26 Jul 2007, Linda More, Computing
http://www.computing.co.uk/ctg/analysis/1833188/the-fraud-squad
Costing £212.6m each year in the UK and growing at an annual rate of 16 per cent, cardholder-not-present (CNP) fraud is now the biggest category of plastic card deception.
Criminals are highly innovative users of payment systems and London has become the capital of credit card swindles, closely followed by Manchester and Kilmarnock, with online retailers being severely hit.
The internet retail industry in the UK is growing at an exceptional rate and credit card fraudsters are attacking the softer targets of the online sector. As new banking channels have opened up – including internet and telephone banking and e-commerce – and credit card use has boomed, criminals have migrated to attack these less mature transaction methods.
The introduction of chip-and-Pin has also had a strong impact on UK fraud patterns, pushing card fraud to the internet, says Neil Wilson, financial crime director at high street bank Abbey.
‘While there has been a reduction in counterfeit and lost and stolen cards, there has been an increase in card-not-present fraud and a growth in cross border risks,’ he says. ‘Fraudsters have modified their behaviour to ensure economic returns are maintained in the light of growing technological complexity and by following the path of least resistance.’
Dishonestly obtained card details are generally used with fabricated personal details to make fraudulent CNP purchases. Paul Thomas, head of merchant acquisition at secure electronic payment processors Valu, says that the card details have normally been copied without the cardholder’s knowledge, taken either from discarded receipts or by skimming.
‘The key is that when the transaction goes through our payment processing system it is picked up,’ he says. ‘The UK is a particular hotspot for credit card fraud, with one in five card users having already been a victim.’
With CNP fraud currently representing almost half of all card losses, there is a lot that online retailers can do to minimise the risk. Mark Bowerman, spokesman for banking industry association Apacs says it is important that merchants familiarise themselves with the contract they have with their bank and understand exactly where liability rests.
‘Often the contract will say that if a transaction is fraudulent then it will be the merchant who is liable, even if he has gained bank authorisation for the transaction,’ he says. ‘All authorisation means is that the card hasn’t been reported stolen and that there are sufficient funds or credit on the account.’
Although 36 per cent of consumers, according to a recent Ipsos Mori survey carried out on behalf of database specialist Secerno, would not put personal information online, 11 per cent of this group have still been victims of data theft. ‘Cardholders have a rather blasé attitude,’ says Bowerman. ‘You don’t have to be someone who shops online to be a victim of internet credit card fraud.’
To combat fraud, retailers should take a layered approach to its management. While criminals can often bypass a single scanning technique, it is less likely that they will be able to beat three or four different tools used together.
Third-party systems fall broadly into three categories: identity checking systems that verify names, addresses and other aspects of identity including date of birth; rule-based and neural networks that can be built into payment processing systems in order to identify potentially deceitful transactions; and data sharing services that allow merchants to exchange available information on fraudulent activity.
The banking industry has developed the Address Verification Service (AVS) and Card Security Code (CSC) to help minimise fraud.
‘Unlike a Pin code or signature, neither AVS nor CSC is a full confirmation of the cardholder’s identity,’ says Bowerman. ‘However, when used together they allow merchants to decide whether to proceed with a transaction. Merchants implementing AVS/CSC have seen reductions of up to 70 per cent in fraud losses.’
MasterCard and Visa have had a scheme in operation for some time, in which a cardholder registers a password that is then entered whenever they make an online purchase, thereby reducing the risk that a fraudster can use a stolen card to buy goods over the internet. Even if the card or its details are stolen, the card will be refused by the retailer if the password is not known.
The scheme is known, confusingly, as Verified by Visa or MasterCard SecureCode, and is often referred to generically by its underlying protocol name, 3D Secure. Industry opinion is that uptake of the scheme has been disappointingly low, with many cardholders unaware that such a scheme even exists.
Jon Varco, head of Verified by Visa at electronic payments association Visa, is more optimistic about the scheme and says that the national advertising campaign planned for the autumn will significantly increase uptake by merchants and consumers.
‘Four-and-a-half million cardholders are already enrolled and a quarter of those are active online consumers,’ he says. ‘In addition, 12,000 online merchants are using Verified by Visa and more than 14 per cent of all Visa e-commerce transactions in the UK are done by password. Early adopters such as British Airways, Tesco and Ocado, who have an established base of regular customers, are now achieving 35 to 45 per cent of password-verified online transactions.’
According to Fikret Ates, vice president of chip product management at MasterCard International, authentication programmes are designed to make online transactions both safer and faster.
‘For a card authentication solution to be truly effective in a non face-to-face environment, it has to offer a high level of security, and be low cost and consistent across multiple channels,’ he says. ‘MasterCard SecureCode also helps issuing banks greatly reduce phishing attacks and online credit card fraud.’
Typically eight times more likely to be disputed than face-to-face transactions, e-commerce transactions can be extremely expensive for a retailer. Companies that sign up to the Verified by Visa or MasterCard SecureCode scheme are protected against liability if the cardholder denies making the purchase, even if the card issuer and cardholder are not participants in the scheme.
CNP fraud undermines the confidence of consumers, poses the threat of identity theft to cardholders and carries legal obligations for most companies. Real-time fraud detection tools increase the discovery of fraud before it happens.
To fully combat fraud, real-time fraud detection needs to be enterprise-wide to catch fraudsters across geographies and business units. Data sitting in separate silos within an organisation opens up doors that fraudsters can sneak through. It is in the interest of the industry to share fraud models and data to maximise the detection of fraud.
IT managers should be actively pursuing consortiums of best practice and data to combat fraud. Fraud detection should be flexible and capable of being updated – the criminals do not stand still, and therefore the ability to model and predict fraud should be fluid and adaptable to changing environments and geographies.
Best practice: preventing card fraud
CNP transactions are considered high risk because neither the card nor the cardholder is present, so the seller is unable to check the physical security features of the card to determine its authenticity.
In addition, without a Pin or signature it is impossible to confirm that the customer is the genuine cardholder.
Mark Bowerman, spokesman for Apacs, says the problem is further compounded because card issuers cannot guarantee the information provided during a CNP transaction relates to the genuine cardholder.
‘Card issuers can only confirm that the card has not been reported lost or stolen and that there are sufficient funds available in the account,’ he says.
‘The onus is therefore on a merchant accepting a CNP transaction to ensure it is genuine. If the transaction turns out to be fraudulent, the merchant is liable not only for the losses but also for any associated administration charges.’
Bowerman says criminals are becoming increasingly comfortable using the internet, making it the fastest growing medium for CNP purchases. ‘The internet provides anonymity for fraudsters,’ he says. ‘To combat this, merchants have to know their customers and get as much information as possible from them in order to guarantee that they are dealing with a genuine cardholder and card.’
Apacs has drawn up a list of 10 questions – available on its web site www.cardwatch.org.uk – that it recommends retailers ask before accepting a transaction.
These questions concern issues from new customers buying high-value or resalable goods, to purchasers providing details of other people’s cards or even being reluctant to give a traceable landline phone number.
‘While negative answers to these questions don’t always mean that a transaction is fraudulent, they should at least raise awareness of the possibility,’ says Bowerman. ‘In such cases, a merchant has the choice to hold the goods and get in touch with the customer using an alternative contact method in order to ask further questions, or to turn down the transaction altogether.’
He says that criminals are also experts at creating fake drop-off addresses, often doing so by trawling estate agents’ boards looking for empty houses or using a block of flats with many separate addresses.
As the delivery arrives, the criminal miraculously appears ready to intercept the goods before they reach the front door. ‘Merchants are becoming wise to this and are starting to insist that goods are only delivered to the cardholder’s permanent address and that they are handed directly to the addressee on receipt of a signed and dated delivery note,’ says Bowerman.
But with caution, common sense and the practical advice available from Apacs, retailers can significantly reduce their incidence of CNP fraud.
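The layered approach described in this article (AVS/CSC results, password authentication and the kind of warning signs the Apacs questions cover), sketched as an added example that is not from the article or from Apacs. The field names, the £500 threshold and the accept/hold/decline policy are assumptions for illustration.

```python
from dataclasses import dataclass

HIGH_VALUE_GBP = 500.0  # assumed threshold for "high-value" goods

@dataclass
class Order:  # hypothetical record a merchant's checkout might assemble
    amount_gbp: float
    new_customer: bool
    resalable_goods: bool
    avs_match: bool                 # address check passed (simplified to yes/no)
    csc_match: bool                 # card security code check passed
    three_d_secure: bool            # cardholder entered their registered password
    name_matches_card: bool         # purchaser is the named cardholder
    landline_given: bool            # traceable landline number supplied
    ships_to_card_address: bool     # delivery goes to the cardholder's address

def warning_signs(o: Order) -> list[str]:
    """Warning signs of the kind the Apacs questions probe for."""
    signs = []
    if o.new_customer and (o.amount_gbp >= HIGH_VALUE_GBP or o.resalable_goods):
        signs.append("new customer buying high-value or resalable goods")
    if not o.name_matches_card:
        signs.append("card details belong to someone else")
    if not o.landline_given:
        signs.append("no traceable landline number")
    if not o.ships_to_card_address:
        signs.append("delivery not to cardholder's address")
    return signs

def decide(o: Order) -> tuple[str, list[str]]:
    """Combine the layers; the thresholds are an assumed policy."""
    failed = [n for n, ok in (("AVS failed", o.avs_match),
                              ("CSC failed", o.csc_match)) if not ok]
    signs = warning_signs(o)
    reasons = failed + signs
    if len(failed) == 2 or len(signs) >= 3:
        return "decline", reasons
    if failed or len(signs) >= 2 or (signs and not o.three_d_secure):
        return "hold", reasons      # contact the customer another way first
    return "accept", reasons

# Constructed sample orders
REGULAR = Order(40.0, False, False, True, True, True, True, True, True)
RISKY = Order(900.0, True, True, True, True, False, True, True, False)
SUSPECT = Order(900.0, True, True, False, False, False, False, False, False)

if __name__ == "__main__":
    for name, order in (("regular", REGULAR), ("risky", RISKY), ("suspect", SUSPECT)):
        print(name, *decide(order))
```

A "hold" result corresponds to the merchant keeping the goods back and contacting the customer by an alternative method before deciding.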
What the experts say about cardholder-not-present fraud
We believe the way forward is by putting in an extra layer of security and
making sure that all card payments are 3D Secure. To do this requires the
education of both merchants and consumers. If all merchants actively encourage
the Visa and MasterCard schemes by using them at all times, consumers will start
to get the message and the scheme will grow. I believe that this additional
level of security should become mandatory across the board.
Paul Thomas, head of merchant acquisition, Valu
The future has got to be one-time password generating tokens. Everyone is
looking towards Barclays and RBS to see how well the system works in the online
banking environment. There is no reason why this type of security device
shouldn’t be used to verify online credit card transactions. It would embrace
the security benefits of chip-and-Pin but deliver it in a CNP environment.
Mark Bowerman, spokesman for industry association Apacs
Every fraud manager has to understand their business, their clients and the
associated risks. Once you know what an average customer for your business looks
like and how they typically behave, it is easier to spot behaviour outside that
profile. It is also important to train staff to recognise what CNP fraud looks
like.
Sandra Barton-Nicol, head of risk investigations, Betfair
The challenge is to meet regulatory and market requirements while managing
fraud risk within a real-time payment framework. Vendors and banks face a
significant challenge to deploy solutions that can meet aggressive regulatory
frameworks including the Faster Payments requirement in the UK, where real-time
payment execution is mandated from November 2007.
Neil Wilson, financial crime director, Abbey
CNP transactions have been risky in the past with disputes arising around the
transaction. As a means to counteract this, AVS and CSC should already be
commonplace among merchants accepting CNP transactions. The next step is for
merchants to adopt the 3D Secure technology offered by schemes such as Verified
by Visa to help confirm the identity of the cardholder.
Jon Varco, head of Verified by Visa, Visa
© Incisive Media Investments Limited 2012, Published by Incisive Financial Publishing Limited, Haymarket House, 28-29 Haymarket, London SW1Y 4RX, are companies registered in England and Wales with company registration numbers 04252091 & 04252093