Online Credit Card Fraud

Jan 2002

Bill Rini

Contrary to popular belief, merchants are far more at risk from credit card fraud than are consumers. While consumers may face headaches trying to get a fraudulent charge reversed, merchants lose the cost of the product sold, pay chargeback fees, and face the possibility of having their merchant account closed. Though exact estimates are difficult to come by, it's safe to say that if you offer a product or service online, criminals will attempt to commit fraud against your company.

The purpose of this white paper is to look at the different types of fraud online merchants may encounter, how criminals attempt to take advantage of you, and how internet retailer eToys developed a comprehensive fraud detection system that kept fraudulent orders at manageable levels. While the focus of this document will be mostly on Visa and MasterCard type transactions, the ideas and concepts generally prove valid with other credit cards such as American Express and Discover with only minor differences.

 

Examining Online Credit Card Fraud

The first shock to hit many companies when they first begin selling products over the internet is that merchants have almost no protection against online fraud. Taking a credit card payment over the internet constitutes what the credit card companies refer to as a Card Not Present transaction. An offline merchant swipes a credit card into a terminal and receives a signature on a credit card receipt. If the card later proves to be stolen or the charge is disputed, both the merchant and the customer are usually made good by the credit card company. When there is no customer signature or the card was not present at the time of the transaction, as is the case with almost all online credit card transactions, the credit card company will reimburse the customer and the merchant is left unprotected (legally the credit card company may enforce a $50 liability onto the card holder but they frequently waive the fee to keep the customer happy). To add insult to injury, the merchant is fined a chargeback fee (usually $15) and may incur higher processing fees in the future. In extreme cases, the merchant may even have their credit card processing privileges taken away if the merchant has too many chargebacks. Additionally, it is almost impossible for the merchant to successfully dispute a chargeback claim. Unlimited merchant liability is what makes online credit card fraud especially appealing to criminals. Credit card companies seldom pursue the fraud and it is left in the hands of the merchant who, in most cases, doesn't have the time, resources, or expertise to file a criminal complaint or conduct their own investigation.

Online credit card fraud against merchants can be broken out into three major categories:

 

  • Organized Fraud
  • Opportunistic Fraud
  • Cardholder Fraud

Organized Fraud is a form of organized crime. The criminals use identity theft or some other means to apply for valid credit cards under someone else's name. Once issued, they set up a drop location where they have goods delivered to (usually a vacant house or apartment) and they spend the cards up to their limit. When the bill comes 30 - 45 days later, there's nobody there to pay it and the criminals move on to another credit card. A minor variation on this theme is the hacker/cracker using software to generate seemingly valid credit card numbers. Both types of criminals are normally looking for items that can be easily converted into cash. These are probably the hardest criminals to catch because they know all the ins and outs of the system and are constantly altering their techniques as soon as an anti-fraud measure begins to show any level of success.

Opportunistic Fraud is, quite simply, fraud that is committed because the opportunity happens to present itself. Perhaps a waiter, a little short on cash, copies down the credit card info from a customer and then goes online and buys his wife a nice birthday present. There are a million variations on this but essentially, the person committing fraud doesn't normally do this for a living. They are amateurs who happened to take advantage of an opportunity.

Cardholder Fraud is when the legitimate cardholder is the person committing fraud. Sometimes they claim they never received the merchandise. Sometimes they claim they never ordered the merchandise. Whatever the excuse, the cardholder knows how card not present transactions are treated by the credit card companies and aims to take advantage of the system. Even if the merchant calls the customer and confirms that they placed the order, when the bill comes they can claim they never heard of the company and the credit card company will stick the merchant with the liability. A minor variation on this type of fraud which I still consider Cardholder Fraud is the spouse or children who use the card and then deny the charges. Usually the actual cardholder is completely ignorant of the unauthorized use but the result is still the same for the merchant.

 

Controlling Online Credit Card Fraud

There are actually quite a few tools and common sense tips to help you control online credit card fraud and I'll outline some of those below. Later when I discuss the anti-fraud measures at eToys we'll examine some more advanced techniques and outline some state-of-the-art fraud management ideas. But before we begin any discussion of controlling online credit card fraud, I want to make it clear that there is absolutely no reasonable way to completely eliminate online credit card fraud. You must accept the fact that you will incur credit card fraud losses and work to keep them within manageable ranges rather than trying to eliminate them entirely. If you adopt that mindset, you can look at risk objectively, which tends to be half the battle.

1. Do Mod10 algorithm testing. Mod10 is an algorithm that will tell you if the card number being presented could be a valid card number. It doesn't mean that number was ever issued, or that the card number is an active account, but it will tell you whether the digits the customer typed in could be in the range of valid credit card numbers issued by the major credit card companies. This test should be the first test applied to any credit card number you process. If the card fails Mod10, it will fail all other attempts to authenticate and process a charge against the card.

2. Obtain an authorization and AVS check on every transaction. When a merchant processes a credit card transaction, normally they must receive an authorization for the dollar amount of the order. This usually guarantees that the card is a valid card number and that the person has available credit for the amount being requested. In the US the credit card companies make available AVS (Address Verification Service) which you can use to further verify the validity of the card. AVS matches the billing address provided by the customer with the zip code held on file at the issuing bank. While there are numerous reasons why the card may fail AVS (recent change of address, AVS computers down, etc.), an AVS failure should be a red flag that needs further investigation.

3. Be extremely wary of orders where the shipping and billing addresses are not the same. Obviously if you are in a business that sells items traditionally given as gifts (flowers would be an example) this may be difficult, but if the majority of your customers bill to the same address they ship to, be cautious of orders that are being shipped to a different address.

4. Consider using CVV2/CVC2 authentication. Beginning Jan. 1, 1997 for MasterCard and Jan. 1, 2001 for Visa, all newly issued credit and debit cards will carry a 3-digit non-embossed number on the back of the card (American Express has the number on the front of the card). This number is not included in the data contained on the magnetic stripe of the card and is not printed on credit card statements or anywhere else. It should provide some sense of verification that the person entering the CVV2/CVC2 number actually has the card in front of them. There are some industry claims that the use of CVV2/CVC2 along with AVS can reduce fraud rates by as much as 26%.

5. Pay extra attention to orders that are for dollar amounts greater than the norm or consist mostly of one type of item. Criminals trying to commit fraud will often place large dollar orders for specific items that they know they can resell easily. For instance, if you sell DVDs and you receive an order for 25 of the same title, you should investigate further. Customers who place multiple small orders should draw your attention as well. Some criminals are aware that cautious merchants scrutinize large transactions, so the criminal simply places many smaller orders rather than one large one.

6. Be suspicious of orders that are placed for rush or expedited delivery. Since criminals aren't paying the shipping fees they normally don't care about the extra cost and they want the order shipped as quickly as possible. The longer the order sits around before shipping the greater the chance the fraud will be uncovered.

7. Any order consisting mostly or entirely of high ticket items should receive extra scrutiny. High ticket items usually have a high resale value, so they tend to be on the shopping list of many criminals.

8. Be alert to orders that originate from email addresses issued by free hosting providers like yahoo.com, hotmail.com, etc. Many sites simply will not accept orders from email addresses originating at free hosting providers. While this may be extreme due to the widespread use of Hotmail and Yahoo addresses, it should at least set off some warning bells when combined with other warning signs.

9. Keep an eye out for orders from multiple accounts/credit-card-numbers being shipped to the same delivery address. This may indicate a drop box or drop location where criminals are having orders delivered to.

10. Orders being shipped to an international address should earn a closer inspection. Pay particular attention if the card or the shipping address is in an area prone to credit card fraud. According to a ClearCommerce survey, the top 12 international sources for online fraud are Ukraine, Indonesia, Yugoslavia, Lithuania, Egypt, Romania, Bulgaria, Turkey, Russia, Pakistan, Malaysia, and Israel. The same survey also showed that the 12 countries with the lowest fraud rates are Austria, New Zealand, Taiwan, Norway, Spain, Japan, Switzerland, South Africa, Hong Kong, the UK, France, and Australia. Interestingly, the US placed 13th.

11. Watch for multiple orders being placed over a short period of time. Many criminals will attempt to run up a card before the owner finds out or in the case of a stolen identity before the first bill arrives.

12. Pick up the phone. If you have any suspicions about an order call the contact phone number given by the customer and attempt to confirm the details of the order. If you still don't feel comfortable, call the issuing bank and ask to confirm the account details.
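The Mod10 test from tip 1, as an added example (this is not code from the paper; the 13 to 19 digit length bound is an assumption about how long major-brand card numbers are):

```python
# Added example (not code from the paper): the Mod10 (Luhn) test that
# tip 1 says should gate every card number before any authorization.

def mod10_valid(card_number: str) -> bool:
    """Return True if the digits pass Mod10.

    Passing means only that the number *could* be a card number; it says
    nothing about whether the account was ever issued or is still active.
    Spaces and dashes typed by the customer are tolerated; any other
    non-digit character fails the check.
    """
    digits = card_number.replace(" ", "").replace("-", "")
    # Assumed length bound: major brands issue 13 to 19 digit numbers.
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    # Walk from the rightmost digit, doubling every second digit and
    # folding two-digit results back to one digit (14 -> 14 - 9 = 5).
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


if __name__ == "__main__":
    # Constructed inputs: a well-known Luhn-valid test number, the same
    # number with a wrong last digit, and a customer-formatted entry.
    for pan in ("4111111111111111", "4111111111111112", "4111 1111 1111 1111"):
        print(pan, mod10_valid(pan))
```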

 

The eToys Case Study

Background:

eToys was an e-commerce company focused on the children's market with over $150 million in annual revenues and 200,000 products for sale. I served as the Director of Software Development for eToys from 1998 - 2000. eToys had both US and international divisions (UK & Germany) utilizing the same payment processing and fraud detection systems.

The Challenge:

eToys was unique in the fact that it had an extremely low fraud rate. However, that low fraud rate came at a very high cost. Customer Service personnel manually processed all orders suspected of being fraudulent which resulted in both an increased cost per order as well as delays in order fulfillment. The man-hour cost to process each suspected fraud had increased to an amount greater than the average loss per fraudulent order. In other words, if the average fraud loss was $20 (excluding chargeback fees), eToys was spending $25 in labor to catch each fraud. The objective was to decrease the man-hour cost while at the same time avoiding any increase in the number of chargebacks which at the time was running at one half of one percent of gross sales (for comparison, the industry average for similar online retailers was 1.5% - 2% of gross sales).

Approach:

Just as the problem was unique, our approach would be as well. eToys' previous policy concerning the flagging of suspicious orders created too many false positives. In other words, Customer Service spent too much time manually processing orders that should have been approved. We did a careful study of the cost to process each flagged order and our goal was to hit the intersection between man-hour cost and fraud loss. For this we took a two-pronged approach. First we refined the fraud detection algorithms to be more accurate and second we reduced the number of orders sent through the fraud detection process. We created a point based system that assigned a weighted value to each type of red-flag that an order set off. We also created a positive points system that gave back points based on certain other factors as well (length of time as a customer, previous purchase history, etc.). What we ended up with was a system I termed Green, Yellow, and Red. A Green customer was anybody who had been a customer for at least 90 days and who had made at least two purchases since becoming a customer with at least one of those purchases occurring in the last 30 days. Based on our research of previous customer frauds, if a customer established a history over time, it was highly unlikely that they would later turn fraudulent. These criteria were carefully selected based on the following assumptions:

 

  • Credit card fraud rings (Organized Fraud) usually did not use a single credit card for 90 days. They normally fail to make payment the first month and the card is frozen soon after.
  • Customers were only allowed to associate one account to a credit card number (they could associate many cards to an account but only one account to a card number). This was implemented to prevent someone using a stolen credit card number from creating a new account. If the legal card holder was already a customer, any attempt to assign the card number to a new account would not be accepted.

A Yellow customer was any customer who had not yet met the Green customer requirements (or who had previously been a Green customer but later became disqualified) and did not have a previous fraudulent transaction. We put orders from Yellow customers through the full process and examined them carefully.

The Red customer was someone we determined to have been fraudulent in the past. Either the credit card, the address, or some other criterion was flagged as being suspicious. Red customers were not allowed to process their order in checkout and were asked to phone our customer service department.

While the idea was to minimize the number of orders being processed by the fraud detection system by allowing good customers (Green) to bypass the process, there was still a need to ensure that risk was kept minimal. Below is a partial list of checks performed broken out by the status of the customer:

 
Yellow Customers Only:

  • Express Shipping
  • Billing and shipping address not the same
  • Order total over $200 but less than $500
  • High Fraud Product
  • Medium Fraud Product
  • Low Fraud Product
  • Multiple gift certificate purchase
  • Redemption of gift certificate in excess of $50

Both Green & Yellow Customers:

  • AVS
  • MOD10
  • Credit card authorization status
  • Order total over $500

The High, Medium and Low Fraud Product checks were based on an analysis of previous theft patterns. Certain products such as video games were a higher theft risk than say baby bibs. We ranked each product as to whether or not it was a high, medium or low risk item and assigned points accordingly.

After assigning points to each order based on the criteria outlined above, the order was then compared to a fraud threshold limit. Orders with a point total equal to or exceeding the fraud threshold limit were sent to customer service for manual examination. Orders with point totals below the fraud threshold limit were sent to order fulfillment at the warehouse. The point values assigned could be adjusted in real time to react to any trends that began to occur. For instance, if a fraud ring began trying to make multiple gift certificate purchases, the customer service department could raise the point value for the multiple gift certificate purchases above the fraud threshold limit thereby guaranteeing that any order with multiple gift certificates would be sent immediately to customer service for manual review.

The fraud threshold limit was a number that was constantly fine-tuned by the customer service department depending on multiple factors. For instance, during the peak holiday season, eToys would process between 25,000 - 30,000 orders a day. If the fraud threshold limit was set too low, the customer service department would be flooded with orders that had to be manually examined. If the number was set too high, too few fraudulent orders would be caught. Customer service usually adjusted the number along with traffic volumes. During slow times the threshold was lowered, and during periods of heavy volume the fraud threshold limit was raised so only the orders with the highest point totals were manually examined.
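The Green/Yellow/Red classification, the per-status checks and the adjustable threshold described above, as an added example (not eToys' code): the point weights, the credit given back for purchase history, the order-level product risk rating and the sample customers are all constructed, and MOD10, AVS and authorization results are assumed to arrive as flags already computed by the payment system.

```python
# Added example, not eToys' code: a Green/Yellow/Red scorer in the shape
# the case study describes. Point weights, the per-order credit and the
# threshold are constructed; MOD10, AVS and authorization results arrive
# as already-computed flags on the order.
from dataclasses import dataclass, field
from datetime import date

GREEN, YELLOW, RED = "green", "yellow", "red"
# Checks applied to both Green and Yellow customers (constructed weights).
WEIGHTS_BOTH = {"avs_fail": 30, "mod10_fail": 100,
                "auth_fail": 100, "total_over_500": 25}
# Checks applied to Yellow customers only (constructed weights).
WEIGHTS_YELLOW = {"express": 10, "ship_differs": 20, "total_200_to_500": 10,
                  "product_high": 25, "product_medium": 10, "product_low": 0,
                  "multi_gift_cert": 20, "gift_cert_over_50": 15}
CREDIT_PER_PRIOR_ORDER = 5  # "positive points" given back for history

@dataclass
class Customer:
    since: date                  # account creation date
    purchases: list = field(default_factory=list)  # dates of past orders
    prior_fraud: bool = False    # card or address tied to an earlier fraud

@dataclass
class Order:
    total: float
    express: bool
    ship_equals_bill: bool
    product_risk: str            # "high", "medium" or "low" for the order
    gift_certs_bought: int = 0
    gift_cert_redeemed: float = 0.0
    avs_match: bool = True
    mod10_ok: bool = True
    authorized: bool = True

def classify(cust: Customer, today: date) -> str:
    """Green: >= 90 days as a customer, >= 2 purchases, one in the last 30 days."""
    if cust.prior_fraud:
        return RED
    tenure_ok = (today - cust.since).days >= 90
    recent = any((today - d).days <= 30 for d in cust.purchases)
    return GREEN if tenure_ok and len(cust.purchases) >= 2 and recent else YELLOW

def score(order: Order, cust: Customer, today: date) -> int:
    """Sum the red-flag points for this order, never below zero."""
    pts = 0
    if not order.avs_match:
        pts += WEIGHTS_BOTH["avs_fail"]
    if not order.mod10_ok:
        pts += WEIGHTS_BOTH["mod10_fail"]
    if not order.authorized:
        pts += WEIGHTS_BOTH["auth_fail"]
    if order.total > 500:
        pts += WEIGHTS_BOTH["total_over_500"]
    if classify(cust, today) == YELLOW:   # Green customers skip these
        w = WEIGHTS_YELLOW
        pts += w["express"] if order.express else 0
        pts += w["ship_differs"] if not order.ship_equals_bill else 0
        pts += w["total_200_to_500"] if 200 < order.total < 500 else 0
        pts += w["product_" + order.product_risk]
        pts += w["multi_gift_cert"] if order.gift_certs_bought > 1 else 0
        pts += w["gift_cert_over_50"] if order.gift_cert_redeemed > 50 else 0
    return max(pts - CREDIT_PER_PRIOR_ORDER * len(cust.purchases), 0)

def route(order: Order, cust: Customer, today: date, threshold: int) -> str:
    """Red: stop checkout; at or above threshold: manual review; else ship."""
    if classify(cust, today) == RED:
        return "phone_customer_service"
    return "manual_review" if score(order, cust, today) >= threshold else "fulfill"
```

Raising `threshold` during peak volume is what moves a borderline Yellow order from manual review to fulfillment, exactly the lever the paragraph above describes customer service pulling.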

Conclusion:

After launching the updated fraud detection systems, the false positive rates dropped substantially below our estimates while the total number of chargebacks decreased as well. In the 12 months following deployment, the new fraud detection systems were credited with saving over $3 million in fraud and labor expenses.

 

Advanced Fraud Prevention

While I left out some of the more proprietary fraud detection methods utilized by eToys, I can offer some suggestions as to where eToys was headed in the future.

Credit Checks: Depending on the types of transactions you handle, you may want to consider running a credit check on your customers before approving their purchases. Of course that comes at a price and that price may be prohibitive to most companies. The message is that there's another layer of protection if you need it.

Reverse IP Checking: Many frauds occur from IP (Internet Protocol) addresses that are not valid or are not what you think they are. I can give you an email address bill@example.com which seems valid but if you check who owns example.com (via the whois utility), perhaps you'll find that the owner of that domain name has a telephone number of 000-000-0000 and an address of 123 Main St., Anytown, Ca. 00000. That should give you some concern and you should flag customers coming from any domain that doesn't fully disclose itself.

Domain / IP Checks: If I tell you that my email address is bill@aol.com, it should be of some concern if the IP address I'm placing the order from is not in the block of IP addresses owned by AOL.

Geo-Location: Using utilities like traceroute you can follow the path that TCP/IP packets take going from one point to another. If you use this tool to uncover the path between your website and the person placing the order, you may discover, for instance, that while your customer's billing and shipping addresses are in the US, the person placing the order is logged in from an ISP in Russia. As with many fraud precautions, this could be legitimate, but it's probably worth a phone call to the customer's US phone number to confirm. Redwood City, Ca. based Quova Inc. offers a service similar to the one described above. Instead of performing a real time traceroute check (which can take 20 or 30 seconds) they have compiled a database of IP addresses and countries of origin.

Bad Customer Databases: Bad customer databases tend to be somewhat controversial but it is not uncommon to find them being used by some of the largest merchants in the US (both online as well as traditional). Basically, a bad customer database is a database of credit card numbers that have been in some way involved in a fraud being committed against a merchant. An informal consortium of merchants then shares that information with one another so that someone who hits one merchant can't also hit another merchant using the shared database. This tends to put an end to many of the Cardholder Fraud type of incidents.

Zip Code Mapping: Often you will discover certain zip codes produce fraud rates that are significantly different than your norms. You may wish to apply more rigorous fraud prevention standards to orders being billed or shipped to addresses within zip code areas statistically more prone to credit card fraud. Keep in mind that professional criminals are aware of this fraud prevention technique and will often offer address information which attempts to bypass this.

Sanity Checks: Certain data sets normally have a natural relationship to other data sets and you may want to consider investing in performing these sanity checks. For instance, a billing address with a zip code of 90405 (Santa Monica, Ca.) normally should have a contact phone number associated with it that is in the 310, 213, 323, 818 or 562 area code. If a customer presents a billing address in Santa Monica and a telephone number in an area code that does not correspond (for example 212, New York City, NY), the order should raise some suspicions. Many vendors sell zip code and area code databases, or you can subscribe to services that will provide the information to you.

Fraud Reviews: If fraud starts to become a problem for your business, someone should be assigned the task of reviewing fraudulent transactions with the goal of identifying where the criminals are slipping through the cracks. This may require extensive data mining experience in order to uncover trends that may not seem obvious but the results often far outweigh any additional cost. Criminals do nothing but think of ways to get over on you and if you have become a target, you should commit at least an equal level of resources at stopping them.

 

Summary

Every merchant has to worry about online credit card fraud. Some merchants sell high value items and can tolerate few losses while other merchants may sell items like downloadable software which costs the merchant nothing in the event of fraud but may result in the termination of their merchant account if they incur too many fraudulent transactions. One of the most important factors in controlling fraud is understanding the customer and implementing security measures that can adapt to the level of risk in a transaction. The better you get at understanding your customers, the better you will become at identifying and controlling fraud.

If you would like to see how Window Six can help your company with controlling fraud or in other areas involving internet and wireless technologies, please contact us.

©2003 Window Six LLC