Fraudsters are cleaning up

Cleaner transaction data is making it easier for fraudsters to slip their activities past legitimate businesses, notes Akif Khan

What's the difference between a customer and a fraudster? Unfortunately this isn't the start of a joke, and sometimes the answer is ‘Not a lot’. At least based on what an online merchant can see from the data captured in a transaction.

To bypass merchants' automated security systems, fraudsters try to appear as much like ‘real’ customers as possible. As ever greater levels of sophistication have been added to payment processes and fraudsters have responded, the bar has moved higher. Now the race is on to add further layers of protection without damaging genuine customers' experiences.

Very basic fraud screens simply look at the customer's card data. Fraudsters may once have only had some of this information, and filled in the blanks using online resources or number generators, trying multiple variations across multiple stores until they succeeded.

Online merchants then started requesting additional information, like the card verification number, and began linking transactions to the cardholder's address. Adding velocity checking - looking at how many times the card had been used across a number of merchants within a given time - further reduced the chances of success for scattergun attempts at fraud.

Fraudsters then began acquiring and using real card data, complete with card verification number and genuine cardholder addresses, focusing on making smaller numbers of high-value transactions without tripping velocity checks.

Matching IP addresses to customer locations and even applying basic ‘fingerprint’ technology to the computers helped capture an array of information and match it with previous transaction histories. But today fraudsters are even finding ways around these checks.

Botnets can bypass these controls. With a botnet, a huge range of locations and IP addresses can be used, and device identities replicated. Combine this capability with real customer data and it can become more difficult to distinguish real customers from fake.

One option is to increase the sensitivity of the range of tests, but this can carry risks. The false positive rate could rise, rejecting too many real customer orders and encouraging acceptance of fraudulent ones. Usually each transaction considered suspicious will be manually reviewed, but flagging more transactions can affect the consumer's experience if this is not carefully managed.

Simply making current controls more sensitive may ultimately reduce profits and damage customer relationships. Our 2011 online fraud report found that merchants' average order reject rate has indeed increased, and yet the proportion of fraudulent orders accepted has also risen.

So what is to be done?

Channel providers should consider offering organisations more automated screening mechanisms, such as more sophisticated fraud detection tools. The latest device fingerprinting technology includes packet signature inspection, which can identify if a device is operating behind a proxy (used to disguise certain features or spoof a computer's true identity and location) or displaying behaviour associated with machines under the control of another device (such as sending out spam, or scanning firewalls for weaknesses).

If these things appear to be happening, the merchant's fraud screen (which incorporates device fingerprinting) can attempt to ascertain additional information about the controlling device, including whether or not it has been previously profiled by the technology, and its true IP and geolocation characteristics.

Combining and cross-referencing this additional data with the appropriate global data sources - such as feeds of known infected computers, or global transaction history - can help to identify a fraudulent order, even if the address, card and IP information appear clean. For example, it may detect if a particular device fingerprint has been seen with multiple credit card numbers, or if the same true IP address has been hidden behind multiple proxy IP addresses.
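The two cross-references named above, sketched as an added example (not code from the article or from CyberSource). The order records, field names and thresholds are assumptions constructed for illustration; `true_ip` stands for the address a fingerprinting tool reports behind a proxy.

```python
from collections import defaultdict

# Constructed sample orders. Field names are assumptions for this example:
# card_token = tokenised card number, device_fp = device fingerprint,
# seen_ip = IP the order arrived from, true_ip = IP recovered behind a proxy.
ORDERS = [
    {"id": "A1", "card_token": "c-001", "device_fp": "fp-aaa", "seen_ip": "192.0.2.10", "true_ip": "192.0.2.10"},
    {"id": "A2", "card_token": "c-001", "device_fp": "fp-aaa", "seen_ip": "192.0.2.10", "true_ip": "192.0.2.10"},
    {"id": "B1", "card_token": "c-101", "device_fp": "fp-bbb", "seen_ip": "198.51.100.5", "true_ip": "203.0.113.9"},
    {"id": "B2", "card_token": "c-102", "device_fp": "fp-bbb", "seen_ip": "198.51.100.6", "true_ip": "203.0.113.9"},
    {"id": "B3", "card_token": "c-103", "device_fp": "fp-bbb", "seen_ip": "198.51.100.7", "true_ip": "203.0.113.9"},
    {"id": "C1", "card_token": "c-201", "device_fp": "fp-ccc", "seen_ip": "198.51.100.20", "true_ip": "203.0.113.50"},
    {"id": "C2", "card_token": "c-202", "device_fp": "fp-ddd", "seen_ip": "198.51.100.21", "true_ip": "203.0.113.50"},
    {"id": "C3", "card_token": "c-203", "device_fp": "fp-eee", "seen_ip": "198.51.100.22", "true_ip": "203.0.113.50"},
]

def cross_reference(orders, max_cards_per_device=2, max_proxies_per_true_ip=2):
    """Return {order_id: [reasons]} for orders linked by device or true IP."""
    cards_by_device = defaultdict(set)
    proxies_by_true_ip = defaultdict(set)
    for o in orders:
        cards_by_device[o["device_fp"]].add(o["card_token"])
        if o["seen_ip"] != o["true_ip"]:  # order arrived via a proxy
            proxies_by_true_ip[o["true_ip"]].add(o["seen_ip"])

    flagged = defaultdict(list)
    for o in orders:
        # One fingerprint presenting more distinct cards than the threshold.
        if len(cards_by_device[o["device_fp"]]) > max_cards_per_device:
            flagged[o["id"]].append("device_seen_with_multiple_cards")
        # One true IP hidden behind more distinct proxy IPs than the threshold.
        if len(proxies_by_true_ip[o["true_ip"]]) > max_proxies_per_true_ip:
            flagged[o["id"]].append("true_ip_behind_multiple_proxies")
    return dict(flagged)

if __name__ == "__main__":
    for order_id, reasons in sorted(cross_reference(ORDERS).items()):
        print(order_id, ", ".join(reasons))
```

Orders C1 to C3 each carry a different card and a different fingerprint, so they look clean individually; only the shared true IP ties them together.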

As ever, the fraudsters continue to evolve their practices, and so must the wider e-commerce community. Yet our annual online fraud report suggests that only seven per cent of merchants may have yet implemented any form of device fingerprinting. This may represent an opportunity for channel players working with retailers and other merchants.

Akif Khan is director for products and services at CyberSource