Information highway robbery

Dec 01, 1998 10:30 PM

Direct marketers lose nearly $100 million a year to fraudulent transactions, according to credit card processor Paymentech. And the losses may skyrocket with the growth of electronic commerce.

For one thing, “print catalogers can exclude suspect consumers from the mailing,” says John Shirey, senior director of electronic commerce at Paymentech. “But online, controlling who visits your site isn’t possible. Anyone can visit and order online.”

What’s more, “hackers” are getting more sophisticated, even trading stolen credit card numbers and fraud secrets in online chat rooms. Many hackers can get around traditional stopgaps such as the Address Verification System (AVS), a service from credit card issuers and processors that passes the cardholder’s “bill to” address to the card-issuing bank during authorization. If the zip code entered matches the cardholder’s information on file, the company returns a valid purchase code and the charge goes through; if it doesn’t match, catalogers can stop the order. Hackers thwart AVS by getting the correct “bill to” and “ship to” addresses ahead of time. And AVS doesn’t cover European credit cards, leaving online marketers susceptible to overseas fraud.

Similar to AVS is CID verification, which requires the customer to include the four “extra” numbers printed on the back of many credit cards when placing an order. This can prevent orders from hackers who managed to obtain a cardholder’s account information but not the card itself.

But your best bet for controlling online credit fraud may be setting up your own program and controls. Online auction site Onsale was losing $40,000-$50,000 a month in fraudulent bids from stolen credit cards, until it developed a proprietary fraud detection system, says cofounder/chief technical officer Alan Fisher.

The Menlo Park, CA-based marketer’s software checks bids against a negative (or bad credit card) database compiled from the databases of credit card processors. If the card number appears in the database, Onsale automatically stops the bid.

Successful bids then pass through a fraud scoring system that verifies, among other things, the “bill to” and “ship to” addresses. The system also flags requests for overnight shipping and unusually large orders. And the processing system automatically contacts the cardholder or issuer for verification prior to fulfilling the winning bids. Fisher estimates the system has helped Onsale cut its monthly fraud losses in half. -SO

* Use all available credit card screening systems, such as Address Verification System (AVS) and CID verification.

* Establish your own fraud prevention controls. For instance, computer marketer NECX does not allow customers to forward shipments to a different address; Insight Direct reviews orders placed by customers in what it considers to be “high-risk” zip codes.

* Consider sending an e-mail to the customer to verify purchases exceeding a certain amount before shipping the goods. But don’t rely solely on e-mail to verify orders or “ship to” addresses, because a hacker using a stolen credit card number will likely use his own e-mail address for verification.
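
The layered screening described in the article and the checklist above, sketched as an added Python example (not Onsale's proprietary system or any marketer's own code): the negative database, weights, thresholds and zip list are constructed assumptions. It shows why an order that passes AVS with correctly harvested addresses can still be held for cardholder or issuer verification.

```python
from dataclasses import dataclass

# All values below are constructed for illustration, not real data.
NEGATIVE_DB = {"4111111111111111"}   # known-bad card numbers (test number)
HIGH_RISK_ZIPS = {"00000"}           # hypothetical merchant-maintained list
LARGE_ORDER = 1000.00                # assumed "unusually large" threshold
REVIEW_AT = 3                        # assumed score that triggers verification


@dataclass
class Order:
    card: str
    amount: float
    bill_zip: str
    ship_zip: str
    avs_zip_match: bool   # result of the processor's AVS check
    cid_present: bool     # customer supplied the printed CID digits
    overnight: bool       # overnight shipping requested


def screen(order):
    """Return (decision, score, reasons); decision is reject/review/accept."""
    # Hard stops: negative-database hit or AVS mismatch ends processing.
    if order.card in NEGATIVE_DB:
        return "reject", 0, ["card in negative database"]
    if not order.avs_zip_match:
        return "reject", 0, ["AVS zip mismatch"]
    # Soft signals: each adds weight; none is decisive on its own.
    checks = [
        (not order.cid_present, 2, "CID missing"),
        (order.bill_zip != order.ship_zip, 2, "ship-to differs from bill-to"),
        (order.overnight, 1, "overnight shipping"),
        (order.amount >= LARGE_ORDER, 2, "unusually large order"),
        (order.ship_zip in HIGH_RISK_ZIPS, 2, "high-risk zip"),
    ]
    reasons = [why for hit, _, why in checks if hit]
    score = sum(weight for hit, weight, _ in checks if hit)
    # "review" means: contact the cardholder or issuer before fulfilling.
    decision = "review" if score >= REVIEW_AT else "accept"
    return decision, score, reasons


if __name__ == "__main__":
    # Constructed order: AVS passes, yet the combined signals force review.
    stolen = Order("4000000000000002", 2500.0, "94025", "10001",
                   True, True, True)
    print(screen(stolen))
```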