Know Your Enemy

“KYE” KNOW YOUR ENEMY
“KYE” KNOW YOUR ENEMY

Understanding Payment Fraud Risks and
Exposures

Andrea Wilson, CEO
First Atlantic Commerce Ltd
First Atlantic Commerce Ltd

Agenda

1. The Shadow Economy – KYC or Know Your Enemy?
KYC or Know Your Enemy?
2. Current Trends in Online Fraud
3. 2008 2009 Online Fraud Statistics
4. Current Online Fraud Detection Tools
5. Payer Authentication – Who’s Protected and How?
Who’s Protected and How?
6. Our recommendations

The Shadow Internet Economy

• Online fraud continues to be a growing and costly experience for all
online merchants;
• Fraudsters are far more sophisticated and understand the card
processing systems far better than most
most merchants!
• Identity theft is the single largest threat
threat to non facetoface transaction
processing;
• Phishing, Skimming, Spoofing, Malware, Server Hacking, Credit Card
Number Generators, Counterfeiters, Black Market Card and Billing
Address Lists, Key Stroke Loggers are all prevalent methods used by
fraudsters today to obtain personal and
and financial information!
• The “Shadow Internet Economy” is a staggering $105 billion
underground business causing havoc
havoc worldwide.

Copyright First Atlantic Commerce
Ltd 2009
Ltd 2009


• Existing fraud detection methods are proving to be outdated and easily
manipulated by clever fraudsters who
who employ;
– Undetected Malware programmes,
programmes, trojoans, spyware
– CVV2 data manipulation
– Device Skimming and Card Counterfeiting
Counterfeiting
– Phishing/ID theft
– Authorisation Response Message
Message Data Manipulation
– Verified By VISA and SecureCode™
SecureCode™ Enrolment Phishing Scams
– Online banking web site phishing
phishing scams
– Nigerian money transfer emails

Ltd 2009
Ltd 2009


• PCI data standards and Merchant PCI and SDP certification helps in
ensuring hackers cannot easily get access
access to your systems to compromise
card numbers and transaction data, however, fraudsters are finding holes
in web servers and generating malware programmes to compromise
information;
• Phishers have become experts in high
highjacking web site designs
• They rely on sophisticated IRC chat room
room interfaces
• Hackers are generating (and selling) credit card numbers using software
purchased ‘for educational purposes only’ online;
• They are purchasing black market card card number lists;
• They are counterfeiting credit cards through mag stripe skimming
devices;
• CHIP and PIN is driving more fraud to to easier targets – online merchants;
• Cardnotpresent and Internet merchants
merchants are obvious and easy targets for
credit card fraud.

Ltd 2009
Ltd 2009


Maksym Schipka, Senior Architect at MessageLabs

• Malware Writer $300$3500/programme
/programme; $25$50/update
• Identity Collector (Phisher) $0.001
001 $5/identity
• Stolen “active” credit cards $0.50 to
to $5/card
• Botnet Owner (remote control network of computers) – from $200/hr to
$10million depending on network compromised
compromised
• Malware Distributor – 2.5% of credit
credit card sale amount
• CC Fraudster – 30% of goods price
• “Drop” Website Developers $200 $2000/site
• Malware Guarantor – 25% of the deal
deal

Courtesy of Combating CyberCrime Conference London 2009
Courtesy of Combating CyberCrime Conference London 2009


Maksym Schipka, Senior Architect at MessageLabs

“For as little as $250 you can buy a custom written malware and for an
extra $25 a month you can subscribe to updates that will ensure that your
malware evades detection.”

“The vast majority of malware authors (viruses, trojans, spyware) do not
distribute it themselves. In fact, they make great play of offering their
software ‘for educational purposes only’ in the hope that this offers some
immunity from prosecution.”

Ltd 2009
Ltd 2009

Ltd 2009
Ltd 2009

Heartland called U.S. Secret Service and hired two breach forensics teams
to investigate. Robert Baldwin, Heartland's President and chief financial
Robert Baldwin, Heartland's President and chief financial
officer said it wasn't until mid January that investigators uncovered the
said it wasn't until mid January that investigators uncovered the
source of the breach:

A piece of malicious software planted on the company's payment
malicious software planted on the company's payment
processing network that recorded payment card data as it was being sent
for processing to Heartland by thousands of the company's retail clients.

Heartland does not know how long the malicious software was in place,
how it got there or how many accounts may have been compromised. The
stolen data includes names, credit and debit card numbers and expiration
dates.

quot;The transactional data crossing our platform, in terms of magnitude... is
about 100 million transactions a month,quot; Baldwin said. quot;At this point,
though, we don't know the magnitude of what was grabbed.”
though, we don't know the magnitude of what was grabbed.”

Source: Washington Post.com

RBS WorldPay, formerly RBS Lynk, is the United Statesbased payment
RBS WorldPay, formerly RBS Lynk, is the United States
processing arm of The Royal Bank of Scotland Group
Royal Bank of Scotland Group. RBS announced
in December 2008 that an unauthorized party had improperly accessed
that an unauthorized party had improperly accessed
the company's computer system.

Compromised prepaid cards included 1.5 million payroll and openloop gift
Compromised prepaid cards included
cards, approximately 100 of which had experienced actual fraud,
according to an RBS statement. The bank says hackers also may have
statement. The bank says hackers also may have
accessed the Social Security numbers of approximately 1.1 million
individuals. An RBS WorldPay spokesperson says no identity theft has
WorldPay spokesperson says no identity theft has
been reported on individuals whose personal information was
compromised in the breach. Neither the RBS spokesperson nor Ross
compromised in the breach. Neither the
would confirm media estimates of the amount of fraud committed on the
would confirm media estimates of the amount of fraud committed on the
payroll cards.

Source: Cardline Global

KYE Know Your Enemy
Excerpts from Interview with a Professional Phisher

Ø Started at age 14. Now 19
Ø >20 million identities phished so far via social networking worms
Ø Works 34 days a week
Ø Uses web software programme called MyOwnChanger.com
Ø Low entry costs VPN’s, dedicated servers, proxies and network traffic is
VPN’s, dedicated servers, proxies and network traffic is
encrypted. All payments are made through eGold.
Ø Anti phishing deterrents in Explorer 7 and Firefox 2 cause slowdowns but
it makes phishers more “motivated”
Ø “Lazy web developers are the reason I’m still
Lazy web developers are the reason I’m still around phishing”

Source: http://ha.ckers.org/blog/20070508/phishingsocial
socialnetworkingsites

KYE – Know Your Enemy
Excerpts from Interview with a Professional Phisher

“Social networking sites, make me $500 to 1k through CPA deals.  5 times
out of 10 the person uses the same password for their email account.
Now depending what is inside their email inbox determines how much
more profit I make.  If an email account has one of the following
paypal/egold/rapidshare/ebay accounts even the email account itself, I
sell those to scammers ($5 /pswd).  All in all, I make 3k to 4k a day.  I
only phish 34 days a week. Depends on how much time I invest.  The
4 days a week. Depends on how much time I invest.  The
more time I invest the greater the outcome.”

Ltd 2009
Ltd 2009

The Bank of Bermuda email domain was hijacked
The Bank of Bermuda email domain was hijacked

This is a phishing email

Ltd 2009

Highjacked URL from
Jliangpartnership.co.uk

Copyright year is different

This is the Phished site
Ltd 2009

This is the real web site
Ltd 2009
Ltd 2009

KYE – Know Your Enemy
Ø The Anti Phishing Network Group is dedicated to wiping out Internet
scams and fraud;
Ø The site contains detailed global information on reports of phishing scams.
http://www.apwg.org
Ø They work along side another site called Millers Miles in the UK that tracks
online phishing email scams and web sites.
http://www.millersmiles.co.uk
Ø Millers Miles has over 1,490,599 phishing scams in their database
Ø This information is public available for all merchants to reference
Ø Much of the world’s phishing is isolated to specific geographies including
Eastern Europe, Russia, China and the USA
Ø Most targeted industries: Financial Services 52%; Payment Services
18%; Auctions 25%; Retail 1%

Ltd 2009
Ltd 2009

Current Trends in Phishing
Anti Phishing Network Group 2008
Statistics April May June

Number of unique phishing emails rec'd by
APWG from consumers 24,924 23,762 28,151
Number of unique phishing web sites
detected 20,410 20,317 18,509
Number of brands hijacked by Phishers 276 294 227
Country hosting the most phishing
websites CHINA Turkey USA
Contain some form of target name in the
URL 28.30% 23.20% 26.10%
Longest time online for Phished site 30 days 31 days 30 days

Source:www.apwg.org

Countries
Hosting
Phishing Sites
in Q2 2008 www.apwg.org
APRIL MAY JUNE
China 25.15% Turkey 25.73% USA 18.93%
USA 16.68% USA 17.16% Turkey 17.92%
Russia 8.23% Japan 11.23% Poland 13.56%
Poland 7.15% China 9.17% Greece 6.86%
Turkey 5.79% Poland 7.41% China 5.87%
Germany 3.97% Russia 3.27% Russia 4.28%
Republic of
Korea 3.12% Greece 2.11% France 2.48%
Greece 2.61% France 2.08% Republic of Korea 2.38%
France 2.32% Republic of Korea 1.60% Bulgaria 2.28%
Romania 2.21% Netherlands 1.60% UK 2.16%

Ø Phishing based trojans are ‘crimeware’ which is designed with the intent
on redirecting endusers network traffic to a location where it was not
users network traffic to a location where it was not
intended to go;
Ø This includes crimeware that changes DNSspecific information and
This includes crimeware that changes DNS
automatically redirects browsers to a fraudulent web site;
Ø The USA and China host the highest percentage of either phishingbased
The USA and China host the highest percentage of either phishing
keyloggers or trojan downloads in Q2 2008
Ø Phishing Activity Trends Report Q2 2008:

April May June
USA 38.67% 32.12% 30.98%
China 9.68% 28.67% 24.95%
Russia 8.23% 6.06% 5.74%
Republic of
Korea 3.81% 2.18% 2.17%

Current Trends in Online Fraud

Ltd 2009
Ltd 2009

22,169 Downloads

Ltd 2009

Current Trends in Online Fraud
Ø Since 2000 the percent of online revenues lost to payment fraud has been
slowly declining from 3.6% in 2000 to 1.8% in 2004 to 1.4% in 2008;
Ø th
2009 CyberSource 10 Annual Online Fraud Report estimates that $4
billion in online revenues was lost to
to online fraud (North America region) –
down from $5.5 billion in 2007.
Ø Chargebacks understate true fraud losses by as much as 50%. The
remainder occurs when merchants issue refunds in response to a
consumer’s claim of fraudulent account
account use.
Ø International transactions have a 3
3.5% higher risk factor than domestic
transactions resulting in rejection of international transactions 3.5 times
more than domestic transactions.

Source: Cybersource 2009 Online Fraud Report

Card Fraud Worldwide 2007
Total Volume
ISSUER ($billions) Fraud Losses ($billions)

VISA $5,636.26 $3.21
PIN Debit $2,347.40 $0.16
MasterCard $2,276.10 $1.50
AMEX $647.30 $0.22
Discover $118.91 $0.07
JCB $60.94 $0.04
Diners Club $30.11 $0.01

Magstripe credit/debit
other $691.00 $0.15

TOTALS $11,808.02 $5.55
Source: 2008 Nilson Report Issue 915

Online Fraud Statistics 2008
Nilson Report Nov 2008 states:

Ø Over past 10 years the card industry has succeeded in reducing
“opportunity fraud” from lost or stolen
stolen cards, and fraudulent applications;
Ø Opportunity fraud accounted for 21 .07% of total fraud losses suffered in
2007 or $1.17billion;
Ø Counterfeit cards accounted for 33.52 52% of all fraud losses or $1.86billion
in 2007. Counterfeit cards are being produced using
compromised/hacked account data stored by merchants, networks,
processors;
Ø CardNotPresent fraud amounted to 38.04% of total fraud losses or
$2.11 billion. Five years ago CNP fraud accounted for roughly 25% of
total fraud losses;
Ø Total fraud losses based on the above
above research $5.55 billion

In 2008 North America surveyed merchants said:
In 2008 North America surveyed merchants said

Ø Merchants processing > $5million/yr online are employing six or more
million/yr
fraud detection/screening tools and are utilizing more automated decision
systems;
Ø Merchants processing >$100 million/yr online are employing 7.7 fraud
detection/screening tools;
Ø Stolen card numbers are the most popular exploit of online fraudsters.
They try multiple identities, emails, zip codes and details with the same
credit card numbers until they find a combination that makes it past the
fraud and issuer authorisation systems
systems;
Ø Stolen cards are repeatedly “tested”
“tested” by processing small transactions until
the limit is reached or the account blocked. Often this testing is done
across multiple merchant sites;
Ø Without industry data sharing this cannot
cannot be properly tracked.
Source: Cybersource 2009 Online Fraud Reports

In 2008 UK/EU surveyed merchants said:
In 2008 UK/EU surveyed merchants said

Ø Efforts to tackle online fraud are being hampered by a lack of
coordination across multiple channels
channels (and cross border cooperation);
Ø Fraudsters are divided into two groups – less sophisticated
“chancers” targeting small merchants with simple techniques; and
sophisticated professionals who are testing defences of larger
merchants in pursuit of significant data or financial rewards;
Ø Lack of consumer education regarding phishing and password
protection is a significant problem; ;
Ø Only 17% of merchants believe the police are effectively tackling
cybercrime citing lack of resources and not following up on significant
“tipoffs” of addresses where they knew fraudsters were located.


• According to the recently published 2008 Identity Fraud Survey issued
by Javelin Strategy and Research 8.1 million Americans were
Research,
victimized by identity fraud – a crime
crime amounting to $45 billion;
• The total average cost of a data breach last year reached $202 per
record, a 2.5% increase since 2007 (the study was conducted by the
Ponemon Institute, a privacy and data dataprotection research group);
• Of the average $202 per record cost, $139 was attributable to lost
businesses as a result of the breach
breach;
• Breaches that originated with outsourcing companies, contractors,
consultants, and business partners accounted for 44% of the breach
total, up from 40% in 2007.
• Thirdparty breaches cost an average of $231 per record, compared
with $179 for breaches originating from within the organization that
owns the data.

• The total average cost per company surveyed was more than $6.6
million per breach, up from $6.3 million in 2007 and $4.7 million in
3
2006;
• Javelin reports seeing an increase in “Vishing” which is identity theft
over the phone. Consumers receive an email requesting them call a
given phone number instead of being
being directed to a phishing web site;
• Consumers are told about security warnings of fraudulent activity on
their accounts or plastics;
• Customers are then told to “call the bank back at this number” and
input your account numbers, card details and private information.

In 2008 UK/EU survey:
Ø Merchants surveyed were asked to rate the biggest threat to income
losses:
• Increased price competition
competition
• Competition from International
International Markets
• Online Fraud activity
• Reduced consumer demand
demand
• Data Theft
• Product Quality

Ø Merchants surveyed were asked to rate the biggest threat to technical
losses:
• Online Fraud
• Internal Systems Failure
• Software Viruses
• Competitors Technical Advancements
Advancements
• Data Hackers
Source: Cybersource 2008 Online UK Fraud Reports

Current Fraud Detection Tools

Fraud ‘detection’ tools are those used to identify the probability of risk
associated with an online transaction or to validate the identity of the
purchaser. Results from detection tools are then interpreted by humans
or rules systems to determine if the the transaction should be accepted. The
systems do not guarantee that a fraud will not occur and certainly will
never prevent a chargeback initiated by the consumer. Consumer
behaviour cannot be predicted or prevented
prevented by fraud detection tools.

“Detection Does Not Equal Prevention
Detection Does Not Equal Prevention”


So How Do You Protect Your
Business?
Business?


The most popular tools used to assess or gauge online fraud are different
for merchants processing over $25 million USD per annum in sales.  The
larger North American merchants use more riskspecific scoring models,
larger North American merchants use more risk
negative and positive lists and sophisticated data sharing tools.  They also
spend considerably greater effort on chargeback management.

Company specific fraud screening solutions, external fraud systems and
consumer behaviour models rated the highest in the large merchant
consumer behaviour models rated the highest in the large merchant
category survey.


Current Fraud Detection Tools – USA/Canada
Current Fraud Detection Tools 2006 2007 2008 >$25mm/yr
Address Verification AVS 79% 80% 78% 87%
Card Verification CVV2/CVC2 69% 74% 74% 80%
Fraud Screening (internal) 38% 39% 27% 42%

IP Geolocation (Address Point Verify) 35% 37% 35% 48%
Negative Lists (in house) 34% 36% 38% 67%
Order Velocity Monitoring 33% 35% 28% 54%
Automated Decision Scoring 32% 34% 34% 50%
Manual Review 25% 22% 22% 33%
Chargeback Management 22% 20% 20% 33%
Customer behaviour analysis 29% 20% 22%
Customer order history 47% 54%
3D Secure (VBV and SecureCode) 29% 25% 27% 39%
Positive Lists 17% 17% 32%
Device fingerprinting 6% 7%
Consumer challenge questions 5% 6% 5% 7%

In the UK and Europe the use of online fraud tools trends are different
from that of the USA. Merchants spend considerably more time manually
reviewing transactions and use CVV2, AVS and Verified By
VISA/SecureCode continue to remain the primary automated fraud
solutions.

The fastest growing antifraud tool in the past year has been 3
fraud tool in the past year has been 3D Secure™
due to June 2007 Maestro SecureCode mandate. 71% of UK/EU
merchants now claim to have implemented 3D Secure™.
merchants now claim to have implemented 3

One significant difference is with the use of IP Geolocation services in the
detection of possible fraud. 48% of North American merchants use IP
of North American merchants use IP
Geolocation, whereas only 23% of European merchants use IP
of European merchants use IP
Geolocation.

Device Fingerprinting has been identified as the top fraud tool to add in
Device Fingerprinting has been identified as the top fraud tool to add in
2009.

Source: Cybersource USA/UK 2008 Online Fraud Reports

Current Fraud Detection Tools – Comparison
Fraud Detection Tools >$25mm/yr North America 2008 UK Europe 2008

Card Verification CVV2/CVC2 80% 79%
Address Verification AVS 87% 78%
Manual Review 22% 67%
3D Secure (VBV and SecureCode) 38% 59%
3rd Party ID checks 39% 49%
Automated Decision Scoring 54% 30%
Fraud screening (industry) 18% 36%
Fraud screening internal 42% 38%
Negative lists 18% 29%
Chargeback Management 20% 37%
Industry Hot Card information 18% 21%
Customer Device Fingerprinting 7% 8%
IP Geolocation 48% 26%

Top Fraud Detection Tools – to be implemented
Top Fraud Detection Tools
Fraud Detection Tools to be
Implemented in 2009 North America UK Europe
Customer Device
Fingerprinting 47% 17%
IP Geolocation 27% 11%
Fraud services (internal) 20% 12%
Customer Order History 17% 6%
Card Verification CVV2/CVC2 16% 8%
Customer Behaviour
Screening 13% 13%
3D Secure (VBV and
SecureCode) 11% 19%
Negative lists/Shared
Services 10% 13%
Telephone Verification 10% 19%
Multi Merchant Fraud Models 9% 15%
3rd Party ID checks 9% 20%
Automated Decision Scoring 7% 18%
Chargeback Management 7% 23%
Address Verification AVS 6% 16%


Address Verification Services (AVS):
Ø Address Verification Service is a North American based service whereby
the Card Issuing bank matches the street street and Zip/Postal Code information
entered by the consumer to the information
information held on the bank’s systems;
Ø Issuers DO NOT decline authorisations based on AVS responses – they
Issuers DO NOT decline authorisations based on AVS responses
simply provide the AVS code in the auth response message;
Ø AVS is a North American service and not many international processors or
acquirers support USA AVS verification;
Ø AVS Line 2 scamming is now prevalent making this tool unreliable as a
verification tool – data is bought from card list brokers;
data is bought from card list brokers;
Ø AVS is subject to a significant rate of “false positives” because it can be
fooled into providing a partial match
match AVS score;
Ø Large merchants typically use AVS as a prescreening service prior to
fulfilling orders.

Ltd 2009
Ltd 2009

Current Fraud Detection Tools Used
Geolocation
Ø Geolocation is used to identify the geographic origin of an order based on
I.P Internet address of the customer’s browser;
Ø The data returns specific information about the IP address associated with
the originating ISP transaction request including:
ü IP address
ü Country (long and short name)
ü City
ü Region (State, Province etc)
ü Zip Code
ü Domain Name
ü ISP Name
ü Latitude + Longitude
ü Time Zone
ü Proxies

Ltd 2009
Ltd 2009

Device Based Fingerprinting
Ø Traditional Fraud Service providers are now offering more intelligent
services including PC fingerprinting;
Ø The service determines within whether an online transaction is coming
from a computer that has a history of fraud or abuse;
Ø Could be an issue with virtual devices and dynamic IP addresses/roaming
Ø New technology so not much analysis regarding fraud reduction available
yet

Customer Spending and Behaviour Analysis
Ø Reviewing consumer behaviour, spending patterns and charges provides a
lot of information about your client;
Ø Web site traffic and transactional flows are profiled to watch for and
detect suspicious shopping or surfing behaviour (ie large quantities of
electronics purchased with rapid check out);
Ø Repeat customers have typical patterns of shopping or browsing
behaviour which fall into normal parameters.
behaviour which fall into normal parameters.

Negative Files and Cross Industry Data Sharing
Ø Are based on previous cardholder processing and purchasing information
across multiple merchant and acquirer systems;
Ø Somewhere in history this cardholder has defrauded a merchant or is an
Somewhere in history this cardholder has de
habitual chargeback offender, which is why they are in the negative
database;
Ø Unfortunately a lot of consumers get placed on the negative file as a
result of someone else’s fraudulent use of their card or deliberately by
merchants competing for consumer transactions;
merchants competing for consumer transactions
Ø Negative files can be very useful if part of an overall data sharing solution.
ETHOCA is an example of a data sharing service that combines decline
data, chargebacks and suspicious transaction information at the card
number level.

Ltd 2009
Ltd 2009


Decision Matrices, Risk Scoring Software and Data Sharing
Ø Determine if a transaction should be be accepted, rejected or suspended for
review based on risk parameters set set up in the fraud system;
Ø Only as good as the data within the risk matrix database which is why
crossindustry sharing is so important
important going forward;
Ø Fraud is dynamic which means the matrices must always be updated
and refreshed with ‘current data’ trends
trends
Ø Fraudsters learn over time and vary their strategies so the systems must
be regularly “tuned”;
Ø Still requires manual review of exception
exception items
Ø They can be expensive for small merchants but worthwhile for larger
merchants who need cross industry information to reduce fraud
exposures.

Ltd 2009
Ltd 2009

‘Hits’ = Suspicious
The numbers in ( ) represent
Activity
your own data


ETHOCA Data Sharing
Ø Fraud Reduction – Leveraging ‘Advisory Codes’ such as velocity and data
Leveraging ‘Advisory Codes’ such as velocity and data
inconsistencies (e.g., multiple emails per card) can detect upwards of
30% of card related fraud
Ø Comparing merchants to their industry peers reveals that for some
merchants 10% of rejections are actually good orders
10% of rejections are actually good orders
Ø Link Analysis – Up to 15% of fraud
Up to 15% of fraud that is undetected by traditional
means can be spotted by ‘linking’ common data elements across
multiple merchants and industries
Ø So far over 40 companies/partners now share their transactional data
through ETHOCA including RBS, TigerDirect, British Airways, Emirates
through ETHOCA including RBS, TigerDirect, British Airways, Emirates
Airways, others

Source: Keegan Johnson – CEO ETHOCA

Manual Order Review
Ø Merchants claim they manually review 1 out of every 4 online
transactions;
Ø Used specifically to manage payment fraud;
Ø Must be done in conjunction with other tools like AVS, CVV2 match
checks, internal chargeback analysis etc
Ø One consequence of using multiple automated fraud tools is that more
transactions are flagged up for manual review adding additional work to
back office admin functions;
Ø This requires merchants to divert more ‘qualified’ staff to order review,
increase time to review, improve accuracy of the manual review process
(and train staff to know what to look for);
Ø Merchants report on average they only provide 46 weeks of training to
Merchants report on average they only provide 4
review orders!.

Ltd 2009
Ltd 2009

CVV2
Ø CVV2 stands for Card Verification Value;
Ø Consists of the last 3 digits printed on the VISA plastic signature panel
which is not recorded anywhere else on the card;
Ø Is known as CVC2 with MasterCard and CID with AMEX/Discover;
Ø CVV2 can assist a merchant to differentiate between consumers who have
the physical plastic in their possession at the time of the transaction and
those that don’t (but not always);
Ø However CVV2 is only as useful as the Issuer who validates the data and
declines the authorisation based on No Match
No Match responses
Ø Changes in Card Association regs in 2007 now allow merchants to
represent chargebacks for RC 83 if the Issuer does not participate in
CVV2 match checking.

Ltd 2009
Ltd 2009

CVV2
Ø Not all Issuers participate in CVV2 verification, so the presence of CVV2 in
the auth request should not be used to ‘assume’ the cardholder that’s
performing the transaction is in possession of the actual plastic
performing the transaction is in possession of the actual plastic unless
the Issuer has replied with a CVV2 Match ‘M’ response;
Ø There are more Issuers now who decline authorisations for CVV2
mismatch – this is encouraging.

Ltd 2009
Ltd 2009

The real cost of chargebacks:
Ø In 2008 merchants reported that it takes on average 1.8 hours to handle
ONE chargeback (time consumed on research, documentation and
representment);
Ø Over the past 4 years fraudcoded chargebacks (RC23/83) have been
coded
represented successfully between 43 4353%;
Ø Over 1/3 of merchants surveyed confirm
confirm they dispute 90% of their fraud
chargebacks;
Ø In 2007 large merchants reported 57% of their fraud was RC83
chargebacks. This has dropped to 48 48% in 2008;
Ø Having an efficient representment process enhances the merchant’s
chances of successfully representing
representing a fraud coded chargeback
Ø FriendlyFraud is on the rise with the
the downturn in the credit markets;
Ø Merchants MUST get diligent with managing
managing this issue or face large fines
and risk losing their merchant account
account.

Ltd 2009
Ltd 2009

The real cost of chargebacks:
Ø Given the time involved, the administration efforts, fines, penalty fees
merchants are finding it makes more economic sense to encourage
consumers to contact them directly to receive a credit/refund then to
process a chargeback;
Ø If merchants are evaluating fraud losses solely on the basis of RC83
chargebacks, the actual rate of fraud loss is likely 2x higher simply
because of the number of Refunds being processed and consumer
complaints resolved in other ways (ecash
(ecash credits etc);
Ø Implementing Verified By VISA/SecureCode also reduces fraud coded
chargebacks by ‘guaranteeing’ liability shift back to the issuer for
qualifying Reason Codes.

Source: Cybersource USA/UK 2008 Online Fraud Reports

Chargebacks Vs Refunds
100%

90%

80%
52% 52%
58% 57%
70%
76%
60%

50% Credits Issued
Chargebacks
40%

30%
48% 48%
42% 43%
20%
24%
10%

0%
Overall <$500k $500k 54% avg $25mm+
$5mm win rate

Source: Cybersource 2009 Online Fraud Report

The Payer Authentication Process
Process

Ø Issuers and Acquirers register independently and the service is not inter
dependent
Ø Issuers can have credit card BINs registered but not their cardholders;
alternatively neither can be enrolled
enrolled this drives the merchant chargeback
liability shift conditions for ‘attempted’
‘attempted’ 3D Secure requests;
Ø Merchants ONLY have chargeback liability
liability shift rights if BOTH the Acquirer
and the Merchant are registered with VBV/SecureCode – however
chargeback liability shift is not contingent on whether the Issuer or
cardholder participate in 3D Secure™
Secure™.

Ltd 2009
Ltd 2009

How Does 3D Secure™ work?
How Does 3
Process
Ø VBV is a global service so once Merchants are enrolled by participating
acquirers all VISA transactions can be authenticated with VBV for a
fraction of the cost of other fraud detection
detection services;
Ø Verified By VISA liability shift is guaranteed for ‘attempted’ transaction
authentication (global) even if the cardholder
cardholder is NOT enrolled in VBV with
their Issuer;
Ø If an enrolled VBV Merchant attempts to authenticate the cardholder
through Verified By VISA and either the cardholder and/or their Issuer
doesn’t participate, the transaction is is flagged as an ‘attempt’ (ECI=6) and
these transactions are included in the the liability shift programme for specific
chargeback reason codes (RC23, 83). .

Ltd 2009
Ltd 2009

How Does 3D Secure™ Work?
How Does 3
Process
Ø th
After June 30 , 2007, online merchants will no longer be able to process
merchants
Maestro debit transactions unless they implement MasterCard
SecureCode™;
Ø MasterCard SecureCode has implemented
implemented merchantonly liability shift in all
Regions except the USA;
Ø This means if a merchant is registered
registered with a participating acquiring bank
in EU, Asia/Pacific, SAMEA, LACR regions
regions and they attempt to authenticate
the cardholder – they have chargeback liability shift protection for
chargeback RC 37 and 63 (if the transaction
transaction is authorised);
Ø USA has not opted into this liability shift on ‘attempted’ SecureCode
transactions yet.

Ltd 2009
Ltd 2009

What are the Problems with 3D Secure?
What are the Problems with 3
3D Secure™ Issuer Blocks
Ø In specific countries Issuers are blocking 3D Secure attempted
transaction requests – those tagged
tagged with an ECI 6 value;
Ø There is compliance that clearly states Issuers can be fined for not
authorising 3D Secure attempted (ECI 6) transactions however it
doesn’t seem like the enforcement mechanisms are in place to penalize
Issuers;
Ø Mexico Issuers are blocking ECI= authorisation requests; some
ECI=6
banks in Eastern Europe also

Ltd 2009
Ltd 2009

3D Secure™ Phishing Scams
Ø Consumers are emailed with a Verified By VISA or SecureCode
enrolment request which includes actual
actual language from the VBV or S/C
web sites as well as the same fonts,
fonts, layout and logos;
Ø Consumers either click on a link or are redirected to a site that looks
exactly like their card issuer VBV enrolment
enrolment site;
Ø Ironic that the one programme designed to assist merchants and
consumers with prevention of fraud is in itself a victim of phishing
fraud

Ltd 2009
Ltd 2009

This link redirects to the phish site


Ltd 2009
Ltd 2009

VBV Enrolment Phishing Scam
VBV Phishing Scams
• This VBV enrolment phish had already
already targeted 24,011 consumers who
had innocently registered;
• 21,086 VISA BINs and card numbers
numbers were obtained as a result;
• The fraudulent site was tracked to an IP address in Uruguay;
• The scam was locked down by VISA within hours of being reported –
however you can see just how many people were victimized by the
phish;
• The data collected is extremely valuable on the black market for
and online fraud!
identify theft, counterfeit cards and

Ltd 2009
Ltd 2009

VBV Enrolment Phishing Scam
So why is 3D Secure phishing so
so “easy” to pull off?
Ø Both Verified By VISA and MasterCard
MasterCard SecureCode online web sites list
every registered Issuer in alphabetical
alphabetical order;
Ø If you select a specific Issuer, the VBV or SecureCode enrolment site
(legitimate one) displays;
Ø This can be recreated by the ‘phishing’ fraudster and within hours
thousands of cardholders are fooled into providing personal
information, card data, PINs, passwords
passwords and bank account numbers;
Ø “Activate the Verified by Visa feature It's easy and only takes a
“Activate the Verified by Visa feature
few moments to activate your card. You can do it right here on the
secure Visa site or when prompted during the checkout process at one
of our participating online merchants. Either way, your information
of our participating online merchants.
is protected.”

Ltd 2009
Ltd 2009

This is legit VBV registration site
This is legit VBV registration site

Ltd 2009

This is a phishing site

Ltd 2009

Summary – Fraud Detection versus Prevention
Fraud Detection versus Prevention

Fraud ‘detection’ tools are those used to identify the probability of risk
tools are those used to identify the probability of risk
associated with an online transaction. They do not guarantee that a
fraud will not occur and certainly will never prevent a chargeback from
fraud will not occur and certainly will never
being initiated by the consumer.

Fraud ‘prevention’ tools like CVV2 and 3
tools like CVV2 and 3D Secure do provide
guarantees against fraud coded chargebacks and are fully sponsored
by the Card Associations.

Ltd 2009
Ltd 2009

Summary – Fraud Prevention
Summary

The top fraud detection and risk mitigation services being
implemented in North America and and Europe in 2009 are 3D Secure™,
IP Geolocation (geoblocking, proxy server detection), Computer
Device Fingerprinting, Data Sharing systems and implementation of
experienced chargeback analysis and
and management personnel.

……..Detection Assists With Fraud Prevention

Ltd 2009
Ltd 2009

Summary
OUR CONCLUSIONS
Merchants must implement PCI compliant security requirements to
reduce risk to malware/trojan/spyware attacks, transaction pre
authentication solutions including AVS, CVV2, IP Geolocation and data
sharing services in addition to Verified by VISA and MasterCard
SecureCode – WHY?

Preauthentication services prescreen transactions to filter out ‘obvious’
screen
or suspicious fraudulent transactions 3D Secure provides guaranteed
transactions.
chargeback liability shift on the not
notsoobvious and seemingly legitimate
transactions.

Ltd 2009
Ltd 2009

Summary
OUR CONCLUSIONS

KNOW YOUR ENEMY – you will then know your customer! Watch for
behaviour patterns that don’t seem
seem “normal” for customers at your site

Implement a facetoface authentication
authentication system so you can “see” if your
customer is the same as the photo ID they provided. SKYPE is free –
anyone can use it. Why doesn’t the gaming industry verify new clients
by looking directly at them? It seems
seems like a great deterrent to ensuring
criminals don’t register for your sites
sites and therefore reduce your exposure
to fraudulent payment transactions
transactions.

Ltd 2009
Ltd 2009

Summary
OUR CONCLUSIONS

Preauthentication and automated screening services cannot predict
‘human behaviour’ which results in chargebacks. Habitual chargeback
offenders (the “friendly fraud” culprits)
culprits) are aware of this and will use this
excuse over and over again

3D Secure™ is there to protect online merchants from habitual
chargeback offenders by allowing fraud chargebacks to be represented
under the liability shift guarantees regardless of whether the cardholder
is enrolled or not.

Ltd 2009
Ltd 2009

Summary
Useful References
Ø Cybersource Annual Fraud Reports (USA
(USA and UK)
Ø AntiPhishing Working Group
Ø Nilson Reports
Ø Message Labs – the Online Shadow Economy reference docs
Ø Online newsfeeds – read about what’s
what’s going on elsewhere with respect to
phishing, skimming, malware attacks,
attacks, data attacks and advise your own
staff. Education and information is key to identifying dodgy consumer
behaviour or transactions
Ø Javelin Research Reports
Ø USA Federal Trade Commission – Internet
Internet Fraud and Safety info
Ø Watch the blogs and chat rooms – they
they are fascinating!

Ltd 2009
Ltd 2009

Thank You!
Andrea Wilson
CEO First Atlantic Commerce Ltd
WWW.FIRSTATLANTICCOMMERCE.COM
+(441) 294
+(441) 294 4620
4620
Email ‘awilson@fac.bm’

Ltd 2009
Ltd 2009

Know Your Enemy

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (7)

Destacado

Destacado (20)

Similar a Know Your Enemy

Similar a Know Your Enemy (20)

Último

Último (20)

Know Your Enemy