A large part of all e-commerce fraud can be tracked back to orders where the fraudster provides a BILL-TO address that differs from the SHIP-TO address. Think about it - if I have a stolen card, and know the billing address, I can take that card, change the SHIP-TO address, and have the product delivered. At the e-commerce show this week, we were hearing about how one of the newest fraud schemes was to provide the same BILL-TO and SHIP-TO address on the order. As soon as the order zips through the order approval process, the fraudster then gets the UPS or FedEx tracking number and "re-routes" the transaction to an alternate address.
However - I am going to go out on a limb and predict the next new fraud scheme that is not being protected. If you think about the situation above, there is another way in which the fraudster can receive the fraudulent goods without re-routing the order. Instead of rerouting the order, once they receive the stolen card, they call the card issuer and change the address on the account. Once accomplished, the BILL-TO address is now the alternate address, and the fraudster is free to enter the same BILL-TO and SHIP-TO. Suddenly, the order flies right through as there is a match.
Once discovered, the bank ends up writing this off as Account Takeover. Once UPS and FedEx begin to shut down the re-routing of fraudulent orders, we are predicting that Account Takeover fraud will suddenly see a big increase.
One more piece of evidence suggesting that sharing the bank activity with the merchant activity is the only way we can protect the entire channel.
A.E>>>
In this blog, Adam Elliott, President of ID Insight, discusses various business issues in the fraud detection marketplace as well as provides some personal diatribes on business today.
Saturday, March 8, 2008
The Bank Merchant Connection
We were out at the Merchant Risk Council show this past week, where we were launching our new e-commerce solution to detect fraud amongst BILL-TO / SHIP-TO address discrepancies. A couple of things came to light that began to shed some new light on how the fraudsters are committing fraud. I was speaking to one large electronics merchant. They mentioned that they just got done researching a possible fraud case, where the orders were typical of fraud. They saw over 100 orders, all for the same product ($200), all in a very short amount of time. The total amount of these purchases was $20,000. When the fraud investigator got ahold of it, they immediately called the card issuer. The card issuer went on to explain that the customer was in good standing, and nothing amiss. After thinking about it, it became apparent that this probably was fraud. However - it is my guess that the consumer hiding behind those orders had either committed Identity Theft to open that "good" account, or had created a fictitious identity.
The only way we could have detected this would be for us to understand the dynamics about how that account was opened. How long had the account been opened? Was the account opened with an address discrepancy, etc.? If there was an address discrepancy, did that address change make sense? Knowing this would allow us to make a much better decision on whether those purchases were legit.
There has always been a void in information being passed from that of the bank or issuer to that of the merchant. Having this information provided would allow the merchant (and bank) to make a much more informed / efficient decision. In doing so, suddenly the online channel becomes more secure.
A.E>>>
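The checks discussed in these two posts (same-product order velocity, account age, and a recent change to the billing address on file) can be written as review rules that join merchant order data with issuer account data. This is an added example, not code from the blog or from ID Insight; the field names, thresholds and sample orders are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Every field name and threshold here is a constructed assumption, not a real feed.
@dataclass
class Order:
    card_id: str
    sku: str
    amount: float
    bill_to: str
    ship_to: str
    placed_at: datetime

@dataclass
class IssuerView:  # hypothetical account facts an issuer could share
    opened_at: datetime
    address_changed_at: Optional[datetime]  # last billing-address change, if any

def review_reasons(order, history, issuer, window=timedelta(hours=24),
                   max_same_sku=5, min_account_age=timedelta(days=90),
                   recent_change=timedelta(days=30)):
    """Return the reasons to send an order to manual review (empty list = none)."""
    reasons = []
    # Merchant-only signal: the classic BILL-TO / SHIP-TO discrepancy.
    if order.bill_to.strip().lower() != order.ship_to.strip().lower():
        reasons.append("bill_to_ship_to_mismatch")
    # Merchant-only signal: many earlier orders for the same product on one card.
    same = [o for o in history if o.card_id == order.card_id and o.sku == order.sku
            and timedelta(0) <= order.placed_at - o.placed_at <= window]
    if len(same) >= max_same_sku:
        reasons.append("same_sku_velocity")
    # Issuer-side signals: unavailable unless the bank shares them.
    if issuer is not None:
        if order.placed_at - issuer.opened_at < min_account_age:
            reasons.append("new_account")
        changed = issuer.address_changed_at
        if changed is not None and timedelta(0) <= order.placed_at - changed <= recent_change:
            reasons.append("recent_billing_address_change")
    return reasons

# Constructed sample data: one card, one $200 product, orders ten minutes apart.
NOW = datetime(2008, 3, 8, 12, 0)
def sample_order(minutes_ago, ship="9 Elm St"):
    return Order("card-1", "sku-200", 200.0, "9 Elm St", ship,
                 NOW - timedelta(minutes=minutes_ago))
HISTORY = [sample_order(m) for m in range(10, 110, 10)]

if __name__ == "__main__":
    print(review_reasons(sample_order(0), HISTORY, IssuerView(NOW - timedelta(days=20), None)))
```

With `issuer=None` an order whose BILL-TO and SHIP-TO match and has no history returns no reasons, which is the gap the posts describe; the same order is flagged once the issuer's address-change date is supplied.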