Tuesday, June 17, 2008

Proxy Detection

Proxy Detection web services allow instant detection of anonymous IP addresses. While the use of a proxy is not a direct indicator of fraudulent behavior, it can be a useful indicator when combined with other data elements to determine if an individual is attempting to hide their true identity. The fact is, some of the most used ISPs, like AOL and MSN, are forms of proxies, and are used by both good and bad consumers.

Fraudsters know that it is very easy to make their IP geolocation information look like it is coming from the region where their stolen credentials originated. This ability makes them look authentic, when in fact they are using a proxy to mask their true location.

Again, not all proxies are equal. Some are very reputable, and to cut them off would be a death knell to your sales conversion. The goal is to use this technique to distinguish which proxies are derived from compromised computers, or are known to be highly used by fraudsters. The generic ability to identify an anonymous proxy provides little value.

Has Data Breach Legislation actually impacted ID Theft?

According to a recent paper published by Sasha Romanosky, Rahul Telang and Alessandro Acquisti of the Heinz School of Public Policy and Management at Carnegie Mellon University, the data breach legislation instituted from 2002 through 2006 has had little effect on reducing ID theft.
While the legislation has not reduced ID theft cases, the debate is still ongoing as to whether it has slowed the rate of increase. It seems the rate of increase is the same in states with legislation and in those without legislation.

It is a fascinating study showing how the legislation has made companies more aware, vigilant and proactive, but the net result is just plain lacking. Some of the more interesting findings from the paper were:

1. 44% of consumers ignore data breach notices; ChoicePoint indicated that only 10% of consumers opted for the free credit watch services.
2. Most companies underestimate the costs associated with a data breach. ChoicePoint reported a cost of $26 million related to their data breach and TJ Maxx reported a cost of 178 million related to their data breach.
3. The impact of a data breach on a company's overall performance, sales and stock performance is temporary, typically lasting less than 4 quarters.
To read more on this article go to: "Do Data Breach Disclosure Laws Reduce Identity Theft?".

Monday, June 2, 2008

Telephone Identification

Telephone identification is the process of determining the type of phone being used by a consumer or end user. This technique looks up the phone number to determine where it was provisioned, and the type of phone it is associated with.
Telephone identification, or TNI, serves several important functions. First, it authenticates that the number is a real "dialable" phone number. Second, it will let you know where the phone was provisioned: the country, region, and city. Lastly, and most importantly, it will tell you the type of phone the number is assigned to.

To read more on Device Identification: http://www.fraudpractice.com/gl-phoneID.html

PCI Compliance does not Guarantee Protection from breach

While the PCI standards have done a tremendous job at helping to secure sensitive credit card data, organizations still need to take proactive measures to secure their systems from hacking. There have been several documented cases where PCI compliant organizations have been hacked and card data has been stolen. The most notable recent case involved Hannaford Food stores, where 4 million credit cards / debit cards were compromised when fraudsters loaded malicious software on the company's 300 servers. The software allowed the fraudsters to pull and store credit card and PIN data as it was being processed from the stores.

To read more on this article go to the CS Decisions website and view the May 2008 article from Pat Pape entitled: "Secure your System".

Wednesday, May 7, 2008

Verified by Visa & MasterCard SecureCode drop Sales Conversion by 30%!

We are all well aware of the complaints about consumer adoption, issuer adoption, complexity in signup, usability and protection rights with these programs, but we have all been trying to quantify if there is a real impact to sales conversion. Mick Scott of Lastminute.com was quoted in the recent article “Industry lays into 3-D Secure”, Phil Muncaster, IT Week, 11 April 2008 as saying "We turned on Verified by Visa in Spain and it was horrific," said Scott. "There was a 30 per cent drop off in completed purchases."

For more information on this topic see the article “Industry lays into 3-D Secure”, Phil Muncaster, IT Week, 11 April 2008

Tuesday, May 6, 2008

“We value and secure your private data”

The article from SCMagazineUS.com “Clothing retailer settles with FTC over credit breach” by Dan Kaplan may seem routine. It discusses the missteps the FTC believed the company Life is Good had taken and it outlined the corrective actions. But take a minute to reread the statement by Dan Kaplan; “The FTC said the merchant deceived customers by stating on its website that it valued and secured private data.” Wow, that got my attention. How many retailers take that statement for granted on their website?

Takeaway items:
· If you say you are doing something related to consumer data, you had better be doing it.
· Data security issues can still damage your brand and your sales, even if nobody is defrauded. Mr. Kaplan stated in his article that there was no documented case of actual fraud from this breach of over 10,000 accounts.

To read the full article, go to SCMagazineUS.com: “Clothing retailer settles with FTC over credit breach” by Dan Kaplan.

Australians Poised to roll out Credit Card PINs on June 4th 2008

On June 4th 2008 Australia will roll out the capability for card present merchants to offer consumers the choice of confirming payment authorization using a physical signature or by entering a 4-digit PIN.

Notable Quote: According to Pen or PIN project spokesman Simon Greig, "Australians are among the most prolific card users in the world, making more than 118 million card transactions a month." The quote is taken from the Herald Sun article by Alice Coster titled “Credit card PINs punch wrong buttons”.

For more information related to this subject go to the Herald Sun article by Alice Coster titled: “Credit card PINs punch wrong buttons”.

Have you tried to Fididel yet?

For those of you that haven’t come across them yet, Fididel is a new eCommerce technology offering the ability for real time negotiation of purchases online. Unlike a traditional auction, buyers don’t have to wait for the auction to end to make a purchase. Additionally, buyers that want to buy an item, but aren’t willing to pay the asking price, can negotiate in real time with the seller or their representative. For sellers this means a greater opportunity for converting sales, with a higher return than traditional sales; and for buyers this means saving money on items they are ready to buy now, without having to wait! Fididel launched their Beta version on Monday May 5th 2008. Fididel offers the technology on a hosted portal, and as an enterprise license.

For more information related to this subject go to “www.fididel.com”, or the ecommerce-guide.com May 5th 2008 article by Michelle Megna, “New Marketplace Offers Real-Time Bartering”. Other articles: “Fididel Launches First Site with Real-time Negotiation to Give Buyers More Control of the Online Shopping Experience”, “Fididel Invites Online Price Haggling” and “Fididel Launches Live-negotiation auction business”.

Payment fraud remains a threat to the success of an EU single market for payments

Based on the article “Card fraud threatens development of European payments network-EU” by Finextra.com on 28 April 2008, it appears that payment fraud is undermining consumer confidence to a level that is impacting initiatives to develop a cross-border payment network in Europe.

For more information related to this subject go to the Finextra.com 28 April 2008 article titled: “Card fraud threatens development of European payments network-EU”.

eBay’s move to force payment via PayPal under review in Australia

The Australian government is investigating if eBay Australia's policy of forcing payment using PayPal, which eBay owns, or cash on delivery/pick-up, breaches trade practice and competition laws.


For more information related to this subject go to theage.com 22 April 2008 article titled: “Reserve bank could Scuttle eBay’s plans”.

Issuers – Focus on Expanding fraud prevention and detection abilities

According to the Javelin Strategy & Research 2008 Card Issuers’ Identity Safety Scorecard results, the greatest opportunity for Issuers to reduce fraud losses is to expand on their abilities within prevention and detection.

Other notable excerpts:

“Bank of America Scores highest ranking on the Javelin’s 2008 Card Issuers’ Identity Safety Scorecard; second place went to Discover, followed by FNB Omaha and U.S. Bank.” Javelin Strategy & Research

“Findings Show That Arming Consumers with Expanded Account Monitoring Tools is Key to Security and Strengthening Customer Loyalty” Javelin Strategy & Research

For more information related to this subject go to the BusinessWire article “New Javelin Report Benchmarks 25 Top Credit Card Issuers for Consumer Identity Safety Features”.

The Godfather of Credit Card Fraud

Dmitry Ivanovich Golubov is known by some as the Godfather of Credit Card Fraud. Mr. Golubov is active on the underground Web site CarderPlanet and he is considered an expert at both Trojan horse and malware hacking. His arrest in July 2005, at the ripe old age of 22, was front page news in the war on computer crime.

To read more on this article go to the Cape Cod Times April 29, 2008 article: “Meet Mr. Malware, and see how to avoid him”.

$0.40 buys you a stolen Credit Card Number

According to The Economic Times, the going rate for stolen credit card numbers ranges from $0.40 to $20 while bank account information ranges from $10 to $1000 per account. They also indicated that if you were willing to buy in bulk you could acquire 50 credit card numbers for $40 or 500 credit card numbers for $200.

In case you were curious, the same article quoted Symantec Corporation as stating that email passwords sell for as little as $4.00 to $30.00, while full identities are selling for between $1.00 and $15.00.

To read more of this article go to The Economic Times May 4th 2008 article “Credit Card Numbers up for grabs Rs 16!”.

3 out of 4 Consumers Don’t Believe Retailers should be responsible for CNP Fraud Losses?

The debate has been ongoing for years: just who is responsible for the fraud losses associated with CNP fraud? I find it interesting that while the Associations, Banks, Issuers, Acquirers and Retailers continue to fight it out, consumers have already made their opinion very clear: 3 out of 4 don’t believe that it is the retailers’ responsibility to absorb these fraud losses. I base this on recent surveys from CyberSource and CPP. CyberSource reported in its 2008 UK Online Fraud Report that 24% of consumers believe that retailers are ultimately responsible for fraud losses. CPP, a Life Assistance Firm, reported that 74% of the UK consumers questioned believe it is the responsibility of banks or credit card issuers to resolve any fraud problems.
For more information related to this subject go to the “CyberSource 2008 UK Online Fraud Report”, or the M2 PressWIRE April 7th 2008 article “CPP Group: Brits blame banks for fraud; More than a third of people blame banks for card fraud”.

Friday, May 2, 2008

Technique: Check Verification

Check Verification is a process that screens checks and check writers to assess the risk of the check being bad. These services typically check that the account is open, determine whether the account has had bounced checks before, and check a "negative database" of "bad check writers".

Thursday, May 1, 2008

Requiring CVV will drop sales conversion 40%???

I have to say up front that I actually find this hard to believe, and I cannot say I have ever seen or heard this from sites I was working with. According to the eCommerce Checkout Report on the Internet's Top 100 Online Retailers, conducted by Elastic Path and presented by Jason Billingsley, merchants that did not make the card security code entry required were able to achieve a 40% higher conversion rate.

Alternative Payments may lower Conversion Rates

Huh? I thought the idea behind alternative payment types was to increase sales conversion. So you can imagine my surprise when I was listening to the eCommerce Checkout Report from Elastic Path, Jason Billingsley, on the Internet's Top 100 Online Retailers. It appears from their survey that merchants that did not offer alternative payments had a significantly higher conversion rate than those that did offer them.

Wednesday, April 30, 2008

Reverse Lookups

The reverse lookup is used to cross check the address and phone information a consumer has provided to you with a third-party resource to verify that the public records show the same consumer’s name is associated with the provided address and phone information.


Device Identification

14 Different consumers, 14 different IP addresses, but they are using the same computer ???

The concept of device identification is not new: cookies have been around for a long time. The problem is that a user can delete and manipulate a cookie. Device identification has grown into a very sophisticated science, with versions ranging from those that are completely transparent to the user to those that load applets or other programs to serve their purpose.
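
The pattern in the heading above (many consumers and many IP addresses behind one computer), as an added example that is not code from the original post: it groups constructed order records by a device identifier and flags devices shared by several consumers. The field names, the `device_id` values and the `min_consumers` threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample orders. "device_id" stands in for whatever identifier a
# device-identification service returns; all field names are assumptions.
def make_sample_orders():
    orders = [
        {"order": f"A{i}", "consumer": f"user{i}@example.com",
         "ip": f"198.51.100.{i}", "device_id": "dev-7f3a"}
        for i in range(1, 15)  # 14 consumers, 14 IPs, one device
    ]
    orders += [
        # A household sharing one computer: two consumers, one IP.
        {"order": "B1", "consumer": "pat@example.com", "ip": "203.0.113.9", "device_id": "dev-22c1"},
        {"order": "B2", "consumer": "sam@example.com", "ip": "203.0.113.9", "device_id": "dev-22c1"},
        # No identifier collected: these must not be linked to each other.
        {"order": "C1", "consumer": "lee@example.com", "ip": "192.0.2.4", "device_id": None},
        {"order": "C2", "consumer": "kim@example.com", "ip": "192.0.2.77", "device_id": None},
    ]
    return orders

def link_by_device(orders, min_consumers=3):
    """Return devices used by at least min_consumers distinct consumers."""
    consumers = defaultdict(set)
    ips = defaultdict(set)
    order_ids = defaultdict(list)
    for o in orders:
        dev = o.get("device_id")
        if not dev:  # a missing ID means "unknown", not "same device"
            continue
        consumers[dev].add(o["consumer"].strip().lower())
        ips[dev].add(o["ip"])
        order_ids[dev].append(o["order"])
    flagged = {}
    for dev, who in consumers.items():
        if len(who) >= min_consumers:
            flagged[dev] = {"consumers": len(who), "ips": len(ips[dev]),
                            "orders": order_ids[dev]}
    return flagged

if __name__ == "__main__":
    for dev, info in link_by_device(make_sample_orders()).items():
        print(dev, info["consumers"], "consumers,", info["ips"], "IPs ->", info["orders"])
```

The threshold keeps a shared household computer out of the review queue while still surfacing the one device behind 14 otherwise unrelated orders.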


Telephone Verification

A practical means of verification ...

Telephone verification is the process of calling back a consumer at the phone number they have provided, in order to verify the phone is working and the person in possession of the phone is the one placing the order.

Manual Reviews

Not always a bad thing ...

Manual review is a technique in which merchants use staff members to perform manual checks on orders to determine which orders are fraudulent.

How Good Is It?

In general, this is not a very good fraud-prevention technique. The quality and effectiveness of manual reviews is directly proportional to the knowledge and experience of the review staff, and the tools and process that they have established to perform manual reviews.

Common Fraud Schemes

I have been working with merchants for years, and I am still amazed at the creativity fraudsters come up with to defraud merchants. These people aren’t stupid, uneducated thugs. They are educated, crafty and patient.

If there is one thing I have learned from my experiences, I know that even if you wanted to, it is not realistic to think you can stop all fraud. There are just too many ways to create a perfect one-use identity. The resources, time, money and people I would have to put into place to catch these fraudsters just don’t make sense.

But the good news is you don’t have to catch the perfect one-use criminal. The majority of fraudsters out there are still using the basic scams to defraud merchants because there are still too many businesses that aren’t doing anything to stop them.

The purpose of this section is to give you an understanding of some of the general schemes that are out there. With this understanding you can look at your businesses and craft strategies to prevent fraud that most closely represents the type of fraud scheme your site sees.