driving payment innovation - know your enemy

"KYE" - Know Your Enemy: Understanding Payment Fraud Risks and Exposures
Andrea Wilson, CEO, First Atlantic Commerce Ltd

Upload: first-atlantic-commerce

Post on 12-May-2015




TRANSCRIPT

Page 1: Driving Payment Innovation - Know Your Enemy

"KYE" - KNOW YOUR ENEMY

Understanding Payment Fraud Risks and Exposures

Andrea Wilson, CEO, First Atlantic Commerce Ltd

Page 2: Driving Payment Innovation - Know Your Enemy

Agenda

1. The Shadow Economy – KYC or Know Your Enemy?

2. Current Trends in Online Fraud

3. 2008 - 2009 Online Fraud Statistics

4. Current Online Fraud Detection Tools

5. Payer Authentication – Who’s Protected and How?

6. Our recommendations

Page 3: Driving Payment Innovation - Know Your Enemy

The Shadow Internet Economy

• Online fraud continues to be a growing and costly experience for all online merchants;

• Fraudsters are far more sophisticated and understand the card processing systems far better than most merchants!

• Identity theft is the single largest threat to non face-to-face transaction processing;

• Phishing, Skimming, Spoofing, Malware, Server Hacking, Credit Card Number Generators, Counterfeiters, Black Market Card and Billing Address Lists, Key Stroke Loggers are all prevalent methods used by fraudsters today to obtain personal and financial information!

• The “Shadow Internet Economy” is a staggering $105 billion underground business causing havoc worldwide.

Copyright First Atlantic Commerce Ltd 2009

Page 4: Driving Payment Innovation - Know Your Enemy

The Shadow Internet Economy

• Existing fraud detection methods are proving to be outdated and easily manipulated by clever fraudsters who employ:
  – Undetected malware programmes, trojans, spyware
  – CVV2 data manipulation
  – Device skimming and card counterfeiting
  – Phishing/ID theft
  – Authorisation response message data manipulation
  – Verified by VISA and SecureCode™ enrolment phishing scams
  – Online banking web site phishing scams
  – Nigerian money transfer emails


Page 5: Driving Payment Innovation - Know Your Enemy

The Shadow Internet Economy

• PCI data standards and merchant PCI and SDP certification help ensure hackers cannot easily get access to your systems to compromise card numbers and transaction data; however, fraudsters are finding holes in web servers and generating malware programmes to compromise information;

• Phishers have become experts in hijacking web site designs;
• They rely on sophisticated IRC chat room interfaces;
• Hackers are generating (and selling) credit card numbers using software purchased 'for educational purposes only' online;
• They are purchasing black market card number lists;
• They are counterfeiting credit cards through mag stripe skimming devices;
• CHIP and PIN is driving more fraud to easier targets – online merchants;
• Card-not-present and Internet merchants are obvious and easy targets for credit card fraud.


Page 6: Driving Payment Innovation - Know Your Enemy

The Shadow Internet Economy

Maksym Schipka, Senior Architect at MessageLabs

• Malware Writer – $300-$3,500/programme; $25-$50/update
• Identity Collector (Phisher) – $0.001-$5/identity
• Stolen "active" credit cards – $0.50-$5/card
• Botnet Owner (remote-control network of computers) – from $200/hr to $10 million depending on network compromised
• Malware Distributor – 2.5% of credit card sale amount
• CC Fraudster – 30% of goods price
• "Drop" Website Developers – $200-$2,000/site
• Malware Guarantor – 2-5% of the deal

Courtesy of Combating CyberCrime Conference London 2009

Page 7: Driving Payment Innovation - Know Your Enemy

The Shadow Internet Economy

Maksym Schipka, Senior Architect at MessageLabs

“For as little as $250 you can buy a custom written malware and for an extra $25 a month you can subscribe to updates that will ensure that your malware evades detection.”

“The vast majority of malware authors (viruses, trojans, spyware) do not distribute it themselves. In fact, they make great play of offering their software ‘for educational purposes only’ in the hope that this offers some immunity from prosecution.”


Page 8: Driving Payment Innovation - Know Your Enemy


Page 9: Driving Payment Innovation - Know Your Enemy

Heartland called the U.S. Secret Service and hired two breach forensics teams to investigate. Robert Baldwin, Heartland's President and Chief Financial Officer, said it wasn't until mid-January that investigators uncovered the source of the breach:

A piece of malicious software planted on the company's payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company's retail clients.

Heartland does not know how long the malicious software was in place, how it got there or how many accounts may have been compromised. The stolen data includes names, credit and debit card numbers and expiration dates.

"The transactional data crossing our platform, in terms of magnitude... is about 100 million transactions a month," Baldwin said. "At this point, though, we don't know the magnitude of what was grabbed.”

Source: Washington Post.com

Page 10: Driving Payment Innovation - Know Your Enemy

RBS WorldPay, formerly RBS Lynk, is the United States-based payment-processing arm of The Royal Bank of Scotland Group. RBS announced in December 2008 that an unauthorized party had improperly accessed the company's computer system.

Compromised prepaid cards included 1.5 million payroll and open-loop gift cards, approximately 100 of which had experienced actual fraud, according to an RBS statement. The bank says hackers also may have accessed the Social Security numbers of approximately 1.1 million individuals. An RBS WorldPay spokesperson says no identity theft has been reported on individuals whose personal information was compromised in the breach. Neither the RBS spokesperson nor Ross would confirm media estimates of the amount of fraud committed on the payroll cards.

Source: Cardline Global

Page 11: Driving Payment Innovation - Know Your Enemy

KYE - Know Your Enemy
Excerpts from Interview with a Professional Phisher

• Started at age 14. Now 19
• >20 million identities phished so far via social networking worms
• Works 3-4 days a week
• Uses web software programme called MyOwnChanger.com
• Low entry costs - VPNs, dedicated servers, proxies and network traffic is encrypted. All payments are made through eGold.
• Anti-phishing deterrents in Explorer 7 and Firefox 2 cause slowdowns but it makes phishers more "motivated"
• "Lazy web developers are the reason I'm still around phishing"

Source: http://ha.ckers.org/blog/20070508/phishing-social-networking-sites

Page 12: Driving Payment Innovation - Know Your Enemy

KYE – Know Your Enemy
Excerpts from Interview with a Professional Phisher

“Social networking sites, make me $500 to 1k through CPA deals. 5 times out of 10 the person uses the same password for their email account. Now depending what is inside their email inbox determines how much more profit I make. If an email account has one of the following paypal/egold/rapidshare/ebay accounts even the email account itself, I sell those to scammers ($5 /pswd). All in all, I make 3k to 4k a day. I only phish 3-4 days a week. Depends on how much time I invest. The more time I invest the greater the outcome.”


Page 13: Driving Payment Innovation - Know Your Enemy


This is a phishing email

The Bank of Bermuda email domain was hijacked

Page 14: Driving Payment Innovation - Know Your Enemy


Hijacked URL from Jliangpartnership.co.uk

Copyright year is different

This is the Phished site

Page 15: Driving Payment Innovation - Know Your Enemy


This is the real web site

Page 16: Driving Payment Innovation - Know Your Enemy

KYE – Know Your Enemy

• The Anti-Phishing Working Group (APWG) is dedicated to wiping out Internet scams and fraud; the site contains detailed global information on reports of phishing scams. http://www.apwg.org
• They work alongside another site, MillerSmiles in the UK, which tracks online phishing email scams and web sites. http://www.millersmiles.co.uk
• MillerSmiles has over 1,490,599 phishing scams in its database;
• This information is publicly available for all merchants to reference;
• Much of the world's phishing is isolated to specific geographies including Eastern Europe, Russia, China and the USA;
• Most targeted industries: Financial Services 52%; Payment Services 18%; Auctions 25%; Retail 1%


Page 17: Driving Payment Innovation - Know Your Enemy

Current Trends in Phishing
Anti-Phishing Working Group (APWG) 2008 Statistics

                                                            April     May       June
Unique phishing emails received by APWG from consumers      24,924    23,762    28,151
Unique phishing web sites detected                          20,410    20,317    18,509
Brands hijacked by phishers                                 276       294       227
Country hosting the most phishing websites                  China     Turkey    USA
Contain some form of target name in the URL                 28.30%    23.20%    26.10%
Longest time online for phished site                        30 days   31 days   30 days

Source:www.apwg.org
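The "contain some form of target name in the URL" measure in the table above is a check a merchant's own fraud or abuse team can run over reported URLs. The following Python is an added example, not part of the deck or of APWG's tooling: it flags a URL when a known brand name appears in the host, the path or the userinfo part while the registrable domain is not one the brand owns, which is the pattern of the Bank of Bermuda phish hosted on a hijacked jliangpartnership.co.uk site shown on the following pages. The brand list, the sample URLs (including the path on the hijacked domain), and the short two-level suffix list are constructed for illustration; a real implementation would use the Public Suffix List for the registrable-domain split.

```python
from urllib.parse import urlsplit

# Brands and the registrable domains they legitimately use.
# Constructed for illustration; a production list would be maintained per brand.
KNOWN_BRANDS = {
    "bankofbermuda": {"bankofbermuda.com"},
    "paypal": {"paypal.com"},
}

# Rough stand-in for the Public Suffix List (assumption: enough for the sample).
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}


def registrable_domain(host):
    """Return the registrable domain of a host, e.g. jliangpartnership.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def _squash(text):
    # Phishers pad brand names with separators ("pay-pal", "bank_of_bermuda");
    # dots are kept so labels are not merged into false matches.
    return text.lower().replace("-", "").replace("_", "")


def brand_in_url(url):
    """Return (brand, location) when a known brand name appears in a URL whose
    registrable domain is not one of that brand's own; otherwise None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    owner = registrable_domain(host)
    haystacks = {
        "host": _squash(host),
        "userinfo": _squash(parts.username or ""),   # http://brand.com@evil.example/
        "path": _squash(parts.path + "?" + parts.query),
    }
    for brand, own_domains in KNOWN_BRANDS.items():
        if owner in own_domains:
            continue  # the brand's own site; its name is expected here
        for location, text in haystacks.items():
            if brand in text:
                return brand, location
    return None


# Constructed sample of reported URLs (not real phishing reports).
SAMPLE_URLS = [
    "http://www.bankofbermuda.com/login",                          # legitimate
    "https://www.paypal.com/cgi-bin/webscr",                       # legitimate
    "http://www.jliangpartnership.co.uk/bankofbermuda/login.htm",  # brand in path, hijacked host
    "http://bankofbermuda.secure-login.example/",                  # brand in host
    "http://www.bankofbermuda.com@203.0.113.5/",                   # brand in userinfo, host is an IP
]


def share_with_target_name(urls):
    """Fraction of URLs carrying a target brand name outside the brand's own
    domain (the APWG 'target name in the URL' measure)."""
    flagged = [u for u in urls if brand_in_url(u) is not None]
    return len(flagged) / len(urls)


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(brand_in_url(u), u)
    print("share with target name: %.0f%%" % (100 * share_with_target_name(SAMPLE_URLS)))
```

The userinfo case matters because `urlsplit` (like a browser) takes the text after `@` as the host, so a URL that starts with the brand's real domain still lands on the attacker's address.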

Page 18: Driving Payment Innovation - Know Your Enemy

Current Trends in Phishing
Countries Hosting Phishing Sites in Q2 2008 (source: www.apwg.org)

Rank   April                          May                            June
1      China               25.15%     Turkey              25.73%     USA                 18.93%
2      USA                 16.68%     USA                 17.16%     Turkey              17.92%
3      Russia               8.23%     Japan               11.23%     Poland              13.56%
4      Poland               7.15%     China                9.17%     Greece               6.86%
5      Turkey               5.79%     Poland               7.41%     China                5.87%
6      Germany              3.97%     Russia               3.27%     Russia               4.28%
7      Republic of Korea    3.12%     Greece               2.11%     France               2.48%
8      Greece               2.61%     France               2.08%     Republic of Korea    2.38%
9      France               2.32%     Republic of Korea    1.60%     Bulgaria             2.28%
10     Romania              2.21%     Netherlands          1.60%     UK                   2.16%

Page 19: Driving Payment Innovation - Know Your Enemy

Current Trends in Phishing

• Phishing-based trojans are 'crimeware' designed with the intent of redirecting end-users' network traffic to a location where it was not intended to go;
• This includes crimeware that changes DNS-specific information and automatically redirects browsers to a fraudulent web site;
• The USA and China hosted the highest percentage of phishing-based keyloggers or trojan downloads in Q2 2008.

Phishing Activity Trends Report Q2 2008 (share of phishing-based keylogger/trojan downloads hosted):

                      April     May       June
USA                   38.67%    32.12%    30.98%
China                  9.68%    28.67%    24.95%
Russia                 8.23%     6.06%     5.74%
Republic of Korea      3.81%     2.18%     2.17%

Page 20: Driving Payment Innovation - Know Your Enemy


Page 21: Driving Payment Innovation - Know Your Enemy


Page 22: Driving Payment Innovation - Know Your Enemy

Current Trends in Online Fraud


Page 23: Driving Payment Innovation - Know Your Enemy


Page 24: Driving Payment Innovation - Know Your Enemy

Current Trends in Online Fraud


Page 25: Driving Payment Innovation - Know Your Enemy

Current Trends in Online Fraud

• Since 2000 the percentage of online revenues lost to payment fraud has been slowly declining: from 3.6% in 2000 to 1.8% in 2004 to 1.4% in 2008;
• The 2009 CyberSource 10th Annual Online Fraud Report estimates that $4 billion in online revenues was lost to online fraud (North America region) – down from $5.5 billion in 2007;
• Chargebacks understate true fraud losses by as much as 50%. The remainder occurs when merchants issue refunds in response to a consumer's claim of fraudulent account use;
• International transactions carry a 3.5% higher risk factor than domestic transactions, and merchants reject international transactions 3.5 times more often than domestic ones.

Source: Cybersource 2009 Online Fraud Report

Page 26: Driving Payment Innovation - Know Your Enemy

Card Fraud Worldwide 2007

Issuer                            Total Volume ($billions)    Fraud Losses ($billions)
VISA                                             5,636.26                        3.21
PIN Debit                                        2,347.40                        0.16
MasterCard                                       2,276.10                        1.50
AMEX                                               647.30                        0.22
Discover                                           118.91                        0.07
JCB                                                 60.94                        0.04
Diners Club                                         30.11                        0.01
Magstripe credit/debit other                       691.00                        0.15
TOTALS                                          11,808.02                        5.55

Source: 2008 Nilson Report Issue 915

Page 27: Driving Payment Innovation - Know Your Enemy

Online Fraud Statistics 2008

Nilson Report Nov 2008 states:

Over the past 10 years the card industry has succeeded in reducing "opportunity fraud" from lost or stolen cards and fraudulent applications;

Opportunity fraud accounted for 21.07% of total fraud losses suffered in 2007 or $1.17billion;

Counterfeit cards accounted for 33.52% of all fraud losses or $1.86billion in 2007. Counterfeit cards are being produced using compromised/hacked account data stored by merchants, networks, processors;

Card-Not-Present fraud amounted to 38.04% of total fraud losses or $2.11 billion. Five years ago CNP fraud accounted for roughly 25% of total fraud losses;

Total fraud losses based on the above research - $5.55 billion

Page 28: Driving Payment Innovation - Know Your Enemy

Online Fraud Statistics 2008

In 2008 North America surveyed merchants said:

Merchants processing > $5million/yr online are employing six or more fraud detection/screening tools and are utilizing more automated decision systems;

Merchants processing >$100 million/yr online are employing 7.7 fraud detection/screening tools;

Stolen card numbers are the most popular exploit of online fraudsters. They try multiple identities, emails, zip codes and details with the same credit card numbers until they find a combination that makes it past the fraud and issuer authorisation systems;

Stolen cards are repeatedly “tested” by processing small transactions until the limit is reached or the account blocked. Often this testing is done across multiple merchant sites;

Without industry data sharing this cannot be properly tracked.

Source: Cybersource 2009 Online Fraud Reports

Page 29: Driving Payment Innovation - Know Your Enemy

Online Fraud Statistics 2008

In 2008 UK/EU surveyed merchants said:

Efforts to tackle online fraud are being hampered by a lack of coordination across multiple channels (and cross border cooperation);

Fraudsters are divided into two groups – less sophisticated “chancers” targeting small merchants with simple techniques; and sophisticated professionals who are testing defences of larger merchants in pursuit of significant data or financial rewards;

Lack of consumer education regarding phishing and password protection is a significant problem;

Only 17% of merchants believe the police are effectively tackling cybercrime citing lack of resources and not following up on significant “tip-offs” of addresses where they knew fraudsters were located.

Source: Cybersource 2008 Online Fraud Reports

Page 30: Driving Payment Innovation - Know Your Enemy

Online Fraud Statistics 2008

• According to the recently published 2008 Identity Fraud Survey issued by Javelin Strategy and Research, 8.1 million Americans were victimized by identity fraud – a crime amounting to $45 billion;

• The total average cost of a data breach last year reached $202 per record, a 2.5% increase since 2007 (the study was conducted by the Ponemon Institute, a privacy and data-protection research group);

• Of the average $202 per record cost, $139 was attributable to lost businesses as a result of the breach;

• Breaches that originated with outsourcing companies, contractors, consultants, and business partners accounted for 44% of the breach total, up from 40% in 2007.

• Third-party breaches cost an average of $231 per record, compared with $179 for breaches originating from within the organization that owns the data.

Page 31: Driving Payment Innovation - Know Your Enemy

Online Fraud Statistics 2008

• The total average cost per company surveyed was more than $6.6 million per breach, up from $6.3 million in 2007 and $4.7 million in 2006;

• Javelin reports seeing an increase in “Vishing” which is identity theft over the phone. Consumers receive an email requesting them call a given phone number instead of being directed to a phishing web site;

• Consumers are told about security warnings of fraudulent activity on their accounts or plastics;

• Customers are then told to “call the bank back at this number” and input your account numbers, card details and private information.

Page 32: Driving Payment Innovation - Know Your Enemy

Online Fraud Statistics 2008

In the 2008 UK/EU survey, merchants were asked to rate the biggest threats to income losses:
• Increased price competition
• Competition from international markets
• Online fraud activity
• Reduced consumer demand
• Data theft
• Product quality

Merchants surveyed were asked to rate the biggest threats to technical losses:
• Online fraud
• Internal systems failure
• Software viruses
• Competitors' technical advancements
• Data hackers

Source: Cybersource 2008 Online UK Fraud Reports

Page 33: Driving Payment Innovation - Know Your Enemy

Current Fraud Detection Tools

Fraud ‘detection’ tools are those used to identify the probability of risk associated with an online transaction or to validate the identity of the purchaser. Results from detection tools are then interpreted by humans or rules systems to determine if the transaction should be accepted. The systems do not guarantee that a fraud will not occur and certainly will never prevent a chargeback initiated by the consumer. Consumer behaviour cannot be predicted or prevented by fraud detection tools.

“Detection Does Not Equal Prevention”

Page 34: Driving Payment Innovation - Know Your Enemy

Current Fraud Detection Tools

So How Do You Protect Your Business?

Page 35: Driving Payment Innovation - Know Your Enemy

Current Fraud Detection Tools

The most popular tools used to assess or gauge online fraud are different for merchants processing over $25 million USD per annum in sales. The larger North American merchants use more risk-specific scoring models, negative and positive lists and sophisticated data sharing tools. They also spend considerably greater effort on chargeback management.

Company specific fraud screening solutions, external fraud systems and consumer behaviour models rated the highest in the large merchant category survey.

Source: Cybersource 2009 Online Fraud Reports

Page 36: Driving Payment Innovation - Know Your Enemy

Current Fraud Detection Tools – USA/Canada

Current Fraud Detection Tools (USA/Canada)    2006    2007    2008    2008, >$25mm/yr
Address Verification (AVS)                    79%     80%     78%     87%
Card Verification (CVV2/CVC2)                 69%     74%     74%     80%
Fraud Screening (internal)                    38%     39%     27%     42%
IP Geolocation (Address Point Verify)         35%     37%     35%     48%
Negative Lists (in house)                     34%     36%     38%     67%
Order Velocity Monitoring                     33%     35%     28%     54%
Automated Decision Scoring                    32%     34%     34%     50%
Manual Review                                 25%     22%     22%     33%
Chargeback Management                         22%     20%     20%     33%
Customer behaviour analysis                   –       29%     20%     22%
Customer order history                        –       –       47%     54%
3-D Secure (VBV and SecureCode)               29%     25%     27%     39%
Positive Lists                                –       17%     17%     32%
Device fingerprinting                         –       –       6%      7%
Consumer challenge questions                  5%      6%      5%      7%

(– = not surveyed that year)

Page 37: Driving Payment Innovation - Know Your Enemy

Current Fraud Detection Tools

In the UK and Europe, online fraud tool usage trends differ from those of the USA. Merchants spend considerably more time manually reviewing transactions, and CVV2, AVS and Verified by VISA/SecureCode continue to be the primary automated fraud solutions.

The fastest growing anti-fraud tool in the past year has been 3-D Secure™, due to the June 2007 Maestro SecureCode mandate. 71% of UK/EU merchants now claim to have implemented 3-D Secure™.

One significant difference is the use of IP Geolocation services in the detection of possible fraud: 48% of North American merchants use IP Geolocation, whereas only 23% of European merchants do.

Device Fingerprinting has been identified as the top fraud tool to add in 2009.

Source: Cybersource USA/UK 2008 Online Fraud Reports

Page 38: Driving Payment Innovation - Know Your Enemy

Current Fraud Detection Tools – Comparison

Fraud Detection Tools              North America 2008 (>$25mm/yr)    UK/Europe 2008
Card Verification CVV2/CVC2        80%                               79%
Address Verification AVS           87%                               78%
Manual Review                      22%                               67%
3-D Secure (VBV and SecureCode)    38%                               59%
3rd Party ID checks                39%                               49%
Automated Decision Scoring         54%                               30%
Fraud screening (industry)         18%                               36%
Fraud screening (internal)         42%                               38%
Negative lists                     18%                               29%
Chargeback Management              20%                               37%
Industry Hot Card information      18%                               21%
Customer Device Fingerprinting     7%                                8%
IP Geolocation                     48%                               26%

Page 39: Driving Payment Innovation - Know Your Enemy

Top Fraud Detection Tools – to be implemented

Fraud Detection Tools to be Implemented in 2009    North America    UK/Europe
Customer Device Fingerprinting                     47%              17%
IP Geolocation                                     27%              11%
Fraud services (internal)                          20%              12%
Customer Order History                             17%              6%
Card Verification CVV2/CVC2                        16%              8%
Customer Behaviour Screening                       13%              13%
3-D Secure (VBV and SecureCode)                    11%              19%
Negative lists/Shared Services                     10%              13%
Telephone Verification                             10%              19%
Multi-Merchant Fraud Models                        9%               15%
3rd Party ID checks                                9%               20%
Automated Decision Scoring                         7%               18%
Chargeback Management                              7%               23%
Address Verification AVS                           6%               16%

Page 40: Driving Payment Innovation - Know Your Enemy

Current Fraud Detection Tools

Address Verification Service (AVS):
• AVS is a North American service whereby the card-issuing bank matches the street and ZIP/postal code information entered by the consumer to the information held on the bank's systems;
• Issuers DO NOT decline authorisations based on AVS responses – they simply provide the AVS code in the auth response message;
• AVS is a North American service and not many international processors or acquirers support USA AVS verification;
• AVS Line 2 scamming is now prevalent, making this tool unreliable as a verification tool – data is bought from card list brokers;
• AVS is subject to a significant rate of "false positives" because it can be fooled into providing a partial match AVS score;
• Large merchants typically use AVS as a pre-screening service prior to fulfilling orders.


Page 41: Driving Payment Innovation - Know Your Enemy

Current Fraud Detection Tools Used

Geolocation
• Geolocation is used to identify the geographic origin of an order based on the IP (Internet) address of the customer's browser;
• The data returns specific information about the IP address associated with the originating transaction request, including: IP address; country (long and short name); city; region (state, province etc.); ZIP code; domain name; ISP name; latitude and longitude; time zone; proxies.


Page 42: Driving Payment Innovation - Know Your Enemy

Current Fraud Detection Tools Used

Device-Based Fingerprinting
• Traditional fraud service providers are now offering more intelligent services including PC fingerprinting;
• The service determines whether an online transaction is coming from a computer that has a history of fraud or abuse;
• Could be an issue with virtual devices and dynamic IP addresses/roaming;
• New technology, so not much analysis regarding fraud reduction is available yet.

Customer Spending and Behaviour Analysis
• Reviewing consumer behaviour, spending patterns and charges provides a lot of information about your client;
• Web site traffic and transactional flows are profiled to watch for and detect suspicious shopping or surfing behaviour (i.e. large quantities of electronics purchased with rapid checkout);
• Repeat customers have typical patterns of shopping or browsing behaviour which fall into normal parameters.

Page 43: Driving Payment Innovation - Know Your Enemy

Current Fraud Detection Tools Used

Negative Files and Cross-Industry Data Sharing
• Are based on previous cardholder processing and purchasing information across multiple merchant and acquirer systems;
• Somewhere in history this cardholder has defrauded a merchant or is a habitual chargeback offender, which is why they are in the negative database;
• Unfortunately a lot of consumers get placed on the negative file as a result of someone else's fraudulent use of their card, or deliberately by merchants competing for consumer transactions;
• Negative files can be very useful if part of an overall data sharing solution. ETHOCA is an example of a data sharing service that combines decline data, chargebacks and suspicious transaction information at the card number level.


Page 44: Driving Payment Innovation - Know Your Enemy

Current Fraud Detection Tools Used

Decision Matrices, Risk Scoring Software and Data Sharing
• Determine if a transaction should be accepted, rejected or suspended for review based on risk parameters set up in the fraud system;
• Only as good as the data within the risk matrix database, which is why cross-industry sharing is so important going forward;
• Fraud is dynamic, which means the matrices must always be updated and refreshed with 'current data' trends;
• Fraudsters learn over time and vary their strategies, so the systems must be regularly "tuned";
• Still requires manual review of exception items;
• They can be expensive for small merchants but worthwhile for larger merchants who need cross-industry information to reduce fraud exposures.


Page 45: Driving Payment Innovation - Know Your Enemy

An Example

Page 46: Driving Payment Innovation - Know Your Enemy

The numbers in ( ) represent your own data

‘Hits’ = Suspicious Activity

Page 47: Driving Payment Innovation - Know Your Enemy

Current Fraud Detection Tools Used

ETHOCA Data Sharing
• Fraud Reduction – Leveraging 'Advisory Codes' such as velocity and data inconsistencies (e.g., multiple emails per card) can detect upwards of 30% of card-related fraud;
• Comparing merchants to their industry peers reveals that for some merchants 10% of rejections are actually good orders;
• Link Analysis – Up to 15% of fraud that is undetected by traditional means can be spotted by 'linking' common data elements across multiple merchants and industries;
• So far over 40 companies/partners now share their transactional data through ETHOCA, including RBS, TigerDirect, British Airways, Emirates Airways and others.

Source: Keegan Johnson – CEO ETHOCA
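The 'advisory codes' described on this page, and the card-testing pattern from the 2008 North America survey earlier in the deck (the same card retried with different identities, e-mails and ZIP codes, and small 'test' transactions spread across several merchant sites), are straightforward to derive once attempts are visible at card level across merchants. The following Python is an added example, not ETHOCA's or the deck's code: it computes velocity, multi-email, multi-ZIP, cross-merchant and card-testing codes from a constructed list of authorisation attempts and maps them to an accept/review/reject decision. The thresholds (3 attempts in 10 minutes, probes of $5.00 or less) and the sample data are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authorisation attempts as seen at card level across
# merchants (illustrative data, not from the deck or ETHOCA).
# Fields: timestamp, merchant, card token, e-mail, billing ZIP, amount, approved?
SAMPLE_ATTEMPTS = [
    ("2009-03-01T10:00:00", "shopA", "card1", "a@x.test", "10001",   1.00, False),
    ("2009-03-01T10:00:40", "shopA", "card1", "b@y.test", "10002",   1.00, False),
    ("2009-03-01T10:01:10", "shopB", "card1", "c@z.test", "10003",   2.00, True),
    ("2009-03-01T10:01:30", "shopB", "card1", "c@z.test", "10003", 349.00, True),
    ("2009-03-01T10:05:00", "shopA", "card2", "d@w.test", "20001",  59.99, True),
    ("2009-03-01T11:30:00", "shopA", "card2", "d@w.test", "20001",  12.50, True),
]


def group_by_card(attempts):
    """Group attempts per card token, ordered by time."""
    by_card = defaultdict(list)
    for ts, merchant, card, email, zipcode, amount, approved in attempts:
        by_card[card].append({"ts": datetime.fromisoformat(ts), "merchant": merchant,
                              "email": email, "zip": zipcode,
                              "amount": amount, "approved": approved})
    for rows in by_card.values():
        rows.sort(key=lambda r: r["ts"])
    return by_card


def advisory_codes(attempts, window=timedelta(minutes=10), min_attempts=3, probe_max=5.00):
    """Return {card: set(codes)} for cards that trigger at least one code.
    Thresholds are assumptions chosen for this example."""
    result = {}
    for card, rows in group_by_card(attempts).items():
        codes = set()
        # VELOCITY: min_attempts or more attempts inside any sliding window
        times = [r["ts"] for r in rows]
        if any(sum(1 for t in times[i:] if t - start <= window) >= min_attempts
               for i, start in enumerate(times)):
            codes.add("VELOCITY")
        # Data inconsistencies: one card, several identities or merchants
        if len({r["email"] for r in rows}) > 1:
            codes.add("MULTI_EMAIL")
        if len({r["zip"] for r in rows}) > 1:
            codes.add("MULTI_ZIP")
        if len({r["merchant"] for r in rows}) > 1:
            codes.add("CROSS_MERCHANT")
        # CARD_TESTING: repeated small probes followed by a larger approved purchase
        probes = [r for r in rows if r["amount"] <= probe_max]
        if len(probes) >= 2:
            last_probe = probes[-1]["ts"]
            if any(r["approved"] and r["amount"] > probe_max and r["ts"] > last_probe
                   for r in rows):
                codes.add("CARD_TESTING")
        if codes:
            result[card] = codes
    return result


def decide(codes):
    """Map a card's advisory codes to a decision; a rules system would tune this."""
    if "CARD_TESTING" in codes or {"VELOCITY", "MULTI_EMAIL"} <= codes:
        return "reject"
    return "review" if codes else "accept"


if __name__ == "__main__":
    for card, codes in advisory_codes(SAMPLE_ATTEMPTS).items():
        print(card, sorted(codes), decide(codes))
```

Note that card1's two $1.00 probes at shopA are declined and the $2.00 probe at shopB is approved before the $349.00 purchase: a single merchant sees at most two of these events, which is why the deck stresses that without industry data sharing the pattern cannot be tracked.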

Page 48: Driving Payment Innovation - Know Your Enemy

Current Fraud Detection Tools Used

Manual Order Review
• Merchants claim they manually review 1 out of every 4 online transactions;
• Used specifically to manage payment fraud;
• Must be done in conjunction with other tools like AVS, CVV2 match checks, internal chargeback analysis etc.;
• One consequence of using multiple automated fraud tools is that more transactions are flagged up for manual review, adding additional work to back office admin functions;
• This requires merchants to divert more 'qualified' staff to order review, increase time to review, improve accuracy of the manual review process (and train staff to know what to look for);
• Merchants report on average they only provide 4-6 weeks of training to review orders!


Page 49: Driving Payment Innovation - Know Your Enemy

Current Fraud Detection Tools Used
CVV2
• CVV2 stands for Card Verification Value 2;
• Consists of the last 3 digits printed on the VISA plastic signature panel, which are not recorded anywhere else on the card;
• Is known as CVC2 with MasterCard and CID with AMEX/Discover;
• CVV2 can assist a merchant to differentiate between consumers who have the physical plastic in their possession at the time of the transaction and those that don't (but not always);
• However CVV2 is only as useful as the Issuer who validates the data and declines the authorisation based on No Match responses;
• Changes in Card Association regs in 2007 now allow merchants to represent chargebacks for RC 83 if the Issuer does not participate in CVV2 match checking.


Page 50: Driving Payment Innovation - Know Your Enemy

Current Fraud Detection Tools Used
CVV2
• Not all Issuers participate in CVV2 verification, so the presence of CVV2 in the auth request should not be used to 'assume' the cardholder performing the transaction is in possession of the actual plastic – unless the Issuer has replied with a CVV2 Match 'M' response;
• There are more Issuers now who decline authorisations for CVV2 mismatch – this is encouraging.


Page 51: Driving Payment Innovation - Know Your Enemy

Current Fraud Detection Tools
The real cost of chargebacks:
• In 2008 merchants reported that it takes on average 1.8 hours to handle ONE chargeback (time consumed on research, documentation and representment);
• Over the past 4 years fraud-coded chargebacks (RC 23/83) have been represented successfully 43-53% of the time;
• Over 1/3 of merchants surveyed confirm they dispute 90% of their fraud chargebacks;
• In 2007 large merchants reported 57% of their fraud was RC 83 chargebacks. This has dropped to 48% in 2008;
• Having an efficient representment process enhances the merchant's chances of successfully representing a fraud-coded chargeback;
• Friendly fraud is on the rise with the downturn in the credit markets;
• Merchants MUST get diligent with managing this issue or face large fines and risk losing their merchant account.


Page 52: Driving Payment Innovation - Know Your Enemy

Current Fraud Detection Tools
The real cost of chargebacks:
• Given the time involved, the administration efforts, fines and penalty fees, merchants are finding it makes more economic sense to encourage consumers to contact them directly to receive a credit/refund than to process a chargeback;
• If merchants are evaluating fraud losses solely on the basis of RC 83 chargebacks, the actual rate of fraud loss is likely 2x higher simply because of the number of refunds being processed and consumer complaints resolved in other ways (ecash credits etc.);
• Implementing Verified by VISA/SecureCode also reduces fraud-coded chargebacks by 'guaranteeing' liability shift back to the issuer for qualifying reason codes.

Source: Cybersource USA/UK 2008 Online Fraud Reports

Page 53: Driving Payment Innovation - Know Your Enemy

Chargebacks Vs Refunds

[Chart: share of fraud losses handled as Credits Issued vs Chargebacks, by merchant size (Overall, <$500k, $500k-$5mm, $25mm+); annotation: 54% avg win rate. Bar values as extracted, in order: 42%/58%, 24%/76%, 43%/57%, 48%/52%, 48%/52%; which value of each pair is credits and which is chargebacks, and the pairing to merchant size, is not recoverable from the extraction.]

Source: Cybersource 2009 Online Fraud Report

Page 54: Driving Payment Innovation - Know Your Enemy

Current Fraud Detection Tools Used

The Payer Authentication Process

Issuers and Acquirers register independently and the service is not inter-dependent

Issuers can have credit card BINs registered but not their cardholders; alternatively neither can be enrolled - this drives the merchant chargeback liability shift conditions for ‘attempted’ 3-D Secure requests;

Merchants ONLY have chargeback liability shift rights if BOTH the Acquirer and the Merchant are registered with VBV/SecureCode – however chargeback liability shift is not contingent on whether the Issuer or cardholder participate in 3-D Secure™.


Page 55: Driving Payment Innovation - Know Your Enemy

How Does 3-D Secure™ work?

The Payer Authentication Process

VBV is a global service, so once Merchants are enrolled by participating acquirers all VISA transactions can be authenticated with VBV for a fraction of the cost of other fraud detection services;

Verified By VISA liability shift is guaranteed for 'attempted' transaction authentication (globally) even if the cardholder is NOT enrolled in VBV with their Issuer;

If an enrolled VBV Merchant attempts to authenticate the cardholder through Verified By VISA and either the cardholder and/or their Issuer doesn't participate, the transaction is flagged as an 'attempt' (ECI=6) and these transactions are included in the liability shift programme for specific chargeback reason codes (RC23, 83).


Page 56: Driving Payment Innovation - Know Your Enemy

How Does 3-D Secure™ Work?

The Payer Authentication Process

Since June 30th, 2007, online merchants have no longer been able to process Maestro debit transactions unless they implement MasterCard SecureCode™;

MasterCard SecureCode has implemented merchant-only liability shift in all Regions except the USA;

This means that if a merchant is registered with a participating acquiring bank in the EU, Asia/Pacific, SAMEA or LACR regions and they attempt to authenticate the cardholder, they have chargeback liability shift protection for chargeback RC 37 and 63 (if the transaction is authorised);

The USA has not yet opted into this liability shift on 'attempted' SecureCode transactions.
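The enrolment and ECI rules on these three slides (pages 54 to 56), as an added worked example rather than code from the presentation or from First Atlantic Commerce: the function below takes the outcome of a 3-D Secure 1.x check and reports the ECI value to send with the authorisation and whether the merchant should expect liability shift for the reason codes the slides list. The ECI numbering (Visa 5/6/7, MasterCard 2/1/0), the `ThreeDSOutcome` field names and the region strings are this editor's assumptions, not something the deck specifies.

```python
"""Decide whether a 3-D Secure 1.x authentication outcome gives the merchant
chargeback liability shift, applying the rules stated on the preceding slides.

Assumptions not taken from the slides: ECI values follow the 3-D Secure 1.x
convention (Visa 5/6/7 and MasterCard 2/1/0 for authenticated/attempted/none),
and acquirer regions are plain strings with "US" meaning a US acquirer.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# scheme -> (authenticated, attempted, not authenticated) ECI values
ECI = {"visa": ("5", "6", "7"), "mastercard": ("2", "1", "0")}
# fraud reason codes the slides list as covered by the liability shift
COVERED_RC = {"visa": ("RC23", "RC83"), "mastercard": ("RC37", "RC63")}


@dataclass
class ThreeDSOutcome:
    scheme: str                  # "visa" or "mastercard"
    merchant_enrolled: bool      # merchant registered for VBV/SecureCode
    acquirer_enrolled: bool      # acquirer registered for VBV/SecureCode
    acquirer_region: str         # e.g. "EU", "AP", "SAMEA", "LACR", "US"
    issuer_enrolled: bool        # issuer BIN range participates
    cardholder_enrolled: bool    # this card is activated with the issuer ACS
    pares_status: Optional[str]  # "Y", "A", "N", "U", or None if no PARes
    authorised: bool             # the authorisation request was approved


@dataclass
class Decision:
    eci: str
    status: str                  # authenticated / attempted / not_authenticated / unavailable / not_enrolled
    liability_shift: bool
    covered_reason_codes: Tuple[str, ...]
    reason: str


def classify(o: ThreeDSOutcome) -> Tuple[str, str]:
    """Map the enrolment check and the PARes result to an ECI value and a status."""
    full, attempt, none = ECI[o.scheme]
    if not (o.issuer_enrolled and o.cardholder_enrolled):
        # issuer or cardholder does not participate: the merchant still 'attempted' it
        return attempt, "attempted"
    if o.pares_status == "Y":
        return full, "authenticated"
    if o.pares_status == "A":            # ACS returned proof of attempt
        return attempt, "attempted"
    if o.pares_status == "N":            # cardholder failed authentication
        return none, "not_authenticated"
    return none, "unavailable"           # "U" or no PARes received


def decide(o: ThreeDSOutcome) -> Decision:
    """Apply the liability-shift rules from the slides to one transaction."""
    if not (o.merchant_enrolled and o.acquirer_enrolled):
        return Decision(ECI[o.scheme][2], "not_enrolled", False, (),
                        "merchant and acquirer must both be registered for VBV/SecureCode")
    eci, status = classify(o)
    codes = COVERED_RC[o.scheme]
    if status == "authenticated":
        if o.authorised:
            return Decision(eci, status, True, codes, "fully authenticated")
        return Decision(eci, status, False, (), "authorisation declined; nothing to protect")
    if status == "attempted":
        if o.scheme == "mastercard" and o.acquirer_region == "US":
            return Decision(eci, status, False, (),
                            "USA has not opted into SecureCode liability shift on attempts")
        if not o.authorised:
            # the slides note that some issuers block ECI 6 authorisation requests outright
            return Decision(eci, status, False, (), "authorisation declined on the attempt")
        return Decision(eci, status, True, codes, "attempt covered by liability shift")
    if status == "not_authenticated":
        return Decision(eci, status, False, (), "cardholder failed authentication; do not submit")
    return Decision(eci, status, False, (), "authentication unavailable; no liability shift")


if __name__ == "__main__":
    # constructed scenarios: a Visa attempt on a non-enrolled card, and the same for a US MasterCard acquirer
    for sample in (ThreeDSOutcome("visa", True, True, "EU", False, False, None, True),
                   ThreeDSOutcome("mastercard", True, True, "US", False, False, None, True)):
        print(sample.scheme, decide(sample))
```

The decision is deliberately conservative: a declined authorisation on an ECI 6 attempt (the issuer-block problem on the next slide) yields no protection because there is no transaction to protect, and a PARes of "N" is treated as a hard stop rather than a fall-back to an attempt.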


Page 57: Driving Payment Innovation - Know Your Enemy

What are the Problems with 3-D Secure?

3-D Secure™ Issuer Blocks

In specific countries Issuers are blocking 3-D Secure attempted transaction requests, those tagged with an ECI 6 value;

There is a compliance rule that clearly states Issuers can be fined for not authorising 3-D Secure attempted (ECI 6) transactions; however, it doesn't seem that the enforcement mechanisms are in place to penalise Issuers;

Mexican Issuers are blocking ECI=6 authorisation requests; some banks in Eastern Europe also.


Page 58: Driving Payment Innovation - Know Your Enemy

What are the Problems with 3-D Secure?

3-D Secure™ Phishing Scams

Consumers are emailed a Verified By VISA or SecureCode enrolment request which includes actual language from the VBV or S/C web sites as well as the same fonts, layout and logos;

Consumers either click on a link or are redirected to a site that looks exactly like their card issuer's VBV enrolment site;

It is ironic that the one programme designed to assist merchants and consumers with the prevention of fraud is itself a victim of phishing fraud.


Page 59: Driving Payment Innovation - Know Your Enemy

This is a phishing site

Page 60: Driving Payment Innovation - Know Your Enemy

This link redirects to the phish site

Page 61: Driving Payment Innovation - Know Your Enemy

What are the Problems with 3-D Secure?


This is where it should become suspicious. The amount of information is too great for just a service activation.

Page 62: Driving Payment Innovation - Know Your Enemy

VBV Enrolment Phishing Scam

• This VBV enrolment phish had already targeted 24,011 consumers who had innocently registered;
• 21,086 VISA BINs and card numbers were obtained as a result;
• The fraudulent site was tracked to an IP address in Uruguay;
• The scam was locked down by VISA within hours of being reported; however, you can see just how many people were victimised by the phish;
• The data collected is extremely valuable on the black market for identity theft, counterfeit cards and online fraud!


Page 63: Driving Payment Innovation - Know Your Enemy

VBV Enrolment Phishing Scam

So why is 3-D Secure phishing so "easy" to pull off?

Both the Verified By VISA and MasterCard SecureCode web sites list every registered Issuer in alphabetical order;

If you select a specific Issuer, the (legitimate) VBV or SecureCode enrolment site displays;

This can be recreated by the 'phishing' fraudster, and within hours thousands of cardholders are fooled into providing personal information, card data, PINs, passwords and bank account numbers;

“Activate the Verified by Visa feature - It's easy and only takes a few moments to activate your card. You can do it right here on the secure Visa site or when prompted during the checkout process at one of our participating online merchants. Either way, your information is protected.”
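As an added example, not code from the presentation: a small audit that applies the two warning signs these slides describe, a form asking for far more than an activation needs (PINs, banking passwords, bank account numbers, as on page 61, "the amount of information is too great for just a service activation") and a form posting to a host other than the issuer's, to the forms found on a page. The keyword lists, the `MAX_FIELDS` threshold, the allowed-host set and both HTML samples are the editor's constructions.

```python
"""Audit an 'enrolment' page's forms for the tell-tale signs described on the
slides: far more data requested than a card activation needs, and a form that
posts to a host other than the expected one.

The keyword lists, the field-count threshold and the allowed-host set are this
editor's assumptions for illustration; the two HTML pages below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# data a 3-D Secure activation never needs, as token phrases matched against
# each field's name, id and placeholder (split on case changes and punctuation)
NEVER_ASKED = {
    "pin": [("pin",)],
    "online banking credentials": [("banking", "password"), ("banking", "user"), ("netbank",)],
    "bank account": [("bank", "account"), ("account", "number"), ("routing", "number"),
                     ("sort", "code"), ("iban",)],
    "national id": [("ssn",), ("social", "security"), ("national", "id")],
    "security answers": [("maiden", "name"), ("security", "answer")],
}
MAX_FIELDS = 6  # assumption: card number, expiry, name, new password, confirmation, one spare


class FormCollector(HTMLParser):
    """Collect each form's action URL and the labels of its user-visible fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            if (a.get("type") or "text").lower() in ("hidden", "submit", "button", "image", "reset"):
                return  # not something the user is asked to type
            label = " ".join(v for v in (a.get("name"), a.get("id"), a.get("placeholder")) if v)
            self._current["fields"].append(label)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def tokens(label):
    """'onlineBankingUserId' -> ['online', 'banking', 'user', 'id']"""
    return [t.lower() for t in re.findall(r"[A-Z]+(?![a-z])|[A-Z]?[a-z]+|\d+", label)]


def contains(seq, phrase):
    n = len(phrase)
    return any(tuple(seq[i:i + n]) == phrase for i in range(len(seq) - n + 1))


def audit(html, page_url, allowed_hosts):
    """Return the findings for every form on the page; an empty list means nothing odd."""
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        host = urlparse(urljoin(page_url, form["action"])).hostname or ""
        if host not in allowed_hosts:
            findings.append(f"form posts to unexpected host {host!r}")
        if len(form["fields"]) > MAX_FIELDS:
            findings.append(f"{len(form['fields'])} fields requested; an activation needs far fewer")
        hit = set()
        for label in form["fields"]:
            toks = tokens(label)
            hit.update(cat for cat, phrases in NEVER_ASKED.items()
                       if any(contains(toks, p) for p in phrases))
        findings.extend(f"asks for {cat}, which an activation never needs" for cat in sorted(hit))
    return {"forms": len(collector.forms), "findings": findings, "suspicious": bool(findings)}


# constructed sample pages (not real issuer or phishing content)
LEGIT_ACTIVATION = """
<form action="/vbv/activate" method="post">
  <input type="hidden" name="csrf" value="x">
  <input name="cardNumber"><input name="expiryMonth"><input name="expiryYear">
  <input name="cardholderName"><input type="password" name="newPassword">
  <input type="password" name="confirmPassword"><input type="submit" value="Activate">
</form>"""
PHISH_PAGE = """
<form action="collect.php" method="post">
  <input name="cardNumber"><input name="expiry"><input name="cvv2">
  <input name="atmPin" placeholder="ATM PIN"><input name="onlineBankingUserId">
  <input type="password" name="bankingPassword"><input name="bankAccountNumber">
  <input name="ssn"><input name="mothersMaidenName"><input name="dateOfBirth">
  <input type="submit" value="Activate">
</form>"""

if __name__ == "__main__":
    print(audit(LEGIT_ACTIVATION, "https://example-issuer.test/vbv/activate", {"example-issuer.test"}))
    print(audit(PHISH_PAGE, "http://secure-vbv-activation.example.test/activate", {"example-issuer.test"}))
```

Run against the constructed legitimate activation form the audit reports nothing; the constructed phish page is flagged on host, field count and five never-needed data categories. The allowlist is what makes the host check meaningful: the lookalike domain in the sample is caught because it is not the issuer's known host, not because of anything in its spelling, which is the same reason a consumer cannot rely on the page looking right.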



Page 67: Driving Payment Innovation - Know Your Enemy


This is the legitimate VBV registration site

Page 68: Driving Payment Innovation - Know Your Enemy


This is a phishing site

Page 69: Driving Payment Innovation - Know Your Enemy

Summary – Fraud Detection versus Prevention

Fraud ‘detection’ tools are those used to identify the probability of risk associated with an online transaction. They do not guarantee that a fraud will not occur and certainly will never prevent a chargeback from being initiated by the consumer.

Fraud ‘prevention’ tools like CVV2 and 3-D Secure do provide guarantees against fraud coded chargebacks and are fully sponsored by the Card Associations.


Page 70: Driving Payment Innovation - Know Your Enemy

Summary – Fraud Prevention

The top fraud detection and risk mitigation services being implemented in North America and Europe in 2009 are 3-D Secure™, IP Geolocation (geoblocking, proxy server detection), Computer Device Fingerprinting, Data Sharing systems and implementation of experienced chargeback analysis and management personnel.

Detection assists with fraud prevention.


Page 71: Driving Payment Innovation - Know Your Enemy

Summary – Fraud Prevention

OUR CONCLUSIONS

Merchants must implement PCI compliant security requirements to reduce the risk of malware/trojan/spyware attacks, plus transaction pre-authentication solutions including AVS, CVV2, IP Geolocation and data sharing services, in addition to Verified by VISA and MasterCard SecureCode. WHY?

Pre-authentication services pre-screen transactions to filter out ‘obvious’ or suspicious fraudulent transactions. 3-D Secure provides guaranteed chargeback liability shift on the not-so-obvious and seemingly legitimate transactions.


Page 72: Driving Payment Innovation - Know Your Enemy

Summary – Fraud Prevention

OUR CONCLUSIONS

KNOW YOUR ENEMY – you will then know your customer! Watch for behaviour patterns that don’t seem “normal” for customers at your site

Implement a face-to-face authentication system so you can "see" whether your customer is the same person as the photo ID they provided. SKYPE is free; anyone can use it. Why doesn't the gaming industry verify new clients by looking directly at them? It seems like a great deterrent, ensuring criminals don't register for your sites and therefore reducing your exposure to fraudulent payment transactions.


Page 73: Driving Payment Innovation - Know Your Enemy

Summary – Fraud Prevention

OUR CONCLUSIONS

Pre-authentication and automated screening services cannot predict the 'human behaviour' which results in chargebacks. Habitual chargeback offenders (the "friendly fraud" culprits) are aware of this and will use this excuse over and over again.

3-D Secure™ is there to protect online merchants from habitual chargeback offenders by allowing fraud chargebacks to be represented under the liability shift guarantees regardless of whether the cardholder is enrolled or not.


Page 74: Driving Payment Innovation - Know Your Enemy

Summary – Fraud Prevention

Useful References

• Cybersource Annual Fraud Reports (USA and UK)
• Anti-Phishing Working Group
• Nilson Reports
• Message Labs – the Online Shadow Economy reference docs
• Online newsfeeds – read about what's going on elsewhere with respect to phishing, skimming, malware attacks and data attacks, and advise your own staff. Education and information are key to identifying dodgy consumer behaviour or transactions
• Javelin Research Reports
• USA Federal Trade Commission – Internet Fraud and Safety info
• Watch the blogs and chat rooms – they are fascinating!


Page 75: Driving Payment Innovation - Know Your Enemy

Thank You!

Andrea Wilson

CEO First Atlantic Commerce Ltd
WWW.FIRSTATLANTICCOMMERCE.COM

+(441) 294-4620

Email ‘[email protected]’
