The Green Sheet Online Edition

June 27, 2011 • Issue 11:06:02

Fraud, the conversation starter

By Nicholas Cucci
Network Merchants Inc.

Living in this age of technology means personal financial information is increasingly vulnerable to fraudsters. According to a study by the Bureau of Justice Statistics, 23 percent of consumers subjected to identity theft lost money due to the fraud. The average out-of-pocket loss was $1,870, but half suffered losses of $200 or less.

The emotional impact of identity theft is often far more painful than the actual financial loss. Now, with instances of cyber fraud, it is becoming more important for merchants, banks and processors to be proactive about guarding card information and the personal details included with it.

The Sony breach

Despite card issuers' efforts to protect customer card information, we have still seen two large breaches in 2011, the ones at Sony Corp. and Michaels Stores Inc. In the Sony breach, over 100 million card numbers were exposed. Because of the breach, the Sony network went down for 23 days and only recently was restored. Sony expects to be fully back up by the end of June.

Sony's Playstation Network breach is likely to cost the company well over $100 million. However, this breach could cost Sony even more as the estimate does not include lawsuits filed against Sony from users of the hacked network.

Sony's servers were hacked between April 17 and 19, which impacted three networks, the Playstation Network, Qriocity and Sony Online Entertainment services. Sony discovered the breach on April 19, but did not disclose any information publicly until April 26.

On May 28, Sony offered its Playstation Network and Qriocity customers the services of Debix, an identity protection firm, with the first 12 months of protection free of charge. But is that enough to make consumers happy? Will this be the new aftermath trend for breaches? Only time may tell, but it's definitely a start in the right direction.

The Michaels breach

The Michaels breach was a little different. Ninety POS terminals were tampered with in Michaels stores in 20 states. Michaels used terminals and PIN pads that were Payment Application Data Security Standard certified. However, the attackers got around the security by swapping out the compliant PIN pads with compromised ones.

Due to the Michaels breach, the U.S. Secret Service is now investigating fraud incidents linked to POS device tampering. But the breach would have been relatively easy to avoid if store managers had been paying attention to what was happening in their stores.

How to avoid breaches

An axiom in the fraud prevention world is that fraudsters will always travel the path of least resistance. The more safeguards merchants have in place, the less likely it is fraudsters will spend the time required to gain access to their systems. Here are eight basic fraud prevention tips for ISOs and merchant level salespeople (MLSs) to pass on to merchants:

1. Watch out for multiple orders with different "bill to" and "ship to" addresses. Check the IP geo-location, and compare it with the billing address to help verify the validity of the charge.

2. Start keeping a database of prior fraud attempts once you have found a fraudulent charge. You will want to keep information such as the customer name, shipping/billing address, phone number, IP address and e-mail address. Make sure to designate a section in your database where you can input comments.

3. Detect patterns. Multiple orders being shipped to the same address but using different credit card numbers should throw up a red flag. Also, when fraudsters try to use stolen credit card numbers on online checkouts, they often submit the same credit card number multiple times with different expiration dates because the expiration date is what they are missing.

4. Suspect free e-mail accounts. A majority of fraud originates from free email services. Many businesses today refuse to accept orders from free email accounts or non-ISP email domains. Depending on the value of the purchase, merchants can call or request more information before the order is further processed.

5. Enroll in payer authentication programs. Programs such as Verified by Visa and MasterCard's SecureCode use personal passwords to confirm identities of card users. When merchants use this program, card issuers may incur some of the losses for online fraud that would otherwise be the responsibility of merchants.

6. Have BINs checked. You can use the first six digits of the credit card that contain the bank identification number to determine if the issuing bank and the credit cardholder are in the same country. However, merchants need to keep in mind that some legitimate transactions occur even if cardholders and issuing banks are in different countries.

7. Employ the AVS. The address verification system (AVS) is only available in the United States and in four European countries. It checks whether the cardholder's address and ZIP code match the information at the issuing bank. Merchants should be aware that the AVS can fail because of certain issues, such as cardholder address changes.

8. Call customers. With the high volume of transactions today, it may not be the best way to spend your time, but an occasional phone call will benefit merchants in many ways. Phone calls give retailers an opportunity to welcome customers and develop relationships with them for future ordering.

   If a merchant calls a person who claims to have never authorized a certain charge, the merchant simply cancels the order and advises the person to call his or her credit card company to get a new card issued. Doing this will solidify your merchants' relationships with customers (and potential customers) and help prevent further fraudulent charges.

Get the conversation started

Merchants can also help themselves by staying alert and proactive when it comes to POS terminal security. Here are a few tips to follow to guard against POS attacks:

• Remain compliant: Merchants should be Payment Card Industry (PCI) Data Security Standard (DSS) compliant at all times, not just on their certification dates. Retailers must also maintain Payment Application DSS compliance standards for PIN entry devices. Compliance mandates that only tamper resistant PIN pads be used.

• Know your employees: As negative as this may sound, background checks should be performed on potential employees to help eliminate candidates who could be working with fraudsters. Know your customers, but know your employees better.

• Assess your risks: Retail chains are always easy targets for fraudsters. Multilocation operations are especially vulnerable to attacks. If one retail location is hit with a POS attack, take a risk assessment of all other locations in the chain. Hiring a third-party organization to perform a security review is a good idea.

With the expansion of e-commerce, fraudsters are becoming increasingly sophisticated, and identity theft and credit card fraud are taking on new aspects every day. Therefore, it is more important than ever that ISOs and MLSs inform merchants on what steps to take to ensure they do not become the next breach victims.

Nicholas Cucci is the Director of Marketing for Network Merchants Inc., a graduate of Benedictine University and a licensed Certified Fraud Examiner. Cucci is also a member of the Advisory Board and Anti-Fraud Technology Committee for the Association of Certified Fraud Examiners. NMI builds e-commerce payment gateways for companies that want to process transactions online in real time anywhere in the world. Contact him at ncucci@nmi.com.

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.