Understanding Ecommerce Fraud Risks and Exposures

Transcription

1 Understanding Ecommerce Fraud Risks and Exposures ASOBANCARIA s 6th Congress of Fraud Prevention and Security Thursday, 25 October, 2012 Chris Burns, CEO

2 Agenda The Underground Internet Economy Still Thriving The Cost of Fraud Current Trends in Online Fraud Examples of Fraudulent Activity Mobile Trends Fraud Mitigation & Case Studies FAC Recommendations

3 The Underground Internet Economy Fraud is a costly experience for all online merchants Shadow internet economy still thriving Merchants are trying to keep up with fraud to protect their bottom line and their customers Increases in ecommerce are driving increased fraudulent activity 1. 5 million victims of Cyber crime per day Million victims per year (Norton) Cybercriminals are sophisticated and understand the card processing systems better than most merchants Cybercriminals continually develop new methods for tricking victims with scams that bring in billions per year in profits

4 The Underground Internet Economy In 2011, fraud cost businesses over $100 Billion Losses included: Unrecoverable Product Replacement Costs Chargeback Fees + dispute fees Manual Reviews Distracts staff from revenue generating aspects of operating a business Fines and Penalties Loss of merchant account Customer Satisfaction, Brand Image, insulted customer Number 1 reason for CBs is fraudulent transactions (Visa) Fraud increased by 25% year-over-year, e-commerce grew 16% Brazil accounted for 7% of global economic loses related to cybercrime $8 billion, Mexico was responsible for $2 billion Source: Kount

5 The Underground Internet Economy Cost of Fraud Merchants using more tools to compete with increased fraud threat = higher costs Large merchants use on average 8 different tools to screen orders Nearly 50% of all chargebacks are direct result of fraud Refunds can be = to or > cost of CBs loss of product, shipping costs Average order rejection rate in US is 2.4% and 7.7% internationally Revenue impact felt by small and large business alike Management, reviews and escalation of suspect transactions time and cost of review teams Merchants bear the highest percentage of fraud costs compared to Banks and card holders Source: Kount

6 Industries with the highest fraud rates - US 1. Consumer electronics 2. Apparel/Jewelry 3. Household/General Merchandise 4. Physical Goods 5. Digital goods and services 6. All services Source Cybersource 2012 online fraud report

7 The Underground Internet Economy Current Trends: Just some examples of methods used by fraudsters today to obtain personal and financial information Identity Theft Credit Card Number Generators Phishing Card Counterfeiters Spam/Junk Mail offers Black Market Card & Billing Address Lists Skimming Key Stroke Loggers Spoofing 3D Secure Enrolment Phishing Scams Malware Nigerian money transfer scam s Server Hacking

8

9 The Underground Internet Economy Cybercriminals profit from selling stolen data TrendLabs identified the following items & their average price tag for sale on the underground: Documents Scan Resale Services: Passport/utility bill/statement - $20 Credit card (front and back) - $25 Original docs - starts from $4 Passport - $20 Drivers License - $20 Credit cards - $30 Utility bill - $10

10 The Underground Internet Economy Credit Card Number Value in the Cybercriminal Underground US $1-3 per US based card number US $3-8 per Central America, Australia & Europe-based number US $6-10 per number in Asia, Middle East and other countries 1 verified PayPal account (attached to credit card or bank account) costs US $1-6 when sold underground Source: Trend Micro TrendLabs: Annual Security Roundup 2011

11 Examples of Fraudulent Activity Phishing Phishing attacks use or malicious websites to solicit personal information by posing as a trustworthy organization For example, an attacker may send seemingly from a reputable credit card company or financial institution requesting account information FACT ebay & PayPal are 2 of the most commonly phished sites (Source: TrendLabs) When users respond with the requested information, attackers can use it to gain access to those accounts

12 Examples of Fraudulent Activity

13 Examples of Fraudulent Activity

14 Note the high jacked URL This is a phished site Copyright year is different

15 This is the real site (URL and look & feel has since changed)

16 Examples of Fraudulent Activity Social networking sites present huge opportunities for cybercriminals Some reports indicate that as much as 30% of personalities on social network sites are people working a scam Facebook, LinkedIn, Twitter, MySpace and other social networking sites all been hit by various phishing scams Dorkbot malware -- Latin America was the most infected region in The worm stole 1000s of passwords for Facebook, Twitter Gmail and Paypal LinkedIn phishers targeted users with suspicious invitations to connect. The link triggered malware that embedded itself in user s browser if the browser was opened July, Twitter phishing scam preying on curiosity about criticism. Came in the form of a direct message from a friend, but was phishing scam aimed at stealing Twitter login details

17 TrendLabs Annual Security Roundup 2011 TOP 3 PUBLICLY AVAILABLE INFORMATION ON SOCIAL MEDIA 3 MOST COMMON FACEBOOK ATTACK TYPES addresses Hometown High school Likejacking Attacks Rogue application propagation attacks Spam campaigns TOP 3 SOCIAL MEDIA SECURITY RISKS Malware infection Data leakage Unwilling attack participation

18 Examples of Fraudulent Activity Credit Card Number Generation Credit card generation software online is prolific and easy to obtain Once the card BIN number is sourced, online generation software can produce thousands of card numbers which will authorise online BIN attacks are common on merchant web sites and are detected by fraud software or a diligent payment solutions provider who recognize the transaction testing patterns used to validate BIN ranges and counterfeit credit card numbers New online reference sites like the BIN database are very useful to banks and fraudsters for completely different reasons!

19 Examples of Fraudulent Activity

20 Examples of Fraudulent Activity

21 Examples of Fraudulent Activity

22 Examples of Fraudulent Activity Cybercriminals always trying out new schemes in order to replace old ones that have become less effective Ukash & Paysafecard (voucher providers) are frequently used by criminals (according to TrendLabs) Both companies are legitimate businesses. However, vouchers are like cash and there is no records of them changing hands Criminals take the vouchers and sell them to exchange sites for 40 to 50% of face value Exchanges then sell them to customers for up to 90% of value

23 Examples of Fraudulent Activity

24 Examples of Fraudulent Activity Affiliate networking has helped fraudsters flourish even more with products sold via affiliate & cost-per-click marketing Merchants are misled into paying commissions that they should not be paying Fraudulent affiliates use techniques such as cookie-stuffing, URL hijacking & adware to get paid commissions for leads they did not refer They may also order products using stolen credit cards with no intention of receiving product, just the commission

25 Mobile Trends Source: KOUNT

26 Mobile Trends Mobile is an important extra channel to market Smartphones and tablets & their large -scale consumer adoption is changing the way we pay. 80% of Latin Americans have a mobile phone BUT as use of mobile payments grows globally, so too does risk of FRAUD Mobile fraud risk is still fairly unknown, but evidence suggests that mobile fraud rates may be among highest of all CNP fraud Two schools of though on this Riskier as it is a new channel (more loop holes) and harder to identify the device Vs. closed mobile network device almost always on person and passcodes on phones. Mobile vulnerabilities doubles in 2011 over % of mobile users received a text from someone they didn t know asking them to click on malicious links

27 Mobile Trends 2011 saw the mobile threat landscape mature -- evidenced by staggering spike in mobile malware volume (According to Trend Micro s Trend Labs annual security roundup) But if you pass on offering mobile payment, you lose out on the upside of this sales channel If current trends hold, we may be able to see more than 120,000 malicious Android apps by the end of Menard Oseña, Trend Micro Solutions Product Manager

28 Fraud Mitigation Use the right tools Fraud detection tools are those used to identify the probability of risk associated with an online transaction. They do not guarantee that a fraud will not occur and certainly will never prevent a chargeback from being initiated by the consumer Fraud prevention tools like CVV2/CVC2 and 3-D Secure do provide guarantees against fraud coded chargebacks and are fully sponsored by the Card Associations for chargeback compliance What can you take away from all of this? Importance of choosing an e-commerce Provider that can work with you to help mitigate fraud & customize a solution that is right for your business Payment and Fraud Strategy should always be top of mind (even when you think you have it nailed)

29 Fraud Mitigation Use the right tools: AVS & Card Verification Code 3-D Secure Bin Blocking Card Blocking Transaction Data Monitoring Manual Reviews Transaction Value Caps Volume Limits FAC is also currently adding a third party risk scoring system to our platform Kount Kount provides maximum protection for some of the world s best known companies. Hundreds of variables are analyzed to give the merchant a clear picture of the risk associated with a transaction

30 Fraud Mitigation Who is Kount? Founded in 2007 (Idaho, USA) Technology dating back to 1998 Multiple patents Empower their merchants to WIN THE WAR on fraud An operational platform, all-in-one, SaaS solution Reduce fraud without jeopardizing sales Greater usability with less complexity Speed & Accuracy

31 Fraud Mitigation Kount Complete Platform

32 Recommendations What can you do to protect you business? Watch for behaviour patterns that don t seem normal for customers at your web site (or on the phone, or other access point) or Merchants in your portfolio Merchants must implement PCI compliant security requirements to reduce risk to malware/trojan/spyware attacks. Implement transaction pre-authentication solutions including AVS, CVV2, IP Geolocation and data sharing services in addition to Verified by Visa & MasterCard SecureCode WHY? Pre-authentication transaction services - pre-screen transactions to filter out obvious or suspicious fraudulent transactions Outsource fraud services to knowledgeable third parties who are experts in detection and data analysis Don t be afraid to ask for help KNOW YOUR ENEMY!

33 Recommendations Pre-authentication and automated fraud screening services cannot predict human behaviour which ultimately results in chargebacks. Habitual chargeback offenders (the friendly fraud culprits) are aware of this and will use this over and over again 3-D Secure is there to protect online merchants from habitual chargeback offenders by allowing fraud chargebacks to be represented under the chargeback liability shift guarantees Implement pre-screening of card information before you process the payment (if applicable). It s an extra step but a valuable one to prevent a chargeback loss later on REMEMBER!

34 Fraud Prevention Case Studies Latin America Caribbean Merchants Large Airline in LACR implemented FAC s AVS + CVV2 consumer verification to validate legitimacy of the consumer transaction prior to the actual payment for the ticket. This enables the airline to verify the plastic for fraud before the ticket is issued Airlines & Travel Agencies are also implementing AVS + CVV2 verification at the point of sale (terminal) during a face-to-face transaction (or over the phone) to assist with consumer verification Verified By Visa & MasterCard SecureCode solutions have been implemented in Mexico, Europe and South America as a standalone service which is performed BEFORE the payment authorisation request -- This allows merchant to validate the enrolment status of the Issuer and Cardholder before the transaction is performed so a risk profile can be obtained for chargeback liability shift rights

35 FAC s Payment Platform Key Features Multi-jurisdictional, multi-currency settlement via a single interface Direct merchant accounts Call Centre web applications Virtual Terminal (back office support) Mail Order/Telephone Order (MO/TO) Batch Processing Recurring Payments Tokenization Secure web-based transaction reporting Hosted Payment Page Web-based chargeback reports 24 x 7 telephone, web and emergency technical support 3-D Secure - certified MPI (EU, CEMEA, LACR) CVV2/CVC2/CID and AVS checks PCI Compliant Gateway since 2005 Alternative payments Fraud prevention solutions

36 Lastly DON T LET FRAUD BE JUST ANOTHER COST OF DOING BUSINESS!

37 Thank You Chris Burns First Atlantic Commerce Ltd Tel: +(441)