Fighting Fraud In Cyberspace
The surge of online credit card transactions is breeding a new generation of criminals. But retailers and other businesses now have new tools to combat cyberspace crimes.
by Elayne Robertson Demby
The Internet is radically changing the way consumers shop for goods and services. Credit providers, and especially retailers, are more than willing to satisfy their appetite to buy whatever they need, whenever they need it, without leaving the comfort of office or home.
Unfortunately, the Internet is also opening up fresh vistas for a new generation of technologically savvy criminals to steal with greater anonymity, and sending creditors and merchants scrambling to find new products and technologies to protect themselves — and their customers — from fraud.
In fact, the National Consumers League reports that cyberspace fraud has increased 600% since 1998. And it can be costly. Experian Inc. says that each year application fraud alone costs American banks, credit card companies, retailers, and businesses an estimated $8 billion.
The biggest worry for purveyors of goods and services over the Web is credit card fraud. “The biggest problem with respect to online merchants is credit card fraud, because they are left holding the bag,” says Thomas Spillane, marketing manager of Nestor Inc. based in Providence, R.I. For in-store retail transactions, the customer presents a card and signs for the purchase, so the bank issuing the card is liable for the cost of the fraud. On the Web, much like telephone catalog sales, the buyer is not physically present, the credit card itself is usually not presented to the merchant, and no signature is obtained to complete the sale. As a result, the e-creditor is the one who absorbs the loss if the transaction turns out to be fraudulent.
To help combat crime in cyberspace, the credit fraud prevention industry is providing a number of new products and marketing those tools to credit and retail businesses. To better understand what fraud-fighting products are being offered, retailers must know the types of fraudulent activity occurring on the Internet. A common Web-fraud scenario, says Patricia Campbell, executive director of marketing at San Diego-based HNC Software Inc., occurs when somebody purchases goods or supplies from an e-commerce retailer or business, and that individual is not the person they claim to be on the credit card.
Credit Card Fraud
In another instance, a person buying computers online from, say, Dell Computer may give Dell a credit card number and tell the company to bill the purchase to a legitimate address but send the goods to the perpetrator’s location, says Mark Doman, executive vice president of St. Cloud, Minn.-based Riskwise LLC. Since it’s a cardless transaction, Dell would have to absorb the loss.
Trying to detect and prevent these types of fraud is challenging. Criminals committing fraud online are smart, so that raises the stakes, says William Gossman, president of Pittsburgh-based Advanced Software Applications. In addition to anonymity, the Internet also offers perpetrators the opportunity to change tactics quickly. “The more manual methods of tracking and tracing these problems will not be acceptable. You need to have systems in place that can respond as quickly as the speed and rate of change at which the perpetrators acting,” Gossman says. “Organizations need to be able to respond to the changing purchasing patterns with an automated approval,” he says. “But they also need to be able to detect the need and change the response in an automated way as well.” At the same time, any verification process has to be done quickly. “Speed is critical,” Doman says, “because people will lose interest quickly if made to wait too long. Consumers want the Internet to be a fast and easy place to buy things.”
On that point, Gossman agrees. “In a store, a person may not mind waiting five to 10 minutes, but online that’s a long time,” he says. “Real-time validation is important.”
Retailers and other businesses “are looking for solutions to help them identify high-risk transactions before the goods are shipped,” Spillane says. In February, Nestor introduced Prism eFraud for online retailers and businesses. Using its neural network technology, the product basically looks at a number of risk factors associated with each transaction, including the particular type of product being purchased. For example, electronics and computers are high-risk transactions. Prism eFraud users can set risk parameters that identify suspicious behavior requiring immediate review for those types of purchases.
The Falcon Flies
Nestor’s competitor HNC rolled out a new product, e-Falcon, in August 1999 based on its neural network-based Falcon software system, which examines transaction, cardholder, and merchant data to detect a wide range of credit card fraud. The Falcon system covers more than 300 million credit cards against fraud worldwide. The new product is targeted specifically to online retailers and businesses, Campbell says. When a consumer tries to make a purchase with a credit card over the Internet, prior to completion of the sale the transaction is transmitted electronically to an e-Falcon service center. There it is scored and sent back to the retailer, who can decide to accept or reject it — or ask for more information. The product’s neural network, Campbell explains, is a form of artificial intelligence that enables it to predict the veracity of the current transaction based on past learning experience.
Atlanta-based Equifax Inc. now provides a comprehensive online fraud detection system that catches fraud not only in credit card transactions, but online check transactions as well. In January, the company introduced Equifax PayNet Secure. To make purchases at online businesses displaying the Equifax PayNet Secure logo on their website, consumers register once with PayNet Secure, get a password, and begin shopping at any site in the PayNet Secure system.
According to Jeff Carbiener, general manager of Equifax Check Solutions, when consumers enter a retailer’s website to shop, they typically fill up a basket and proceed to the checkout to pay. The consumer types in such pertinent information as name, address, credit card number, and so on. At that point, the transaction is handed over electronically to Equifax. The PayNet Secure system searches Equifax’s database to see if it has seen this person before and, if so, asks the consumer for the correct PayNet password.
If the system has not seen the individual before, it tries to verify his or her identity, Carbiener says. The consumer goes through an identification process that asks for the customer’s Social Security and driver’s license numbers. After comparing the responses with information in the Equifax credit database, the system poses a shared-secret question — something that only the actual individual could answer and based on information Equifax has on file. For example, the system could ask the would-be shopper which bank holds that individual’s automobile loan. PayNet Secure then scores the transaction and, if the applicant passes, the system issues a password and authorizes the transaction.
In addition to credit card confirmation, PayNet Secure allows consumers to pay by electronic check. “If a consumer clicks on pay by electronic check, then we’ll run the check through the same risk analysis profile that we do in our brick-and-mortar system,” Carbiener says. For an additional fee, companies can also have Equifax guarantee electronic checks.
Advanced Software Applications introduced its fraud detection product for Internet retailers in October 1999. Working off its flagship product ScorXPRESS, an automated predictive fraud and risk management system, the firm created e.DecisionWORKS. Similar to Nestor and HNC’s approach, ASA uses a hybrid of neural networks and statistics to predict fraud. Its new online system prevents fraud in real time, Gossman says.
For example, a company approving an automobile loan over the Internet uses e.DecisionWORKS to run the application process. The system guides the online auto lender through the transaction and can be used to market the company’s other products to the borrower.
In late 1998, Doman says, Riskwise established an affiliate company to market its fraud detection and prevention services to retailers. That company, riskwise.com, provides fraud detection, verification, and risk management services to credit card issuers, wireless telephone providers, and catalog sales companies. Its SureSale.com product, for example, identifies profitable customers who might not be approved for credit purchases because they have little or no credit history.
Riskwise also offers various verification products, including InstantID, which verifies a credit card applicant’s name, address, telephone number, Social Security number, date of birth, e-mail, and domain name information.
Some of riskwise.com’s clients include Amazon.com, Dell Computer, Wingspan Bank, and Internet bank, Doman says. A consumer who visits Wingspan’s website to apply for a credit card, for example, would input the required identification information, which would then be transmitted to riskwise.com for verification. Through a real-time process, riskwise.com verifies that the information is correct, the person is not deceased, and the address is not a prison address. In all, the system conducts 50 different verification checks in less than three seconds. Based on the results of the verification check, the system scores the transaction and sends it back to the bank, which can then decide either to grant the credit or ask for more information. Commercial Systems, Too
Online fraud control products are also being provided for business-to-business transactions. In fact, to enhance the security, reliability, and trustworthiness of conducting business online, Murray Hill, N.J.-based eccelerate.com, a subsidiary of Dun & Bradstreet Corp., formed a strategic alliance with VeriSign Inc., an Internet trust services provider, in November 1999. Among the services being offered are digital certificates for corporate users, real-time business verification, and certificate validation services. Digital certificates are electronic credentials that companies use for supposedly secure transactions to identify entities on the Internet. Companies obtain D&B; D-U-N-S Number-embedded certificates through VeriSign. When those companies want to conduct a business transaction, the online exchange prompts them to identify themselves by entering their digital certificates. VeriSign validates the information and creates a form of “digital signature” that enables the companies to buy and sell, confident that they are dealing with a trustworthy business.
But, largely because of the high volume of criminal activity there, trust in cyberspace is still a hard sell. For that reason, fraud detection tools designed to combat these crimes appear to be a growth industry.