From The Analysts
SANDBAGGING AGAINST
A TIDAL WAVE

The continued battle to make e-fraud too expensive for criminals, just
affordable enough for online merchants and less terrifying for consumers...
by Nick Holland

   One could be forgiven for thinking that the sky is falling and that fraudsters are behind this impending apocalypse. With high profile incidents of 'identity theft' gaining significant media coverage and more and more issuers adding this buzz-phrase to their marketing efforts, consumers are becoming increasingly jittery about card payments, and that's just in the physical world. Add the extra dimension of the Internet and the fear of fraud goes through the roof - 70% of cardholders are seriously concerned about the security of card payments online. And we've been buying goods on the Internet for how long now?
   As a percentage of the total transaction volume, online fraud is dropping. In 2000, the percentage of fraudulent card transactions committed online was 3.6%. By 2003, this had dropped to 1.7%. And... people are spending significantly more year on year; the average spend per transaction online in the 2003 holiday season was $153, up from $133 for the same period the previous year. And... complaints to the Internet Fraud Complaint Center in 2003 relating to card fraud only equated to 12%, with the vast majority (46%) resulting from auction fraud. So why are people still so nervous with e-tailers compared with retailers?
   There is clearly something of a disconnect between the fear of identity theft and the fear of online card fraud. Most issuers set a liability cap for fraudulent card transactions at no more than $50, which may explain the increased expenditure online, but this does little to protect from the time, effort and cost of repairing badly damaged credit scores should a nasty case of 'body-snatching' occur.
   The essence of the problem is that age-old trust mechanisms and conventions for payment are removed with an e-commerce transaction. When we visit a convenience store, we can see the clerk behind the counter, we know we are in a physical location and we can touch, smell and if we purchase, taste the merchandise. The store is unlikely to be a figment of our imagination, we can have faith in the clerk giving us the goods once we part with our money and we would have difficulty denying at a later date that the transaction occurred - cameras and witnesses could testify otherwise. With e-commerce, all of the above are gone. We shop on a website by clicking boxes and filling in forms, hand over our card details and click the 'purchase now' button. Apart from our eyes accepting the 2D images as plausible surrogates for real merchandise, we have absolutely no sense (literally) of whether the retailer is genuine or not. And the feeling is mutual from the retailer's perspective. We are simply not getting enough reassurance in a traditional sense that the transaction has been completed successfully.
   To increase the comfort level for all parties, there are a wide range of technologies that have been developed to allow each party to prove to a reliable degree of certainty that they are who they claim to be including single use card numbers, password generating tokens and decentralized vendor rating schemes as on eBay. A prominent and well- supported system is 3DSecure, better known by its brand names; 'SecureCode' and 'Verified by Visa' (VbV). The system provides a means of proving that a cardholder is placing the order by requesting that they enter a secret code at the checkout. This code is verified not by the merchant, but by the cardholder's issuing bank. If the card is accepted by the issuer then the merchant can have every reason to believe that the person making the payment is the rightful cardholder, protecting them from chargebacks of the 'I didn't do it' variety. Cardholders also feel safer knowing that the merchant is making these extra checks, were their card lost or stolen, then this particular website wouldn't be an easy target for card fraud. And finally, banks are made less susceptible to fraud. It's a win-win-win situation.
   Another authentication scheme is called PassMark. The recent explosion in phishing attacks has prompted the development of various systems to authenticate a vendor as legitimate. Like a reverse 3DSecure, this system uses a third party to authenticate the merchant as legitimate to the cardholder. PassMark is the third party, acting like the issuer in the 3D Secure system. A cardholder registers with PassMark directly, providing an image such as a small personal photo which is unique to them. Merchants registered with PassMark will be able to prove that they are legitimate by accessing the PassMark server once the cardholder logs in, which would allow the cardholder's personal image to be displayed. In doing so, the cardholder can be confident that they are dealing with the merchant that they think they are and not a fake.
   Both of these systems demonstrate the need to have reassurance from a trusted third party of the legitimacy of those in the transaction, substituting mechanisms in place in the real world. And as with the real world, criminals will attempt to get away with fraud wherever goods and services change hands for money. It is unrealistic to think that fraud can be stamped out online or indeed anywhere, but neither is the Internet the source of all evil. It may feel like we are dropping our card details into a black hole when we shop online, but the authentication mechanisms in place can render the transaction just as safe as a weekly shopping trip. It just doesn't feel that way and therein lies the problem.