Online Fraud Prevention 101

With simple ecommerce pricing packages available and shopping cart solutions that require no technical skills to set up an online store, more and more Canadian businesses are selling over the web.  According to Visa Canada, card-not-present fraud accounted for 80% of total fraud[1] last year, and in 2015 it’s estimated that Canadians lost approximately $2 billion to cybercrime[2]. With a combination of tactics and the right fraud prevention tools in place, ecommerce merchants can protect themselves from a number of different fraud schemes.

The most common types of fraud

Let’s take a look at some of the most common types of card-not-present fraud:

  • Account Takeover – This takes place when a fraudster gains control of a customer’s credit card or bank account and makes purchases using the stolen account. Often fraudsters will pretend to be the cardholder when using the stolen credit card to make purchases (this is known as identity theft).
  • Phishing – Phishing is one of a number of ways that fraudsters steal account information. Phony websites, emails, and text messages are created in an attempt to steal personal information and credit card numbers. Phishing is often done in combination with:
    • Pharming – Used to gain access to information through browser manipulation by directing a consumer to a fraudulent website; and
    • Malware – Used to damage or disrupt a computer system through the use of a virus, Trojan horse, or spyware.

Many fraudsters purchase stolen credit card numbers from websites that allow anyone to buy and sell lists of card numbers.

  • Card Testing Fraud – Occurs when fraudsters obtain stolen credit card information and test them on a merchant’s website to check whether the card is valid. Fraudsters often test these cards using automated programs called bots and scripts, creating a large number -- hundreds, even thousands -- of fraudulent, low-value transactions for the merchant to clean up. The process of reversing all of the fraudulent test transactions, separating the good transactions from the bad, and ensuring that there are no future chargebacks is tedious and costly for merchants that are exposed.
  • Friendly Fraud – This is when a customer uses a credit card to make a purchase, and then disputes the charge with their credit card company once the item(s) are received. There are two types of friendly fraud: deliberateand accidental. Deliberate friendly fraud occurs when a customer intentionally attempts to obtain an item for free whereas accidental friendly fraud can occur when a customer does not recognize a charge on their statement.

How to detect and reduce ecommerce fraud

Detect Address Mismatches

Address Verification Service (AVS) is one type of prevention tool for identity fraud. The address the customer provides during checkout is cross-referenced with the address the customer’s card issuer has on file. If the address details match, there’s less risk that the card data has been stolen. AVS can be effective, but it’s not a fool-proof solution - you should use multiple validation tools to solidify ecommerce transaction security

Know your customer

Understanding the habits of customers and taking steps to identify abnormal activity can help strengthen your internal fraud strategy. Unusual orders should be flagged for further evaluation. This may include:

  • Unusually large orders – for example, if the average order size is $40 but you receive an order for $900
  • Multiple orders of the same product
  • Similar or duplicate products included in one order
  • Items that can easy be resold by a fraudster or easily exchanged for cash (e.g. electronics, jewelry, high-end fashion)

Enforce the Use of Card Verification Value (CVV)

Enforcing the use of the CVV – a 3 or 4 digit code, typically on the back of credit cards, which verifies the purchaser is in possession of the card – acts as another barrier for fraudsters targeting your website. It is harder and more expensive for fraudsters to get both the credit card numbers and CVVs. This simple tool will help reduce the number of fraudulent purchases and may even prevent card testing attacks on your website.

Real-Time Cardholder Authentication (3D Secure)

This security feature redirects the customer to an authentication page where the customer will be asked to verify their identity with their issuing bank. Once the customer’s identity is confirmed, the transaction is processed.

Collectively known as 3D Secure, the major card brands each have a version of this solution:

Using real-time authentication (3D Secure) will assist with fraud-related chargebacks and card testing attacks on your website.  However, each additional step at checkout reduces the conversion rate of browsers to buyers.  Research has indicated that 3D Secure merchant accounts may fail to finalize up to 30% of sales.  Prior to installing this solution merchants should review their fraud-related chargebacks and evaluate whether the cost of the added friction is worth implementing 3D Secure.

Final Thoughts

Employing fraud prevention measures may seem resource intensive but they are important when you consider the cost of fraud to your business (chargebacks, lost time, penalties, lost inventory, lost customers, etc.) As fraud continues to evolve, a layered security approach works best to help prevent it. Implementing both fraud prevention tools and tactics will ensure maximum protection of your ecommerce website.

Sources

[1] http://www.visa.ca/en/aboutcan/mediacentre/news/fraud-prevention-tools.jsp#_ednref2

[2] http://canada.creditcards.com/credit-card-news/images/012116%20NortonReport_2015_Canada_Stats%20Sheet.pdf

 

Patrick Brophy, CPP
Product Manager, Online Payments
Moneris Solutions

As the Product Manager for Online Payments at Moneris, Patrick is responsible for ecommerce and omni-channel solutions, most notably the Moneris Gateway.  With 13 years of experience in the payments industry and a focus in integrated and emerging customer solutions, Patrick carries a broad expertise on many subjects important to the online merchant experience.