<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:creativeCommons="http://backend.userland.com/creativeCommonsRssModule" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0"><channel><title>Fraud Intel Forum</title><link>http://www.ethoca.com/fraud-intel/</link><description>RSS feeds for </description><ttl>60</ttl><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/fraud-intel" /><feedburner:info uri="fraud-intel" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><creativeCommons:license>http://creativecommons.org/licenses/by-nc-sa/3.0/</creativeCommons:license><image><link>http://creativecommons.org/licenses/by-nc-sa/3.0/</link><url>http://creativecommons.org/images/public/somerights20.gif</url><title>Some Rights Reserved</title></image><feedburner:emailServiceId>fraud-intel</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><item><comments>http://www.ethoca.com/fraud-intel/bid/53691/Seeing-Data-from-the-Sony-Epsilon-or-Other-Data-Breaches#Comments</comments><slash:comments>0</slash:comments><title>Seeing Data from the Sony, Epsilon, or Other Data Breaches?</title><link>http://feedproxy.google.com/~r/fraud-intel/~3/WpohJOVYHPE/Seeing-Data-from-the-Sony-Epsilon-or-Other-Data-Breaches</link><description>&lt;table id="caption" style="width: 160px;" border="0" align="right"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;img src="http://www.ethoca.com/Portals/31166/images/security-gal-160.jpg" border="0" alt="fraud risk" /&gt;
&lt;p&gt;The pros will use the data from the latest massive database breaches. And, in a sense, merchants should too -- by &lt;a href="http://www.ethoca.com/fraudstop/" title="participating" target="_self"&gt;participating&lt;/a&gt; in the PCI Certified service from Ethoca that compiles fraud information for National Cyber-Forensics &amp;amp; Training Alliance (NCFTA) analysis.&lt;/p&gt;
&lt;p&gt;&lt;a href="http://www.ethoca.com/fraudstop/" target="_self"&gt;&lt;img src="http://www.ethoca.com/Portals/31166/images/enrollnowgreen.gif" border="0" alt="fraud risk" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;em&gt;&lt;span style="color: #888888;"&gt;Stay up to date: follow Ethoca at &lt;a href="http://twitter.com/ethocanews" title="@ethocanews" target="_blank"&gt;@ethocanews&lt;/a&gt;&lt;/span&gt;&lt;/em&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;&lt;em&gt;&lt;strong&gt;Protecting merchants from today&amp;rsquo;s fraud risks requires today's most advanced fraud screening. Here's how to do it.&lt;br /&gt;&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;There have been so many thefts of payment card numbers that retailers have to consider every credit and debit card number suspect, says &lt;a href="http://www.forrester.com/rb/analyst/jonathan_penn" title="Jonathan Penn" target="_self"&gt;Jonathan Penn&lt;/a&gt;, an analyst at Forrester Research Inc. Penn is quoted in a recent article by Don Davis in &lt;a href="http://www.internetretailer.com/2011/05/03/sony-data-breaches-highlight-fraud-risks-online-retailers" title="Internet Retailer" target="_self"&gt;Internet Retailer&lt;/a&gt;. Davis writes,&lt;/p&gt;
&lt;p&gt;"'There are new incidents we learn about every week, and there are many others we don&amp;rsquo;t learn about,' Penn says. 'Anything could be compromised at this point.' Penn says retailers should avail themselves of the latest fraud-fighting techniques that vendors are offering. As examples, he pointed to Ethoca, which aggregates data about fraud from many retailers...."&lt;/p&gt;
&lt;p&gt;Penn hit the nail on the head. The pros will use this data. And, in a sense, merchants should too -- by &lt;a href="http://www.ethoca.com/fraudstop/" title="participating in the effort" target="_self"&gt;participating in the effort&lt;/a&gt; to compile fraud information for National Cyber-Forensics &amp;amp; Training Alliance (NCFTA) analysis.&lt;/p&gt;
&lt;p&gt;Done the right way, &lt;a href="fraud-intel/bid/42616/Data-Sharing-Without-Sharing-Data-Now-That-s-Collaboration" title="sharing credit card transaction data" target="_self"&gt;sharing credit card transaction data&lt;/a&gt; is not only consistent with consumers&amp;rsquo; interests &amp;ndash; it improves consumer protection from fraud activity. In fact, &lt;a href="fraudstop/" title="stopping ecommerce fraud" target="_self"&gt;stopping ecommerce fraud&lt;/a&gt; benefits the whole ecommerce ecosystem &amp;ndash; consumers, merchants, issuers, and other parties. Doing it requires innovative use of shared data.&lt;/p&gt;
&lt;p&gt;Ethoca's fast, secure communications hub enables organizations to reduce their own fraud losses &lt;em&gt;and&lt;/em&gt; contribute to catching fraudsters. Something no other anti-fraud tool does. And something that's urgently needed now.&lt;/p&gt;
&lt;p&gt;As Davis reported in a January 2011 &lt;a href="http://www.internetretailer.com/2011/01/27/criminals-dont-stop-one-web-merchant-when-using-stolen-cards" title="article" target="_self"&gt;article&lt;/a&gt; on Ethoca's &lt;a href="crosstalk/" title="Crosstalk" target="_self"&gt;Crosstalk&lt;/a&gt; report, a criminal armed with a stolen credit card is likely to use it to &lt;a href="news/bid/49271/Ethoca-Study-Shows-Patterns-in-Online-Payment-Fraud-Attack-Speed-and-Cross-Industry-Targeting" title="make  fraudulent purchases" target="_self"&gt;make fraudulent purchases&lt;/a&gt; at more than one web merchant.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&amp;ldquo;Our research shows not only the importance of sharing data, but how &lt;em&gt;quickly&lt;/em&gt; it needs to be shared in order to be effective, and what kind of difference it makes to share it across industries,&amp;rdquo; said report &lt;a href="crosstalk/" title="co-author Daniele  Micci-Barreca" target="_self"&gt;co-author Daniele Micci-Barreca&lt;/a&gt;, a principal at consulting firm Elite Analytics.&lt;/p&gt;
&lt;p&gt;That's why merchants who share data should do so in real-time or near real-time. With speed, digital goods and services can be shut down before fraudsters are able to get or use them.&lt;/p&gt;
&lt;p&gt;Using Ethoca's platform, member organizations can compare confirmed fraud information to increase fraud detection. The NCFTA will analyze compiled data for fraud trends and links between cases. As NCFTA VP of Technology and Tactical Operations Ken Blotteaux said last month, &amp;ldquo;Ethoca&amp;rsquo;s PCI Certified technology enables secure collaboration to develop confirmed fraud intelligence.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;For your own sake and the sake of consumers, join in the secure collaboration to &lt;a href="http://www.ethoca.com/fraudstop/" title="secure collaboration to stop ecommerce fraud &amp;raquo;" target="_self"&gt;stop ecommerce fraud &amp;raquo;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="http://www.ethoca.com/fraudstop/" target="_self"&gt;&lt;img src="http://www.ethoca.com/Portals/31166/images/enrollnowgreen.gif" border="0" alt="fraud risks" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Note: stay up to date -- follow Ethoca at &lt;a href="http://twitter.com/ethocanews" title="@ethocanews" target="_blank"&gt;@ethocanews&lt;/a&gt;.&lt;/p&gt;</description><dc:creator>Julie Fergerson</dc:creator><pubDate>Wed, 18 May 2011 17:10:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:53691</guid><feedburner:origLink>http://www.ethoca.com/fraud-intel/bid/53691/Seeing-Data-from-the-Sony-Epsilon-or-Other-Data-Breaches</feedburner:origLink></item><item><comments>http://www.ethoca.com/fraud-intel/bid/53135/New-Guide-Precedents-Best-Practices-for-Ecommerce-Data-Sharing#Comments</comments><slash:comments>0</slash:comments><title>New Guide: Precedents, Best Practices for Ecommerce Data Sharing</title><link>http://feedproxy.google.com/~r/fraud-intel/~3/r3794aGTPsQ/New-Guide-Precedents-Best-Practices-for-Ecommerce-Data-Sharing</link><description>&lt;table id="caption" style="width: 152px;" border="0" cellspacing="0" cellpadding="0" align="right"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;&lt;a href="http://www.ethoca.com/datasharing/" target="_self"&gt;&lt;img src="http://www.ethoca.com/Portals/31166/images/combatfraud1.png" border="0" alt="combat ecommerce fraud" width="250" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;This new guide covers best practices and precedents for sharing ecommerce data to stop payments fraud - the first such guide for Europe, the US and Canada. &lt;a href="http://www.ethoca.com/datasharing/" title="Free 50 page PDF &amp;raquo;" target="_self"&gt;Free PDF &lt;/a&gt;&lt;/span&gt;&lt;a href="http://www.ethoca.com/datasharing/" title="Free 50 page PDF &amp;raquo;" target="_self"&gt;&amp;raquo;&lt;span style="color: #000000;"&gt;&lt;/span&gt;&lt;/a&gt;&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;By Darryl Green&lt;/p&gt;
&lt;p&gt;We've rolled out a new guide -- this one authored by Mike Bradford of Regulatory Strategies -- detailing the &lt;a href="news/bid/53057/Precedents-and-Best-Practices-for-Sharing-Data-to-Stop-Ecommerce-Fraud-Detailed-in-Regulatory-Strategies-Guide-for-Europe-US-Canada" title="Precedents and Best Practices for Sharing Data to Stop Ecommerce Fraud Detailed in Regulatory Strategies Guide for Europe, US, Canada" target="_self"&gt;precedents and best practices for sharing data to stop ecommerce fraud.&lt;/a&gt; I think the top takeaway from it is that it's high time for ecommerce to catch up to other industries on data sharing.&lt;/p&gt;
&lt;p&gt;As Mike points out in this first-of-its-kind report, there is a strong public interest argument for data sharing. Done the right way, &lt;a href="http://www.ethoca.com/fraud-intel/bid/42616/Data-Sharing-Without-Sharing-Data-Now-That-s-Collaboration" title="sharing credit card transaction data" target="_self"&gt;sharing credit card transaction data&lt;/a&gt; is not only consistent with consumers&amp;rsquo; interests &amp;ndash; it improves consumer protection from fraud activity.&lt;/p&gt;
&lt;p&gt;Indeed, &lt;a href="http://www.ethoca.com/fraudstop/" title="stopping ecommerce fraud" target="_self"&gt;stopping ecommerce fraud&lt;/a&gt; benefits the whole ecommerce ecosystem &amp;ndash; consumers, merchants, issuers, and other parties.&amp;nbsp; Doing it requires innovative use of shared data.&lt;/p&gt;
&lt;p&gt;Take Ethoca&amp;rsquo;s &lt;a href="http://www.ethoca.com/alerts-merchants/" title="Issuer Confirmed Fraud Alerts" target="_self"&gt;Issuer Confirmed Fraud Alerts&amp;trade;&lt;/a&gt; service for example: leveraging shared data, Fraud Alerts&amp;trade; automatically delivers confirmed and canceled fraud alerts from issuers to merchants in real time. Months after its debut, users included over 100 of the world&amp;rsquo;s top internet retailers by volume. It's probably stopping fraud right now, today, that would have resulted in fraud losses. (One user &lt;a href="http://www.ethoca.com/company/reviews/" title="wrote to us" target="_self"&gt;wrote to us&lt;/a&gt; that, at his company, it has &amp;ldquo;assisted us in preventing losses on 40% of the activity that was not caught by our fraud screening system.&amp;rdquo;)&lt;/p&gt;
&lt;p&gt;Ethoca is keenly aware of the need to keep fraud data private and secure while fighting fraud. As experts at &lt;a href="http://www.ethoca.com/services/" title="fraud detection involving card-not-present transactions" target="_self"&gt;fraud detection involving card-not-present transactions&lt;/a&gt;, we ask our partners, members and, ultimately, consumers to trust us with their credit card transaction data. We feel a grave &lt;a href="http://www.ethoca.com/fraud-intel/bid/36942/Collaborative-Fraud-Prevention-Is-the-Future-and-Trust-Is-Key" title="responsibility to uphold that trust" target="_self"&gt;responsibility to uphold that trust&lt;/a&gt;, and a commitment to privacy lives in every employee of Ethoca; and it is deeply ingrained in the culture of our organization.&lt;/p&gt;
&lt;p&gt;The tension between innovation and regulation is particularly evident in privacy and data protection regulations &amp;ndash; a key topic of this report. Mike has done a spectacular job in summarizing the global regulatory environment for sharing data and proposing a simplified means of navigating the complexities that arise from trans-jurisdictional compliance.&lt;/p&gt;
&lt;p&gt;As discussed here in the Fraud Intel forum, fraudsters figure out how to &lt;a href="http://www.ethoca.com/fraud-intel/bid/42852/Ecommerce-Payment-Fraud-Prevention-Looking-for-the-Great-Leap-Forward" title="circumvent conventional fraud prevention" target="_self"&gt;circumvent conventional fraud prevention&lt;/a&gt; tools as they reach mass adoption. But an approach built on data sharing performs &lt;em&gt;better&lt;/em&gt; over time, due to a network effect. This network effect is a powerful anti-fraud weapon for both merchants and consumers &amp;ndash; and, as Mike discusses here, it has been at work for years in other industries. Ethoca just &lt;a href="http://www.ethoca.com/company/" title="brought it to ecommerce" target="_self"&gt;brought it to ecommerce&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;--&lt;/p&gt;
&lt;p&gt;Darryl Green is Chief Governance Officer at Ethoca and a co-founder. &lt;a href="http://www.ethoca.com/team/" title="More &amp;raquo;" target="_self"&gt;&lt;strong&gt;More &amp;raquo;&lt;/strong&gt;&lt;/a&gt;&lt;/p&gt;</description><dc:creator>Ethoca Technologies</dc:creator><pubDate>Fri, 29 Apr 2011 13:00:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:53135</guid><feedburner:origLink>http://www.ethoca.com/fraud-intel/bid/53135/New-Guide-Precedents-Best-Practices-for-Ecommerce-Data-Sharing</feedburner:origLink></item><item><comments>http://www.ethoca.com/fraud-intel/bid/49244/Online-Credit-Card-Fraud-Across-Merchants-Happens-More-Than-You-Might-Think#Comments</comments><slash:comments>1</slash:comments><title>Online Credit Card Fraud Across Merchants Happens More Than You Might Think</title><link>http://feedproxy.google.com/~r/fraud-intel/~3/4-neRtHN-kI/Online-Credit-Card-Fraud-Across-Merchants-Happens-More-Than-You-Might-Think</link><description>&lt;table id="caption" border="0" width="353" height="339" align="right"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;a href="http://www.ethoca.com/crosstalk/" target="_self"&gt;&lt;img src="http://www.ethoca.com/Portals/31166/images/AttacksAcrossMerchants334.png" border="0" alt="AttacksAcrossMerchants334" /&gt;&lt;/a&gt;&lt;br /&gt;In 10% of the 25,188 cases of confirmed fraud that Ethoca studied, a single credit card was used to commit fraud at more than one merchant.*&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;I just finished work on a new report called &amp;ldquo;&lt;a title="Fraud Attacks Cross Industries" href="http://www.ethoca.com/crosstalk/" target="_self"&gt;Fraud Attacks Cross Industries&lt;/a&gt;,&amp;rdquo; co-authored with Dr. Daniele Micci-Barreca, a principal at Elite Analytics and an expert in fraud detection applications of pattern recognition and data mining technologies.&lt;/p&gt;
&lt;p&gt;Daniele and I collaborated to find out, among other things, how frequently fraudsters attack more than one online merchant using the same stolen credit card. We looked at thousands of cases of confirmed fraud involving 95 merchants that represent 61% of the &lt;a title="top 500 Internet merchants" href="http://www.top500guide.com" target="_blank"&gt;top 500 Internet merchants&lt;/a&gt; (as measured by revenue and as defined by Internet Retailer).&lt;/p&gt;
&lt;p&gt;I'll talk about the findings in a &lt;a title="Feb. 22 webinar" href="http://www.ethoca.com/resources/events/webinar-2-22-2011/" target="_self"&gt;Feb. 22 webinar&lt;/a&gt;. Meantime, here's one example of what turned up:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;In 10% of the cases studied, a single credit card was used to commit fraud at more than one merchant. In other words, one in ten of the credit card numbers that appeared in the dataset had transactions at more than one merchant in the study.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Translation: it's common for fraudsters to hit multiple ecommerce sites.&lt;/p&gt;
&lt;p&gt;This finding is significant because traditionally every stakeholder in a card-not-present transaction has tried -- on their own and with incomplete information -- to distinguish between legitimate and fraudulent purchases. But given how common it is for fraudsters to hit multiple ecommerce sites, it's clear that Rambo-style fraud management won't work as well as collaborative fraud management.&lt;/p&gt;
&lt;h4&gt;Tip of the iceberg&lt;/h4&gt;
&lt;p&gt;*NOTE: I think what we observed is the tip of the iceberg. We only looked at one slice of data:&amp;nbsp;merchants enrolled in Ethoca's &lt;a title="Fraud Alerts" href="http://www.ethoca.com/alerts-merchants/" target="_self"&gt;Fraud Alerts&lt;/a&gt; program, and, of those, only credit card numbers - no other data elements.&lt;/p&gt;
&lt;p&gt;It is likely that merchants not participating in Ethoca&amp;rsquo;s program also experienced attacks from the same fraudsters, which would increase the estimates. And, if we matched by additional data elements, like shipping addresses, phone numbers, email addresses, or IP addresses, we would likely find more cases of a single fraudster hitting multiple merchants.&lt;/p&gt;
&lt;h4&gt;At least you're not alone&lt;/h4&gt;
&lt;p&gt;It's tough to look at how these fraudsters behave and not feel resigned to a certain level of fraud losses. But if merchants collaborate with each other, &lt;a title="with banks" href="http://www.ethoca.com/alerts-issuer/" target="_self"&gt;with banks&lt;/a&gt;, and &lt;a title="with PSPs" href="http://www.ethoca.com/partnering/" target="_self"&gt;with PSPs&lt;/a&gt; we can shrink losses and reduce fraud. I still believe collaboration is the only &lt;a title="fraud prevention tool that increases in effectiveness" href="http://www.ethoca.com/fraud-intel/bid/42852/Ecommerce-Payment-Fraud-Prevention-Looking-for-the-Great-Leap-Forward" target="_self"&gt;fraud prevention tool that increases in effectiveness&lt;/a&gt; over time &amp;ndash; the only one the crooks cannot compromise. It is common practice in other industries, and we need to look at the lessons learned by banks in fighting fraud.&lt;/p&gt;
&lt;p&gt;&lt;a title="Report info &amp;nbsp;" href="http://www.ethoca.com/crosstalk/" target="_self"&gt;Get report&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a title="Webinar info" href="http://www.ethoca.com/resources/events/webinar-2-22-2011/" target="_self"&gt;Webinar sign up&lt;/a&gt;&lt;/p&gt;</description><dc:creator>Julie Fergerson</dc:creator><pubDate>Fri, 28 Jan 2011 16:18:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:49244</guid><feedburner:origLink>http://www.ethoca.com/fraud-intel/bid/49244/Online-Credit-Card-Fraud-Across-Merchants-Happens-More-Than-You-Might-Think</feedburner:origLink></item><item><comments>http://www.ethoca.com/fraud-intel/bid/49031/A-Whirlwind-Year-Collaborative-Fraud-Management-in-2010#Comments</comments><slash:comments>0</slash:comments><title>A Whirlwind Year: Collaborative Fraud Management in 2010</title><link>http://feedproxy.google.com/~r/fraud-intel/~3/aYrhS7Zcrto/A-Whirlwind-Year-Collaborative-Fraud-Management-in-2010</link><description>&lt;table id="caption" style="width: 250px;" border="0" cellspacing="0" cellpadding="0" align="right"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;img src="http://www.ethoca.com/Portals/31166/images/speed-of-business-250wide.jpg" border="0" alt="ecommerce fraud management" /&gt; The collaborative fraud management approach performs better over time due to a &lt;a href="http://www.ethoca.com/fraud-intel/bid/47329/Savvy-Etailers-Thrive-Despite-Devious-Fraud-Schemes" title="network effect" target="_self"&gt;network effect&lt;/a&gt;. This network effect got stronger in 2010 and is picking up speed.&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;&lt;em&gt;By Steve Frook&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;2010 was a whirlwind year. A few weeks ago, the Issuer Confirmed Fraud Alerts&amp;trade; service was nominated by users for the &lt;a href="https://www.merchantriskcouncil.org/index.cfm?fuseaction=Page.ViewPage&amp;amp;PageID=721" title="Merchant Risk Council's METAward" target="_blank"&gt;Merchant Risk Council's METAward&lt;/a&gt; for the best new innovation in fraud prevention in 2010. And just before that, Ethoca was named one of the 25 most innovative Canadian companies! Most importantly, participants in the Ethoca network collaborated to &lt;a href="http://www.ethoca.com/alerts/" title="catch ecommerce fraud" target="_self"&gt;catch ecommerce fraud&lt;/a&gt; that they&amp;rsquo;d otherwise never have caught.&lt;/p&gt;
&lt;h4&gt;Fraud Intel articles that struck a chord&lt;/h4&gt;
&lt;p&gt;Looking at year-end stats, it seems the three most popular pieces we published here in 2010 were:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="http://www.ethoca.com/fraud-intel/bid/36951/Fear-of-Online-Credit-Card-Fraud-Shrinks-Pool-of-Good-Customers" title="Fear of Online Credit Card Fraud Shrinks Pool of Good      Customers" target="_self"&gt;Fear of Online Credit Card Fraud Shrinks Pool of Good Customers&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.ethoca.com/fraud-intel/bid/23562/When-Fraud-Detection-Technology-Does-the-Wrong-Thing" title="When Fraud Detection Technology Does the Wrong Thing" target="_self"&gt;When Fraud Detection Technology Does the Wrong Thing&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.ethoca.com/fraud-intel/bid/25759/2010-Merchant-Risk-Council-MRC-Annual-Conference-Observations" title="2010 Merchant Risk Council Conference Observations" target="_self"&gt;2010 Merchant Risk Council Conference Observations&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Some others that struck a chord: Keegan&amp;rsquo;s articles on the &lt;a href="http://www.ethoca.com/fraud-intel/bid/42175/3D-Secure-Does-it-Make-e-Commerce-Any-Safer" title="pros and cons of 3D Secure" target="_self"&gt;pros and cons of 3D Secure&lt;/a&gt;; Julie&amp;rsquo;s piece on how &lt;a href="http://www.ethoca.com/fraud-intel/bid/42852/e-Commerce-Payment-Fraud-Prevention-Looking-for-the-Great-Leap-Forward" title="fraud prevention tactics get less effective" target="_self"&gt;fraud prevention tactics get less effective&lt;/a&gt; with widespread adoption; and Darryl&amp;rsquo;s discussion of the difference between &lt;a href="http://www.ethoca.com/fraud-intel/bid/36942/Collaborative-Fraud-Prevention-Is-the-Future-and-Trust-Is-Key" title="following the law and earning trust" target="_self"&gt;following the law and earning trust&lt;/a&gt;.&lt;/p&gt;
&lt;h4&gt;Expansion&lt;/h4&gt;
&lt;p&gt;In March we rolled out the Ethoca360 &lt;a href="http://www.ethoca.com/eCheck/" title="eCheck" target="_self"&gt;eCheck&lt;/a&gt; Fraud Solution&amp;trade;; introduced the Ethoca360 &lt;a href="http://www.ethoca.com/signals/" title="Signals" target="_self"&gt;Signals&lt;/a&gt;&amp;trade; card-not-present fraud service; and launched the Ethoca360 SE data-driven fraud prevention service. Then over the summer, we started 96 companies on the &lt;a href="http://www.ethoca.com/alerts-merchants/" title="Alerts" target="_self"&gt;Alerts&lt;/a&gt; service. Among the users are 10 of the world's top airlines, 25 top retail chains, 10 of the world's top etailers, the top 2 hardware retailers, the leading digital goods sellers, 4 of the world's largest computer companies, the 2 largest online dating companies, the biggest alternative payments providers, and 10 of the leading consumer electronics retailers. Today, 17 of the top 20 etailers ranked by &lt;em&gt;Internet Retailer&lt;/em&gt; magazine are using this system. And in August, we landed Julie Fergerson as Ethoca&amp;rsquo;s VP of Emerging Technologies.&lt;/p&gt;
&lt;h4&gt;Honing the business case for collaborative fraud management&lt;/h4&gt;
&lt;p&gt;Discussions with users, at industry conferences, and with analysts and reporters helped to hone the business &lt;a href="http://www.ethoca.com/fraud-intel/bid/42616/Data-Sharing-Without-Sharing-Data-Now-That-s-Collaboration" title="case for collaborative fraud management" target="_self"&gt;case for collaborative fraud management&lt;/a&gt;. Keegan presented on it to top online retailers at the Merchant Risk Council Semi-Annual Platinum Meeting in September. Andre discussed data sharing at the &lt;a href="https://www.merchantriskcouncil.org/index.cfm?fuseaction=Feature.showFeature&amp;amp;FeatureID=144" title="MRC" target="_blank"&gt;MRC&lt;/a&gt;&amp;rsquo;s European e-Commerce Payments and Risk Conference. They both spoke with card issuers in October about the &lt;a href="http://www.ethoca.com/alerts-issuer/" title="benefits banks can receive" target="_self"&gt;benefits banks can receive&lt;/a&gt; from collaboration. And at &lt;a href="http://www.airlineinformation.org/AI_conferences/ATPS2010/index.html" title="Airline &amp;amp; Travel Payments Summit 2010" target="_blank"&gt;ATPS 2010&lt;/a&gt;, Julie presented on data sharing, and fielded questions from fraud managers at the world's top airlines. Along the way, Ethoca helped Infosecurity, Internet Retailer, MSNBC, Nilson Report, and Pymnts.com with &lt;a href="http://www.ethoca.com/buzz/" title="media coverage" target="_self"&gt;media coverage&lt;/a&gt; of online payments fraud during 2010.&lt;/p&gt;
&lt;h4&gt;&lt;strong&gt;Thank you!&lt;/strong&gt;&lt;/h4&gt;
&lt;p&gt;Thanks for following Fraud Intel. Watch this space for new pieces on CNP fraud prevention and please chime in!&lt;/p&gt;
&lt;p&gt;&lt;a href="http://feedburner.google.com/fb/a/mailverify?uri=fraud-intel&amp;amp;loc=en_US" title="email updates" target="_blank"&gt;Receive new blog articles&lt;/a&gt;&lt;br /&gt; &lt;a href="http://www.linkedin.com/company/ethoca-limited" title="Follow on LinkedIn" target="_blank"&gt;Follow on LinkedIn&lt;/a&gt;&lt;br /&gt; &lt;a href="http://feedburner.google.com/fb/a/mailverify?uri=EthocaNewsReleases&amp;amp;loc=en_US"&gt;Receive news releases&lt;/a&gt;&lt;/p&gt;</description><dc:creator>Ethoca Technologies</dc:creator><pubDate>Sun, 23 Jan 2011 11:00:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:49031</guid><feedburner:origLink>http://www.ethoca.com/fraud-intel/bid/49031/A-Whirlwind-Year-Collaborative-Fraud-Management-in-2010</feedburner:origLink></item><item><comments>http://www.ethoca.com/fraud-intel/bid/47666/Online-Payment-Fraud-Attack-Speed-and-Cross-Industry-Targeting#Comments</comments><slash:comments>0</slash:comments><title>Online Payment Fraud - Attack Speed and Cross Industry Targeting</title><link>http://feedproxy.google.com/~r/fraud-intel/~3/mg8loNNmFjA/Online-Payment-Fraud-Attack-Speed-and-Cross-Industry-Targeting</link><description>&lt;table id="caption" style="width: 250px;" border="0" cellspacing="0" cellpadding="0" align="right"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;a href="http://www.ethoca.com/fraud-detection-services/issuer-merchant-collaboration/" target="_self"&gt;&lt;img src="http://www.ethoca.com/Portals/31166/images/fraudster-gamplan.jpg" border="0" alt="online payment fraud" width="250" /&gt;&lt;/a&gt; When attacking more than one company, crooks complete all their attacks 86% of the time in less than 24 hours. Also, crooks don&amp;rsquo;t stick to just one industry. We saw crooks who targeted airlines also try to buy from computer electronics retailers and apparel retailers on the same day. &lt;a href="http://feedburner.google.com/fb/a/mailverify?uri=fraud-intel&amp;amp;loc=en_US"&gt;Subscribe today&lt;/a&gt; so you get an email when the next report comes out.&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h4&gt;Coming soon: new report on patterns identified in 25,000 confirmed fraud cases&lt;/h4&gt;
&lt;p&gt;Ethoca&amp;rsquo;s &lt;a title="Issuer Confirmed Fraud Alerts" href="http://www.ethoca.com/fraud-detection-services/issuer-merchant-collaboration/" target="_self"&gt;Issuer Confirmed Fraud Alerts&lt;/a&gt; achieved great adoption by eCommerce retailers in Q4. Our customer base now represents 61% of all eCommerce retail transactions (as ranked by &lt;em&gt;&lt;a title="Internet Retailer" href="http://www.internetretailer.com/top500/list/" target="_blank"&gt;Internet Retailer&lt;/a&gt;&lt;/em&gt;).&lt;/p&gt;
&lt;p&gt;Now that we have insight into so many confirmed fraud cases --&amp;nbsp; over 25,000 in just the past 3 months -- we are able to analyze what the criminals are up to and strengthen our &lt;a title="fraud detection systems" href="http://www.ethoca.com/fraud-detection-services/" target="_self"&gt;fraud detection systems&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Soon we'll publish a new report with observations and analysis of the criminal activities. Here is a preview:&lt;/p&gt;
&lt;h4&gt;Attack speed&lt;/h4&gt;
&lt;p&gt;Observation: When attacking more than one company, crooks complete all their attacks 86% of the time in less than 24 hours.&lt;/p&gt;
&lt;p&gt;Takeaway: That means fraud prevention tools, data sharing, and any scrubbing that is done must be &lt;a title="real-time" href="http://www.ethoca.com/fraud-detection-services/issuer-merchant-collaboration/merchants/" target="_self"&gt;real-time&lt;/a&gt; or near real-time to catch the crooks' activities.&lt;/p&gt;
&lt;h4&gt;Cross-industry targeting&lt;/h4&gt;
&lt;p&gt;Observation: Crooks don&amp;rsquo;t stick to just one industry. We saw crooks who visited airlines on the same day also attempt to purchase from computer electronics retailers and apparel retailers.&lt;/p&gt;
&lt;p&gt;Takeaway: So data sharing in a given industry is helpful, but surprisingly, the crook was more likely to go to other industries than to target attacks in the same industry.&lt;/p&gt;
&lt;h4&gt;Stay tuned - new report on the way&lt;/h4&gt;
&lt;p&gt;Look for our announcement about our research in the coming months.&amp;nbsp;We will provide links to &lt;a title="subscribers" href="http://feedburner.google.com/fb/a/mailverify?uri=fraud-intel&amp;amp;loc=en_US" target="_self"&gt;subscribers&lt;/a&gt; to access the new report as soon as it is available. Meantime, happy New Year!&lt;/p&gt;
&lt;p&gt;Questions or comments? Please post below.&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/fraud-intel/~4/mg8loNNmFjA" height="1" width="1"/&gt;</description><dc:creator>Julie Fergerson</dc:creator><pubDate>Thu, 30 Dec 2010 19:44:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:47666</guid><feedburner:origLink>http://www.ethoca.com/fraud-intel/bid/47666/Online-Payment-Fraud-Attack-Speed-and-Cross-Industry-Targeting</feedburner:origLink></item><item><comments>http://www.ethoca.com/fraud-intel/bid/47329/Savvy-Etailers-Thrive-Despite-Devious-Fraud-Schemes#Comments</comments><slash:comments>0</slash:comments><title>Savvy Etailers Thrive Despite Devious Fraud Schemes</title><link>http://feedproxy.google.com/~r/fraud-intel/~3/Zt6ogjvnwsY/Savvy-Etailers-Thrive-Despite-Devious-Fraud-Schemes</link><description>&lt;table id="caption" style="width: 250px;" border="0" cellspacing="0" cellpadding="0" align="right"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;a href="http://www.ethoca.com/fraud-detection-services/issuer-merchant-collaboration/" target="_self"&gt;&lt;img src="http://www.ethoca.com/Portals/31166/images/OnlineShoppingFraud-GoodNews-250px.jpg" border="0" alt="online shopping fraud" width="250" /&gt;&lt;/a&gt; Good news: Online consumers are spending about 12 percent more this holiday season than last. Bad news: Cybergangs are active too. Now is the time to invest in innovative card fraud detection and prevention.&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;As part of a team working to &lt;a title="stop online shopping fraud" href="fraud-intel/bid/44060/Merchant-Risk-Council-Platinum-Meeting-Day-2-Recap" target="_self"&gt;stop online shopping fraud&lt;/a&gt;, I tend to focus on the bad things fraudsters do to online merchants and banks. Today let's talk about some good news, and look at why 2011 may be the year for a great leap forward in CNP fraud management.&lt;/p&gt;
&lt;h4&gt;$1 Billion spent online at least one day this week&lt;/h4&gt;
&lt;p&gt;Consumers are spending around $1 billion online at least one day this week, according to a &lt;a title="story" href="http://www.internetretailer.com/2010/12/13/online-holiday-sales-growth-holds-steady-12" target="_blank"&gt;story&lt;/a&gt; in &lt;em&gt;Internet Retailer&lt;/em&gt;. More shoppers visited stores and websites over the Black Friday weekend -- and spent more -- this year than they did in 2009, according to a &lt;a title="National Retail Federation" href="http://www.nrf.com/modules.php?name=News&amp;amp;op=viewlive&amp;amp;sp_id=1043" target="_blank"&gt;National Retail Federation&lt;/a&gt; survey. This year 212 million shoppers took part, up from 195 million last year. And the average shopper spent $365.34, up from last year&amp;rsquo;s $343.31. Total spending reached an estimated $45.0 billion. Department stores and clothing stores saw gains, while discounters saw a slight decline in sales.&lt;/p&gt;
&lt;h4&gt;Online spending holding steady at about 12 percent&lt;/h4&gt;
&lt;p&gt;&amp;ldquo;Americans continue to demonstrate a significantly greater willingness to spend online this year than in seasons past,&amp;rdquo; comScore chairman Gian Fulgoni told &lt;em&gt;Internet Retailer&lt;/em&gt;.&lt;/p&gt;
&lt;p&gt;On Cyber Monday, online sales were &lt;a title="up 19.4 percent" href="http://www.coremetrics.com/company/2010/pr11-30-10-cyber-monday-online-spending.php" target="_self"&gt;up 19.4 percent&lt;/a&gt;, with consumers boosting the average order value from $180.03 to $194.89, an increase of 8.3 percent. ComScore reported $11.64 billion in U.S. retail e-commerce spending for the first 26 days of the November&amp;ndash;December 2010 holiday season. That&amp;rsquo;s &lt;a title="up 13 percent" href="http://comscore.com/index.php/Press_Events/Press_Releases/2010/11/Black_Friday_Boasts_648_Million_in_U.S._Online_Holiday_Spending/%28language%29/eng-US" target="_blank"&gt;up 13 percent&lt;/a&gt; from the same period last year.&lt;/p&gt;
&lt;p&gt;Even Thanksgiving Day -- traditionally a lighter day for online holiday shopping -- saw a 28-percent increase to $407 million.&lt;/p&gt;
&lt;h4&gt;But popular retail sites attract cybergangs too&lt;/h4&gt;
&lt;p&gt;Unfortunately, fraudsters are visiting popular retail sites, too. Sophisticated fraud systems deter the vast majority of attempted fraud, but cybergangs are always inventing new &lt;a title="increasingly devious card fraud schemes" href="fraud-intel/bid/42890/Who-Pays-for-All-the-Card-Fraud-That-You-Don-t-You-Do" target="_self"&gt;card fraud schemes&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;A few months ago, police in the UK arrested a pair of teenagers linked to a massive &lt;a title="cybercrook forum" href="http://www.finextra.com/news/fullstory.aspx?newsitemid=21532" target="_blank"&gt;cybercrook forum&lt;/a&gt;. The eight-month investigation dug deep into a global Web forum with almost 8,000 members. The police found 29 forum topics about such things as phishing kits, tutorials and sites that have been carded. The fraudsters were buying and selling passwords and PINs, exchanging malware and sharing advice on how to avoid detection. Police recovered more than 65,000 compromised credit card numbers.&lt;/p&gt;
&lt;h4&gt;2011: the Year of Collaboration&lt;/h4&gt;
&lt;p&gt;If fraudsters are collaborating to steal from issuers and merchants, issuers and merchants need to synch up to thwart them. With the proper protocols in place, collaboration enables issuers and merchants to benefit from one another's transaction experiences while &lt;a title="not sharing the data" href="http://www.ethoca.com/fraud-intel/bid/42616/Data-Sharing-Without-Sharing-Data-Now-That-s-Collaboration" target="_self"&gt;not sharing the data&lt;/a&gt; itself. Merchants stop more fraud losses, card issuers slash fraud management costs, and consumers have a safer environment in which to shop.&lt;/p&gt;
&lt;p&gt;That's why I'm looking forward to 2011, when issuers, merchants, and other stakeholders can make a &lt;a title="leap forward" href="fraud-intel/bid/42852/e-Commerce-Payment-Fraud-Prevention-Looking-for-the-Great-Leap-Forward" target="_self"&gt;big leap forward&lt;/a&gt; in collaborative fraud prevention.&lt;/p&gt;
&lt;h4&gt;Learn more&lt;/h4&gt;
&lt;p&gt;See how Ethoca enables &lt;a title="real-time collaboration" href="fraud-detection-services/issuer-merchant-collaboration/" target="_self"&gt;real-time collaboration&lt;/a&gt; between card issuers and online retailers, and download a PDF with our top six &lt;a title="anti-fraud tips" href="anti-fraud-tips/" target="_self"&gt;anti-fraud tips&lt;/a&gt; for the holidays.&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/fraud-intel/~4/Zt6ogjvnwsY" height="1" width="1"/&gt;</description><dc:creator>Keegan Johnson</dc:creator><pubDate>Thu, 16 Dec 2010 19:32:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:47329</guid><feedburner:origLink>http://www.ethoca.com/fraud-intel/bid/47329/Savvy-Etailers-Thrive-Despite-Devious-Fraud-Schemes</feedburner:origLink></item><item><comments>http://www.ethoca.com/fraud-intel/bid/46603/Tip-6-Ensure-Anti-Fraud-Rules-are-Multi-Channel#Comments</comments><slash:comments>0</slash:comments><title>Tip 6: Ensure Anti-Fraud Rules are Multi-Channel</title><link>http://feedproxy.google.com/~r/fraud-intel/~3/jN3wR-TX4-Q/Tip-6-Ensure-Anti-Fraud-Rules-are-Multi-Channel</link><description>&lt;table id="caption" border="0" cellspacing="0" cellpadding="0" align="right"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;a href="http://www.ethoca.com/anti-fraud-tips/" target="_self"&gt;&lt;img src="http://www.ethoca.com/Portals/31166/images/Anti-Fraud-Tips.png" border="0" alt="fraud prevention rules" /&gt;&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;&lt;em&gt;In this &lt;a title="6 part series" href="http://www.ethoca.com/fraud-intel/?Tag=Christmas+Top+6+List" target="_blank"&gt;6 part series&lt;/a&gt;, Ethoca offers tips for merchants based on the top fraud trends observed this year.&lt;/em&gt;&lt;/p&gt;
&lt;h4&gt;Getting multi-channel right&lt;/h4&gt;
&lt;p&gt;The big trend among retailers is to go multi-channel, and criminals are following right on their heels.&lt;/p&gt;
&lt;p&gt;By 2011, the internet will play a role in 45% of all retail sales, according to McKinsey &amp;amp; Company, highlighting the rapid shift of traditional retailers to multi-channel. They project that growth rates at retailers who get multi-channel right will be more than 100 basis points better than those who don't, with larger profit margins resulting. (Source: October 2009 McKinsey Quarterly: &lt;a title="October 2009 McKinsey Quartley: The Promise of Multichannel Retailing" href="http://www.ethoca.com/Default.aspx?app=LeadgenDownload&amp;amp;shortpath=docs%2fthepromiseofmultichannelretailing_mckinseyquarterly_11-05-09.pdf" target="_self"&gt;The Promise of Multichannel Retailing&lt;/a&gt;.)&lt;/p&gt;
&lt;p&gt;The US Census Bureau quarterly reports on eCommerce sales show that while overall retail sales have been falling since even before the recession began (**note: early returns this year indicate that retail is experiencing a &lt;a title="early returns this year indicate that retail is experiencing a big rebound" href="http://www.huffingtonpost.com/scott-gamm/black-friday-results-and-_b_788964.html?view=screen" target="_blank"&gt;big rebound&lt;/a&gt; with sales up across the board, but the largest gains are &lt;a title="largest gains are coming online" href="http://www.bloomberg.com/news/2010-12-01/u-s-cyber-monday-sales-rose-16-surpassing-1-billion-comscore-says.html" target="_blank"&gt;coming online&lt;/a&gt;), online sales have been increasing since the beginning of 2009 &amp;ndash; that is, throughout most of the economic downturn. Those kinds of returns have been driving most traditional retailers to multi-channel sales as fast as they can go, and driving investment in online and MOTO channels in particular.&lt;/p&gt;
&lt;h4&gt;Fraudsters are channel hopping&lt;/h4&gt;
&lt;p&gt;Where the money goes, crime follows, and fraudsters are channel hopping more than ever. And, technology is making it easy. Because of Voice Over IP technology, fraudsters can place orders by telephone just as easily as over the internet. Fraudsters have been seen testing one channel, and then using the other to exploit holes found in fraud detection systems.&lt;/p&gt;
&lt;p&gt;So, once a crook is identified, make sure that your negative lists and link analysis are applied across all channels, and that rules are tuned accordingly to detect fraud wherever it occurs in your stores. And then, make sure the same fraud checks and best practices you have in place for the Internet are applied to your call centers.&lt;/p&gt;
&lt;h4&gt;Top 6 anti-fraud measures for online merchants:&lt;/h4&gt;
&lt;ol&gt;
&lt;li&gt;Be unfriendly to friendly fraud. &lt;a title="&amp;gt;&amp;gt;" href="http://www.ethoca.com/fraud-intel/bid/45791/Christmas-2010-Top-6-Anti-Fraud-Measures-for-Online-Merchants" target="_self"&gt;More &amp;gt;&amp;gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Be careful not to flag repeat customers as suspicious when they don't have a digital fingerprint. &lt;a title="more &amp;gt;&amp;gt;" href="http://www.ethoca.com/fraud-intel/bid/45571/Christmas-2010-Top-6-Anti-Fraud-Measures-for-Online-Merchants" target="_self"&gt;More &amp;gt;&amp;gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Monitor cancelled orders triggered by fraud screens, and the resulting call center complaints, to maximize revenues. &lt;a title="More &amp;gt;&amp;gt;" href="http://www.ethoca.com/fraud-intel/bid/45568/Christmas-2010-Top-6-Anti-Fraud-Measures-for-Online-Merchants" target="_self"&gt;More &amp;gt;&amp;gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Test fraud rules to make sure you are able to catch coupon fraud. &lt;a title="More &amp;gt;&amp;gt;" href="http://www.ethoca.com/fraud-intel/bid/46129/Christmas-2010-Top-6-Anti-Fraud-Measures-for-Online-Merchants" target="_self"&gt;More &amp;gt;&amp;gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Tune fraud screening processes to handle very high AVS mismatch rates resulting from gift cards. &lt;a title="More &amp;gt;&amp;gt;" href="http://www.ethoca.com/fraud-intel/bid/46188/Christmas-2010-Top-6-Anti-Fraud-Measures-for-Online-Merchants" target="_self"&gt;More &amp;gt;&amp;gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Ensure your fraud rules are multi-channel. &lt;a title="Download a PDF of all tips &amp;gt;&amp;gt;" href="http://www.ethoca.com/anti-fraud-tips/" target="_self"&gt;More &amp;gt;&amp;gt;&lt;/a&gt;&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;a title="Download a PDF of all tips &amp;gt;&amp;gt;" href="http://www.ethoca.com/anti-fraud-tips/" target="_self"&gt;Download a PDF of all tips &amp;gt;&amp;gt;&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/fraud-intel/~4/jN3wR-TX4-Q" height="1" width="1"/&gt;</description><dc:creator>Julie Fergerson</dc:creator><pubDate>Wed, 01 Dec 2010 18:55:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:46603</guid><feedburner:origLink>http://www.ethoca.com/fraud-intel/bid/46603/Tip-6-Ensure-Anti-Fraud-Rules-are-Multi-Channel</feedburner:origLink></item><item><comments>http://www.ethoca.com/fraud-intel/bid/46188/Tip-5-Tune-Fraud-Screening-Processes-to-Handle-Very-High-AVS-Mismatch-Rates-Resulting-from-Gift-Cards#Comments</comments><slash:comments>0</slash:comments><title>Tip 5: Tune Fraud Screening Processes to Handle Very High AVS Mismatch Rates Resulting from Gift Cards</title><link>http://feedproxy.google.com/~r/fraud-intel/~3/R5pTjqTaZwM/Tip-5-Tune-Fraud-Screening-Processes-to-Handle-Very-High-AVS-Mismatch-Rates-Resulting-from-Gift-Cards</link><description>&lt;table id="caption" border="0" cellspacing="0" cellpadding="0" align="right"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;a href="http://www.ethoca.com/anti-fraud-tips/" target="_self"&gt;&lt;img src="http://www.ethoca.com/Portals/31166/images/Anti-Fraud-Tips.png" border="0" alt="fraud prevention rules" /&gt;&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;&lt;em&gt;In this &lt;a title="6 part series" href="http://www.ethoca.com/fraud-intel/?Tag=Christmas+Top+6+List" target="_blank"&gt;6 part series&lt;/a&gt;, Ethoca offers tips for merchants based on the top fraud trends observed this year.&lt;/em&gt;&lt;/p&gt;
&lt;h4&gt;Tuning fraud screening processes&lt;/h4&gt;
&lt;p&gt;Gift cards are quickly becoming the number one present, which means they will be heavily used immediately after the holidays.&lt;/p&gt;
&lt;p&gt;AVS rules do not work with gift cards, so if you haven't accounted for this, you will end up with a huge spike in orders being referred for manual review right after the holidays. You can avoid this by tuning your fraud screening processes now.&lt;/p&gt;
&lt;p&gt;Plan for a high number of AVS mismatch and no-match responses after the holidays and make sure your fraud rules support it. Some merchants even program in a bypass of their AVS check by gift card BIN range. But, whatever you do, don't let the success of your gift card program become a fraud management nightmare.&lt;/p&gt;
&lt;h4&gt;Top 6 anti-fraud measures for online merchants:&lt;/h4&gt;
&lt;ol&gt;
&lt;li&gt;Be unfriendly to friendly fraud. &lt;a title="&amp;gt;&amp;gt;" href="http://www.ethoca.com/fraud-intel/bid/45791/Christmas-2010-Top-6-Anti-Fraud-Measures-for-Online-Merchants" target="_self"&gt;More &amp;gt;&amp;gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Be careful not to flag repeat customers as suspicious when they don't have a digital fingerprint. &lt;a title="more &amp;gt;&amp;gt;" href="http://www.ethoca.com/fraud-intel/bid/45571/Christmas-2010-Top-6-Anti-Fraud-Measures-for-Online-Merchants" target="_self"&gt;More &amp;gt;&amp;gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Monitor cancelled orders triggered by fraud screens, and the resulting call center complaints, to maximize revenues. &lt;a title="More &amp;gt;&amp;gt;" href="http://www.ethoca.com/fraud-intel/bid/45568/Christmas-2010-Top-6-Anti-Fraud-Measures-for-Online-Merchants" target="_self"&gt;More &amp;gt;&amp;gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Test fraud rules to make sure you are able to catch coupon fraud. &lt;a title="More &amp;gt;&amp;gt;" href="http://www.ethoca.com/fraud-intel/bid/46129/Christmas-2010-Top-6-Anti-Fraud-Measures-for-Online-Merchants" target="_self"&gt;More &amp;gt;&amp;gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Tune fraud screening processes to handle very high AVS mismatch rates resulting from gift cards. &lt;a title="More &amp;gt;&amp;gt;" href="http://www.ethoca.com/fraud-intel/bid/46188/Christmas-2010-Top-6-Anti-Fraud-Measures-for-Online-Merchants" target="_self"&gt;More &amp;gt;&amp;gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Ensure your fraud rules are multi-channel. &lt;a title="More &amp;gt;&amp;gt;" href="http://www.ethoca.com/fraud-intel/bid/46603/Ensure-Anti-Fraud-Rules-are-Multi-Channel" target="_self"&gt;More &amp;gt;&amp;gt;&lt;/a&gt;&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;a title="Download a PDF of all tips &amp;gt;&amp;gt;" href="anti-fraud-tips/" target="_self"&gt;Download a PDF of all tips &amp;gt;&amp;gt;&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/fraud-intel/~4/R5pTjqTaZwM" height="1" width="1"/&gt;</description><dc:creator>Julie Fergerson</dc:creator><pubDate>Fri, 19 Nov 2010 16:38:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:46188</guid><feedburner:origLink>http://www.ethoca.com/fraud-intel/bid/46188/Tip-5-Tune-Fraud-Screening-Processes-to-Handle-Very-High-AVS-Mismatch-Rates-Resulting-from-Gift-Cards</feedburner:origLink></item><item><comments>http://www.ethoca.com/fraud-intel/bid/46129/Tip-4-Test-Fraud-Rules-to-Ensure-You-Catch-Coupon-Fraud#Comments</comments><slash:comments>0</slash:comments><title>Tip 4: Test Fraud Rules to Ensure You Catch Coupon Fraud </title><link>http://feedproxy.google.com/~r/fraud-intel/~3/_82n1oKnbWc/Tip-4-Test-Fraud-Rules-to-Ensure-You-Catch-Coupon-Fraud</link><description>&lt;table id="caption" border="0" cellspacing="0" cellpadding="0" align="right"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;a href="http://www.ethoca.com/anti-fraud-tips/" target="_self"&gt;&lt;img src="http://www.ethoca.com/Portals/31166/images/Anti-Fraud-Tips.png" border="0" alt="fraud prevention rules" /&gt;&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;&lt;em&gt;In this &lt;a title="6 part series" href="http://www.ethoca.com/fraud-intel/?Tag=Christmas+Top+6+List" target="_blank"&gt;6 part series&lt;/a&gt;, Ethoca offers tips for merchants based on the top fraud trends observed this year.&lt;/em&gt;&lt;/p&gt;
&lt;h4&gt;Coupon fraud soars&lt;/h4&gt;
&lt;p&gt;Coupon fraud is expected to set new records this holiday season. Earlier this year, &lt;a title="the Wall Street Journal reported" href="http://online.wsj.com/article/SB10001424052748703862704575099971939458554.html" target="_blank"&gt;the Wall Street Journal reported&lt;/a&gt; that coupon fraud increased by 14% from 2008 to 2009. The actual number of fake coupons redeemed rose to 10 basis points, or 3.3 million coupons out of the 3.3 billion issued. However, Coupon Information Corp, a non-profit organization that monitors fraud for food companies, reported 198 fake coupons in the first quarter of 2010, more than the total number of counterfeits detected in the previous decade combined.&lt;/p&gt;
&lt;p&gt;The problem is exacerbated by the increasingly common publication of online coupons for consumers to print at home, and the prevalence of very sophisticated graphical editing tools which enable creation of highly realistic fakes &amp;ndash; virtually undetectable unless you know what to look for. Online coupon fraud is that much harder to detect, and growing even faster.&lt;/p&gt;
&lt;h4&gt;Testing your ruleset&lt;/h4&gt;
&lt;p&gt;Rumors of Black Friday deals have been circulating in the coupon communities for at least a couple of months. Work with your marketing team before the holiday season starts and test your ruleset to ensure you catch coupon fraud, but also allow valid coupon deals to flow through the system easily.&lt;/p&gt;
&lt;h4&gt;Top 6 anti-fraud measures for online merchants:&lt;/h4&gt;
&lt;ol&gt;
&lt;li&gt;Be unfriendly to friendly fraud. &lt;a title="&amp;gt;&amp;gt;" href="http://www.ethoca.com/fraud-intel/bid/45791/Christmas-2010-Top-6-Anti-Fraud-Measures-for-Online-Merchants" target="_self"&gt;More &amp;gt;&amp;gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Be careful not to flag repeat customers as suspicious when they don't have a digital fingerprint. &lt;a title="more &amp;gt;&amp;gt;" href="http://www.ethoca.com/fraud-intel/bid/45571/Christmas-2010-Top-6-Anti-Fraud-Measures-for-Online-Merchants" target="_self"&gt;More &amp;gt;&amp;gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Monitor cancelled orders triggered by fraud screens, and the resulting call center complaints, to maximize revenues. &lt;a title="More &amp;gt;&amp;gt;" href="http://www.ethoca.com/fraud-intel/bid/45568/Christmas-2010-Top-6-Anti-Fraud-Measures-for-Online-Merchants" target="_self"&gt;More &amp;gt;&amp;gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Test fraud rules to make sure you are able to catch coupon fraud. &lt;a title="More &amp;gt;&amp;gt;" href="http://www.ethoca.com/fraud-intel/bid/46129/Christmas-2010-Top-6-Anti-Fraud-Measures-for-Online-Merchants" target="_self"&gt;More &amp;gt;&amp;gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Tune fraud screening processes to handle very high AVS mismatch rates resulting from gift cards. &lt;a title="More &amp;gt;&amp;gt;" href="http://www.ethoca.com/fraud-intel/bid/46188/Christmas-2010-Top-6-Anti-Fraud-Measures-for-Online-Merchants" target="_self"&gt;More &amp;gt;&amp;gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Ensure your fraud rules are multi-channel. &lt;a title="More &amp;gt;&amp;gt;" href="http://www.ethoca.com/fraud-intel/bid/46603/Ensure-Anti-Fraud-Rules-are-Multi-Channel" target="_self"&gt;More &amp;gt;&amp;gt;&lt;/a&gt;&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;a title="Download a PDF of all tips &amp;gt;&amp;gt;" href="anti-fraud-tips/" target="_self"&gt;Download a PDF of all tips &amp;gt;&amp;gt;&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/fraud-intel/~4/_82n1oKnbWc" height="1" width="1"/&gt;</description><dc:creator>Julie Fergerson</dc:creator><pubDate>Thu, 18 Nov 2010 19:59:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:46129</guid><feedburner:origLink>http://www.ethoca.com/fraud-intel/bid/46129/Tip-4-Test-Fraud-Rules-to-Ensure-You-Catch-Coupon-Fraud</feedburner:origLink></item><item><comments>http://www.ethoca.com/fraud-intel/bid/45568/Tip-3-Carefully-Monitor-Cancelled-Orders-Triggered-by-Fraud-Screens#Comments</comments><slash:comments>0</slash:comments><title>Tip 3: Carefully Monitor Cancelled Orders Triggered by Fraud Screens</title><link>http://feedproxy.google.com/~r/fraud-intel/~3/ywHmz70vQ-0/Tip-3-Carefully-Monitor-Cancelled-Orders-Triggered-by-Fraud-Screens</link><description>&lt;table id="caption" border="0" cellspacing="0" cellpadding="0" align="right"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;a href="http://www.ethoca.com/anti-fraud-tips/" target="_self"&gt;&lt;img src="http://www.ethoca.com/Portals/31166/images/Anti-Fraud-Tips.png" border="0" alt="fraud prevention rules" /&gt;&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;&lt;em&gt;In this &lt;a title="6 part series" href="http://www.ethoca.com/fraud-intel/?Tag=Christmas+Top+6+List" target="_blank"&gt;6 part series&lt;/a&gt;, Ethoca offers tips for merchants based on the top fraud trends observed this year.&lt;/em&gt;&lt;/p&gt;
&lt;h4&gt;Carefully monitor cancelled orders triggered by fraud screens, and the resulting call center complaints, to maximize revenues&lt;/h4&gt;
&lt;p&gt;Measure the number of orders you cancel, and monitor throughout the holiday season how many frustrated consumers call into the call center to ask why their order was canceled.&lt;/p&gt;
&lt;p&gt;On average, the &amp;ldquo;customer insult rate&amp;rdquo;, or the rate at which legitimate customer orders are wrongly challenged or cancelled, as measured by call center complaints, results in about a 0.16% loss in revenue. Some merchants perceive this as quite low, but that means $1,600 lost for every million in revenue, which can be quite substantial when every dollar matters this holiday season.&lt;/p&gt;
&lt;p&gt;Moreover, at least half of those whose orders are wrongly rejected simply give up after the first try, and take their business elsewhere, so the call center complaints significantly understate the true customer insult rate.&lt;/p&gt;
&lt;p&gt;Tune your review process to keep this number as low as possible.&lt;/p&gt;
&lt;h4&gt;Top 6 anti-fraud measures for online merchants:&lt;/h4&gt;
&lt;ol&gt;
&lt;li&gt;Be unfriendly to friendly fraud. &lt;a title="&amp;gt;&amp;gt;" href="http://www.ethoca.com/fraud-intel/bid/45791/Christmas-2010-Top-6-Anti-Fraud-Measures-for-Online-Merchants" target="_self"&gt;More &amp;gt;&amp;gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Be careful not to flag repeat customers as suspicious when they don't have a digital fingerprint. &lt;a title="more &amp;gt;&amp;gt;" href="http://www.ethoca.com/fraud-intel/bid/45571/Christmas-2010-Top-6-Anti-Fraud-Measures-for-Online-Merchants" target="_self"&gt;More &amp;gt;&amp;gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Monitor cancelled orders triggered by fraud screens, and the resulting call center complaints, to maximize revenues. &lt;a title="More &amp;gt;&amp;gt;" href="http://www.ethoca.com/fraud-intel/bid/45568/Christmas-2010-Top-6-Anti-Fraud-Measures-for-Online-Merchants" target="_self"&gt;More &amp;gt;&amp;gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Test fraud rules to make sure you are able to catch coupon fraud. &lt;a title="More &amp;gt;&amp;gt;" href="http://www.ethoca.com/fraud-intel/bid/46129/Christmas-2010-Top-6-Anti-Fraud-Measures-for-Online-Merchants" target="_self"&gt;More &amp;gt;&amp;gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Tune fraud screening processes to handle very high AVS mismatch rates resulting from gift cards. &lt;a title="More &amp;gt;&amp;gt;" href="http://www.ethoca.com/fraud-intel/bid/46188/Christmas-2010-Top-6-Anti-Fraud-Measures-for-Online-Merchants" target="_self"&gt;More &amp;gt;&amp;gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Ensure your fraud rules are multi-channel. &lt;a title="More &amp;gt;&amp;gt;" href="http://www.ethoca.com/fraud-intel/bid/46603/Ensure-Anti-Fraud-Rules-are-Multi-Channel" target="_self"&gt;More &amp;gt;&amp;gt;&lt;/a&gt;&lt;/li&gt;
&lt;/ol&gt; 
&lt;p&gt;&lt;a title="Download a PDF of all tips &amp;gt;&amp;gt;" href="http://www.ethoca.com/anti-fraud-tips/" target="_self"&gt;Download a PDF of all tips &amp;gt;&amp;gt;&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/fraud-intel/~4/ywHmz70vQ-0" height="1" width="1"/&gt;</description><dc:creator>Julie Fergerson</dc:creator><pubDate>Thu, 18 Nov 2010 11:04:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:45568</guid><feedburner:origLink>http://www.ethoca.com/fraud-intel/bid/45568/Tip-3-Carefully-Monitor-Cancelled-Orders-Triggered-by-Fraud-Screens</feedburner:origLink></item><item><comments>http://www.ethoca.com/fraud-intel/bid/45571/Tip-2-Be-Careful-Not-to-Flag-Repeat-Customers-as-Suspicious-When-They-Don-t-Have-a-Digital-Fingerprint#Comments</comments><slash:comments>0</slash:comments><title>Tip 2: Be Careful Not to Flag Repeat Customers as Suspicious When They Don't Have a Digital Fingerprint</title><link>http://feedproxy.google.com/~r/fraud-intel/~3/0NZbTkOVpyg/Tip-2-Be-Careful-Not-to-Flag-Repeat-Customers-as-Suspicious-When-They-Don-t-Have-a-Digital-Fingerprint</link><description>&lt;table id="caption" border="0" cellspacing="0" cellpadding="0" align="right"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;a href="http://www.ethoca.com/anti-fraud-tips/" target="_self"&gt;&lt;img src="http://www.ethoca.com/Portals/31166/images/Anti-Fraud-Tips.png" border="0" alt="fraud prevention rules" /&gt;&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;&lt;em&gt;In this &lt;a title="6 part series" href="http://www.ethoca.com/fraud-intel/?Tag=Christmas+Top+6+List" target="_blank"&gt;6 part series&lt;/a&gt;, Ethoca offers tips for merchants based on the top fraud trends observed this year.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;Consumers and privacy rights organizations are increasingly sensitive and militant about protecting online privacy. There are plenty of warning signs that some techniques commonly used to fight fraud, such as digital fingerprinting, will get swept up in, or already have been affected by, calls for stronger privacy protection.&lt;/p&gt;
&lt;h4&gt;Privacy protection issues&lt;/h4&gt;
&lt;p&gt;Immediately following the 2010 midterm elections, calls were made by Republican members of Congress for much stronger privacy regulations, affirming the importance of consumer privacy protection to underpin healthy ecommerce (see report in &lt;a href="http://voices.washingtonpost.com/posttech/2010/11/rep_barton_pledges_push_for_in.html"&gt;Washington Post blog&lt;/a&gt;). Earlier this year in the last session of Congress, a weak privacy bill was introduced but not passed, and was lobbied strongly by a unified front of 10 privacy &lt;a href="http://www.consumerwatchdog.org/resources/LTRBoucherStearns060410.pdf"&gt;watchdog organizations&lt;/a&gt; for increased protections.&lt;/p&gt;
&lt;p&gt;Echoing these calls and alerting consumers to how much they don't know about online privacy, a recent multi-part, in-depth expos&amp;eacute; by the Wall Street Journal described how consumers are being routinely &lt;a href="http://online.wsj.com/public/page/what-they-know-digital-privacy.html"&gt;spied on&lt;/a&gt; and how detailed behavioral dossiers linked to personally identifiable information are being created. We believe that strict regulation is inevitable, and many companies will be moving quickly to block loopholes that have allowed "digital fingerprints" to be assembled, and your fraud systems may be affected.&lt;/p&gt;
&lt;h4&gt;Tracking changes&lt;/h4&gt;
&lt;p&gt;For example, privacy concerns have caused Adobe (Flash cookies) and new versions of web browsers to change their policies and no longer automatically let merchants track consumers as repeat buyers.&amp;nbsp; Such "anonymous" markers, commonly used in lieu of personally identifiable information to track activities by a specific user or device, are being targeted by privacy advocates because it has been shown that they can be (and have been) linked to PII.&lt;/p&gt;
&lt;p&gt;These changes affect anti-fraud techniques such as digital fingerprints and device IDs, which are becoming much less reliable predictors of both good customers and fraudsters as browser data and other factors once used to identify site visitors are increasingly blocked or not available. And, at the recently concluded Merchant Risk Council Platinum meeting held Sept 30 &amp;ndash; Oct 1 in Austin (see MRC Recaps, &lt;a href="fraud-intel/bid/43783/Merchant-Risk-Council-Platinum-Meeting-Day-1-Recap"&gt;Day 1&lt;/a&gt; + &lt;a href="fraud-intel/bid/44060/Merchant-Risk-Council-Platinum-Meeting-Day-2-Recap"&gt;Day 2&lt;/a&gt;), several presenters outlined how digital fingerprinting and device ID technology was the latest technology solution to be systematically defeated by fraudsters.**&lt;/p&gt;
&lt;h4&gt;Higher false positive rates&lt;/h4&gt;
&lt;p&gt;The net is, although these approaches will still work for most shoppers, you are likely to see much higher rates of false positives -- good orders that look suspicious. If a consumer is not recognized from a digital fingerprint, it doesn&amp;rsquo;t mean they should necessarily be treated like a fraudster; in many cases it just means they have upgraded their software.&lt;/p&gt;
&lt;h4&gt;Tuning fraud rules&lt;/h4&gt;
&lt;p&gt;You'll need to tune your rules to support this change so that the number of orders you manually review is kept in line with actual expected fraud attack rates.&lt;/p&gt;
&lt;div&gt;&lt;/div&gt;
&lt;p&gt;** A &lt;a href="fraud-intel/bid/42852/e-Commerce-Payment-Fraud-Prevention-Looking-for-the-Great-Leap-Forward"&gt;recent Fraud Intel blog post&lt;/a&gt; by Ethoca VP of Emerging Technologies, Julie Fergerson, detailed how virtually all anti-fraud technologies decay in effectiveness over time, and the reason why.&lt;/p&gt;
&lt;h4&gt;Top 6 anti-fraud measures for online merchants:&lt;/h4&gt;
&lt;ol&gt;
&lt;li&gt;Be unfriendly to friendly fraud. &lt;a title="&amp;gt;&amp;gt;" href="http://www.ethoca.com/fraud-intel/bid/45791/Christmas-2010-Top-6-Anti-Fraud-Measures-for-Online-Merchants" target="_self"&gt;More &amp;gt;&amp;gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Be careful not to flag repeat customers as suspicious when they don't have a digital fingerprint. &lt;a title="more &amp;gt;&amp;gt;" href="http://www.ethoca.com/fraud-intel/bid/45571/Christmas-2010-Top-6-Anti-Fraud-Measures-for-Online-Merchants" target="_self"&gt;More &amp;gt;&amp;gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Monitor cancelled orders triggered by fraud screens, and the resulting call center complaints, to maximize revenues. &lt;a title="More &amp;gt;&amp;gt;" href="http://www.ethoca.com/fraud-intel/bid/45568/Christmas-2010-Top-6-Anti-Fraud-Measures-for-Online-Merchants" target="_self"&gt;More &amp;gt;&amp;gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Test fraud rules to make sure you are able to catch coupon fraud. &lt;a title="More &amp;gt;&amp;gt;" href="http://www.ethoca.com/fraud-intel/bid/46129/Christmas-2010-Top-6-Anti-Fraud-Measures-for-Online-Merchants" target="_self"&gt;More &amp;gt;&amp;gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a title="Tip 5" href="fraud-intel/bid/46188/Christmas-2010-Top-6-Anti-Fraud-Measures-for-Online-Merchants" target="_self"&gt;&lt;/a&gt;Tune fraud screening processes to handle very high AVS mismatch rates resulting from gift cards. &lt;a title="More &amp;gt;&amp;gt;" href="http://www.ethoca.com/fraud-intel/bid/46188/Christmas-2010-Top-6-Anti-Fraud-Measures-for-Online-Merchants" target="_self"&gt;More &amp;gt;&amp;gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Ensure your fraud rules are multi-channel. &lt;a title="More &amp;gt;&amp;gt;" href="http://www.ethoca.com/fraud-intel/bid/46603/Ensure-Anti-Fraud-Rules-are-Multi-Channel" target="_self"&gt;More &amp;gt;&amp;gt;&lt;/a&gt;&lt;/li&gt;
&lt;/ol&gt; 
&lt;p&gt;&lt;a title="Download a PDF of all tips &amp;gt;&amp;gt;" href="http://www.ethoca.com/anti-fraud-tips/" target="_self"&gt;Download a PDF of all tips &amp;gt;&amp;gt;&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/fraud-intel?a=0NZbTkOVpyg:UaqbKs3j4cA:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/fraud-intel?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/fraud-intel/~4/0NZbTkOVpyg" height="1" width="1"/&gt;</description><dc:creator>Julie Fergerson</dc:creator><pubDate>Mon, 08 Nov 2010 19:36:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:45571</guid><feedburner:origLink>http://www.ethoca.com/fraud-intel/bid/45571/Tip-2-Be-Careful-Not-to-Flag-Repeat-Customers-as-Suspicious-When-They-Don-t-Have-a-Digital-Fingerprint</feedburner:origLink></item><item><comments>http://www.ethoca.com/fraud-intel/bid/45791/Tip-1-Be-Unfriendly-to-Friendly-Fraud#Comments</comments><slash:comments>0</slash:comments><title>Tip 1: Be Unfriendly to Friendly Fraud</title><link>http://feedproxy.google.com/~r/fraud-intel/~3/2OmXtFXPefk/Tip-1-Be-Unfriendly-to-Friendly-Fraud</link><description>&lt;table id="caption" border="0" cellspacing="0" cellpadding="0" align="right"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;a href="http://www.ethoca.com/anti-fraud-tips/" target="_self"&gt;&lt;img src="http://www.ethoca.com/Portals/31166/images/Anti-Fraud-Tips.png" border="0" alt="fraud prevention rules" /&gt;&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;&lt;em&gt;eCommerce payment fraud continues to be a prime target for cybergangs in 2010, and as sales volumes start their rapid Christmas ascent in November leading up to Black Friday and Cyber Monday, the   fraudsters are also getting ready with a whole new set of threats that merchants need to watch out for. In this &lt;a title="6 part series" href="http://www.ethoca.com/fraud-intel/?Tag=Christmas+Top+6+List" target="_blank"&gt;6 part series&lt;/a&gt;, Ethoca offers tips for merchants based on the top fraud trends observed this year.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;So-called "friendly fraud" (also known as "I didn't do it fraud") is rising due to the continuing bleak economy and rising joblessness. ("Friendly fraud" is fraud committed by the cardholder or someone known to them.)&amp;nbsp; Most of the fraud checks in place are designed to detect third-party fraud, and merchants are likely to miss the majority of friendly fraud.&lt;/p&gt;
&lt;h4&gt;Year-over-year increase in friendly fraud&lt;/h4&gt;
&lt;p&gt;In 2010, 10% of all merchants (online and offline) reported an  increase in year-over-year friendly fraud according to the LexisNexis  True Cost of Fraud Study, following 2009's even larger 19% of merchants.  Friendly fraud has been on the rise for more than 3 years as we  continue to struggle through the worst economic conditions in memory, so  don't expect it to improve this Christmas.&lt;/p&gt;
&lt;p&gt;Within the study's reported figures, a more specific story emerges depending on what kind of merchant you are. Large merchants (1 in 5) are most likely to report increases, followed by 16% of medium-sized merchants and 7% of small merchants. Not surprisingly, online merchants are the hardest hit, with 23% reporting an increase, and 23% of total losses attributed to friendly fraud.&lt;/p&gt;
&lt;h4&gt;Be prepared to respond to your bank&lt;/h4&gt;
&lt;p&gt;As a merchant, what you need to know is that banks also are aware  that friendly fraud is an increasing problem, and are being much tougher  on consumers and demanding affidavits and proof when the cardholder  says "it wasn't me". Make sure you are prepared to respond to inquiries  from your bank in a timely manner, ensure your papers are organized and  that the sale is well documented (proof of delivery, who signed for the  package, details of the order, bill-to address matches ship-to address,  etc.).&amp;nbsp;&lt;/p&gt;
&lt;p&gt;There is nothing friendly about being stolen from, especially at  Christmas. Be prepared to fight back and be unfriendly to friendly  fraud.&lt;/p&gt;
&lt;p&gt;Other references:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a title="On the Rise, Friendly Fraud is Getting Online Merchant's Attention" href="http://www.digitaltransactions.net/newsstory.cfm?newsid=2479" target="_blank"&gt;On the Rise, Friendly Fraud is Getting Online Merchant's Attention&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a title="Understanding Friendly Fraud" href="http://www.merchanttalk.com/2008/01/05/understanding-friendly-fraud/" target="_blank"&gt;Understanding Friendly Fraud&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a title="Friendly Fraud (Wikipedia)" href="http://en.wikipedia.org/wiki/Friendly_Fraud" target="_blank"&gt;Friendly Fraud (Wikipedia)&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;a title="Download a PDF of all tips &amp;gt;&amp;gt;" href="http://www.ethoca.com/anti-fraud-tips/" target="_self"&gt;Download a PDF of all tips &amp;gt;&amp;gt;&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/fraud-intel?a=2OmXtFXPefk:QI0XHMPYPi4:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/fraud-intel?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/fraud-intel/~4/2OmXtFXPefk" height="1" width="1"/&gt;</description><dc:creator>Julie Fergerson</dc:creator><pubDate>Thu, 04 Nov 2010 08:01:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:45791</guid><feedburner:origLink>http://www.ethoca.com/fraud-intel/bid/45791/Tip-1-Be-Unfriendly-to-Friendly-Fraud</feedburner:origLink></item><item><comments>http://www.ethoca.com/fraud-intel/bid/44060/Merchant-Risk-Council-Platinum-Meeting-Day-2-Recap#Comments</comments><slash:comments>0</slash:comments><title>Merchant Risk Council Platinum Meeting - Day 2 Recap</title><link>http://feedproxy.google.com/~r/fraud-intel/~3/GKIruP_kmFQ/Merchant-Risk-Council-Platinum-Meeting-Day-2-Recap</link><description>&lt;table id="caption" border="0" cellspacing="0" cellpadding="0" align="right"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;a href="https://www.merchantriskcouncil.org/document/docWindow.cfm?fuseaction=document.viewDocument&amp;amp;documentid=421&amp;amp;documentFormatId=854" target="_blank"&gt;&lt;img src="http://www.ethoca.com/Portals/31166/images/mrc-logo.jpg" border="0" alt="merchant risk council" /&gt;&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h4&gt;Notes on Day 2 presentations by Ethoca, ICE, and 41st Parameter&lt;/h4&gt;
&lt;p&gt;Perhaps the most interesting takeaway from Ethoca's presentation is that facilitating &lt;a title="collaboration between issuers and merchants" href="http://www.ethoca.com/fraud-detection-services/issuer-merchant-collaboration/" target="_self"&gt;collaboration between issuers and merchants&lt;/a&gt; via Ethoca's real-time communications hub and secure data repository is a true win-win scenario.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Up to 40% of all &lt;a title="alerts" href="http://www.ethoca.com/fraud-detection-services/issuer-merchant-collaboration/merchants/" target="_self"&gt;alerts&lt;/a&gt; received resulted in stopping fraud. This is significant, because &lt;em&gt;all the orders affected had already passed through fraud scrubbing&lt;/em&gt; at the time payment was accepted by the system, and unavoidably, some alerts are too late to stop the order from going out. Of course this percentage will vary by merchant and by fraud attack rate, but in general, the more committed a merchant is to processing orders quickly to ensure customer satisfaction, and the more orders processed, the more important these alerts are as a component of managing fraud.&lt;/li&gt;
&lt;li&gt;On the other hand, it's a common misperception that fraudulent CNP chargebacks don't cost the issuer much, so it is often assumed that there is little benefit to issuers in collaborating to help stop fraud. As we heard, nothing could be farther from the truth. What's been missing is a cost-effective infrastructure to distribute huge volumes of data to merchants in near real-time, and get the "order refunded" feedback necessary to avoid issuing a chargeback.&lt;/li&gt;
&lt;li&gt;Issuer reported &lt;a title="Issuer reported savings" href="http://www.ethoca.com/fraud-detection-services/issuer-merchant-collaboration/Issuer-Confirmed-Fraud-Alerts-Card-Issuer-Service/" target="_self"&gt;savings&lt;/a&gt; included 25% of operational and chargeback submission costs, and up to 25% of the costs associated with 3D Secure liability.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;There was great response from the merchants in the audience who expressed strong interest in getting more issuers involved. An important learning for Ethoca is that a key to making this kind of collaboration work is making it extremely clear and simple what each party must do  and what each party gets. Clarity, transparency and simplicity build trust, especially at the early stages, and without trust it's really hard to get collaboration off the ground. &lt;a title="Contact Ethoca" href="mailto:steve.frook@ethoca.com" target="_self"&gt;Contact us&lt;/a&gt; for more information.&lt;/p&gt;
&lt;h4&gt;Operation eMule - Investigation of an Underground Economy - A Case Study on Merchant and Law Enforcement Collaboration (Keith Cramsey and Michael Pak, ICE)&lt;/h4&gt;
&lt;ul&gt;
&lt;li&gt;Jason Calhoun from Rosetta Stone discusses the importance of merchants working with law enforcement to catch fraudsters. Use one point of contact; use a standard data format; be open and share data.&lt;/li&gt;
&lt;li&gt;Mike Peterson from Dell Financial Services: key is link analysis; watch out for fake job sites; if you're employed 'shipping from home', you might really just be distributing stolen goods. Law enforcement can't take the time to follow-up on every lead; if merchant requires subpoena, law enforcement just moves on. One of the challenges of working with law enforcement is different jurisdictions (across state) - central communication is key. Verizon tips on working with law enforcement.&lt;/li&gt;
&lt;/ul&gt;
&lt;h4&gt;Conference Wrap-Up (Matt Lane, 41st Parameter)&lt;/h4&gt;
&lt;ul&gt;
&lt;li&gt;The demise of tagging as a fraud identification and marketing intelligence tool. New privacy features are restricting access to cookies and use of local objects, which means a decreased effectiveness for fraud management. &lt;/li&gt;
&lt;li&gt;DeviceID vs Device Intelligence (uses timestamp of local computer); 70% of merchants seeing degradation in effectiveness of tagging.&lt;/li&gt;
&lt;li&gt;41st crediting Julie Fergerson for outlining that any fraud management technique degrades over time. &lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Additional Notes&lt;/p&gt;
&lt;p&gt;To learn more about why Julie says all fraud tools and techniques degrade in performance over  time, see her  recent blog post &lt;a title="e-Commerce Payment Fraud Prevention: Looking for the Great Leap Forward" href="fraud-intel/bid/42852/e-Commerce-Payment-Fraud-Prevention-Looking-for-the-Great-Leap-Forward" target="_blank"&gt;e-Commerce Payment Fraud Prevention: Looking for the Great Leap Forward&lt;/a&gt;.&lt;/p&gt;
&lt;h4&gt;Ending thoughts&lt;/h4&gt;
&lt;p&gt;An over-arching theme at this meeting was collaboration -- everyone seemed to be talking about it. There was the law enforcement round table on collaboration, Autotrader's talk on creating an internal collaborative security and fraud function in your organization, Patrick Peterson from Cisco talking about how the criminals are collaborating, forcing us to do the same, Julie Fergerson discussing how the evolution of 10 years of fraud management has brought us full circle and how collaboration is the only approach whose &lt;a title="collaboration is the only approach whose effectiveness does not decline" href="http://www.ethoca.com/fraud-intel/bid/42852/e-Commerce-Payment-Fraud-Prevention-Looking-for-the-Great-Leap-Forward" target="_blank"&gt;effectiveness does not decline&lt;/a&gt; over time, my talk about issuer-merchant collaboration, and the merchant-law enforcement collaboration case study. And, it seemed that most of the buzz in the halls had something to do with collaboration.&lt;/p&gt;
&lt;p&gt;I am glad to see that. Collaboration has been our mantra since the beginning. So let me just end with one final thought on collaboration and fraud.&lt;/p&gt;
&lt;h4&gt;The sooner we see patterns the better&lt;/h4&gt;
&lt;p&gt;Fraud happens because we don't discover it in time. Eventually, of course, fraud turns up as a chargeback, but that could be 30-60 days at the earliest, and months after the "purchase" in the worst case. The sooner we see the pattern, find a link to other orders gone bad, detect anomalies, or find out that a credit card is compromised, the better chance we have of cutting losses -- chargeback fees, shipping costs, stolen goods and order processing costs.&lt;/p&gt;
&lt;h4&gt;Fraud as a time problem&lt;/h4&gt;
&lt;p&gt;Thinking of fraud as a time problem, rather than as a security problem or a predictive accuracy problem leads to an insight that seems obvious when you say it. Minimizing cost means that ideally we stop fraud before it happens -- at T(0).&amp;nbsp; And, if not T(0), then at the time closest to zero. That's the goal.&lt;/p&gt;
&lt;p&gt;In a nutshell, that is precisely why collaboration is likely the best fraud prevention technique of all. It is the most efficient and simplest method for early detection of new fraud attacks. By working together we can react faster, smarter and better.&lt;/p&gt;
&lt;p&gt;Thanks to the MRC for another great meeting.&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/fraud-intel?a=GKIruP_kmFQ:1mi_EstGFG4:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/fraud-intel?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/fraud-intel/~4/GKIruP_kmFQ" height="1" width="1"/&gt;</description><dc:creator>Keegan Johnson</dc:creator><pubDate>Tue, 05 Oct 2010 12:29:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:44060</guid><feedburner:origLink>http://www.ethoca.com/fraud-intel/bid/44060/Merchant-Risk-Council-Platinum-Meeting-Day-2-Recap</feedburner:origLink></item><item><comments>http://www.ethoca.com/fraud-intel/bid/43783/Merchant-Risk-Council-Platinum-Meeting-Day-1-Recap#Comments</comments><slash:comments>1</slash:comments><title>Merchant Risk Council Platinum Meeting - Day 1 Recap</title><link>http://feedproxy.google.com/~r/fraud-intel/~3/mW7UMgvpDmQ/Merchant-Risk-Council-Platinum-Meeting-Day-1-Recap</link><description>&lt;table id="caption" border="0" cellspacing="0" cellpadding="0" align="right"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;a href="https://www.merchantriskcouncil.org/document/docWindow.cfm?fuseaction=document.viewDocument&amp;amp;documentid=421&amp;amp;documentFormatId=854" target="_blank"&gt;&lt;img src="http://www.ethoca.com/Portals/31166/images/mrc-logo.jpg" border="0" alt="merchant risk council" /&gt;&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h4&gt;Notes on Day 1 opening remarks and award presentation; plus presentations by a Cisco Fellow, Apple, Cybersource, Visa, Mercator, and an MRC Co-Founder&lt;/h4&gt;
&lt;p&gt;This year's fall Platinum Meeting of the Merchant Risk Council celebrates the 10th anniversary of its founding. Our own Julie Fergerson was one of the co-founders and is a board member emeritus, and so was invited to participate in the opening remarks alongside Tom Donlea, Executive Director of the MRC, and Greg Abbott, the Texas Attorney General.&lt;/p&gt;
&lt;p&gt;In opening remarks, Donlea noted that global eCommerce has grown to an estimated $400 billion, and that online retail sales continue to grow rapidly.&lt;/p&gt;
&lt;p&gt;Abbott was to be honored with the Spotlight Award from the Identity Theft Resource Center (ITRC) in recognition of his vigorous enforcement of Texas laws requiring shredding of documents containing personally identifying information. The end result of identity theft that results from this PII falling into the hands of criminals is often card-not-present payment fraud.&lt;/p&gt;
&lt;p&gt;Julie is also a board member of the ITRC, and participated in making the award presentation. David Morales, Deputy First Assistant Attorney General, accepted the award on behalf of Mr. Abbott. The Texas Attorney General's office enforced more than $100,000 of fines against companies that carelessly disposed of personal data.&lt;/p&gt;
&lt;p&gt;The awards presentation kicked off the conference and set the tone for discussions of how fraudsters ply their trade and how merchants can fight back.&lt;/p&gt;
&lt;h4&gt;Sessions&lt;/h4&gt;
&lt;p&gt;During the meeting we actively tweeted significant data points, statements and factoids discussed by the presenters. Here, I will simply recap in bullet form the key tweets and takeaways from each session. If you'd like to follow us tomorrow in real-time, follow the Twitter hashtag #MRCfall2010.&lt;/p&gt;
&lt;h4&gt;A Journey into the Criminal Underworld: Understanding the Enemy (Patrick Peterson, CISCO Fellow)&lt;/h4&gt;
&lt;ul&gt;
&lt;li&gt;Patrick Peterson from Cisco talking about criminal forums getting together to share data about how to steal from companies. One spam group using &amp;gt;2000 URLs per week ... Crazy amount of URLs to burn every week. Every 5 minutes spammers change DNS server IP addresses ... Wow. One spam group grossing $100 to $120M per year; Glavmed and SpamIt running most successful spam and fraud rings in the world.&lt;/li&gt;
&lt;li&gt;Zeus is the most successful data theft malware out there; estimated 1.6M bots in Zeus botnets. Fragus most effective service to infect computers from websites.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Additional Notes&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;In a recent blog article, Ethoca discussed how Zeus is being used to emulate 3D Secure (Verified by Visa and MasterCard SecureCode) password/signup screens, hijacking the poor design of this CNP anti-fraud scheme to phish for unwitting shoppers' bank details and card info. See &lt;a title="3D Secure: Doesn't Make the Grade" href="http://www.ethoca.com/fraud-intel/bid/23763/3D-Secure-Doesn-t-Make-the-Grade" target="_blank"&gt;3D Secure: Doesn't Make the Grade&lt;/a&gt; (part 2 of 3 part series) for more detail about how.&lt;/li&gt;
&lt;li&gt;Coincidentally, the &lt;a title="Manhattan DA's office indicted more than 60 people" href="http://blogs.forbes.com/andygreenberg/2010/09/30/massive-u-s-cybercrime-bust-mostly-nabbed-exchange-students/" target="_blank"&gt;Manhattan DA's office indicted more than 60 people&lt;/a&gt;, mostly "cybermules" hired to get cash out of the bank after legitimate bank accounts were compromised and money transferred to the mules' accounts, all as a result of the Zeus trojan. It appears that the masterminds in this particular scheme reside in Russia, and most of the mules came to the US (from Russia) on student visas with the explicit intent of committing this fraud.&lt;/li&gt;
&lt;/ul&gt;
&lt;h4&gt;New Advances in Fraud Data Mining (Dave Moriarty, Apple)&lt;/h4&gt;
&lt;ul&gt;
&lt;li&gt;Dave Moriarty of Apple says chargeback rate is a poor metric because it is too slow ... Instead measure fraud pressure. # cancelled fraud correlates well to # fraud orders ... Interesting. Make sure you tag EVERY fraud order whether it is shipped or not ... Crucial step. 51% of chargebacks have already been identified as fraud; you need to monitor fraud on orders shipped in order to respond/adapt to new attacks; discovering fraud attack patterns by leveraging agents manual exp, but you need to use automated/statistical review. &lt;/li&gt;
&lt;li&gt;Clustering is an easy statistical tool (match all known fraud based on each dimension - e.g. product, amount, address ...); detect fraud basic strategy (create model of expected behaviour, measure behaviour, highlight anomalies).&lt;/li&gt;
&lt;li&gt;Find people who are buying more than they can consume; use link analysis and link on 1 dimension (e.g. address) and see how other dimensions change - fraudsters will behave differently. Speed of detection and adaptation key to defense against fraud.&lt;/li&gt;
&lt;li&gt;Dave receiving award for being on MRC board for 10 years ... Well deserved!&lt;/li&gt;
&lt;/ul&gt;
&lt;h4&gt;Determining the True Cost of Payment Security (Dave Glaser, CyberSource)&lt;/h4&gt;
&lt;ul&gt;
&lt;li&gt;CyberSource talking about calculating the true cost of fraud. Check out www.cybersource.com for whitepaper on calculating true cost of implementing security to combat fraud. Personnel costs = 60-70% of all security costs, 18% technology, 7% PCI validation.&lt;/li&gt;
&lt;li&gt;For large business, personnel can account for up to 87% of security costs.&lt;/li&gt;
&lt;/ul&gt;
&lt;h4&gt;Mobile: The New Payments Landscape (Bill Gajda, Visa)&lt;/h4&gt;
&lt;ul&gt;
&lt;li&gt;Visa talking about emerging payment trends; mobile payments as key contributor to growth; looking to extend 3DSecure to mobile platform.&lt;/li&gt;
&lt;li&gt;Mobile payments to become more secure than internet payments due to location-based services and phone biometrics; a 10% increase in mobile penetration can increase GDP by 0.6%.&lt;/li&gt;
&lt;li&gt;Verizon/att mobile offering vs Visa mobile? How will visa/att mobile fare? Visa says mobile operators will have problems co-operating and are underestimating difficulty of payments&lt;/li&gt;
&lt;li&gt;Also Visa says ... Can you trust mobile operators to complete payment transaction if they are dropping calls :)&lt;/li&gt;
&lt;/ul&gt;
&lt;h4&gt;Universal Authentication: Trekking to Find the Holy Grail (George Peabody, Mercator Advisory Group)&lt;/h4&gt;
&lt;ul&gt;
&lt;li&gt;The holy grail is being able to trust someone identified through a universal authentication system (without checking yourself). Universal auth would improve security and convenience, improve online privacy, increase online volume, and reduce risk of data breach.&lt;/li&gt;
&lt;li&gt;Organizations working on universal auth (nstic, open identity exchange, kantara, oasis).&lt;/li&gt;
&lt;li&gt;Prediction from Mercator that universal auth starts to become more of a reality around 2015, but not widespread until later. Universal auth will ultimately be implemented by multiple providers; a single provider is not a good idea.&lt;/li&gt;
&lt;/ul&gt;
&lt;h4&gt;Observations from an MRC Founder: Ten Years of e-Commerce Growth and Challenges (Julie Fergerson, MRC Co-Founder and Ethoca VP, Emerging Technologies)&lt;/h4&gt;
&lt;ul&gt;
&lt;li&gt;MRC was created because 10 years ago, crooks were organized and sharing info, merchants were not. 10 years ago, CNP fraud (chargeback) rates were over 1% + highest at big merchants. Biggest retailers at 9% on 2003 MRC survey! Tools got better, merchants communicated thru MRC. Fraud rates fell steadily, although dollars lost kept climbing until 2009.&lt;/li&gt;
&lt;li&gt;Device id is starting to degrade as fraudsters start to figure out how to get around it. Arms race: all fraud technologies work well in beginning, but eventually performance degrades.&lt;/li&gt;
&lt;li&gt;Bio-metrics is 7+ years away. Collaboration is the only tool that won't degrade over time. Collaboration needs to be done on neutral ground; needs to be open to anyone interested.&lt;/li&gt;
&lt;li&gt;2 dramatic changes: crooks monetizing stolen data faster + violent (organized) criminals moving to cybercrime. These changes mean many more criminals + expanding operations, and future losses will be higher than ever.&lt;/li&gt;
&lt;li&gt;Formalized collaboration necessary now to get the upper hand + must be global because sell globally and crime is global.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Additional Notes&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Ethoca CEO Andre Edelbrock described the concept of facilitated collaboration in his recent blog post &lt;a title="Data Sharing Without Sharing Data: Now That's Collaboration." href="http://www.ethoca.com/fraud-intel/bid/42616/Data-Sharing-Without-Sharing-Data-Now-That-s-Collaboration" target="_blank"&gt;Data Sharing Without Sharing Data: Now That's Collaboration.&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Julie elaborated on why and how fraud tools degrade in performance over time and why there is an escalating arms race with fraudsters in her recent blog post &lt;a title="e-Commerce Payment Fraud Prevention: Looking for the Great Leap Forward" href="http://www.ethoca.com/fraud-intel/bid/42852/e-Commerce-Payment-Fraud-Prevention-Looking-for-the-Great-Leap-Forward" target="_blank"&gt;e-Commerce Payment Fraud Prevention: Looking for the Great Leap Forward&lt;/a&gt;.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;That's today's recap. And, here's another reminder to look for our live coverage of the conference on Friday via tweets by following the hashtag #MRCfall2010.&lt;/p&gt;</description><dc:creator>Keegan Johnson</dc:creator><pubDate>Fri, 01 Oct 2010 05:04:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:43783</guid><feedburner:origLink>http://www.ethoca.com/fraud-intel/bid/43783/Merchant-Risk-Council-Platinum-Meeting-Day-1-Recap</feedburner:origLink></item><item><comments>http://www.ethoca.com/fraud-intel/bid/23763/3D-Secure-Doesn-t-Make-the-Grade#Comments</comments><slash:comments>0</slash:comments><title>3D Secure: Doesn't Make the Grade</title><link>http://feedproxy.google.com/~r/fraud-intel/~3/U6pzrB7HKj0/3D-Secure-Doesn-t-Make-the-Grade</link><description>&lt;table id="caption" style="width: 250px;" border="0" cellspacing="0" cellpadding="0" width="250" align="right"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;a href="http://www.ethoca.com/fraud-detection-services/issuer-merchant-collaboration/" target="_self"&gt;&lt;img src="http://www.ethoca.com/Portals/31166/images/3dsecure-forgot-password-250px.png" border="0" alt="3D secure fraud screening" width="250" /&gt;&lt;/a&gt; Despite the name "3D Secure", security is the biggest failing of the protocol.&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;&lt;em&gt;In the &lt;a title="first article of this series" href="http://www.ethoca.com/fraud-intel/bid/42175/3D-Secure-Does-it-Make-e-Commerce-Any-Safer" target="_blank"&gt;first article of this series&lt;/a&gt; I gave a quick introduction to the 3D Secure protocol for CNP fraud prevention, discussing the origin and purpose of the technology, its market presence and penetration for e-commerce transactions and geographic differences in prevalence. In Part 2 of this 3-part series, we evaluate how well the rubber meets the road, examining successes and failures of 3D Secure, particularly from the perspectives of merchants and consumers -- the parties most affected by how it works. (If you aren't familiar with what 3D Secure is, or haven't heard of the brands "Verified by Visa" or "MasterCard Securecode" before, then you may wish to &lt;a title="read my introduction in Part 1 first" href="http://www.ethoca.com/fraud-intel/bid/42175/3D-Secure-Does-it-Make-e-Commerce-Any-Safer" target="_blank"&gt;read my introduction in Part 1 first&lt;/a&gt;.) &lt;br /&gt;&lt;/em&gt;&lt;/p&gt;
&lt;h4&gt;3D Secure Successes and Failures (Part 2 of 3)&lt;/h4&gt;
&lt;p&gt;As we discussed in part 1 of this series, 3D Secure has had a spotty record since its introduction to the market in 2001. In the early days, the systems were buggy and poorly communicated to consumers, and as a result caused very high shopping cart abandonment rates. Cardholders saw only hassle, or worse -- a potential phishing scheme, and merchants saw only costs with no benefits.&lt;/p&gt;
&lt;p&gt;It is worth noting that the card associations and issuers had and have a vested interest in seeing 3D Secure succeed. On the internet, cash is not a payment option, which is why services like PayPal and BillMeLater have become so successful. But, even with the rapid rise of alternative payment mechanisms, payment cards are still the preferred choice of nearly 60% of consumers for online shopping according to MasterCard. To protect the competitive market position for payment cards, it is critical that consumers perceive that entering a credit card number to pay online is safe. That, and providing online merchants with an enhanced payment guarantee, were the principal goals behind development of 3D Secure.&lt;/p&gt;
&lt;p&gt;I evaluate the successes and failures of 3D Secure from that perspective -- has it met its stated goals of addressing cardholder concerns about the safety of online shopping and stopping fraud, and has it done so effectively, meeting the success factors and objectives for authentication in the virtual world, which according to MasterCard include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;High security&lt;/li&gt;
&lt;li&gt;Coherence (across services and channels)&lt;/li&gt;
&lt;li&gt;Cost-effectiveness (because it addresses a mass market)&lt;/li&gt;
&lt;li&gt;Convenience (to drive customer adoption)&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;particularly from the perspective of cardholders and merchants.&lt;/p&gt;
&lt;h4&gt;High security&lt;/h4&gt;
&lt;p&gt;Despite the name "3D Secure", security is the biggest failing of the protocol. On this criterion, I'll refer to expert opinion.&lt;/p&gt;
&lt;p&gt;Earlier this year, a paper detailing security flaws in 3D Secure was published by researchers from Cambridge University in the UK. The paper ("&lt;a href="Default.aspx?app=LeadgenDownload&amp;amp;shortpath=pdfs%2fHow_not_to_design_authenticatoin_vbv_securecode.pdf"&gt;Verified by Visa and MasterCard SecureCode: or, How Not to Design Authentication&lt;/a&gt;") documents several serious problems including:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Confusing the user -- hiding security cues&lt;/li&gt;
&lt;li&gt;Activation during shopping&lt;/li&gt;
&lt;li&gt;Informed consent and password choice&lt;/li&gt;
&lt;li&gt;Liability shifting (from issuer to consumer)&lt;/li&gt;
&lt;li&gt;Mutual authentication (highly vulnerable to "man-in-the-middle" attack)&lt;/li&gt;
&lt;li&gt;Inconsistent authentication methods&lt;/li&gt;
&lt;li&gt;Privacy&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Perhaps the most troubling security flaw from a fraud perspective is related to the "activation during shopping" issue noted above.&lt;/p&gt;
&lt;p&gt;Whether on initial setup, or to reset a password that the user has forgotten, the only additional piece of information required besides what is on the credit card is the cardholder birthdate.&lt;/p&gt;
&lt;p&gt;Birthdate is almost trivial to find with a quick online search, and if I have your stolen wallet in my possession, it is almost certain that I have your card details and your birthdate (driver's license). So the thief can simply click "forgot password" and in seconds, add the extra layer of "authentication" at which point the fraudster can use your credit card as if he was a legitimate buyer with virtual impunity, &lt;em&gt;protected from detection by the 3D Secure scheme itself&lt;/em&gt;.&lt;/p&gt;
&lt;p&gt;Also, because the &lt;a href="http://ambrand.com/2006/09/06/is-securesuitecouk-a-phishing-scam/"&gt;3D Secure signon screen&lt;/a&gt; is virtually &lt;a href="http://isc.sans.edu/diary.html?storyid=1118"&gt;impossible to distinguish from a phishing attack&lt;/a&gt;, it either encourages consumers to break good habits and become more vulnerable to phishing attacks, or to be fooled by a phishing attack posing as a &lt;a href="http://webpayments.ie/blog/tags/Phishing/?blogger=Dave"&gt;3D Secure screen&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;This isn't just speculation -- &lt;a title="one adaptation of the Zeus trojan" href="http://www.networkworld.com/news/2010/071310-zues-mastercard.html?source=nww_rss" target="_blank"&gt;one adaptation of the Zeus trojan&lt;/a&gt; pops up a fake 3D Secure screen when you go to log on to your bank account. With over 100,000 infected PCs in the UK alone, it is known to have fooled thousands of people into sending all their sensitive financial details directly to the fraudsters, thereby leveraging the bad design and poor authentication approach of 3D Secure as a weapon against itself.&lt;/p&gt;
&lt;p&gt;Once the consumer has surrendered their banking details and password to a fraudster, this can be used to perpetrate either identity or account takeover fraud, perpetuating the cycle. And, depending on implementation (no, it isn't consistently implemented, adding to cardholder confusion), it's also possible to bypass 3D Secure if as a consumer you don't want to use it, or to simply reset the password at time of purchase.&lt;/p&gt;
&lt;p&gt;I won't belabor each of these security issues in detail -- you can read all about them in the paper (&lt;a href="Default.aspx?app=LeadgenDownload&amp;amp;shortpath=pdfs%2fHow_not_to_design_authenticatoin_vbv_securecode.pdf"&gt;click here to download&lt;/a&gt; - 160Kb pdf) -- but simply note that they are serious and numerous.&lt;/p&gt;
&lt;p&gt;3D Secure grade for security -- F.&lt;/p&gt;
&lt;h4&gt;Coherence across services and channels&lt;/h4&gt;
&lt;p&gt;We assume by coherence that the schemes mean consistency of user experience when interacting with SecureCode or Verified by Visa, regardless of product (credit or debit) or level of card. This is good for cardholder familiarity and recognition that this is a security feature, as well as branding and hopefully positive associations that go along with it.&lt;/p&gt;
&lt;p&gt;Coherence has been moderately well achieved, although not without problems. In markets such as the UK, where there is high penetration of 3D Secure, cardholders generally recognize that they are seeing a security feature from their issuing bank. It will look more or less the same within that family of card services, so from a simple perspective, it has achieved elementary coherence.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;However, there are caveats. Different issuers use different software, as do the PSPs, and each merchant can choose to use it a bit differently. So, the look and feel, and even what the cardholder can do (bypass 3D Secure or not, for example) are a bit different even within a card brand. There is less coherence from one bank to the next within a card family (MasterCard or Visa), but MasterCard and Visa also have differing policies and implementation rules, so if I have both cards and from different banks, it is much more likely I'll experience variations in how they work.&lt;/p&gt;
&lt;p&gt;Across "channels" is a different story. As 3D Secure is a technology for online use only, it's hard to see how it could be used for mail order or card present transactions. However, since consumers wouldn't expect that, we don't think that's a big issue.&lt;/p&gt;
&lt;p&gt;3D Secure grade for coherence -- C.&lt;/p&gt;
&lt;h4&gt;Cost effectiveness for a mass market&lt;/h4&gt;
&lt;p&gt;Depending on how cost effectiveness is evaluated, I'd have to say this is the criterion that 3D Secure succeeds best on, and it was probably the driving factor in implementation. It is relatively inexpensive for merchants to participate, and it does absolve them of fraud liability for issuer-authenticated "I-didn't-do-it" types of cardholder chargebacks. Moreover, the card brands typically offer a reduction in interchange fees of 50 basis points for merchants that have adopted the technology and offer signup (and use) to all cardholders, whether or not its use is enforced.&lt;/p&gt;
&lt;p&gt;The flip side of this observation is that by shifting liability to the issuer, the protocol removes a key incentive for the merchant to monitor their own fraudulent transactions closely, unless they end up on a Global Chargeback Monitoring Program list for having too high a fraud rate. Thus, if the issuer "authenticates" a fraudster, the merchant will take the revenue and escape the pain, likely increasing the total fraud borne by the system and ultimately resulting in excessive costs being passed back to cardholders and merchants over time.&lt;/p&gt;
&lt;p&gt;In general, because the merchant still needs to avoid the GCMP list, and 3D Secure does not eliminate all fraud, or shift liability for all reason codes, merchants will still need to run their own fraud detection tools or subscribe to additional services to keep fraud to an "acceptable" level.&lt;/p&gt;
&lt;p&gt;Although Visa and MasterCard claim that cart abandonment of legitimate transactions is low, they don't measure those who avoid sites or shopping online altogether because of it. Nor do they acknowledge that many legitimate customers forget their passwords or that their password or the authentication process could be compromised. All of these things result in "false positives" that cost good business.&lt;/p&gt;
&lt;p&gt;Overall, merchants are a bit better off, issuers are considerably worse off, and the costs to the card schemes are simply part of their branding to improve the perception of online shopping safety.&lt;/p&gt;
&lt;p&gt;3D Secure grade for cost effectiveness -- A-.&lt;/p&gt;
&lt;h4&gt;Convenience&lt;/h4&gt;
&lt;p&gt;No question that over time, 3D Secure has become convenient for merchants to implement as most issuers now support it, as do most PSPs. It requires little effort to integrate and start using it today.&lt;/p&gt;
&lt;p&gt;For consumers, however, 3D Secure is extremely inconvenient. It requires remembering at least one, if not many, additional passwords, often results in being locked out after 3 failed attempts, conflicts with pop-up blockers, and, because it has the same appearance as a typical phishing screen, encourages unsafe internet behaviors.&lt;/p&gt;
&lt;p&gt;Many object in principle to the weak security, and actively try to avoid sites that require it. Even in the UK market where online shoppers will encounter MasterCard SecureCode or Verified by Visa on virtually all their purchases and are increasingly being forced to register, many still resent it and refuse to patronize retailers that use it.&lt;/p&gt;
&lt;p&gt;3D Secure grade for convenience -- C+.&lt;/p&gt;
&lt;h4&gt;What do users (cardholders + merchants) say?&lt;/h4&gt;
&lt;p&gt;Above, I've tried to paint an objective picture of the successes and failures of 3D Secure, as much as can be done. Below, I've collected a random sample of tweets by users of SecureCode and Verified by Visa. (The tweets are transcribed exactly as they appeared, with errors and choice language left in -- if it was clean enough to print -- but usernames removed.) What is clear is that those who have bad experiences have really bad ones. You can do the same experiment yourself by searching for these keywords.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;em&gt; I've said it before and I'll say it again: Verified by Visa stinks.&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;&lt;em&gt;I HATE Verified by Visa!!! It won't let me activate my new card so I can't pay for my stupid flights! It NEVER works! #Angry&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;&lt;em&gt;Trying to pay for flights by the verified by visa thing keeps saying that there's an error :( I don't know what to do!!!!! #Help&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;&lt;em&gt;how does "verified by Visa" manage to be such a perfect combination of phishing and bad password design? paypal so much better&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;&lt;em&gt;ugh verified by visa why are u not working with my card!? I want my concert tickets and you are standing in my way grrrrrr&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;&lt;em&gt;Bloody verified by Visa -- pin asked me for 9 digits when mine is 8 so it failed -- then reset failed -- now been on hold for ages GRRRR&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;&lt;em&gt;Christ, I hate 'verified by VISA'. I can always feel my blood pressure rising to dangerously high levels whenever I use it.&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;&lt;em&gt;Verified by Visa.... you annoy the hell out of me!!&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;&lt;em&gt;I hate SecureCode. It's insecure, inconvenient, and makes me not want to buy things online.&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;&lt;em&gt;Unable to book a flight on BA website, cause the embedded mastercard "secure code" was considered unsafe. #fail #securecode&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;&lt;em&gt;Oh. My. Lord. I just made it past #mastercard #securecode! That's a first! It's a win! (but only because the service is such a #fail)&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;&lt;em&gt;@arstechnica: Security researchers blast credit card verification system - http://arst.ch/den [another reason for me to hate SecureCode]&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;&lt;em&gt;#ING (.nl) doesn't allow for special characters in their #Mastercard #SecureCode ...Stupid security #fail - Don't restrict passwords!&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;&lt;em&gt;"Forgetting your MasterCard SecureCode and abandoning your order. Priceless"&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;&lt;em&gt;@MasterCard your "securecode" thru @ticketmaster is ridiculous &amp;amp; a hindrance while your "help" section offers NO help for retrieval. #FAIL&lt;/em&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h4&gt;Summary&lt;/h4&gt;
&lt;p&gt;Although rapidly becoming commonplace in Europe, MasterCard SecureCode and Verified by Visa are both still rare in North America. But common or not, 3D Secure is mostly a #FAIL in the eyes of merchants and consumers. By our grading on the criteria that 3D Secure set for itself, it is an overall "C", succeeding mostly by fiat rather than merit.&lt;/p&gt;
&lt;p&gt;As we read the tone of the tweets, we actively searched for something positive to balance things out a bit, but there is not a single positive remark or quote about 3D Secure by anyone who isn't trying to sell it. Our conclusion: something that achieves the original goals of 3D Secure is needed, but there has to be a better way to do it.&lt;/p&gt;
&lt;p&gt;A final recommendation for those who want to read more about the successes and failures of 3D Secure is to read this blog column titled &lt;a href="http://econsultancy.com/blog/3887-verified-by-visa-a-conversion-rate-killer"&gt;"Verified by Visa: a conversion rate killer?"&lt;/a&gt;, by Graham Charlton of &lt;a href="http://www.econsultancy.com/"&gt;econsultancy.com&lt;/a&gt;. It identifies the biggest problem that merchants see after implementing 3D Secure -- immediate drop-offs in sales. I would especially encourage you to read the 50 comments at the end, the majority by UK merchants who are resigned to having to use 3D Secure, but strongly dislike it.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;In the final article of this series, I'll review the impact that 3D Secure has had on fraud and discuss the hidden costs, especially those borne by card issuers.&lt;/em&gt;&lt;/p&gt;</description><dc:creator>Keegan Johnson</dc:creator><pubDate>Tue, 28 Sep 2010 17:12:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:23763</guid><feedburner:origLink>http://www.ethoca.com/fraud-intel/bid/23763/3D-Secure-Doesn-t-Make-the-Grade</feedburner:origLink></item><item><comments>http://www.ethoca.com/fraud-intel/bid/42890/Who-Pays-for-All-the-Card-Fraud-That-You-Don-t-You-Do#Comments</comments><slash:comments>0</slash:comments><title>Who Pays for All the Card Fraud That You Don't? You Do!</title><link>http://feedproxy.google.com/~r/fraud-intel/~3/nYi6f4F25eo/Who-Pays-for-All-the-Card-Fraud-That-You-Don-t-You-Do</link><description>&lt;table id="caption" style="width: 250px;" border="0" cellspacing="0" cellpadding="0" align="right"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;a href="http://redtape.msnbc.com/2010/09/it-started-out-as-a-routine-case-of-credit-card-fraud-dr-gemma-meadows-an-optometrist-in-virginia-got-a-call-from-bank-o.html#posts" target="_blank"&gt;&lt;img src="http://www.ethoca.com/Portals/31166/images/flying_card-comp-250.jpg" border="0" alt="credit card fraud" /&gt;&lt;/a&gt; Fraudsters are trying to find out which sites are easy marks, and to reverse engineer the fraud screening rules so they know how to escape detection when they have good stolen data.&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;Bob Sullivan at MSNBC details a case of misappropriated parts of a consumer's identity being used over and over again with dozens of different credit cards. Our own &lt;a title="Julie Fergerson" href="http://www.ethoca.com/home/ethoca-news/bid/42546/Julie-Fergerson-appointed-by-Ethoca-as-Vice-President-of-Emerging-Technologies" target="_blank"&gt;Julie Fergerson&lt;/a&gt; was quoted offering a diagnosis of what had happened. It was a "card testing scheme."&lt;/p&gt;
&lt;h4&gt;Card testing scheme unravelled&lt;/h4&gt;
&lt;p&gt;You can &lt;a title="read the whole story here" href="http://redtape.msnbc.com/2010/09/it-started-out-as-a-routine-case-of-credit-card-fraud-dr-gemma-meadows-an-optometrist-in-virginia-got-a-call-from-bank-o.html#posts" target="_blank"&gt;read the whole story here&lt;/a&gt; (or you can read the American Banker version, &lt;a title="&amp;quot;ID Theft Packaged&amp;quot;" href="http://www.americanbanker.com/issues/175_177/security-watch-1025537-1.html" target="_blank"&gt;&lt;em&gt;"ID Theft Packaged&lt;/em&gt;"&lt;/a&gt; here), but here is a synopsis:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Gemma Meadows' Bank of America VISA credit card was compromised&lt;/li&gt;
&lt;li&gt;Fraudulent purchase attempt was made&lt;/li&gt;
&lt;li&gt;Bank of America detected suspicious card use and called Gemma to confirm whether purchases were legitimate&lt;/li&gt;
&lt;li&gt;Gemma confirmed purchases were fraud&lt;/li&gt;
&lt;li&gt;VISA card was cancelled and new card issued&lt;/li&gt;
&lt;li&gt;For next 2 months, steady stream of goods arrives on her doorstep, sometimes 3 or 4 times daily, from different merchants, all in her name but linked to many different compromised cards&lt;/li&gt;
&lt;li&gt;Gemma puzzles over why and what to do about it, expending considerable effort to return all packages, call merchants, report to police, and wondering if it will ever end&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;In Gemma's case, her card really was compromised. Banks are now making up to 100 calls to detect 1 or 2 bad cards - all those false positives identified by the anti-fraud systems are referred to as the 'customer insult rate'. It's a big part of the &lt;a title="Total Cost of Fraud (TCoF)" href="http://www.ethoca.com/total-cost-of-fraud-brief/" target="_blank"&gt;Total Cost of Fraud (TCoF)&lt;/a&gt;. And when a call like the one made to Gemma results in a card being cancelled because the consumer says "No, that wasn't me", we call that an Issuer-Confirmed Fraud.&lt;/p&gt;
&lt;h4&gt;What were the fraudsters after?&lt;/h4&gt;
&lt;p&gt;What happened next to Gemma isn't as common as having your card compromised and misused, but is an increasing phenomenon related to the soaring attack rates - the ever increasing attempts made to perpetrate CNP fraud at online merchants. The criminals were engaged in a card testing scheme, cycling through various details from a variety of stolen cards - sifting through batches of compromised card data recycling details like name, phone number, email address, home address, along with the card number, CVV2 number and expiry dates.&lt;/p&gt;
&lt;p&gt;They are looking for all the variables and combinations that trigger fraud systems, whether a shopping site can detect multiple cards from the same email or same IP address as suspicious, whether certain types of goods have tighter screening rules than others, whether a merchant will accept international orders, or whether the card is issued in one country but the order is being placed in another, and myriad other ways to do a virtual break-and-enter. Basically, they are trying to find out which sites are easy marks, and to reverse engineer the fraud screening rules so they know how to escape detection when they have good stolen data.&lt;/p&gt;
&lt;p&gt;Netting it out, criminals often spend far more effort testing for site vulnerabilities than we do safeguarding against them.&lt;/p&gt;
&lt;p&gt;It's evidence of the increasingly professional and organized cybercriminal gang activity, and it's precisely because a) CNP fraud is a lucrative target, and b) e-commerce sites have upped the ante with better and better anti-fraud tools in an escalating "arms race". Read &lt;a title="&amp;quot;e-Commerce Payment Fraud Prevention:  Looking for the Great Leap Forward&amp;quot;" href="http://www.ethoca.com/fraud-intel/bid/42852/e-Commerce-Payment-Fraud-Prevention-Looking-for-the-Great-Leap-Forward" target="_blank"&gt;"e-Commerce Payment Fraud Prevention: Looking for the Great Leap Forward"&lt;/a&gt; for more on the escalating battle between fraudsters and retailers.&lt;/p&gt;
&lt;h4&gt;Many (most?) consumers unaware and don't care how fraud happens&lt;/h4&gt;
&lt;p&gt;But, as I read all the comments at the end of the story, it was clear to me that there is a lot of naivete among consumers. Most don't know how card fraud happens, and many seem to care only about the inconvenience. And, an unintended consequence of being absolved of any liability for the cost of card fraud by issuers and by the law is that consumers don't know what it costs, or who pays, and many seem not to care.&lt;/p&gt;
&lt;p&gt;Surprise - it's them. You and me. Everybody. And I would argue that their complacency means that it costs all of us more than it should.&lt;/p&gt;
&lt;h4&gt;Misconceptions&lt;/h4&gt;
&lt;p&gt;There's plenty of evidence of consumer complacency, and perhaps even a cavalier attitude towards fraud, as well as lack of understanding. I encourage you to read the comments &lt;a title="attached to this article" href="http://redtape.msnbc.com/2010/09/it-started-out-as-a-routine-case-of-credit-card-fraud-dr-gemma-meadows-an-optometrist-in-virginia-got-a-call-from-bank-o.html#posts" target="_blank"&gt;attached to this article&lt;/a&gt;, because in many ways they're even more enlightening than the article itself.&lt;/p&gt;
&lt;p&gt;I do commend those who realized that this costs everyone and who chided those who thought the recipient should just keep all the proceeds of fraud, but there was a disturbing thread among a vocal minority who seemed to think that it's OK, because somebody else pays. It's an eye-opener, whether you are a consumer, bank, merchant, fraud vendor, or anyone else in the payment chain. Here's a quick summary with misconception on left, reality on right:&lt;/p&gt;
&lt;style type="text/css"&gt;&lt;!--
.blogTable {
	margin-top: 20px;
	margin-bottom: 20px;
}
.blogTableRow td {
	border-bottom: dotted 1px #cccccc;
}
.blogTableHeaderRow td {
	background-color: #6caa1b;
	color: #ffffff;
	font-size: 16px;
	font-weight: normal;
	border-right: solid 1px #ffffff;
	border-bottom: solid 1px #ffffff;
}
.blogTableCol1 {
	background-color: #eef7e4;
}
--&gt;&lt;/style&gt;
&lt;table class="blogTable" border="0" cellspacing="0" cellpadding="8" width="100%"&gt;
&lt;tbody&gt;
&lt;tr class="blogTableHeaderRow" valign="top"&gt;
&lt;td&gt;Misconception&lt;/td&gt;
&lt;td&gt;Reality&lt;/td&gt;
&lt;/tr&gt;
&lt;tr class="blogTableRow" valign="top"&gt;
&lt;td class="blogTableCol1"&gt;It wasn't really stolen (someone was randomly sending gifts in the mail), so I'm entitled to keep it. No harm, no foul.&lt;/td&gt;
&lt;td&gt;It's never no harm, no foul. Fraud costs everyone, and we all need to fight it to reduce costs and stamp it out.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr class="blogTableRow" valign="top"&gt;
&lt;td class="blogTableCol1"&gt;Merchants won't refund the account unless there is a chargeback. Because the consumer is the one inconvenienced, and no one will do anything about the fraud, she should just sell everything on eBay.&lt;/td&gt;
&lt;td&gt;Merchants can avoid chargebacks and fees (which are costly) if they know there was a fraud and issue a refund. Everyone is inconvenienced and everyone pays.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr class="blogTableRow" valign="top"&gt;
&lt;td class="blogTableCol1"&gt;The banks eat the charges and that's why we pay high fees and interest rates.&lt;/td&gt;
&lt;td&gt;Only partly true - unless it is a 3D Secure transaction, the merchant pays the costs, as well as chargeback fees and fines. While that does mean it hurts merchant profits, merchants will pass on any costs they can, which again means that you and I are paying in higher prices.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr class="blogTableRow" valign="top"&gt;
&lt;td class="blogTableCol1"&gt;If everyone did the right thing and returned fraudulent orders back to the merchant, they'd have so many returns they'd be forced to pay more attention to the orders and testing schemes wouldn't work.&lt;/td&gt;
&lt;td&gt;Online merchants are highly motivated to stop fraud already - it costs them the merchandise, chargeback fees, manual review costs, shipping costs and they could lose their ability to accept cards at all if there's too much fraud. The testing schemes are not affected by what the merchant does, and they won't stop unless the merchant stops accepting online orders.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr class="blogTableRow" valign="top"&gt;
&lt;td class="blogTableCol1"&gt;Fraudsters don't benefit because they sent the goods to someone else's house.&lt;/td&gt;
&lt;td&gt;The whole point is to detect vulnerabilities and go back for the big kill later. The small stolen goods don't matter - fraudsters are gaining critical intelligence.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr class="blogTableRow" valign="top"&gt;
&lt;td class="blogTableCol1"&gt;The seller can/should just wait until payment has been cleared - that would stop all fraud.&lt;/td&gt;
&lt;td&gt;It would stop all fraud because it would stop all ecommerce. Merchants usually don't find out about fraud until the person whose card was compromised complains and the card issuer sends a chargeback 4-6 weeks, and occasionally as long as 6 months later. Prior to that, from the merchant's perspective, payment has been made and received through the acquiring bank.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr class="blogTableRow" valign="top"&gt;
&lt;td class="blogTableCol1"&gt;The merchants must not have been using AVS.&lt;/td&gt;
&lt;td&gt;AVS is practically useless today as a fraud check. The decline in AVS effectiveness was profiled in this article about the fraud arms race - fraudsters have enough good address data to easily get around it, and generally do a better job than consumers of entering the right data. But, it is practically certain that the merchants were all using AVS because it isn't really optional.&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;This just scratches the surface, but I'm sure you get the idea. Consumer understanding of fraud is neither deep nor wide, and we've done such a good job in telling them they have "no liability" that it seems to be implied that there is no cost. To put the kibosh on fraud, we need to change that understanding - not in a way that scares the consumer, but in a way that motivates them to help solve the problem.&lt;/p&gt;</description><dc:creator>Ethoca Technologies</dc:creator><pubDate>Tue, 21 Sep 2010 16:14:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:42890</guid><feedburner:origLink>http://www.ethoca.com/fraud-intel/bid/42890/Who-Pays-for-All-the-Card-Fraud-That-You-Don-t-You-Do</feedburner:origLink></item><item><comments>http://www.ethoca.com/fraud-intel/bid/42852/Ecommerce-Payment-Fraud-Prevention-Looking-for-the-Great-Leap-Forward#Comments</comments><slash:comments>1</slash:comments><title>Ecommerce Payment Fraud Prevention: Looking for the Great Leap Forward</title><link>http://feedproxy.google.com/~r/fraud-intel/~3/KoOIV5_50bU/Ecommerce-Payment-Fraud-Prevention-Looking-for-the-Great-Leap-Forward</link><description>&lt;table id="caption" style="width: 300px;" border="0" cellspacing="0" cellpadding="0" align="right"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;img src="http://www.ethoca.com/Portals/31166/images/fraud-arms-race.png" border="0" alt="online credit card fraud" /&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h4&gt;The Fraud Arms Race&lt;/h4&gt;
&lt;p&gt;Being in the e-commerce fraud space at the very beginning has given me a unique perspective on fraud prevention tools.&amp;nbsp; When I enabled our first merchant to go live on my payment system (1995 on ClearCommerce), I saw the first fraudulent transaction the very next day.&amp;nbsp; I liken online payments and online fraud to breathing in and breathing out: you can't do one without the other.&lt;/p&gt;
&lt;h4&gt;First, bad IP addresses&lt;/h4&gt;
&lt;p&gt;With that said, in the early days fraud prevention was easy: we just had to take a look at the IP address of the criminal and add it to a negative file. That worked for almost two years. Then the crooks discovered that was how we were catching them, and they started rotating IP addresses.&lt;/p&gt;
&lt;h4&gt;Then came AVS&lt;/h4&gt;
&lt;p&gt;Next, as an industry, we added &lt;a title="Address Verification (AVS)" href="http://en.wikipedia.org/wiki/Address_Verification_System" target="_blank"&gt;Address Verification&lt;/a&gt; (AVS), where we matched the credit card number to the numeric portion of the street address and zip code. This worked very well for the early adopters, but once merchants adopted AVS en masse, its effectiveness declined: the fraudsters knew that when they stole card data, they also needed to steal the billing address and zip code.&lt;/p&gt;
&lt;h4&gt;Next, there was CVC&lt;/h4&gt;
&lt;p&gt;Then the industry rolled out &lt;a title="Card Verification Codes" href="http://en.wikipedia.org/wiki/Card_security_code" target="_blank"&gt;Card Verification Codes&lt;/a&gt; (CVC), the three-digit number on the back of Visa and MasterCard cards and 4 digits on the front for American Express.&amp;nbsp; This tool proved really effective for the first 3 years, and then again, once the majority of merchants had implemented it within a very short period of time, less than 12 months, its effectiveness declined.&lt;/p&gt;
&lt;h4&gt;Never ending escalation&lt;/h4&gt;
&lt;p&gt;Over the years, merchants have tried a number of things: collecting more data from consumers, looking at the &lt;a title="location of IP addresses" href="http://ipinfodb.com/fraud_detection.php" target="_blank"&gt;location&lt;/a&gt; of IP addresses, grabbing &lt;a title="grabbing browser data" href="https://panopticlick.eff.org/" target="_blank"&gt;browser data&lt;/a&gt;, collecting information about the &lt;a title="collecting information about the computer the consumer is using" href="http://thefraudblog.com/2010/01/19/is-cdi-finding-its-way-into-the-norm/" target="_blank"&gt;computer&lt;/a&gt; the consumer is using, etc. Each of these things, once implemented by a majority of merchants, declines in effectiveness. The fraudsters simply adapt, share with each other how to beat the new detection method, and then collect the required info or fake it.&lt;/p&gt;
&lt;p&gt;The battle between merchants and fraudsters is an arms race with no end in sight. There is no predictive tool, no scoring system, no set of rules, no identifying tag that can reliably sort fraudsters from genuine shoppers forever, because the fraudsters have the advantage of all working to the same goal and being willing to share their techniques as soon as the last great scheme is broken.&lt;/p&gt;
&lt;h4&gt;Criminals have incentive to share&lt;/h4&gt;
&lt;p&gt;There is actually a profit-making incentive for criminals to share, because sharing dramatically decreases the likelihood that any one crook will be caught. If only one crook is doing something, it makes him stand out, and merchants and law enforcement can isolate him and work together to put him out of business. But if he shares with his friends and "colleagues", and everyone is cracking the new scheme, it decreases the probability that any individual fraudster will be caught. So, as soon as one figures it out, it takes very little time before they all know.&lt;/p&gt;
&lt;p&gt;Moreover, the harder we make the trap to break, the more we ensnare, annoy and turn away good business, and ironically, the fraudsters are actually better at entering the correct information and figuring out what is required than real consumers.&lt;/p&gt;
&lt;h4&gt;The goal is to sell&lt;/h4&gt;
&lt;p&gt;And we can't forget, the purpose of our e-commerce site is to sell. There are only so many hoops we can ask customers to jump through before they say this is too inconvenient or too intrusive or too complicated. Our goal is to make sales and keep customers coming back, not to make it so difficult to buy that the only ones who'll keep trying are the crooks.&lt;/p&gt;
&lt;p&gt;Our industry is at a stage where we don't need better tools; to make a great leap forward, we need better knowledge. Better data.&lt;/p&gt;
&lt;h4&gt;A 360 degree view&lt;/h4&gt;
&lt;p&gt;The question is how can you know enough to unmask the criminal - to positively identify him as a thief. You have to fill in the pieces of the puzzle - who he is, where he is, what his behaviors are, what his history is, his signature patterns - until he stands out in obvious relief from the masses of legitimate shoppers.&amp;nbsp; But where do we acquire the data to construct this &lt;a title="data to construct this 360 degree view of the fraudster" href="http://www.ethoca.com/fraud-detection-services/signals/" target="_blank"&gt;360 degree view&lt;/a&gt; of the fraudster?&lt;/p&gt;
&lt;p&gt;The answer is by pooling everything we know into a single place. Like a physical puzzle, one piece does not a picture make. You need many interlocking pieces before you can start to tell what the image really is.&lt;/p&gt;
&lt;p&gt;Every merchant has a piece of the puzzle. Every card issuer. Every payment processor. Every fraud vendor. We must collaborate and work together to win, just as the fraudsters do against us, because that is the only technique that doesn't suffer performance decline over time, and actually works better and better the more of us join in. With better data, we have better insight, and interestingly, the detection tools gain back some of the performance-over-time decline when you can eliminate a substantial amount of noise from their fraud model.&lt;/p&gt;
&lt;h4&gt;Making collaboration work&lt;/h4&gt;
&lt;p&gt;I joined Ethoca because they figured out how to &lt;a title="Ethoca because they figured out how to make this collaboration work" href="http://www.ethoca.com/credit-card-fraud-management/" target="_blank"&gt;make this collaboration work&lt;/a&gt;. What Ethoca has created is a platform that doesn't become, and cannot be, compromised over time by criminals, and where the unexpected happens: performance actually increases as adoption of collaboration increases.&lt;/p&gt;
&lt;p&gt;I'm looking forward to working with our customers and partners to maximize collaboration and the benefits to all stakeholders.&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/fraud-intel/~4/KoOIV5_50bU" height="1" width="1"/&gt;</description><dc:creator>Julie Fergerson</dc:creator><pubDate>Fri, 17 Sep 2010 14:45:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:42852</guid><feedburner:origLink>http://www.ethoca.com/fraud-intel/bid/42852/Ecommerce-Payment-Fraud-Prevention-Looking-for-the-Great-Leap-Forward</feedburner:origLink></item><item><comments>http://www.ethoca.com/fraud-intel/bid/42678/Tip-of-the-Hat-to-Julie-Fergersen#Comments</comments><slash:comments>0</slash:comments><title>Tip of the Hat to Julie Fergersen</title><link>http://feedproxy.google.com/~r/fraud-intel/~3/xR6FxcsBCF8/Tip-of-the-Hat-to-Julie-Fergersen</link><description>&lt;table id="caption" border="0" cellspacing="0" cellpadding="0" width="125" align="right"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;a href="http://www.ethoca.com/ethoca-executive-team/" target="_self"&gt;&lt;img src="http://www.ethoca.com/Portals/31166/images/Julie_small-125px.png" border="0" alt="ecommerce fraud prevention" /&gt;&lt;/a&gt; Fergerson developed some of the original payment and anti-fraud systems. &lt;a title="View bio &amp;gt;&amp;gt;" href="http://www.ethoca.com/ethoca-executive-team/" target="_self"&gt;View bio &amp;gt;&amp;gt;&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h4&gt;Welcome!&lt;/h4&gt;
&lt;p&gt;We don't normally post information about Ethoca in this blog, but today I'm making an exception as we welcome Julie Fergerson as our VP of Emerging Technologies, a role in which she will be working with many of our customers and partners to define the future of our product, developing use cases for collaboration and ensuring that our products meet the right industry needs. She is one of the true thought leaders in our industry, having personally developed some of the original payment and anti-fraud systems, and holding patents and patents pending in this space.&lt;/p&gt;
&lt;p&gt;I'm excited to introduce her to our followers, and know you'll get to know her as she blogs here, and meets with many of you in the field to ensure our products and services are meeting the right needs and leveraging &lt;a title="data sharing concepts" href="http://www.ethoca.com/fraud-intel/bid/42616/Data-Sharing-Without-Sharing-Data-Now-That-s-Collaboration" target="_blank"&gt;data sharing concepts&lt;/a&gt; in the best ways possible.&lt;/p&gt;
&lt;p&gt;If you are interested in reading more about her extensive background and what she brings to collaborative fraud management, &lt;a title="check out the press release" href="http://www.ethoca.com/home/ethoca-news/bid/42546/Julie-Fergerson-appointed-by-Ethoca-as-Vice-President-of-Emerging-Technologies" target="_blank"&gt;check out the press release&lt;/a&gt; from yesterday announcing her joining the team at Ethoca.&lt;/p&gt;
&lt;p&gt;Welcome aboard Julie.&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/fraud-intel/~4/xR6FxcsBCF8" height="1" width="1"/&gt;</description><dc:creator>Andre Edelbrock</dc:creator><pubDate>Fri, 10 Sep 2010 21:32:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:42678</guid><feedburner:origLink>http://www.ethoca.com/fraud-intel/bid/42678/Tip-of-the-Hat-to-Julie-Fergersen</feedburner:origLink></item><item><comments>http://www.ethoca.com/fraud-intel/bid/42616/Data-Sharing-Without-Sharing-Data-Now-That-s-Collaboration#Comments</comments><slash:comments>0</slash:comments><title>Data Sharing Without Sharing Data. Now That's Collaboration!</title><link>http://feedproxy.google.com/~r/fraud-intel/~3/OTI19L8i4eo/Data-Sharing-Without-Sharing-Data-Now-That-s-Collaboration</link><description>&lt;table id="caption" style="width: 250px;" border="0" cellspacing="0" cellpadding="0" align="right"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;a href="https://www.merchantriskcouncil.org/index.cfm?fuseaction=page.viewPage&amp;amp;pageID=743&amp;amp;nodeID=1" target="_blank"&gt;&lt;img src="http://www.ethoca.com/Portals/31166/images/MRC-Europe-250px.jpg" border="0" alt="fraud data sharing" /&gt;&lt;/a&gt; Facilitated collaboration, with formally  structured protocols, makes legal and ethical data sharing  possible. Doing it requires a system that makes sure all the participants can benefit from one  another&amp;rsquo;s transaction experiences while not passing around the  data itself.&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;Last week, I participated in a roundtable session on &amp;lsquo;data sharing&amp;rsquo; at the Merchant Risk Council&amp;rsquo;s inaugural European &lt;a title="e-Commerce Payments and Risk Conference in Amsterdam" href="https://www.merchantriskcouncil.org/index.cfm?fuseaction=page.viewPage&amp;amp;pageID=743&amp;amp;nodeID=1" target="_blank"&gt;e-Commerce Payments and Risk&lt;/a&gt; Conference in Amsterdam. It was a great opportunity to exchange insights with other industry leaders from many countries.&lt;/p&gt;
&lt;h4&gt;Data sharing is great!&lt;/h4&gt;
&lt;p&gt;Imagine if there were no restrictions on what we could share to stop fraud. Walmart and Amazon would tell each other when they caught a fraudster, what email was used, his IP location, what was attempted to be purchased, when it happened, dollar value, name, credit card number, etc. No fraudster would ever succeed at stealing more than once or twice, and we'd have good enough pattern recognition and linked data that in many cases, we'd stop them before they tried to use a compromised card, account or data the first time.&lt;/p&gt;
&lt;p&gt;That's the real promise and power of data sharing.&lt;/p&gt;
&lt;h4&gt;But sharing data? Yikes!&lt;/h4&gt;
&lt;p&gt;Unfortunately, we live in the real world, and companies don't just hand each other their customer and sales data. The reality is that sharing has its limits, and it's those limits that allow so much fraud to slip through our fingers. It's the fear of what the term 'data sharing' implies that often prevents us from doing anything at all.&lt;/p&gt;
&lt;p&gt;In our discussions with merchants, card issuers, banks, payment processors, acquirers and the like, we found that 'data sharing' implies informality and lack of structure, which immediately raises concerns about privacy, security, data integrity and trust.&lt;/p&gt;
&lt;p&gt;The term also raises legal concerns about what data, if any, can be shared. This is particularly true in Europe, where controls and regulations around privacy are stricter and vary by jurisdiction. Legal authorities and governments often assume that &amp;lsquo;data sharing&amp;rsquo; means that account information is simply passed around between private parties with no regard for the individual's rights.&lt;/p&gt;
&lt;p&gt;(For more on this, see the discussion in FinExtra about &lt;a title="discussion in Fin Extra about  &amp;quot;unauthorized access" href="http://www.finextra.com/news/fullstory.aspx?newsitemid=21739" target="_blank"&gt;"unauthorized access"&lt;/a&gt; -- which is exactly the fear that sharing conjures up, and part of the reason that the &lt;a href="http://en.wikipedia.org/wiki/Data_Protection_Act_1998"&gt;Data Protection Act&lt;/a&gt; exists.)&lt;/p&gt;
&lt;h4&gt;When we collaborate, we can share experiences and knowledge without sharing the data&lt;/h4&gt;
&lt;p&gt;"What", you say?! That's some fancy verbal gymnastics. But there is much truth in the idea that if we think differently about data sharing and the value it can provide, and expand the concept to one of collaboration where independent management, structure and governance are applied, we can escape the trap in which everyone thinks data sharing is a great thing in theory, but few want to subscribe to it in practice.&lt;/p&gt;
&lt;p&gt;Ethoca prefers the term 'facilitated collaboration', with a full set of &lt;a title="formally structured protocols" href="http://www.ethoca.com/code-of-fair-information-practices/" target="_self"&gt;formally structured protocols&lt;/a&gt; to make legal and ethical data pooling possible.&amp;nbsp;It&amp;rsquo;s a system that makes sure all the participants can benefit from one another&amp;rsquo;s transaction experiences while &lt;strong&gt;not passing around the data itself&lt;/strong&gt;.&lt;/p&gt;
&lt;p&gt;That means things like the strictest&amp;nbsp;conformance to PCI across all PII, highly secured access, the management, auditing and certification of data integrity by independent authorities, and access to information and anonymized experiences, not the data itself.&lt;/p&gt;
&lt;h4&gt;Strict protocols build trust&lt;/h4&gt;
&lt;p&gt;Ethoca has already proved that &lt;a title="facilitated collaboration can work" href="http://www.ethoca.com/fraud-fighting-community/" target="_self"&gt;facilitated collaboration can work&lt;/a&gt; on a large scale. Our strict protocols build trust among the participants. The merchants, issuers and other stakeholders know the data can't be mined for marketing purposes or accessed for any purpose other than fraud/risk management. The information is hashed and encrypted so that even Ethoca security experts can&amp;rsquo;t see personally identifying information. Participants also get large benefits, being able to leverage one another&amp;rsquo;s payment and fraud experiences and &lt;a title="stop ecommerce fraud" href="http://www.ethoca.com/fraud-intel/bid/42175/3D-Secure-Does-it-Make-e-Commerce-Any-Safer" target="_self"&gt;stop ecommerce fraud&lt;/a&gt; that they&amp;rsquo;d never catch otherwise.&lt;/p&gt;
&lt;p&gt;So is the difference between &amp;lsquo;sharing&amp;rsquo; and &amp;lsquo;collaboration&amp;rsquo; only a matter of semantics? No. As my colleague Darryl Green wrote recently, &lt;a title="&amp;lt;b&amp;gt;Collaborative Fraud Prevention Is the Future &amp;ndash; and   Trust Is Key&amp;lt;/b&amp;gt;" href="fraud-intel/bid/36942/Collaborative-Fraud-Prevention-Is-the-Future-and-Trust-Is-Key"&gt;collaborative  fraud prevention is the future&lt;/a&gt; &amp;ndash;  and trust is the key.&lt;/p&gt;
&lt;h4&gt;Your turn&lt;/h4&gt;
&lt;p&gt;We'd love to hear about your experiences with data sharing. Why has it worked or not worked for you? What value would you get from facilitated collaboration versus data sharing? Please share your feedback in the comments below.&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/fraud-intel/~4/OTI19L8i4eo" height="1" width="1"/&gt;</description><dc:creator>Andre Edelbrock</dc:creator><pubDate>Fri, 10 Sep 2010 18:45:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:42616</guid><feedburner:origLink>http://www.ethoca.com/fraud-intel/bid/42616/Data-Sharing-Without-Sharing-Data-Now-That-s-Collaboration</feedburner:origLink></item><item><comments>http://www.ethoca.com/fraud-intel/bid/42175/3D-Secure-Does-it-Make-e-Commerce-Any-Safer#Comments</comments><slash:comments>1</slash:comments><title>3D Secure: Does it Make e-Commerce Any Safer?</title><link>http://feedproxy.google.com/~r/fraud-intel/~3/jeTDD8N9v7M/3D-Secure-Does-it-Make-e-Commerce-Any-Safer</link><description>&lt;table id="caption" border="0" cellspacing="0" cellpadding="0" width="250" align="right"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;a href="http://www.ethoca.com/fraud-detection-services/issuer-merchant-collaboration/" target="_self"&gt;&lt;img src="http://www.ethoca.com/Portals/31166/images/VbVandSecureCode.png" border="0" alt="3D secure fraud screening" width="250" /&gt;&lt;/a&gt; 3D Secure is the generic name given to a  protocol; the three branded versions are "Verified by Visa" (VbV), "MasterCard SecureCode", and JCB International's "J/Secure".&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;&lt;em&gt;In this 3-part &lt;a title="series" href="http://www.ethoca.com/fraud-intel/?Tag=3D+Secure" target="_self"&gt;series&lt;/a&gt;, I examine what 3D Secure is and why it was developed, discuss its successes and failures from the perspectives of merchants, consumers, banks and security experts and how it's been adopted in different geographies, and finally conclude with an evaluation of how well it addresses the problem it set out to solve and whether better approaches might exist. I invite your questions and comments regarding your personal 3D Secure experiences.&lt;br /&gt;&lt;/em&gt;&lt;/p&gt;
&lt;h4&gt;Introduction: Part 1 of 3&lt;/h4&gt;
&lt;p&gt;Our European readers are likely very familiar with 3D Secure in some  form, but here on the other side of the Atlantic, not so much. So, first some background.&lt;/p&gt;
&lt;p&gt;3D Secure is the generic name given to a  protocol originally designed by Visa that is promoted as offering an  added layer of security through user authentication to prevent payment  card fraud. Visa offered the scheme to other card associations who have  implemented it under their own branding. The  3 branded versions are Verified by Visa (VbV), MasterCard SecureCode,  and JCB International's (Japan Credit Bureau) J/Secure.&lt;/p&gt;
&lt;p&gt;Because 3D Secure has been poorly implemented and marketed (there is lots of market confusion about what it is, even in Europe where it has high penetration and most online shoppers have encountered it at least a few times), you may hear any of these 4 terms bandied about. Know that they are all basically the same thing. If you want to dig in to more detail, this &lt;a title="this Wikipedia article" href="http://en.wikipedia.org/wiki/3-D_Secure" target="_blank"&gt;Wikipedia article&lt;/a&gt; covers the basics.&lt;/p&gt;
&lt;h4&gt;Why use 3D Secure?&lt;/h4&gt;
&lt;p&gt;MasterCard offers this business case on &lt;a title="their website" href="http://www.mastercard.com/us/merchant/solutions/mastercard_securecode.html" target="_blank"&gt;their website&lt;/a&gt;:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;70% of online shoppers are very concerned about security and fraud issues&lt;/li&gt;
&lt;li&gt;26% would purchase more frequently online if there were more security protection from a card&lt;/li&gt;
&lt;li&gt;44% of those likely to use SecureCode would be likely to buy more online&lt;/li&gt;
&lt;li&gt;66% of online consumers who do not make purchases online cite security concerns as the main reason&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;As this series of articles will discuss, if security,  consumer protection, and increased sales are the real issues, we'd all  be better off not using 3D Secure technology, because it isn't secure,  doesn't offer any additional protection to the consumer beyond the "zero liability" for fraud that is already guaranteed, and often  causes sales to drop because consumers don't understand it, don't trust  it and don't like the inconvenience.&lt;/p&gt;
&lt;h4&gt;The sales pitch versus the reality&lt;/h4&gt;
&lt;p&gt;Most merchants who choose to adopt 3D Secure do so because it shifts liability for card-not-present fraud to the card issuer on 3D Secure-authorized transactions. Without this economic incentive, it's unlikely 3D Secure would have gained significant market traction.&lt;/p&gt;
&lt;p&gt;In some industries with high risk  profiles and large dollar sales (e.g. airlines), and where there are limited choices and demand is  relatively inelastic (if I want to travel from Toronto to Atlanta, for  example, I have only 2 practical choices, unless I'm prepared to take  the time to drive), this liability shift and reduced fraud cost  outweighs lost sales and what consumers think about the inconvenience.&lt;/p&gt;
&lt;p&gt;As a result, purchasing tickets is one of the places consumers are most likely to encounter 3D Secure in the US. In most other business categories, there is simply too much competition for retailers to risk offending, inconveniencing or confusing customers.&lt;/p&gt;
&lt;h4&gt;It's different in Europe&lt;/h4&gt;
&lt;p&gt;Adoption in Europe has been much broader than in North America. We speculate that part of the reason for this is that the US e-commerce market was much more established when 3D Secure was introduced, with many more merchants and much more competition within categories. Thus merchants are less willing to do anything that might introduce a perceived inconvenience or a reason for consumers to go elsewhere.&lt;/p&gt;
&lt;p&gt;In the UK, the MasterCard Maestro brand, which is one of the most widely used cards, basically issued an ultimatum that if merchants wanted to accept their payment cards online, they would need to use 3D Secure. This single spur to adopt has dramatically changed the game there, making the ability to accept online payments a critical factor in adoption, although it hasn't completely mitigated concerns about security, lost sales or consumer fear of fraud.&lt;/p&gt;
&lt;p&gt;As a result of this enforced implementation, adoption in the UK market, for instance, has risen from below 20% to around 80% of UK merchants in just 3-4 years, although there are some notable holdouts. Amazon, the world's largest online retailer (by far), refuses to use 3D Secure, citing consumer inconvenience. Amazon also has very sophisticated fraud systems in place already, so it stands to lose more in sales and customer goodwill than it would gain in fraud savings.&lt;/p&gt;
&lt;h4&gt;Summary&lt;/h4&gt;
&lt;p&gt;In summary, 3D Secure has had a spotty record since it was introduced by VISA nearly 10 years ago in 2001. In the last few years, it has become much more successful in Europe than in North America where it is still an oddity. It has helped lower fraud a little bit, particularly in the UK market (but not the Total Cost of Fraud - a concept which we'll touch on in future articles that helps explain lack of market traction), but at the expense of consumer angst and lower sales for many merchants.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;In the next article in this &lt;a title="series" href="http://www.ethoca.com/fraud-intel/?Tag=3D+Secure" target="_self"&gt;series&lt;/a&gt;, I'll detail the complaints about 3D Secure and why merchants and consumers generally don't like it, and the cost burden it imposes on card issuers.&lt;/em&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/fraud-intel/~4/jeTDD8N9v7M" height="1" width="1"/&gt;</description><dc:creator>Keegan Johnson</dc:creator><pubDate>Wed, 01 Sep 2010 13:50:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:42175</guid><feedburner:origLink>http://www.ethoca.com/fraud-intel/bid/42175/3D-Secure-Does-it-Make-e-Commerce-Any-Safer</feedburner:origLink></item><item><comments>http://www.ethoca.com/fraud-intel/bid/41813/Unequal-Rewards-Penalties-Do-Issuing-Banks-Really-Have-Nothing-to-Lose-to-CNP-Fraud#Comments</comments><slash:comments>0</slash:comments><title>Unequal Rewards &amp; Penalties: Do Issuing Banks Really Have Nothing to Lose to CNP Fraud?</title><link>http://feedproxy.google.com/~r/fraud-intel/~3/qvs23Cvha6E/Unequal-Rewards-Penalties-Do-Issuing-Banks-Really-Have-Nothing-to-Lose-to-CNP-Fraud</link><description>&lt;table id="caption" style="width: 250px;" border="0" cellspacing="0" cellpadding="0" align="right"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;a href="http://www.ethoca.com/fraud-detection-services/issuer-merchant-collaboration/Issuer-Confirmed-Fraud-Alerts-Card-Issuer-Service/" target="_self"&gt;&lt;img src="http://www.ethoca.com/Portals/31166/images/card-fraud-sm.jpg" border="0" alt="CNP fraud" width="250" height="174" /&gt;&lt;/a&gt; A million small frauds equals one big take. The New York Times detailed an unusual case of credit card fraud and an injunction filed by FTC, but missed that &lt;a title="card issuers bear the costs of fraud" href="http://www.ethoca.com/fraud-detection-services/issuer-merchant-collaboration/Issuer-Confirmed-Fraud-Alerts-Card-Issuer-Service/" target="_self"&gt;card issuers bear the costs of fraud&lt;/a&gt; too. CNP fraud is a pernicious problem for &lt;a title="Merchants" href="http://www.ethoca.com/fraud-detection-services/issuer-merchant-collaboration/merchants/" target="_self"&gt;merchants&lt;/a&gt;, &lt;a title="cardholders" href="http://www.ethoca.com/fraud-intel/bid/42890/Who-Pays-for-All-the-Card-Fraud-That-You-Don-t-You-Do" target="_self"&gt;cardholders&lt;/a&gt;, issuers, and other parties in the payment chain.&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h4&gt;KISS (Keep It Small, Stupid) proves an effective fraud strategy&lt;/h4&gt;
&lt;p&gt;The NY Times &lt;a title="reported" href="http://www.nytimes.com/2010/08/22/business/22digi.html?_r=1" target="_blank"&gt;reported&lt;/a&gt; this weekend on an unusual case of credit card fraud filed by the FTC in a Chicago federal court involving more than 1 million cardholder accounts and over 100 fake merchant accounts over a period of at least 4 years. It&amp;rsquo;s a sign of how much the internet and automation have changed the &lt;a title="changed the fraud game" href="http://www.ethoca.com/fraud-intel/bid/42852/e-Commerce-Payment-Fraud-Prevention-Looking-for-the-Great-Leap-Forward" target="_self"&gt;fraud game&lt;/a&gt;, enabling massive scams by employing the KISS (Keep It Small, Stupid) Principle.&lt;/p&gt;
&lt;h4&gt;More than $10 million stolen through &amp;lt;$10 fraudulent charges&lt;/h4&gt;
&lt;p&gt;The suit claims that more than $10 million was stolen by placing just a single fraudulent charge for less than $10 on more than 1 million different credit and debit cards.&lt;/p&gt;
&lt;p&gt;Card-not-present transactions (i.e. online sales) were recorded by 16 shell companies operating under more than 100 different merchant IDs.&lt;/p&gt;
&lt;p&gt;The fake companies, set up with bogus websites and phone numbers to look real when they applied for merchant accounts, were created using stolen identities, and the money was quickly moved out of the US to bank accounts in several different east European countries.&lt;/p&gt;
&lt;h4&gt;Few complaints due to plausibility of charges&lt;/h4&gt;
&lt;p&gt;The interesting vulnerability exposed is how easy it is to fly under the radar if you make everything plausible and seemingly random, and don&amp;rsquo;t do anything to stand out.&lt;/p&gt;
&lt;p&gt;Criminals carefully set up fake companies with familiar sounding names so that nothing would stand out on the cardholder statements. By only attacking each card once, and for a small amount, it&amp;rsquo;s a safe bet that the majority of consumers didn&amp;rsquo;t even notice.&lt;/p&gt;
&lt;p&gt;The one dumb error was posting a number of transactions for as little as 20 cents. According to the FTC, there were more complaints about the 20-cent charges than the 9 dollar ones because they appeared odd -- again, it&amp;rsquo;s about plausibility.&lt;/p&gt;
&lt;h4&gt;FTC investigates after a million transactions&lt;/h4&gt;
&lt;p&gt;There were incredibly few complaints of any sort though, because it took nearly a million transactions before the FTC had enough complaints registered to start an investigation. The lesson: KISS.&lt;/p&gt;
&lt;p&gt;You can read the full stories here:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a title="$9 Here, 20 Cents There and a Credit-Card Lawsuit" href="http://www.nytimes.com/2010/08/22/business/22digi.html?_r=1" target="_blank"&gt;$9 Here, 20 Cents There and a Credit-Card Lawsuit&lt;/a&gt; &amp;ndash; NY Times story&lt;/li&gt;
&lt;li&gt;&lt;a title="FTC Obtains Court Order Halting International Scheme &amp;hellip;." href="http://www.ftc.gov/opa/2010/06/adele.shtm" target="_blank"&gt;FTC Obtains Court Order Halting International Scheme &amp;hellip;.&lt;/a&gt; &amp;ndash; FTC press release&lt;/li&gt;
&lt;li&gt;&lt;a title="Complaint" href="http://www.ethoca.com/Default.aspx?app=LeadgenDownload&amp;amp;shortpath=pdfs%2fftc_complaint.pdf" target="_blank"&gt;Complaint&lt;/a&gt; &amp;ndash; as filed by FTC (3.1MB pdf)&lt;/li&gt;
&lt;li&gt;&lt;a title="FTC&amp;rsquo;s Memorandum for Asset Freeze, Restraining Order, etc" href="http://www.ethoca.com/Default.aspx?app=LeadgenDownload&amp;amp;shortpath=pdfs%2fftc_memorandum.pdf" target="_blank"&gt;FTC&amp;rsquo;s Memorandum for Asset Freeze, Restraining Order, etc&lt;/a&gt; &amp;ndash; explaining scheme in detail (4.8MB pdf)&lt;/li&gt;
&lt;/ul&gt;
&lt;h4&gt;Average cost to card issuing bank: $15 per transaction&lt;/h4&gt;
&lt;p&gt;My main point for this article was to focus on a throwaway comment from Gartner analyst, Avivah Litan. She is quoted:&lt;/p&gt;
&lt;p style="padding-left: 30px;"&gt;&lt;em&gt;&amp;ldquo;If a credit card is physically swiped in the transaction, the bank that issued the card is on the hook for fraudulent charges. If it is a phone or Internet purchase &amp;mdash; called a card-not-present transaction &amp;mdash; the bank that hosted the merchant account that received the ill-gotten charges must make restitution.&amp;rdquo;&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;And the writer of the article draws the conclusion that, because the acquiring bank is on the hook for the fraudulent charges, the issuer has &lt;em&gt;&amp;ldquo;little motivation to be greatly concerned about online fraud&amp;rdquo;&lt;/em&gt;.&lt;/p&gt;
&lt;p&gt;Really? The acquirer is indeed stuck with many charges of between 20 cents and 9 dollars, since none of the merchant accounts were legitimate, but is there really no cost to issuers in this case?&lt;/p&gt;
&lt;p&gt;On the contrary, our analysis shows that it costs the card issuing bank an average of $15 per transaction in labor and paper trail costs (getting consumers to file affidavits, issuing chargebacks, etc), plus fees assessed by the card scheme for each chargeback. More, in fact, than the maximum $10 charge that the acquirer had to eat.&lt;/p&gt;
&lt;p&gt;Across more than 1 million fraudulent transactions in this single case, that&amp;rsquo;s over $15 million &amp;ndash; not exactly chicken feed, and certainly not &amp;ldquo;little motivation&amp;rdquo; to seek a solution.&lt;/p&gt;
&lt;h4&gt;CNP fraud affects all parties in the payment chain&lt;/h4&gt;
&lt;p&gt;The takeaway is this: CNP fraud is a pernicious problem, and it affects, inconveniences and costs everyone involved. Merchants for sure, but also issuers and cardholders.&lt;/p&gt;
&lt;p&gt;The $15 in overhead costs may not compare to a $500 loss taken by a merchant of electronics goods, for example, but the issuers are getting hurt on each and every fraud. Consider that if a bank the size of JPMorgan Chase could eliminate these costs, that would represent by our guesstimates a savings of $1.5 &amp;ndash; 2.5 million annually &amp;ndash; a savings that is pure profit to the bottom line.&lt;/p&gt;
&lt;p&gt;I&amp;rsquo;d argue that that&amp;rsquo;s plenty of motivation for any issuer, and it is an achievable target with more industry collaboration.&lt;/p&gt;
&lt;p&gt;And, that would be good for everybody.&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/fraud-intel?a=qvs23Cvha6E:u5yFVjpK4Uo:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/fraud-intel?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/fraud-intel/~4/qvs23Cvha6E" height="1" width="1"/&gt;</description><dc:creator>Keegan Johnson</dc:creator><pubDate>Wed, 25 Aug 2010 16:25:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:41813</guid><feedburner:origLink>http://www.ethoca.com/fraud-intel/bid/41813/Unequal-Rewards-Penalties-Do-Issuing-Banks-Really-Have-Nothing-to-Lose-to-CNP-Fraud</feedburner:origLink></item><item><comments>http://www.ethoca.com/fraud-intel/bid/41191/The-Smart-Ass-Carders-We-Love-to-Hate#Comments</comments><slash:comments>0</slash:comments><title>The Smart Ass Carders We Love to Hate</title><link>http://feedproxy.google.com/~r/fraud-intel/~3/E5WFfKwQFYg/The-Smart-Ass-Carders-We-Love-to-Hate</link><description>&lt;table id="caption" border="0" cellspacing="0" cellpadding="0" width="404" height="450" align="right"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;object id="flashObj" classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="404" height="436" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"&gt;
&lt;param name="bgcolor" value="#FFFFFF" /&gt;
&lt;param name="flashVars" value="videoId=524257711001&amp;amp;playerID=1813626064&amp;amp;playerKey=AQ~~,AAAAAF1BIQQ~,g5cZB_aGkYZXG-DCZXT7a-c4jcGaSdDQ&amp;amp;domain=embed&amp;amp;dynamicStreaming=true" /&gt;
&lt;param name="base" value="http://admin.brightcove.com" /&gt;
&lt;param name="seamlesstabbing" value="false" /&gt;
&lt;param name="allowFullScreen" value="true" /&gt;
&lt;param name="swLiveConnect" value="true" /&gt;
&lt;param name="allowScriptAccess" value="always" /&gt;
&lt;param name="src" value="http://c.brightcove.com/services/viewer/federated_f9?isVid=1" /&gt;
&lt;param name="name" value="flashObj" /&gt;
&lt;param name="flashvars" value="videoId=524257711001&amp;amp;playerID=1813626064&amp;amp;playerKey=AQ~~,AAAAAF1BIQQ~,g5cZB_aGkYZXG-DCZXT7a-c4jcGaSdDQ&amp;amp;domain=embed&amp;amp;dynamicStreaming=true" /&gt;
&lt;param name="allowfullscreen" value="true" /&gt;&lt;embed id="flashObj" type="application/x-shockwave-flash" width="404" height="436" src="http://c.brightcove.com/services/viewer/federated_f9?isVid=1" name="flashObj" allowscriptaccess="always" swliveconnect="true" allowfullscreen="true" seamlesstabbing="false" base="http://admin.brightcove.com" flashvars="videoId=524257711001&amp;amp;playerID=1813626064&amp;amp;playerKey=AQ~~,AAAAAF1BIQQ~,g5cZB_aGkYZXG-DCZXT7a-c4jcGaSdDQ&amp;amp;domain=embed&amp;amp;dynamicStreaming=true" bgcolor="#FFFFFF"&gt;&lt;/embed&gt;
&lt;/object&gt;
A video on BadB.biz promotes credit card fraud as a lighthearted affair.&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;The French police have apprehended a Russian &lt;a title="carder" href="http://en.wikipedia.org/wiki/Credit_card_fraud#Carding" target="_blank"&gt;carder&lt;/a&gt; reputed to be among the largest sources of stolen credit card dumps for extradition to face charges in the US.&lt;/p&gt;
&lt;p&gt;I applaud the transnational cooperation to nail &lt;a title="those who trade in your credit data" href="http://www.ethoca.com/fraud-intel/bid/19888/Data-Breach-Master-Hacker-Indicted-Foreshadows-Increase-In-Online-Credit-Card-Fraud" target="_self"&gt;those who trade in your credit data&lt;/a&gt; to defraud merchants (especially online) everywhere. This is a key link in the chain that creates &lt;a title="card not present (CNP) fraud" href="http://www.ethoca.com/fraud-intel/bid/14428/Heartland-data-breach-underscores-dark-trend" target="_self"&gt;card not present (CNP) fraud&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;We know that biting off the head of the serpent will ultimately create a number of smaller snakes who go elsewhere to &lt;a title="perpetrate their crimes" href="http://www.ethoca.com/fraud-intel/bid/14418/Data-breaches-demand-earlier-detection-better-remediation" target="_self"&gt;perpetrate their crimes&lt;/a&gt;, but today we can celebrate that one has been caught, and is likely to do some big time.&lt;/p&gt;
&lt;p&gt;If you have any doubts about how reprehensible these guys are, consider that Vladislav Anatolievich Horohin, aka BadB, even made an advertising video to promote his services -- see it above or at &lt;a title="Wired magazine's site" href="http://www.wired.com/threatlevel/2010/08/badb/" target="_blank"&gt;Wired magazine's site&lt;/a&gt;.&lt;/p&gt;
&lt;h4&gt;Related articles&lt;/h4&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a title="&amp;lt;p&amp;gt;&amp;amp;nbsp;&amp;lt;/p&amp;gt; &amp;lt;p&amp;gt;Alleged Carder &amp;amp;lsquo;BadB&amp;amp;rsquo; Busted in France&amp;lt;/p&amp;gt;" href="http://www.wired.com/threatlevel/2010/08/badb/" target="_blank"&gt; &lt;/a&gt;
&lt;p&gt;&lt;a title="Alleged Carder &amp;lsquo;BadB&amp;rsquo; Busted in France" href="http://www.wired.com/threatlevel/2010/08/badb/" target="_blank"&gt;Alleged Carder &amp;lsquo;BadB&amp;rsquo; Busted in France&lt;/a&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;a title="Alleged International Credit Card Trafficker Arrested in France on U.S. Charges Related to Sale of Stolen Card Data" href="http://atlanta.fbi.gov/dojpressrel/pressrel10/at081110.htm" target="_blank"&gt;Alleged International Credit Card Trafficker Arrested in France on U.S. Charges Related to Sale of Stolen Card Data&lt;/a&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/fraud-intel?a=E5WFfKwQFYg:3qCvh9YHy5o:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/fraud-intel?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/fraud-intel/~4/E5WFfKwQFYg" height="1" width="1"/&gt;</description><dc:creator>Andre Edelbrock</dc:creator><pubDate>Tue, 17 Aug 2010 16:37:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:41191</guid><feedburner:origLink>http://www.ethoca.com/fraud-intel/bid/41191/The-Smart-Ass-Carders-We-Love-to-Hate</feedburner:origLink></item><item><comments>http://www.ethoca.com/fraud-intel/bid/36942/Collaborative-Fraud-Prevention-Is-the-Future-and-Trust-Is-Key#Comments</comments><slash:comments>0</slash:comments><title>Collaborative Fraud Prevention Is the Future – and Trust Is Key</title><link>http://feedproxy.google.com/~r/fraud-intel/~3/vlIimmXiaB4/Collaborative-Fraud-Prevention-Is-the-Future-and-Trust-Is-Key</link><description>&lt;table id="caption" border="0" cellspacing="0" cellpadding="0" width="152" align="right"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;a href="http://www.ethoca.com/ethoca-executive-team/" target="_self"&gt;&lt;img src="http://www.ethoca.com/Portals/31166/images/darryl.jpg" border="0" alt="ecommerce fraud  prevention" width="152" height="214" /&gt;&lt;/a&gt; &lt;a title="Darryl  Green" href="http://www.ethoca.com/ethoca-executive-team/" target="_self"&gt;Darryl  Green&lt;/a&gt; is Chief Governance Officer (Co-Founder) and Executive Director at  Ethoca&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h4&gt;Beyond legal compliance: what it takes to be worthy of trust&lt;/h4&gt;
&lt;p&gt;I can&amp;rsquo;t stand privacy law.&lt;/p&gt;
&lt;p&gt;Not for the reasons you might think are obvious for someone in my position (i.e. we can&amp;rsquo;t do what we want with impunity). I dislike it for what it represents and what it could, and in some cases appears to, be evolving into.&lt;/p&gt;
&lt;p&gt;The fact is, I&amp;rsquo;m very much against doing what we want with impunity. At Ethoca, we are experts at &lt;a href="http://www.ethoca.com/fraud-detection-system/"&gt;fraud detection&lt;/a&gt; involving card-not-present transactions. We ask our &lt;a title="partners" href="http://www.ethoca.com/partnering/" target="_self"&gt;partners&lt;/a&gt;, members and, ultimately, consumers to trust us with something very valuable (their credit card transaction data). We have a responsibility to earn that trust every single day. The concept of respecting and securing that data has to, and does, permeate every decision we make and every action we perform. The gravity of that trust lives in every employee of Ethoca and is deeply ingrained in the culture of our organization. Replacing these obligations with a regulatory compliance regime is both inefficient and distorting.&lt;/p&gt;
&lt;h4&gt;Taking responsibility&lt;/h4&gt;
&lt;p&gt;First, some brief background so you know my personal bias: I&amp;rsquo;ve studied law and worked briefly as a lawyer before finding the joy of entrepreneurship. I have, over the years, come to the conclusion that nearly all law can be summarized as, &amp;ldquo;Don&amp;rsquo;t be a dick.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;Of course, you need a little more granularity than that. If I ever ran for public office on a platform of legal simplification, I would suggest that there be &lt;strong&gt;laws against dickness in the first, second and third degree&lt;/strong&gt;, and against unintentional dickness for those who have not thought about the consequences of their actions.&lt;/p&gt;
&lt;p&gt;Any more granular than that and you start to run into problems. (I may be exaggerating to make a point, but stay with me.)&lt;/p&gt;
&lt;p&gt;Trying to create a regulatory regime to deal with an issue replaces, &amp;ldquo;I shouldn&amp;rsquo;t be a dick&amp;rdquo; with, &amp;ldquo;do I comply with regulations.&amp;rdquo; And since it&amp;rsquo;s impossible to draft regulations that contemplate all current contingencies, let alone contingencies arising from future innovation, it leaves individuals and corporations the ability to be dicks as long as they are regulatory compliant.&lt;/p&gt;
&lt;p&gt;In fact, they may not even think about the consequences of their actions anymore, assuming that either the regulators will have contemplated the outcomes, or the outcomes don&amp;rsquo;t matter so long as I follow the rules. This is particularly problematic where those who work in the regulated industry are more informed and less conflicted than those drafting the regulation. There are examples of that all over the recent financial crisis, but that is not the subject of this discussion.&lt;/p&gt;
&lt;h4&gt;Ethoca and privacy regulation&lt;/h4&gt;
&lt;p&gt;In our first drafts of how we would develop the Ethoca architecture and operate the Ethoca service, we did not call legal counsel. We knew that &lt;strong&gt;caring for the data&lt;/strong&gt; we were being entrusted with meant that we would have to &lt;a title="respect it, secure it" href="http://www.ethoca.com/fraud-intel/bid/42616/Data-Sharing-Without-Sharing-Data-Now-That-s-Collaboration" target="_self"&gt;respect it, secure it&lt;/a&gt;, and provide access to it in a way that wouldn&amp;rsquo;t allow it to be abused. We knew that we would have to watch over the data to ensure its quality. We knew that we would need a mechanism for members and consumers to dispute the data in the event of a misunderstanding.&lt;/p&gt;
&lt;p&gt;We found codes of practice that helped us to define what that meant, specifically, the AICPA Privacy Framework, now called the &lt;a href="http://www.aicpa.org/InterestAreas/InformationTechnology/Resources/Privacy/GenerallyAcceptedPrivacyPrinciples/Pages/default.aspx" target="_new"&gt;AICPA Generally Accepted Privacy Principles&lt;/a&gt;. We engaged top-tier consultants to help us develop and implement the practices befitting the responsibility we expected to take on.&lt;/p&gt;
&lt;p&gt;In short, we took our responsibility extremely seriously. This was in part driven by our internal ethics, but was also required by anyone we wanted to add as members. We &lt;strong&gt;held ourselves accountable&lt;/strong&gt;, and those we were doing business with were holding us accountable. Ah, if only the world could work this way in all contexts.&lt;/p&gt;
&lt;h4&gt;Enter the lawyers&lt;/h4&gt;
&lt;p&gt;The time came to get the regulatory analyses for the jurisdictions in which we contemplated doing business. These included most significantly the US, the UK, Ireland and Canada. This cost us hundreds of thousands of dollars in legal fees. (I wish I were exaggerating here to make a point.)&amp;nbsp; I&amp;rsquo;m happy to say that it didn&amp;rsquo;t result in our having to change much of anything in relation to our operation. The work we had done just trying to be responsible took us well beyond what was required simply from a regulatory compliance standpoint.&lt;/p&gt;
&lt;p&gt;In a follow-up blog post I will summarize our findings from each jurisdiction and more detailed discussion is available from us for anyone contemplating joining Ethoca&amp;rsquo;s &lt;a href="http://www.ethoca.com/fraud-fighting-community/" target="_new"&gt;Global Fraud Alliance&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;In general though, if you know nothing more than this about privacy law, as it relates to private enterprise, you are 90 percent of the way there: People have to be given the opportunity to agree to and know how their data is being used, they have to have the ability to inquire about and correct any mistakes in the data, and those holding the data have to safeguard the data with due care.&lt;/p&gt;
&lt;h4&gt;The final word&lt;/h4&gt;
&lt;p&gt;I&amp;rsquo;ve been a little glib here. Unfortunately, regulation is required where there is an imbalance of power as there is with respect to data. &lt;a title="Consumers tend not to band together" href="http://www.ethoca.com/fraud-intel/bid/42890/Who-Pays-for-All-the-Card-Fraud-That-You-Don-t-You-Do" target="_self"&gt;Consumers tend not to band together&lt;/a&gt; in a cohesive group, and the ability to abuse data that a company has been entrusted with would tempt some to make use of it for purely self-serving ends. However, the regulation should be minimal to meet the objectives highlighted above. In some jurisdictions I&amp;rsquo;m starting to see regulation that seems more like &lt;strong&gt;empire-building-through-bureaucracy&lt;/strong&gt; than a regime meant to serve the needs of individuals.&lt;/p&gt;
&lt;p&gt;Clearly, any regulation that would make it unworkable or uneconomical to help consumers and merchants avoid being victimized by fraud would have slipped over that line.&lt;/p&gt;
&lt;p&gt;&lt;span style="font-style: italic; color: #808080;"&gt;Darryl Green is one of the co-founders of Ethoca. He has degrees in Law, Engineering and a Masters in Business Administration from the University of Western Ontario/Ivey School of Business. He started in the internet industry in 1999 with Tucows Inc. where he participated primarily in Business and Corporate Development activities. He worked there until co-founding Ethoca in 2005. Darryl is responsible for financial and regulatory compliance for Ethoca and, as with all the founders, is active in Ethoca&amp;rsquo;s Business Development. He tends to prefer free market solutions over government regulation and is a big, big fan of transparency and candor.&lt;/span&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/fraud-intel?a=vlIimmXiaB4:TqtLYKGbp_Y:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/fraud-intel?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/fraud-intel/~4/vlIimmXiaB4" height="1" width="1"/&gt;</description><dc:creator>Ethoca Technologies</dc:creator><pubDate>Thu, 10 Jun 2010 10:00:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:36942</guid><feedburner:origLink>http://www.ethoca.com/fraud-intel/bid/36942/Collaborative-Fraud-Prevention-Is-the-Future-and-Trust-Is-Key</feedburner:origLink></item><item><comments>http://www.ethoca.com/fraud-intel/bid/36951/Fear-of-Online-Credit-Card-Fraud-Shrinks-Pool-of-Good-Customers#Comments</comments><slash:comments>0</slash:comments><title>Fear of Online Credit Card Fraud Shrinks Pool of Good Customers</title><link>http://feedproxy.google.com/~r/fraud-intel/~3/W_UhBqzdQxE/Fear-of-Online-Credit-Card-Fraud-Shrinks-Pool-of-Good-Customers</link><description>&lt;table id="caption" style="width: 250px; height: 0px;" border="0" cellspacing="0" cellpadding="0" align="right"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;a href="http://www.ethoca.com/negative-signals-apply-now/"&gt;&lt;img src="http://www.ethoca.com/Portals/31166/images/onlineshopping.jpg" border="0" alt="online credit card fraud" width="250" height="373" /&gt;&lt;/a&gt; The U.S. Federal Trade Commission estimates that six times as much revenue is lost to "fear of fraud" as to actual fraud&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h4&gt;How making online shopping safer means a more profitable online environment for all&lt;/h4&gt;
&lt;p&gt;Beyond the&amp;nbsp;&lt;a href="http://www.ethoca.com/total-cost-of-fraud-brief/" target="_new"&gt;total cost of fraud&lt;/a&gt;&amp;nbsp;you may face today, there is an even bigger challenge: many potential customers are afraid to buy online. They don&amp;rsquo;t think it&amp;rsquo;s safe.&lt;/p&gt;
&lt;p&gt;In fact, six times as much revenue is lost each year to fear of fraud as to actual fraud, according to the U.S. Federal Trade Commission.&lt;/p&gt;
&lt;p&gt;That number is consistent with surveys and research by other organizations as well. VeriSign says half of Internet users avoid buying online, for fear of their financial information being stolen. And of those who have been victims of fraud:&lt;/p&gt;
&lt;blockquote&gt;
&lt;ul&gt;
&lt;li&gt;12% don&amp;rsquo;t shop online any longer&lt;/li&gt;
&lt;li&gt;25% shop less frequently&lt;/li&gt;
&lt;li&gt;19% spend less when they do shop online&lt;/li&gt;
&lt;/ul&gt;
&lt;/blockquote&gt;
&lt;p&gt;And according to figures from a CyberSource 2009 survey:&lt;/p&gt;
&lt;blockquote&gt;
&lt;ul&gt;
&lt;li&gt;71% of consumers are concerned with the level of risk when shopping over the web, an increase of 5% over 2008&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;24% of consumers &lt;/strong&gt;(the largest grouping of answers)&lt;strong&gt; say it is merchants&amp;rsquo; responsibility &lt;/strong&gt;to make online shopping safe&lt;/li&gt;
&lt;/ul&gt;
&lt;/blockquote&gt;
&lt;h3&gt;&lt;strong&gt;Making online shopping safer -- It's within your control&lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;Trust seals can and do increase the perception of safe shopping for many. They, however, can only go so far, and with constant media attention paid to massive data security breaches such as those perpetrated against&amp;nbsp;&lt;a href="http://www.ethoca.com/fraud-intel/bid/14428/Heartland-data-breach-underscores-dark-trend" target="_new"&gt;Heartland Payment Systems&lt;/a&gt;,&amp;nbsp;&lt;a href="http://www.informationweek.com/news/security/showArticle.jhtml?articleID=198701100" rel="nofollow" target="_new"&gt;TJ Maxx&lt;/a&gt;,&amp;nbsp;&lt;a href="http://www.bankinfosecurity.com/articles.php?art_id=810" rel="nofollow" target="_new"&gt;Hannaford Supermarkets&lt;/a&gt;&amp;nbsp;and many others, not to mention the myriad tales of unscrubbed and unprotected data on used hard drives,&amp;nbsp;&lt;a href="http://www.computerworld.com/s/article/9058018/230_retailers_affected_by_data_breach_after_tape_lost" rel="nofollow" target="_new"&gt;archival tapes full of social security numbers&lt;/a&gt;&amp;nbsp;and other personally identifiable information falling off the back of trucks, consumers are rightly fearful that no matter what they or merchants do to protect their data, there are weak links in the security chain that put them at risk.&lt;/p&gt;
&lt;p&gt;In fact, there are three elements to making Internet shopping not only as safe as it can be, but truly the safest form of shopping. First, merchants need to implement proper security precautions, especially PCI compliance. Second, compliance needs to be regulated and certified (and advertised by the accompanying trust marks). Finally, merchants need to ensure that, in the event security is breached, minimal harm comes to the consumer. The best way to do that is through collaboration with other merchants, as well as card issuers, fraud vendors, payment service providers - in fact, all the stakeholders in ecommerce.&lt;/p&gt;
&lt;p&gt;The&amp;nbsp;&lt;a href="http://www.ethoca.com/fraud-fighting-community/" target="_new"&gt;Global Fraud Alliance&lt;/a&gt;&amp;nbsp;is that third and critical piece in making internet shopping safer. It provides a shield against misuse of breached and compromised data, by enabling merchants to gain insight into each other's payment experiences in real time, without compromising the privacy or security of their data.&lt;/p&gt;
&lt;p&gt;Ethoca has recently made a very important contribution to safe shopping by making&amp;nbsp;&lt;a href="http://www.ethoca.com/negative-signals-info" target="_new"&gt;Ethoca360 Negative Signals&lt;/a&gt;&amp;nbsp;freely available to any merchant that signs up for service during the introductory period. And, not just free to sign up, but free forever.&amp;nbsp;&lt;a href="http://www.ethoca.com/negative-signals-apply-now/" target="_new"&gt;Merchants need only apply&lt;/a&gt;&amp;nbsp;and start actively using the service during the introductory period to ensure this lifetime benefit. This service is also being made available through partners such as&amp;nbsp;&lt;a href="http://www.ethoca.com/home/ethoca-news/bid/30546/41st-Parameter-Supports-Ethoca360-Negative-Signals-Service" target="_new"&gt;41&lt;sup&gt;st&lt;/sup&gt; Parameter's FraudNet technology&lt;/a&gt;,&amp;nbsp;&lt;a href="http://www.ethoca.com/home/ethoca-news/bid/31054/Ethoca-and-GB-Group-Join-Forces-to-Combat-Fraud" target="_new"&gt;GB Group's URU identity service&lt;/a&gt;, and the&amp;nbsp;&lt;a href="http://isisaccreditation.imrg.org/8025745000669E37/%28httpPages%29/554111A841FFA7148025748E003765AE?OpenDocument" target="_new"&gt;IMRG ISIS (Internet Shopping Is Safe)&lt;/a&gt;&amp;nbsp;program. This network is rapidly growing to include other payment service providers and fraud merchants, and in the very near future will include many others in the U.S., Canada, U.K., and throughout Europe.&amp;nbsp;&lt;/p&gt;
&lt;h3&gt;&lt;strong&gt;A safer online environment means a more profitable online environment&lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;The more merchants collaborating against fraud, the safer the Internet will be, and the more customers will shop online.&lt;/p&gt;
&lt;p&gt;Doing your part is simple, and most importantly, it will start saving you money right away, no matter what fraud tools or services you already use. That's because&amp;nbsp;&lt;a href="http://www.ethoca.com/negative-signals-apply-now/" target="_new"&gt;Ethoca360 Negative Signals&lt;/a&gt;&amp;nbsp;is designed to be an additive service, compatible with all 3&lt;sup&gt;rd&lt;/sup&gt; party offerings. This is simply smart business for members of the &lt;a href="http://www.ethoca.com/global-fraud-alliance-members/"&gt;Global Fraud Alliance&lt;/a&gt;. Increasing consumers&amp;rsquo; willingness to shop online means more business for everyone.&lt;/p&gt;
&lt;p&gt;We invite you to join.&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/fraud-intel?a=W_UhBqzdQxE:6MJ3lq-diMI:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/fraud-intel?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/fraud-intel/~4/W_UhBqzdQxE" height="1" width="1"/&gt;</description><dc:creator>Andre Edelbrock</dc:creator><pubDate>Tue, 08 Jun 2010 13:00:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:36951</guid><feedburner:origLink>http://www.ethoca.com/fraud-intel/bid/36951/Fear-of-Online-Credit-Card-Fraud-Shrinks-Pool-of-Good-Customers</feedburner:origLink></item><item><comments>http://www.ethoca.com/fraud-intel/bid/25759/2010-Merchant-Risk-Council-MRC-Annual-Conference-Observations#Comments</comments><slash:comments>1</slash:comments><title>2010 Merchant Risk Council (MRC) Annual Conference - Observations</title><link>http://feedproxy.google.com/~r/fraud-intel/~3/Z_38G-73vuo/2010-Merchant-Risk-Council-MRC-Annual-Conference-Observations</link><description>&lt;table id="caption" border="0" cellspacing="0" cellpadding="0" width="170" align="right"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;a href="http://www.ethoca.com/signals/" target="_self"&gt;&lt;img src="http://www.ethoca.com/Portals/31166/images/tombstone3c.png" border="0" alt="cnp fraud prevention" width="170" /&gt;&lt;/a&gt; See the latest information on &lt;a title="Ethoca360 Signals &amp;gt;&amp;gt;" href="http://www.ethoca.com/signals/" target="_self"&gt;Ethoca360 Signals &amp;gt;&amp;gt;&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;After a whirlwind few days in Las Vegas last week at the annual&amp;nbsp;&lt;a rel="nofollow" href="https://www.merchantriskcouncil.org/index.cfm?" target="_new"&gt;MRC&lt;/a&gt;&amp;nbsp;conference, I'm back in my office catching up and thinking about all that happened. Having had a few days to reflect, I thought I would share some of my learnings from this year's conference.&lt;/p&gt;
&lt;p&gt;To put my thoughts in perspective, this year's conference was very significant for Ethoca. We announced perhaps our biggest news ever: that we are offering a free &lt;a title="card-not-present fraud detection service" href="http://www.ethoca.com/services/" target="_self"&gt;card-not-present fraud detection service&lt;/a&gt;, and have begun accepting merchant applications for participation. (The application process is to ensure that we are protecting the integrity of Global Fraud Alliance data, and only letting legitimate online merchants in).&lt;/p&gt;
&lt;p&gt;We are offering the Negative Signals part, a subset of&amp;nbsp;&lt;a href="http://www.ethoca.com/fraud-detection-services/signals/" target="_new"&gt;Ethoca360 Signals&lt;/a&gt;&amp;nbsp;(itself a newly announced service), at no charge forever as an introductory opportunity for merchants who sign up now.&lt;/p&gt;
&lt;h4&gt;Free forever is a big deal&lt;/h4&gt;
&lt;p&gt;The free service is a big deal for Ethoca, because for the first time ever, it makes large scale collaboration possible in the fight against fraud by removing the most significant barrier to participation, namely price. Now the question becomes, if you can identify potential fraud by &lt;a title="leveraging the bad payment experiences" href="http://www.ethoca.com/fraud-intel/bid/42616/Data-Sharing-Without-Sharing-Data-Now-That-s-Collaboration" target="_self"&gt;leveraging the bad payment experiences&lt;/a&gt; of fellow merchants, why wouldn't you?&lt;/p&gt;
&lt;p&gt;We decided to make the Negative Signals service free forever for merchants who join now to accelerate much broader collaboration. Our thinking is that by giving away a high value production-grade service, many more merchants, payment processors and fraud solutions providers will jump in quickly, thus boosting the value to everyone, and that our upgrade service to full &lt;a title="Ethoca360 Signals" href="http://www.ethoca.com/signals/" target="_blank"&gt;Ethoca360 Signals&lt;/a&gt;&amp;nbsp;would also grow quickly and more than pay for what we give up by making Negative Signals free.&lt;/p&gt;
&lt;p&gt;Besides, it just feels right to make this kind of collaborative information freely available as a community service. With the strong &lt;a title="positive reaction" href="http://www.ethoca.com/partnering/" target="_self"&gt;positive reaction&lt;/a&gt; we got from merchants, payment service providers (PSPs), card issuers, and fraud workbench/platform providers, we're confident that this is the right move at the right time.&lt;/p&gt;
&lt;h4&gt;A highly successful conference&lt;/h4&gt;
&lt;p&gt;Having missed last year's conference due to my sister getting married in Mexico during the same week, I was pleased to accept credit from Tom Donlea for boosting registrations to this year's conference by 20% by deciding to come back. OK, so maybe my return only boosted the total increase in attendance by one, but perhaps&amp;nbsp;Ethoca sponsoring&amp;nbsp;&lt;a href="http://www.ethoca.com/fraud-intel/bid/19422/The-Test-of-Our-Times-Secretary-Ridge-Recounts-the-Days-Immediately-After-9-11" target="_new"&gt;Governor Tom Ridge&lt;/a&gt;, the first US Secretary of Homeland Security&amp;nbsp;as a keynote presenter last year had a carry-over effect.&lt;/p&gt;
&lt;p&gt;Congratulations to Tom and all the MRC staff for putting on another great conference that continues to grow and attract increased interest year-over-year from the &lt;a title="e-commerce merchant community" href="http://www.ethoca.com/anti-fraud-community/" target="_self"&gt;e-commerce merchant community&lt;/a&gt;.&lt;/p&gt;
&lt;h4&gt;Big trends&lt;/h4&gt;
&lt;p&gt;So what were my major observations and conclusions from this year's conference? There were two big ones in addition to getting confirmation that our free Negative Signals service was exactly the right thing to do:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Collaboration to fight fraud is an idea whose time has come.&lt;/strong&gt; Online merchants have never been more ready, nor the time more right than right now for working together to make the next great strides in minimizing the &lt;a title="minimizing the Total Cost of Fraud" href="http://www.ethoca.com/total-cost-of-fraud-brief/" target="_self"&gt;Total Cost of Fraud&lt;/a&gt;. After baby steps in data sharing, most now realize that we can't make further significant gains without large-scale collaboration to construct a 360 degree view of customer behavior and online reputation. After four years of missionary work and building out Ethoca's infrastructure to support the Global Fraud Alliance, it's gratifying to see this recognition taking hold.&lt;/li&gt;
&lt;/ul&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;There are many widely held misconceptions about the advantages and disadvantages of &lt;a title="data-sharing" href="http://www.ethoca.com/fraud-intel/bid/42616/Data-Sharing-Without-Sharing-Data-Now-That-s-Collaboration" target="_self"&gt;data-sharing&lt;/a&gt;. &lt;/strong&gt;We heard a number of shibboleths at the Data Sharing session on the last day of the conference, which made me realize that it's time to dispel the myths once and for all. One thing that we at Ethoca often forget is that just because we solved the problems doesn't mean that everyone else knows that.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;To address the second issue, my next few blog posts will specifically address the numerous misconceptions about data sharing and shed some light on why large-scale global &lt;a title="collaboration works" href="http://www.ethoca.com/fraud-intel/bid/47666/Online-Payment-Fraud-Attack-Speed-and-Cross-Industry-Targeting" target="_self"&gt;collaboration works&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;It was great to see the MRC community come together again this year. Look forward to seeing you all again in &lt;a title="2011" href="https://www.merchantriskcouncil.org/index.cfm?fuseaction=Calendar.eventDetail&amp;amp;eventId=86&amp;amp;pageid=511" target="_blank"&gt;2011&lt;/a&gt;.&lt;/p&gt;</description><dc:creator>Andre Edelbrock</dc:creator><pubDate>Fri, 26 Mar 2010 03:05:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:25759</guid><feedburner:origLink>http://www.ethoca.com/fraud-intel/bid/25759/2010-Merchant-Risk-Council-MRC-Annual-Conference-Observations</feedburner:origLink></item></channel></rss>

