Don’t get caught out by cybercriminals

3 August 2011

By Sascha Breite,
head of the e-commerce competence centre,
SIX Card Solutions

In the past few years, payment fraud levels have on the whole been decreasing thanks to industry-wide efforts to combat this criminal activity. However, the recent actions of hacking groups Lulz Security and Anonymous have put the threat of card-not-present (CNP) fraud firmly back in the spotlight. Their cyber attacks on the likes of the Sony PlayStation network and Citibank, in which millions of users had their personal details, including credit card information, stolen, have made front page news around the world. Yet while there has been much speculation about the potential impact this type of fraud could have on consumers, there has been little coverage of the effects of CNP fraud on businesses.

Once a criminal has thousands of stolen credit card details in their possession, they typically start the process of determining which ones can be used for genuine online payments. Fraudsters can employ different methods to do this, but one that is growing in popularity is to place fake orders on a retailer’s website to find out which cards are enrolled in 3-D Secure and therefore require a password to verify a payment. Fraudsters do this by building an automated script that pushes out as many orders as possible to the merchant site they have identified as a target, usually one that accepts credit card payments.

Of course, there are tools available to merchants to help them detect these robot scripts, or to see whether an unusual number of transactions is arriving from the same IP address in quick succession. Once merchants become aware of the suspicious activity, they can thwart the attempted fraud by blocking the IP address, either permanently or for a designated period of time. However, while businesses can reject the fake orders, the result is that online stores become a “credit card screening tool” for criminals, who then go on to place real orders elsewhere. This means that the merchant shop effectively becomes an instrument that enables fraudsters to defraud other merchants and consumers.
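The velocity check described above, as an added illustration that is not part of the original article: order attempts are screened per source IP over a sliding one-minute window, and an IP that fires too many attempts or cycles through too many distinct cards is blocked for a fixed period. The log line format, the thresholds and the 15-minute block are constructed assumptions, and the sample log is made up.

```python
# Added example (not from the article): per-IP velocity check for scripted
# card-testing orders. Log format, thresholds and the 15-minute block are
# constructed assumptions.
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_ATTEMPTS = 5            # attempts allowed per IP inside WINDOW
MAX_DISTINCT_CARDS = 3      # many different cards from one IP: card-testing signature
WINDOW = timedelta(seconds=60)
BLOCK_FOR = timedelta(minutes=15)   # the "designated period of time"

def parse_line(line):
    """'<ISO timestamp> ip=<addr> card=<hashed PAN> result=<ok|declined|3ds>'"""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts_str), kv["ip"], kv["card"]

def screen_orders(lines):
    """Return {ip: block_expiry} for IPs exceeding the thresholds.

    Attempts arriving while an IP is blocked are dropped; the sliding
    window keeps only attempts from the last WINDOW seconds.
    """
    window = defaultdict(deque)   # ip -> deque of (timestamp, card)
    blocked = {}
    for line in lines:
        ts, ip, card = parse_line(line)
        if ip in blocked and ts < blocked[ip]:
            continue
        q = window[ip]
        q.append((ts, card))
        while ts - q[0][0] > WINDOW:
            q.popleft()
        if len(q) > MAX_ATTEMPTS or len({c for _, c in q}) > MAX_DISTINCT_CARDS:
            blocked[ip] = ts + BLOCK_FOR
            q.clear()
    return blocked

# Constructed sample: a script cycling through stolen cards, and one normal shopper.
SAMPLE_LOG = [
    "2011-08-03T10:00:00 ip=203.0.113.7 card=h1a2 result=3ds",
    "2011-08-03T10:00:01 ip=203.0.113.7 card=h3b4 result=declined",
    "2011-08-03T10:00:02 ip=203.0.113.7 card=h5c6 result=ok",
    "2011-08-03T10:00:03 ip=203.0.113.7 card=h7d8 result=3ds",
    "2011-08-03T10:00:30 ip=198.51.100.9 card=hzz1 result=ok",
    "2011-08-03T10:05:00 ip=198.51.100.9 card=hzz1 result=ok",
]
```

Running `screen_orders(SAMPLE_LOG)` blocks only the scripted source; the repeat shopper falls outside the window and is left alone.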

In addition, the process of filtering good from bad orders naturally takes time away from the important day-to-day running of the business. Not only is this an inconvenience but it can also have serious consequences on business efficiency. However, for online businesses that do not utilise 3-D Secure the cost of CNP fraud can be far greater as they become liable for the fraud rather than the cardholder’s bank.

While European legislation has made it compulsory for all new merchants in the region to employ 3-D Secure in order to obtain an acquiring contract, there are many reasons why a merchant may not offer 3-D Secure. For example, some of the online businesses established before the regulation came into force are still not obliged to implement a 3-D Secure programme. What’s more, some online businesses are dissuaded from taking advantage of the scheme if they are looking to expand internationally. While “MasterCard SecureCode” and “Verified by Visa” are powerful tools in the battle against fraud, not all card issuing banks have enrolled their cardholders in 3-D Secure. This is especially true in countries where the issuing and acquiring bank is one and the same: liability lies with that bank either way, so the business case for investing in 3-D Secure diminishes. The result is that a merchant growing cross-border can often come up against customers who are unfamiliar with 3-D Secure. For example, in France only one cardholder in eight is registered with a 3-D Secure scheme. Those unregistered consumers can be deterred from completing a purchase when prompted to use 3-D Secure to verify a transaction. In Spain, the number of orders unfulfilled due to this issue sits between 40 and 60 per cent. As a result, merchants might disable 3-D Secure on their websites to increase the order rate in these countries. While this will help sales in these new markets in the short term, it will obviously increase their exposure to fraud and thus their liability. In light of the recent hacks by Lulz Security, a move like this could potentially be disastrous for many merchants and lead to high charge-back rates.

The solution for these merchants is to employ tools that detect, once a debit or credit card enters the payment system, whether the issuing bank has a good track record of encouraging cardholders to enrol in a 3-D Secure scheme, and then recommend to the merchant whether or not to deactivate the 3-D Secure process for that transaction.

However, 3-D Secure is only effective for e-commerce transactions and does not apply to businesses that still take orders via the telephone or by mail. Not only do fraudsters find it easier to place orders using stolen card information via these channels, but merchants also face the issue of having to protect that data and prevent it from being stolen from their systems too. This is because when card details are entered via these channels they are typically stored on insecure platforms such as Excel spreadsheets, which can easily lead to the information being intercepted or leaked. The launch of the PCI (Payment Card Industry) programme has been a successful initiative in forcing merchants to reassess their IT processes and infrastructure and ensure that their card payment processing is secure. Specifically, merchants with a high volume of transactions are increasingly becoming aware of the risks associated with handling credit card data and the potential fraud losses that can arise if card data is stolen from their systems. This will, in turn, help increase consumer confidence and thus help increase revenue.

However, there are still some small to medium-sized enterprises (SMEs) that do not have a complete overview of their credit card processing and continue to store card details on their systems unencrypted. One of the main reasons for this is the cost of being PCI compliant or, quite simply, a lack of awareness of the risks. This can result in security holes that can be exploited by intruders, or even by employees, for criminal purposes. It can also lead to unnecessary penalties for merchants who are not PCI compliant and are therefore liable for the risk and have to pay the price.

In light of these numerous issues, merchants need to be proactive in their security strategies and have suitable risk management applications in place, not only to better protect themselves from fraud but also to ensure their sites are not inadvertently being misused to aid fraudsters. Coupled with this, merchants need to keep costs down and business fluid, so achieving a fine balance between higher revenue and fewer charge-backs is crucial. Only then can merchants ensure that they are not caught out by the growing wave of sophisticated cyber criminals.
