Social Media

Call: 877-764-4862

Reward Merchants International

Managing Risk

The Four Dimensions of Fraud Detection
A CyberSource Complimentary Article

A misperception often shared by retailers and the public alike is that e-commerce losses to fraud are growing like wildfire. In fact, fraud losses—at least as a percentage of online sales—have remained just about the same for the last three years: 1.4%. But as e-commerce sales have grown, that steady percentage of fraud has meant that dollar losses have inexorably climbed as well. Last year, retailers and other entities engaging in e-commerce in North America lost an estimated $4 billion to fraud, an 11% increase over the year before.So there is little inclination on the part of retailers to relax their e-commerce vigilance. The problem is how best to spread always-limited anti-fraud budgets over the available tools and processes. It’s a challenge for the largest merchants—it can drive smaller organizations to distraction.

“What retailers don’t always realize is that fraud prevention and detection are very complex,” says Cory Siddens, senior product manager for CyberSource Corporation. “Having fraud detection tools in place is only one piece of the puzzle. If those tools are not properly applied and interpreted or too limited in their scope, they are not going to be that effective.”

According to Siddens, to effectively combat fraud, retailers need to create an automated, multi-layered fraud detection strategy that casts a broad but fine net over fraud. The desired end result? Maximize sales, minimize fraud, and reduce expensive manual review.

“When applying fraud detection tools, retailers need to think in ‘4D’—four dimensions of fraud detection: global validation, single merchant purchase history, multi-merchant purchase history, and purchase device tracing,” Siddens says. According to a study by CyberSource (10th Annual Online Fraud Report), most merchants concentrate their fraud detection efforts on one or two dimensions, which limits their ability to assess the true risk of transactions.

“Performance has less to do with the number of fraud detection tools used and more to do with the dimensions of detection to which the tools are being applied,” says Paul Brock, senior manager, managed services, for CyberSource. “The important thing is to apply detectors in a way that boxes fraudsters in so there is less chance of them being able to replicate an identity.”

The most commonly applied dimension of fraud detection is global validation, which is a first pass attempt to verify a) the customer is actually in possession of the credit card being used to make the purchase, b) the cardholder is who he or she claims to be, and c) the card itself is legitimate. These detection techniques take place in conjunction with the authorization and for the most part are transparent to the customer.

Global validation techniques include CVV, AVS, payer authentication, delivery address and phone number verification. CVV (cardholder verification value) is a three-digit code found on the back of the credit card that is used to verify the customer is in possession of the card during checkout. AVS (address verification service) matches the billing address provided by the customer to that on file at the card-issuing bank. Payer authentication requires customers to enter the password they established for their account. Delivery address verification uses unique elements of an address, such as apartment numbers, suite numbers, and post office boxes, to verify a shipping address.

“Retailers want to know if the delivery address is valid and whether the account data provided correlates to the customer before they complete the sale,” Siddens says. “But this is just the starting point. If this is all retailers do to detect fraud, they will see significant amounts of fraud slipping through. There is an entire underground industry built around stealing data to fool global validation tests, and selling that data it to fraudsters—so merchants need to go beyond these simple tests.”

The second dimension of detection is single-merchant purchase history. Here, using systems like those supplied by CyberSource, retailers monitor the purchase patterns of customers at their own web site, assessing whether the frequency or volume of purchase (product and/or dollars within a certain timeframe) is out of the ordinary. Here the retailer also checks whether the identity of the purchaser is matched to a positive list (known good customers to that retailer) or negative list (known bad identities based on their own experience with the customer).

The third dimension of detection is multi-merchant purchase history. In 1995 CyberSource began building a database that tracks purchase behavior across multiple merchants, and provides a risk assessment model retailers can use to gauge the risk of a transaction — correlating dozens of order details across merchants and over time to identify suspect patterns.

For example, the service would help retailers flag an order if a customer’s name is attached to more than one credit card used for a prior purchase, as well as different shipping or billing addresses, even if that merchant had no history with that customer. “What we are looking for are activity patterns across large groups of names, addresses or card numbers,” Brock says. “Criminals will often work several card accounts simultaneously and will mix and match customer names with credit card account numbers and shipping and billing addresses to avoid detection. This identity morphing is common, but hard for individual retailers to identify.”

“Criminals are getting smarter. Instead of hitting a single retailer in rapid fire succession, they are spreading out fraudulent purchases over a larger base to avoid detection longer,” Siddens says. “Our aim is to spot the common element across multiple transactions. It’s rare that criminals will have new customer and billing information for every fraudulent transaction they attempt.”

Still, some criminals do succeed in avoiding detection when using stolen card information. To counter, a fourth dimension of detection is required—purchase device tracing. The aim of this dimension is to trace the network and device being used to make the purchase and understand inconsistencies in that digital identity. CyberSource enables retailers to digitally trace the device the fraudster is using to access the retailer’s web site and initiate the transaction.

The technique, known as device fingerprinting, identifies traits specific to a computer or wireless Internet device.

To gather these identifiers, merchants insert code into their order page instructing the web site to capture the device-specific traits. Traits making up a device’s fingerprint are visible when the device is communicating with a web site. The tracking code does not identify any personal information about the user. By identifying a device’s fingerprint, retailers can determine when a fraudster is attempting to make multiple orders with the same device, even if he or she is using different customer names, account data, etc., for each transaction.

“Every computer or wireless Internet device has specific characteristics and there are enough that can be passively gathered to create a fingerprint,” explains Siddens. “Matching these traits to transactions provides a higher level of security against fraud.”

Once retailers thoroughly understand the effectiveness of using four dimensions of fraud detection they can apply them in combinations appropriate for the product category and market being served (fraud patterns and purchase behaviors differ by culture). Doing so not only prevents fraud, but can also reduce the risk of rejecting valid orders. As an example, if one dimension indicates a potentially fraudulent transaction, but the customer has made prior purchases without triggering a red flag, the retailer may want to apply a stronger detection method to assess the transaction at a more granular level.

“Sometimes good customers can unwittingly take actions that trigger a red flag,” Brock says. “That means detection methods have to be more sophisticated to determine the validity of a red flag. The idea is to be more precise, not take a broad-brush approach to fraud prevention or putting a high percentage of transactions under manual review.”

Most retailers lack the resources to manually review a large percentage of suspect transactions. “Relying too heavily on manual techniques for advanced fraud detection will strain a merchant’s ability to keep up with the expected increase in fraud attempts,” Siddens says.

By adding more sophisticated tools that help automate fraud detection, retailers can thoroughly review more transactions with fewer staff resources. That’s good news for retailers facing the prospect of staff restrictions.

“Manual fraud screening is time-consuming and expensive and retailers can’t scale their staffs to meet the growth in transaction volume,” Siddens says. “The more automation retailers bring to fraud screening, the more effective they will become at fraud prevention and serving their customers.”