Detecting and preventing online fraud is like fighting neighborhood crime. Residents can put locks on doors and windows, install a security system to detect intruders, and train a dog to monitor the yard. If a break-in occurs despite those precautions, police will investigate and track down any suspects. A local organization may help deal with the loss and provide educational material to help prepare for the future.
But putting police cars on the streets to drive through the neighborhood and thwart break-ins before they happen is a rarity.
The fight against online fraud is similarly structured, with a variety of commercial and nonprofit organizations that specialize in educating consumers, setting e-commerce standards for e-tailers and releasing software designed to nab fraudsters in their tracks.
But despite the existence of coalitions, agency watchdogs, security firms and technology solutions, the fight against fraud currently seems like a losing battle.
Pressing Problem
In 2001, more than US$700 million in online sales was lost to fraud, representing 1.14 percent of the $61.8 billion annual sales total, according to a GartnerG2 study released earlier this year. The study also showed that fraud occurred online 17 times more often than in the real world.
Of the more than 51,000 complaints fielded by the Internet Fraud Complaint Center last year, 9.4 percent were related to credit and debit card fraud, with an average loss per complaint of $450.
In terms of watchdog agencies that monitor e-commerce fraud, “there isn’t much [out] there — and it’s a problem. Millions of credit card numbers have been compromised because of weak security on e-commerce sites,” GartnerG2 research director Rich Mogull told the E-Commerce Times. “The real goal should be to stop it before it hits that level.”
Relaying Information
That is not to say the e-commerce field is devoid of fraud fighters. In addition to the Federal Bureau of Investigation (FBI) and the Federal Trade Commission (FTC) in the United States, several agencies work to filter information among law enforcement agencies, consumers and e-tailers, although they may not be able to stop fraud in its tracks.
For example, the Internet Fraud Complaint Center, created by the FBI and the National White Collar Crime Center, funnels consumer complaints about online fraud to the proper federal agencies. The IFCC also sends periodic warning bulletins to consumers, focusing on how to recognize malicious or irresponsible e-commerce Web sites and other types of fraud.
The National Fraud Information Center/Internet Fraud Watch (NFIC/IFW), operated by the National Consumers League, also functions as an e-commerce watchdog for consumers. “What we do at the fraud center is give people advice and relay consumers’ reports about suspected telemarketing and Internet fraud to law enforcement agencies,” Susan Grant, director of the group, told the E-Commerce Times.
Within the United States, the NFIC/IFW has lobbied for federal and state laws that would apply to e-commerce and would resemble telemarketing sales rules. “It would be good to have legal rules of the road for e-tailers that would make it easier for states and the federal government to go after companies for misleading and deceptive practices,” Grant said.
International Organizations
Grant also pointed to several international organizations the NFIC/IFW is involved with that are working toward the same goal of reducing e-commerce fraud and protecting consumers online, including the Transatlantic Consumer Dialogue and the Organization for Economic Cooperation and Development.
One method of monitoring the safety of e-commerce waters, she added, involves an international e-commerce shopping test sponsored by Consumers International. In the test, members of consumer groups go online to make 100 test purchases, returns and refunds, then report their findings to the agency.
While the report functions as a tracking device for the entire e-shopping experience, it also notes, for instance, that in almost one out of every 10 test cases, money for returned items was never refunded — and in 6 percent of test cases, ordered items were never shipped.
And then there is the Worldwide E-Commerce Fraud and Prevention Network, which has more than 3,000 corporate and institutional members focused on informing and educating merchants about e-commerce fraud.
Patrolling the Streets
Despite the wide variety of groups attempting to remedy or keep tabs on Internet fraud, analysts say that agencies that scan the Web to pinpoint fraudulent e-commerce activities as they are perpetrated are virtually nonexistent.
“No one has responsibility for this today — and consumers should protect themselves by doing research, monitoring their credit, and reporting fraud to the FTC or FBI if it is a criminal matter,” Mogull said.
Likewise, while existing watchdog groups may be helpful, Aaron McPherson, research manager of financial services and payment strategies at IDC, said he believes they best “inform people and inform merchants about how to defend themselves and what to watch for.”
At the Software Level
In addition to agencies and coalitions, security companies also have made efforts to introduce e-commerce products that can protect online transactions and increase consumer confidence. Among those companies is VeriSign, which last week announced a partnership with MasterCard to offer password-enabled credit card transactions.
When using a MasterCard at an e-tail site that has the Universal Cardholder Authentication Field program in place, customers must enter a password to verify that the card is valid and in use by its owner.
“We see that the MasterCard program helps close the remaining gap in credit card security. We are connecting consumers to their cards, and … that eliminates a major source of fraud today,” Barry McCarthy, vice president and general manager at VeriSign Payment Services, told the E-Commerce Times.
In fact, MasterCard is so confident that the UCAF system will reduce fraud that it has shouldered the liability for any fraud caught by its system — a change from the past, when merchants traditionally were stuck with the tab.
One or Many?
McCarthy said VeriSign now has the ability to improve security across the entire e-commerce industry, because the company is involved in nearly one-fourth of all online transactions in North America. It is a “win,” he noted, for consumers, merchants and banks, and can “increase the confidence of all parties to the commerce transaction.”
However, NFIC/IFW’s Grant argued, it is the combination of forces, rather than a single program, that ultimately will reduce e-commerce fraud. “These technologies and trust marks are very helpful,” she noted, but added that “they’re part of what has to be a multipronged approach to consumer protection.”
NFIC/IFW’s Susan Grant makes a key point in stating that a "multipronged approach" to consumer protection is what’s needed. The same is true for merchant protection. While consumers can suffer greatly from identity theft, it is online merchants who are financially responsible for any fraudulent charges they unwittingly accept.
Several payment providers have announced support for credit card association payer authentication programs. On September 16, CyberSource announced availability of its Payer Authentication Service in the US and the UK. It is the first service to provide merchants instant access to both Visa’s "Verified by Visa" and MasterCard’s payer authentication programs, as well as complementary fraud screening services.
Currently, Visa’s program offers fraud-related chargeback protection on Visa transactions in Europe. The same protection will be extended to US companies in April 2003. Until then merchants will still be financially liable for fraud losses, including chargeback fees.
While the protection afforded to merchants by these programs will be a major benefit, they cannot entirely mitigate the threat of fraud on their own. Because exclusions to chargeback protection apply under certain conditions, merchants should maintain additional fraud protection measures to control overall fraud rates. Additionally, only Visa and MasterCard have introduced authentication programs with phased rollout strategies. Fraud protection for transactions involving other card brands will still be required. Thus, a combination of authentication and fraud tools is required to adequately control fraud.
Merchants should protect themselves by maintaining additional fraud screening technologies such as neural nets and rules-based systems. Used in conjunction, these technologies along with payer authentication programs will go a long way toward preventing fraud. In addition, merchants should make sure that they are using a PKI-based cryptographic security model to authenticate and secure 100 percent of the transactions processed on their behalf.
Jeff King, Director of Risk Product Management, CyberSource Corporation http://www.cybersource.com