Card-not-present fraud threatens small online businesses

By Ron Condon, U.K. Bureau Chief
27 Jul 2009 | SearchSecurity.co.uk

According to the Association for Payment Clearing Services (APACS), the body that manages interbank payments, losses on high-street transactions fell from £218.8m in 2004 to £73.0m last year. The dramatic reduction in credit card fraud is due largely to the introduction of Chip & PIN, a government-backed initiative that calls for personal identification numbers and semiconductor chip technology to secure payment card transactions.

But that is only half the picture. Card-not-present (CNP) fraud, where criminals make payments via the Internet or by phone, has soared. By 2007, losses reached £290.5m and rose to £328.40m in 2008. CNP fraud now accounts for 54% of all card fraud losses, according to APACS.

While the holders of stolen cards normally have their money refunded, it is the merchants who have to pick up the tab. For small online businesses, the losses can be especially damaging.

Chris Barling, managing director of Actinic Software Ltd., a Surrey-based e-commerce technology provider, has more than 100,000 small and medium-sized businesses using his e-commerce website package, and he said the fraud problem is getting progressively worse.

"Our customers are being targeted by increasingly clever and sophisticated fraudsters. And the level of fraud is noticeably higher in the last six months," he said. "At one end, you have people who will just try it on, and say they haven't received delivery of goods. At the other end, you have organised gangs that buy up sets of stolen card details."

To help beat the problem, he recently incorporated a new feature into his product, based on a service from Surrey-based antifraud firm, the 3rd Man Group plc. The feature provides users with instant feedback on credit card transactions, giving them a green light if the transaction looks good, or a red light if there is something suspicious about it. Armed with that information, the merchant can then decide on whether to refuse the order or investigate.

The 3rd Man's service screens more than 20 million transactions a month from a wide range of merchants, ranging from one-man outfits to large retailers like Argos. With that volume of data, the technology is able to spot suspicious traffic patterns that may indicate card-not-present fraud – such as large numbers of orders from a single IP address, or one card being used with several different names and addresses.
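The two patterns named above, sketched as an added example (not The 3rd Man's or Actinic's own logic): an order-velocity check per IP address and a count of distinct name/address pairs per card, giving a green or red light per order. The thresholds, time window, field layout and order data are assumptions constructed for illustration.

```python
from collections import defaultdict

WINDOW_MIN = 60              # assumed look-back window, in minutes
MAX_ORDERS_PER_IP = 3        # assumed threshold
MAX_IDENTITIES_PER_CARD = 2  # assumed threshold

# Constructed sample orders: (id, minute, ip, card_token, name, address).
# Card values are tokens from the processor, never raw card numbers.
ORDERS = [
    ("o1", 0, "198.51.100.7", "tok_a", "Ann Lee", "1 High St"),
    ("o2", 5, "198.51.100.7", "tok_b", "Bob Ray", "2 Mill Rd"),
    ("o3", 9, "198.51.100.7", "tok_c", "Cy Dunn", "3 Oak Ave"),
    ("o4", 12, "198.51.100.7", "tok_d", "Di Moss", "4 Elm Cl"),
    ("o5", 20, "203.0.113.9", "tok_e", "Eve Hart", "5 Park Ln"),
    ("o6", 30, "203.0.113.20", "tok_e", "eve  hart", "5 PARK LN"),
    ("o7", 40, "203.0.113.21", "tok_f", "Fay Cole", "6 Kew Rd"),
    ("o8", 50, "203.0.113.22", "tok_f", "Gus Webb", "7 Bay St"),
    ("o9", 55, "203.0.113.23", "tok_f", "Hal Nash", "8 Dock Rd"),
    ("o10", 200, "198.51.100.7", "tok_a", "Ann Lee", "1 High St"),
]

def _norm(text):
    # Ignore case and spacing so typing differences are not counted as a
    # different identity (keeps false positives down).
    return " ".join(text.lower().split())

def screen(orders):
    """Return {order_id: (light, reasons)}, judging each order on what was seen up to it."""
    ip_times = defaultdict(list)    # ip -> minutes of orders seen so far
    card_idents = defaultdict(set)  # card token -> {(name, address)}
    verdicts = {}
    for oid, t, ip, card, name, addr in sorted(orders, key=lambda o: o[1]):
        ip_times[ip].append(t)
        card_idents[card].add((_norm(name), _norm(addr)))
        reasons = []
        if sum(1 for s in ip_times[ip] if t - s <= WINDOW_MIN) > MAX_ORDERS_PER_IP:
            reasons.append("ip_velocity")
        if len(card_idents[card]) > MAX_IDENTITIES_PER_CARD:
            reasons.append("card_identity_spread")
        verdicts[oid] = ("red" if reasons else "green", reasons)
    return verdicts

if __name__ == "__main__":
    for oid, (light, reasons) in screen(ORDERS).items():
        print(oid, light, ", ".join(reasons))
```
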

Equally important, the service allows the merchant to check with a customer before shipping goods, rather than just blocking the order. "False positives are just as much a problem as letting through fraud. A small business doesn't want to turn away good customers," said Barling.

Barling said that just by making contact with the customer, the merchant can often scare off the fraudster. "Normally fraudsters don't want to engage in any form of dialogue, because dialogue equals risk. If they talk to someone, they don't know if they are talking to law enforcement, or if someone is triangulating their mobile signal to find out where they are," he said.

The 3rd Man service now comes free as part of Actinic Payments, which channels all credit card payments through to CreditCall, a specialist payment processor. The package ensures that no credit card details are stored on the merchant's systems, thus avoiding any need to comply with the Payment Card Industry Data Security Standard (PCI DSS). "PCI compliance can cost between £40,000 and £80,000 for a medium-sized company, so we allow our customers to comply by effectively outsourcing the card data collection to a third party," said Barling.

Card-not-present fraud: Stolen model railways
The experience of one Actinic customer gives a flavour of the challenges facing small online businesses.

Mark Burley set up Model Railways Direct in 2006, with the aim of turning his life-long hobby into a real business. Soon his website began to generate a good level of orders, and when a spate of large orders came in, worth a total of £7,000, it seemed to confirm that he was on the road to success.

The credit card payments went through and Burley started shipping out the goods. Then, by chance, he noticed something odd about some of the orders. The person ordered a set of steam trains and a modern digital set. "The products were at opposite ends of the spectrum and would not work together," he said. His suspicions were aroused.

Burley's immediate thought was to call the credit card company to check on the cards. "The card company would not tell us anything, or even take the card number, due to 'data protection,'" he said. "So we went through directory enquiries and phoned some of the cardholders. In one case, the cardholder was unaware that his card was being used fraudulently, and in the other, he was surprised at how many transactions had been put through on his card. In both cases, they still had their cards in their possession."

By this time, £3000 worth of products had been shipped to an address where, on investigation, it was discovered the recipients had already moved out, taking the stolen goods with them. Luckily, he was able to cancel the remaining deliveries.

But as he was to discover, he had to pick up the £3000 tab when the card company put through a chargeback. Burley said he was shocked by the company's approach.

"They did not want to know anything or care," he said. "They have nothing to lose. If the card is used fraudulently, the card company simply collects the money back from the retailer via a chargeback. It is the retailer who pays for card fraud, and ultimately the customer through higher prices."

In the wake of the experience, he took on the service from The 3rd Man, and said it has killed fraud completely. "Every time we have had a transaction flagged as red, it has been a fraud," he said.
