Although it’s been just over a year since we last looked at online fraud (see related articles links below) it is such an important topic for all e-tailers that I felt it was time to take a look at the subject again. In this article I’ll be exploring the latest information on the level of online fraud and looking at new developments in the war against the fraudsters.
First, the good news is that the seemingly ever-increasing level of fraud online is beginning to stabilize, with Gartner reporting recently that online fraud levels in 2001 were 1.14%, just slightly up on the figure of 1.13% recorded in 2000. However, this still continues to compare very badly with offline fraud levels, which run at just 0.06%. In other words, online fraud is running at nineteen times the level of offline fraud!
Of course, what these statistics hide is the fact that the value of these thefts is growing enormously as the number of online transactions grows, and Meridien Research predicts that worldwide online fraud will grow from $1.6 billion in 2000 to $15.5 billion in 2005.
The further bad news is that e-tailers are having to spend more time – and money – combating fraud. Gartner reports that merchants typically reject 5% of transactions as being “suspicious”. This order screening has two major cost impacts for e-tailers: the time that has to be spent vetting orders and the cost of orders lost because they have wrongly been identified as suspect.
The other danger for e-tailers is that fraud levels will deter consumers from buying online. This point was emphasized too by Gartner who reported that in a survey of 1000 US online consumers, a massive 5.2% had been subject to credit card fraud.
So what’s being done to combat these massive fraud levels? Well, in the last year there has been several new anti-fraud initiatives launched by both the credit card companies (much of which, as we will see, is largely “window-dressing”) and by third parties.
The biggest new move from the credit card companies has been the launch of the “Verified by Visa” program, which adds an additional layer of password protection to online purchases. Consumers sign up for the program on the Visa Web site, and then when they attempt to make a purchase at a participating Web store, a window pops up and asks them for their password. The e-tailer never sees the password: it is passed securely to a third party server and once it is verified a digital certificate is sent to the e-tailer authorizing the transaction. However, the scheme is optional for consumers and as a result Visa forecast that a mere 6% of its cards will have passwords by the end of this year.
Unfortunately, while the Verified by Visa program might help to increase consumer confidence, it does little to directly help the e-tailer as they are still held 100% responsible for any fraud, even if committed under the Verified by Visa scheme. Not surprisingly, many e-tailers have been suitably under-whelmed by the program and many major online players – for example Amazon.com – have refused to get involved. However, it is expected that Visa will change the rules in 2003 to make merchants who accept payments under the Verified by Visa scheme not liable for unauthorized charges.
Of course, the most effective way to tackle fraud would be for the major credit card companies to work together on the problem and come up with a common solution. However, MasterCard intends introducing its own, more complex, password scheme – Secure Payment Authorization – later this year, while American Express say they have currently no plans to introduce a password-based scheme
However, one praiseworthy trend in 2001 was the increasing adoption of the Cardholder Verification Method (variously known as CVVC, CID or CVV2). This is a new three or four digit code that is increasingly appearing on credit cards. The code is printed – not embossed – and therefore does not show up on receipts or vouchers, which are a common source of stolen credit card numbers. Asking for – and verifying – CVM information can help e-tailers reduce their fraud levels.
Realizing the extent of the problem, several third parties have also become involved in the fight against fraud.
For example, eConnect have launched the eCashPad, a home terminal that enables consumers to swipe their credit card and make payments to Internet merchants. The terminal consists of a proprietary hybrid magnetic stripe reader, PIN pad and “smart card” device that can be connected to any computer with a USB connection. Its manufacturer – eConnect – aims to ship 20,000 eCashPads per month.
E-tailers wanting to accept payments via the eCashPad need to sign up for the Bank Eyes Only system. Under the system only the bank – not the merchant – has access to the buyer’s credit card details, thereby reducing the chance of credit card data being stolen. From a merchant’s perspective it should also help to reduce the number of chargebacks and hopefully allow them to negotiate more attractive discount rates.
Fighting the problem in a different way, Safewww have recently launched FraudNet, which non-intrusively registers and uniquely identifies each PC by assigning a “fingerprint” (or “hardware signature”) to the computer when a customer enrolls for his or her online account. When illegitimate or fraudulent use is encountered, the suspect PC is flagged in a negative database, blocking future transactions from occurring from the machine. This helps prevent exposure to repeat fraud, while also acting as a deterrent to potential fraudsters, and does not require users to remember any additional passwords, carry a smart card or e-token, or purchase any expensive biometric device.
There is one other option in the fight against fraud: if you can’t prevent the actual fraud from taking place, at least you can insure yourself against its financial implications. Such insurance schemes or anti-fraud guarantees are provided as an extra cost item by some Payment Service Providers (PSPs), for example WorldPay who charge their merchants $30 per month and an additional transaction charge of 1% to indemnify them against fraud. Alternatively, there are third party insurance services available. For example, TCA Inc. provides Cardholder Absent Insurance underwritten by Lloyds of London with the cost typically running between 0.3% and 3% of annual sales.