The DNA of Online Payments Fraud
MRC Europe 2010 e-Commerce Payments and Risk Conference
21 & 22 April 2010, Brussels, Belgium
The DNA of Fraud
Christopher Uriarte, Chief Technology Officer & Head of International Development, Retail Decisions
Sample of ReD’s Blue Chip Client Portfolio in 2009
[Figure: client portfolio by region (Europe, America, Asia Pacific, ROW) and sector (Travel, Telephony, Retail, Oil, Banking)]
Malicious individuals continue to evolve schemes in an effort to obtain greater anonymity and higher return on investment with less risk
[Figure: Increased Complexity. Axis labels: Complexity, Higher net return $, Time, Good, Bad. Schemes shown: Malware / Sniffers, Triangulation, Shipping fraud, Friendly Fraud, Re-Shipping fraud, Online Ad Fraud, C2C Networks]
Source: 2008 PCI SSC Community Meeting
Increased Complexity
Implanted Chips
Criminals implant a chip directly into Point of Sale equipment
The chip holds up to 1,000 account numbers
Major occurrences in Taiwan, Malaysia and Brazil
Purpose Built Skimmers
Small battery operated skimmers can hold up to 1 million account numbers at a time
Devices are mainly produced in Malaysia and China
Manually manufactured from standard POS equipment
The skimmers were introduced to US in 1998
Counterfeit Fraud
Increasing examples of large, sophisticated counterfeit card manufacturing operations
170,000 cards seized in Taipei, Taiwan
Arrests in card scam
Wednesday, February 28, 2007
By Paul Grimaldi
Journal Staff Writer
Arraigned yesterday in the thefts of credit-card and debit-card information — and more than $100,000
The men allegedly stole the information by switching out checkout lane keypads with one of their own machines and then retrieving the units a few days later so they could copy the account data. To achieve this, they took shelf stocking positions at the supermarket, which gave them legitimate access to the facility during late hours in the evening. They recorded the stolen information on blank bank cards that they used to get money from ATMs in the area, the police said.
Organized & Social
Organized Criminal to Criminal Networks
Financial Services: Credit application fraud, identity theft, account takeover
Online Retail: Credit card fraud, affiliate and click frauds, shipping fraud
Online Gaming: Credit card fraud, gold farming, account take-over, griefing
Internet Dating/Social Networks: Email spam, money solicitation (419 scam), predatory behavior
Online Gambling: Cheating & collusion, money laundering
Diversified Rings of Collusion
CVV2s contain:
1: Name, Address, Post/Zip code, Phone number, Name on Card, CC Number, Expiry, CVV2
2: Name, Address, Post/Zip code, Phone number, Name on Card, CC Number, Expiry, CVV2
3: Name, Address, Post/Zip code, Phone number, Name on Card, CC Number, Expiry, CVV2
Malware & Botnets
Easy to find & customizable by user
Designed to monetize fraud not disrupt systems
Utilizes phishing attack info
Prevalent in online advertising & affiliate fraud
Very low detection & apprehension rate
Very high ROI rates
High rate of mutation
Attacks on Specific Payment Instruments
As electronic payments evolve, criminals evolve their targets and their strategies
Specific payment instruments have come under significant attack
– Alternative payment: PayPal, Bill Me Later, etc.
– Gift Card (Plastic and Virtual): Schemes used in both the acquisition and redemption of gift cards
– Private Label cards
Merchants are often “two steps behind” the criminal after launching or adjusting payment strategies
Gift Card Acquisition Fraud Rates: Three Top 10 Retailers
Fraud Rate | Virtual Gift Cards: % of Transactions | Virtual Gift Cards: % of Overall $ Value | Plastic Gift Cards: % of Transactions | Plastic Gift Cards: % of Overall $ Value | Overall Bankcard Fraud Rates: % of Transactions | Overall Bankcard Fraud Rates: % of Overall $ Value
Large Retailer “A” (Apparel, Home Goods) | 0.80% [1.50%] | 1.00% [1.70%] | 0.03% [0.60%] | 0.03% [0.90%] | 0.16% | 0.34%
Large Retailer “B” (Mixed Retail) | 4.10% | 10.6% | 2.10% | 3.05% | 0.41% | 1.30%
Large Retailer “C” (Mixed Retail) | 1.70% [6.70%] | 2.60% [5.5%] | 0.70% [2.7%] | 2.80% [2.6%] | 1.5% | 3.2%
Key: June – December 2008; [January-February 2009] (values in brackets)
• Gift Card Fraud: Defined as the fraudulent purchase of a virtual or plastic gift card
• Retailers displayed above have significant, established gift card programs
• Retailers profiled represent major North American retailers with total combined annual revenues exceeding USD $476 billion (2008)
Private Label Card Fraud Examples: Three Top 10 Retailers
Fraud Rate | Private Label Cards: % of Transactions | Private Label Cards: % of Overall $ Value | Other Card Types: % of Transactions | Other Card Types: % of Overall $ Value
Large Retailer “A” (Apparel, Home Goods) | 0.08% | 0.23% | 0.16% | 0.34%
Large Retailer “B” (Mixed Retail) | 0.44% | 1.56% | 0.41% | 1.30%
Large Retailer “C” (Mixed Retail) | 0.50% | 0.98% | 1.5% | 3.2%
• Merchant sample includes 3 very large, established major retailers with significant transaction volumes and private label portfolios
• Includes CNP Fraud rates for transactions that took place in 2008, with the exception of Retailer “B”, whose statistics are from July to December 2008
• Based on Retail Decisions merchant assessments, April 2009 (delay introduced to allow for confirmed fraud/chargeback resolution window)
• “Fraud Rate” is defined as known-fraud, but not necessarily chargebacks. Some fraud is detected and denied before a chargeback occurs. Actual chargeback rates for Other Card Types are significantly lower than reflected above
[Figure: The Fraud Lifecycle. Axes: Value of fraud against Time (2002, 2010, ???). Labels on the curve: Familiarity with weaknesses in cards and technology increases fraud; Solutions implemented to reduce fraud; Time lag for solutions to take effect; Fraud begins to rise as new technologies are cracked and new weaknesses are found; New solution is implemented to reduce fraud. Annotations: "Are We Here Now???", "Implies Innovation"]
The Fraud Lifecycle
Credit card fraud continues to become more of an organized, professional crime – the case studies prove it
CNP fraud continues to aggressively increase. As more countries adopt Chip and PIN solutions, fraud will continue to migrate from CP to CNP channels
• APACS 2007 Fraud Study: For the first time, more than 50% of fraud was CNP fraud. Update with new state
As other countries implement Chip and PIN solutions, both CP and CNP fraud will increase in non-Chip and PIN geographies
ID Theft continues to increase, replacing counterfeit schemes, which are no longer valid in Chip and PIN geographies
Since fraud is aggressively expanding, legacy fraud prevention techniques are becoming less and less effective
What This Means In Regards to Fraud
Merchant Fraud Assessment
[Figure: order flow. Merchant Order System, Storefront, Website, etc. feeds the Fraud Prevention System and Tools (Proprietary or Outsourced), which returns one of three outcomes: ACCEPT ORDER, DENY ORDER, CHALLENGE ORDER (Manually Review). Volume labels, in the order shown: 90%+ Of All Orders; ~2% Of All Orders; 2%-8% Of All Orders (Where Applicable)]
• Challenges or outright Deny categories may not work for all types of merchants
• Merchants must find the balance:
• Too many manual reviews = too much staffing cost
• Too many outright denies = too many false positives
• No Fraud Prevention system is perfect: You will have false positives. You will require manual review. Today’s strategy is to let the Fraud Prevention system identify ~95% of all good and bad orders and manually review the rest
Key Metrics Merchants Must Track:
• Manual Review Rate (“Outsort Rate”) - % of orders reviewed by a person before shipped or cancelled
• Outright Deny Rate - % of orders rejected by the fraud system without performing a manual review
• Fraud Rate – Overall percentage of fraud, usually measured in % of overall transactions and % of $ value
• Customer Insult Rate – Falsely identifying good customers as fraudulent OR degrading service to good customers as a result of slow/cumbersome fraud processes (e.g. manual reviews take so much time to complete that shipping windows are missed)
• Revenue at Risk – How a particular fraud strategy could affect revenue
Balancing Metrics
When This Happens: Manual Review Rates Increase
This Could Happen:
• Fraud Rates - Decrease
• Staffing Costs - Increase
• Revenue at Risk - Decrease
• Customer Insult Rate – Potential to increase (slower order turnaround)
• Scalability – becomes challenging (Double my orders = Double my staff??)
When This Happens: Manual Review Rates Decrease
This Could Happen:
• Fraud Rates - Increase
• Staffing Costs - Decrease
• Revenue at Risk – Potential to increase
• Customer Insult Rate – Potential to increase (due to higher deny rates)
When This Happens: Hard Deny Rates Increase
This Could Happen:
• Fraud Rates - Decrease
• Staffing Costs - Decrease
• Revenue at Risk – Increases (Many more false positives)
• Customer Insult Rate – Increase
Highlighted in red: The most typical and critical results in each respective category
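The metrics and trade-offs above can be measured by replaying labelled orders through different accept / challenge / deny thresholds. The following is an added example, not material from the presentation: the score scale (higher = riskier), the thresholds, the sample orders, the reading of Revenue at Risk as the value of good orders hard-denied, and the assumption that manual review always reaches the right decision are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Order:
    score: int      # assumed scale: higher = riskier
    amount: float   # order value in $
    fraud: bool     # ground truth, known only after the chargeback window

# Constructed sample orders (not data from the presentation).
ORDERS = [Order(s, a, f) for s, a, f in [
    (50, 40, False), (120, 80, False), (200, 60, False), (310, 150, False),
    (362, 90, False), (420, 300, True), (480, 120, False), (560, 200, False),
    (610, 500, True), (700, 250, False), (820, 400, True), (930, 700, True),
]]

# Hypothetical strategies as (review_at, deny_at) score thresholds.
STRATEGIES = {"baseline": (500, 900), "more_review": (400, 900),
              "fewer_review": (650, 900), "hard_deny": (400, 400)}

def evaluate(orders, review_at, deny_at):
    """Accept below review_at, challenge in [review_at, deny_at), deny at or above.

    Assumes reviewers decide challenged orders correctly, so only fraud that
    was auto-accepted counts toward the fraud rate.
    """
    total_value = sum(o.amount for o in orders)
    accepted = [o for o in orders if o.score < review_at]
    reviewed = [o for o in orders if review_at <= o.score < deny_at]
    denied = [o for o in orders if o.score >= deny_at]
    good = [o for o in orders if not o.fraud]
    missed = [o for o in accepted if o.fraud]       # fraud that shipped
    insulted = [o for o in denied if not o.fraud]   # good customers hard-denied
    return {
        "manual_review_rate": len(reviewed) / len(orders),
        "outright_deny_rate": len(denied) / len(orders),
        "fraud_rate_txn": len(missed) / len(orders),
        "fraud_rate_value": sum(o.amount for o in missed) / total_value,
        "customer_insult_rate": len(insulted) / len(good),
        "revenue_at_risk": sum(o.amount for o in insulted),
    }

def compare(orders=ORDERS):
    """Return the metric set for every strategy so they can be read side by side."""
    return {name: evaluate(orders, r, d) for name, (r, d) in STRATEGIES.items()}

if __name__ == "__main__":
    for name, metrics in compare().items():
        print(name, {k: round(v, 3) for k, v in metrics.items()})
```

On this sample, widening the review band removes the missed fraud at the price of reviewing half of all orders, while replacing review with hard denies removes it at the price of denied good customers and lost revenue.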
[Figure: a single order's Transaction Data passed through the fraud tools. Tools, in the order shown: Negative Data, Device ID Check, Address Validation, Proxy Detection, Neural Score, Business Rules. Results, in the order shown: No Matches; Everything’s OK; First time buyer; No History; Address is Good; No match of Name to Address; Could be behind a University proxy; Score: 362]
Should you accept it? Should you outright deny it? Should you manually review it?
The "More Tools Create Greater Complexity" Challenge
Some technologies don’t fit our existing paradigms
– Some may require additional customer data, such as SSN/last 4 or ask personal validation questions
Some technologies are expensive
– Cost per transaction increases when more techniques and technologies are added to the suite of fraud tools
Some address very specific fraud scenarios
– Fraud Evolves. Will these be valid in 2 years? 1 year? 6 Months?
More tools and technologies can actually make decision making more difficult
– Could lead to increased manual review costs, false positives and customer dissatisfaction
New Tools and Techniques: The Challenge
Merchant vs. Issuer Fraud Prevention
Merchant Fraud Prevention
Screening is transaction-centric
Primary goal is to protect loss of goods while staying out of compliance programs (e.g. Visa RIS)
Primary focus on CNP channels
Historical perspective on cardholder is relatively limited
Transaction Data set is very robust – Who? What? When? How?
More focus on real-time screening
Many more detection tools exist due to robust CNP data set
Issuer Fraud Prevention
Screening is more account-centric
Primary goal is to protect losses within issuing portfolio
Not primarily focused on CNP – in fact, CNP is often removed from some screening models
Historical perspective on cardholder is comprehensive
Transaction Data set is limited: Basic account and transaction details
Less focus on real-time screening (although this is changing)
Certain tools can be deployed much more effectively (e.g. neural networks)
Consolidated Merchant / Issuing fraud prevention systems do not exist today!
System and IT
Business model weaknesses
Defined payment strategy
Product Delivery
Customer service and business policies
Systems designed for the future
Manage to Total Cost of Payment
Identify Your Vulnerabilities
Thank You!
Christopher Uriarte, Chief Technology Officer, Retail Decisions
UK: +44 (0) 1483 728700
US: +1 (732) 452 2440
Please feel free to contact me
with any questions!