

Computer fraud by input manipulation (also called “data diddling”) is one of the most common computer crimes. Input manipulation is easy to perpetrate and difficult to detect, does not require sophisticated computer knowledge and could be perpetrated by a data capturer with limited data processing system access (UN, 1994:14). A more sophisticated form of data manipulation is the modification of software programs, which is also difficult to detect. The most common example is the “salami technique”, where thin slices are shaved off a large number of financial transactions, e.g. by rounding down the cents in each transaction and diverting the rounded-off amounts from millions of transactions to a bank account (Goodman and Brenner, 2002:15).
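The salami technique is hard to spot because the totals still balance: what is shaved off the customers' postings reappears, in full, as a credit to the perpetrator's account. The following is an added example, not code from the paper or from any product it discusses, showing how a reconciliation audit of an interest-posting run detects it. The ledger, the account names and the sink account ACC-9999 are constructed for this illustration; the half-up rounding rule is assumed to be the institution's documented posting rule.

```python
"""Added example (not from the paper): auditing a posting run for salami slicing.

The manipulated posting routine rounds every computed amount DOWN to the cent
and sweeps the shaved-off fractions into one credit to a sink account that has
no computed amount behind it. The audit checks each posting against the
rounding rule the system is supposed to apply (assumed here: half-up) and looks
for an unexplained credit that absorbs exactly the shaved-off value.
"""
from collections import defaultdict
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

CENT = Decimal("0.01")

# Constructed sample: interest computed to 1/100 of a cent for five accounts.
COMPUTED = [
    ("ACC-0001", Decimal("250.0071")),
    ("ACC-0002", Decimal("83.4396")),
    ("ACC-0003", Decimal("1200.0050")),
    ("ACC-0004", Decimal("19.9983")),
    ("ACC-0005", Decimal("530.2100")),
]


def expected_posting(computed):
    """Rounding rule the honest posting routine must apply: half-up to the cent."""
    return computed.quantize(CENT, rounding=ROUND_HALF_UP)


def run_interest_posting(computed, rounding, sink=None):
    """Simulate one posting run and return its ledger entries.

    The honest run uses ROUND_HALF_UP and no sink. The manipulated run uses
    ROUND_DOWN and appends one extra credit (the sweep) to the sink account.
    """
    ledger, swept = [], Decimal("0")
    for account, amount in computed:
        posted = amount.quantize(CENT, rounding=rounding)
        swept += amount - posted  # fraction of a cent lost by this posting
        ledger.append({"id": f"INT-{account}", "account": account,
                       "computed": amount, "posted": posted})
    if sink is not None:
        ledger.append({"id": "INT-SWEEP", "account": sink,
                       "computed": Decimal("0"),
                       "posted": swept.quantize(CENT, rounding=ROUND_DOWN)})
    return ledger


def audit_run(ledger):
    """Check a posting run for the salami pattern.

    Returns the postings that violate the rounding rule, the total value shaved
    off business postings, credits with no computed basis (by account), and the
    accounts whose unexplained credit equals the shaved-off total.
    """
    violations = []
    unexplained = defaultdict(Decimal)
    residue = Decimal("0")
    for entry in ledger:
        if entry["computed"] == 0:
            # A credit with nothing computed behind it: candidate sink account.
            unexplained[entry["account"]] += entry["posted"]
            continue
        residue += entry["computed"] - entry["posted"]
        expected = expected_posting(entry["computed"])
        if entry["posted"] != expected:
            violations.append((entry["id"], entry["posted"], expected))
    shaved = residue.quantize(CENT, rounding=ROUND_HALF_UP)
    sinks = [acct for acct, amt in unexplained.items() if amt == shaved]
    return {"violations": violations, "residue": residue,
            "unexplained": dict(unexplained), "sinks": sinks}


def demo():
    """Audit an honest run and a manipulated run; return both audit results."""
    honest = audit_run(run_interest_posting(COMPUTED, ROUND_HALF_UP))
    manipulated = audit_run(
        run_interest_posting(COMPUTED, ROUND_DOWN, sink="ACC-9999"))
    return honest, manipulated


if __name__ == "__main__":
    honest, manipulated = demo()
    print("honest run: violations =", honest["violations"],
          "sinks =", honest["sinks"])
    print("manipulated run: violations =", manipulated["violations"])
    print("shaved off:", manipulated["residue"],
          "sink accounts:", manipulated["sinks"])
```

Two signals matter in practice. Every under-posting is only a fraction of a cent, so a totals-only reconciliation passes; the per-posting check against the documented rounding rule is what exposes the manipulation, and it flags four of the five sample postings. Independently, a credit that has no computed amount behind it and that equals the shaved-off residue identifies the account receiving the slices, which is the evidence an investigator needs.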
1.2.4 Computer Forgery

Today most official documents are produced as a printout from a computer. Fraudulent altering and counterfeiting of documents have become easier with the availability of inexpensive, high-quality scanners and colour printers (UN, 1994:14).

1.2.5 Viruses and other Malicious Programs

Viruses and other types of malicious code, such as “worms” and logic bombs, can be very destructive. A calamitous virus may delete files or permanently damage systems. A Trojan horse, masquerading as a utility, e.g. anti-virus software or an animation, may copy user IDs and passwords, erase files or release viruses (Groebel et al., 2001:52; PCB, 2001a:8). The effect of viruses and other malicious programs is referred to as computer sabotage. Computer sabotage can be the vehicle for gaining economic advantage over a competitor, for promoting the illegal activities of ideologically motivated terrorists, or for stealing data or programs (also referred to as “bitnapping”) for extortion purposes (UN, 1994:15).

1.2.6 Software Piracy

The unauthorised reproduction of computer programs can mean a substantial economic loss to the legitimate owners. It has become relatively easy to violate copyright rules by copying materials, software, films and CDs (Giddens & Duneier, 2003:201). The problem has reached trans-national dimensions with the trafficking of these unauthorised reproductions over modern telecommunication networks (UN, 1994:16; PCB, 2001a:8).

1.2.7 Gambling, Pornography and other Offences against Morality

On-line casinos have proliferated widely, despite the fact that gambling is illegal in many jurisdictions. The Internet is also being used to distribute drugs, pharmaceuticals, tobacco and liquor, again regardless of jurisdictional prohibitions. It is difficult to control pornography and offensive content in cyberspace (Giddens & Duneier, 2003:201).

1.2.8 Child Pornography

Many types of paedophilic activity - viewing images, discussing activities, arranging tourism, enticing a child to a meeting - are carried out over the Internet. The Internet gives the paedophile the advantages of a wider scope of communications and the likelihood of eluding the law, given the jurisdictional problems that arise in prosecuting cases that transcend borders, as is the nature of the Internet (cf. Giddens & Duneier, 2003:201; Groebel et al., 2001:65).

1.2.9 Cyber Homicide

Cyber homicide - using computer technology to kill someone - has not yet been reported but could be perpetrated in future. An aspiring mass murderer could, for example, hack into a hospital’s computer system, learn about the medication prescribed for patients and alter the dosages, causing them to die (cf. Sweet, 2003:1; CSTB, 2002:6).

1.2.10 Stalking, Harassment and Hate Speech

Stalking and harassment are malicious activities directed at a particular person.
Cyber stalking can pose not only virtual but real threats to on-line users. The dissemination of hate and racist speech has a more general focus but can be equally traumatic for those it targets, and is becoming more widespread because of the Internet. Stalking, harassment, and hate-filled and racist speech perpetrated over computer networks are not universally considered to be illegal (Giddens & Duneier, 2003:201; Groebel et al., 2001:71).

1.2.11 Cyber Terrorism

Pollitt (1997:285) defines cyber terrorism as a “pre-meditated, politically motivated attack against information, computer systems, computer programs, and data which results in violence against non-combatant targets by sub-national groups or clandestine agents”. There is a heightened vulnerability to electronic vandalism and terrorism in western society today because much of modern life depends on computers and computer networks. For many people, the most visible interaction they have with computers is typing at a keyboard. Less visible are the computers and networks that are critical for key functions such as managing and operating nuclear power plants, dams, electric power grids, air traffic control systems and financial infrastructures. Computers are also instrumental in the day-to-day operations of companies, organisations and government. Companies large and small rely on computers to manage payroll, track inventory and sales and perform research and development. The distribution of food and energy from producer to retail consumer relies on computers and networks at every stage. In future, everyday items such as traffic lights, elevators, appliances and even pacemakers will become more and more connected to computer systems and thus vulnerable to attacks by cyber terrorists. Instructions for building incendiary devices can be placed on and downloaded from the Internet (cf. Giddens & Duneier, 2003:201; Groebel et al., 2001:48; Arquilla, 1998:1; Devost et al., 1996:7; Etter, 2002:14; Messmer, 2002:1; Blyth, 1999:16; CSTB, 2002:2; CERT/CC, 2002:5).

1.2.12 Money Laundering and Organised Crime

Money laundering is estimated at between 2% and 5% of world GDP (PMSEIC Working Group, 2000:4). Electronic money laundering can be used to move the illegal proceeds of a crime via Electronic Funds Transfer (EFT) to conceal the origin of the funds (Giddens & Duneier, 2003:201; Graycar & Smith, 2002:3). Even if money laundering remains largely tied to the off-line world, the capabilities of the Internet and other networks mean that there will be great incentives for money launderers to exploit this avenue (cf. Groebel et al., 2001:60; Etter, 2002:15).

1.2.13 Internet Fraud, e-Commerce Fraud and i-Payment Fraud

Fraud represents what is probably the largest category of cyber crime. The Internet has created what appears to be the perfect cyber crime: borderless fraud. So many different types of fraud are committed over computer networks that they have become almost impossible to police effectively (Groebel et al., 2001:57). There is an enhanced risk of electronic funds transfer crimes. The widespread use of cash machines, e-commerce and electronic money on the Internet heightens the possibility that some transactions will be intercepted (Giddens & Duneier, 2003:201; Graycar & Smith, 2002:3). Using computers, thieves can steal credit card details and siphon funds from banks. Cyberspace can just as easily be used to commit theft-by-threat or extortion. One of the most common types of cyber fraud is on-line auction fraud, where the vendor may describe products or services in a false or misleading manner, or may take orders and money but fail to deliver goods or deliver counterfeit goods (Golubev, 2003:2). A growth in telemarketing fraud has been noted, as well as fraudulent charity schemes and investment opportunities that are difficult to regulate (Giddens & Duneier, 2003:201).

For the purpose of this paper, the term e-fraud will be used to denote cyber crimes relating to on-line credit card fraud and e-commerce.
  12. 12. 2 E-FRAUD GLOBALLY e-Fraud, notably fraudulent on-line credit card transactions via e-business sites on the Internet, is a global problem that is much more prevalent than “bricks and mortar” fraud, and also much more difficult to detect and prosecute. It leads to significant profit erosion and losses suffered by e- merchants (McConnell International, 2000:1). Some recent statistics include: • Identity theft complaints to US authorities rose by 40% each year from 1992 to 1997. The US Treasury Department estimated that identity theft causes losses of up to US$3 billion each year from credit card fraud alone (PCB, 2001a:5). • Visa recently surveyed 15 Banks from 12 EU countries. It found that credit card payments account for nearly half of all complaints, more than one in five of which came from people billed for on-line transactions who had not even shopped on the Internet (PCB, 2001a:5). • A recent report from the National Consumers Council revealed that 50% of Internet users are unlikely to supply their credit card details on the Internet because they think it’s too risky (PCB, 2001a:5). • Over 50 per cent of all fraud committed in the first half of 2000 were "cyber crimes” (PCB, 2001a:1). • Fraudulent transactions make up 1.06% of total on-line transactions compared to only 0.06% of off-line transactions. The Gartner Group estimates that on-line transaction fraud is 17 times higher than in-store fraud (Gartner, 2002:1). • In 2002 26 million adults used the Internet compared to fewer than 10 million in 1999. Over the same period, the number of adults making Internet card payments increased nine fold, from £1.3 million in 1999 to £11.8 million in 2002. Around 3% of all card payments to a total value of £9 billion were made over the Internet last year. This is expected to grow to 10% by 2012 (Apacs 2003b:10). • Direct sales over the Internet are expected to reach US$5 trillion in the United States and Europe by 2005 (McCardle et al., 2001:5). 
• Gartner (2002:1) estimates that in 2001 alone on-line fraud cost e- merchants US$700 million, excluding costs such as investigations, legal fees, etc. • One in six on-line customers have been the victim of credit card fraud and one in 12 have had their identity stolen on-line (Golub 2003:11). • It has been estimated that the typical identity theft victim learns about the crime only 14 months after it has occurred, sustains US$18,000 in fraudulent charges and spends 175 hours over two years restoring his/her clean credit and good name (PCB, 2001a:5). • Visa estimates that Internet transactions account for about 2% of its total transactions. However, of all the fraudulent transactions that Visa handles, 50% occur in Internet transactions (Verisign, 2002:9). 12
  13. 13. • In 2002 FBI Internet fraud centre complaints rose by 300% (Golub 2003:11). • A recent investigation by MSNBC reveals that while overseas-based criminals account for up to one third of all on-line fraud directed at United States e-businesses, there is no evidence of a single prosecution against these foreign perpetrators (Brunker, 2001:1). The US Treasury maintains an Official US Government System web page called the Financial Crimes Enforcement Network or FinCEN. Its mission is to support law enforcement investigative efforts and foster inter-agency and global cooperation against domestic and international financial crimes. FinCEN has issued warnings on transactions involving the following countries: o The Arab Republic of o Nauru Egypt o Nigeria o The Bahamas o Niue o The Cayman Islands o Panama o The Cook Islands o The Philippines o Dominica o The Russian o Israel Federation o Lebanon o St. Kitts & Nevis o Liechtenstein o St. Vincent o The Marshall Islands o The Grenadines (FinCEN, 2003:1). • Forty per cent of companies have been hit by the same fraudster more than once with 18 % saying that they had been hit three times by the same fraudster before the fraud was detected (PCB, 2001a:5). • More than 50 per cent of all fraud committed in the first half of 2000 were "cyber crimes". Internet fraud rose 46% towards the end of 2000. Seventy per cent of large companies in the UK were hit by fraud and each of the companies surveyed lost an average of £4 million every year as a result of fraudulent activity. Not only is about 60% of fraud committed from within but it was found that as much as 58% of this fraud was uncovered ‘by accident’! Recovery rates remain low (with as few as 20% of organisations able to recover half or more), and the scope for the commission of such fraud remains as high as ever with only 18% of victims ‘very confident’ about their future safety. Twice as many believe that the threat will be even greater in the next five years. 
Indeed, just under half of the 3500 respondent organisations felt cyber crime was ‘the’ risk of the future (PCB, 2001b:1).
• In the US, a survey done in March 2001 revealed that:
o 85% of respondents (primarily large corporations and government agencies) detected security breaches
o 74% reported serious breaches
o 71% reported unauthorised access by insiders; 25% detected system penetration from the outside
o 186 respondents reported losses of US$377m (compared to US$265m from 249 respondents in 2000)
o most serious: Netspionage theft of US$151m reported by 6% of respondents (compared to US$66m in 2000)
o financial fraud was US$55m (compared to US$39.7m in 1999)
o loss due to sabotage: US$27m (compared to US$10m combined for the previous 3 years)
o 70% of respondents cited Internet connections as a frequent point of attack (compared to 59% in 2000)
o 91% of respondents (as opposed to 79% in 2000) detected employee abuse of Internet access privileges (PCB, 2001b:1).
Experian (2000:2) commissioned one of the most extensive research studies on the effect of Internet fraud on UK retailers. Eight hundred (800) UK retailers were interviewed and it was found that:
• Nine out of every ten Internet fraudsters in the UK were getting away with it: only 9% of fraud cases reported to the police by UK on-line retailers resulted in prosecution.
• 70% of companies thought that the Internet was inherently more risky than other routes to market, with the majority of respondents experiencing an increase in fraud on the Internet over the previous year. Fifty-two (52) per cent of on-line traders claimed that Internet fraud was a problem for their organisation and 55% said it was a growing problem.
• Retailers became aware far too late that they had been victims of fraud. Almost half the companies (48%) said it could take more than a month before they were made aware that they had been the victims of card fraud. Eighteen (18) per cent said that it took up to seven weeks.
• 11% of respondents had had their sites hacked into.
• Only 15% of companies had automated systems for detecting fraud. The vast majority employ expensive and inaccurate manual processes. Only 52% use any external data to verify a customer’s name and address.
• Fraudsters have realised that methods of prevention are currently so inadequate that they need spend little time or effort covering their tracks. Less than 10% of fraudsters bother with a redirection service at the goods delivery address, and only 10% make the effort to set up a false telephone account.
• 58% of companies thought that the fear of fraud was a significant barrier to successful trading on the Internet.
• Although Experian’s own client experience suggested an average level of charge backs of some 2.5% of sales, the survey indicated that retailers were experiencing lower than expected levels of fraud charge backs, with 20% of companies experiencing charge backs in excess of 1% of sales as a result of fraud. Forty-eight (48) per cent report charge backs of between 0 and 0.5%, and 8% report levels between 0.5% and 1.0%. This may indicate that on-line retailers are reluctant to reveal the true extent of their on-line fraud problem.
On the perception of fraud, 52% of UK Internet retailers claimed that Internet fraud was a problem for their organisation. Added to this, 58% of companies thought that the fear of fraud was a significant barrier to successful trading on the Internet and a similar number (57%) said that they had experienced an increase in fraud since using the Internet. Finally, 52% experienced a higher rate of fraud on the Internet as opposed to other routes to market and the vast majority (70%) thought that the Internet was inherently more risky (Experian, 2000:5).
From figure 2 below it is clear that the growth in e-commerce turnover has outpaced the growth in losses relating to e-fraud in recent years.
Figure 2: Growth of e-Fraud and On-line Security Incidents compared to Growth in Web Commerce (or e-commerce) between 1998 and 2002 (Golub 2003:11)
2.1 E-FRAUD IN SOUTH AFRICA
It is difficult to get an indication of the extent of e-fraud in South Africa and the effect that it has on South African e-merchants. One global survey that had significant South African input is the 2001 e.fr@ud survey, the major findings of which were that:
• only 9% of respondents admitted that a security breach had occurred in their organisation within the previous 12 months
• while most believed that the security of credit card numbers and personal information were by far their customers’ most important concerns, fewer than 35% performed security audits on their e-commerce systems, and only 12% had websites bearing the seal identifying that their e-commerce systems had passed a security audit
• 79% stated that the highest probability of a breach occurring to their e-commerce systems would be perpetrated through the Internet or other external access (KPMG, 2001:35).
As indicated in figure 3 below, South African respondents (together with French respondents) perceived the greatest likelihood of e-fraud happening in their organisations:
Figure 3: e-Fraud - Perceived Likelihood of Occurrence (KPMG, 2001:33)
2.1.1 Legislation against Cyber Crime in South Africa
The 2001 e.fr@ud survey found that South Africa had no cyber crime specific laws in place (KPMG, 2001:35).
2.2 PROFILES OF CYBER CRIMINALS
The following kinds of cyber or computer criminals can be identified:
• The outside hacker – with or without criminal objectives, with increasingly sophisticated skills and tools. Even attacks with no direct criminal action can cost a company millions, e.g. hacking into a web server and disabling a website.
• The computer technology insider – disgruntled employees or ex-employees using their knowledge of an organisation’s IT landscape to delete data, expose data publicly, or sell data to competitors. More insider attacks than outsider attacks are reported.
• The white collar criminal – is situation-motivated and sees himself as a business or personal problem-solver rather than as a criminal. The white collar criminal generally begins his/her career trying to hide errors, solve financial problems, get a better job and survive a short-term business downturn, e.g. a loyal and trusted employee in financial difficulties who sells sensitive information to a competitor.
• The career criminal – is an organised criminal with significant skills, resources and a strong financial gain motivation who views computers as tools of the trade. He works hard at mastering the technology and using it to accomplish his goals, just like any other professional, and sometimes makes use of a young technology expert to do the work for him. The significant increase in both college students and unsophisticated fraud perpetrators seems to indicate that the Internet has become the first choice for thieves who, in another age, might have just been “petty shoplifters or locker room pickpockets”.
• The political activist or terrorist – uses computer crime to make a statement, launder money or expose certain information, and can make use of a young technology expert to do the work (cf. UN 1994:7; Groebel et al., 2001:23-24; Centeno, 2002:15; Smith, 1999a:3; & Turnbull, 2001:10).
2.3 PROFILES OF E-MERCHANTS WHO ARE AT RISK
According to Verisign (2001:2), Scutt (2001:7) and Centeno (2002:15), the following e-merchant profiles are at greater risk of certain types of fraud than others:
• Smaller merchants without robust security defences. Inexperienced or small merchants with no or limited risk management tools can fall prey to criminals using sophisticated spidering techniques and intelligent agents to identify vulnerable points. Criminals use this information to break into networks and other ICT infrastructure in order to steal smaller merchants’ account access information for hijacking or merchant takeovers.
• High-visibility merchants. It is a double-edged sword. Merchants need to be visible to attract customers, yet fraud attempts are higher against merchants who advertise heavily or who are in the news. Criminals know that merchants who are experiencing higher than normal transaction volumes due to a special promotion or a news story have less time to defend themselves against fraud.
• Larger merchants with high transaction volumes. However, given the increasing sophistication of fraud protection systems deployed by larger e-commerce merchants, smaller merchants with little to no protection are starting to become targets of fraud.
• Merchants who sell high unit value goods, such as electronic items and luxury goods that can easily be resold or sold on on-line auctions.
• Merchants hosting on-line auctions, which represent the vast majority of consumer complaints in the US.
• Soft goods merchants – merchants that sell digital content or software that can be downloaded from the Internet. The purchase of these goods does not require physical address information (e.g. a shipping address), making it easier for criminals to disguise a fraudulent transaction.
• Merchants who sell internationally. It is difficult to validate the address or identity of foreign buyers, and it is more difficult to investigate fraudulent activity from an overseas source.
• All merchants face an increased risk of fraud during the holiday season and special sales promotions. Criminals know that merchants have limited time for fraud protection measures when sales volumes are high. Sales double in the 4th quarter, while Internet fraud rates triple.
2.4 BEHAVIOURAL TRAITS ASSOCIATED WITH FRAUDULENT TRANSACTIONS
According to Experian (2000:7) the typical modus operandi of UK on-line fraudsters committing card not present (CNP) fraud is:
“Real name at real address but not the cardholder’s name”: The fraudster gives a real name and address, which would be verified by a data source like the voters’ roll. The name and address were probably supplied to the voters’ roll for the purpose of fraud, but the card number given matched a different name. This suggests inadequate procedures for linking the name, address and cardholder’s name.
“Cardholder’s name at real address but not the cardholder’s address”: The fraudster gives a name that matches the account name, but the address provided does not match the billing address. This again suggests that there needs to be a link between billing address and delivery address.
“False name at real address”: This can only work where no reference is made to a data source like the voters’ roll when authorising the transaction.
“Cardholder’s genuine name and address but parcel delivered to another address”: This illustrates a dilemma faced by on-line retailers who despatch goods to an address other than the cardholder’s billing address. In many cases (e.g. presents) these transactions will be genuine, but the process clearly lends itself to extensive abuse by fraudsters and is an easy way to defraud an on-line retailer.
Table 1: Typical Modus Operandi of UK On-line Fraudsters (Experian, 2000:7)
Centeno (2002:15), Scutt (2001:6) and Visa (2002b:1) identify the following behavioural traits associated with fraudulent transactions:
• A first-time shopper performing more transactions than usual, using large order amounts, particularly when purchasing low-cost items
• Ordering several of the same item
• Attempting to make tracing hard by rushing orders (willing to pay a lot for expedited delivery), making overnight orders and shipping to Post Office boxes
• Using an anonymous or free e-mail address or free web-based e-mail address
• Requesting the use of a ‘bill to’ address that is different from the ‘ship to’ address, or an international delivery address
• Using one single delivery address and multiple cards
• Using a single card to multiple delivery addresses
• Using multiple cards from a single IP address
• Acting as bogus merchants.
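The linkage checks in Table 1 and the behavioural traits above are the raw material of a merchant-side fraud screen. The following is an added example, not code from the article or from Experian, Centeno, Scutt or Visa: it turns those observations into weighted rules and keeps in-memory history so that the velocity rules (many cards from one IP, one card to many delivery addresses, one delivery address for many cards) can fire across orders. The weights, the decision thresholds, the stand-in voters'-roll data, the free-mail domain list and the four orders are assumptions constructed for the example.

```python
"""Rule-based screening of card-not-present (CNP) orders (added example).

Encodes the Table 1 name/address/cardholder linkage checks and the
behavioural traits as weighted rules; weights, thresholds and data are
assumptions, not figures from the article.
"""
from collections import defaultdict
from dataclasses import dataclass

FREE_MAIL_DOMAINS = {"hotmail.com", "yahoo.com", "yahoo.co.uk", "mail.com"}  # assumption
RUSH_SHIPPING = 25.0                 # assumption: shipping charge at or above this is "expedited"
LARGE_FIRST_ORDER = 500.0            # assumption: first-time basket value that draws attention
ACCEPT_BELOW, REJECT_FROM = 15, 50   # assumed decision thresholds

# Stand-in for an external name/address source such as the voters' roll (constructed).
VOTERS_ROLL = {("alice smith", "12 high street, leeds"),
               ("carol white", "3 mill lane, york")}


@dataclass
class Order:
    order_id: str
    name: str             # name typed on the order form
    card_name: str        # cardholder name as known to the issuer
    billing_addr: str
    shipping_addr: str
    email: str
    ip: str
    card_token: str       # a token/hash, never the PAN itself
    items: dict           # sku -> quantity
    unit_price: float     # one price per order keeps the sample small
    shipping_cost: float
    first_time: bool


def on_roll(name, addr):
    return (name.lower(), addr.lower()) in VOTERS_ROLL


class Screener:
    def __init__(self):
        self.cards_by_ip = defaultdict(set)
        self.addrs_by_card = defaultdict(set)
        self.cards_by_addr = defaultdict(set)

    def score(self, o):
        """Return (score, decision, reasons) for one order and update velocity state."""
        reasons = []

        def hit(points, why):
            reasons.append((points, why))

        # Table 1: linkage between order name, cardholder name and the two addresses
        if o.name.lower() != o.card_name.lower():
            hit(30, "order name differs from cardholder name")
        if not on_roll(o.name, o.billing_addr):
            hit(20, "name and billing address not linked in reference data")
        if o.billing_addr.lower() != o.shipping_addr.lower():
            hit(15, "ship-to differs from bill-to")
        if "po box" in o.shipping_addr.lower():
            hit(15, "delivery to a PO box")
        # Behavioural traits
        if o.email.rsplit("@", 1)[-1].lower() in FREE_MAIL_DOMAINS:
            hit(10, "free web-mail address")
        if o.shipping_cost >= RUSH_SHIPPING:
            hit(10, "expedited delivery")
        if any(q >= 3 for q in o.items.values()):
            hit(10, "several of the same item")
        if o.first_time and sum(o.items.values()) * o.unit_price > LARGE_FIRST_ORDER:
            hit(15, "large first-time order")
        # Velocity: record this order, then see what it now shares with earlier ones
        ship = o.shipping_addr.lower()
        self.cards_by_ip[o.ip].add(o.card_token)
        self.addrs_by_card[o.card_token].add(ship)
        self.cards_by_addr[ship].add(o.card_token)
        if len(self.cards_by_ip[o.ip]) > 1:
            hit(25, "multiple cards from one IP address")
        if len(self.addrs_by_card[o.card_token]) > 1:
            hit(20, "one card, multiple delivery addresses")
        if len(self.cards_by_addr[ship]) > 1:
            hit(20, "one delivery address, multiple cards")
        total = sum(p for p, _ in reasons)
        decision = "accept" if total < ACCEPT_BELOW else "review" if total < REJECT_FROM else "reject"
        return total, decision, [why for _, why in reasons]


# Constructed orders: a regular customer, a classic CNP fraud, a genuine gift, a repeat hit.
SAMPLE_ORDERS = [
    Order("o1", "Alice Smith", "Alice Smith", "12 High Street, Leeds", "12 High Street, Leeds",
          "alice@example.co.uk", "203.0.113.5", "tok-a", {"lamp": 1}, 40.0, 4.0, False),
    Order("o2", "Bob Jones", "Alice Smith", "12 High Street, Leeds", "PO Box 77, London",
          "bj123@hotmail.com", "198.51.100.9", "tok-a", {"phone": 3}, 300.0, 30.0, True),
    Order("o3", "Carol White", "Carol White", "3 Mill Lane, York", "8 Park Road, Bath",
          "carol@example.org", "192.0.2.44", "tok-b", {"lamp": 1}, 40.0, 4.0, False),
    Order("o4", "Dan Brown", "Dan Brown", "5 Oak Avenue, Bristol", "PO Box 77, London",
          "dan.b@mail.com", "198.51.100.9", "tok-c", {"phone": 1}, 300.0, 30.0, True),
]


def screen_all(orders=SAMPLE_ORDERS):
    """Screen orders in arrival order; velocity rules depend on what came before."""
    s = Screener()
    return {o.order_id: s.score(o) for o in orders}
```

Calling `screen_all()` accepts o1 outright, rejects o2 (name mismatch, PO box, rush delivery, three identical items on a first order, and the same card that was just used at Alice's address) and o4 (second card from the IP that placed o2, shipping to the same PO box), and puts o3 into manual review: it is exactly the "genuine name and address but parcel delivered elsewhere" case in Table 1, which should be looked at rather than refused. The review band, rather than a single accept/reject cut-off, is what keeps the gift case from becoming a lost sale.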
3 E-FRAUD AND ITS EFFECTS ON THE SMALL E-MERCHANT
e-Merchants (the owners of e-business websites) are exposed by codes of conduct and legislation that have been put in place to stimulate public trust in and uptake of e-business:
• Proof of Shipping. E-merchants are generally obliged, by their merchant agreement with the bank, to provide proof of shipping before funds are released into their bank accounts, i.e. they have to have shipped the product or inventory to the consumer before the transfer of funds takes place (Mann, 1999:47).
• Card not Present Transaction. At the same time, on-line transactions are considered "card not present" (CNP) transactions since the card was not swiped through a point of sale (POS) terminal and the identity of the cardholder could not be verified in person. CNP status implies that, should a dispute arise between the cardholder and the merchant (i.e. the cardholder alleges that he never made the transaction), the card company will refund the cardholder in full (with minimal investigation, and for a period of 180 days or 6 months after the transaction date) whilst deducting the whole amount from the merchant as well as deducting a penalty payment from the merchant (Mann, 1999:14; Experian, 2000:7).
• Charge backs. The issue of charge backs is highly sensitive to on-line retailers, and it is difficult to assess the true extent of the problem. In the case of a fraudulent transaction, the e-merchant loses everything: the transaction amount gets withdrawn from his merchant account, a penalty charge is levied and, since the product has been shipped and delivered, the e-merchant suffers the loss of inventory as well as the shipping costs associated with the fraudulent transaction. In some cases, on-line retailers will actually meet the cost of fraud personally to avoid higher charge backs and the risk of losing their merchant’s licence.
As portrayed in Table 2 below, 48% of UK Internet retailers admitted to charge backs of up to 0.5% of total transactions as a result of Internet fraud; 8% said their level was up to 1%; and 20% said that their level was in excess of 1% of total transactions. However, a significant proportion (23%) refused to answer this particular question (Experian, 2000:7).
Charge backs as a percentage of total transactions: share of UK Internet retailers
Up to 0.50%: 48%
1.00%: 8%
1.50%: 3%
2.00%: 3%
3.00%: 3%
4.00%: 2%
4.50%: 2%
5.00%: 2%
5-10%: 2%
10%+: 3%
Refused to say: 23%
Table 2: Charge Backs as a Percentage of Total UK On-line Transactions (Experian, 2000:7)
The UK Association for Payment Clearing Services (APACS) reported in their 2000 annual review that the major growth areas for card crimes were counterfeit and card not present (CNP) fraud, which were largely responsible for the steep increases in 2000 losses suffered by UK merchants and the financial services industry (Apacs, 2001:23; Experian, 2000:7). Figure 4 below indicates that CNP and counterfeit card fraud together made up 55% of all card fraud suffered in the UK. The effect of e-fraud on this trend is clearly visible in the exponential growth of these fraud categories in the preceding decade:
Figure 4: Detailed Breakdown of Credit Card Fraud in the UK for the year 2000 (Apacs, 2001:20)
For the year 2002 Apacs (2003a:18) reported that card not present (CNP) fraud, i.e. fraud committed via mail order, telephone and the Internet, continued to grow (the combined CNP and counterfeit share rose by 6 percentage points in 2 years if Figure 4 above is compared with Figure 5 below). Apacs (2003a:18) initiated a CNP Fraud Strategy Project that involves the development of sector-based forums of high-risk merchants alongside key banking members. The main objectives include developing best practice material and considering effective, legal forms of data sharing.
Figure 5: Detailed Breakdown of Credit Card Fraud in the UK for the year 2002 (Apacs, 2003a:18). 2002 fraud losses by category: counterfeit card 35%; CNP / fraudulent possession of card details 26%; lost / stolen 26%; mail non-receipt 9%; application fraud 2%; other 2%.
Experian (2000:5) found that 77% of on-line retailers in the UK took orders over the phone as well as the Internet; 13% took orders over the Internet only and 10% took orders only over the phone, directing on-line shoppers to a toll free number. On a general note, the overwhelming majority (96%) said that they conducted business on-line with card not present (CNP) transactions, and 95% said that their goods were of interest to thieves.
Figure 6: The Exponential Growth of Counterfeit and CNP Fraud (attributable to the effects of e-fraud) in the UK during the decade 1991-2000 (Apacs, 2001:19)
3.1 THE COSTS OF E-FRAUD
• Golub (2003:11) estimated the loss to e-merchants in terms of higher fees, charge backs, bank charges, loss of inventory, etc. as a result of the above three points to have been on average 7% of an e-merchant’s turnover in 2002. Verisign (2001:1) details the losses of an e-merchant who processes a fraudulent on-line transaction as:
o Higher discount rate on the merchant account. Because of the higher prevalence of e-fraud, discount rates for on-line transactions are typically 30 to 60 per cent higher than off-line or "brick and mortar" rates.
o The merchant carries the financial loss of a fraudulent on-line transaction. According to CyberSource (2002:7), 31% of UK merchants did not know they were liable for losses incurred as a result of CNP fraud. Many were under the misconception that the credit card company, bank or shopper would pick up the cost.
o Inventory loss and shipping costs for physical goods that are fraudulently purchased and delivered are also carried by the merchant.
o Charge back penalties assessed by the acquiring bank of US$15-US$30 per fraudulent transaction. In the UK, 20 per cent of UK business-to-consumer retailers are paying charge back fees in excess of one per cent of sales (Experian, 2000:8).
o Increased discount rates assessed to the merchant as a result of processing fraudulent payments.
o Labour cost for the merchant to investigate and resolve the charge back.
o Higher administration costs on orders due to staff spending more time screening orders. This may include calling the customer and confirming the order (CyberSource, 2002:8).
o Fines and cancellation of the merchant account. Five- to six-figure card association fines or the cancellation of a merchant's account when card fraud rates are consistently high (cf. also Weber, 2001:8).
• Rejection of non-fraudulent transactions due to fear of fraud.
In addition, according to Gartner Group estimates, merchants reject an estimated 5% of all transactions out of suspicion of fraud, while only 2% of transactions are actually fraudulent. The result is a significant amount of lost sales (up to 3% of sales volume) in an attempt to reduce fraud risk (Verisign, 2001:1). Grant (2002:1) reports that 7% of on-line sales are rejected for potential fraud but just 1.13% are actually fraudulent.
• Non-completion of transactions due to lack of consumer trust. On an industry-wide level, it is also alarming that 23% of potential on-line shoppers do not complete a transaction because of fear and not wanting to enter their personal details on-line (Gobulev, 2003:3).
• Scutt (2001:5) summarises the cost of e-fraud as follows:
Cost of losing “valid” orders:
o Loss of order
o Loss of customer loyalty
Cost of managing fraudulent orders:
o Manually resolving bad transactions (estimated at up to £40/order)
Bank and card processor fees:
o Higher discount rates
o Charge back fees
o Fines
o Termination of service for excessive charge backs
Cost of goods sold:
o Merchants are 100% liable for mail order / telephone order (MOTO) transactions
Table 3: The Costs of e-Fraud
From the above it is clear that some e-merchants stand to lose up to 10% of their turnover (and a much higher percentage of their profit, if any) to fraud-related costs (up to 7%) and the cost of rejecting sales in order to prevent e-fraud (up to 3%). This figure could be reduced by up to one third (4% of turnover) if a way could be found to improve the basis on which potentially fraudulent transactions are rejected.
According to Experian (2000:6), UK Internet retailers had a low take-up of automated fraud detection systems, which suggested that products were scarce or, if available, not being used, and that automated solutions were too expensive. Fifty-five (55) per cent of these retailers employed manual fraud detection systems and only 15% used automated systems. Just over half (52%) said that they used external data to verify either the name or the address of the shopper. Of those that used external information sources, 61% said they used the Postal Address File, which verified that an address was genuine but did not link address to name. Thirty-nine (39) per cent used the voters’ roll to verify name and address links; 29% used a telephone CD or bureau service to verify phone numbers and just 12% checked with a Card Hot List (APACS) to see whether the card number belonged to a stolen credit card. Only 25% of UK Internet merchants asked for a work e-mail address alongside a home e-mail address for added verification when taking an order.
When asked what fraud solutions were most needed, the majority (63%) identified an urgent requirement for instant on-line personal identity verification systems that check both name and address and link cardholder details to a billing address. Many mentioned that more was required from the banks and card issuers to ensure that this requirement was met.
A significant finding of Experian’s (2002:8) research on fraud amongst UK Internet merchants was the lack of sophistication in the modus operandi of Internet fraudsters. It appears that verification systems are so inadequate that fraudsters need make little effort to cover their tracks. In the experience of most on-line retailers, around 10% of fraud takes place with a redirection service at the end of it and only 10% of fraud occurs with the fraudster having opened a telephone account in a false name.
Another issue relates to the time delay in identifying that a fraud has been committed. In this respect, the majority of fraud becomes apparent after six weeks. Thirty-three (33) per cent of companies said that it took over two months (eight weeks+) before they were notified that they had been victims of a fraud; and 18% said that it took between four and seven weeks. During this time, their site was vulnerable to repeat attacks. Interestingly, although the majority said that fraudsters tended to hit once on average, a sizeable number said that they had been hit twice, and 18% said that they were hit on average three times by the same fraudster before the fraud was detected. In fairness, the time delay is often due to the fact that the genuine cardholder has yet to open his/her monthly statement and report “unknown transactions” to the issuer (Experian, 2000:8).
With regard to overseas trading, Experian (2000:9) reports that UK Internet merchants found it difficult to authenticate overseas customers. The most common response from those merchants who traded overseas was the lack of data available to verify whether a name and address provided by a customer was genuine (33% of all companies). The responses to the question about what problems companies faced when trying to establish whether a customer was genuine can be summarised as follows:
Don’t accept non-UK customers or conduct business overseas: 45%
No way of finding out whether an overseas customer is genuine, through absence of effective databases: 33%
Have problems identifying the card issuer: 22%
Table 4: Verifying Overseas Orders
Experian (2000:9) found a clear reluctance among UK Internet merchants to trade with non-UK customers. Sixty (60) per cent of UK Internet merchants said that only up to 10% of their Internet business was conducted with overseas customers; 12% said it was between 11% and 20% (see table below):
Share of Internet business with overseas customers: share of UK Internet merchants
0-10%: 60%
11-20%: 12%
21-30%: 8%
31-40%: 2%
41-50%: 5%
51-60%: 2%
61-70%: 2%
71-80%: 2%
Don’t know: 3%
None: 5%
Table 5: Trading with Overseas Customers
Looking at fraud levels, there was a clear indication that overseas business was more prone to fraud. Twenty-six (26) per cent of the sample said that up to 10% of non-UK card transactions were fraudulent; 13% thought it was between 11 and 20%; and 22% didn’t know the answer (Experian, 2000:9).
Less than half (43%) of those surveyed reported any fraud to the police, and more than half (57%) of those who did encountered a ‘lack of interest’ from the police. More worrying is that a prosecution was set in motion in only 9% of the cases reported to the police. In 12% of cases the businesses tried to recover the defrauded money themselves, most of them opting for a debt recovery agent (Experian, 2000:13).
3.2 E-FRAUD PREVENTION
Due to the impact of e-fraud on consumer trust and the complexity of legal prosecution, more and more emphasis will be placed on fraud prevention as the first step in reducing fraud. Apart from the criminological and legal aspects of e-fraud prevention (e.g. laws with stricter penalties, police having specialised units to track down cyber criminals), two main categories of e-fraud prevention can be recognised:
a. The technological and process-related or hard measures of e-fraud prevention
b. The human or soft measures of e-fraud prevention (cf. Centeno, 2002:21; Smith, 1999a:7; Smith, 2000:18; Smith, 2002:5).
3.2.1 Hard Measures of e-Fraud Prevention
Different “hard” or technology-based security measures are proposed by card companies and banks to address the on-line payment fraud risks consumers and merchants face. These measures aim to provide data confidentiality and integrity, and consumer and merchant authentication, for each individual transaction. Payment schemes are promoting security standards and best practice to increase information security at banks, merchants and service providers. The protection of consumers’ PCs is also increasingly stressed. Often overlooked, the vulnerability of the consumer's PC is considered one of the major security threats by some security experts (Centeno, 2002:21).
Figure 7: Comparison of Fraud Prevention Methods (CyberSource, 2002:8)
3.2.2 Soft Measures of e-Fraud Prevention
Recognising the importance of the human factor in building security, special attention is paid to non-technology based or “soft” measures, since humans themselves may be the weakest link in securing information systems. The strongest cryptography will not help if a user compromises the password (Centeno, 2002:22). Three main groups of role players need to be made aware of and educated about the risks of e-fraud:
Organisations and Service Providers
Perhaps the greatest risk of fraud to an organisation lies within its own staff. Smith (1999b:4) reports that fraud is most often carried out by employees, particularly at senior management level. The administration of modern technologically-based security systems involves a wide range of personnel, from those who manufacture security devices to those who maintain sensitive information concerning passwords and account records. Each has the ability to make use of confidential information or facilities to commit fraud or, what is more likely to occur, to collude with people outside the organisation to perpetrate an offence.
The following appear to be key building blocks for reducing e-fraud at service providers:
• Awareness of security risks at all organisational levels
• Education of employees and end-users
• Good internal security managerial, organisational and operational policies and procedures
• Screening and monitoring of employees (Centeno, 2002:23; Smith, 1999b:3).
The table below presents common general security mistakes that people make in relation to computer security:
User Security Mistakes
• Opening unsolicited e-mail attachments without verifying the source or checking the content
• Failing to install security patches (especially for Microsoft Office, Internet Explorer and Netscape)
• Installing screen savers or games from unknown sources
• Not making and testing backups
• Using a modem while connected through a LAN
• Writing down passwords or even storing passwords in password files
• Leaving the machine on and unattended, and leaving laptops unsecured and unattended
• Poor password selection
• Talking about confidential data such as passwords
• Failing to do transaction monitoring. Transaction monitoring software that can automatically screen all transactions and report suspicious transactions via an electronic alert is available (cf. Centeno, 2002:23; KPMG, 2000:15; Smith, 1999:5).
Senior Management Security Mistakes
• Assigning unscreened and untrained people to security maintenance and providing neither training nor time to learn
• Failing to see the consequences of poor security. Senior managers, system and network operators in the private sector spend only as much on security as they can justify on business grounds, which may be much less than the business needs. The same is true of government agencies that must work within budget constraints
• Failing to deal with the operational aspects of security, i.e. following up fixes
• Relying primarily on a firewall for security
• Failing to realise how much money the business information and organisational reputation are worth
• Authorising reactive short-term fixes so that problems re-emerge rapidly
• Pretending problems will go away if they are ignored
• Not putting the correct policies and procedures in place to manage fraud
• Failing to do pre-employment integrity screening of relevant employees, and failing to institute red-flag integrity screening of relevant employees during employment
• Failing to keep all personal information in locked files and establish secure procedures for data services, and failing to encrypt all personal and confidential information on computers
• Failing to secure methods for disposing of personal information
• Failing to appoint a 3rd party to carry out privacy audits/investigations that gauge how vulnerable records are to theft
• Failing to verify the professional qualifications and integrity of 3rd party service providers or potential partners
• Failing to limit the use of personal identifiers (Centeno, 2002:23; KPMG, 2000:8; Experian, 2002:7; Smith, 1999b:5; CSTB, 2002:6; Urban, 2003:21)
Table 6: Common Security Mistakes
Consumer Awareness
Consumers can play a significant role in reducing merchant fraud risk by playing an active role and adopting a cautious attitude when shopping on-line. Recommendations for fraud prevention are:
• Verify the merchant’s identity, company information (name, physical address and phone number) and use of codes of conduct or trust marks. Check the seller’s reputation (in on-line auctions)
• Be suspicious about very advantageous deals from free e-mail addresses
• Check whether the secure socket layer (SSL) protocol is used for data protection
• Check the company’s security policies and tools used, in particular the privacy policy and how personal details may be used
• Look for insurance for buyers
• Pay on delivery or with a credit card, as this generally provides refund rights
• Ask the bank for a random card number option
• Keep a trace (e-mail), print the order screen, the terms and conditions and any communication with the merchant
• Update your virus protection software regularly and when a new virus alert is announced in the media
• Do not download files or click on hyperlinks sent to you by people you don’t know
• Use a firewall program
• Use a secure browser
• Always log off and close web browsers after on-line transactions
• Be careful with programs where merchants or entities want to remember your purchase data and allow you to use it again (e.g. cookies) or server-based payment wallets
• Do not store any financial data on your personal computer
• Before you dispose of an old computer, delete all personal information
• Avoid using easily available information as a password (cf. Centeno, 2002:24; Experian, 2002:7; Urban, 2003:18).
Finally, consumers also have a significant role to play in identifying fraud promptly by analysing their bank and card service provider’s statements in detail. Faster fraud detection can contribute to fraud prevention by blocking a lost, stolen or counterfeited card or other stolen identity data, and by identifying a fraudulent merchant or a fraud pattern (Centeno, 2002:24).
Merchant Awareness
The contribution merchants can make to fraud prevention by screening fraudulent transactions is often overlooked. The lack of consumer authentication by issuer banks, combined with merchants’ liability for fraudulent credit card transactions, has motivated the development of merchant-based authentication solutions, reducing on-line fraud by between 66% and 80%. These solutions sometimes combine “hard” and “soft” measures. They include address validation (in the US and the UK), on-line authorisation, customer follow-up (e-mail confirmation, etc.), customer history database consultation, fraud scoring systems, customer data format and content editing, rejecting orders with incomplete information, proof of delivery to the verified billing address, domain site checks, application of additional measures for high risk purchases (call the customer, ask for the issuer bank and phone number, ask for the exact name on the credit card), stating on the website that anti-fraud measures have been put in place, etc. (Centeno, 2002:24).
Merchant awareness and education is thus important and, to support it, some US organisations provide merchants with information on fraud types, statistics and best practices (cf. Antifraud.com, Scambusters.org). Merchants can do the following to combat the incidence of e-fraud:
• Prevent errors – prevent duplicate purchases – use pick-lists, where feasible, on the order form
• Collect complete customer billing/shipping information plus phone number and e-mail address for additional fraud screening and to facilitate follow-up communication with the customer
• Establish a process for reviewing suspicious orders
• Examine your charge backs to uncover any gaps to be closed with new rules
• Create negative files to prevent repeat offenders
• Create positive files to maintain customer loyalty
• Inform your customers of the company name that will appear on their statements so that the customers are not surprised (Scutt, 2001:26, 27).
Risk management is effective if it reliably protects the organisation's business goals, assuming that the goals are achievable and sustainable. It is efficient if it does this at the lowest sustainable long-term cost. A framework or model needs to encompass both of these measures, i.e. effectiveness and efficiency, if it is to be truly useful. To do this well, an organisation needs to be good at:
• Defining and articulating its sustainable business goals, and understanding how these goals are achieved
• Identifying and assessing risks that could prevent these business goals from being achieved
• Controlling these risks to the extent that they do not threaten the achievement of the business goals
• Making financial provision for these risks so that financial losses do not threaten the achievement of the business goals
• Ensuring, over time, that the business goals continue to be reliably protected at the lowest overall cost (Caragata, 1997:54).
Potential risks can be dealt with in two different but complementary ways:
• One approach is to apply risk control techniques to mitigate the negative impact that these risks might impose on the business goals by reducing the potential frequency and/or severity of events that might result in unacceptable loss. This approach includes setting up a business early warning system.
• The second approach, i.e. loss funding, ensures that these losses are adequately funded when they do occur and that cash flows and balance sheets are sufficiently protected (Caragata, 1997:55).
3.2.3 Risk Management Tools Available to Merchants to Combat e-Fraud

The following risk management tools can be employed to protect merchants against e-fraud:

Hot Lists
One of the first checks a merchant should put in place on his website or at his call centre is an internal hot list.
• Any person who carries out a fraudulent activity that results in a charge back has his/her details entered on the hot list. When the fraudster returns to the site and presses the ‘buy’ button to make a purchase, his/her personal details are checked against the hot list and the transaction is blocked. Hot lists are not an effective deterrent to fraud on their own. They can only stop repeat offenders from attacking merchants’ websites and call centres and are incapable of detecting first-time fraudsters. They are also frequently out of date: a fraudster’s details only become available when the merchant receives a charge back, which can take up to 90 days to arrive (CyberSource, 2002:8).
• The hot list service of a professional credit bureau can generally be accessed at a cost. These lists are more accurate and may also provide protection against fraudsters attempting to defraud a particular merchant for the first time.

Negative / Positive Files
All Internet merchants should create and maintain:
• Negative files that store all the attributes (e.g. name, address, card, etc.) of orders that resulted in charge backs or were blocked because of attempted fraud.
• Positive files in order to recognise “trusted customers” based on their name, address, card, etc. and therefore skip fraud checks (Scutt, 2001:16).
• Negative and positive files have the benefit of defending the merchant against repeat offenders. Orders from good customers can be identified and processed swiftly. Negative and positive files can be used as the basis for automatic approval/decline.
• One drawback of negative files is that fraudsters rarely come back after being caught out, while good customers’ card numbers that were used in fraud attacks can become embedded in a negative file (Scutt, 2001:17). The mirror-image drawback applies to positive files: once a trusted customer’s card or account details are stolen, an entry that skips all fraud checks waves the fraudster through, so a positive-file match should still be subject to velocity checks and real-time authorisation.

Velocity Checks
Most merchants will use a velocity check to back up a hot list.
• Whereas a hot list is used to target known criminals, velocity checks are designed to identify fraudsters before they have a chance to act. Retailers look at two patterns of on-line purchasing behaviour – velocity of use and velocity of change – to detect potential fraudsters. Velocity of use covers instances where criminals use fraudulently obtained credit card details to make multiple purchases on one site in the shortest possible time. Systems that check for velocity of use note how often a certain e-mail address, credit card number or phone number has been used over a certain period to obtain goods, and block further suspect purchases.
• Systems that check for velocity of change search for instances where one detail on a credit card – for instance the expiry date – has been changed repeatedly to enable the fraudster to make purchases. Some criminals will have obtained card numbers with a card generator, a program that produces syntactically valid numbers, some of which correspond to real accounts. Such tools cannot supply the matching expiry dates, so the criminal circumvents the problem by manually inputting different dates again and again until he gets the right one. Merchants can use software solutions on their servers to identify this type of behaviour (CyberSource, 2002:8).
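As an added illustration (not code from the original article or from CyberSource), the following Python sketch implements both velocity checks described above over a constructed stream of orders: velocity of use counts how often an e-mail address, card number or phone number recurs inside a sliding window, and velocity of change counts how many distinct expiry dates have been tried against one card number. The 24-hour window and the thresholds are assumptions; the orders, card numbers and e-mail addresses are constructed test data.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple


@dataclass(frozen=True)
class Order:
    ts: datetime
    email: str
    card: str      # in production, key on a hash/token of the PAN, never the PAN itself
    expiry: str
    phone: str
    amount: float


class VelocityChecker:
    """Sliding-window velocity checks (window and thresholds are illustrative assumptions)."""

    def __init__(self, window: timedelta = timedelta(hours=24),
                 max_uses: int = 3, max_expiry_variants: int = 2) -> None:
        self.window = window
        self.max_uses = max_uses                        # orders per key inside the window
        self.max_expiry_variants = max_expiry_variants  # distinct expiry dates per card
        self._uses: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
        self._expiries: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)

    def check(self, order: Order) -> List[str]:
        """Record the order and return the velocity flags it raises (empty if none)."""
        flags: List[str] = []
        cutoff = order.ts - self.window

        # velocity of use: the same e-mail / card / phone recurring too quickly
        for field in ("email", "card", "phone"):
            history = self._uses[(field, getattr(order, field))]
            history.append(order.ts)
            while history[0] < cutoff:           # drop entries that left the window
                history.popleft()
            if len(history) > self.max_uses:
                flags.append(f"velocity_of_use:{field}")

        # velocity of change: one card number submitted with varying expiry dates,
        # the pattern of someone guessing the expiry for a generated number
        attempts = self._expiries[order.card]
        attempts.append((order.ts, order.expiry))
        while attempts[0][0] < cutoff:
            attempts.popleft()
        if len({exp for _, exp in attempts}) > self.max_expiry_variants:
            flags.append("velocity_of_change:expiry")
        return flags


def screen(orders: List[Order]) -> List[List[str]]:
    """Run a fresh checker over the orders in arrival sequence; one flag list per order."""
    checker = VelocityChecker()
    return [checker.check(o) for o in sorted(orders, key=lambda o: o.ts)]


# Constructed sample stream (not real customers or cards), already in time order.
SAMPLE_ORDERS = [
    # an ordinary customer placing one order
    Order(datetime(2003, 8, 1, 9, 0), "anna@example.com", "4111111111111111", "05/05", "+27115550100", 120.0),
    # the same generated card number tried with a new expiry date every two minutes
    Order(datetime(2003, 8, 1, 10, 0), "x1@free-mail.example", "4539578763621486", "01/04", "+27115550199", 899.0),
    Order(datetime(2003, 8, 1, 10, 2), "x1@free-mail.example", "4539578763621486", "02/04", "+27115550199", 899.0),
    Order(datetime(2003, 8, 1, 10, 4), "x1@free-mail.example", "4539578763621486", "03/04", "+27115550199", 899.0),
    # one e-mail address running through four different cards in fifteen minutes
    Order(datetime(2003, 8, 1, 11, 0), "x2@free-mail.example", "5100000000000001", "12/04", "+27115550201", 450.0),
    Order(datetime(2003, 8, 1, 11, 5), "x2@free-mail.example", "5100000000000002", "12/04", "+27115550202", 450.0),
    Order(datetime(2003, 8, 1, 11, 10), "x2@free-mail.example", "5100000000000003", "12/04", "+27115550203", 450.0),
    Order(datetime(2003, 8, 1, 11, 15), "x2@free-mail.example", "5100000000000004", "12/04", "+27115550204", 450.0),
]

if __name__ == "__main__":
    for order, flags in zip(SAMPLE_ORDERS, screen(SAMPLE_ORDERS)):
        print(order.ts.time(), order.email, order.card[-4:], order.expiry, flags or "ok")
```

The third attempt on the generated card trips the velocity-of-change check before any authorisation is attempted, and the fourth card on one e-mail address trips velocity of use; everything earlier in each run passes, which is why the thresholds need tuning against the merchant’s own order history rather than being copied from here.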
Address Verification System (AVS)
Originally designed for mail order and telephone environments, AVS allows the billing address details provided by the purchaser to be verified against the billing address details held on file by the cardholder’s issuing bank.
• This real-time check is carried out as part of the authorisation process and a response, based on the validity of the address provided, is returned to the merchant. Although not foolproof – as many as 75 per cent of orders receiving a ‘no match’ reading with AVS are valid – this check allows merchants to better control fraud exposure through the knowledge that the billing address given by the consumer can be verified as genuine for that card (CyberSource, 2002:8). Note that US AVS compares only the numeric parts of the address (street number and ZIP code), so a ‘match’ is weaker evidence than the name suggests.

Card Verification
• Card verification is a system introduced by several card issuers to assist the acquiring bank, issuing bank and merchant in validating CNP (card-not-present) transactions. The check is based on three or four additional digits, distinct from the account number, that are printed on the front or back of the card. They are not encoded on the magnetic stripe or chip, so a skimmed stripe does not yield them. These digits help to validate the card as genuine and to assist in determining that the purchaser is actually in possession of the physical card. As a measure to reduce the risk of fraud, merchants can request these card verification digits on their website payment page or verbally as part of a telephone order (CyberSource, 2002:8). Card scheme rules prohibit the merchant from storing these digits after authorisation: they must be passed to the processor and never written to an order database or log.

Real-time Authorisation
Real-time authorisation:
• Validates that the card number exists and that sufficient funds are available
• Validates the expiry date for the card (not all processors)
• Verifies the billing address for the card – AVS (in most cases, US only)
• Where available, verifies the CVV2/CVC2/CID (the 3- or 4-digit card verification code described above; it is not a PIN) passed by the merchant against the code on file for that card (Scutt, 2001:14).
The benefit of real-time authorisation is that there is no need to validate an order once it has been declined. Unfortunately real-time authorisation does not protect the merchant from charge backs (Scutt, 2001:15).
Rules / Exceptions
Rules are typically “If … then” expressions that flag certain types of transactions for review prior to processing.
• Examples:
  o If the Amount is over 500 and the Shipping Type is “express” to a shipping address that does not match the billing address, then review the order before shipping.
  o If more than 2 DVD players were ordered, the Shipping Country is Romania and the Shipping Type is “express”, then review the order before shipping.
The benefit of rules is that they allow the merchant to apply expert knowledge relevant to the business. Rules are customisable and can be modified as market conditions and fraud trends change. Rules make it easy to determine why a transaction was flagged. The main drawback of rules is that they require constant updating and monitoring to ensure that they remain effective. Rules are only as good as the people who build them and they are, therefore, not effective at catching subtle patterns that may not be obvious to the merchant (Scutt, 2001:20).

Use any Boolean expression:
  o = equal to
  o != not equal to
  o < less than
  o <= less than/equal to
  o > greater than
  o >= greater than/equal to
  o Use “*” as a wildcard
  o Combine statements with AND / OR
Use any field in the database:
  o Billing Address, City, Province, Postal Code
  o Shipping Address, City, Province, Postal Code
  o Credit Card Number
  o Current Time, Day, Month, Year
  o Item Count
  o Quantity of a single item
  o Total Cost of Order
  o IP Address
  o Item Serial Number
(Scutt, 2001:19)
Table 7: Building Rules / Exceptions

Statistical Models
Statistical models, like a risk scoring facility, are essentially “learn by example” tools that test the transaction attributes of an incoming Internet order against known fraudulent activity listed in the statistical model database. The output of a statistical model is typically a risk score (e.g. 1-100). Statistical models leverage historical and forensic data in order to catch new fraud attempts. The risk score is determined by evaluating numerous factors simultaneously. Subtle patterns that would normally be overlooked by the merchant are highlighted by the statistical model. Unfortunately, most merchants do not have the ample, accurate and cleansed historical data that a statistical model requires to produce accurate results. Since multiple factors contribute to the risk score, it is sometimes difficult to interpret the score (Scutt, 2001:22).

Hybrid Solution (Arsenal Approach)
A hybrid solution combines the attributes of the above strategies, for example:
• Rules to enforce business rules or weed out obviously fraudulent transactions
• Real-time authorisation to validate the credit card number
• A statistical model to evaluate the overall risk
• Rules to determine whether to Accept, Reject or Review the order (Scutt, 2001:24).
The overall return on investment (ROI) depends on many factors:
  o Overall fraud rates
  o Total volume of transactions
  o Margin on transactions
  o Cost to review an order
  o In-house risk management expertise
A multi-tool (hybrid) solution typically leads to the highest ROI because better screening reduces the volume of orders to be reviewed (Scutt, 2001:24).

E-business was hailed as the great equaliser a few years ago, as it enabled small merchants to compete on an equal footing with large multinationals selling to a potential international client base. With regard to e-fraud and its prevention, the statistics and numbers above have shown that it is becoming very difficult for smaller e-merchants to survive and remain profitable if they cannot afford to subscribe to available fraud prevention services that would allow more accurate screening of transactions.
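The following Python sketch (an added example, not code from the original article or from Scutt) wires the tools above into the hybrid pipeline just described: a rules layer built from the Boolean expressions and fields of Table 7, including the two example rules quoted under Rules / Exceptions and a negative-file lookup; an additive risk score standing in for the output of a trained statistical model; and the final Accept / Review / Reject decision, with the reasons kept so that a flagged order stays explainable. Real-time authorisation is left out because it needs the processor. The negative file, the free-mail domains, the weights, the thresholds and the orders are all constructed assumptions.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Callable, Dict, List, Tuple

ACCEPT, REVIEW, REJECT = "accept", "review", "reject"

# Constructed negative file: card numbers that previously produced charge backs.
NEGATIVE_FILE = {"5500000000000004"}
# Wildcard patterns, as allowed by Table 7; the domains are made up.
FREE_MAIL_PATTERNS = ["*@free-mail.example", "*@webmail.example"]


def is_free_mail(email: str) -> bool:
    return any(fnmatch(email.lower(), pattern) for pattern in FREE_MAIL_PATTERNS)


@dataclass(frozen=True)
class Rule:
    name: str
    outcome: str                   # REVIEW or REJECT when the rule fires
    test: Callable[[dict], bool]   # any Boolean expression over the order fields


RULES: List[Rule] = [
    Rule("negative_file_hit", REJECT, lambda o: o["card"] in NEGATIVE_FILE),
    # the two example rules from the text
    Rule("over_500_express_to_other_address", REVIEW,
         lambda o: o["amount"] > 500 and o["shipping_type"] == "express"
         and o["ship_postcode"] != o["bill_postcode"]),
    Rule("bulk_dvd_players_express_to_RO", REVIEW,
         lambda o: o["items"].get("DVD Player", 0) > 2
         and o["ship_country"] == "RO" and o["shipping_type"] == "express"),
]

# Additive weights standing in for the score a trained statistical model would
# produce; factors and weights are illustrative assumptions, not fitted values.
SCORE_FACTORS: List[Tuple[str, int, Callable[[dict], bool]]] = [
    ("free e-mail domain", 25, lambda o: is_free_mail(o["email"])),
    ("ship country differs from billing country", 25, lambda o: o["ship_country"] != o["bill_country"]),
    ("IP country differs from billing country", 20, lambda o: o["ip_country"] != o["bill_country"]),
    ("ship postcode differs from billing postcode", 15, lambda o: o["ship_postcode"] != o["bill_postcode"]),
    ("order over 500", 15, lambda o: o["amount"] > 500),
    ("express shipping", 10, lambda o: o["shipping_type"] == "express"),
    ("first order from this customer", 10, lambda o: o["prior_orders"] == 0),
]
REVIEW_THRESHOLD, REJECT_THRESHOLD = 40, 80


def fired_rules(order: dict) -> List[Rule]:
    return [r for r in RULES if r.test(order)]


def risk_score(order: dict) -> Tuple[int, List[str]]:
    """Score 0-100 plus the names of the factors that contributed."""
    hits = [(name, weight) for name, weight, test in SCORE_FACTORS if test(order)]
    return min(100, sum(w for _, w in hits)), [name for name, _ in hits]


def decide(order: dict) -> Tuple[str, List[str]]:
    """Hybrid pipeline: hard rules, then the score, then the accept/review/reject rules."""
    rules = fired_rules(order)
    reasons = [f"rule:{r.name}" for r in rules]
    if any(r.outcome == REJECT for r in rules):      # e.g. negative file: stop here
        return REJECT, reasons
    score, factors = risk_score(order)
    reasons.append(f"score={score}")
    reasons.extend(factors)
    if score >= REJECT_THRESHOLD:
        return REJECT, reasons
    if score >= REVIEW_THRESHOLD or any(r.outcome == REVIEW for r in rules):
        return REVIEW, reasons
    return ACCEPT, reasons


def make_order(**overrides) -> dict:
    """Constructed order with plausible defaults; override fields to build test cases."""
    order = dict(email="anna@corp.example", card="4111111111111111", amount=120.0,
                 items={"Book": 1}, shipping_type="standard",
                 bill_country="ZA", ship_country="ZA", ip_country="ZA",
                 bill_postcode="2196", ship_postcode="2196", prior_orders=4)
    order.update(overrides)
    return order


SAMPLE_ORDERS: Dict[str, dict] = {
    "good_repeat_customer": make_order(),
    "express_to_other_address": make_order(amount=899.0, shipping_type="express",
                                           ship_postcode="4001", prior_orders=0),
    "card_in_negative_file": make_order(card="5500000000000004"),
    "overseas_free_mail_express": make_order(email="buyer77@free-mail.example", amount=1299.0,
                                             items={"DVD Player": 3}, shipping_type="express",
                                             ship_country="RO", ip_country="RO",
                                             ship_postcode="010101", prior_orders=0),
}

if __name__ == "__main__":
    for label, order in SAMPLE_ORDERS.items():
        decision, reasons = decide(order)
        print(f"{label:28s} -> {decision:6s} {reasons}")
```

The order of the layers matters: a negative-file hit is decided before any scoring, a high score rejects without manual effort, and only the middle band reaches a reviewer, which is the ROI argument made above for the hybrid approach.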
4 THE FUNDAMENTALS OF PREDICTIVE FORENSIC PROFILING

4.1 THE PARETO PRINCIPLE
It is nearly a century since Vilfredo Pareto (1848 - 1923) defined what became known as the Pareto principle (cf. Pareto, 1906). Commonly known as the 80/20 rule, the Pareto principle originally described the distribution of wealth: in any population that contributes to a common effect, relatively few of the contributors account for the bulk of the effect. JM Juran was the first person to generalise the Pareto principle and apply it to all areas of business as a means of focusing on the real problems or issues. Juran, the father of quality control, coined the phrase ‘the vital few and the trivial many’ that is regularly used to describe the Pareto principle. The Pareto principle is generally used in conjunction with the Lorenz curve (and the Gini index) as a graphical representation of the actual deviation from an equal distribution (cf. Lorenz, 1905).

More recent research confirms that the Pareto principle is surprisingly accurate in almost all industry verticals. The following trends can be found at the bottom end of the customer base:
• On average, 20% of a company’s customers contribute up to 85% of the profits, whilst 40-50% of customers eliminate 50% of the profits
• 50-60% of all customers are marginal or unprofitable
• Unprofitable customers account for 35-45% of activity costs
• Unprofitable customers consume 25-55% of total resources
• Very small unprofitable customers consume more resources than all profitable customers combined (cf. Buttle, 1999:5; Caufield, 1999:4; Hales, 1995:30; Humbarger, 2002:5; Reichheld & Sasser, 1990:108).

The Pareto principle can be applied to three scenarios as far as the smaller e-merchant is concerned:
• 1. Reduce the number of good transactions rejected as a precaution. In an attempt to minimise fraud, e-merchants are refusing suspicious transactions worth between 5% and 7% of total turnover. Research indicates that, of those rejected, the fraudulent transactions amount to between 2% and 3% of total turnover. This leaves transactions to the value of 3% to 4% of total turnover that are actually good customers rejected as a precaution.
  o If 20% of the good customers that were rejected are responsible for 80% of the lost turnover, identifying only 0.4% to 0.6% of the rejected customers could add 2.5% to 4% of total turnover to the bottom line.
• 2. Reduce the impact of the most damaging fraudsters. If 80% of fraud-related losses can be ascribed to 20% of fraudulent customers, fraud rates could be dramatically reduced if the number of transactions from customers in that 20% could be cut.
  o If orders from three quarters of the 20% most damaging customers could be rejected, fraud-related losses would be reduced by 60% (0.75 × 80%). If the fraud-related losses of the average e-merchant are 7% of total turnover, that would lead to an increase of 4.2% in total turnover.
• 3. Increase the impact of the best customers. If 20% of good customers are responsible for 80% of total turnover, the early identification of such customers will help the merchant to serve them faster and better, which will lead to greater customer satisfaction and sales revenue from this vital 20% of the customer base.

If the benefit of serving the 20% of customers that account for 80% of turnover better is left aside, and only the reduction in good orders rejected as a precaution (taken at 3.25%, the mid-point of the 2.5% to 4% range) and the reduced impact of the worst 20% of fraudsters are counted, the impact on an average e-merchant’s business could be the following:

Small e-Merchant with annual turnover of 300,000.00

Scenario 1: Current Situation
  Income                                            300,000.00
    Sales                                           300,000.00
  Expenditure                                       321,000.00
    Staff                                            60,000.00
    Stock                                           150,000.00
    Shipping                                         40,000.00
    IT, Hosting, etc.                                60,000.00
    Merchant Fees & Bank Charges                     11,000.00
  Profit (- Loss)                                   -21,000.00

Scenario 2: Situation after Improvements
  Income                                            322,350.00
    Sales                                           300,000.00
    Improvements                                     22,350.00
      Reduce amount of good transactions that
      were rejected as a precaution
      @ 3.25% of turnover                             9,750.00
      Reduce the impact of the most damaging
      fraudsters @ 4.2% of turnover                  12,600.00
  Expenditure                                       321,000.00
    Staff                                            60,000.00
    Stock                                           150,000.00
    Shipping                                         40,000.00
    IT, Hosting, etc.                                60,000.00
    Merchant Fees & Bank Charges                     11,000.00
  Profit (- Loss)                                     1,350.00

Table 8: Practical Example based on a Small e-Merchant Scenario
4.2 A DEFINITION OF PREDICTIVE FORENSIC PROFILING
In order to achieve the improvements as per the two scenarios in Table 8 above, and assuming that the small e-merchant cannot afford any sophisticated fraud prevention services or software, the following actions could be taken:

Reduce the number of good transactions that were rejected as a precaution (an average of 3.25% of turnover):
• Establish a profile of good clients (Forensic)
• Establish a profile of all fraud attacks (Forensic)
• Use industry trends and research to refine the fraudulent transaction risk profile (Predictive)
Reduce the impact of the most damaging fraudsters (4.2% of turnover):
• Establish a profile of the top 20 most damaging fraudulent transactions and compare it with the profile of all fraud attacks (Forensic)

Three of the four activities identified above can be classified as forensic profiling activities. Forensic profiling can be defined as retrospectively analysing behavioural data in order to come up with a profile that could help with the early identification of a similar profile in future. Predictive profiling can be defined as creating a predicted model or profile, based on external data, that could help with the early identification of an instance of the predicted model or profile in future. Combining the two forms of profiling in the four activities above should give the small e-merchant some protection against e-fraud. It is vital to note, however, that fraudsters’ modus operandi changes, and any profile created must be kept up to date to remain accurate. In the next section, some practical steps a small e-merchant could take are discussed.
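As an added worked example (not from the original article), the Python below carries out the forensic side of the activities listed above on a constructed order history: it builds an attribute-by-attribute profile of good orders versus orders that ended in charge backs, isolates the most damaging fraudulent transactions and checks the Pareto claim that a small share of them causes most of the loss, and then compares the profile of that top slice with the profile of all fraud attacks. The history, attribute values and amounts are constructed test data, and a 20% cut of fraudulent orders is used in place of the fixed “top 20” named in the text.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed order history (not real customers): loss is the charge back amount, 0 for good orders.
HISTORY: List[dict] = [
    dict(id=1, email_type="isp", ship_country="ZA", shipping="standard", amount=120, loss=0),
    dict(id=2, email_type="corporate", ship_country="ZA", shipping="standard", amount=340, loss=0),
    dict(id=3, email_type="isp", ship_country="ZA", shipping="express", amount=210, loss=0),
    dict(id=4, email_type="free", ship_country="ZA", shipping="standard", amount=95, loss=0),
    dict(id=5, email_type="corporate", ship_country="GB", shipping="standard", amount=480, loss=0),
    dict(id=6, email_type="isp", ship_country="ZA", shipping="standard", amount=60, loss=0),
    dict(id=7, email_type="isp", ship_country="ZA", shipping="standard", amount=150, loss=0),
    dict(id=8, email_type="corporate", ship_country="ZA", shipping="express", amount=720, loss=0),
    dict(id=9, email_type="free", ship_country="RO", shipping="express", amount=2400, loss=2400),
    dict(id=10, email_type="free", ship_country="ID", shipping="express", amount=1800, loss=1800),
    dict(id=11, email_type="free", ship_country="ZA", shipping="standard", amount=300, loss=300),
    dict(id=12, email_type="isp", ship_country="ZA", shipping="express", amount=250, loss=250),
    dict(id=13, email_type="free", ship_country="NG", shipping="express", amount=200, loss=200),
    dict(id=14, email_type="free", ship_country="ZA", shipping="standard", amount=150, loss=150),
    dict(id=15, email_type="isp", ship_country="ZA", shipping="standard", amount=120, loss=120),
    dict(id=16, email_type="free", ship_country="ZA", shipping="express", amount=100, loss=100),
    dict(id=17, email_type="corporate", ship_country="ZA", shipping="standard", amount=90, loss=90),
    dict(id=18, email_type="free", ship_country="RO", shipping="express", amount=80, loss=80),
]


def attribute_profile(history: List[dict], attr: str) -> Dict[str, dict]:
    """Forensic profile of one attribute: per value, order count, charge backs and fraud rate."""
    totals, chargebacks = Counter(), Counter()
    for o in history:
        totals[o[attr]] += 1
        if o["loss"] > 0:
            chargebacks[o[attr]] += 1
    return {v: {"orders": totals[v], "chargebacks": chargebacks[v],
                "fraud_rate": chargebacks[v] / totals[v]} for v in totals}


def most_damaging(history: List[dict], fraction: float = 0.2) -> Tuple[List[int], float]:
    """Ids of the top `fraction` of fraudulent orders by loss, and their share of total loss."""
    fraud = sorted((o for o in history if o["loss"] > 0), key=lambda o: o["loss"], reverse=True)
    if not fraud:
        return [], 0.0
    k = max(1, round(len(fraud) * fraction))
    top = fraud[:k]
    return [o["id"] for o in top], sum(o["loss"] for o in top) / sum(o["loss"] for o in fraud)


def compare_profiles(history: List[dict], attr: str,
                     fraction: float = 0.2) -> Dict[str, Tuple[float, float]]:
    """Per value of attr: (share among all fraud attacks, share among the most damaging ones)."""
    fraud = [o for o in history if o["loss"] > 0]
    top_ids = set(most_damaging(history, fraction)[0])
    top = [o for o in fraud if o["id"] in top_ids]
    all_counts = Counter(o[attr] for o in fraud)
    top_counts = Counter(o[attr] for o in top)
    return {v: (all_counts[v] / len(fraud), top_counts[v] / len(top)) for v in all_counts}


def fraud_profile(history: List[dict], attrs: List[str], min_rate: float = 0.5) -> Dict[str, List[str]]:
    """Attribute values whose charge back rate reaches min_rate: the merchant's own fraud profile."""
    return {a: sorted(v for v, p in attribute_profile(history, a).items()
                      if p["fraud_rate"] >= min_rate) for a in attrs}


if __name__ == "__main__":
    ids, share = most_damaging(HISTORY)
    print(f"top 20% of fraud orders {ids} caused {share:.0%} of the loss")
    print("fraud profile:", fraud_profile(HISTORY, ["email_type", "ship_country", "shipping"]))
    print("shipping, all fraud vs most damaging:", compare_profiles(HISTORY, "shipping"))
```

On this constructed history two of the ten charge backs account for roughly three quarters of the loss, and the profile of that pair (free e-mail, overseas delivery, express shipping) is sharper than the profile of all fraud attacks, which is exactly the comparison the fourth activity above asks for. The same functions run unchanged over a real export of orders and charge backs, provided the charge back amounts have been joined back onto the original orders.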
5 THE PRACTICAL APPLICATIONS OF PREDICTIVE FORENSIC PROFILING
If it is indeed possible to achieve the improvements as per Table 8 above, it may be viable for the smaller e-merchant to introduce a simple yet effective fraud reduction strategy. Combining predictive rules based on international statistics with a merchant’s own forensic data could have a marked impact on a smaller merchant’s profitability and turnover. The following strategy may be of help to smaller e-merchants.

5.1 VERIFICATION PROVIDED BY CREDIT CARD COMPANY
Credit card companies are developing more and more products designed to protect against losses relating to CNP (card-not-present) transactions. Note that verification differs in extent, and the e-merchant should be careful to understand the exact features and extent of the verification service offered by the credit card company. Verification can range from the most basic algorithm check (the Luhn check-digit test, which only confirms that a card number is syntactically possible, so that numbers produced by a card generator pass it) to sophisticated verification services that confirm that the number exists and that the details supplied (e.g. expiry date, billing address) are correct. In most cases verification does not protect the merchant in the event of a charge back. Where available (and affordable), the smaller e-merchant should subscribe to services such as real-time verification, where all details are verified with the credit card company in real time, while the order is being processed.

5.2 RULES / EXCEPTIONS
A red-flag, rules-based “early warning system” can be put in place by most e-merchants with little effort. A simple Excel spreadsheet with a drop-down questionnaire or a simple Access database could allow employees processing orders to identify and escalate potentially fraudulent orders. A predictive example of rules, based on current e-fraud statistics, could be:

  Is this an overseas order?                                    Yes
    If Yes, which continent?                                    Africa
    If Yes, which country?                                      Algeria
    If No, which province?
  Does the credit card issuer country correspond with the
  delivery and billing address? (i.e. someone living in
  Johannesburg is unlikely to use a card issued by an
  American bank)                                                Yes
  Has the customer ever ordered before?                         Yes
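The two ends of the verification spectrum described in 5.1 above, as an added Python example (not code from the original article or from any card company): luhn_valid is the basic algorithm check, luhn_complete shows how a card generator produces numbers that pass it, and verify_full stands in for a real-time service that also confirms that the number exists and that the expiry matches. The issuer file is a constructed stand-in for the issuer’s records, and the card numbers and expiry dates are test data.

```python
from typing import Dict, List

# Constructed stand-in for the issuer's records: card number -> expiry on file.
ISSUER_FILE: Dict[str, str] = {"4111111111111111": "05/05"}


def _luhn_sum(digits: List[int], double_from_right: int) -> int:
    """Sum of the digits after doubling every second one, counting from the right.

    double_from_right is 1 for a complete number (the check digit is rightmost and
    is not doubled) and 0 for a prefix whose check digit has not been appended yet.
    """
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == double_from_right:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(number: str) -> bool:
    """The basic algorithm check: is this number syntactically possible?"""
    digits = [int(c) for c in number if c.isdigit()]
    return len(digits) >= 2 and _luhn_sum(digits, 1) % 10 == 0


def luhn_complete(prefix: str) -> str:
    """What a card generator does: append the check digit that makes a prefix pass."""
    digits = [int(c) for c in prefix if c.isdigit()]
    return prefix + str((10 - _luhn_sum(digits, 0) % 10) % 10)


def verify_basic(number: str) -> bool:
    """Lowest level of verification: the number is possible, nothing more."""
    return luhn_valid(number)


def verify_full(number: str, expiry: str) -> bool:
    """Stand-in for real-time verification: the number exists and the expiry matches."""
    return luhn_valid(number) and ISSUER_FILE.get(number) == expiry


if __name__ == "__main__":
    generated = luhn_complete("453957876362148")   # assumed generator output
    print(generated, "basic:", verify_basic(generated), "full:", verify_full(generated, "01/04"))
    print("4111111111111111", "basic:", verify_basic("4111111111111111"),
          "full:", verify_full("4111111111111111", "05/05"))
```

The generated number passes the basic check and fails the full one, which is the whole difference between the two services: a merchant paying only for the algorithm check has no evidence that an account exists behind the number, let alone that the buyer holds the card.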