Phantom Deceptions
The complexities of dealing with the rising threat of card-not-present fraud, which encompasses internet, phone and mail fraud, are a growing concern for online resellers across the UK
Light-fingered: Catching cyber criminals is increasingly tough now that online fraud is more professional than ever.
Ten years ago, card-not-present (CNP) fraud cost the UK only £10m a year and represented less than 10 per cent of all fraud committed using UK issued cards.
Last year CNP fraud grew 37 per cent on 2006 and the cost has now spiralled to £290.5m. For the first time, this accounts for more than half of the total cost of fraud in the UK.
UK fraud totalled £535.2m last year, according to annual figures published last month from the Association for Payment Clearing Services (Apacs). This represents an increase of a quarter on the previous year, after having fallen in both 2006 and 2005.
Mark Bowerman, representative for Apacs, said: “The vast majority of the cost of CNP fraud is borne by the retailers. One of the main things online retailers can do is sign up for systems like Verified by Visa or Mastercard Securecode these are very good initiatives to implement.”
The two schemes were launched in the UK in 2002 to combat card fraud and shift the liability for the cost of fraud from retailers to card issuers. Cardholders signing up for the schemes can protect their purchases with a password, but if consumers choose not to take part, retailers are still at risk.
Akif Khan, head of client and technical services for payment management company Cybersource, said: “Banks really need to increase their push to get more customers involved. Trying to persuade a customer to remember another password when they know that if they have their card stolen, they will be refunded, is a tough sell.”
Apacs’ annual figures revealed counterfeit card fraud rose steeply in 2007, having fallen consistently since 2001 and dropped off sharply after the chip-and-PIN rollout in 2004. Fraud using lost or stolen cards has also been affected by the introduction of chip-and-PIN technology.
As recently as 1996, this fraud accounted for 62 per cent of all UK fraud, but it now represents little more than 10 per cent after falling 18 per cent last year, its third consecutive annual decline.
While the chip-and-PIN rollout has dramatically reduced face-to-face retailer and cash machine fraud in this country, the overall cost of fraud is at an all-time high as criminals turn to new methods.
In addition to the hike in CNP fraud levels, 2007 saw a 77 per cent rise in fraud abroad, mostly perpetrated in countries yet to introduce chip-and-PIN. This includes the US, which is now by far the biggest hotspot for overseas fraud, followed by Italy, Australia, France and Spain.
“The objective of the chip-and-PIN implementation was to reduce customer present fraud and it has been successful. But fraud is a bit like the air bubble under the carpet, if you stand on it, it appears somewhere else,” said Cybersource’s Khan.
Lines of responsibility
Some retailers have criticised the police for its approach to tackling CNP fraud, but Cybersource’s 2008 UK Online Fraud report reveals that just four per cent of consumers believe the police should be responsible for ensuring the safety of online transactions, compared with 24 per cent who would hold retailers accountable.
Nineteen per cent would charge ISPs with responsibility, while 13 per cent think banks should be culpable and nine per cent believe it is the government’s remit.
Stewart Hayward, commercial director of online reseller WStore, said: “If we have a customer with the clear intent to rip us off, we generally will not even bother informing the police. It is a frustration of ours that the police do not seem to want to take action.”
Khan sympathises with the difficulties police face when combating online fraud. “One of the main difficulties is that it is easy to commit fraud, but difficult to apprehend people,” he said. “We may be defrauded by someone overseas.”
David Hobson, managing director of security reseller GSS, also believes law enforcement faces an uphill struggle.
“There is a general lack of resources in the police to tackle internet crime. And it is invisible, which makes it harder to solve.”
Online retailers have a number of options when it comes to dealing with internet fraud. Automated anti-fraud tools are increasingly popular, but manual review by staff is still a favoured approach for many firms, particularly large businesses.
The Cybersource report indicates that 78 per cent of large merchants use a manual review system and Khan claimed that small and large businesses feel the cost of fraud in different ways. “Smaller merchants feel the loss of each individual fraudulent order that much harder; it affects their bottom line,” he said.
“For large businesses the indirect costs of managing fraud are a big factor. It all costs money to provide employment to people, paying for third-party tools, it all adds up.”
Hobson indicated that online retailers need a comprehensive approach to fraud management. “The automated tools cover a lot more ground faster, but you always need the manual tool to back that up,” he said.
“From a purist point of view, you should have as many checks as possible, but if you are commercially driven you have to find a happy medium that recognises cost versus benefit. You must balance risk against cost to the business,” he added.
The Malicious Code Research Center (MCRC), run by security vendor Finjan, reported a disturbing trend in online crime this month.
It suggested that crimeware, in common with mainstream software, is moving towards a managed service model. This allows online criminals to access a crimeware infrastructure without having to run their own server and operators that host the service need not take part in any criminal activity as they only provide the necessary framework.
Clever tactics
The MCRC predicts that online crime will be increasingly commercialised as crimeware toolkits become more sophisticated.
Yuval Ben-Itzhak, chief technical officer at Finjan, said: “The security industry and law enforcement agencies should take an innovative approach to handling threats. Cyber- criminals continue to adapt legitimate technologies and business models.”
There are now thousands of UK retailers selling online and starting an online business is easier than ever. But Hobson believes people should have to go through more stringent processes before being allowed to trade on the internet.
“It has been too easy for people to sell online. The only way you can set up is with a bank’s help. The banking system could control a lot,” he said.
Worryingly for online startup businesses, the Cybersource report reveals that 82 per cent of people will only shop online with a reputable retailer. But Khan believes there are still opportunities for entrepreneurs who can differentiate themselves in the crowded market.
“The building of web sites is a commoditised industry so selling online is easier than ever. We have seen smaller merchants growing into medium-sized merchants. If you have a valid and distinctive business offering, you can grow your business,” he said.
Phil McCabe from the Forum of Private Business said: “Small businesses in the IT industry should not be afraid of marketing what they offer and they should offer what is unique or necessary in their local market.”
WStore’s Hayward believes online resellers concerned about the rise of CNP fraud can take simple steps to assuage their fears. “Fraud is always a concern, but it is relatively simple to defend against. There are common-sense triggers.”
“I do not believe that CNP fraud is any worse now than it was a year or two ago. We are in an industry that is constantly evolving, the methods change and we become better at coping with them.”