
The DNA of Online Payments Fraud

An in-depth look at the roots of online credit card and debit card fraud.


  1. Christopher Uriarte, Chief Technology Officer & Head of International Development, Retail Decisions. Understanding the DNA of E-Commerce Fraud: The Tools, the Technologies and the Techniques
  2. Sample of ReD’s Clients and Focus Sectors. Regions: America, Europe, Asia Pacific, Other. Sectors: Travel, Telephony, Retail, Oil, Banking
  3. About Retail Decisions: A Market Leader
     Retail Decisions (ReD) is a London-based specialty provider of transaction and card issuing services to banks, retailers, oil companies and telcos worldwide
     • One of the leading global providers of transactional card fraud prevention and payment services
       – Touched approx. 16 billion card transactions per year for blue chip clients around the globe; 160 billion card transactions per annum worldwide (2007)
       – 20+ years experience in card fraud prevention
     • Fully-managed Fraud Prevention and Payment Services focused only on large and blue-chip customers: Merchants, Issuers and Acquirers
     • Blue-chip client base of more than 300 companies
     • Largest pre-paid gift card issuer in Australia
     • Strong service offering throughout all pieces in the payment value chain: merchants, processors and banking institutions
  4. Where We Sit & Where the Data Comes From
     [Diagram labels: Fraud Prevention & Gateway Services (CP & CNP); ReDShield™; ReD1Gateway™; CardExpress™; Fraud Prevention for Acquirers & Processors; PRISM™; Fraud Prevention for Issuers; PRISM™; Fraud Prevention for Merchants; Fraud Prevention for Banking Institutions]
  5. Complexity
     Malicious individuals continue to evolve schemes in an effort to obtain greater anonymity and higher return on investment with less risk
     [Chart: fraud schemes plotted over Time against Increased Complexity and Higher net return ($), on a scale from Good to Bad. Schemes shown: C2C Networks, Online Ad Fraud, Malware/Sniffers, Triangulation, Shipping fraud, Friendly Fraud, Re-Shipping fraud. Source: 2008 PCI SSC Community Meeting]
  6. Implanted chips
     • Criminals implant a chip directly into Point of Sale equipment
     • The chip holds up to 1,000 account numbers
     • Major occurrences in Taiwan, Malaysia and Brazil
  7. Purpose Built Skimmers
     • Small battery operated skimmers can hold up to 1 million account numbers at a time
     • Devices are mainly produced in Malaysia and China
     • Manually manufactured from standard POS equipment
     • The skimmers were introduced to the US in 1998
  8. Counterfeit Fraud
     • Increasing examples of large, sophisticated counterfeit card manufacturing operations
     • 170,000 cards seized in Taipei, Taiwan
  9. Organized & Social
     News clipping: “Arrests in card scam”, Wednesday, February 28, 2007, by Paul Grimaldi, Journal Staff Writer
     Arraigned yesterday in the thefts of credit-card and debit-card information — and more than $100,000
     The men allegedly stole the information by switching out checkout lane keypads with one of their own machines and then retrieving the units a few days later so they could copy the account data. To achieve this, they took shelf stocking positions at the supermarket, which gave them legitimate access to the facility during late hours in the evening. They recorded the stolen information on blank bank cards that they used to get money from ATMs in the area, the police said.
  10. Diversified Rings of Collusion: Organized Criminal to Criminal Networks
      • Financial Services: Credit application fraud, identity theft, account takeover
      • Online Retail: Credit card fraud, affiliate and click frauds, shipping fraud
      • Online Gaming: Credit card fraud, gold farming, account take-over, griefing
      • Internet Dating/Social Networks: Email spam, money solicitation (419 scam), predatory behavior
      • Online Gambling: Cheating & collusion, money laundering
  11. CVV2s contain:
      1: Name, Address, Post/Zip code, Phone number, Name on Card, CC Number, Expiry, CVV2
      2: Name, Address, Post/Zip code, Phone number, Name on Card, CC Number, Expiry, CVV2
      3: Name, Address, Post/Zip code, Phone number, Name on Card, CC Number, Expiry, CVV2
  12. Organized Crime
  13. Malware & Botnets
      • Easy to find & customizable by user
      • Designed to monetize fraud not disrupt systems
      • Utilizes phishing attack info
      • Prevalent in online advertising & affiliate fraud
      • Very low detection & apprehension rate
      • Very high ROI rates
      • High rate of mutation
  14. Moving the Cash
  15. Attacks on Specific Payment Instruments
      • As electronic payments evolve, criminals evolve their targets and their strategies
      • Specific payment instruments have come under significant attack
        – Alternative payment: PayPal, Bill Me Later, etc.
        – Gift Card (Plastic and Virtual): Schemes used in both the acquisition and redemption of gift cards
        – Private Label cards
      • Merchants are often “two steps behind” the criminal after launching or adjusting payment strategies
  16. This is what it’s come to… [Photo. Source: ShopRite stores, New York City area, December 2009]
  17. Gift Card Acquisition Fraud Rates: Three Top 10 Retailers
      Fraud rates are given as % of transactions / % of overall $ value. Key: June – December 2008 [January-February 2009]
      • Large Retailer “A” (Apparel, Home Goods): Virtual Gift Cards 0.80% [1.50%] / 1.00% [1.70%]; Plastic Gift Cards 0.03% [0.60%] / 0.03% [0.90%]; Overall Bankcard Fraud Rates 0.16% / 0.34%
      • Large Retailer “B” (Mixed Retail): Virtual Gift Cards 4.10% / 10.6%; Plastic Gift Cards 2.10% / 3.05%; Overall Bankcard Fraud Rates 0.41% / 1.30%
      • Large Retailer “C” (Mixed Retail): Virtual Gift Cards 1.70% [6.70%] / 2.60% [5.5%]; Plastic Gift Cards 0.70% [2.7%] / 2.80% [2.6%]; Overall Bankcard Fraud Rates 1.5% / 3.2%
      Notes:
      • Gift Card Fraud: Defined as the fraudulent purchase of a virtual or plastic gift card
      • Retailers displayed above have significant, established gift card programs
      • Retailers profiled represent major North American retailers with total combined annual revenues exceeding USD $476 billion (2008)
  18. Private Label Card Fraud Examples: Three Top 10 Retailers
      Fraud rates are given as % of transactions / % of overall $ value
      • Large Retailer “A” (Apparel, Home Goods): Private Label Cards 0.08% / 0.23%; Other Card Types 0.16% / 0.34%
      • Large Retailer “B” (Mixed Retail): Private Label Cards 0.44% / 1.56%; Other Card Types 0.41% / 1.30%
      • Large Retailer “C” (Mixed Retail): Private Label Cards 0.50% / 0.98%; Other Card Types 1.5% / 3.2%
      Notes:
      • Merchant sample includes 3 very large, established major retailers with significant transaction volumes and private label portfolios
      • Includes CNP fraud rates for transactions that took place in 2008, with the exception of Retailer “B”, whose statistics are from July to December 2008
      • Based on Retail Decisions merchant assessments, April 2009 (delay introduced to allow for confirmed fraud/chargeback resolution window)
      • “Fraud Rate” is defined as known fraud, but not necessarily chargebacks. Some fraud is detected and denied before a chargeback occurs. Actual chargeback rates for Other Card Types are significantly lower than reflected above
  19. The Fraud Lifecycle
      [Chart: Value of fraud plotted against Time, from 2002 to 2010, marked “??? Are We Here Now???”. Annotations along the curve:]
      • Solutions implemented to reduce fraud
      • Time lag for solutions to take effect
      • Familiarity with weaknesses in cards and technology increases fraud
      • Fraud begins to rise as new technologies are cracked and new weaknesses are found
      • New solution is implemented to reduce fraud
      • Implies Innovation ???
  20. What This Means In Regards to Fraud
      • Credit card fraud continues to become more of an organized, professional crime – the case studies prove it
      • CNP fraud continues to aggressively increase. As more countries adopt Chip and PIN solutions, fraud will continue to migrate from CP to CNP channels
      • APACS 2007 Fraud Study: For the first time, more than 50% of fraud was CNP fraud. Update with new state
      • As other countries implement Chip and PIN solutions, both CP and CNP fraud will increase in non-Chip and PIN geographies
      • ID Theft continues to increase, replacing counterfeit schemes, which are no longer valid in Chip and PIN geographies
      • Since fraud is aggressively expanding, legacy fraud prevention techniques are becoming less and less effective
  21. Merchant Fraud Assessment
      [Flow diagram: Merchant Order System, Storefront, Website, etc. → Fraud Prevention System and Tools (Proprietary or Outsourced) → one of three outcomes]
      • ACCEPT ORDER: 90%+ of all orders
      • DENY ORDER: ~2% of all orders
      • CHALLENGE ORDER (Manually Review): 2%-8% of all orders (where applicable)
      Notes:
      • Challenges or outright Deny categories may not work for all types of merchants
      • Merchants must find the balance:
        – Too many manual reviews = too much staffing cost
        – Too many outright denies = too many false positives
      • No Fraud Prevention system is perfect: You will have false positives. You will require manual review. Today’s strategy is to let the Fraud Prevention system identify ~95% of all good and bad orders and manually review the rest
  22. Balancing Metrics
      Key Metrics Merchants Must Track:
      • Manual Review Rate (“Outsort Rate”) - % of orders reviewed by a person before being shipped or cancelled
      • Outright Deny Rate - % of orders rejected by the fraud system without performing a manual review
      • Fraud Rate – Overall percentage of fraud, usually measured in % of overall transactions and % of $ value
      • Customer Insult Rate – Falsely identifying good customers as fraudulent OR degrading service to good customers as a result of slow/cumbersome fraud processes (e.g. manual reviews take so much time to complete that shipping windows are missed)
      • Revenue at Risk – How a particular fraud strategy could affect revenue
      When This Happens: This Could Happen:
      • Manual Review Rates Increase:
        – Fraud Rates - Decrease
        – Staffing Costs - Increase
        – Revenue at Risk - Decrease
        – Customer Insult Rate – Potential to increase (slower order turnaround)
        – Scalability – becomes challenging (Double my orders = Double my staff??)
      • Manual Review Rates Decrease:
        – Fraud Rates - Increase
        – Staffing Costs - Decrease
        – Revenue at Risk – Potential to increase
        – Customer Insult Rate – Potential to increase (due to higher deny rates)
      • Hard Deny Rates Increase:
        – Fraud Rates - Decrease
        – Staffing Costs - Decrease
        – Revenue at Risk – Increases (many more false positives)
        – Customer Insult Rate – Increase
      Highlighted in red: The most typical and critical results in each respective category
  23. The "More Tools Create Greater Complexity" Challenge
      Tools: Transaction Data; Negative Data; Device ID Check; Address Validation; Proxy Detection; Neural Score; Business Rules
      Results returned: No Matches; Everything’s OK; First time buyer; No History; Address is Good; No match of Name to Address; Could be behind a University proxy; Score: 362
      Should you accept it? Should you outright deny it? Should you manually review it?
  24. New Tools and Techniques: The Challenge
      • Some technologies don’t fit our existing paradigms
      • Some technologies are expensive
      • Some address very specific fraud scenarios
      • More tools and technologies can actually make decision making more difficult
      • Some may require additional customer data, such as SSN/last 4 or ask personal validation questions
      • Cost per transaction increases when more techniques and technologies are added to the suite of fraud tools
      • Fraud Evolves. Will these be valid in 2 years? 1 year? 6 Months?
      • Could lead to increased manual review costs, false positives and customer dissatisfaction
  25. Merchant vs. Issuer Fraud Prevention
      Merchant Fraud Prevention
      • Screening is transaction-centric
      • Primary goal is to protect loss of goods while staying out of compliance programs (e.g. Visa RIS)
      • Primary focus on CNP channels
      • Historical perspective on cardholder is relatively limited
      • Transaction Data set is very robust – Who? What? When? How?
      • More focus on real-time screening
      • Many more detection tools exist due to robust CNP data set
      Issuer Fraud Prevention
      • Screening is more account-centric
      • Primary goal is to protect losses within issuing portfolio
      • Not primarily focused on CNP – in fact, CNP is often removed from some screening models
      • Historical perspective on cardholder is comprehensive
      • Transaction Data set is limited: Basic account and transaction details
      • Less focus on real-time screening (although this is changing)
      • Certain tools can be deployed much more effectively (e.g. neural networks)
      Consolidated Merchant / Issuing fraud prevention systems do not exist today!
  26. Identify Your Vulnerabilities
      • System and IT
      • Business model weaknesses
      • Defined payment strategy
      • Product Delivery
      • Customer service and business policies
      • Systems designed for the future
      • Manage to Total Cost of Payment
  27. Thank You! Please feel free to contact me with any questions! Christopher Uriarte, Chief Technology Officer, Retail Decisions. US: +1 (732) 452 2440. UK: +44 (0) 1483 728700
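
Added example, not part of the original deck: a small Python model of the accept / challenge / deny decision from slide 21 that computes the slide 22 metrics over a constructed set of orders, so the trade-offs in the "Balancing Metrics" slide can be seen by moving the thresholds. The score scale (0-999, higher is riskier), the thresholds, the rule combining proxy and name/address signals, and the assumption that manual review always reaches the right answer are all assumptions made for illustration; only the false-positive half of the customer insult rate is modelled.

```python
from dataclasses import dataclass

@dataclass
class Order:
    amount: float
    score: int             # neural score; assumed scale 0-999, higher = riskier
    negative_hit: bool     # matched negative data
    proxy: bool            # proxy detection fired
    name_addr_match: bool  # address validation matched name to address
    is_fraud: bool         # ground truth, only known after the fact

def triage(o, review_at=300, deny_at=700):
    """ACCEPT, CHALLENGE (manual review) or DENY; thresholds are assumptions."""
    if o.negative_hit or o.score >= deny_at:
        return "DENY"
    if o.score >= review_at or (o.proxy and not o.name_addr_match):
        return "CHALLENGE"
    return "ACCEPT"

def metrics(orders, **thresholds):
    """Slide 22 metrics, assuming manual review always reaches the right answer."""
    decided = [(o, triage(o, **thresholds)) for o in orders]
    n, total = len(orders), sum(o.amount for o in orders)
    missed = [o for o, d in decided if d == "ACCEPT" and o.is_fraud]
    insulted = [o for o, d in decided if d == "DENY" and not o.is_fraud]
    return {
        "manual_review_rate": sum(d == "CHALLENGE" for _, d in decided) / n,
        "outright_deny_rate": sum(d == "DENY" for _, d in decided) / n,
        "fraud_rate_txn": len(missed) / n,
        "fraud_rate_value": sum(o.amount for o in missed) / total,
        "customer_insult_rate": len(insulted) / sum(not o.is_fraud for o in orders),
    }

SAMPLE = [  # constructed data; first order mirrors slide 23 (score 362, proxy, name mismatch)
    Order(120.0, 362, False, True, False, False),
    Order(40.0, 80, False, False, True, False),
    Order(60.0, 150, False, False, True, False),
    Order(200.0, 320, False, False, True, True),
    Order(500.0, 820, False, True, False, True),
    Order(80.0, 710, False, False, True, False),
    Order(30.0, 90, True, False, True, True),
    Order(250.0, 280, False, False, True, True),
    Order(70.0, 200, False, True, True, False),
    Order(150.0, 450, False, False, False, False),
]

if __name__ == "__main__":
    for kw in ({}, {"review_at": 250}, {"deny_at": 400}):
        print(kw, {k: round(v, 3) for k, v in metrics(SAMPLE, **kw).items()})
```

On this sample, lowering `review_at` to 250 raises the manual review rate and removes the missed fraud, while lowering `deny_at` to 400 raises the outright deny rate and doubles the customer insult rate.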