Retail Security: The Merchant’s Need to Employ Creative Methods
A misperception often shared by retailers and the public alike is
that e-commerce losses to fraud are growing like wildfire. In fact, fraud
losses, at least as a percentage of online sales, have remained just about the
same for the last three years: 1.4%. But as e-commerce sales have grown, that
steady percentage of fraud has meant that dollar losses have inexorably climbed
as well. Last year, retailers and other entities engaging in e-commerce in
North America lost an estimated $4 billion to fraud, an alarming 11% increase
over the year before.
So there is little inclination on the part of retailers to relax
their e-commerce vigilance. The problem is how best to spread always-limited
anti-fraud budgets over the available tools and processes. It’s a challenge for
the largest merchants and it can drive smaller organizations to distraction.
"What retailers don't always realize in today’s world is that
fraud prevention and detection are becoming very complex," says Brent
MacLean, senior security manager for J.B. MacLean Consulting Inc. "Having
fraud detection tools in place is only one piece of a very complicated puzzle.
If those tools are not properly applied and interpreted properly or are too limited
in their scope, they are not going to be that effective in combating this
growing problem."
According to MacLean, to effectively combat fraud, retailers need
to create an automated, multi-layered fraud detection strategy that casts a
broad but fine net over fraud. The desired end result? Maximize sales, minimize
fraud, and reduce expensive manual review.
"When applying fraud detection tools, retailers need to think
in 4D (four dimensions) of fraud detection: global validation, single merchant
purchase history, multi-merchant purchase history, and purchase device
tracing," MacLean says. According to security studies across the globe,
most merchants concentrate their fraud detection efforts on one or two
dimensions, which limits their ability to assess the true risk of retail
transactions.
"Performance has less to do with the number of fraud
detection tools used and more to do with the dimensions of detection to which
the tools are being applied," says MacLean, senior manager. "The
important thing is to apply necessary detectors in such a way that limits
fraudsters in such a way that there is less of a chance of them being able to
replicate an individual's identity."
The most commonly applied dimension of fraud detection is global
validation, which is a first-pass attempt to verify that a) the customer is actually
in possession of the credit card being used to make the purchase, b) the
cardholder is who he or she claims to be, and c) the card itself is legitimate.
These detection techniques take place in conjunction with the authorization and
for the most part are transparent to the customer.
Global validation techniques include CVV, AVS, payer
authentication, delivery address and phone number verification. CVV (cardholder
verification value) is a three-digit code found on the back of the credit card
that is used to verify the customer is in possession of the card during
checkout. AVS (address verification service) matches the billing address
provided by the customer to that on file at the card-issuing bank. Payer
authentication requires customers to enter the password they established for
their account. Delivery address verification uses unique elements of an
address, such as apartment numbers, suite numbers, and post office boxes, to
verify a shipping address. All these help merchants to verify the authenticity
of the cardholder in diligent and continued efforts to reduce fraud across the
board.
"Retailers want to know if the delivery address is valid and
whether the account data provided correlates to the customer before they
complete the sale," MacLean says. "But this is just the starting
point. If this is all retailers do to detect fraud, they will begin to see
significant improvements on the number of frauds perpetrated. There is an
entire underground industry built around stealing data to fool global
validation tests, and selling that data to fraudsters, so merchants need to go
beyond these simple tests." "We need to be vigilant on these procedures if
we are going to combat this growing threat," MacLean says.
The second dimension of detection is single-merchant purchase
history. Here, using systems trend monitoring, retailers monitor the
purchase patterns of customers at their own web site, assessing whether the
frequency or volume of purchase (product and/or dollars within a certain
timeframe) is out of the ordinary. Here the retailer also checks whether the
identity of the purchaser matches a positive list (customers known to be good
to that retailer) or a negative list (known bad identities based
on the retailer's own experience with the customer).
The third dimension of detection is multi-merchant purchase
history. In 1995, merchants began building a database that tracks purchase
behavior across multiple merchants, demographics, and other sources of
information, and provides a risk assessment model retailers can use to gauge the
risk of a transaction by correlating dozens of order details across merchants
and over time to identify suspect patterns, a very valuable tool for retailers.
For example, the service would help retailers flag an order if a
customer's name is attached to more than one credit card used for a prior
purchase, as well as different shipping or billing addresses, even if that
merchant had no history with that customer. "What we are looking for are
activity patterns across large groups of names, addresses or card
numbers," MacLean says. "Criminals will often work several card
accounts simultaneously and will mix and match customer names with credit card
account numbers and shipping and billing addresses to avoid detection. This
identity morphing is common, but hard for individual retailers to
identify."
"Criminals are getting smarter and creative. Instead of
hitting a single retailer in rapid fire succession, they are spreading out
fraudulent purchases over a larger base to avoid detection longer,"
MacLean says. "The goal is to spot the common element across multiple
transactions. It's rare that criminals will have new customer and billing
information for every fraudulent transaction they attempt."
Still, some criminals do succeed in avoiding detection when using
stolen card information. To counter this, a fourth dimension of detection is
required: purchase device tracing. The aim of this dimension is to trace the
network and device being used to make the purchase and understand
inconsistencies in that digital identity. This method enables retailers to
digitally trace the device the fraudster is using to access the retailer's web
site and initiate the transaction.
The technique, known as device fingerprinting, identifies traits
specific to a computer or wireless Internet device.
To gather these identifiers, merchants insert code into their
order page instructing the web site to capture the device-specific traits.
Traits making up a device's fingerprint are visible when the device is
communicating with a web site. The tracking code does not identify any personal
information about the user. By identifying a device's fingerprint, retailers
can determine when a fraudster is attempting to make multiple orders with the
same device, even if he or she is using different customer names, account data,
etc., for each transaction.
"Every computer or wireless Internet device has specific
characteristics and there are enough that can be passively gathered to create a
fingerprint," explains MacLean. "Matching these traits to
transactions provides a higher level of security against fraud."
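The following added example (not from the original article or from any vendor's product) sketches the "common element" check described for the multi-merchant and device-tracing dimensions: it pools orders from several merchants and reports any name, card, shipping address or device fingerprint tied to several distinct values of another field. The field names, sample orders and the `min_distinct` threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample orders pooled from several merchants (all values invented;
# "card" holds a token, never a raw card number).
ORDERS = [
    {"id": 1, "merchant": "A", "name": "J. Doe", "card": "card-01", "ship": "12 Elm St", "device": "fp-aa"},
    {"id": 2, "merchant": "B", "name": "J. Doe", "card": "card-02", "ship": "9 Oak Ave", "device": "fp-aa"},
    {"id": 3, "merchant": "C", "name": "M. Smith", "card": "card-03", "ship": "9 Oak Ave", "device": "fp-aa"},
    {"id": 4, "merchant": "A", "name": "R. Lee", "card": "card-04", "ship": "4 Pine Rd", "device": "fp-bb"},
    {"id": 5, "merchant": "A", "name": "R. Lee", "card": "card-04", "ship": "4 Pine Rd", "device": "fp-bb"},
]

FIELDS = ("name", "card", "ship", "device")

def common_elements(orders, min_distinct=2):
    """Report each value (the common element) that is tied to at least
    min_distinct different values of some other field across the pooled orders."""
    seen = defaultdict(lambda: defaultdict(set))  # (field, value) -> other field -> values
    ids = defaultdict(set)                        # (field, value) -> order ids
    for o in orders:
        for pivot in FIELDS:
            key = (pivot, o[pivot])
            ids[key].add(o["id"])
            for other in FIELDS:
                if other != pivot:
                    seen[key][other].add(o[other])
    findings = []
    for key, others in seen.items():
        varied = {f: len(v) for f, v in others.items() if len(v) >= min_distinct}
        if varied:  # same element, several identities: possible identity morphing
            findings.append({"pivot": key, "orders": sorted(ids[key]), "varied": varied})
    return findings

def flag_order(new_order, history, min_distinct=2):
    """Return the common elements that make new_order suspect, even when the
    receiving merchant has no history of its own with this customer."""
    hits = common_elements(history + [new_order], min_distinct)
    return sorted(h["pivot"] for h in hits if new_order["id"] in h["orders"])
```

A household sharing one computer or a customer with two cards will also match at `min_distinct=2`, so a hit is a reason for closer scoring rather than automatic rejection.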
Once retailers thoroughly understand the effectiveness of using
four dimensions of fraud detection, they can apply them in combinations
appropriate for the product category and market being served (fraud patterns
and purchase behaviors differ by culture). Doing so not only prevents fraud,
but can also reduce the risk of rejecting valid orders. As an example, if one
dimension indicates a potentially fraudulent transaction, but the customer has
made prior purchases without triggering a red flag, the retailer may want to
apply a stronger detection method to assess the transaction at a more granular
level.
"Sometimes good customers can unwittingly take actions that
trigger a red flag," MacLean says. "That means detection methods have
to be more sophisticated and aggressive to determine the validity of a red
flag. The idea is to be more precise, and not taking a broad-brush approach to
fraud prevention or putting a high percentage of transactions under manual
review."
Most retailers lack the resources to manually review a large
percentage of suspect transactions. "Relying too heavily on manual
techniques for advanced fraud detection will strain a merchant's ability to
keep up with the expected increase in fraud attempts," MacLean says.
By adding more sophisticated tools that help automate fraud
detection, retailers can thoroughly review more transactions with fewer staff
resources. That's good news for retailers facing the prospect of staff
restrictions.
"Manual fraud screening is time-consuming and expensive and
retailers can't scale their staff to meet the growth in transaction
volume," MacLean says. "The more automation retailers bring to fraud
screening, the more effective they will become at fraud prevention and serving
their customers."
Technology is advancing at exponential and alarming rates, and it is hard to
keep up with the creativity of the common criminal. We have to become
continually more vigilant against the creativity of the online hackers and
criminals who seek to circumvent these security policies, policies that need
our daily attention and modification if we are to keep the fraud levels to a
minimum. It is a daily process and should become part of everyone's
lifestyle, a reality that we now have to embrace as technology has embraced
mankind. It is here to stay.