Day One - RULES That Rule: Proven Strategies for Combating e-Commerce Fraud

After the morning general session, a series of concurrent sessions started. First up: battling e-commerce fraud. On the panel were Michael Long (Accertify, LLC) and Timothy Laudenbach (Best Buy), with Rod Holm (Express) moderating.

NRF Loss & Prevention 2008

First up was Michael Long. Michael said that in the lead-up to this session they decided to broaden the scope of the talk to discuss e-commerce fraud best practices more generally rather than process rules. Michael then turned things over to Timothy to review how Best Buy operates with regard to fraud.

For the remainder of the session, Michael and Timothy tag-teamed the presentation, providing bullet points along with anecdotes from real-world experiences.

The major issue is Card Not Present (CNP) fraud. It’s typically the unauthorized use of a card in a non-face-to-face setting; it can be hostile and is sometimes organized. Internet retail merchants really bear the burden of CNP fraud.

How are cards compromised?
- Call Centers (staff copying numbers)
- Face-to-face encounters
- Phishing
- Bogus web sites
- Dumpster dives

Often an internet retailer is not the source of the compromise; the card is stolen elsewhere and then used online.

What is the total impact? It’s more than the chargeback number. In the US last year, chargeback losses were in excess of $3.5 billion. Retailers maintain staff to deal with fraud, but there are other costs. One major issue is customer insults, that is, canceling or questioning a legitimate customer’s order.

What are the goals related to CNP fraud? Deploy effective measures to minimize exposure:
- Minimize costs
- Reduce manual effort
- Reduce customer insults
- Remain current on tools
- Reduce cycle time to fulfillment

Large-volume retailers deal with thousands of transactions; criminals know this and leverage it. Use technology to assist with data processing.

What is the fraud fighting process? Screen -> Queue -> Review -> Resolve -> Learn

Screen:
Transaction screening is no silver bullet. Fraud patterns evolve, and rules must keep pace. The rules should distinguish legitimate orders from fraud (you don’t want to insult the legitimate customer).
- Negative file lookup: has the address, IP, or name been involved in fraud before?
- Bill to is not equal to Ship to; relationships are important here.
- High risk IP addresses are always suspect.
- AVS/security code mismatch; often criminals know this information.
- Rush orders/high $ orders.
- Invalid inputs
- High risk or targeted merchandise, i.e. laptops, iPods, cameras, etc.

When establishing your rules, look to weight certain factors. For example, if the ship to and bill to don’t match, that might not be as big an issue as a suspect IP.

Other effective rules:
- Fraudsters use same passwords on multiple sites
- Fraudsters often use the same device without resetting cookies on the browser
- Analyze handle and domain separately
- What’s the time of purchase? Weekends, late night, early morning? What is the usual customer purchase pattern?
- Velocity rules: multiple orders via same IP, name, seeking to ‘fly under the radar’.
- Positive rules: eliminate legitimate orders, improves morale, reduces insults, improves brand reputation.

While you can spend all day building rules, it’s important to move on; you need to queue things.

Queue:
Prioritization is key: which orders should be reviewed first? Which can wait? What are customer expectations? Don’t repeat the same process over (don’t call the same customer multiple times). Sorting and filtering are also key. You need to be able to analyze your data.
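
The Screen and Queue steps above, sketched as an added example (not code from the session or from either presenter's systems): weighted rules, a velocity rule, and a positive rule feed a review queue sorted by risk. The weights, thresholds, field names and sample orders are constructed assumptions.

```python
from collections import Counter

# Assumed weights and thresholds (not from the session), for illustration only.
WEIGHTS = {"negative_file": 60, "high_risk_ip": 40, "velocity": 30,
           "avs_cvv_mismatch": 25, "bill_ship_mismatch": 15,
           "rush_high_value": 15, "targeted_item": 10}
TRUSTED_CREDIT, REVIEW_AT, VELOCITY_LIMIT = 50, 50, 3

def score_order(o, ip_counts, negative_file, risky_ips, trusted):
    """Return (score, fired_rules) for one order dict."""
    checks = {
        "negative_file": o["ip"] in negative_file or o["email"] in negative_file,
        "high_risk_ip": o["ip"] in risky_ips,
        "velocity": ip_counts[o["ip"]] >= VELOCITY_LIMIT,
        "avs_cvv_mismatch": not o["avs_cvv_ok"],
        "bill_ship_mismatch": o["bill"] != o["ship"],
        "rush_high_value": o["rush"] and o["amount"] >= 500,
        "targeted_item": o["item"] in {"laptop", "ipod", "camera"},
    }
    fired = [name for name, hit in checks.items() if hit]
    score = sum(WEIGHTS[name] for name in fired)
    # Positive rule: customer with good history shipping to a known address.
    if (o["email"], o["ship"]) in trusted and "negative_file" not in fired:
        score = max(0, score - TRUSTED_CREDIT)
        fired.append("positive:trusted")
    return score, fired

def build_review_queue(orders, **lists):
    """Screen a batch and return (score, id, rules), highest risk first."""
    ip_counts = Counter(o["ip"] for o in orders)  # velocity within the batch
    scored = [(o["id"], *score_order(o, ip_counts, **lists)) for o in orders]
    queue = [(s, oid, rules) for oid, s, rules in scored if s >= REVIEW_AT]
    return sorted(queue, key=lambda q: (-q[0], q[1]))

def order(oid, ip, email, bill, ship, amount, item, rush=False, ok=True):
    return dict(id=oid, ip=ip, email=email, bill=bill, ship=ship,
                amount=amount, item=item, rush=rush, avs_cvv_ok=ok)

ORDERS = [  # constructed sample data
    order("A1", "203.0.113.9", "gift@example.com", "home1", "friend1", 80, "book"),
    order("A2", "198.51.100.7", "new@example.net", "home2", "home2", 900, "laptop", rush=True),
    order("A3", "192.0.2.44", "loyal@example.com", "home3", "office3", 1200, "camera", rush=True, ok=False),
    order("A4", "192.0.2.50", "u1@example.org", "home4", "drop9", 120, "ipod"),
    order("A5", "192.0.2.50", "u2@example.org", "home5", "drop9", 120, "ipod"),
    order("A6", "192.0.2.50", "u3@example.org", "home6", "drop9", 120, "ipod"),
    order("A7", "203.0.113.20", "bad@example.net", "home7", "home7", 30, "book"),
]
QUEUE = build_review_queue(ORDERS, negative_file={"bad@example.net"},
    risky_ips={"198.51.100.7"}, trusted={("loyal@example.com", "office3")})
```

In this sample the gift order A1 (address mismatch only) and the trusted customer A3 skip review, while the three same-IP orders A4 to A6 are queued together by the velocity rule.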

Review:
The typical review process takes a significant amount of manual work. With a manual process there is often room for error. The goal is to automate the process.

Some of the benefits of a good review process:
- Speeds review
- Reduces mistakes
- Reduce customer insults
- Reduce shipping and other delays
- Maximize profitability

Most major retailers will review between 3% and 8% of orders, and yes, you will cancel some legitimate orders.

Resolve:
During the resolution process you need to clean up afterward:
- Order cancelation, send out notification
- Negative file updating, populate your IP, e-mail and other tables with information
- Conduct a database search for other instances

Learn:
Learn from your chargebacks to prevent losses. Train your staff and develop new screening rules. Fraudsters are constantly evolving their techniques; you need to as well.

Effective fraud solutions consolidate the entire process; this includes your rules, third-party data sources, historical data and reporting.

Working together, online retailers can learn from each other.
