Crime Does Pay

Sick of working yourself to the bone just to keep your demanding customers happy? Tired of worrying about budgets and margins and inventory turns? Maybe it’s time you considered a carefree life in online retail fraud.

Once the exclusive domain of Hollywood screenwriters and disgruntled teenagers, cyber crime is now a big-time illegal business. Last year, 341 retailers surveyed by MindWave Research for CyberSource Corporation estimated that they lose approximately 3% of their online sales to fraud — over $2 billion, if Forrester Research Inc. and Shop.org’s estimates of U.S. online sales of $76 billion are correct. And most security experts say that in spite of new credit card security initiatives and better anti-fraud software, cyber criminals have years of growing opportunity ahead.

You may be thinking, sure, that’s good news for the hackers, but what does that have to do with me? Why would a cyber gang need a fulfillment executive? The answer is that today’s best cyber criminals aren’t just pimply loners plotting the overthrow of the capitalist order from mom’s basement. Some of them are very sophisticated operators, according to online fraud experts. Outsourcing, third-party-logistics partnerships, lean inventory management — everything that your department does, organized cyber criminals are doing too, but for a higher return and at a lower cost.

COPS AND ROBBERS

Of course, before you start your life of crime, you may want to ask yourself whether you’d miss the thrills of your current job. The truth is, for all its aura of glamorous, high-stakes danger, cyber fraud seems to be about as risky as a mean game of bridge. The vast majority of fraud goes unreported, according to most estimates. One reason for this, says Jonathan J. Rusch, special counsel for fraud prevention in the Criminal Division of the Fraud Section in the U.S. Department of Justice in Washington, DC, is that consumers seldom face much out-of-pocket loss for credit card fraud, giving them less incentive to report the incident.

Even when a theft is reported to the police, prosecutions seem to be relatively rare. Professional-quality fraud is often hard to identify until long after the damage is done, 90 days after the fact, when the chargebacks start drifting in. Rusch says that to prosecute a case of electronic fraud, his office typically uses both physical and electronic evidence, such as ISP records and evidence from the suspect’s computer. He says they use a variety of “high-tech and low-tech information … to establish that that was actually the person at that keyboard on that date using this [stolen] information to commit fraud.” Unfortunately, say other fraud experts, thieves often log onto the Internet from some public place or route their orders through a site that disguises their Internet protocol address.

On occasion a case might be assembled, but, experts say, the long arm of the law doesn’t reach many of the places where some of the most accomplished tricksters are active, such as Malaysia, Eastern Europe, or most notoriously, Nigeria. In some countries, the local authorities don’t have the staff to pursue mere petty fraud. In other countries, online fraud isn’t even classified as a crime — and a basic principle of law requires that both countries agree that a given act is a crime in order for an extradition to take place.

But don’t buy your ticket to Kuala Lumpur just yet. As in the legitimate business world, it’s important to understand your core competencies before you join an organization. For instance, you’ll need to ask yourself, am I better suited to stealing cards or to working with cards that have already been stolen?

CARDSHARPERS

As a fulfillment expert, you may find that working with pre-stolen cards is a better fit. But where do you find card numbers? Online, of course. Although at one time, access to cards was limited to what you or your friends could filch, today, thanks to the Internet, con men have many places to get hold of everyone’s favorite numbers.

Chat rooms are one important source. In these roving virtual markets, card numbers are bought and sold for about $1 to $5 apiece, according to Daniele Micci-Barreca, director of risk management at ClearCommerce, an Austin, TX-based provider of payment processing and anti-fraud solutions.

Be careful, though: Dan Clements, president of CardCops.com, a credit card fraud-prevention service in Malibu, CA, says that these numbers may have already been used illegally. “A lot of times [defrauders will] use a card and then they’ll burn it, they’ll post it, to spread suspicion off themselves,” Clements explains. “It makes it difficult for law enforcement to track down the culprits.”

Alternatively, you might save yourself that bother and get your numbers from your very own card-number generator. “These are little software programs that are easily found on the Internet and downloadable — there are probably a dozen of them,” Micci-Barecca says. The numbers your generator spits out will need to be checked against an e-commerce site, but once you find a number that’s active — he estimates that perhaps four in 200 will be good — it’s time to start shopping.

At this point, your expertise in fulfillment is likely to be very useful indeed. Experts say that online retailers can be robbed in a variety of ways. In one rip-off, merchandise is ordered and then sent to a re-shipping agent. Some retailers have figured out this scam and screen out the addresses of re-shippers, but cyber thieves have responded by recruiting other third parties, individuals who agree to re-ship merchandise from their own homes.

Note, however, that as an operations professional, the scam you may enjoy most for its elegance in holding down inventory levels is the now-classic online auction gambit. First, put a brand-new item such as a digital camera up for bid at an impossibly low price at an auction site such as eBay. If your customer is suspicious, ask him to send no money until he gets his order. Then, buy the camera from an Internet retailer using the stolen credit card number and have it shipped directly to your customer. Voilà! “Everybody’s happy,” says Micci-Barecca, “except for the merchant, who 90 days later gets the chargeback on the order.”

LOCKED IN

Caveat sleazeball: As in legitimate business, underlying conditions are changing all the time. Clements of CardCops.com says that address verification will be available soon for some countries outside the US, which should make fraud a bit more difficult to find than it is now. “Fraud-scrubbing” software — programs that flag unusual patterns in transactions — is getting better all the time, experts say. ClearCommerce’s software, for instance, can identify suspicious patterns such as a flurry of orders from a single e-mail address or orders for overnight delivery to certain high-risk addresses, according to Micci-Barecca. The technology can also check the Internet protocol address of a customer’s computer, providing merchants a way to locate the country where the order originates — a useful tool, Micci-Barecca points out, but not an infallible one. “If the [tricksters] realize that this particular merchant is using geolocation, they’ll try to do something to make them appear as if they were connecting from the United States,” he says.

At the moment, however, the biggest threat to fraud seems to be the credit card companies’ new security programs. The new programs, such as Verified by Visa and MasterCard Secure Code, add password protection to online ordering, putting in place another barrier for hackers.

However, these programs have met with limited success among retailers so far. John Shirey, group manager of product development at Dallas-based Paymentech, a major retail payment transaction processor with offices in Salem, NH, says that some retailers are reluctant to give customers new hoops to jump through, fearful that shoppers will be annoyed or alarmed by pop-up windows asking them for their card pass codes.

To encourage more use of their security programs, the card issuers are changing the traditional terms of card-not-present transactions. Under the new programs, the merchant is no longer liable for the chargeback if the merchant requires the customer’s enrollment in the program. Visa has sweetened its terms even more, providing merchants a cut of five basis points — from 1.85% to 1.80% — in its commission if they enroll in the program, and by supplying the same chargeback protection even if the authentication attempt fails.

Why would issuing banks want to take on more risk for a lower commission? Shirey says it’s because online retail accounts for half of all chargebacks, although it amounts to only about 4% of all credit card transactions. Although merchants have been liable for those chargebacks, the process itself still costs the card issuer money, he says.

Shirey estimates that despite their advantages, security programs are probably several years away from full acceptance, as merchants, customers, banks, and payment processors get used to the technology. Others are less optimistic that the programs will ever be fully accepted. “Consumers actually have fewer rights under a program like Verified by Visa,” says CardCops’ Clements. “Currently, if they make an online purchase, they can just dispute it and it gets taken off their bill. With Verified By Visa, they have to register their cards with the issuing bank and that pretty much locks them into the purchase and they’re liable. Now should there be a [card] compromise with a program like Verified by Visa, which is similar to a PIN system, the consumer is 100% liable. So you can see that there are some conflicts of interest, to say the least.”

STILL A STEAL

Even if cards do become more secure, don’t despair about your success in the criminal world. Most security experts still foresee tremendous opportunities for data theft. They say that while online retailers concentrate all sorts of efforts on securing the front end of the order system, they often leave their back doors relatively exposed. Kenneth R. van Wyk, an Alexandria, VA-based information security consultant, cites the “woefully inadequate” security in most e-commerce applications.

“In the testing that we’ve done of hundreds of e-commerce applications, I’ve not found one that didn’t have a significant vulnerability,” van Wyk says. “Sometimes those vulnerabilities would have taken weeks or months to exploit, but … we’ve always found the vulnerabilities when we’ve looked at the applications, 100% of the time.”

Those weaknesses, combined with a low risk of getting caught, add up to a Unique Stealing Proposition that hasn’t gone unnoticed in the virtual underground. Shirey says it’s not surprising that there seem to be more and more attempts to hack sites. “If you’re a bad guy and you can hack into a system, steal a few million cards and then sell them, that’s a lot more lucrative than trying to rip off Amazon.com for a digital camera that you’re going to sell on eBay,” he says.

Then again, you may want to stay where you are. A powerful and irresistible force may soon fill cyberspace that will frighten retailers into securing their sites more carefully than ever before: fear of liability.

A new privacy law in California that went into effect July 1 requires online retailers and any other organization that collects the personal data of Californians to inform their customers in the event their data is stolen.

“The California law is really changing things,” says Marc J. Zwillinger, an attorney with a specialty in information security at Sonnenschein Nath & Rosenthal in Washington, DC. “If you make the wrong decision and you don’t tell every customer and you should have, you could be sued.”

Bennett Voyles is a NYC-based business writer. He can be reached at [email protected].