According to the January 2010 report from the National Fraud Authority, fraud now costs the UK an eye watering £30 billion a year. 58% of fraud is committed in the private sector with tax fraud hitting £15.2 billion, and, in the private sector, financial services companies and organisations are said to suffer yearly losses of £3.8 billion through crimes including mortgage and insurance fraud, online banking, cheque and card fraud.
According to CIFAS, the UK’s Fraud Prevention Service, nearly 60,000 proven frauds were identified in the first three months of 2010 alone. Identity threat, where fraudsters use the names and details of innocent victims to generate cash-flow, has also increased by almost 20% in the first quarter of 2010 compared to the same period in 2009.
In order to effectively combat fraud and security breaches, merchants across all sectors need a better understanding of their overall fraud and security landscape threat and exposure. Many merchants make the mistake of putting all their effort into preventing ecommerce fraud. This however is short-sighted as there are no boundaries to fraudulent activity. All channels are vulnerable.
Fraudsters can be first party, third party, ‘friendly’, opportunistic or part of an organised group of criminals - anything from an underage person trying to buy alcohol with a parental credit card to an organised gang of criminals performing a complex Denial of Service (DoS) attack designed to make a computer resource unavailable to its intended users. Fraud can also occur anywhere within a business – from externally generated activity to internal threats from one’s own staff.
Multichannel approach for a multichannel problem
The problem is vast, constant and evolving - as fast as merchants can detect fraudulent activity and shut it down, fraudsters remain one step ahead with new techniques for merchants and the payments industry to fight against across multichannel environments.
And, no matter how much an organisation works to protect or prevent security breaches, you can bet the persistent fraudster will be working diligently to find another channel to exploit. If they have been prevented from defrauding a merchant in a shop where the cardholder has to be present to make a purchase by Chip and Pin, they may then try to find gaps within a merchant’s ecommerce environment.
If that merchant has 3D Secure in place to limit ecommerce fraud, fraudsters may then see if they can exploit that merchant’s call centre channel. And, when a fraudster or gang of criminals succeeds in committing fraud in one particular channel, they will often extend their activity to other channels because it is easy for them to do so.
Certain sectors are also subject to particular types of targeted fraud and merchants should be aware of the types of fraud prevalent in their market.
In the Financial Services sector for example No Intention to Pay (NITPs) fraud is on the increase. Here fraudsters may sign up for car insurance (usually using a compromised credit card) for the first payment of the policy and then set up a direct debit to pay for the remaining 11 instalments. As soon as the insurance certificate is received the fraudster will cancel the direct debit facility. The insurance company generally writes this off as it’s deemed too expensive to follow through. Meanwhile the fraudster has the certificate if stopped by the police or needs to prove the vehicle is insured.
Charities are also well known for being used as test sites for fraudsters. As many of these charities take low value transactions, fraudsters use these sites to see if compromised cards can get through authorisation before going to other sites selling higher value goods.
Merchants that sell goods and services with an age restriction (e.g. alcohol, knives, games or betting services) are also regularly targeted by fraudsters. Underage children may try to make themselves older by changing their date of birth or use a parents credit card to buy restricted goods. Or someone may try to open up an account to access pornography using a nearest and dearest’s personal details. Without proper identity checks to catch them out, fraudsters can easily get around such restrictions.
How should merchants tackle fraud and security breaches?
The truth is that there is no silver bullet to combat fraud. A merchant can’t simply adopt 3D secure and presume they are safeguarded – fraudsters will find another way. There is also no ‘one size fits all’ solution, as every merchant is different with different fraud levels and exposure. One prevention technique will work for one and not the other.
Merchants need to look at their payment and loyalty environments as a whole, not just looking at fraud prevention in isolation.
The first step is to take measures to prevent against fraud and detect areas of vulnerability before fraudsters can attack. This can be done by implementing correct procedures (and ensuring that the business is following those procedures), training staff to recognise fraudulent activity, adhering to industry initiatives such as PCI DSS, 3D Secure and CV2, and making use of expert fraud screening and prevention suppliers.
Merchants need to make sure their infrastructure is protected against security breaches. If infrastructure and networks are not protected, hackers will penetrate systems and steal consumer and business data. By complying with best-practice guidelines such as PCI DSS, organisations can protect their infrastructure, customer confidence, loyalty and ultimately retention.
However, even if a merchant follows best practice guidelines and is PCI DSS compliant, it may still be the victim of a breach. At this stage it is important to have procedures in place to pursue. This allows merchants to rapidly respond to any external or internal breach and understand why it happened, who caused it, where and when it took place so the breach does not occur again. This can include calling in a Qualified Forensic Investigator (QFI) that uses ethical hackers and a dedicated forensics lab to identify and pursue attacks including website hacking, unauthorised access to critical systems, theft of financial or critical data, and unauthorised use of computer equipment.
While fraudsters are ever more resourceful and have been more active than ever during the peak of the recession, there is a continued effort on behalf of the industry to stay ahead of the fraud curve. As there is no one solution or approach to combat fraud, retailers, banks and security specialists must increasingly work together and pool expertise to help organisations to actively prevent fraud before it happens, protect against breaches that are likely to happen or are happening, and aggressively pursue fraudsters once a breach has taken place. In order to enhance customer confidence, interaction and reduce business risk, organisations too must step up and ensure they have the processes in place to ensure they are managing their information and transactions securely. Point solutions are available, but at the end of the day, it will be combined fraud and risk management expertise with an overall integrated approach that will keep fraudsters at bay.
PCI DSS V3 – what is new for merchants?
Fraud Prevention Checklist for the Christmas Holiday Season
The challenges of rolling out a mobile offering in the retail sector
The Future of Multichannel Payments
Blog: Cause for celebration in the retail sector
Blog: How we are Energising the Mobile High Street