Fraud of the pings

New technologies designed to combat Internet fraud may help give online shopping a much-needed boost. Angus Kidman dives into the waters with the Net shark catchers.

Published in APC, March 2001

After several years of careful education, consumers are finally beginning to realise that shopping on the Net is generally just as safe as shopping through conventional retail channels. However, this doesn't mean the battle to create secure online trading systems is over.

As etailers attract more customers, they face an increased risk of fraudulent transactions. These can range from simple, one-off problems such as stolen credit cards, to more complex and systematic attacks involving bogus orders using fake credit card numbers, or systems that try to bypass payment mechanisms when ordering goods. Sometimes these problems can be the result of human error -- at one point early in its career, the Web site of music chain Sanity allowed orders to be placed without payment -- but increasingly, they are also the result of deliberate attempts to defraud.

Perhaps the most widely publicised problems occur when data on individual consumers is accessed in bulk by hackers. Australia's first well-known cyber-crime occurred in 1995, when hacker 'Optik Surfer' accessed credit card details stored by ISP AUSNet. Optus suffered a similar attack last year. US electronics retailer Egghead also had its credit card database accessed by an unauthorised source last year. Credit card numbers obtained in these attacks can be used for fraudulent transactions. However, the hacks appear to have been committed for technological glory rather than as a deliberate attempt to steal credit card information.

Local data on the issue is scarce, but overseas surveys suggest that the problem is increasing for etailers. A Gartner Group study of 160 companies conducted in July last year found that online retailers were 12 times more likely to experience fraudulent transactions than conventional retailers. Gartner found that these transactions are more costly to Internet retailers, who are usually liable for the cost of dud deals and are generally charged higher fees for credit card transactions than physical retailers.

However, having created the problem, technology is also helping to provide the solution. Just as consumer security concerns were largely overcome through the use of improved encryption technologies, fraud concerns for retailers can be addressed with fraud-reduction systems. Anti-fraud technologies are becoming a standard part of online selling, helping to eliminate fraud before it becomes systemic.

Implementation of anti-fraud systems could make a dramatic difference to the cost of selling online. A study released in January 2001 by financial research firm Meridien Research highlights the possibilities. Meridien estimates that Internet payment fraud will grow from $US1.6 billion worldwide in 2000 to $US15.5 billion by 2005. That figure could be cut to just $US5.7 billion with the use of anti-fraud technologies. A $US5.7 billion loss is by no means small, but it's not much compared with the $US45 billion spent online in 2000, let alone the $US310 billion Meridien is forecasting will be spent with credit cards by 2005.

"Card fraud on the Web is declining because these solutions work well, and also because merchants have gotten smarter," Meridien analyst Jeanne Capachin said. "With wider adoption, we could eventually see online fraud rates consistent with those of telephone-initiated transactions." Speeding that process is an increasing level of merchant concern. Capachin estimated that only 30% of retailers are using full anti-fraud systems, but 61% of merchants surveyed by CyberSource in mid-2000 indicated their intention of improving their anti-fraud measures in some way.

Despite a widespread perception that the US leads the world in implementing most ecommerce-related systems, other data collected by CyberSource suggests that Europe may be taking the lead. In a similar survey conducted in the UK, almost half the respondents said they were using an automated fraud prevention solution and many of the others perform manual checks.

How does it work?

Along with standard checks such as verifying credit card numbers, anti-fraud software looks for atypical behaviour in the buying patterns of consumers. For instance, if a customer who routinely has items of a certain kind sent to a particular address suddenly changes that address, this is noted. Other address discrepancies such as different billing and shipping addresses are also noted, but experts warn that this is not always a reliable indicator. What if your credit card statements go to a post office box, but your deliveries to a street address? Other rule-based detection options include flagging transactions when an unusually high volume of an item is ordered.
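The rule-based checks described above can be sketched as a small scoring function. This is an added example, not code from the article or from any vendor's product. The weights, the volume limit, the review threshold and all names are assumptions chosen for illustration, and the card-number check shown is the standard Luhn check digit.

```python
from dataclasses import dataclass

def luhn_valid(number: str) -> bool:
    """Check-digit (Luhn) test: is the card number well formed?"""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

@dataclass
class Order:
    customer: str
    card: str
    billing: str
    shipping: str
    qty: int

MAX_QTY = 5      # assumed per-item volume limit
REVIEW_AT = 40   # assumed score at which an order goes to manual review

def screen(order: Order, history: dict) -> tuple:
    """Score one order against the rules; return (score, reasons)."""
    hits = []
    if not luhn_valid(order.card):
        hits.append((100, "card number fails check digit"))
    known = history.get(order.customer)
    if known and order.shipping not in known:
        hits.append((30, "shipping address not seen for this customer"))
    if order.billing != order.shipping:
        # Weak signal only: PO-box billing with street delivery is normal.
        hits.append((10, "billing and shipping addresses differ"))
    if order.qty > MAX_QTY:
        hits.append((30, "unusually high volume of one item"))
    return sum(w for w, _ in hits), [r for _, r in hits]

def needs_review(order: Order, history: dict) -> bool:
    return screen(order, history)[0] >= REVIEW_AT

# Constructed sample data (4111... is a dummy test number, not a real card).
HISTORY = {"alice": {"12 Smith St"}}
ORDERS = [
    Order("alice", "4111111111111111", "PO Box 9", "12 Smith St", 1),
    Order("alice", "4111111111111111", "PO Box 9", "77 Other Rd", 12),
    Order("bob", "4111111111111112", "3 High St", "3 High St", 1),
]
```

The first order scores only 10 and passes, because a post office box for billing is treated as a weak signal on its own; the second combines an unfamiliar address with high volume and is sent for review.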

Staying safe

The Worldwide E-Commerce Fraud Protection Network recommends the following for the bare minimum of security for all online retailers.

  • Ensure that all credit card information held by a site is encrypted and/or password protected.
  • Make sure data transmission is secure and limited to authorised users.
  • Keep all security software up to date and ensure firewalls are properly configured.
  • Contact law enforcement agencies in any situation where crime is suspected.

The Network also recommends the following specific strategies to help combat credit card fraud.

  • Obtain real-time authorisation from a credit card company.
  • Employ address verification systems.
  • Use credit card verification codes.
  • Use rule-based detection.
  • Purchase predictive statistical models.

A more sophisticated variation on the same approach creates statistical models of buying behaviour which can then be matched against incoming transactions. New businesses need to rely on data from other companies, but businesses that have been established longer can apply the analysis to their existing transaction data. Many software packages also work in real time, adjusting their models with data accessed from live customer sites and protecting those sites at the same time.

    Many etailing sites already use rudimentary techniques such as email confirmation. For instance, if you ask to change the primary email address associated with an account, you may be asked to enter an access code that is sent to your previous mail account. This prevents third parties making changes to account details without your knowledge, but it causes problems if you lose access to the previous account (for example, if you change jobs).

    Some sites also use the anti-fraud mechanisms that are built into the credit card system. For instance, as well as asking for card numbers, sites can ask for the security codes that are printed on the back of many credit cards (usually a three-digit code following the normal 16-digit number). These are not generally printed on transaction slips, and make it harder for the credit card number to be used casually in a fraudulent transaction. However, it's less convenient for the shopper, and if shoppers elect to store credit card details for future use, the protective mechanism is eliminated. Some credit card companies have taken a more radical approach. For instance, American Express offers 'one time' credit card numbers for online use. These are cancelled after a single transaction.

    What else can be done?

    Of course, anti-fraud technologies alone will never solve all etailing woes. Many online stores complained that sales over Christmas 2000 were flat because the media has been portraying Internet retail as declining. With such pessimistic views in circulation, many consumers assumed that ordering online would be a waste of time.

    A study by anti-fraud technology developer CyberSource has already found that putting in place anti-fraud mechanisms can actually scare off consumers, especially if they're already uncertain about the level of security available online. "Even though Internet fraud can significantly impact online revenues for a business selling online, it was interesting to learn that the respondents' greatest concern about implementing a fraud screen solution was jeopardising customer goodwill," CyberSource marketing vice-president William Donahoo said.

    These fears might be exaggerated. "Consumers continue to flock to the Net without regard for the pain faced by online retailers," Forrester Research analyst Christopher Kelley said. He claimed that "98% of Web buyers say they will continue to shop online and 65% won't alter their spending at all."

    One issue still unresolved is what to do when fraudulent transactions are uncovered, especially if the transaction originated overseas. Etailers can usually cancel fraudulent deals, but tracing and prosecuting the miscreants can prove more difficult.

    Many observers believe that Internet crime is hard to police and impossible to punish, and fraud is no exception. "The safeguards are few at this early stage of trying to track crime on the Internet, and many crimes will go unpunished during the next three years," Gartner vice-president Richard Hunter said. "Today's Internet criminals don't have to rob banks -- using technology, they can just as easily rob tens of thousands of individuals, with less chance of being caught." In a few cases, the fraud originates with online businesses. A common complaint among users of adult sites is that after they sign up, additional unauthorised charges appear on their statements. The instigators assume that people will be too embarrassed to complain to their bank about unauthorised charges from porn peddlers.

    Etailers are continuing to launch educational initiatives aimed at cutting fraud and combatting the perception that it is rampant online. The Worldwide E-Commerce Fraud Protection Network is a trade association founded by American Express that includes a number of high-profile etailers, such as, and The group runs a Web site,, designed to provide a clearing house for anti-fraud resources and information. "Combating online fraud represents a huge challenge, as merchants can be vulnerable to a wide range of criminal tactics, even if their own Web sites are secure," co-chairperson Jennifer Bennet said. "The Network seeks to identify these vulnerabilities and provide smart solutions for fighting back."