The DNA of Online Payments Fraud
Christopher Uriarte
Chief Technology Officer &
Head of International
Development
Retail Decisions
Understanding the DNA
of E-Commerce Fraud
The Tools, the Technologies
and the Techniques
Sample of ReD’s Clients and Focus Sectors
[Figure: sample clients grouped by region (Europe, America, Asia Pacific, Other) and by sector (Travel, Telephony, Retail, Oil, Banking)]
About Retail Decisions: A Market Leader
• One of the leading global providers of transactional card fraud
prevention and payment services
– Touched approx. 16 billion card transactions per year for blue
chip clients around the globe; 160 billion card transactions per
annum worldwide (2007)
– 20+ years' experience in card fraud prevention
• Fully-managed Fraud Prevention and Payment Services focused
only on large and blue-chip customers: Merchants, Issuers and
Acquirers
• Blue-chip client base of more than 300 companies
• Largest pre-paid gift card issuer in Australia
• Strong service offering throughout all pieces in the payment value
chain: merchants, processors and banking institutions
Retail Decisions (ReD) is a London-based specialty provider of transaction and card issuing services to banks, retailers, oil companies and telcos worldwide
Where We Sit & Where the Data Comes From
[Diagram: ReD services and products across the payment chain]
• Fraud Prevention & Gateway Services (CP & CNP): ReDShield™, ReD1Gateway™, CardExpress™
• Fraud Prevention for Acquirers & Processors: PRISM™
• Fraud Prevention for Issuers: PRISM™
• Fraud Prevention for Merchants
• Fraud Prevention for Banking Institutions
Increased Complexity
Malicious individuals continue to evolve schemes in an effort to obtain greater anonymity and higher return on investment with less risk
[Chart: fraud schemes plotted by Complexity against Time, with a "Higher net return $" direction and "Good" / "Bad" labels. Schemes shown: Malware / Sniffers, Triangulation, Shipping fraud, Friendly Fraud, Re-Shipping fraud, Online Ad Fraud, C2C Networks]
Source: 2008 PCI SSC Community Meeting
Implanted chips
Criminals implant a chip directly into Point of Sale equipment
The chip holds up to 1,000 account numbers
Major occurrences in Taiwan, Malaysia and Brazil
• Small battery operated skimmers can hold up to 1 million account numbers at a time
• Devices are mainly produced in Malaysia and China
• Manually manufactured from standard POS equipment
• The skimmers were introduced to US in 1998
Purpose Built Skimmers
Counterfeit Fraud
Increasing examples of large, sophisticated counterfeit card manufacturing operations
170,000 cards seized in Taipei, Taiwan
Arrests in card scam
Wednesday, February 28, 2007
By Paul Grimaldi
Journal Staff Writer
Arraigned yesterday in the thefts of credit-card and debit-card information — and more than $100,000
The men allegedly stole the information by
switching out checkout lane keypads with
one of their own machines and then
retrieving the units a few days later so
they could copy the account data. To
achieve this, they took shelf stocking
positions at the supermarket, which gave
them legitimate access to the facility
during late hours in the evening. They
recorded the stolen information on blank
bank cards that they used to get money from
ATMs in the area, the police said.
Organized & Social
Organized Criminal to Criminal Networks
Financial Services
Credit application fraud, identity theft, account takeover
Online Retail
Credit card fraud, affiliate and click frauds, shipping fraud
Online Gaming
Credit card fraud, gold farming, account take-over, griefing
Internet Dating/Social Networks
Email spam, money solicitation (419 scam), predatory behavior
Online Gambling
Cheating & collusion, money laundering
Diversified Rings of Collusion
CVV2s contain:
1: Name, Address, Post/Zip code, Phone number, Name on Card, CC Number, Expiry, CVV2
2: Name, Address, Post/Zip code, Phone number, Name on Card, CC Number, Expiry, CVV2
3: Name, Address, Post/Zip code, Phone number, Name on Card, CC Number, Expiry, CVV2
Malware & Botnets
• Easy to find & customizable by user
• Designed to monetize fraud not disrupt systems
• Utilizes phishing attack info
• Prevalent in online advertising & affiliate fraud
• Very low detection & apprehension rate
• Very high ROI rates
• High rate of mutation
Attacks on Specific Payment Instruments
• As electronic payments evolve, criminals evolve their targets and their
strategies
• Specific payment instruments have come under significant attack
– Alternative payment: PayPal, Bill Me Later, etc.
– Gift Card (Plastic and Virtual): Schemes used in both the acquisition and
redemption of gift cards
– Private Label cards
• Merchants are often “two steps behind” the criminal after launching or
adjusting payment strategies
Gift Card Acquisition Fraud Rates: Three Top 10 Retailers

| Fraud Rate | Virtual Gift Cards: % of Transactions | Virtual Gift Cards: % of Overall $ Value | Plastic Gift Cards: % of Transactions | Plastic Gift Cards: % of Overall $ Value | Overall Bankcard Fraud Rates: % of Transactions | Overall Bankcard Fraud Rates: % of Overall $ Value |
|---|---|---|---|---|---|---|
| Large Retailer “A” (Apparel, Home Goods) | 0.80% [1.50%] | 1.00% [1.70%] | 0.03% [0.60%] | 0.03% [0.90%] | 0.16% | 0.34% |
| Large Retailer “B” (Mixed Retail) | 4.10% | 10.6% | 2.10% | 3.05% | 0.41% | 1.30% |
| Large Retailer “C” (Mixed Retail) | 1.70% [6.70%] | 2.60% [5.5%] | 0.70% [2.7%] | 2.80% [2.6%] | 1.5% | 3.2% |

• Gift Card Fraud: Defined as the fraudulent purchase of a virtual or plastic gift card
• Retailers displayed above have significant, established gift card programs
• Retailers profiled represent major North American retailers with total combined annual revenues exceeding USD $476
billion (2008)
Key: unbracketed values are June – December 2008; [bracketed] values are January-February 2009
Private Label Card Fraud Examples: Three Top 10 Retailers

| Fraud Rate | Private Label Cards: % of Transactions | Private Label Cards: % of Overall $ Value | Other Card Types: % of Transactions | Other Card Types: % of Overall $ Value |
|---|---|---|---|---|
| Large Retailer “A” (Apparel, Home Goods) | 0.08% | 0.23% | 0.16% | 0.34% |
| Large Retailer “B” (Mixed Retail) | 0.44% | 1.56% | 0.41% | 1.30% |
| Large Retailer “C” (Mixed Retail) | 0.50% | 0.98% | 1.5% | 3.2% |

• Merchant sample includes 3 very large, established major retailers with significant transaction volumes and private
label portfolios
• Includes CNP fraud rates for transactions that took place in 2008, with the exception of Retailer “B”, whose statistics are
from July to December 2008
• Based on Retail Decisions merchant assessments, April 2009 (delay introduced to allow for confirmed
fraud/chargeback resolution window)
• “Fraud Rate” is defined as known fraud, but not necessarily chargebacks. Some fraud is detected and denied before
a chargeback occurs. Actual chargeback rates for Other Card Types are significantly lower than reflected above
The Fraud Lifecycle
[Chart: value of fraud (vertical axis) against time (horizontal axis), with time markers 2002, 2010 and "???", and the question "Are We Here Now???". Annotations along the curve:]
• Solutions implemented to reduce fraud
• Time lag for solutions to take effect
• New solution is implemented to reduce fraud
• Familiarity with weaknesses in cards and technology increases fraud
• Fraud begins to rise as new technologies are cracked and new weaknesses are found
• Implies innovation
• Credit card fraud continues to become more of an organized, professional crime
– the case studies prove it
• CNP fraud continues to aggressively increase. As more countries adopt Chip
and PIN solutions, fraud will continue to migrate from CP to CNP channels
• APACS 2007 Fraud Study: For the first time, more than 50% of fraud was CNP
fraud. Update with new state
• As other countries implement Chip and PIN solutions, both CP and CNP fraud
will increase in non-Chip and PIN geographies
• ID Theft continues to increase, replacing counterfeit schemes, which are no
longer valid in Chip and PIN geographies
• Since fraud is aggressively expanding, legacy fraud prevention techniques are
becoming less and less effective
What This Means In Regards to Fraud
Merchant Fraud Assessment
[Flow diagram: Merchant Order System, Storefront, Website, etc. → Fraud Prevention System and Tools (Proprietary or Outsourced) → one of three outcomes:]
• ACCEPT ORDER: 90%+ of all orders
• DENY ORDER: ~2% of all orders
• CHALLENGE ORDER (Manually Review): 2%-8% of all orders (where applicable)
• Challenges or outright Deny categories may not work for all types of merchants
• Merchants must find the balance:
• Too many manual reviews = too much staffing cost
• Too many outright denies = too many false positives
• No Fraud Prevention system is perfect: You will have false positives. You will
require manual review. Today’s strategy is to let the Fraud Prevention system
identify ~95% of all good and bad orders and manually review the rest
Key Metrics Merchants Must Track:
• Manual Review Rate (“Outsort Rate”) - % of orders reviewed by a person before shipped or cancelled
• Outright Deny Rate - % of orders rejected by the fraud system without performing a manual review
• Fraud Rate – Overall percentage of fraud, usually measured in % of overall transactions and % of $ value
• Customer Insult Rate – Falsely identifying good customers as fraudulent OR degrading service to good
customers as a result of slow/cumbersome fraud processes (e.g. manual reviews take so much time to
complete that shipping windows are missed)
• Revenue at Risk – How a particular fraud strategy could affect revenue
When This Happens: Manual Review Rates Increase
This Could Happen:
• Fraud Rates – Decrease
• Staffing Costs – Increase
• Revenue at Risk – Decrease
• Customer Insult Rate – Potential to increase (slower order turnaround)
• Scalability – Becomes challenging (Double my orders = Double my staff??)

When This Happens: Manual Review Rates Decrease
This Could Happen:
• Fraud Rates – Increase
• Staffing Costs – Decrease
• Revenue at Risk – Potential to increase
• Customer Insult Rate – Potential to increase (due to higher deny rates)

When This Happens: Hard Deny Rates Increase
This Could Happen:
• Fraud Rates – Decrease
• Staffing Costs – Decrease
• Revenue at Risk – Increases (many more false positives)
• Customer Insult Rate – Increase

Highlighted in red: The most typical and critical results in each respective category
Balancing Metrics
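The trade-offs in the balancing table above, worked through on constructed data; this is an added example, not part of the original slides. It assumes a higher score means higher risk (the slides do not state the scale), that manual reviewers decide every reviewed order correctly, and the function names and thresholds are hypothetical.

```python
# Constructed sample orders: (amount_usd, risk_score, is_fraud). Not real data.
# Assumption: a higher score means higher risk; the slides do not state the scale.
ORDERS = [
    (120, 80, False), (60, 150, False), (300, 210, False), (45, 260, False),
    (500, 362, False), (80, 410, False), (900, 450, True), (150, 520, False),
    (700, 610, True), (40, 640, False), (1200, 720, True), (250, 880, True),
]

def policy_metrics(orders, review_at, deny_at):
    """Deny if score >= deny_at, manually review if >= review_at, else accept.

    Simplification: reviewers are assumed to decide every reviewed order
    correctly, so only accepted fraud and outright-denied good orders are errors.
    Slow-review insult (missed shipping windows) is not modelled.
    """
    total = len(orders)
    total_value = sum(amount for amount, _, _ in orders)
    good = [o for o in orders if not o[2]]
    denied = [o for o in orders if o[1] >= deny_at]
    reviewed = [o for o in orders if review_at <= o[1] < deny_at]
    accepted = [o for o in orders if o[1] < min(review_at, deny_at)]
    missed = [o for o in accepted if o[2]]        # fraud that was shipped
    insulted = [o for o in denied if not o[2]]    # good customers denied
    return {
        "manual_review_rate": len(reviewed) / total,
        "outright_deny_rate": len(denied) / total,
        "fraud_rate_txn": len(missed) / total,
        "fraud_rate_value": sum(o[0] for o in missed) / total_value,
        "customer_insult_rate": len(insulted) / len(good),
        "revenue_at_risk": sum(o[0] for o in insulted),
    }

# Hypothetical (review_at, deny_at) thresholds for the three table scenarios.
POLICIES = {
    "baseline": (500, 800),
    "more manual review": (350, 800),
    "more hard denies": (400, 400),   # no review band at all
}

def compare(orders=ORDERS):
    return {name: policy_metrics(orders, r, d) for name, (r, d) in POLICIES.items()}

if __name__ == "__main__":
    for name, metrics in compare().items():
        print(name, {k: round(v, 3) for k, v in metrics.items()})
```

On this sample, widening the review band removes the shipped fraud at the cost of reviewing 7 of 12 orders, while replacing review with hard denies removes the same fraud but denies 3 of 8 good customers.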
[Diagram: Transaction Data passes through six fraud tools: Negative Data, Device ID Check, Address Validation, Proxy Detection, Neural Score, Business Rules. Results returned for the sample transaction:]
• No Matches
• Everything’s OK; First time buyer
• No History
• Address is Good; No match of Name to Address
• Could be behind a University proxy
• Score: 362
Should you accept it? Should you outright deny it? Should you manually review it?
The "More Tools Create Greater
Complexity" Challenge
• Some technologies don’t fit our existing paradigms
– Some may require additional customer data, such as SSN/last 4 or ask personal validation questions
• Some technologies are expensive
– Cost per transaction increases when more techniques and technologies are added to the suite of fraud tools
• Some address very specific fraud scenarios
– Fraud Evolves. Will these be valid in 2 years? 1 year? 6 Months?
• More tools and technologies can actually make decision making more difficult
– Could lead to increased manual review costs, false positives and customer dissatisfaction
New Tools and Techniques: The Challenge
Merchant vs. Issuer Fraud Prevention
Merchant Fraud Prevention
• Screening is transaction-centric
• Primary goal is to protect loss of goods
while staying out of compliance programs
(e.g. Visa RIS)
• Primary focus on CNP channels
• Historical perspective on cardholder is
relatively limited
• Transaction Data set is very robust –
Who? What? When? How?
• More focus on real-time screening
• Many more detection tools exist due to
robust CNP data set
Issuer Fraud Prevention
• Screening is more account-centric
• Primary goal is to protect losses within
issuing portfolio
• Not primarily focused on CNP – in fact,
CNP is often removed from some
screening models
• Historical perspective on cardholder is
comprehensive
• Transaction Data set is limited: Basic
account and transaction details
• Less focus on real-time screening
(although this is changing)
• Certain tools can be deployed much more
effectively (e.g. neural networks)
Consolidated Merchant / Issuing fraud prevention systems do not exist today!
• System and IT
• Business model weaknesses
• Defined payment strategy
• Product Delivery
• Customer service and business policies
• Systems designed for the future
• Manage to Total Cost of Payment
Identify Your Vulnerabilities
Christopher Uriarte
Chief Technology Officer, Retail Decisions
US: +1 (732) 452 2440
UK: +44 (0) 1483 728700
Thank You!
Please feel free to contact me
with any questions!