The Green Sheet Online Edition
April 12, 2010 • Issue 10:04:01
The worldwide fraud web exposed
If the amount of online fraud can ever be characterized as at a respectable level, then the time may be now. Although fraudulent payments have long plagued online merchants, e-commerce fraud seems to be ebbing, or at least stagnating.
That is the finding of CyberSource's 11th Annual 2010 Online Fraud Report: Online Payment Fraud Trends, Merchant Practices and Benchmarks. According to the report, e-commerce merchants lost 1.2 percent of their revenue to fraud in 2009, compared with 1.4 percent in 2008, 1.8 percent in 2004 and 3.6 percent in 2000.
The report went on to say that 2009 was also the first year since 2003 that the industry saw a drop in total online revenue lost to fraud: $3.3 billion in 2009, compared with $4 billion in 2008.
Two decades of online fraud
Merchants paid relatively little mind to data security when e-commerce emerged some two decades ago, industry insiders say. Entrepreneurs envisioned windfall profits flowing from the exciting new medium of the Internet.
Yet the new frontier was not without peril, and many who disregarded security and jumped impetuously into the mix paid a price, according to Carl Clump, Chief Executive Officer of payment security provider Retail Decisions Inc. (ReD). "In those heady days of the late '90s to early 2000s, Internet companies were after grabbing market share and, in their haste, failed to consider issues like fraud," Clump said.
But sources say there has been a noticeable shift in recent years among e-commerce providers toward a more vigilant security stance - the number of merchants using some type of fraud prevention strategy has increased significantly, with many enlisting third-party security providers.
A simple equation
That merchants have taken a more aggressive stance toward fraud is no surprise, as they have a large financial stake in the fraud equation. Unlike the brick-and-mortar space, where card issuers and merchant acquirers tend to cover some or all the costs of fraud, liability for e-commerce-based fraud rests exclusively with merchants - an arrangement established at the Internet's inception.
It thus appears that, despite the heedlessness with which many businesses initially jumped onto the e-commerce bandwagon, card issuers were wary of potential perils from the beginning. Without question, those dangers are many.
For one, e-commerce has given rise to a number of methods for picking off individual card numbers. Among the favorites found in a hacker's bag of tricks are the phishing scam (fraudsters pose as legitimate financial institutions, usually banks, and request consumer payment information through e-mails or the like) and keylogging (malware intercepts a computer's keystrokes, potentially including the entry of payment information).
For most data thieves, such methods require an inordinate amount of work for relatively small gain. Phishing and keylogging usually involve the interception of just one card number per computer, and their rates of success can be low. Even when such attacks work, they tend to yield too few card numbers at too slow a rate to make the effort worthwhile for enterprising hackers.
Indeed, for all the talk of consumer fears relating to the entry of payment information online, analysts say the e-commerce environment has never been a major hotspot for stealing data.
According to Nicholas Percoco, Vice President of Spider Labs for information technology security provider Trustwave, as few as one in six data breaches occur online. "From a theft standpoint, it's much more common that people are getting data from brick-and-mortar environments," he said.
That does not mean the e-commerce space is immune to large-scale breaches. As with brick-and-mortar merchants, e-commerce environments are most vulnerable to large-scale breaches wherever merchant data is stored, Percoco said. In the e-commerce sector, merchants commonly store customer card data in back-end portals, used for chargebacks and recurring billing, that nonetheless connect to their main gateways.
According to Percoco, about 90 percent of successful attacks on e-commerce sites involve "SQL injection," whereby hackers use special commands to access private storage areas - essentially fooling merchants' systems into granting access. He said such attacks are generally made possible by lazy programming and generic codes easily guessed at or broken by computer-savvy invaders.
Percoco said adherence to the Payment Card Industry (PCI) Data Security Standard (DSS) all but guarantees that hackers won't access merchants' private databases.
Those measures, Percoco noted, involve things like "secure development practices" (sites locked down by difficult-to-break passwords and sophisticated command codes) and frequent vulnerability self-scanning to ensure the lack of holes or defects in systems.
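The "lazy programming" Percoco describes usually means building a database query by pasting untrusted input into the SQL text. The following is an added illustration, not code from the article or from Trustwave: a hypothetical chargeback-portal lookup written both ways against an in-memory SQLite table of constructed sample rows (the schema, the e-mail addresses and the masked card numbers are all made up). The parameterized version is the "secure development practice" in its simplest form: the driver sends the value separately from the query, so it can never be interpreted as SQL.

```python
import sqlite3

# Constructed sample data for a hypothetical back-end portal of the kind the
# article describes. PANs are already masked; nothing here is real.
SAMPLE_ROWS = [
    ("alice@example.com", "ORD-1001", "4111********1111"),
    ("bob@example.com",   "ORD-1002", "5500********0004"),
    ("carol@example.com", "ORD-1003", "3400********0009"),
]


def make_db():
    """Build the sample table in memory so the demo runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (email TEXT, order_id TEXT, masked_pan TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, email):
    """String concatenation: the untrusted value becomes part of the SQL text,
    so a value containing quotes rewrites the WHERE clause."""
    sql = "SELECT order_id, masked_pan FROM orders WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Bound parameter: the value is passed to the driver out of band and is
    compared as data, whatever characters it contains."""
    sql = "SELECT order_id, masked_pan FROM orders WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def compare(email):
    """Return (rows from the vulnerable query, rows from the safe query)."""
    conn = make_db()
    return len(lookup_vulnerable(conn, email)), len(lookup_parameterized(conn, email))


if __name__ == "__main__":
    print(compare("alice@example.com"))   # a normal value: both queries return 1 row
    print(compare("x' OR '1'='1"))        # a quote in the value: concatenation returns every row
```

A vulnerability scan of the kind Percoco recommends is essentially an automated version of the second call: it feeds inputs containing quotes and operators to each parameter and watches for the query's behaviour to change.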
Percoco also said data traveling or sitting online should be encrypted with a state-of-the-art encryption scheme, rendering it useless even if it is accessed by an unauthorized party. But, he added, not every encryption scheme automatically entails impenetrability; smart hackers can crack weak encryption methods. For proper encryption methods, merchants and their service providers should again refer to PCI DSS guidelines, he said.
Of course, the best way for merchants to protect cardholder data is to avoid storing it in the first place. "We have a catchphrase here: if you don't need it, don't store it," said Bob Russo, General Manager of the PCI Security Standards Council. Regarding what is stored, Russo said such data must be rendered unreadable, be it through encryption, truncation, tokenization or some other method.
Sources said tokenization (replacing card information with an alphanumeric substitute) is an increasingly popular practice for protecting stored data.
The biggest conundrum around e-commerce security, however, seems not to be stopping the theft of data but preventing its use online (whether it's stolen online or someplace else). E-commerce affords unique luxuries for spending stolen data - among them anonymity, a host of spending options, rapid purchasing and the easy sale of stolen numbers to parties around the world.
With merchants taking their lumps over the years, interest in online fraud prevention has grown - and advancing with it are methods of fighting fraud.
Of those methods, two are by far the most commonly used: card verification number (CVN) and address verification service (AVS).
In the CyberSource fraud report, 77 percent of online merchants said they required entry of a CVN for purchases in 2009; 76 percent said they used the AVS (which compares a purchaser's stated address to one on file at the card owner's bank or credit card issuer).
"There's been a big shift [in the use of CVN] in the last five years or so," Merchant Risk Council Program Manager Paul MacKay said. "In the early days it wasn't something even consumers were familiar with. Now it's almost an expectation of consumers from a security standpoint."
CVN authentication is used by online merchants to certify that payers have the physical card in hand when they're entering data for a purchase.
The CVN is the three- or four-digit number printed on the front or back of credit and debit cards, separate from the main card number. (Whether the number is three or four digits, on the back or the front of a card depends on the type of card. The card companies also have different names for it - CVV2, CVC2, CID et cetera.)
Hackers who break into the networks of either brick-and-mortar merchants or the processors they connect to tend to get all the main payment data from the compromised cards (card numbers, expiration dates and so forth), but not the CVNs, which aren't stored on the magnetic stripe used for in-person payments.
Thus, an online shopper who can provide all the data pertaining to a particular card except the CVN is likely using stolen card information - otherwise they'd have the card in hand, CVN and all.
Ironically, however, the widespread use of CVN as a security check has made more widely available to fraudsters the very information used to thwart them. Because many online transactions require entry of a CVN, hackers who steal those transaction records may have the CVN along with everything else (although its storage by online merchants is forbidden by PCI DSS rules).
In any case, analysts agree that requesting the CVN isn't by itself sufficient to combat online fraud.
Other security measures include telephone calls to cardholders and acceptance of payment in conjunction with third-party providers, with whom customers register payment information in exchange for a token ID and/or password.
Providers of this latter service (exact protocols for which differ with each one) include PayPal, Google Checkout, Bill Me Later, Verified by Visa and MasterCard SecureCode.
At the same time, merchants and merchant service providers who implement fraud fighting programs must be wary of business lost to consumer "abandonment" (leaving an online transaction midway through the process) and false positives caused by overly aggressive fraud defenses.
U.K.-based ReD is one of a number of companies that help merchants combat fraud through complex data analysis used to flag or stop transactions bearing the stamp of fraud. ReD uses a software program that analyzes wide-ranging global payment data along with the transaction data of its clients.
According to ReD's Clump, the goal of any anti-fraud service is to maximize revenue by striking a balance that prevents as much fraud as possible without rejecting legitimate transactions - or inconveniencing customers to the point that they leave the Web site and shop elsewhere.
"What we do is totally nonintrusive," Clump said. "The response time is less than a second, so before your finger is off the send button we've decided whether the transaction's valid or not.
"Very often we find that retailers are rejecting perhaps up to 8 percent of domestic transactions and saying, 'Our fraud's under control, great.' But they're rejecting far too many, because fraud is really of the order of 1 to 2 percent.
"Very often we end up relaxing a retailer's rules, which means his fraud is still kept under control, but he actually starts to see more valid transactions that historically he would have rejected."
Steve Mott, CEO of payment consulting firm BetterBuyDesign, contends that the fraud rules for e-commerce should be re-written altogether.
"The historical problem is that people are using mag stripe cards, which should never have been thought of as a means by which you could do transactions ... over public networks," he said.
With that in mind, Mott said the best way to guard against fraud is to dramatically limit the amount of payment information used on the Internet.
He said one approach would be a mandatory program for all consumers, resembling ones like Verified by Visa and MasterCard SecureCode, where card information is tokenized by a third-party provider.
Consumers would then conduct payments with the pseudo card number - both limiting the amount of real data travelling over the Internet and thwarting the use of stolen card numbers online (assuming the stolen card is protected by the tokenization program).
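Russo's "if you don't need it, don't store it" and Mott's pseudo card number are the same idea seen from the merchant's and the consumer's side: the real card number lives in exactly one place, and everyone else handles a substitute. The following is an added example, not code from the article or from any token provider named in it: a hypothetical vault that hands out random tokens, a truncation helper, and a merchant record that keeps only the token and the last four digits. The class and function names, and the test card number, are assumptions made for the illustration.

```python
import re
import secrets


class TokenVault:
    """Hypothetical token service: the only component that ever holds a PAN."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan):
        pan = pan.replace(" ", "")
        if not re.fullmatch(r"\d{13,19}", pan):
            raise ValueError("not a card number")
        # Same card -> same token, so a merchant can still recognise a returning
        # customer or run recurring billing without seeing the PAN.
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        # Random token: no mathematical relation to the PAN, nothing to "crack".
        token = "tok_" + secrets.token_hex(12)
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token):
        """Only the vault (e.g. when forwarding to the processor) maps back."""
        return self._pan_by_token[token]


def truncate(pan):
    """Truncation as Russo describes it: keep only the last four digits."""
    digits = pan.replace(" ", "")
    return "*" * (len(digits) - 4) + digits[-4:]


class MerchantStore:
    """What the merchant keeps for chargebacks and repeat orders: never the PAN."""

    def __init__(self, vault):
        self.vault = vault
        self.records = {}

    def save_card(self, customer_id, pan):
        self.records[customer_id] = {
            "token": self.vault.tokenize(pan),
            "last4": truncate(pan),
        }
        return self.records[customer_id]

    def contains_pan(self, pan):
        """Assurance check: a full PAN must not appear anywhere in stored data."""
        digits = pan.replace(" ", "")
        return any(digits in str(rec) for rec in self.records.values())


if __name__ == "__main__":
    vault = TokenVault()
    store = MerchantStore(vault)
    # Constructed test card number, not a real account.
    print(store.save_card("cust-1", "4111 1111 1111 1111"))
    print(store.contains_pan("4111 1111 1111 1111"))   # False: merchant holds no PAN
```

The point Mott raises about account setup applies here too: the vault's random token protects stored data, but it says nothing about whether the person who enrolled the card was entitled to it.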
Mott also suggested the use of offline channels between token provider and e-merchant for conveying data following a purchase.
But Mott noted one potential vulnerability: what if a token is issued to the wrong person? "The account setup is the Achilles heel of every security system," he said.
That point was echoed by Theodore Svoronos, Vice President, Business Development & Strategic Partnerships at Group ISO Inc. He said authentication of a payer's identity was the most crucial missing piece to e-commerce security. "The saddest thing in the world is enrolling the wrong guy," Svoronos said. "You could have the strictest system ever made, but if you haven't vetted out the true identity of the individual, you've enrolled a bad guy."
Svoronos suggested that online transactions, including online banking or money wiring, use "knowledge-based authentication" - asking a consumer a question that only he or she could theoretically answer. Svoronos said such information can be culled from an array of online databases using advanced software programs.
He noted that questions would be arcane and personal, such as, "What was the color of your previous car?" or "What is your brother's middle name?" The questions, randomly generated, would be required for registering into any type of online payment service.
The use of such questions is one example of "third factor authentication" - a practice that e-commerce should use across the board, in one form or another, Svoronos said.
Another example is the use of a PIN code. Online PIN debit is currently offered by a company called Acculynk, which has contracted with a handful of firms, including several airline companies, Mott said.
Yet, as it stands now, on Web sites where the service is offered consumers have the option of either doing PIN-based or non-PIN-based transactions. That would seem to undermine the security provided by PIN codes, since fraudsters can simply choose the non-PIN option. On the other hand, making online PIN entry mandatory would be a stellar way to fight fraud, Mott said.
But Mott said the most important factor in the current fraud fight may be the very thing that is revolutionizing the payments world on every other front: the mobile phone. Mott contends that, with the explosion of mobile commerce, the payments and retail industries have a great new tool for further reducing fraud.
"My view, and the view of a lot of people, is mobile commerce has the potential to make e-commerce much safer because you have a very important extra set of information: a phone number, network, identification of the device and location of the device," he said.
"You get somebody doing an Internet transaction over a mobile phone in Latvia and the owner of that phone account has never been to Latvia, there's a pretty good chance that's a bogus transaction."
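Clump's point about retailers rejecting up to 8 percent of orders to stop 1 to 2 percent fraud, and Mott's point about device location, both come down to how a rule engine's signals are weighted and where the decline threshold sits. The following is an added, simplified illustration and is not ReD's or anyone else's product: a handful of constructed transactions (with fraud labels standing in for the chargebacks a merchant learns about later), four hypothetical rules with made-up weights, and a function that reports how many legitimate and how many fraudulent orders a given threshold would decline. It goes slightly beyond the text by letting you compare a strict and a relaxed threshold on the same data.

```python
from dataclasses import dataclass


@dataclass
class Transaction:
    amount: float
    cvn_match: bool        # card verification number matched the issuer's value
    avs_match: bool        # billing address matched the issuer's record
    home_country: str      # country on the cardholder's account
    device_country: str    # where the ordering device (e.g. a phone) is located
    is_fraud: bool         # ground truth, known later from chargebacks


# Hypothetical rules and weights; a real service tunes these from large
# volumes of historic payment data, as the article describes.
RULES = [
    ("cvn mismatch",  lambda t: not t.cvn_match,                    40),
    ("avs mismatch",  lambda t: not t.avs_match,                    25),
    ("device abroad", lambda t: t.device_country != t.home_country, 35),
    ("high amount",   lambda t: t.amount >= 500,                    15),
]


def risk_score(tx):
    """Sum of the weights of every rule the transaction trips."""
    return sum(w for _, hit, w in RULES if hit(tx))


def fired_rules(tx):
    """Names of the rules that fired, for an analyst reviewing a decline."""
    return [name for name, hit, _ in RULES if hit(tx)]


def evaluate(txs, threshold):
    """Return (legitimate orders declined, fraudulent orders declined)."""
    declined_legit = sum(1 for t in txs if not t.is_fraud and risk_score(t) >= threshold)
    declined_fraud = sum(1 for t in txs if t.is_fraud and risk_score(t) >= threshold)
    return declined_legit, declined_fraud


# Constructed sample: nine legitimate orders and three fraudulent ones.
SAMPLE = [
    Transaction(40,  True,  True,  "US", "US", False),
    Transaction(120, True,  False, "US", "US", False),   # customer recently moved
    Transaction(900, True,  True,  "US", "US", False),   # big but ordinary order
    Transaction(60,  True,  True,  "US", "DE", False),   # cardholder travelling
    Transaction(15,  True,  True,  "US", "US", False),
    Transaction(600, True,  False, "US", "US", False),
    Transaction(80,  True,  True,  "US", "US", False),
    Transaction(200, True,  True,  "US", "US", False),
    Transaction(450, True,  True,  "US", "US", False),
    Transaction(750, False, False, "US", "LV", True),    # stolen number, no CVN
    Transaction(300, False, True,  "US", "LV", True),
    Transaction(900, True,  False, "US", "LV", True),    # full record incl. CVN stolen
]


if __name__ == "__main__":
    for threshold in (20, 50):
        legit, fraud = evaluate(SAMPLE, threshold)
        print(f"threshold {threshold}: declined {legit} legitimate, {fraud} fraudulent")
    print(fired_rules(SAMPLE[-1]))
```

On this data the strict threshold declines three good orders to catch the same three frauds the relaxed threshold catches on its own, which is exactly the "relaxing a retailer's rules" outcome Clump describes: the single-signal rules (an address mismatch alone, a trip abroad alone) cost sales, while the frauds trip several signals at once.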
There is also a pretty good chance that fraudsters are already working on a strategy to counter this roadblock. So the fraud fight continues.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.