Retailers vastly reduced fraudsters’ income streams when they implemented Chip and PIN. But criminals keep finding new scams to bolster their bank accounts. And, once again, retailers are on the receiving end.
UK payments association Apacs released figures for 2007 showing that card-not-present fraud (CNP) was up 37 per cent to £290 million on the previous year. 77 per cent – £223 million – of that total was committed over the internet. That figure was 4 per cent on 2006.
Apacs is unsurprised by the rise in CNP fraud over the internet. Director of communications Sandra Quinn says: “CNP fraud has risen ever since this type of fraud existed. Online transactions were up 350 per cent in a five-year period. Fraudsters are doing what we do – going online and shopping.”
So maybe it can be argued that CNP fraud is not such a big issue – after all, online sales are rising much faster than online fraud.
Last month, however, credit card fraud protection specialist The 3rd Man estimated CNP fraud in the UK at more than £500 million a year. It believes that the true figure is far higher than official statistics suggest – Apacs cannot measure fraud committed with non-UK issued cards – and is getting worse.
Certainly at this year’s Retail Week Conference, House of Fraser’s head of retail support Jerry Carter explained that the retailer had been warned about the problem before it launched its transactional web site last year.
He was ready for fraudsters to try out the site, to see what would get through HoF’s anti-fraud systems. However, the site’s transaction referral rate is now running at about 10 per cent and the fraud rate less than 0.5 per cent.
Paul Mackin, managing director of Everyday Financial Solutions, the financial arm of Littlewoods Shop Direct Group, says that CNP fraud is a growing problem for online retailers. He believes in proactively introducing fraud prevention initiatives, such as Verified by Visa and MasterCard SecureCode. Both organisations introduced these schemes in order to provide verification of a cardholder’s identity on the web.
Visa Europe vice-president of risk management Peter Bayley says that, because the organisation’s focus is on developing the infrastructure, this is the main area where it can make enhancements to drive payment fraud rates down.
He says that, despite the fact that Apacs’ most up-to-date figures show that CNP fraud rose substantially in 2007, he believes it has now peaked. He adds: “CNP fraud, I would argue, is now reducing. We are starting to see Verified by Visa and additional detection systems pushing CNP fraud downwards.”
Bayley admits that Verified by Visa is not foolproof. He says: “If authentication details are compromised, then a fraudulent transaction can occur.” However, he believes that it is still worthwhile for merchants to add the facility to their sites, because it gives greater liability protection.
He also claims that the fraud rates occurring on transactions using Verified by Visa have fallen since the scheme was first introduced.
He explains that early adopters of the system tended to be higher-risk merchants that were attracted by the limited liability model.
Some retailers worry that having stringent security on their sites – whether it’s Verified by Visa or overly sensitive fraud screening – could cost them more in lost sales than fraud does. Carter argues that if your fraud rate is too low, then you are probably turning legitimate customers away. They appear as false positives within the fraud prevention systems.
Bayley says that when companies formulate rules around who to transact with, care must be taken. He adds: “We are less keen on blanket declines. It is not beneficial to merchants, the banking community or Visa. But there is a point where the merchant can ask for reasonable additional data from cardholders.”
Apacs has admitted that CNP fraud on international cards is likely to increase, as other weak spots in retailers’ fraud defences are strengthened. But Bayley says that Visa doesn’t want to end up in situations where merchants are turning down all cross-border transactions. He adds that UK acquiring banks should be good at helping retailers manage such risks.
He says: “There has to be a careful balance. We are keen to ensure that Visa cards are accepted reasonably, but the merchant has the responsibility for not taking inappropriate risks.”
In the know
Retailers can sign up to shared databases, which contain details of clearly fraudulent and highly suspicious data, including listings of bad or questionable details such as e-mail addresses, delivery addresses, phone numbers, IP addresses and card numbers. Mackin adds that information sharing is crucial if this loss is to be tackled. “It’s also important for companies to use extensive reporting to monitor levels of CNP fraud and highlight new trends in fraud.”
Paul Simms, chief executive of 3rd Man Group, quantifies the benefits of data sharing. He says: “Behavioural analysis detects about 80 per cent of all attempted frauds, but retailers can be stung by exactly the same fraud committed with another retailer. By sharing their data they are protecting each other and in doing so will already have saved more than £100 million this year.”
However, he adds: “More can be done. We have a real opportunity to get on top of this problem through managed collaboration, involving retailers, consumers and the banks.”
So, what are financial services firms and the authorities actually doing to identify patterns and counter online fraud?
In March, the banking industry, in a joint operation with the police, launched a fraud intelligence unit to improve information sharing and tackle cheque and plastic card fraud. The Payment Industry and Police Joint Intelligence Unit (PIPJIU) is staffed by five banking industry fraud specialists, who work alongside 10 officers and staff from the City of London and Metropolitan Police forces.
Prior to this, each party ran its own anti-fraud unit – the banking industry’s Fraud Intelligence Bureau and the intelligence section of the Dedicated Cheque and Plastic Crime Unit (DCPCU). PIPJIU is now supporting the work being carried out by the DCPCU.
At the same time, Apacs unveiled its fraud intelligence sharing system to allow the banking industry to share information on all confirmed, attempted and suspected fraud in a central, shared database.
In addition, the Government agreed to implement the recommendations of last year’s Fraud Review. £29 million will be spent over three years and central to this is the creation of the National Fraud Strategic Authority. On the basis that fraudsters are organised and operate on a national level, the strategy to tackle the problem should be national too.
The Attorney General’s Office is also developing a model for a National Fraud Reporting Centre, to collate intelligence on both online and traditional fraud and to provide reports on the scale of the problem across England and Wales.
A centralised agency would help investigators link cases, set priorities for fraud policing and ensure relevant information is passed between the different agencies involved with tackling the problem.
The centre could be operational by the middle of next year. Before then, a six-month test project will take place to assess the information that needs collating and sharing, processes that will be used to do this and the contributing parties to be involved.
It will be up to retailers to make sure that online CNP fraud is on the agenda for these new organisations.
And despite these measures, retailers are going to have to work harder if they want to stem the rise in CNP fraud. This includes thinking about how fraudsters might alter their scams to get round fraud prevention technologies and techniques.
The banking industry has suffered already at the hands of phishers using its brands to obtain data that has allowed fraud to be committed. With many retailers allowing customers to save payment details with their account information, they could be next.
Bayley says: “We are always looking for the next trend and the next problem, but it is not always that easy to predict.” He adds that Visa works with fraud experts from its member banks in order to consider the steps it can take.
On the question of where phishers will next set their sights, Bayley adds that retailers should remain vigilant. “The internet is a hostile place. If you have a portion of the community that strengthens its defences, then the criminals are going to look elsewhere. There are various sites they might go to. If I was a merchant, I would be nervous about it.”
CNP fraud might not be rising as fast as online shopping, but it still remains a weak spot that allows fraudsters to make a career of their criminality. Retailers can secure their own systems to ensure that they do not leak payment card data, but they can’t control other sources. While this information is available, there will always be fraudsters trying to profit from it.