Bi-annual Fraud Report: Fraud Risk Management for E-Commerce (2012)
Selecting the Right Solution to Optimize Revenue Growth

CASHRUN Fraud Protection & Safe Payment Solutions
www.cashrun.com
Singapore · Switzerland · Germany · China · United States

Table of Contents
1. Executive Summary
2. Online Fraud: A Complex and Growing Industry
2.1. Understanding the Complexity of the Fraud Industry
2.2. Warning Signs: Notable Cases of Fraud in 2011
2.3. Fraud Inc.: Why One Solution is Not Enough
3. Risk Management and Your Online Business
3.1. Key Factors to be Considered in Risk Management
3.2. Evaluating the Effectiveness of Today’s Fraud Prevention Tools
3.2.1. Device Fingerprinting
3.2.2. Global Databases
3.2.3. IP / Geolocation Services
3.2.4. Automated Phone Checks
3.2.5. Card Authentication Schemes: Verified by Visa and 3D Secure
4. Conclusion

About CashRun
CashRun was established in 2007 with the objective of supporting business’ needs for effective and affordable online payment and fraud protection solutions. Since establishment, CashRun has had tremendous success with key industries that are sensitive towards fraud, and continues to be at the forefront for e-commerce solutions. With strong global presence and partnerships, CashRun supports online merchants to develop and concentrate on their core business competencies while protecting against the risk of online fraud.

Fraud Risk Management for E-Commerce. Selecting the Right Solution to Optimize Revenue Growth
A publication by CashRun Pte Ltd. Copyright© 2012. CashRun Pte Ltd. All rights reserved.

01 Executive Summary

In recent years, the fraud protection industry has exploded with a surge in companies launching fraud tools based on various concepts.
Not fully understanding the fraud protection industry, merchants can be confused by the true costs and benefits of the various fraud tools that are accessible or marketed in their specific region. After selecting a fraud protection solution, businesses can spend an enormous amount of time, effort, and money to integrate the risk management tool, thus producing a high exit cost. Therefore, merchants also risk being locked into an ineffective and inefficient fraud solution for a long period of time. With the dilemmas of choice, merchants face a high level of difficulty in selecting the right solution to grow their businesses.

This report aims to enhance merchants’ decision-making capacity by providing a recent overview of the fraud industry, facilitating a deeper understanding of existing fraud detection tools, and assisting merchants in the selection of a risk management solution that optimizes revenue growth per chargeback risk. The report begins with an introduction to the complexity of the fraud industry, recent notable fraud cases, and key factors that must be considered while choosing a fraud protection solution. Then, an evaluation of the effectiveness of current fraud management tools is provided. Finally, recommendations are provided regarding key elements that should be considered in selecting the fraud protection solution to grow the business.

02 Online Fraud: A Complex and Growing Industry

2.1. Understanding the Complexity of the Fraud Industry

Online fraud is evolving and growing with the emerging global scale of online purchases.
Merchants are now able to sell to customers located across the world through a single online storefront, thanks to the ubiquitous nature of the internet. Thriving online business―attributable to the shifting attitudes of today’s consumers toward the convenience of online purchases―has opened up vast opportunities for fraud perpetrators to profit from unsuspecting buyers and sellers. The complexity and sophistication of fraud attacks are increasing, and so is the number of companies claiming to provide e-merchants with the ultimate fraud detection system. The lack of information about this new fraud scenario only intensifies the confusion among merchants, who sometimes remain unable to make a well-founded decision regarding fraud protection.

Fraud is frequently perpetrated using real identities obtained fraudulently, such as by phishing, to purchase items that can be transferred or sold online quickly. The absence of physical ownership leaves transaction traceability up to the buyer or seller, both victims of the fraud. To counter this, card acquirers, payment gateways, and banks have traditionally been more inclined to take the side of the cardholder, leaving the merchant to shoulder most of the financial loss of fraudulent chargebacks. Most insurance and other protection programs are offered to customers rather than merchants. Thus, merchants are clearly at a disadvantage, since they are unprotected and must untangle the fraud protection industry by themselves.

According to the figures indicated on the next page, the number of online fraud incidents decreased from 2009 to 2010, but at the same time the costs for merchants to combat fraud have increased as incidents of fraud are hitting larger volume and more lucrative sectors. So, the merchants are faced with the challenge of staying protected against fraud and, at the same time, controlling the costs associated with online fraud fighting.
According to the LexisNexis True Cost of Fraud Study 2011, while on average retail merchants report paying less per dollar for fraud than they did in 2010, small merchants and certain industries continue to report high out-of-pocket costs. E-commerce and mobile merchants are combating an influx of fraudulent transactions that tend to be large in dollar amount.

Today’s e-commerce environment generally offers more incentives for cyber criminals than it did in the past, not just because the number of targets is so much greater, but also because the tools of self-expression are more varied and effective and the appeal of a potentially lucrative venture is so tantalizing. Damaging and large-scale data breaches in 2011 provided fraudsters with more information to use against retailers, financial institutions, and consumers. Hackers even made use of social media to post information about new hacks and threats, to the extent of soliciting donations and setting up domains to support pay-per-install malware affiliate programs.

The possibilities for fraudsters increase as fast as fraud protection programs are adapted to new schemes. The total number of fraudulent transactions has decreased, but the average dollar value of a completed fraudulent transaction is higher than the year before, indicating that the nature of such transactions is becoming more severe. There is irrefutable evidence that cyber-espionage for the financially motivated cybercriminal is taking aim at databases that contain customer information. It is just a matter of time before this information is tested and used online to cash out.
When it is, the purchases will look like any other; all cardholder information will match that on file. The cybercriminal will have all the information needed to pass the Card Verification Number (CVN) and Address Verification System (AVS) authentication screens. Given merchants’ rapid abandonment of the other card authentication screens, such as Verified by Visa (VbV) and 3D Secure, they may have to rely on IP Geolocation, which can be deceived using a proxy or a compromised device on a matching location. Even then, manually matching every IP for hundreds or thousands of orders a day is an insurmountable task, one that is open to error as well.

Merchants may have to resort to a dated blacklist compiled and offered by third-party fraud protection providers, but the blacklist’s effectiveness is limited – fraudulent activity is committed using multiple e-mail addresses, cards, payment methods, personas, and even devices. Today, device fingerprinting technology is gaining popularity with merchants, who use it to ‘identify’ the unique digital print of the buyer. However, if an obvious fraud is committed, the vast collection of prints is only useful if everyone who has gone into your shop has been fingerprinted. In addition, savvy users can change the ‘unique’ print within minutes.

Online Fraud 2010
• Online Revenue Loss due to fraud estimated US$ 2.7 billion in 2010, which represented 0.9% revenue lost to online fraud.
• For every $100 in fraudulent transactions, retailers incurred a "true" cost of $230 in 2010.
• Internet fraud accounted for 59% of card-not-present (CNP) losses in the UK in 2010.
Source: Finance Fraud Action UK; CyberSource Annual Fraud Report 2011, LexisNexis True Cost of Fraud Study 2010

2.2. Warning Signs: Notable Cases of Fraud in 2011

In 2011 even big, well-known companies such as those described below experienced remarkable fraud attacks. With limited data sharing and the magnitude of compromise, it will take a while before fraudsters make their way onto blacklists or victims realize the theft of their identity. It is thus not surprising that uninformed merchants take these attacks as warning signs and rush into a fraud protection solution that lacks all the relevant attributes to effectively combat fraud. By the time merchants realize that the rejection rate is too high and that they have not chosen an efficient and optimizing fraud protection solution, it is often too late; they may have already lost a high amount of profit that must be added to the costs initially invested for integration of the tool. Moreover, the costs of shifting are often too high and out of all proportion with a potential improvement; they frequently cannot be estimated exactly due to lack of knowledge and information.

The most lucrative areas of growth for Retail Merchants - international, mobile, and e-commerce - tend also to be the most susceptible to fraud and face the greatest risks.
LexisNexis True Cost of Fraud Study 2010

The second largest security breach in U.S. history was reported in April 2011 when hackers successfully infiltrated Sony's network to compromise personal data of 77 million PlayStation Network customers, including possible credit card information as well as data of more than 24 million Sony Entertainment Online customers.

Prominent security companies were no exception - RSA announced in March 2011 that it was victimized by an "extremely sophisticated cyber attack" in which sensitive data related to the SecurID technology had been pilfered and could be used by attackers to get access to networks of RSA customers who rely on the technology.
In April 2011 a bug in Flash Player was exploited to trick Gmail users into clicking on a malicious link in an e-mail message in order to forward e-mail messages to an attacker's account. The user received an email and was tricked into clicking on a malicious link. When the user was logged on to a Gmail session and visited the site, this new (attacker's) forwarding address had been added to the user's account, because Gmail enables its users to forward e-mails automatically and grant others access to the account.

In 2011 damaging and large-scale data breaches occurred, providing fraudsters with more information to use against retailers, financial institutions and consumers.
LexisNexis True Cost of Fraud Study 2010

CitiGroup, Inc. made a shocking revelation in July 2011 when it announced that hackers had accessed the information of approximately 200,000 cardholders, which is about 1% of the company's North American cardholders, including customers’ account numbers, contact information and email addresses. This information was followed up with phishing directed to capitalize on their panic, which may trick CitiGroup customers into revealing their banking credentials or other sensitive information. Fraud perpetrators can use the phished identities to bypass truth services – the combination is endless.

2.3. Fraud Inc. - Why One Solution is Not Enough

Online fraud is adaptive; methodologies and techniques constantly evolve to find and exploit weaknesses so as to derive financial gain – enter the lucrative world of cybercriminals where a complete supply chain exists to facilitate the fraud trade.
A Perpetual Race to Keep Up with the Latest Fraud Scheme

Businesses lacking the expertise, personnel, systems, and processes to defend against these organized groups are easy targets and can end up with compromised credentials, lost revenues, and damaged reputations. Most importantly, businesses lack information about the fraud protection industry and the different tools available to combat fraud effectively. While in-house developed fraud protection systems may appear to be sensible solutions at first, businesses soon are overwhelmed by the substantial initial costs as well as the ongoing costs of upgrading systems and training personnel, distracting their focus from their area of competence, and end up outsourcing their fraud management. Businesses that persist in developing internal fraud management capabilities are forced to reflect on the poor efficiencies achieved via their in-house solutions when benchmarked against industry peers; they generally perform poorly on automation, fraud and rejection rates, and costs that immediately affect their bottom-line analysis.

Year on year, merchants continually add to or switch their use of fraud detection tools, attempting to keep up with the pace of fraud behavior and trends, sometimes not truly comprehending how orders that look genuine can be fraudulent. By the time they realize the fraud, it is mostly too late, as chargebacks can occur up to six months after purchase or even without limitation. The damage has already been done, leaving the merchant with hefty chargeback fees, penalties (e.g., from banks), lost revenue, and costs to replace the goods.
The constant changes in the fraud industry have originated different fraud protection solutions, each centering on a specific expertise. However, merchants often fail to realize that effective fraud protection requires a solution that is comprehensive enough and includes all key factors in fraud management. Merchants have tried collecting more data from consumers, such as personal information, location, and device and browser information. However, using this information has proven to be ineffective since fraud can be perpetrated using compromised credentials that have been harvested, adapted, or manipulated to make the fraudulent transaction blend in like a genuine one. This will not change. No single tool, scoring mechanism, rule, authentication device, or identifier will achieve a 100% accurate decision because fraud perpetrators work in a beneficial value chain with extensive information-sharing networks driven by financial incentives.

03 Risk Management and Your Online Business

3.1 Key Factors to Consider in Fraud Management

Fraud protection is more than just blocking fraudulent transactions. The increasing number of anti-fraud solutions can mislead merchants into a fraud detection system that more often than not does not consider all relevant factors of effective fraud management. Merchants have to understand that all fraud management inherently affects the customer experience; it varies only in different parts of the transaction cycle and in intensity. The choice of fraud management solution reflects the company’s long-term objectives, branding, and reputation, whether the company likes it or not, and is intertwined with the company’s profitability.
• Positivity Vs. Negativity Detection
Most fraud protection providers focus on threat detection, designed to detect risky or unusual activities that might be related to unauthorized transactions. Thus, threat detection is programmed to react to negative aspects, such as detection of device reputation on multiple customer IDs, mismatch of IP to billing location, high-risk e-mail domains, velocity abnormality, and browsing abnormality, among many others. Merchants tend to settle for threat detection as an anti-fraud solution based on negative aspects and preventing fraud, and do not consider that this will also negatively affect the rejection rate. The costs associated with an increasing rejection rate can be much higher than the chargeback costs that the merchants initially wanted to avoid. Focusing only on threat detection and rejecting orders based on negative aspects eventually becomes detrimental for online business. Therefore, it is essential to take into account both the negative and the positive aspects of an order. The positive aspects (e.g., good order history, good social media behavior) weigh as much as negative aspects. Not until after weighing both aspects can a good decision be made. To add analysis of the positive factors, merchants should focus on combining relevant tools for effective and efficient fraud management.

• Cart Abandonment Rate
Most popular card authentication schemes like VbV and 3D Secure cannot distinguish exactly between genuine and fraudulent orders since they simply add on a step to request a code. For merchants that cannot afford a failed checkout, it is important to treat the optimal number of steps in the transaction flow as a priority, noting that such an additional level of authorization dramatically increases the chances that the checkout may fail (Cart Abandonment Rate). These card authentication schemes never consider the rejection resuscitation rate, as they only block orders and, consequently, the checkout fails.
The rejection resuscitation rate for merchants is almost zero, as customers who have abandoned the checkout will have moved on to execute a purchase on another site. It will also be difficult to contact customers who were rejected by an authentication screen with no guarantees, regardless of the reason the authentication failed, even if caused by a technical error or downtime on the authentication service. It is important to note that even if the buyer inserts the code correctly this does not necessarily mean the transaction will succeed.

• Automation and Manual Verification
Automation should be high on the list with the priority on verification accuracy, which improves the customer experience and keeps lost sales to a minimum. However, merchants should be prepared to conduct manual reviews – if necessary – by appointing experienced, well-trained, and customer-orientated verification officers who can decisively assess the optimal risk/return trade-off from the transaction in question. This ensures that no orders are rejected instantly and a final review of all rejected orders is performed to determine if any transactions may be resuscitated. All these layers act as fine filters to make sure that only fraud is blocked, even if that means taking some risk on borderline orders. Manual verification for orders displaying unusual characteristics means calling the buyer on the provided phone numbers or requesting additional documentation. This should be a last-resort practice as the orders could be delayed for a long period of time and the action could result in high customer insult.
The decision in a manual verification must be made only after carefully weighing all factors. Nevertheless, manual verification is essential for reanimating already rejected orders and increasing the acceptance rate. In the end, the combination of automated screening and manual verification forms the basis of effective fraud management.

• Is the Solution in Line with your Corporate Objectives? Protection Vs. Growth
Corporate interest between merchants and fraud providers does not often link up well. Fraud protection providers, to preserve a reputation for safety, tend to focus mainly on threat detection, which could impact growth and require merchants to define their own risk thresholds, thus passing the decision-making responsibility directly back to the merchant. As a result, merchants often face bigger challenges than they first expected: the costs of routine adjustment of these thresholds that incorporate hard rules are high, especially when they are out of tune with the fast-changing nature of international ecommerce. Furthermore, merchants need to have a well-trained verification department with excellent knowledge and expertise, as the tuning of their own risk management is complex and complicated to manage. The key is to select a tool that is responsible and works in line with the corporate objectives to eventually achieve revenue growth.

• Efficient Fraud Management Needs to Be Comprehensive and Flexible
Comprehensive implies weighing and assessing all the relevant key considerations to obtain a meaningful risk picture that will help the merchant understand buyer trends and markets.
Key subtleties that are positive and undetected to the merchant, such as visible and positive traceability of the person in social activities on the internet or a positive result from other merchants’ databases, may weigh as much as the obvious negative aspects in an apparently risky transaction. Flexibility means adaptability to online payment providers and gateways, as well as the latest fraud trends. Risk managers with broad expertise are the ones who complete effective fraud management, as they are the ones who can still make a powerful decision in case of a suspicious order.

True Cost of Verification

Given the abundance of verification tools and the lack of information, merchants tend to overlook entirely equally important factors that hide the real cost of verification. Fraud losses these days are much more than incurring chargeback loss. The example which follows shows why. A typical merchant that sells intangible products online introduces a verification system aimed at minimizing fraud. However, the true cost of verification is much higher than the chargeback loss that he has avoided. This example showcases that this merchant, like many others, is spending more in combating fraud than he is saving.

For every $100 in fraudulent transactions, retailers incurred a "true" cost of $230 in 2010.
LexisNexis True Cost of Fraud Study 2010

The merchant sells digital goods and has a monthly turnover of 500,000€.
Before introducing the Verification System his chargeback is 3%. 3% of his monthly turnover = 15,000€ Chargeback Rate
After introducing the Verification System his chargeback rate is reduced to 1.5% of his monthly turnover. 1.5% of his monthly turnover = 7,500€ Chargeback Avoided

However, the merchant fails to realise various hidden costs associated with combating fraud:
• Technology Costs (0.5% monthly revenue): System Development and Maintenance = 2,500€
• Staffing Costs (0.5% monthly revenue): Verification and Customer Service Costs = 2,500€
• Insult Costs (1% monthly revenue): Valid Order Rejection Rate = 5,000€
• Rejected Customers (1.5% monthly revenue): Rejected Customer Returning Purchase = 7,500€
• Unsatisfied Customers (1% monthly revenue): Slow & Manual Verification Rate = 5,000€
Total: 2,500€ + 2,500€ + 5,000€ + 7,500€ + 5,000€ = 22,500€ *
*Figures taken from a CashRun merchant upon his approval.

The merchant incurred a true verification cost of 22,500€ in addition to his direct Chargeback Losses. The merchant spent 3 times more trying to combat fraud than his avoided Chargeback (= 7,500€).

3.2. Evaluating the Effectiveness of Today’s Fraud Prevention Tools

Most fraud detection providers available in the market provide solutions that revolve around one or two fraud detection tools. Lacking necessary information and urged to choose a system, merchants are usually unaware of the restrictions that these tools entail or the consequences they can inflict on the company’s results. Assessing the different tools available proves that no single tool is 100% accurate in effectively preventing fraud. This might be obvious in tools that are limited by their own nature. For example, reverse phone checks tend to be region dependent and are reliable only in those countries in which registering phone numbers in phone books is common practice.
Merchants using only e-mail validation probably perform weakly, given the ability of fraudsters to hack e-mail accounts and make use of stolen identities. An evaluation of widespread fraud prevention tools entailing more developed technologies follows in the paragraphs below.

3.2.1. Device Fingerprinting

Device fingerprinting allows merchants to create a profile or device reputation of fraudsters by collecting the hardware and software settings and information data of the device used. This procedure is useful when recognizing returning fraudsters, but is proven to compile insufficient data to filter out first-time fraudsters. Moreover, it has negative effects on the customer acceptance rate, as a fraudster might use a device in a hotel, which will probably result in the automatic rejection of the device and all subsequent orders made from it, even if these orders are made by a genuine customer. In addition, a unique fingerprint might not always be attainable, and savvy users can spoof, change, or substitute a device ID. It must also be noted that most CDI vendors can tell when a device ID has been tampered with in some way and the confidence level is not degraded significantly. It is logical for a device ID that has been tampered with and returned differently than expected to be a cause for suspicion. For example, the following result illustrates this: “The browser fingerprint appears to be unique among the 1,614,216 tested so far. Currently, we estimate that your browser has a fingerprint that conveys at least 20.62 bits of identifying information”. Although device fingerprinting helps to collect a wide range of data, it is difficult for merchants to make use of this information to manage fraud.

3.2.2. Global Databases

Databases collect credit data from customers worldwide and allow merchants to compare the bank or card details introduced by buyers with the information in these databases.
Merchants can easily learn whether buyers have a negative credit history anywhere in the world by accessing the credit scores offered by these companies. This information can be used in the event of a friendly chargeback, when customers repeatedly order their banks to reverse payments with no apparent reason, but it does not offer any reliability for unauthorized payments made with stolen credit cards, for instance. In addition, an increasing number of merchants are turning to anonymous purchases, for which the information given by global databases might not be that relevant in preventing fraud. 11 www.cashrun.com Switzerland · Germany · United States · Singapore · China Fraud Risk Management for E-Commerce. Selecting the Right Solution to Optimize Revenue Growth A publication by CashRun Pte Ltd. Copyright© 2012. CashRun Pte Ltd. All rights reserved. CASHRUN Fraud Protection & Global Payment Solution 3.2.3. IP Address/Geolocation Technology IP addresses and Geolocation services enable merchants to physically locate a device by its unique IP address and match the information introduced by the buyer with a real location in the physical world. Unfortunately, in today’s world, IP addresses can be replaced with proxies, which can easily fool the merchant’s verification system. The results derived from Geolocation services are useful in those orders that include tangible goods that must be delivered to a physical address. However, merchants dealing with intangible goods might not require customers to introduce a shipping address, since these goods are delivered electronically and, in most cases, only a valid e-mail address is requested. Once again, locating a customer and the device in the real world can be useful, but not sufficient or conclusive in effectively filtering out fraudulent orders. 3.2.4. 
Automated Phone Checks Online businesses often rely on automated phone checks, which allow merchants to call or send an SMS directly to the phone number introduced by the buyer in the checkout page to verify the buyer’s identity. With identity thefts growing in number in recent months, fewer buyers are willing to disclose personal information to finalize an online purchase. Requesting customers to introduce their phone number might increase the number of abandoned checkouts, considerably decreasing the effectiveness of this tool. However, assuming the buyer introduces his or her real phone number, automated phone checks tend to generate poor results, as the chances that fraudsters have access to both the credit card details and the associated phone number are relatively high. 3.2.5. Card Authentication Schemes: Verified by Visa and 3D Secure Most card acquirers add a fee to the processing fee to have 3D Secure implemented. Costs aside, merchants must be aware that this additional security screen adds friction to the customer checkout experience and severely affects revenue when the authentication fails for whatever reason – valid or not. For example, when MasterCard was under attack by hackers supporting Wikileaks, the widespread unquantifiable damage was borne by merchants who had implemented the MasterCard 3D Secure authentication. The problem lasted for as long as two days; customers could not complete the authentication and received an error message. This happened during the weekend – when high-frequency sales for most e-commerce merchants take place. Budget carriers worldwide looking to fill in spare capacity on the high-demand routes to weekend destinations probably suffered considerable financial loss. 12 www.cashrun.com Switzerland · Germany · United States · Singapore · China Fraud Risk Management for E-Commerce. Selecting the Right Solution to Optimize Revenue Growth A publication by CashRun Pte Ltd. Copyright© 2012. CashRun Pte Ltd. All rights reserved. 
This does not even consider the frustration of the customer who has spent the time to complete the particular booking information and other tedious details to reach the checkout page, only to have the transaction fail without any clear indication of whether the charge was placed on the customer’s card or whether malicious parties have been involved.

As the 3D Secure form is an iframe or pop-up without an address bar, there is no easy way for customers to verify the identity of the entity or person asking for their password. This not only makes attacks against 3D Secure easier, but it also undermines other anti-phishing initiatives by contradicting previous advice (like sending e-mails from banks containing clickable URLs). Hackers have managed to create similar-looking pages that resemble the authentication page, which are then used to phish for complete credit card details from the unsuspecting customer.

3.2.6. Address Verification Tool

Problems with the address verification service (AVS) include its ineffectiveness for international orders, the requirement that the address be typed in a certain format, and the fact that cardholders who have more than one home sometimes forget which address they used when applying for the card, especially if they have held the card for a long time or not updated their account file with their bank. Merchants need to assess carefully the risk of chargeback versus the risk of lifetime sales from this customer, not to mention referrals and positive reviews.

As pointed out at the beginning of this section, an evaluation of the different tools commonly used today to detect fraud shows that each verification system is strong and useful in a certain area, but the data provided and the results derived from the data are simply not sufficient to draw a complete picture of the fraud menace.
For example, few merchants realize that rejecting an order on the wrong basis significantly multiplies the chargeback loss due to the current pervasiveness of the internet and the power of positive and negative reviews and referrals. Only by comprehensively analyzing all key factors in an order and by weighing the risk of fraud in each and every order that passes through a merchant’s web store can online businesses stay protected and achieve revenue growth.

Fraud Detection Tools within Payment Gateways

Merchants usually need to adhere to the verification system provided by the payment gateway, regardless of this system’s ability to match their businesses’ needs. False-positive orders are common for merchants selling intangible goods because the credentials to unlock a purchase are sent directly to the buyer’s e-mail, typically within minutes of completing the checkout, with little supporting documentation.

04 Conclusion

The rapid emergence of the fraud protection industry has provided merchants with a wide range of solutions. However, fraud groups are rapidly coming up with new technology and methods to avoid detection. Often, confused merchants or fraud solution providers react with a strict verification policy that results in unnecessarily high rejection rates that are much more detrimental to businesses than the total chargeback incurred otherwise. Considering these factors, merchants must be extra careful in selecting the right solution so as to avoid taking a big step backward in their attempt to manage chargeback risk.
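The difference between a strict verification policy (modelled here as rejecting on any single negative signal) and weighing all key factors in an order can be shown on a handful of orders. The following Python example is added for illustration and is not code from CashRun or from the report; the signal names, weights, thresholds and sample orders are all constructed assumptions.

```python
# Added illustration: signal names, weights and thresholds are assumptions,
# not values from the report or from any vendor's product.
WEIGHTS = {
    # negative elements raise the risk score
    "avs_mismatch": 25, "ip_country_differs": 20, "new_device": 10,
    "phone_unverified": 15, "high_velocity": 40, "blacklisted_email": 50,
    # positive elements lower it
    "repeat_customer": -30, "clean_order_history": -25,
    "card_authenticated": -20,
}
REVIEW_AT, REJECT_AT = 30, 50  # assumed thresholds

def strict_policy(signals):
    """Reject as soon as any negative element is present."""
    return "reject" if any(WEIGHTS[s] > 0 for s in signals) else "accept"

def weighted_policy(signals):
    """Sum positive and negative elements, then apply thresholds."""
    score = sum(WEIGHTS[s] for s in signals)
    if score >= REJECT_AT:
        return "reject"
    return "review" if score >= REVIEW_AT else "accept"

# Constructed sample orders: (label, ground truth, signals observed)
ORDERS = [
    ("traveller, second home", "genuine",
     ["avs_mismatch", "ip_country_differs", "repeat_customer",
      "clean_order_history"]),
    ("first-time buyer", "genuine", ["new_device"]),
    ("clean repeat buyer", "genuine", ["repeat_customer", "card_authenticated"]),
    ("fraud, IP check evaded", "fraud",
     ["avs_mismatch", "phone_unverified", "high_velocity"]),
    ("fraud, listed e-mail", "fraud", ["blacklisted_email", "new_device"]),
    ("unclear", "genuine", ["ip_country_differs", "phone_unverified"]),
]

def evaluate(policy):
    """Count outcomes for one policy over the sample orders."""
    out = {"genuine_rejected": 0, "fraud_accepted": 0, "review": 0}
    for _, truth, signals in ORDERS:
        decision = policy(signals)
        if decision == "review":
            out["review"] += 1
        elif truth == "genuine" and decision == "reject":
            out["genuine_rejected"] += 1
        elif truth == "fraud" and decision == "accept":
            out["fraud_accepted"] += 1
    return out

if __name__ == "__main__":
    for policy in (strict_policy, weighted_policy):
        print(policy.__name__, evaluate(policy))
```

On this sample both policies stop the two fraudulent orders, including the one with no IP signal, but the strict policy also turns away three genuine customers, while the weighted policy rejects none and sends one order to manual review.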
With each verification tool having its unique purpose in verifying an order, we concluded that an effective and efficient risk management solution must be comprehensive enough to consider most of the key approaches to dealing with fraud, and flexible enough to customize a risk algorithm that combines the evaluation of each of the key variables available and is optimized to the merchant’s risk level and business requirements.

Also, many fraud solutions tend to focus mainly on threat detection and subsequently reject an order based on any negative points. Instead, an effective risk management solution should equally consider positive elements within an order and potentially accept an order if the positives outweigh any negatives. What in fact increases merchants’ business is not a lower rejection rate, but optimization of the acceptance rate.

Moreover, coordinated fraud groups often develop strategies and methods that focus on exploiting merchants’ verification systems through single loopholes, bypassing IP, blacklists, velocity, e-mail, phone, or device reputation checks so that they can make big successive hits on a merchant with minimal effort. A risk management algorithm with comprehensive and multi-layered alert tools can better prevent such attacks and allow more time for the system to update its risk policies.

Ultimately, a comprehensive and flexible system combining all relevant tools for identifying genuine and fraudulent orders is more than necessary to effectively increase merchants’ profit rate.

About CashRun

CashRun has years of experience in the fraud industry protecting online merchants from the high risk and cost associated with fraud risk management. Ultimately, CashRun strives to allow merchants to focus on their core business competencies and at the same time achieve higher revenue growth through effective fraud risk management.
· CashShield is an innovative and comprehensive one-stop risk management solution that analyzes the attributes from a wide range of information including customer, payment, device and network information.
· Risk scores and decisions are based on a risk management algorithm specifically designed to assess each of the key variables received and help each merchant achieve an optimized return per risk-level for their business.
· Provides real-time, automated verification with a unique 100% Chargeback Protection policy.
· Considers not only negative elements but also positive elements of an order, thus minimizing the rejection of legitimate customers and optimizing the order acceptance rate.

For more information, please visit www.cashrun.com or e-mail [email protected]

Switzerland
CashRun GmbH
Gatterstrasse 21
9010, St. Gallen
Switzerland
tel: +41 71 278 0121
fax: +41 71 577 1708
E-mail: [email protected]
web: www.cashrun.ch

Germany
CashRun GmbH
Lyrenstrasse 13
44866 Bochum
Germany
tel: +49 2327 621 290
fax: +49 2327 621 2930
E-mail: [email protected]
web: www.cashrun.de

Singapore
CashRun Pte Ltd
21 Bukit Batok Crescent
#16-78 WCEGA Tower
Singapore 658065
tel: +65 6569 3686
fax: +65 6569 3268
E-mail: [email protected]
web: www.cashrun.com

United States of America
CashRun Corporation
5716 Corsa Avenue, Suite 110
Westlake Village CA 91362-7354
USA
tel: +1 805 2336 986
E-mail: [email protected]
web: www.cashrun.com

China
CashRun Business Consulting Ltd
Room 303, NO 3535 QiXin Road
MinHang District
Shanghai, China
tel: +86 2134 121 213
E-mail: [email protected]
web: www.cashrun.zh