Is your security adequate against online fraud?


With e-commerce’s steady growth comes an increase in an associated problem: Internet fraud. Two of the most common crimes are use of stolen cards and fraudulent mobile transactions.

The issue is global in reach. For example, the recent FBI sting Operation Card Shop resulted in arrests in Britain, Germany, Bosnia, Bulgaria and Norway, the New York Times reports. The criminals were hackers selling credit cards and stolen identities.

Another recent breach at a processing center in Atlanta, Ga., affected 1.5 million credit cards. In 2011, the cost of online fraud approached $3.4 billion in the U.S. and Canada, CyberSource reports, an increase of 26 percent from 2010.

keyboard with handcuffs

Businesses accepting online payments should upgrade their security and processing technology, and with present trends, maintenance will require constant vigilance. Some retailers aren’t yet using the first line of defense, the Card Verification Value2, or CVV2, in processing orders. This is the three- or four-digit number on the credit card that proves customers have the card in their possession.

The Payment Card Industry Data Security Standard (PCI DSS) does not allow merchants to store the CVV2 after the transaction is complete. Of course, if the physical card is stolen, the thief can enter the correct CVV2, so another level of security is to verify the billing address. An address verification system checks the numerals of the billing address entered with the one on file with the credit card company.

But as security gets more sophisticated, so do hackers. In 2011, the PlayStation Network was hacked, affecting 70 million users, CNET reports. Customer information included credit card numbers, CVV2s and addresses.

In another case, global intelligence company Stratfor was hacked, with reports that their computers had retained CVV2 numbers from customers against PCI DSS protocols, according to watchdog site Besides direct hacks into databases, criminals have planted malicious codes on websites that gather customer data. Firewalls need to be monitored and adequate.

Credit card companies are testing another layer of protection, called 3-D Secure, which asks customers to enter another password while shopping on member merchant sites. The 3-D protection is not without problems. The pop-up interface lends itself to imitations used by hackers to “phish” customer data. Customers are also protesting that it can lock them out of shopping unless they sign up. Mastercard SecureCode and Verified by Visa are both 3-D secure services.

The surge in mobile transactions – purchases via cell phone or portable device – has created another set of security issues, fraud prevention service provider Threatmetrix warns. Determining actual location and the unique Internet address (ISP) are more difficult in mobile device transactions, eliminating two tools systems can use to verify customer identity. With readily purchased equipment, hackers can mimic mobile use while seated at a computer.

In response, software companies are creating risk control and fraud prevention software that flags suspicious transactions through an automated process. One example is Boise, Idaho’s Kount company. Kount’s system uses factors including proxy location, actual location, device identity, customer history and card-testing attempts to create a risk score for further investigation.

T-shirt company had 2 percent in chargebacks and fines of $5,000 per month before implementing Kount. Since, their chargeback rate has dropped to 0.5 percent. Another client, CD Baby, reduced chargebacks from $26,000 per month to $850. Similar products include Falcon Fraud Manager,, ThreatMetrix and Volance.