Driving Payment Innovation - Know Your Enemy


Understanding Payment Fraud Risks and Exposures

Published in: Business, Economy & Finance

  1. “KYE” - KNOW YOUR ENEMY
     Understanding Payment Fraud Risks and Exposures
     Andrea Wilson, CEO, First Atlantic Commerce Ltd

  2. Agenda
     - The Shadow Economy – KYC or Know Your Enemy?
     - Current Trends in Online Fraud
     - 2008 - 2009 Online Fraud Statistics
     - Current Online Fraud Detection Tools
     - Payer Authentication – Who’s Protected and How?
     - Our recommendations

  3. The Shadow Internet Economy
     - Online fraud continues to be a growing and costly experience for all online merchants;
     - Fraudsters are far more sophisticated and understand the card processing systems far better than most merchants!
     - Identity theft is the single largest threat to non face-to-face transaction processing;
     - Phishing, skimming, spoofing, malware, server hacking, credit card number generators, counterfeiters, black market card and billing address lists, and keystroke loggers are all prevalent methods used by fraudsters today to obtain personal and financial information!
     - The “Shadow Internet Economy” is a staggering $105 billion underground business causing havoc worldwide.
     Copyright First Atlantic Commerce Ltd 2009

  4. The Shadow Internet Economy
     - Existing fraud detection methods are proving to be outdated and easily manipulated by clever fraudsters who employ:
       - Undetected malware programmes, trojans, spyware
       - CVV2 data manipulation
       - Device skimming and card counterfeiting
       - Phishing/ID theft
       - Authorisation response message data manipulation
       - Verified By VISA and SecureCode™ enrolment phishing scams
       - Online banking web site phishing scams
       - Nigerian money transfer emails

  5. The Shadow Internet Economy
     - PCI data standards and merchant PCI and SDP certification help ensure that hackers cannot easily get access to your systems to compromise card numbers and transaction data; however, fraudsters are finding holes in web servers and generating malware programmes to compromise information;
     - Phishers have become experts in hijacking web site designs;
     - They rely on sophisticated IRC chat room interfaces;
     - Hackers are generating (and selling) credit card numbers using software purchased ‘for educational purposes only’ online;
     - They are purchasing black market card number lists;
     - They are counterfeiting credit cards through mag stripe skimming devices;
     - Chip and PIN is driving more fraud to easier targets – online merchants;
     - Card-not-present and Internet merchants are obvious and easy targets for credit card fraud.

  6. The Shadow Internet Economy
     Maksym Schipka, Senior Architect at MessageLabs – going rates in the underground economy:
     - Malware Writer: $300-$3500/programme; $25-$50/update
     - Identity Collector (Phisher): $0.001 - $5/identity
     - Stolen “active” credit cards: $0.50 to $5/card
     - Botnet Owner (remote control network of computers): from $200/hr to $10 million depending on network compromised
     - Malware Distributor: 2.5% of credit card sale amount
     - CC Fraudster: 30% of goods price
     - “Drop” Website Developers: $200 - $2000/site
     - Malware Guarantor: 2-5% of the deal
     Courtesy of Combating CyberCrime Conference, London 2009

  7. The Shadow Internet Economy
     Maksym Schipka, Senior Architect at MessageLabs:
     - “For as little as $250 you can buy a custom written malware and for an extra $25 a month you can subscribe to updates that will ensure that your malware evades detection.”
     - “The vast majority of malware authors (viruses, trojans, spyware) do not distribute it themselves. In fact, they make great play of offering their software ‘for educational purposes only’ in the hope that this offers some immunity from prosecution.”
  8. (image slide)

  9. Heartland Payment Systems breach
     - Heartland called the U.S. Secret Service and hired two breach forensics teams to investigate. Robert Baldwin, Heartland's president and chief financial officer, said it wasn't until mid-January that investigators uncovered the source of the breach:
     - A piece of malicious software planted on the company's payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company's retail clients.
     - Heartland does not know how long the malicious software was in place, how it got there or how many accounts may have been compromised. The stolen data includes names, credit and debit card numbers and expiration dates.
     - "The transactional data crossing our platform, in terms of magnitude... is about 100 million transactions a month," Baldwin said. "At this point, though, we don't know the magnitude of what was grabbed."
     - Source: WashingtonPost.com

  10. RBS WorldPay breach
     - RBS WorldPay, formerly RBS Lynk, is the United States-based payment-processing arm of The Royal Bank of Scotland Group. RBS announced in December 2008 that an unauthorized party had improperly accessed the company's computer system.
     - Compromised prepaid cards included 1.5 million payroll and open-loop gift cards, approximately 100 of which had experienced actual fraud, according to an RBS statement. The bank says hackers also may have accessed the Social Security numbers of approximately 1.1 million individuals. An RBS WorldPay spokesperson says no identity theft has been reported on individuals whose personal information was compromised in the breach. Neither the RBS spokesperson nor Ross would confirm media estimates of the amount of fraud committed on the payroll cards.
     - Source: Cardline Global

  11. KYE - Know Your Enemy
     Excerpts from an interview with a professional phisher:
     - Started at age 14. Now 19
     - >20 million identities phished so far via social networking worms
     - Works 3-4 days a week
     - Uses a web software programme called MyOwnChanger.com
     - Low entry costs – VPNs, dedicated servers, proxies; network traffic is encrypted. All payments are made through eGold.
     - Anti-phishing deterrents in Explorer 7 and Firefox 2 cause slowdowns, but this makes phishers more “motivated”
     - “Lazy web developers are the reason I’m still around phishing”
     - Source: http://ha.ckers.org/blog/20070508/phishing-social-networking-sites

  12. KYE – Know Your Enemy
     Excerpts from an interview with a professional phisher:
     - “Social networking sites make me $500 to 1k through CPA deals. 5 times out of 10 the person uses the same password for their email account. Now depending what is inside their email inbox determines how much more profit I make. If an email account has one of the following paypal/egold/rapidshare/ebay accounts even the email account itself, I sell those to scammers ($5 /pswd). All in all, I make 3k to 4k a day. I only phish 3-4 days a week. Depends on how much time I invest. The more time I invest the greater the outcome.”

  13. (image slide) This is a phishing email. The Bank of Bermuda email domain was hijacked.

  14. (image slide) This is the phished site. Hijacked URL from Jliangpartnership.co.uk; the copyright year is different.

  15. (image slide) This is the real web site.

  16. KYE – Know Your Enemy
     - The Anti Phishing Network Group is dedicated to wiping out Internet scams and fraud;
     - The site contains detailed global information on reports of phishing scams: http://www.apwg.org
     - They work alongside another site called Millers Miles in the UK that tracks online phishing email scams and web sites: http://www.millersmiles.co.uk
     - Millers Miles has over 1,490,599 phishing scams in their database;
     - This information is publicly available for all merchants to reference;
     - Much of the world’s phishing is isolated to specific geographies including Eastern Europe, Russia, China and the USA;
     - Most targeted industries: Financial Services 52%; Payment Services 18%; Auctions 25%; Retail 1%
  17. Current Trends in Phishing
     Anti Phishing Network Group 2008 Statistics (source: www.apwg.org)

     | Measure                                                        | April  | May    | June   |
     | Number of unique phishing emails rec'd by APWG from consumers  | 24,924 | 23,762 | 28,151 |
     | Number of unique phishing web sites detected                   | 20,410 | 20,317 | 18,509 |
     | Number of brands hijacked by phishers                          | 276    | 294    | 227    |
     | Country hosting the most phishing websites                     | China  | Turkey | USA    |
     | Contain some form of target name in the URL                    | 28.30% | 23.20% | 26.10% |
     | Longest time online for phished site                           | 30 days | 31 days | 30 days |

  18. Current Trends in Phishing
     Countries Hosting Phishing Sites in Q2 2008 (source: www.apwg.org)

     | Rank | April                   | May                     | June                    |
     | 1    | China 25.15%            | Turkey 25.73%           | USA 18.93%              |
     | 2    | USA 16.68%              | USA 17.16%              | Turkey 17.92%           |
     | 3    | Russia 8.23%            | Japan 11.23%            | Poland 13.56%           |
     | 4    | Poland 7.15%            | China 9.17%             | Greece 6.86%            |
     | 5    | Turkey 5.79%            | Poland 7.41%            | China 5.87%             |
     | 6    | Germany 3.97%           | Russia 3.27%            | Russia 4.28%            |
     | 7    | Republic of Korea 3.12% | Greece 2.11%            | France 2.48%            |
     | 8    | Greece 2.61%            | France 2.08%            | Republic of Korea 2.38% |
     | 9    | France 2.32%            | Republic of Korea 1.60% | Bulgaria 2.28%          |
     | 10   | Romania 2.21%           | Netherlands 1.60%       | UK 2.16%                |

  19. Current Trends in Phishing
     - Phishing-based trojans are ‘crimeware’ designed with the intent of redirecting end-users’ network traffic to a location where it was not intended to go;
     - This includes crimeware that changes DNS-specific information and automatically redirects browsers to a fraudulent web site;
     - The USA and China hosted the highest percentage of either phishing-based keyloggers or trojan downloads in Q2 2008;
     - Phishing Activity Trends Report Q2 2008 (share of phishing-based keylogger/trojan downloads hosted, by country):

     | Country           | April  | May    | June   |
     | USA               | 38.67% | 32.12% | 30.98% |
     | China             | 9.68%  | 28.67% | 24.95% |
     | Russia            | 8.23%  | 6.06%  | 5.74%  |
     | Republic of Korea | 3.81%  | 2.18%  | 2.17%  |
  20. (image slide)

  21. (image slide)

  22. Current Trends in Online Fraud (image slide)

  23. (image slide) 22,169 Downloads

  24. Current Trends in Online Fraud (image slide)

  25. Current Trends in Online Fraud
     - Since 2000 the percentage of online revenues lost to payment fraud has been slowly declining: from 3.6% in 2000 to 1.8% in 2004 to 1.4% in 2008;
     - The 2009 CyberSource 10th Annual Online Fraud Report estimates that $4 billion in online revenues was lost to online fraud (North America region) – down from $5.5 billion in 2007;
     - Chargebacks understate true fraud losses by as much as 50%. The remainder occurs when merchants issue refunds in response to a consumer’s claim of fraudulent account use;
     - International transactions carry a 3.5% higher risk factor than domestic transactions, resulting in international transactions being rejected 3.5 times more often than domestic transactions.
     - Source: Cybersource 2009 Online Fraud Report
  26. Card Fraud Worldwide 2007

     | Issuer                       | Total Volume ($billions) | Fraud Losses ($billions) |
     | VISA                         | $5,636.26                | $3.21                    |
     | PIN Debit                    | $2,347.40                | $0.16                    |
     | MasterCard                   | $2,276.10                | $1.50                    |
     | AMEX                         | $647.30                  | $0.22                    |
     | Discover                     | $118.91                  | $0.07                    |
     | JCB                          | $60.94                   | $0.04                    |
     | Diners Club                  | $30.11                   | $0.01                    |
     | Magstripe credit/debit other | $691.00                  | $0.15                    |
     | TOTALS                       | $11,808.02               | $5.55                    |
     Source: 2008 Nilson Report Issue 915

  27. Online Fraud Statistics 2008
     Nilson Report, November 2008, states:
     - Over the past 10 years the card industry has succeeded in reducing “opportunity fraud” from lost or stolen cards and fraudulent applications;
     - Opportunity fraud accounted for 21.07% of total fraud losses suffered in 2007, or $1.17 billion;
     - Counterfeit cards accounted for 33.52% of all fraud losses, or $1.86 billion, in 2007. Counterfeit cards are being produced using compromised/hacked account data stored by merchants, networks and processors;
     - Card-Not-Present fraud amounted to 38.04% of total fraud losses, or $2.11 billion. Five years ago CNP fraud accounted for roughly 25% of total fraud losses;
     - Total fraud losses based on the above research: $5.55 billion

  28. Online Fraud Statistics 2008
     In 2008, surveyed North American merchants said:
     - Merchants processing > $5 million/yr online are employing six or more fraud detection/screening tools and are utilizing more automated decision systems;
     - Merchants processing > $100 million/yr online are employing 7.7 fraud detection/screening tools on average;
     - Stolen card numbers are the most popular exploit of online fraudsters. They try multiple identities, emails, zip codes and details with the same credit card numbers until they find a combination that makes it past the fraud and issuer authorisation systems;
     - Stolen cards are repeatedly “tested” by processing small transactions until the limit is reached or the account is blocked. Often this testing is done across multiple merchant sites;
     - Without industry data sharing this cannot be properly tracked.
     - Source: Cybersource 2009 Online Fraud Reports

  29. Online Fraud Statistics 2008
     In 2008, surveyed UK/EU merchants said:
     - Efforts to tackle online fraud are being hampered by a lack of coordination across multiple channels (and of cross-border cooperation);
     - Fraudsters are divided into two groups – less sophisticated “chancers” targeting small merchants with simple techniques, and sophisticated professionals who are testing the defences of larger merchants in pursuit of significant data or financial rewards;
     - Lack of consumer education regarding phishing and password protection is a significant problem;
     - Only 17% of merchants believe the police are effectively tackling cybercrime, citing lack of resources and failure to follow up on significant “tip-offs” of addresses where they knew fraudsters were located.
     - Source: Cybersource 2008 Online Fraud Reports

  30. Online Fraud Statistics 2008
     - According to the recently published 2008 Identity Fraud Survey issued by Javelin Strategy and Research, 8.1 million Americans were victimized by identity fraud – a crime amounting to $45 billion;
     - The total average cost of a data breach last year reached $202 per record, a 2.5% increase since 2007 (the study was conducted by the Ponemon Institute, a privacy and data-protection research group);
     - Of the average $202 per record cost, $139 was attributable to lost business as a result of the breach;
     - Breaches that originated with outsourcing companies, contractors, consultants and business partners accounted for 44% of the breach total, up from 40% in 2007;
     - Third-party breaches cost an average of $231 per record, compared with $179 for breaches originating from within the organization that owns the data.

  31. Online Fraud Statistics 2008
     - The total average cost per company surveyed was more than $6.6 million per breach, up from $6.3 million in 2007 and $4.7 million in 2006;
     - Javelin reports seeing an increase in “vishing”, which is identity theft over the phone. Consumers receive an email requesting them to call a given phone number instead of being directed to a phishing web site;
     - Consumers are told about security warnings of fraudulent activity on their accounts or plastics;
     - Customers are then told to “call the bank back at this number” and input their account numbers, card details and private information.

  32. Online Fraud Statistics 2008
     In the 2008 UK/EU survey:
     - Merchants surveyed were asked to rate the biggest threats to income losses:
       - Increased price competition
       - Competition from international markets
       - Online fraud activity
       - Reduced consumer demand
       - Data theft
       - Product quality
     - Merchants surveyed were asked to rate the biggest threats to technical losses:
       - Online fraud
       - Internal systems failure
       - Software viruses
       - Competitors’ technical advancements
       - Data hackers
     - Source: Cybersource 2008 Online UK Fraud Reports
  33. Current Fraud Detection Tools
     - Fraud ‘detection’ tools are those used to identify the probability of risk associated with an online transaction or to validate the identity of the purchaser. Results from detection tools are then interpreted by humans or rules systems to determine whether the transaction should be accepted. The systems do not guarantee that a fraud will not occur and certainly will never prevent a chargeback initiated by the consumer. Consumer behaviour cannot be predicted or prevented by fraud detection tools.
     - “Detection Does Not Equal Prevention”

  34. Current Fraud Detection Tools
     So How Do You Protect Your Business?

  35. Current Fraud Detection Tools
     - The most popular tools used to assess or gauge online fraud are different for merchants processing over $25 million USD per annum in sales. The larger North American merchants use more risk-specific scoring models, negative and positive lists and sophisticated data sharing tools. They also spend considerably greater effort on chargeback management.
     - Company-specific fraud screening solutions, external fraud systems and consumer behaviour models rated the highest in the large merchant category survey.
     - Source: Cybersource 2009 Online Fraud Reports

  36. Current Fraud Detection Tools – USA/Canada
     Share of merchants using each tool (last column: merchants processing >$25mm/yr in 2008)

     | Fraud Detection Tool                  | 2006 | 2007 | 2008 | >$25mm/yr |
     | Address Verification AVS              | 79%  | 80%  | 78%  | 87%       |
     | Card Verification CVV2/CVC2           | 69%  | 74%  | 74%  | 80%       |
     | Fraud Screening (internal)            | 38%  | 39%  | 27%  | 42%       |
     | IP Geolocation (Address Point Verify) | 35%  | 37%  | 35%  | 48%       |
     | Negative Lists (in house)             | 34%  | 36%  | 38%  | 67%       |
     | Order Velocity Monitoring             | 33%  | 35%  | 28%  | 54%       |
     | Automated Decision Scoring            | 32%  | 34%  | 34%  | 50%       |
     | Manual Review                         | 25%  | 22%  | 22%  | 33%       |
     | Chargeback Management                 | 22%  | 20%  | 20%  | 33%       |
     | Customer behaviour analysis           | -    | 29%  | 20%  | 22%       |
     | Customer order history                | -    | -    | 47%  | 54%       |
     | 3-D Secure (VBV and SecureCode)       | 29%  | 25%  | 27%  | 39%       |
     | Positive Lists                        | -    | 17%  | 17%  | 32%       |
     | Device fingerprinting                 | -    | -    | 6%   | 7%        |
     | Consumer challenge questions          | 5%   | 6%   | 5%   | 7%        |

  37. Current Fraud Detection Tools
     - In the UK and Europe, online fraud tool usage trends differ from those of the USA. Merchants spend considerably more time manually reviewing transactions, and CVV2, AVS and Verified By VISA/SecureCode remain the primary automated fraud solutions;
     - The fastest growing anti-fraud tool in the past year has been 3-D Secure™, due to the June 2007 Maestro SecureCode mandate. 71% of UK/EU merchants now claim to have implemented 3-D Secure™;
     - One significant difference is the use of IP Geolocation services in the detection of possible fraud: 48% of North American merchants use IP Geolocation, whereas only 23% of European merchants do;
     - Device Fingerprinting has been identified as the top fraud tool to add in 2009.
     - Source: Cybersource USA/UK 2008 Online Fraud Reports

  38. Current Fraud Detection Tools – Comparison
     Share of merchants using each tool in 2008 (North America: merchants processing >$25mm/yr)

     | Fraud Detection Tool             | North America 2008 | UK/Europe 2008 |
     | Card Verification CVV2/CVC2      | 80%                | 79%            |
     | Address Verification AVS         | 87%                | 78%            |
     | Manual Review                    | 22%                | 67%            |
     | 3-D Secure (VBV and SecureCode)  | 38%                | 59%            |
     | 3rd Party ID checks              | 39%                | 49%            |
     | Automated Decision Scoring       | 54%                | 30%            |
     | Fraud screening (industry)       | 18%                | 36%            |
     | Fraud screening (internal)       | 42%                | 38%            |
     | Negative lists                   | 18%                | 29%            |
     | Chargeback Management            | 20%                | 37%            |
     | Industry Hot Card information    | 18%                | 21%            |
     | Customer Device Fingerprinting   | 7%                 | 8%             |
     | IP Geolocation                   | 48%                | 26%            |

  39. Top Fraud Detection Tools – to be implemented
     Fraud detection tools merchants plan to implement in 2009

     | Fraud Detection Tool             | North America | UK/Europe |
     | Customer Device Fingerprinting   | 47%           | 17%       |
     | IP Geolocation                   | 27%           | 11%       |
     | Fraud services (internal)        | 20%           | 12%       |
     | Customer Order History           | 17%           | 6%        |
     | Card Verification CVV2/CVC2      | 16%           | 8%        |
     | Customer Behaviour Screening     | 13%           | 13%       |
     | 3-D Secure (VBV and SecureCode)  | 11%           | 19%       |
     | Negative lists/Shared Services   | 10%           | 13%       |
     | Telephone Verification           | 10%           | 19%       |
     | Multi-Merchant Fraud Models      | 9%            | 15%       |
     | 3rd Party ID checks              | 9%            | 20%       |
     | Automated Decision Scoring       | 7%            | 18%       |
     | Chargeback Management            | 7%            | 23%       |
     | Address Verification AVS         | 6%            | 16%       |
  40. Current Fraud Detection Tools
     Address Verification Service (AVS):
     - Address Verification Service is a North American based service whereby the card issuing bank matches the street and Zip/Postal Code information entered by the consumer to the information held on the bank’s systems;
     - Issuers DO NOT decline authorisations based on AVS responses – they simply provide the AVS code in the auth response message;
     - AVS is a North American service and not many international processors or acquirers support USA AVS verification;
     - AVS Line 2 scamming is now prevalent, making this tool unreliable as a verification tool – the data is bought from card list brokers;
     - AVS is subject to a significant rate of “false positives” because it can be fooled into providing a partial match AVS score;
     - Large merchants typically use AVS as a pre-screening service prior to fulfilling orders.

  41. Current Fraud Detection Tools Used
     Geolocation:
     - Geolocation is used to identify the geographic origin of an order based on the IP address of the customer’s browser;
     - The data returns specific information about the IP address associated with the originating ISP transaction request, including:
       - IP address
       - Country (long and short name)
       - City
       - Region (State, Province etc.)
       - Zip Code
       - Domain Name
       - ISP Name
       - Latitude + Longitude
       - Time Zone
       - Proxies

  42. Current Fraud Detection Tools Used
     Device Based Fingerprinting:
     - Traditional fraud service providers are now offering more intelligent services including PC fingerprinting;
     - The service determines whether an online transaction is coming from a computer that has a history of fraud or abuse;
     - Could be an issue with virtual devices and dynamic IP addresses/roaming;
     - New technology, so not much analysis regarding fraud reduction is available yet.
     Customer Spending and Behaviour Analysis:
     - Reviewing consumer behaviour, spending patterns and charges provides a lot of information about your client;
     - Web site traffic and transactional flows are profiled to watch for and detect suspicious shopping or surfing behaviour (i.e. large quantities of electronics purchased with rapid check out);
     - Repeat customers have typical patterns of shopping or browsing behaviour which fall within normal parameters.

  43. Current Fraud Detection Tools Used
     Negative Files and Cross Industry Data Sharing:
     - Are based on previous cardholder processing and purchasing information across multiple merchant and acquirer systems;
     - Somewhere in history this cardholder has defrauded a merchant or is a habitual chargeback offender, which is why they are in the negative database;
     - Unfortunately a lot of consumers get placed on the negative file as a result of someone else’s fraudulent use of their card, or deliberately by merchants competing for consumer transactions;
     - Negative files can be very useful if part of an overall data sharing solution. ETHOCA is an example of a data sharing service that combines decline data, chargebacks and suspicious transaction information at the card number level.

  44. Current Fraud Detection Tools Used
     Decision Matrices, Risk Scoring Software and Data Sharing:
     - Determine whether a transaction should be accepted, rejected or suspended for review based on risk parameters set up in the fraud system;
     - Only as good as the data within the risk matrix database, which is why cross-industry sharing is so important going forward;
     - Fraud is dynamic, which means the matrices must always be updated and refreshed with ‘current data’ trends;
     - Fraudsters learn over time and vary their strategies, so the systems must be regularly “tuned”;
     - Still requires manual review of exception items;
     - They can be expensive for small merchants but worthwhile for larger merchants who need cross industry information to reduce fraud exposures.
  45. An Example (image slide)

  46. (image slide) The numbers in ( ) represent your own data. ‘Hits’ = Suspicious Activity

  47. Current Fraud Detection Tools Used
     ETHOCA Data Sharing:
     - Fraud Reduction – leveraging ‘Advisory Codes’ such as velocity and data inconsistencies (e.g., multiple emails per card) can detect upwards of 30% of card related fraud;
     - Comparing merchants to their industry peers reveals that for some merchants 10% of rejections are actually good orders;
     - Link Analysis – up to 15% of fraud that is undetected by traditional means can be spotted by ‘linking’ common data elements across multiple merchants and industries;
     - Over 40 companies/partners now share their transactional data through ETHOCA, including RBS, TigerDirect, British Airways, Emirates Airways and others.
     - Source: Keegan Johnson – CEO ETHOCA
  48. Current Fraud Detection Tools Used
     Manual Order Review:
     - Merchants claim they manually review 1 out of every 4 online transactions;
     - Used specifically to manage payment fraud;
     - Must be done in conjunction with other tools like AVS, CVV2 match checks, internal chargeback analysis etc.;
     - One consequence of using multiple automated fraud tools is that more transactions are flagged for manual review, adding additional work to back office admin functions;
     - This requires merchants to divert more ‘qualified’ staff to order review, increase time to review, and improve the accuracy of the manual review process (and train staff to know what to look for);
     - Merchants report that on average they provide only 4-6 weeks of training to review orders!

  49. Current Fraud Detection Tools Used
     CVV2:
     - CVV2 stands for Card Verification Value;
     - Consists of the last 3 digits printed on the VISA plastic signature panel, which are not recorded anywhere else on the card;
     - Is known as CVC2 with MasterCard and CID with AMEX/Discover;
     - CVV2 can assist a merchant to differentiate between consumers who have the physical plastic in their possession at the time of the transaction and those that don’t (but not always);
     - However, CVV2 is only as useful as the issuer who validates the data and declines the authorisation based on No Match responses;
     - Changes in Card Association regs in 2007 now allow merchants to represent chargebacks for RC 83 if the issuer does not participate in CVV2 match checking.

  50. Current Fraud Detection Tools Used
     CVV2:
     - Not all issuers participate in CVV2 verification, so the presence of CVV2 in the auth request should not be used to ‘assume’ that the cardholder performing the transaction is in possession of the actual plastic – unless the issuer has replied with a CVV2 Match ‘M’ response;
     - More issuers now decline authorisations for a CVV2 mismatch – this is encouraging.
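As an added example (not code from the original deck, nor from First Atlantic Commerce or ETHOCA), the Python rule engine below combines the tools from slides 44 (decision matrix: accept / review / reject), 47 (velocity and multiple-emails-per-card advisory codes) and 49-50 (only an explicit CVV2 ‘M’ counts as a match) and runs them over a constructed order stream that includes the card-testing pattern from slide 28. The AVS and CVV2 response letters other than ‘M’, the point weights, the thresholds and the card tokens are assumptions for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

ACCEPT, REVIEW, REJECT = "accept", "review", "reject"


@dataclass
class Order:
    ts: int               # seconds since epoch (constructed values in run_demo)
    card_token: str       # token standing in for the PAN; the raw card number is never kept
    email: str
    billing_country: str  # country of the billing address given by the shopper
    ip_country: str       # country returned by IP geolocation of the shopper's address
    amount: float
    avs_code: str         # issuer AVS response (assumed codes): Y full, A/Z partial, N no match
    cvv2_result: str      # issuer CVV2 response (assumed codes): M match, N no match, P not processed


class RiskEngine:
    """Rule-based risk matrix: points per rule plus per-card history for velocity checks."""

    def __init__(self, negative=(), review_at=40, reject_at=70, window=600, velocity_limit=3):
        self.review_at = review_at            # score at which an order goes to manual review
        self.reject_at = reject_at            # score at which an order is rejected outright
        self.window = window                  # velocity window in seconds
        self.velocity_limit = velocity_limit  # attempts per card tolerated inside the window
        self._negative = set(negative)        # negative file: tokens with fraud/chargeback history
        self._attempts = defaultdict(deque)   # card_token -> timestamps of recent attempts
        self._emails = defaultdict(set)       # card_token -> distinct emails seen on the card

    def score(self, order):
        points, reasons = 0, []
        if order.card_token in self._negative:
            points += 100
            reasons.append("negative-file")
        # CVV2: only an explicit 'M' is evidence the plastic is in the shopper's hand;
        # 'P' (issuer did not check) must not be read as a match.
        if order.cvv2_result == "N":
            points += 50
            reasons.append("cvv2-nomatch")
        elif order.cvv2_result != "M":
            points += 15
            reasons.append("cvv2-unverified")
        # AVS: a partial (address-only or zip-only) match is weak evidence, since
        # billing data is sold alongside card numbers.
        if order.avs_code == "N":
            points += 30
            reasons.append("avs-nomatch")
        elif order.avs_code in ("A", "Z"):
            points += 15
            reasons.append("avs-partial")
        elif order.avs_code != "Y":
            points += 10
            reasons.append("avs-unavailable")
        # Geolocation: order placed from a country other than the billing country.
        if order.ip_country != order.billing_country:
            points += 25
            reasons.append("geo-mismatch")
        # Velocity: drop attempts older than the window, then count the rest.
        # Repeated small authorisations on one card is the card-testing pattern.
        recent = self._attempts[order.card_token]
        while recent and order.ts - recent[0] > self.window:
            recent.popleft()
        recent.append(order.ts)
        if len(recent) > self.velocity_limit:
            points += 30
            reasons.append("velocity")
        # Data inconsistency (an ETHOCA-style advisory code): several emails on one card.
        emails = self._emails[order.card_token]
        emails.add(order.email)
        if len(emails) > 1:
            points += 10 * (len(emails) - 1)
            reasons.append("multi-email")
        return points, reasons

    def decide(self, order):
        """Map the score onto the accept / review / reject outcome of a decision matrix."""
        points, reasons = self.score(order)
        if points >= self.reject_at:
            return REJECT, points, reasons
        if points >= self.review_at:
            return REVIEW, points, reasons
        return ACCEPT, points, reasons


def run_demo():
    """Constructed order stream: a clean order, an obvious fraud, a card-testing run on
    tok_C with a fresh email per attempt, a retry after the window, and a negative-file hit."""
    engine = RiskEngine(negative={"tok_D"})
    orders = [
        Order(1000, "tok_A", "ann@example.com", "US", "US", 120.0, "Y", "M"),
        Order(1010, "tok_B", "bob@example.com", "US", "RU", 350.0, "N", "N"),
        Order(2000, "tok_C", "c1@example.com", "GB", "GB", 1.0, "Z", "P"),
        Order(2030, "tok_C", "c2@example.com", "GB", "GB", 1.0, "Z", "P"),
        Order(2060, "tok_C", "c3@example.com", "GB", "GB", 1.0, "Z", "P"),
        Order(2090, "tok_C", "c4@example.com", "GB", "GB", 1.0, "Z", "P"),
        Order(2790, "tok_C", "c4@example.com", "GB", "GB", 1.0, "Z", "P"),
        Order(3000, "tok_D", "dan@example.com", "US", "US", 80.0, "Y", "M"),
    ]
    return [engine.decide(o) for o in orders]
```

Note that the first probe on tok_C passes as a single low-value order; only the per-card history (velocity and the growing set of emails) pushes the later attempts into review and then rejection, which is the tracking the deck says is impossible without shared data.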
  51. 51. Current Fraud Detection Tools <ul><li>The real cost of chargebacks : </li></ul><ul><li>In 2008 merchants reported that it takes on average 1.8 hours to handle ONE chargeback (time consumed on research, documentation and representment); </li></ul><ul><li>Over the past 4 years fraud-coded chargebacks (RC23/83) have been represented successfully between 43-53%; </li></ul><ul><li>Over 1/3 of merchants surveyed confirm they dispute 90% of their fraud chargebacks; </li></ul><ul><li>In 2007 large merchants reported 57% of their fraud was RC83 chargebacks. This has dropped to 48% in 2008; </li></ul><ul><li>Having an efficient representment process enhances the merchant’s chances of successfully representing a fraud coded chargeback </li></ul><ul><li>Friendly-Fraud is on the rise with the downturn in the credit markets; </li></ul><ul><li>Merchants MUST get diligent with managing this issue or face large fines and risk losing their merchant account. </li></ul>Copyright First Atlantic Commerce Ltd 2009
  52. 52. Current Fraud Detection Tools <ul><li>The real cost of chargebacks : </li></ul><ul><li>Given the time involved, the administration efforts, fines, penalty fees merchants are finding it makes more economic sense to encourage consumers to contact them directly to receive a credit/refund then to process a chargeback; </li></ul><ul><li>If merchants are evaluating fraud losses solely on the basis of RC83 chargebacks, the actual rate of fraud loss is likely 2x higher simply because of the number of Refunds being processed and consumer complaints resolved in other ways (ecash credits etc); </li></ul><ul><li>Implementing Verified By VISA/SecureCode also reduces fraud coded chargebacks by ‘guaranteeing’ liability shift back to the issuer for qualifying Reason Codes. </li></ul><ul><li>Source: Cybersource USA/UK 2008 Online Fraud Reports </li></ul>
  53. 53. Chargebacks Vs Refunds Source: Cybersource 2009 Online Fraud Report
  54. 54. Current Fraud Detection Tools Used <ul><li>The Payer Authentication Process </li></ul><ul><li>Issuers and Acquirers register independently and the service is not inter-dependent </li></ul><ul><li>Issuers can have credit card BINs registered but not their cardholders; alternatively neither can be enrolled - this drives the merchant chargeback liability shift conditions for ‘attempted’ 3-D Secure requests; </li></ul><ul><li>Merchants ONLY have chargeback liability shift rights if BOTH the Acquirer and the Merchant are registered with VBV/SecureCode – however chargeback liability shift is not contingent on whether the Issuer or cardholder participate in 3-D Secure™. </li></ul>Copyright First Atlantic Commerce Ltd 2009
  55. 55. How Does 3-D Secure™ work? <ul><li>The Payer Authentication Process </li></ul><ul><li>VBV is a global service so once Merchants are enrolled by participating acquirers all VISA transactions can be authenticated with VBV for a fraction of the cost of other fraud detection services; </li></ul><ul><li>Verified By VISA liability shift is guaranteed for ‘attempted’ transaction authentication (global) even if the cardholder is NOT enrolled in VBV with their Issuer; </li></ul><ul><li>If an enrolled VBV Merchant attempts to authenticate the cardholder through Verified By VISA and either the cardholder and/or their Issuer doesn’t participate, the transaction is flagged as an ‘attempt’ (ECI=6) and these transactions are included in the liability shift programme for specific chargeback reason codes (RC23, 83). </li></ul>Copyright First Atlantic Commerce Ltd 2009
  56. 56. How Does 3-D Secure™ Work? <ul><li>The Payer Authentication Process </li></ul><ul><li>After June 30th, 2007, online merchants will no longer be able to process Maestro debit transactions unless they implement MasterCard SecureCode™; </li></ul><ul><li>MasterCard SecureCode has implemented merchant-only liability shift in all Regions except the USA; </li></ul><ul><li>This means if a merchant is registered with a participating acquiring bank in EU, Asia/Pacific, SAMEA, LACR regions and they attempt to authenticate the cardholder – they have chargeback liability shift protection for chargeback RC 37 and 63 (if the transaction is authorised); </li></ul><ul><li>USA has not opted into this liability shift on ‘attempted’ SecureCode transactions yet. </li></ul>Copyright First Atlantic Commerce Ltd 2009
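Slides 50 and 54 to 56 together describe a set of rules: a CVV2 value only proves anything when the issuer answers ‘M’; liability shift requires both acquirer and merchant to be enrolled; Visa covers attempted (ECI 6) authentications globally for RC23/83; SecureCode covers attempts for RC37/63 only outside the USA. The block below is an added example, not code from the deck or from First Atlantic Commerce, that encodes those rules so each approved authorisation can be tagged as covered or not before it is fulfilled. The ECI value 6 is on the slides; the other ECI values (5 for a fully authenticated Visa transaction, 1 and 2 for attempted and authenticated SecureCode) are the standard 3-D Secure values and are an assumption of this example, as are the region labels and the `AuthResult` field names.

```python
"""Added example (not from the slides): apply the deck's CVV2 and 3-D Secure
liability-shift rules to an authorisation result."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Fraud-coded chargeback reason codes the slides name as covered by liability shift.
VISA_FRAUD_RCS: Set[str] = {"23", "83"}
MASTERCARD_FRAUD_RCS: Set[str] = {"37", "63"}

# Regions where the slides say SecureCode honours merchant-only ("attempted")
# liability shift. The USA had not opted in at the time of the deck.
SECURECODE_ATTEMPT_REGIONS: Set[str] = {"EU", "AP", "SAMEA", "LACR"}

# ECI values. "6" (Visa attempt) is on the slides; the rest are the standard
# 3-D Secure values and are an ASSUMPTION of this example, not of the deck.
VISA_ECI = {"5": "authenticated", "6": "attempted"}
MASTERCARD_ECI = {"2": "authenticated", "1": "attempted"}


@dataclass
class AuthResult:
    brand: str                  # "VISA" or "MASTERCARD"
    approved: bool              # issuer authorised the transaction
    cvv2_result: Optional[str]  # issuer CVV2 response code; only 'M' (match) counts
    eci: Optional[str]          # ECI returned by the 3-D Secure attempt, None if not attempted
    acquirer_enrolled: bool     # acquirer registered with VBV/SecureCode
    merchant_enrolled: bool     # merchant registered with VBV/SecureCode
    acquirer_region: str        # "USA", "EU", "AP", "SAMEA", "LACR" (labels assumed)


@dataclass
class Assessment:
    cvv2_verified: bool
    liability_shift: bool
    covered_reason_codes: Set[str] = field(default_factory=set)
    notes: List[str] = field(default_factory=list)


def cvv2_verified(r: AuthResult) -> bool:
    """Slide 50: only an explicit 'M' response shows the card was in hand.
    A CVV2 value merely being present in the request proves nothing."""
    return r.cvv2_result == "M"


def liability_shift(r: AuthResult) -> Assessment:
    """Decide whether fraud-coded chargebacks on this authorisation can be represented."""
    a = Assessment(cvv2_verified=cvv2_verified(r), liability_shift=False)
    if not (r.acquirer_enrolled and r.merchant_enrolled):
        a.notes.append("acquirer and merchant must both be registered; no shift")
        return a
    if r.eci is None:
        a.notes.append("no 3-D Secure authentication attempted; no shift")
        return a
    if not r.approved:
        # Slide 57: some issuers decline ECI 6 requests outright. Worth tracking per issuer BIN.
        if r.eci == "6":
            a.notes.append("declined ECI 6 request: possible issuer block of attempted 3-D Secure")
        return a
    if r.brand == "VISA" and r.eci in VISA_ECI:
        # Slide 55: Visa covers attempts (ECI 6) globally, enrolled cardholder or not.
        a.liability_shift = True
        a.covered_reason_codes = set(VISA_FRAUD_RCS)
    elif r.brand == "MASTERCARD" and r.eci in MASTERCARD_ECI:
        # Slide 56: attempted SecureCode is covered only in opted-in regions.
        if MASTERCARD_ECI[r.eci] == "authenticated" or r.acquirer_region in SECURECODE_ATTEMPT_REGIONS:
            a.liability_shift = True
            a.covered_reason_codes = set(MASTERCARD_FRAUD_RCS)
        else:
            a.notes.append("attempted SecureCode outside opted-in regions (e.g. USA); no shift")
    else:
        a.notes.append(f"unrecognised ECI {r.eci!r} for {r.brand}; treat as not authenticated")
    return a


def fraud_chargeback_covered(r: AuthResult, reason_code: str) -> bool:
    """True if a chargeback with this reason code can be represented under the shift."""
    a = liability_shift(r)
    return a.liability_shift and reason_code in a.covered_reason_codes


if __name__ == "__main__":
    # Constructed authorisation results for illustration.
    visa_attempt = AuthResult("VISA", True, "M", "6", True, True, "EU")
    mc_us_attempt = AuthResult("MASTERCARD", True, "N", "1", True, True, "USA")
    for r in (visa_attempt, mc_us_attempt):
        print(r.brand, liability_shift(r))
```

The transaction is still screened for risk in the normal way; the assessment only tells the merchant which chargebacks it can later represent under the scheme rules, which is exactly the line the deck draws between detection and prevention.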
  57. 57. What are the Problems with 3-D Secure ? <ul><li>3-D Secure™ Issuer Blocks </li></ul><ul><li>In specific countries Issuers are blocking 3-D Secure attempted transaction requests – those tagged with an ECI 6 value; </li></ul><ul><li>There are compliance rules that clearly state Issuers can be fined for not authorising 3-D Secure attempted (ECI 6) transactions; however, the enforcement mechanisms to penalize Issuers do not appear to be in place; </li></ul><ul><li>Issuers in Mexico are blocking ECI=6 authorisation requests, as are some banks in Eastern Europe </li></ul>Copyright First Atlantic Commerce Ltd 2009
  58. 58. What are the Problems with 3-D Secure? <ul><li>3-D Secure™ Phishing Scams </li></ul><ul><li>Consumers are emailed with a Verified By VISA or SecureCode enrolment request which includes actual language from the VBV or S/C web sites as well as the same fonts, layout and logos; </li></ul><ul><li>Consumers either click on a link or are redirected to a site that looks exactly like their card issuer VBV enrolment site; </li></ul><ul><li>Ironic that the one programme designed to assist merchants and consumers with prevention of fraud is in itself a victim of phishing fraud </li></ul>Copyright First Atlantic Commerce Ltd 2009
  59. 59. This is a phishing site
  60. 60. This link redirects to the phish site
  61. 61. What are the Problems with 3-D Secure? Copyright First Atlantic Commerce Ltd 2009
  62. 62. VBV Enrolment Phishing Scam <ul><li>VBV Phishing Scams </li></ul><ul><li>This VBV enrolment phish had already targeted 24,011 consumers who had innocently registered; </li></ul><ul><li>21,086 VISA BINs and card numbers were obtained as a result; </li></ul><ul><li>The fraudulent site was tracked to an IP address in Uruguay; </li></ul><ul><li>The scam was locked down by VISA within hours of being reported – however you can see just how many people were victimized by the phish; </li></ul><ul><li>The data collected is extremely valuable on the black market for identity theft, counterfeit cards and online fraud! </li></ul>Copyright First Atlantic Commerce Ltd 2009
  63. 63. VBV Enrolment Phishing Scam <ul><li>So why is 3-D Secure phishing so “easy” to pull off? </li></ul><ul><li>Both Verified By VISA and MasterCard SecureCode online web sites list every registered Issuer in alphabetical order; </li></ul><ul><li>If you select a specific Issuer, the VBV or SecureCode enrolment site (legitimate one) displays; </li></ul><ul><li>This can be recreated by the ‘phishing’ fraudster and within hours thousands of cardholders are fooled into providing personal information, card data, PINs, passwords and bank account numbers; </li></ul><ul><li>“Activate the Verified by Visa feature - It's easy and only takes a few moments to activate your card. You can do it right here on the secure Visa site or when prompted during the checkout process at one of our participating online merchants. Either way, your information is protected.” </li></ul>Copyright First Atlantic Commerce Ltd 2009
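Slides 58, 62 and 63 describe enrolment phish that copy the legitimate VBV/SecureCode pages and lure cardholders through an emailed link, and note that one such site was traced to a raw IP address. The block below is an added example, not code from the deck or from First Atlantic Commerce: a link triage check that a merchant's support or fraud team can run on URLs customers report, accepting only HTTPS links to an allowlisted enrolment host and rejecting raw IP hosts, credentials hidden in front of an `@`, and hosts that merely embed a trusted name. The allowlisted hosts and the sample URLs are constructed placeholders, not real scheme or issuer domains.

```python
"""Added example (not from the slides): triage of reported 3-D Secure enrolment links."""
import ipaddress
from typing import Set, Tuple
from urllib.parse import urlsplit

# CONSTRUCTED allowlist. Replace with the enrolment hosts your card scheme and
# issuers actually publish; these .test names are placeholders.
TRUSTED_ENROLMENT_HOSTS: Set[str] = {
    "vbv.example-issuer.test",
    "securecode.example-issuer.test",
}


def host_is_trusted(host: str, trusted: Set[str]) -> bool:
    """Exact match or a subdomain of an allowlisted host; nothing else."""
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in trusted)


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_enrolment_link(url: str, trusted: Set[str] = TRUSTED_ENROLMENT_HOSTS) -> Tuple[str, str]:
    """Return ("allow", host) or ("reject", reason) for a reported enrolment link."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return "reject", "unparseable URL"
    if parts.scheme.lower() != "https":
        return "reject", f"scheme {parts.scheme!r} is not https"
    # "https://trusted-name@attacker-host/" shows the trusted name but goes elsewhere.
    if parts.username is not None or parts.password is not None:
        return "reject", "userinfo in URL hides the real host behind '@'"
    host = parts.hostname
    if not host:
        return "reject", "no host in URL"
    if is_ip_literal(host):
        return "reject", f"raw IP address host {host}"
    if host_is_trusted(host, trusted):
        return "allow", host
    # Trusted name used as a subdomain or fragment of an untrusted host.
    for t in trusted:
        brand = t.split(".")[1] if t.count(".") >= 2 else t
        if brand in host:
            return "reject", f"lookalike host {host} embeds trusted name {brand!r}"
    return "reject", f"host {host} is not an allowlisted enrolment site"


if __name__ == "__main__":
    # Constructed sample links of the kinds described on the slides.
    for u in (
        "https://vbv.example-issuer.test/enrol",
        "http://vbv.example-issuer.test/enrol",
        "https://vbv.example-issuer.test@203.0.113.5/enrol",
        "https://203.0.113.5/vbv/enrol",
        "https://vbv.example-issuer.test.verify-now.test/enrol",
    ):
        print(u, "->", classify_enrolment_link(u))
```

A check like this does not replace reporting the site to the scheme, which the slides show can take it down within hours; it stops staff from forwarding or clicking a reported link while that is being arranged.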
  67. 67. This is the legitimate VBV registration site Copyright First Atlantic Commerce Ltd 2009
  68. 68. This is a phishing site Copyright First Atlantic Commerce Ltd 2009
  69. 69. Summary – Fraud Detection versus Prevention <ul><li>Fraud ‘detection’ tools are those used to identify the probability of risk associated with an online transaction. They do not guarantee that a fraud will not occur and certainly will never prevent a chargeback from being initiated by the consumer. </li></ul><ul><li>Fraud ‘prevention’ tools like CVV2 and 3-D Secure do provide guarantees against fraud coded chargebacks and are fully sponsored by the Card Associations. </li></ul>Copyright First Atlantic Commerce Ltd 2009
  70. 70. Summary – Fraud Prevention <ul><li>The top fraud detection and risk mitigation services being implemented in North America and Europe in 2009 are 3-D Secure™, IP Geolocation (geoblocking, proxy server detection), Computer Device Fingerprinting, Data Sharing systems and implementation of experienced chargeback analysis and management personnel. </li></ul><ul><li>Detection Assists With Fraud Prevention </li></ul>Copyright First Atlantic Commerce Ltd 2009
  71. 71. Summary – Fraud Prevention <ul><li>OUR CONCLUSIONS </li></ul><ul><li>Merchants must implement PCI compliant security requirements to reduce risk to malware/trojan/spyware attacks, transaction pre-authentication solutions including AVS, CVV2, IP Geolocation and data sharing services in addition to Verified by VISA and MasterCard SecureCode – WHY? </li></ul><ul><li>Pre-authentication services pre-screen transactions to filter out ‘obvious’ or suspicious fraudulent transactions. 3-D Secure provides guaranteed chargeback liability shift on the not-so-obvious and seemingly legitimate transactions. </li></ul>Copyright First Atlantic Commerce Ltd 2009
  72. 72. Summary – Fraud Prevention <ul><li>OUR CONCLUSIONS </li></ul><ul><li>KNOW YOUR ENEMY – you will then know your customer! Watch for behaviour patterns that don’t seem “normal” for customers at your site </li></ul><ul><li>Implement a face-to-face authentication system so you can “see” if your customer is the same as the photo ID they provided. SKYPE is free – anyone can use it. Why doesn’t the gaming industry verify new clients by looking directly at them? It seems like a great way to deter criminals from registering on your sites and therefore to reduce your exposure to fraudulent payment transactions. </li></ul>Copyright First Atlantic Commerce Ltd 2009
  73. 73. Summary – Fraud Prevention <ul><li>OUR CONCLUSIONS </li></ul><ul><li>Pre-authentication and automated screening services cannot predict ‘human behaviour’ which results in chargebacks. Habitual chargeback offenders (the “friendly fraud” culprits) are aware of this and will use this excuse over and over again </li></ul><ul><li>3-D Secure™ is there to protect online merchants from habitual chargeback offenders by allowing fraud chargebacks to be represented under the liability shift guarantees regardless of whether the cardholder is enrolled or not. </li></ul>Copyright First Atlantic Commerce Ltd 2009
  74. 74. Summary – Fraud Prevention <ul><li>Useful References </li></ul><ul><li>Cybersource Annual Fraud Reports (USA and UK) </li></ul><ul><li>Anti-Phishing Working Group </li></ul><ul><li>Nilson Reports </li></ul><ul><li>Message Labs – the Online Shadow Economy reference docs </li></ul><ul><li>Online newsfeeds – read about what’s going on elsewhere with respect to phishing, skimming, malware attacks, data attacks and advise your own staff. Education and information are key to identifying dodgy consumer behaviour or transactions </li></ul><ul><li>Javelin Research Reports </li></ul><ul><li>USA Federal Trade Commission – Internet Fraud and Safety info </li></ul><ul><li>Watch the blogs and chat rooms – they are fascinating! </li></ul>Copyright First Atlantic Commerce Ltd 2009
  75. 75. <ul><li>Thank You! </li></ul><ul><li>Andrea Wilson </li></ul><ul><li>CEO First Atlantic Commerce Ltd </li></ul><ul><li>WWW.FIRSTATLANTICCOMMERCE.COM </li></ul><ul><li>+(441) 294-4620 </li></ul><ul><li>Email ‘awilson@fac.bm’ </li></ul>Copyright First Atlantic Commerce Ltd 2009