Online credit card fraud against small businesses
Kate Charlton and Natalie Taylor
ISBN 0 642 53846 8 ; ISSN 1326-6004
Canberra: Australian Institute of Criminology: 2004
(Research and public policy series, no. 60)
Section 4 : Fraud prevention
Electronic fraud prevention
The most basic technique of fraud prevention is electronic authorisation. This process involves verifying that the credit card being used to purchase goods is valid and has sufficient funds attached to it. Given that there are significant limitations associated with this process, specifically that it provides no assurance that the person using the card is authorised to make the purchase, technology is rapidly developing to provide retailers with added protection.
For credit card transactions conducted in person, a system involving microchips and personal identification numbers (PINs) is currently being developed in the United Kingdom. This has involved a microchip being added to credit cards to store data securely, and a PIN being used rather than a signature at the point of sale (APACS 2003). This procedure requires traders to install special terminals to accommodate the new chip and PIN. A recent UK trial of the system was successful. Countries around the world are creating chip cards to meet an international specification originally devised by the card issuers Europay, MasterCard and Visa (known collectively as EMV). It is anticipated that all of the UK's credit, debit and charge cards will be reissued with chip and PIN capability by 2005. The potential reduction in over-the-counter credit card fraud should be substantial.
For credit card transactions conducted over the internet, however, the problems of card and cardholder authentication still remain. Chip and PIN cards have the potential at some point in the future to provide more secure transaction technology through the use of chip readers and PIN pads attached to computers; however, at this early stage their application is limited. In the UK and USA, two additional online fraud prevention strategies have been developed in partnership with financial institutions and card issuers:
- an address verification service (AVS); and
- a card verification number (CVN).
The AVS is obtained through the cardholder's issuing financial institution, whereby numerical details of the address provided in the online order are cross-checked. While this service is not foolproof (for example, if the cardholder has moved but the financial institution's records have not been updated), it is nevertheless a tool which traders can use to determine their risks of proceeding with the order. A formalised AVS is not currently available for cards issued within Australia (Turpen 2003).
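The numbers-only comparison described above can be sketched as follows. This is an added example, not code from the report or from any card issuer; it is a simplified model of an address check, and the function names, result labels and addresses are constructed for illustration.

```python
import re

def numeric_details(street, postcode):
    """Keep only what is compared: the first run of digits in the
    street line and the digits of the postcode."""
    m = re.search(r"\d+", street)
    return (m.group() if m else ""), re.sub(r"\D", "", postcode)

def avs_result(order_addr, issuer_addr):
    """Compare the order's address with the issuer's record, numbers only."""
    o_num, o_post = numeric_details(*order_addr)
    r_num, r_post = numeric_details(*issuer_addr)
    street_ok = o_num != "" and o_num == r_num
    post_ok = o_post != "" and o_post == r_post
    if street_ok and post_ok:
        return "full match"
    if street_ok:
        return "street number only"
    if post_ok:
        return "postcode only"
    return "no match"

# Constructed data: (street line, postcode) held by the issuing institution.
ON_FILE = ("12 Smith St", "2600")
CASES = {
    # Spelling and spacing differences do not matter: only digits are compared.
    "same address, different spelling": ("12 Smith Street", "2600 "),
    # A partial result leaves the decision on the risk to the trader.
    "right postcode, wrong street number": ("48 Smith St", "2600"),
    # The limitation noted above: the issuer's record is out of date,
    # so a genuine cardholder fails the check.
    "genuine cardholder who has moved": ("7 Harbour Rd", "2000"),
}

if __name__ == "__main__":
    for label, addr in CASES.items():
        print(f"{label}: {avs_result(addr, ON_FILE)}")
```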
Similarly, online traders can request that the customer enter the CVN, usually a three- or four-digit number printed on the back of most credit cards. Again, while this does not necessarily prevent fraud, it presumably reduces the likelihood of fraud occurring since it is an additional piece of information which is available only from viewing the card itself and cannot be obtained from items such as discarded receipts. For this reason Australian online traders may ask customers to provide this number (St George Bank 2003); however, the extent to which it is verified with card issuers is unclear. A US survey of online traders found that 75 per cent used the AVS, while 44 per cent used the CVN (Cybersource 2003); however, the degree to which these measures prevent fraud has not been assessed.
A third option currently available in Australia is payer authentication offered through both Mastercard ('Mastercard Securecode') and Visa ('Verified by VISA'). These are password-based programs which allow registered cardholders to verify their purchases by entering a password in a pop-up box on the computer screen when an online purchase is being made. Again, however, this requires cardholders to register for the program with participating card issuers and it also requires businesses to be registered and to have a Verified by Visa or Mastercard Securecode merchant plug-in installed on their processor. The procedure of transactions using Verified by Visa or Mastercard Securecode is displayed in Figure 2.
The benefits of Verified by Visa or Mastercard Securecode for online traders are primarily that internet credit card transactions become considerably safer as the credit card purchase will be authorised only if the customer knows the correct password. This makes it much more likely that the person making the purchase is in fact the genuine cardholder.
Figure 2: Procedure of transactions involving Verified by Visa or Mastercard Securecode

Source: Visa (2004); Westpac (2003)
Further, online traders who participate in these programs are protected to a greater degree against fraudulent chargebacks. Whereas retailers using basic electronic authorisation procedures are liable for the full amount, since April 2003 those using Verified by Visa are no longer liable for chargebacks arising from fraudulent transactions (ANZ Bank 2003). Visa believes that up to 80 per cent of online chargebacks and fraud will be eliminated through this system. Implementation of the system is in its early stages, as it requires participation by both cardholders and businesses; however, its future potential if optimised is presumably large.
The use of electronic authorisation
Currently in Australia there are several ways that retailers can authorise a credit card payment for an online purchase. One way is to use a web link to a bank-operated internet payment service (AIIA 1999). This is where credit card details are entered onto the web site of the business and the details of the purchase are automatically submitted for bank authorisation. The authorisation is almost instantaneous and, if approved, the customer receives an approval notice while they are still waiting. Figure 3 illustrates the processes involved in a bank-operated internet payment authorisation service.
Figure 3: Processes involved in bank-operated internet payment authorisation service

Source: Adapted from National Australia Bank (2002a)
Alternative methods of electronic authorisation are where the credit card details are entered onto the retailer's web site and staff later enter them into an EFTPOS terminal, or where the retailer contacts the bank or a merchant authorisation service to obtain authorisation for the credit card purchase. In all three methods (web site link, EFTPOS check and phone call to bank) the electronic authorisation verifies that the card used to make the purchase has sufficient funds and has not been stolen - it does not verify that the customer is the genuine cardholder. All three methods also involve three parties:
- the retailer (who requests the initial authorisation and receives the final approval or decline);
- the retailer's financial institution (the mediator between the retailer and the cardholder's financial institution); and
- the cardholder's financial institution (who provides the authorisation) (Retail Decisions 2001).
However, there are also likely to be instances where some online traders may simply take the credit card details for the purchase at face value and not seek bank authorisation. This latter scenario could clearly put traders at greater risk of fraud and may reflect a lack of knowledge as to the potential risks involved with such a strategy. Identifying the proportion of online traders who fall into this latter category would assist in identifying fraud prevention strategies. This could include developing information kits to make available to all online traders.
Online traders were asked whether they had web-based systems in place which would provide real-time authorisation while the customer waited online and, if not, how often they manually processed electronic authorisations (either by using an EFTPOS terminal or telephoning the relevant authority). It was found that:
- 25 per cent used a system which automatically requested authorisation through the various parties (cardholder's financial institution, credit card company and so on) while the customer waited online;
- 63 per cent always manually processed electronic authorisation prior to dispatching goods;
- 4 per cent manually processed electronic authorisation some or most of the time; and
- 8 per cent never used electronic authorisation.
Manual fraud prevention
In lieu of more technologically advanced prevention techniques, Australian online traders are usually provided with numerous suggestions for fraud prevention strategies by their financial institution, which are intended to reduce the risk of businesses accepting fraudulent online transactions (National Australia Bank 2002b; Westpac 2000). These suggestions usually centre on manually screening orders prior to sending the goods in addition to obtaining electronic authorisation. Retailers are told of possible 'warning signs' which may indicate a customer who is not genuine, such as an overseas mailing address or a postal box address instead of a physical address. Retailers are also warned about:
- orders comprising duplicate items (they may be sold on);
- orders placed on a rush or with immediate delivery (fraudsters are not concerned with delivery costs and want the items quickly);
- cards that have been used previously and found to be fraudulent; and
- customers who provide an email address from a free email service (Tomlinson 2002).
In addition to being wary when these 'warning signs' appear on an order, online traders are advised to:
- verify the order with the customer by telephone or email;
- confirm the address with the financial institution or recent telephone directory;
- establish a database which records good and bad customers (to ensure speedy approval and no unnecessary screening); and
- request information from the customer which only the cardholder would know (address, digits on back of card, bank who offers the card, and so on).
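The warning signs and the good/bad customer database described above can be combined into a simple pre-dispatch screen. This is an added example, not code from the report or from any financial institution; the field names, the decision policy (reject, approve or refer for manual review) and all sample data are assumptions made for illustration.

```python
import re

HOME_COUNTRY = "AU"  # assumption: the trader ships from Australia
FREE_EMAIL_DOMAINS = {"freemail.example"}  # constructed placeholder list
PO_BOX = re.compile(r"\b(p\.?\s*o\.?\s*box|gpo\s+box)\b", re.I)

def warning_signs(order, bad_cards):
    """Return the warning signs listed above that appear on one order."""
    signs = []
    if order["ship_country"] != HOME_COUNTRY:
        signs.append("overseas mailing address")
    if PO_BOX.search(order["ship_address"]):
        signs.append("postal box address")
    if any(qty > 1 for qty in order["items"].values()):
        signs.append("duplicate items")
    if order["delivery"] in ("rush", "immediate"):
        signs.append("rush or immediate delivery")
    if order["card_ref"] in bad_cards:
        signs.append("card previously found fraudulent")
    if order["email"].rsplit("@", 1)[-1].lower() in FREE_EMAIL_DOMAINS:
        signs.append("free email service")
    return signs

def screen(order, good_customers, bad_cards):
    """Return (decision, signs); the decision policy is an assumption."""
    signs = warning_signs(order, bad_cards)
    if "card previously found fraudulent" in signs:
        return "reject", signs
    if order["email"].lower() in good_customers:
        return "approve", signs  # known-good customer: no unnecessary screening
    # Any remaining sign sends the order to a person, who phones or emails
    # the customer and confirms the address before the goods are dispatched.
    return ("review" if signs else "approve"), signs

# Constructed sample data. card_ref is an opaque reference from the payment
# processor (an assumption), so the trader's database holds no card numbers.
GOOD_CUSTOMERS = {"pat@customer.example"}
BAD_CARDS = {"ref-0003"}
ORDERS = [
    {"ship_country": "AU", "ship_address": "12 Smith St, Canberra", "items": {"kettle": 1},
     "delivery": "standard", "card_ref": "ref-0001", "email": "pat@customer.example"},
    {"ship_country": "ZZ", "ship_address": "PO Box 99", "items": {"camera": 4},
     "delivery": "rush", "card_ref": "ref-0002", "email": "buyer@freemail.example"},
    {"ship_country": "AU", "ship_address": "3 High St, Perth", "items": {"phone": 1},
     "delivery": "standard", "card_ref": "ref-0003", "email": "sam@customer.example"},
]

if __name__ == "__main__":
    for o in ORDERS:
        print(screen(o, GOOD_CUSTOMERS, BAD_CARDS))
```

The screen only decides which orders a person looks at; it supplements electronic authorisation and does not replace it.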
The use of fraud prevention strategies by businesses (prior research)
Although there are clearly numerous methods recommended to Australian traders to prevent online credit card fraud, it is important to know the degree to which they are employed in day-to-day processing. This would help to establish whether additional strategies need to be developed or existing ones implemented. Further, it is important to know why businesses do not use particular strategies. This latter point is yet to be investigated.
The Cybersource survey from the United States (2003) found that 65 per cent of online traders manually screened orders, with each retailer reviewing an average 23 per cent of orders placed on their web site. The study reported that the manual review techniques employed (in order of common use) were:
- phoning the customer (78%);
- checking customer records (64%);
- emailing the customer (61%);
- phoning the bank (58%); or
- checking a 'bad customer' database (40%).
In the UK it was similarly reported that 55 per cent of the sample employed manual fraud detection systems and 15 per cent had automated systems for fraud detection (Experian 2001). To date, there have been no surveys published examining the use of these strategies in Australia, hence the importance of probing these issues in the present study.
The use of manual screening
In the current AIC online fraud survey, online traders were asked about the manual techniques they employed to prevent themselves becoming victims of credit card fraud. Specific methods were identified beforehand; often these were recommended in literature provided by financial institutions (National Australia Bank 2002b, Westpac 2000), or in other sources (Internet Scambusters 1998). Some methods were more popular among business proprietors than others (see Table 2), with the most common method used being to phone or email the customer prior to delivering the goods. While half the traders always undertook to phone or email the customer post-purchase to confirm the order, only 12 per cent consistently checked customer address details in the telephone directory.
Reasons for infrequent manual screening
Why do some online traders never or rarely manually screen orders, particularly as these fraud prevention measures are often advised by financial institutions? For three of the four preventive methods given (all except confirming details in the telephone directory), the most common reason was that they had rarely or never experienced problems with credit card fraud online and therefore felt little need to employ such strategies. This strongly implies that prevention strategies are applied after fraud has been experienced, rather than as a pre-emptive measure.
Of those who never or rarely confirmed customer details in the telephone directory, the most common reason was that the international orders which they processed made checking details difficult or impossible. This is important because international orders have been identified as being particularly at risk of involving fraudulent activity (Internet Scambusters 1998; National Australia Bank 2002b). In the Cybersource 2003 survey, for example, less than one per cent of US/Canadian domestic online orders were fraudulent compared with 3.2 per cent of orders emanating from outside the US/Canada.
Predictors of manual screening use
In addition to examining the reasons given above for businesses not employing particular methods, the predictors for whether businesses consistently use fraud prevention measures [1] can also be evaluated more systematically using logistic regression. This model evaluated the importance of both demographic and attitudinal variables and found that:
- experiencing fraud is a significant predictor of phoning/emailing the customer and rejecting suspicious orders, supporting the above implication that traders implement more stringent prevention methods following a fraud episode; and
- male retailers were less likely than females to keep a database of good and bad customers.
[1] This was measured by whether the online trader used the particular measure 'most of the time' or 'always' (0=no, 1=yes).