Phishing

Phishing occurs when thieves use official-looking e-mails, usually purporting to come from a bank or a large company with a trusted brand name, together with fake Web sites, to trick people into revealing personal data such as account access codes and social security numbers. Armed with this information, the thieves steal from the victim's bank accounts or use the credit card details to buy online. The transactions look legitimate, but the merchant then gets complaints from people who've been defrauded.

No matter whether you run your own e-commerce infrastructure on secure mainframes with 128-bit encryption behind a top-grade firewall (like Adaptive Marketing's) or outsource transaction processing to a third-party merchant account provider and payment gateway, it's worth investing in the best you can afford for your market opportunity. Here are some steps merchants can take to protect themselves from phishing scams.

Use a transaction processing solution or service provider with top quality, across-the-board capabilities in:

  • pre-screening users for fraud (including Address Verification System (AVS) and CVV2 checks, for quick verification of new credit-card users' names and addresses)
  • bank-account verification
  • post-transaction screening
  • international credit card verification

For a detailed check, ask candidate providers for:

  • references and case histories
  • Terms of Service (ToS) and Service Level Agreement (SLA)
  • their merchants' customer transaction repudiation rates
  • their merchant dispute rate and buyer-related loss rates

And take a close look at the provider's anti-fraud models and processes. Big service providers should be using some kind of neural-network risk model to spot fraudulent credit card activity.

A Very Big Phish

Another huge and potentially grave breach of credit card security occurred on June 17, when MasterCard International reported that a computer security breach at CardSystems Solutions, a payment processing company, might have exposed more than 40 million credit card accounts of all brands to fraud. In what's being called the largest ever theft of consumer credit and debit card data, some 20 million Visa and 14 million MasterCard accounts, along with American Express and Discover accounts, were compromised. MasterCard said that someone had introduced special computer code onto CardSystems' network, enabling them to steal the data. The F.B.I. is investigating...

For an online merchant, the most worrying thing about this is that it occurred not at a mom-and-pop store but at a major transaction processing partner of one of the world's largest financial services companies. The reality is that you, the merchant, have no control whatsoever over the security of other people's systems. So what can you do to protect yourself? Quite a lot, actually.

First, if you don't have AVS and other enhanced security-checking features on your e-commerce package, get them. Without some kind of verification, you have no idea whether the person making a transaction is the legitimate cardholder. It's no good getting a transaction authorized if the card has been stolen: eventually the real cardholder will find out and you'll likely get a chargeback plus a penalty and possibly a caution; you'll also likely lose the customer, and you could get slammed in the online forums.

Second, monitor your average daily orders very carefully. Do you notice a change in the usual shopping patterns, such as volume or purchase methods? Is there a sudden upsurge in orders for things that can be downloaded, or for money transfers, services or pay-per-view subscriptions (i.e., orders that don't require shipment to a physical address)? Is there a higher percentage than normal of overseas or out-of-state orders? Odd combinations of goods and services? Do you recognize the names of regular customers but see uncharacteristic order sizes, types or frequency? Do you see multiple transactions coming from dispersed geographical locations but with a recurring delivery address that differs from the billing addresses? A sudden surge of people asking for priority delivery to out-of-the-way places? For a merchant who knows their customers, these are the kinds of clues that can alert you to fraudulent activity. However, you still need the back-up of AVS and other robust anti-fraud tools that come with good commerce packages.
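As an added illustration (not code from the original post), here is a small Python check that runs a day's orders against the warning signs just listed: the share of non-shipped goods and of overseas billing versus an assumed baseline, AVS mismatches, sessions originating outside the billing country, and one delivery address reused by orders that bill elsewhere and arrive from dispersed countries. The order fields, baselines and sample batch are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
@dataclass
class Order:
    order_id: str
    digital: bool          # download, transfer, subscription: nothing is shipped
    billing_addr: str
    ship_addr: str
    billing_country: str
    origin_country: str    # country the buyer's session appears to come from
    avs_match: bool        # the processor's AVS result (assumed available)

# Constructed one-day sample batch, not real merchant data.
ORDERS = [
    Order("A1", False, "12 Elm St, Boise", "12 Elm St, Boise", "US", "US", True),
    Order("A2", True, "9 Oak Ave, Austin", "9 Oak Ave, Austin", "US", "US", True),
    Order("A3", False, "3 Rue Pins, Lyon", "77 Box Rd, Reno", "FR", "FR", False),
    Order("A4", False, "8 Calle Sol, Lima", "77 Box Rd, Reno", "PE", "PE", False),
    Order("A5", False, "5 High St, Leeds", "77 Box Rd, Reno", "GB", "RU", True),
    Order("A6", True, "1 Main St, Ames", "1 Main St, Ames", "US", "NG", False),
]
def flag_orders(orders, baseline_digital=0.10, baseline_foreign=0.05):
    """Returns (batch_alerts, {order_id: [reasons]}); clean orders are omitted."""
    n, batch = len(orders), []
    digital_share = sum(o.digital for o in orders) / n
    foreign_share = sum(o.billing_country != "US" for o in orders) / n
    if digital_share > 2 * baseline_digital:
        batch.append(f"non-shipped goods {digital_share:.0%} vs baseline {baseline_digital:.0%}")
    if foreign_share > 2 * baseline_foreign:
        batch.append(f"overseas billing {foreign_share:.0%} vs baseline {baseline_foreign:.0%}")
    # "Recurring drop" pattern: one delivery address, several billing addresses,
    # sessions from more than one country.
    drops = defaultdict(list)
    for o in orders:
        if o.ship_addr != o.billing_addr:
            drops[o.ship_addr].append(o)
    hot = {addr for addr, group in drops.items()
           if len(group) > 1 and len({o.origin_country for o in group}) > 1}
    reasons = {}
    for o in orders:
        r = []
        if not o.avs_match:
            r.append("AVS mismatch")
        if o.ship_addr in hot:
            r.append("shared drop address from dispersed origins")
        if o.origin_country != o.billing_country:
            r.append("session origin differs from billing country")
        if r:
            reasons[o.order_id] = r
    return batch, reasons
```

In the sample batch both batch-level alerts fire, orders A1 and A2 come out clean, and A3, A4, A5 and A6 each carry the reasons that apply to them; flagged orders are candidates for manual review, not automatic refusal.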

We believe extra vigilance is justified. MasterCard said that among the information stolen from CardSystems was cardholders' names, account numbers, expiration dates... and security codes, the three or four digits printed on the credit card separately from the account number. In other words, the thieves have the complete identity of the people whose data they stole.

April 20, 2005 in Trust | Permalink

Privacy

The issue of federal data protection legislation is gaining ground in the wake of increasing incidents of data and identity theft. Rep. Cliff Stearns (R-Fla.), Chairman of the House Subcommittee on Commerce, Trade and Consumer Protection, said that recent incidents are forcing Congress to look again at the fundamental issues of the privacy debate. "The commercialization, or monetizing [of] consumer data has made protecting it far more complex and important given its value in the wired marketplace," Stearns said.

Rep. Joe Barton (R-Tex.), Chairman of the House Energy and Commerce Committee, said recently that legislation is likely necessary to make data collection firms "bear greater responsibility for the security and integrity" of information they sell. Barton suggested there might be a need to consider national standards for protecting consumers when their personal information is lost or wrongfully disclosed by a data broker.

And Sen. Dianne Feinstein (D-Calif.) is moving to strengthen her identity theft legislative proposal. The Senate Judiciary Committee is considering Feinstein's bill, and the notion of a national notification law will likely be a major source of questions to officials from the Federal Trade Commission, the FBI and the Secret Service.

Privacy is on lawmakers' and businesses' agenda as never before. ChoicePoint, LexisNexis and Bank of America, companies whose data security was recently breached, have publicly declared support for legislation that would require data collection companies to notify consumers in the event of their data being compromised. However, the preferred solution is for all businesses, online or offline, that handle private data to adhere to the highest standards of security and protection.

April 20, 2005 in Trust | Permalink