Card-not-present fraud threatens small online businesses

Small online businesses are increasingly being targeted by sophisticated fraudsters. Some companies, however, are turning to fraud prevention services to verify their credit card transactions.

According to the Association for Payment Clearing Services (APACS), the body that manages interbank payments, losses on high-street transactions fell from £218.8m in 2004 to £73.0m last year. The dramatic reduction in credit card fraud is due largely to the introduction of Chip & PIN, a government-backed initiative that calls for personal identification numbers and semiconductor chip technology to secure payment card transactions.

But that is only half the picture. Card-not-present (CNP) fraud, where criminals make payments via the Internet or by phone, has soared. By 2007, losses reached £290.5m and rose to £328.40m in 2008. CNP fraud now accounts for 54% of all card fraud losses, according to APACS.

While the holders of stolen cards normally have their money refunded, it is the merchants who have to pick up the tab. For small online businesses, the losses can be especially damaging.

Chris Barling, managing director of Actinic Software Ltd., a Surrey-based ecommerce technology provider, has more than 100,000 small and medium-sized businesses using his e-commerce website package, and he said the fraud problem is getting progressively worse.

"Our customers are being targeted by increasingly clever and sophisticated fraudsters. And the level of fraud is noticeably higher in the last six months," he said. "At one end, you have people who will just try it on, and say they haven't received delivery of goods. At the other end, you have organised gangs that buy up sets of stolen card details."

To help beat the problem, he recently incorporated a new feature into his product, based on a service from Surrey-based antifraud firm, the 3rd Man Group plc. The feature provides users with instant feedback on credit card transactions, giving them a green light if the transaction looks good, or a red light if there is something suspicious about it. Armed with that information, the merchant can then decide on whether to refuse the order or investigate.

The 3rd Man's service screens more than 20 million transactions a month from merchants ranging from one-man outfits to large retailers like Argos. With that volume of data, the technology is able to spot suspicious traffic patterns that may indicate card-not-present fraud – such as large numbers of orders from a single IP address, or one card being used with several different names and addresses.
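The two patterns named above can be expressed as velocity rules over a merchant's orders. The following Python example is an added illustration, not code from The 3rd Man or Actinic; the thresholds, field layout and sample orders are constructed assumptions.

```python
from collections import defaultdict

# Assumed thresholds; the article gives no figures.
MAX_ORDERS_PER_IP = 3        # orders from one IP address before flagging
MAX_IDENTITIES_PER_CARD = 2  # distinct name/address pairs seen on one card

# Constructed sample orders: (id, ip, card token, name, delivery address).
# The card field is a processor token, never the card number itself.
ORDERS = [
    (1, "203.0.113.7", "tok_A", "A Jones", "1 Mill Lane"),
    (2, "203.0.113.7", "tok_B", "B Patel", "2 Mill Lane"),
    (3, "203.0.113.7", "tok_C", "C Wong", "3 Mill Lane"),
    (4, "203.0.113.7", "tok_D", "D Evans", "4 Mill Lane"),
    (5, "198.51.100.1", "tok_E", "E Brown", "5 Oak Road"),
    (6, "198.51.100.2", "tok_E", "F Green", "6 Oak Road"),
    (7, "198.51.100.3", "tok_E", "G White", "7 Oak Road"),
    (8, "192.0.2.10", "tok_F", "Mark Hall", "8 Elm Close"),
    (9, "192.0.2.10", "tok_F", "mark  hall", "8 elm close"),
]


def normalise(text):
    """Fold case and whitespace so one customer typing their details
    slightly differently is not counted as several identities."""
    return " ".join(text.lower().split())


def screen(orders):
    """Return {order_id: ("red" | "green", [reasons])} for a batch of orders.
    A production system would apply the same counts over a time window."""
    ids_by_ip = defaultdict(set)
    identities_by_card = defaultdict(set)
    for oid, ip, card, name, address in orders:
        ids_by_ip[ip].add(oid)
        identities_by_card[card].add((normalise(name), normalise(address)))

    lights = {}
    for oid, ip, card, _name, _address in orders:
        reasons = []
        if len(ids_by_ip[ip]) > MAX_ORDERS_PER_IP:
            reasons.append(f"{len(ids_by_ip[ip])} orders from IP {ip}")
        if len(identities_by_card[card]) > MAX_IDENTITIES_PER_CARD:
            reasons.append(f"{len(identities_by_card[card])} identities on card {card}")
        lights[oid] = ("red" if reasons else "green", reasons)
    return lights


if __name__ == "__main__":
    for oid, (light, reasons) in screen(ORDERS).items():
        print(oid, light, "; ".join(reasons))
```

Orders 8 and 9 stay green because the normalisation treats them as one customer, which keeps a repeat buyer from being flagged as a false positive.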

Equally important, the service allows the merchant to check with a customer before shipping goods, rather than just blocking the order. "False positives are just as much a problem as letting through fraud. A small business doesn't want to turn away good customers," said Barling.

Barling said that just by making contact with the customer, the merchant can often scare off the fraudster. "Normally fraudsters don't want to engage in any form of dialogue, because dialogue equals risk. If they talk to someone, they don't know if they are talking to law enforcement, or if someone is triangulating their mobile signal to find out where they are," he said.

The 3rd Man service now comes free as part of Actinic Payments, which channels all credit card payments through to CreditCall, a specialist payment processor. The package ensures that no credit card details are stored on the merchant's systems, thus avoiding any need to comply with the Payment Card Industry Data Security Standard (PCI DSS). "PCI compliance can cost between £40,000 and £80,000 for a medium-sized company, so we allow our customers to comply by effectively outsourcing the card data collection to a third party," said Barling.

Card-not-present fraud: Stolen model railways
The experience of one Actinic customer gives a flavour of the challenges facing small online businesses.

Mark Burley set up Model Railways Direct in 2006, with the aim of turning his life-long hobby into a real business. Soon his website began to generate a good level of orders, and when a spate of large orders came in, worth a total of £7,000, it seemed to confirm that he was on the road to success.

The credit card payments went through and Burley started shipping out the goods. Then, by chance, he noticed something odd about some of the orders. The person ordered a set of steam trains and a modern digital set. "The products were at opposite ends of the spectrum and would not work together," he said. His suspicions were aroused.

Burley's immediate thought was to call the credit card company to check on the cards. "The card company would not tell us anything, or even take the card number, due to 'data protection,'" he said. "So we went through directory enquiries and phoned some of the cardholders. In one case, the cardholder was unaware that his card was being used fraudulently, and in the other, he was surprised at how many transactions had been put through on his card. In both cases, they still had their cards in their possession."

By this time, £3,000 worth of products had been shipped to an address where, on investigation, it was discovered the recipients had already moved out, taking the stolen goods with them. Luckily, he was able to cancel the remaining deliveries.

But as he was to discover, he had to pick up the £3,000 tab when the card company put through a chargeback. Burley said he was shocked by the company's approach.

"They did not want to know anything or care," he said. "They have nothing to lose. If the card is used fraudulently, the card company simply collects the money back from the retailer via a chargeback. It is the retailer who pays for card fraud, and ultimately the customer through higher prices."

In the wake of the experience, he took on the service from The 3rd Man, and said it has killed fraud completely. "Every time we have had a transaction flagged as red, it has been a fraud," he said.
