The DNA of Online Payments Fraud

MRC Europe 2010 e-Commerce Payments and Risk Conference

21 & 22 April 2010, Brussels, Belgium

The DNA of Fraud

Christopher Uriarte

Chief Technology Officer & Head of International Development

Retail Decisions

Upload: christopher-uriarte

Post on 17-Jul-2015



Sample of ReD’s Blue Chip Client Portfolio in 2009

[Figure: client portfolio grouped by region (Europe, America, Asia Pacific, ROW) and by sector (Travel, Telephony, Retail, Oil, Banking)]

Malicious individuals continue to evolve schemes in an effort to obtain greater anonymity and higher return on investment with less risk

[Figure: fraud schemes charted by Complexity over Time, with the labels "Higher net return $", "Good" and "Bad". Schemes shown: Malware / Sniffers, Triangulation, Shipping fraud, Friendly Fraud, Re-Shipping fraud, Online Ad Fraud, C2C Networks]

Source: 2008 PCI SSC Community Meeting

Increased Complexity

Implanted Chips


Criminals implant a chip directly into Point of Sale equipment

The chip holds up to 1,000 account numbers

Major occurrences in Taiwan, Malaysia and Brazil

Small battery operated skimmers can hold up to 1 million account numbers at a time

Devices are mainly produced in Malaysia and China

Manually manufactured from standard POS equipment

The skimmers were introduced to the US in 1998

Purpose Built Skimmers

Counterfeit Fraud

Increasing examples of large, sophisticated counterfeit card manufacturing operations

170,000 cards seized in Taipei, Taiwan

Arrests in card scam

Wednesday, February 28, 2007

By Paul Grimaldi

Journal Staff Writer

Arraigned yesterday in the thefts of credit-card and debit-card information — and more than $100,000

The men allegedly stole the information by switching out checkout lane keypads with one of their own machines and then retrieving the units a few days later so they could copy the account data. To achieve this, they took shelf stocking positions at the supermarket, which gave them legitimate access to the facility during late hours in the evening. They recorded the stolen information on blank bank cards that they used to get money from ATMs in the area, the police said.

Organized & Social

Organized Criminal to Criminal Networks

Financial Services

Credit application fraud, identity theft, account takeover

Online Retail

Credit card fraud, affiliate and click frauds, shipping fraud

Online Gaming

Credit card fraud, gold farming, account take-over, griefing

Internet Dating/Social Networks

Email spam, money solicitation (419 scam), predatory behavior

Online Gambling

Cheating & collusion, money laundering

Diversified Rings of Collusion

CVV2s contain:

1: Name, Address, Post/Zip code, Phone number, Name on Card, CC Number, Expiry, CVV2

2: Name, Address, Post/Zip code, Phone number, Name on Card, CC Number, Expiry, CVV2

3: Name, Address, Post/Zip code, Phone number, Name on Card, CC Number, Expiry, CVV2

Organized Crime


Malware & Botnets

Easy to find & customizable by user

Designed to monetize fraud not disrupt systems

Utilizes phishing attack info

Prevalent in online advertising & affiliate fraud

Very low detection & apprehension rate

Very high ROI rates

High rate of mutation

Moving the Cash

Attacks on Specific Payment Instruments

As electronic payments evolve, criminals evolve their targets and their strategies

Specific payment instruments have come under significant attack

– Alternative payment: PayPal, Bill Me Later, etc.

– Gift Card (Plastic and Virtual): Schemes used in both the acquisition and redemption of gift cards

– Private Label cards

Merchants are often “two steps behind” the criminal after launching or adjusting payment strategies

This is what it’s come to…

Source: ShopRite stores, New York City area, December 2009

Gift Card Acquisition Fraud Rates: Three Top 10 Retailers

| Fraud Rate | Virtual Gift Cards: % of Transactions | Virtual Gift Cards: % of Overall $ Value | Plastic Gift Cards: % of Transactions | Plastic Gift Cards: % of Overall $ Value | Overall Bankcard Fraud Rates: % of Transactions | Overall Bankcard Fraud Rates: % of Overall $ Value |
|---|---|---|---|---|---|---|
| Large Retailer “A” (Apparel, Home Goods) | 0.80% [1.50%] | 1.00% [1.70%] | 0.03% [0.60%] | 0.03% [0.90%] | 0.16% | 0.34% |
| Large Retailer “B” (Mixed Retail) | 4.10% | 10.6% | 2.10% | 3.05% | 0.41% | 1.30% |
| Large Retailer “C” (Mixed Retail) | 1.70% [6.70%] | 2.60% [5.5%] | 0.70% [2.7%] | 2.80% [2.6%] | 1.5% | 3.2% |

Key: plain figures are June – December 2008; [bracketed figures] are January-February 2009

• Gift Card Fraud: Defined as the fraudulent purchase of a virtual or plastic gift card

• Retailers displayed above have significant, established gift card programs

• Retailers profiled represent major North American retailers with total combined annual revenues exceeding USD $476 billion (2008)

Private Label Card Fraud Examples: Three Top 10 Retailers

| Fraud Rate | Private Label Cards: % of Transactions | Private Label Cards: % of Overall $ Value | Other Card Types: % of Transactions | Other Card Types: % of Overall $ Value |
|---|---|---|---|---|
| Large Retailer “A” (Apparel, Home Goods) | 0.08% | 0.23% | 0.16% | 0.34% |
| Large Retailer “B” (Mixed Retail) | 0.44% | 1.56% | 0.41% | 1.30% |
| Large Retailer “C” (Mixed Retail) | 0.50% | 0.98% | 1.5% | 3.2% |

• Merchant sample includes 3 very large, established major retailers with significant transaction volumes and private label portfolios

• Includes CNP fraud rates for transactions that took place in 2008, with the exception of Retailer “B”, whose statistics are from July to December 2008

• Based on Retail Decisions merchant assessments, April 2009 (delay introduced to allow for confirmed fraud/chargeback resolution window)

• “Fraud Rate” is defined as known fraud, but not necessarily chargebacks. Some fraud is detected and denied before a chargeback occurs. Actual chargeback rates for Other Card Types are significantly lower than reflected above

[Figure: value of fraud plotted against time (2002, 2010, ???), with the labels "Are We Here Now???" and "Implies Innovation". Annotations on the curve:]

Solutions implemented to reduce fraud

Time lag for solutions to take effect

New solution is implemented to reduce fraud

Familiarity with weaknesses in cards and technology increases fraud

Fraud begins to rise as new technologies are cracked and new weaknesses are found

The Fraud Lifecycle

Credit card fraud continues to become more of an organized, professional crime – the case studies prove it

CNP fraud continues to aggressively increase. As more countries adopt Chip and PIN solutions, fraud will continue to migrate from CP to CNP channels

• APACS 2007 Fraud Study: For the first time, more than 50% of fraud was CNP fraud. Update with new state

As other countries implement Chip and PIN solutions, both CP and CNP fraud will increase in non-Chip and PIN geographies

ID Theft continues to increase, replacing counterfeit schemes, which are no longer valid in Chip and PIN geographies

Since fraud is aggressively expanding, legacy fraud prevention techniques are becoming less and less effective

What This Means In Regards to Fraud

Merchant Fraud Assessment

[Diagram: orders flow from the Merchant Order System, Storefront, Website, etc. into the Fraud Prevention System and Tools (Proprietary or Outsourced), which returns one of three outcomes: ACCEPT ORDER, DENY ORDER, or CHALLENGE ORDER (Manually Review). Volume labels on the diagram: 90%+ Of All Orders; ~2% Of All Orders; 2%-8% Of All Orders (Where Applicable)]

• Challenges or outright Deny categories may not work for all types of merchants

• Merchants must find the balance:

• Too many manual reviews = too much staffing cost

• Too many outright denies = too many false positives

• No Fraud Prevention system is perfect: You will have false positives. You will require manual review. Today’s strategy is to let the Fraud Prevention system identify ~95% of all good and bad orders and manually review the rest

Key Metrics Merchants Must Track:

• Manual Review Rate (“Outsort Rate”) - % of orders reviewed by a person before shipped or cancelled

• Outright Deny Rate - % of orders rejected by the fraud system without performing a manual review

• Fraud Rate – Overall percentage of fraud, usually measured in % of overall transactions and % of $ value

• Customer Insult Rate – Falsely identifying good customers as fraudulent OR degrading service to good customers as a result of slow/cumbersome fraud processes (e.g. manual reviews take so much time to complete that shipping windows are missed)

• Revenue at Risk – How a particular fraud strategy could affect revenue

When This Happens: Manual Review Rates Increase

This Could Happen:

• Fraud Rates - Decrease

• Staffing Costs - Increase

• Revenue at Risk - Decrease

• Customer Insult Rate - Potential to increase (slower order turnaround)

• Scalability - Becomes challenging (Double my orders = Double my staff??)

When This Happens: Manual Review Rates Decrease

This Could Happen:

• Fraud Rates - Increase

• Staffing Costs - Decrease

• Revenue at Risk - Potential to increase

• Customer Insult Rate - Potential to increase (due to higher deny rates)

When This Happens: Hard Deny Rates Increase

This Could Happen:

• Fraud Rates - Decrease

• Staffing Costs - Decrease

• Revenue at Risk - Increases (many more false positives)

• Customer Insult Rate - Increase

Highlighted in red: The most typical and critical results in each respective category

Balancing Metrics
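The trade-offs between these metrics can be worked through on a small order set. This Python sketch is an added example, not part of the original presentation; the score scale, the thresholds, the constructed sample orders and the assumption that manual review always decides correctly are all illustrative.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Order:
    score: int    # screening score; higher = riskier (assumed scale)
    amount: int   # order value in $
    fraud: bool   # ground truth, confirmed after the fact

# Constructed sample orders (not data from the presentation).
ORDERS = [Order(*o) for o in [
    (120, 50, False), (200, 100, False), (250, 80, False), (362, 120, False),
    (400, 150, True), (480, 70, False), (550, 90, True), (640, 60, False),
    (720, 180, True), (900, 100, True)]]

def decide(score, review_at, deny_at):
    """Map a score to one of the three outcomes: accept, challenge, deny."""
    if score >= deny_at:
        return "DENY"
    if score >= review_at:
        return "CHALLENGE"
    return "ACCEPT"

def pct(part, whole):
    return round(100 * part / whole, 2) if whole else 0.0

def metrics(orders, review_at, deny_at):
    # Assumption: manual review is always right, so only ACCEPTed fraud gets
    # through and only outright-DENYed good orders are insulted customers.
    tagged = [(o, decide(o.score, review_at, deny_at)) for o in orders]
    shipped_fraud = [o for o, d in tagged if d == "ACCEPT" and o.fraud]
    denied_good = [o for o, d in tagged if d == "DENY" and not o.fraud]
    good = [o for o in orders if not o.fraud]
    return {
        "manual_review_rate": pct(sum(d == "CHALLENGE" for _, d in tagged), len(orders)),
        "outright_deny_rate": pct(sum(d == "DENY" for _, d in tagged), len(orders)),
        "fraud_rate_txn": pct(len(shipped_fraud), len(orders)),
        "fraud_rate_value": pct(sum(o.amount for o in shipped_fraud),
                                sum(o.amount for o in orders)),
        "customer_insult_rate": pct(len(denied_good), len(good)),
        "revenue_at_risk": sum(o.amount for o in denied_good),
    }

if __name__ == "__main__":
    # Wide review band, hard deny at 600 with no review, hard deny at 350.
    for review_at, deny_at in [(350, 700), (600, 600), (350, 350)]:
        print(review_at, deny_at, metrics(ORDERS, review_at, deny_at))
```

On this sample the wide review band stops all fraud at a 50% review rate, dropping review lets 24% of order value through as fraud, and a hard deny at 350 stops all fraud but turns away half of the good customers.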

[Figure: a single order screened by several tools]

Tools: Transaction Data, Negative Data, Device ID Check, Address Validation, Proxy Detection, Neural Score, Business Rules

Results shown:

• No Matches

• Everything’s OK; First time buyer

• No History

• Address is Good; No match of Name to Address

• Could be behind a University proxy

• Score: 362

Should you accept it? Should you outright deny it? Should you manually review it?

The "More Tools Create Greater Complexity" Challenge

Some technologies don’t fit our existing paradigms

Some technologies are expensive

Some address very specific fraud scenarios

More tools and technologies can actually make decision making more difficult

Some may require additional customer data, such as SSN/last 4 or ask personal validation questions

Cost per transaction increases when more techniques and technologies are added to the suite of fraud tools

Fraud Evolves. Will these be valid in 2 years? 1 year? 6 Months?

Could lead to increased manual review costs, false positives and customer dissatisfaction

New Tools and Techniques: The Challenge


Merchant vs. Issuer Fraud Prevention

Merchant Fraud Prevention

Screening is transaction-centric

Primary goal is to protect against loss of goods while staying out of compliance programs (e.g. Visa RIS)

Primary focus on CNP channels

Historical perspective on cardholder is relatively limited

Transaction data set is very robust – Who? What? When? How?

More focus on real-time screening

Many more detection tools exist due to robust CNP data set

Issuer Fraud Prevention

Screening is more account-centric

Primary goal is to protect against losses within the issuing portfolio

Not primarily focused on CNP – in fact, CNP is often removed from some screening models

Historical perspective on cardholder is comprehensive

Transaction data set is limited: Basic account and transaction details

Less focus on real-time screening (although this is changing)

Certain tools can be deployed much more effectively (e.g. neural networks)

Consolidated Merchant / Issuing fraud prevention systems do not exist today!

System and IT

Business model weaknesses

Defined payment strategy

Product Delivery

Customer service and business policies

Systems designed for the future

Manage to Total Cost of Payment

Identify Your Vulnerabilities

Thank You!

Christopher Uriarte

Chief Technology Officer, Retail Decisions

UK: +44 (0) 1483 728700

US: +1 (732) 452 2440

Please feel free to contact me with any questions!