As the explosive growth of electronic commerce continues, the card industry is struggling to get a handle on online card fraud. What's at stake? The $45.6 billion online retail market.
As the Internet grows so, too, does online card fraud. The same features that draw consumers to the Web (convenience, worldwide access to large amounts of data, ease of use) also have turned cyberspace into what Celent Communications' analyst Ariana-Michele Moore terms "a breeding ground for fraud."
And you don't have to be an Internet shopper to become a victim. Online card fraud has spilled over into other, more traditional types of fraud such as stolen or lost cards and counterfeit cards. It also is playing an increasingly large role in identity theft, one of the fastest growing and most insidious types of card fraud.
The card industry has reason to be concerned about Internet fraud. About 3% of all credit card transactions are conducted on the Internet and 2.1% of those are fraudulent, says Naftali Bennett, chief executive of Cyota Inc., a New York-based payment security company. "Over the past decade, the credit card industry has ... pinned down offline fraud," he says. "Online fraud has yet to be solved."
Other researchers have different estimates but all agree that online fraud is high. A 2002 survey of e-merchants by Stamford, Conn.-based market-research firm Gartner Inc. found that fraudulent transactions comprise 1% of total online transactions, more than 15 times higher than fraud in the physical world.
If the card industry fails to get a handle on the problem, it could lose access to the $45.6 billion online retail market.
While the card industry and law enforcement have devoted much time and money to curbing cyberfraud (the first efforts came nearly a decade ago), a solution continues to elude them. That's due in part to the ever-changing face of online fraud. It can be anything from a stolen card number used at a pornographic Web site to a hacker breaching an online merchant's or merchant processor's database ("The Great Hack of 2003," Card Watch, page 8) to steal account numbers and other confidential consumer information.
"We're seeing a lot more of the Internet and the face-to-face world coming together," says Michael A. Keresman III, chairman and chief executive of Cardinal Commerce Corp., a Mentor, Ohio-based payments security firm.
The Internet has opened up a new source for obtaining card numbers and other consumer information (online merchant Web sites) and it also provides a new venue in which stolen card numbers can be used.
"All you need is a Web browser to gain access ... and you have at your fingertips millions of records that you can borrow, copy, duplicate or even just look at," says Tracey Vispoli, worldwide financial fidelity manager in the department of financial institutions of the Chubb Group of Insurance Companies. "That's one problem that makes identity theft one of the fastest growing crimes."
Warren, N.J.-based Chubb offers insurance to protect merchants, issuers, acquirers and others from Internet-related fraud losses.
Chubb has seen a 200% increase in demand for its cyberrisk insurance over the past 18 months, Vispoli says. "That's very indicative of these organizations understanding for the first time that real risk does exist out there," she says.
Compounding the online fraud problem is that as time goes by, hackers gain more expertise at breaking into databases. "The hacker community ... grows with every software patch and every software fix that the good guys implement," Vispoli says. "There are hackers on the back-end breaching (software) at the moment it's released."
Even hacking novices have access to how-to guides on breaking into bank databases, she says, adding that the "good guys" are "unequivocally, without a doubt" trailing the hackers.
Good Enough?
One of the reasons hackers are able to break into Web sites so easily comes down to a matter of money, Vispoli says. Organizations facing rising costs and an economic downturn need to deploy capital in a manner that brings value to shareholders. To many organizations, security may be an expensive, yet expendable line item. "The assumption they're making is that the security is good enough, let's leave it as it is," Vispoli says.
But a 5% cut in a risk-control budget could translate into a 150% increase in risk, she says.
"Security is expensive. That's a fact of life," Vispoli says. "However, a breach of security also is expensive."
Vispoli notes that a database security breach can prove disastrous to online merchants. She cites the case of CD Universe, a Web site that shut down in January 2000 after a hacker broke through its security and stole 300,000 credit card account numbers.
Database break-ins pose an even greater threat than thefts of account numbers during transmission. "In transit, (cardholder information) is pretty secure not only because it's locked down with transaction encryption but also because you have to sniff literally millions of messages and packets to find any useful information," says Aaron McPherson, research manager, payments at Framingham, Mass.-based Financial Insights, an IDC Co. "The database is a sitting target."
Crooks use many methods to break into a merchant's database. One common means of attack is to exploit weaknesses in software. Merchants could avoid such attacks by attaching a so-called patch issued by software makers to fix the weak spots.
But in many cases, Web-site administrators are reluctant to put the patch in place for fear it will disrupt the system, McPherson says. From the Web administrator's viewpoint, "that's a real disaster," he says.
In other database breaches, a criminal will trick an employee into revealing a password or will work with an accomplice inside the company, McPherson says.
The problem of database break-ins is only going to get worse "just because the information is in so many different places, it's difficult to lock them all down," McPherson says. "There's always going to be a weak link."
That's because there are few incentives for merchants to encrypt data and hire auditors to test the security of their sites, says Avivah Litan, Gartner Inc. vice president and research director. The bank card associations may have to penalize merchants that don't have tight database security in place.
But it is difficult for Visa and MasterCard to keep track of the "thousands and thousands of sites that could potentially store credit card numbers," Litan says. "They'd need armies of people or very, very intelligent software to monitor this."
'Real Tough One'
Another rapidly growing type of Internet fraud that is giving merchants "a lot of grief" is account takeover, says Julie Fergerson, vice president of emerging technologies at ClearCommerce Corp., an Austin, Texas-based provider of processing and risk-management software. In account takeover, a fraudster calls a credit card issuer and changes the cardholder's address to the fraudster's address. The crook then places an order. When the merchant checks to see if there's a valid address and phone number, "everything passes muster and they go ahead and ship the item," Fergerson says. "This is a real tough one to detect."
ClearCommerce recently discovered that transactions approved by the bank card associations' address verification system had a higher fraud rate than transactions that were declined. "In the past, the fraud rate (on approved transactions) was about 0.20% or 0.25%," Fergerson says. "In the last six months or so, the fraud rate has actually grown to 0.95%," a possible side effect of the account-takeover fraud. That finding "shocked, surprised and scared me," she adds.
To help uncover account-takeover fraud better, ClearCommerce now uses geolocation technologies combined with a risk score. Geolocation technology takes the Internet provider's address and identifies from where the person is actually placing the order.
One major obstacle to curbing cyberfraud is getting all the participants (card issuers, merchants, acquirers and consumers) to use the antifraud measures available. "There are tools out there ... It's getting people to use them that's the trick," McPherson says. He notes that Visa International's Verified by Visa authentication product was launched in December 2001 but there still are major issuers and Web merchants who have not yet signed up for the program despite heavy promotion by Visa.
Many merchants are lackadaisical about securing their databases, Cyota's Bennett says. "When someone hacks a Web site and steals two million credit card numbers, the Web site is usually not the one where those credit card numbers will now be fraudulently used," he says. "It's the second Web site that will bear the damage."
Consumers also are slow to adopt anti-fraud measures such as authentication, because most merchants aren't using the technology. "It's the basic conundrum," Moore says. "How do you get the consumers to sign onboard when the merchants won't and vice versa."
Issuers, too, had little incentive to use authentication, because without it e-merchants are liable for fraudulent transactions. "You have to say, 'well, geez, if that's the case, what incentive does the issuer have to make that online credit card transaction a bit more secure,'" Moore says.
As liability switches to issuers on authenticated transactions, fraud "becomes the card issuers' problem and they'll be much more diligent about solving it," Litan says.
Beginning this month, liability on Verified by Visa transactions will be shifted to issuers. MasterCard expected to begin the rollout of its SecureCode authentication technology, under which liability is shifted to the issuer on authenticated transactions, late last month.
Many issuers also balk at the costs of setting up the programs, about $400,000 on average, Litan says.
But implementing the authentication programs need not be expensive for merchants, says Bruce Rutherford, MasterCard's vice president of e-business and emerging technologies. "It can be as little as a few thousand dollars," to adopt MasterCard's SecureCode, he says. "Depending on the appetite for integration at the merchant site, (merchants) can choose to do it themselves or link up with a service provider."
While the authentication systems can take a bite out of online fraud, they still aren't a panacea, Moore says. "While those programs address stolen cards at the point of sale on the Internet, (they) don't necessarily stop those cards from being used at the (offline) merchant," she says.
What's more, consumers already are protected by the associations' zero-liability policies for fraudulent transactions, so cardholders may not see any added protection from using Verified By Visa and MasterCard SecureCode, Litan says.
Authentication has the potential to cut e-fraud losses significantly, but faces an uphill climb, Litan says. "It's not easy to implement a new system on the Internet overnight," she says. "You can't get cardholders using passwords all of a sudden."
However, a September 2002 Gartner survey showed that 17% of consumers had signed up or planned to sign up for Verified By Visa and 9% for SecureCode.
Nonetheless, there's likely to be continued resistance from consumers for some time, Litan says. "Consumers are fickle," she says. "They want more security but they don't want to go out of their way to get it."
Eventually, however, consumers may have no choice. "Issuers, once they start to eat the liability, will force consumers to sign up," Litan says.
The card companies have taken steps to make authentication more attractive to merchants by shifting liability to the issuer. But convincing merchants to adopt authentication may be a slow process without offering other incentives, for example, lower interchange rates on authenticated transactions, Litan says.
As it is, many merchants are skeptical that liability will shift to the issuers, Litan says. "They think the card issuers will do everything in their power not to take the liability," she says.
New Group
So distrustful are many merchants that they formed the Internet Merchant Risk Council, combining ClearCommerce's 5,800-member merchant council and the Internet Fraud Roundtable of 65 large e-merchants.
If the card industry fails to calm online merchants' fears, e-tailers may switch to alternative forms of payment, including automated clearinghouse transactions. Fraud is "substantially lower than 0.1%," says a spokesperson for NACHA-The Electronic Payments Association.
And NACHA plans to keep it that way. It is collecting data from ACH operators and financial institutions to identify companies that originate a "disproportionate percentage of unauthorized transactions," the spokesperson says.
At best, various security measures will bring online fraud down to more manageable levels, says Keresman of Cardinal Commerce. But it is a war that will never end.
"I don't know if you can ever get rid of fraud in its entirety," he says. "That may be dreaming because what you are saying is 'the crooks have stopped thinking.' I don't think that will happen."