Are you ready for PSD2 and Mastercard & Visa changes in October 2019? We look at Online Payment Fraud and how it happens…
Published on: 26th September 2019
Following serious AML & compliance review, some of our clients receive payments from customers globally via www.metaluminor.com's payment gateway merchant account partners. In some cases our clients, meaning the businesses selling products or services online, have issues with online fraud, mainly through chargebacks, fees and detection techniques.
As companies globally move to payments online, fraudsters are simply following too. Most people I know across the world buy everything online as it's convenient and practical, and we simply do not have time to visit showrooms, stores, or even restaurants anymore. Fast-paced and busy lives contribute to a US$5 trillion global ecommerce market, which is said to grow even further. This is equivalent to 10% of all global consumer sales and is said to reach 20% in just a few years.
So with so many active customers online it is no wonder that fraudsters are trying to take advantage and we need to be aware of their scheming methods. Many of us now store card details to make online payments.
What is online payment fraud and why is it so common?
Prior to taking a closer look into how online payment fraud happens, it would be important to know exactly what payments it affects. There are two types of payments:
Card present
When the physical card is used to buy something in a shop, restaurant, bar or market.
Card not present
When the card details are used, but the physical card itself is not passed from the buyer to seller. Card Not Present payments can happen by mail or on the phone, but mainly happen online.
Online payments are a prime target for fraudsters as they do not even need to have the real card, they only need the card details which can be stored digitally. It is also easier to get away with it, and so much harder for the seller to verify who is really making the purchase.
Online sellers will lose $130 billion to online payment fraud between 2018 and 2023 (Source: Juniper Research)
Payment fraud affected 82% of organizations back in 2018 (Source: Association of Finance Professionals)
Payment fraud is unfortunately already a business worth more than a billion dollars a year and is growing fast. When you look at the stats behind global online payment fraud, it's no surprise that almost three quarters of businesses say it is becoming a major concern.
Global fraud cost on average:
- Online payment fraud costs businesses globally approximately 1.8% of revenue.
- For every $1 of fraud from chargebacks, ecommerce businesses lose an additional $2.94 which is nearly a 200% plus cost.
The extra costs are mostly administrative, including chargeback fees, merchandise distribution, AML fraud investigation, legal battles and top-grade security software licenses.
The other thing is consumer confidence, which is more than just a financial cost: fraud also impacts brand and customer loyalty. Online sellers get blamed for online fraud as consumers do not understand it.
Who is affected by online payment fraud?
When our card details are stolen or compromised, we immediately try to contact our bank to stop all payments or purchases. This takes time, and most of all we hope the bank's or EMI's customer support will action this immediately to avoid further losses. It typically takes 3 to 4 working days to cancel one's card, before dealing with the mess that comes after.
All companies and sole trader set-ups selling online know that online fraud is a huge concern. Items are lost, and the refund costs, which we call chargebacks, and even the small percentage that the payment provider charges are borne by them too, so it is definitely a problem, as it is a pure liability.
This is where the revised EU Payment Services Directive (PSD2) comes in, meaning that payment providers will now be responsible for their entire portfolio of online sellers. The game has now changed in that online sellers look for low fraud rates, as they would then have a less risky and more robust, secure infrastructure, e.g. avoiding the use of 3D Secure on every transaction.
How and why does online payment fraud happen?
Ease of access, as in less secure sites, as well as sociological and economic issues are to blame here.
We all know that there are various types of online payment fraud. One example is what is known in the industry as ‘friendly fraud’ which happens when a real customer actually receives the goods they ordered, but claims not to have received them and tries to file a chargeback through their bank instead of requesting a refund from the seller.
The most widely used online payment fraud is identity theft – this is how it works:
- Criminals simply steal or gain access to cardholder information, for example through skimming on payment pages or by buying this information on the dark web.
- A fraudster then uses the stolen card details to impersonate the cardholder and buy things online.
- The online seller thinks the purchase is valid, processes the payment and sends the goods to the address indicated by the fraudster. This is normally how they are caught: the authorities wait for the parcel to be collected from the address used.
- The actual cardholder then sees the charges and contacts their bank, and the online seller is then slapped with a chargeback plus fees.
For the average master fraudster, buying card details on the dark web is the easiest and fastest way to get large numbers of card details. The Breach Level Index reports that more than 14 billion data records have been stolen and leaked online since 2013.
Surprisingly, less than a quarter of consumers are aware that this is how fraudsters operate, and only 20% know that it is eventually the retailers who pay for this fraud. This is a huge concern, as fraudsters take advantage of the fact that brands do not want to lose their customer loyalty and so will try to keep everything as low profile as possible once they have a breach, although by right I believe it should be reported to the authorities immediately. If this is not done, then keeping it quiet only provides more incentive for the fraudsters. Could it be that online sellers do not want a drop in their stock or share price if they are listed?
How do these fraudsters operate online?
Fraudsters have always been stealthy; they are constantly finding new ways to commit fraud online and improving their techniques. The dark web is unfortunately a corner of the Internet where criminals can interact without being traced. This is where fraudsters normally buy and sell card details, and discuss and share information about how to go about committing fraud, what tools to use, etc.
At www.metaluminor.com we are always keeping an eye on what these fraudsters come up with and how they operate through the experience our providers have as well as our online merchants.
A few of the latest trends include:
The most experienced fraudsters use what we also call heavy-duty software, like Anti-Detect, to avoid browser IDs. This software enables fraudsters to create multiple instances of virtual machines in browser windows. Even though it makes it hard to trace them, blocking location is a huge indicator of fraud, so that should be a warning sign in itself. We also call this advanced privacy software, which is used by many emissaries, diplomats and secret services operating overseas.
Phone number spoofing
Fraudsters can also buy real customer phone numbers online along with card details, but they never get access to the actual phone. To get around this they can contact the customer's phone company to request that all calls are diverted to their own number, so that they can verify purchases if needed through the second-tier verification. They even advertise these so-called 'calling services' on the dark web, where someone can call a victim's bank and credit card provider to change their registered phone number.
Mimicking the buyer behavior
In the past, unprofessional fraudsters would give themselves away by making huge orders on compromised cards very quickly, which set off alarm bells too quickly. The more advanced fraudsters act like real customers and wait a while, adding and deleting things from their basket and placing a few smaller orders first before the bigger one.
Detailed customer information
As well as payment card details and personal information, we have also heard of fraudsters buying and selling device IDs and original copies of driving licenses. Fraudsters normally use these to appear more convincing, or they can add different customer details and create new accounts under these alias (fake) IDs. This tactic is often used in bank fraud, which is ultimately the most serious of all fraudulent crimes. The problems these have caused to businesses etc. are substantial.
Chargeback fees and card scheme rules
When a customer has had a fraud attempt on an online seller's website, they normally notify their bank and the seller will receive a chargeback. As well as refunding the cardholder, the seller also has to pay the chargeback fees to their payment provider; this is the norm. Chargeback fees can be as high as EUR 50 and are payable even if the chargeback is not upheld.
To add insult to injury, in addition to these fees the card schemes normally put a limit on the number of chargebacks an online seller receives before they get even costlier fines. In the decade between 1988 and 1998, Visa and Mastercard lost a colossal $750 million to credit card fraud. This made both credit card companies start to monitor chargebacks (also called disputes). Next month, in October 2019, Visa will update the thresholds for the chargeback monitoring program, which include the changes below:
New Visa fraud thresholds from October 2019
Visa Standard Fraud Monitoring Program (VFMP)
USD 250,000 in fraudulent transactions and 2.0% fraud : sales ratio (dollars)
USD 75,000 in fraudulent transactions and 0.9% fraud : sales ratio (dollars)
New Visa Excessive Fraud Monitoring starting from 1st October 2019
Visa Excessive Fraud Monitoring Program (VFMP)
USD 250,000 in fraudulent transactions and 2.0% fraud : sales ratio (USD$)
USD$ 250,000 in fraudulent transactions and 1.8% fraud : sales ratio (USD$)
Visa Chargeback Monitoring Program (VCMP) – Low Risk
100+ dispute count and 1.0% dispute : sales ratio
100+ dispute count and 0.9% dispute : sales ratio
Visa Chargeback Monitoring Program (VCMP) – High Risk
1000+ dispute count and 2.0% dispute : sales ratio
1000+ dispute count and 1.8% dispute : sales ratio
What should retailers prepare prior to 1st October 2019?
For merchants, it pays to invest in additional security and in fraud detection and prevention to minimize the risk of chargebacks. Payment providers with fraud detection as part of their service can offer online sellers security and a reduced risk of fees, and can even become more effective at catching fraud.
So how should sellers and payment providers approach fraud detection?
They need to redefine their rules engine
With a traditional rules engine, payments which fit certain fraudulent criteria are blocked or reviewed, such as high-value orders which are more likely to be fraudulent. Using only rules can be risky, as you might inadvertently block and slow payments from genuine customers. For example, if you enable a rule which blocks all transactions over EUR 500, you'd certainly be blocking lots of real customers too.
These rules are still a key part of any fraud detection toolkit. It is important to use and create good ones especially in certain situations where they have over 90% accuracy and where there’s no need for a ‘grey area’ in the answer – for example always flagging a payment from an extremely high-risk country or region. The trick is to use a combination of rules and machine learning tuned to your specific business fraud risk.
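The contrast described above, as an added example that is not code from the original article: a blanket EUR 500 block rule compared with a hard rule plus a model risk score. The score cut-offs, the `XX` country code and the sample payments are assumptions constructed for illustration.

```python
from dataclasses import dataclass

HIGH_RISK_COUNTRIES = {"XX"}             # placeholder country code (assumption)
AMOUNT_LIMIT_EUR = 500                   # the EUR 500 figure used in the text
BLOCK_SCORE, REVIEW_SCORE = 0.80, 0.40   # assumed score cut-offs

@dataclass
class Payment:
    pid: str
    amount_eur: float
    country: str
    risk_score: float   # 0.0-1.0, assumed to come from a trained model
    is_fraud: bool      # ground truth, known only after the fact

def blanket_rule(p):
    """The rule the text warns about: block everything over EUR 500."""
    return "block" if p.amount_eur > AMOUNT_LIMIT_EUR else "allow"

def combined(p):
    """Hard rule where no grey area is needed, model score elsewhere."""
    if p.country in HIGH_RISK_COUNTRIES:
        return "review"                  # always flagged, whatever the score
    if p.risk_score >= BLOCK_SCORE:
        return "block"
    # A high amount only lowers the bar for manual review; it never blocks.
    bar = REVIEW_SCORE / 2 if p.amount_eur > AMOUNT_LIMIT_EUR else REVIEW_SCORE
    return "review" if p.risk_score >= bar else "allow"

def outcome(decide, payments):
    """Return (genuine payments blocked, fraudulent payments allowed)."""
    blocked = sum(1 for p in payments if decide(p) == "block" and not p.is_fraud)
    missed = sum(1 for p in payments if decide(p) == "allow" and p.is_fraud)
    return blocked, missed

# Constructed sample payments, not real data.
SAMPLE = [
    Payment("p1", 620, "DE", 0.05, False),
    Payment("p2", 45, "FR", 0.10, False),
    Payment("p3", 900, "GB", 0.92, True),
    Payment("p4", 30, "XX", 0.15, False),
    Payment("p5", 550, "IT", 0.30, False),
    Payment("p6", 80, "ES", 0.85, True),
    Payment("p7", 1200, "NL", 0.08, False),
]

if __name__ == "__main__":
    print("blanket rule :", outcome(blanket_rule, SAMPLE))
    print("rules + score:", outcome(combined, SAMPLE))
```

On this sample the blanket rule blocks three genuine customers and still lets a low-value fraudulent payment through, while the combined approach blocks only the two fraudulent payments and sends two borderline ones to review.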
New Machine learning methods
Instead of just relying on simple rules with yes/no answers, machine learning uses trained models to score every transaction algorithmically as low, medium or high risk. Whereas you need to feed rules into a rules engine, machine learning models are proactive and work on payments in real time, using past data and new information simultaneously. Problems begin where machine learning alone is used, which causes serious problems with customers and with customer support for vendors and even the providers themselves.
We know that machine learning is automated and highly flexible to handle thousands of payments each second. A model is basically the equivalent of a team of analysts running hundreds of thousands of queries and comparing the outcomes to find the best result. With machine learning this is done in milliseconds with minimal human input.
The three main pillars of fraud protection
As with any type of crime, approaches to detecting and preventing fraud have evolved over time and have become highly professional and costly. Fraud detection is most certainly one of the success stories for applying machine learning tools and big data, as this enabled analysts to change the way they looked at customers and payments.
The three pillars of fraud detection are:
- A refined rules engine
- Machine learning
- Link analysis using graph databases
Link analysis using graph networks
A graph network with link analysis can also do a similarly good job, as it allows you to look at all the evidence across all your customers and quite literally joins the dots for you to build a picture of what a fraudster looks like. This way you can prevent future fraudsters from making payments.
Machine learning models and graph networks are perfect tools to use together, as they mutually reinforce each other. For example, you can teach your machine learning model to flag large networks for review and to block payments from networks which have grown super quickly, to prevent a fraudster from using multiple accounts to keep ordering products or services.
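A small sketch of the link analysis described above, added here as an example and not taken from the original article: accounts that share a card, device or address are joined into networks with a union-find structure, and networks that are both large and formed within a few days are flagged. The attribute names, account data and the size and time limits are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: (account, day the account was created, linked attributes)
ACCOUNTS = [
    ("acct-1", 1, {"card:aaa", "device:d1", "addr:10 Example St"}),
    ("acct-2", 1, {"card:bbb", "device:d1"}),
    ("acct-3", 2, {"card:bbb", "addr:22 Sample Rd"}),
    ("acct-4", 2, {"card:ccc", "addr:22 Sample Rd"}),
    ("acct-5", 3, {"card:ddd", "device:d9"}),
    ("acct-6", 40, {"card:eee", "device:d7"}),
    ("acct-7", 200, {"card:eee", "device:d8"}),
]

def find(parent, x):
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def build_networks(accounts):
    """Join accounts that share any attribute; return a list of networks."""
    parent = {name: name for name, _, _ in accounts}
    first_seen = {}                       # attribute -> first account using it
    for name, _, attrs in accounts:
        for attr in attrs:
            if attr in first_seen:        # shared attribute: merge the networks
                parent[find(parent, name)] = find(parent, first_seen[attr])
            else:
                first_seen[attr] = name
    groups = defaultdict(list)
    for name, day, _ in accounts:
        groups[find(parent, name)].append((name, day))
    return list(groups.values())

def fast_growing(accounts, min_size=3, max_days=7):
    """Networks with at least min_size accounts created within max_days."""
    flagged = []
    for members in build_networks(accounts):
        days = [day for _, day in members]
        if len(members) >= min_size and max(days) - min(days) <= max_days:
            flagged.append(sorted(name for name, _ in members))
    return flagged

if __name__ == "__main__":
    print(fast_growing(ACCOUNTS))
```

Accounts 6 and 7 share a card but were created 160 days apart, so they form a network without being flagged; only the four accounts linked within two days are returned for review.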
Buying fraud protection vs. building your own
Matching fraud detection solutions with various technical financial roles, such as KYC & AML requirements or possible red flag raising, is no easy task. Creating a fraud detection solution that works, but also suits a business's needs for speed and convenience, is quite a matching task. Are there any tools on the market to complement this? Are there any customizable APIs or machine learning tools which payment providers can plug into?
If you and your team are thinking about developing your own fraud detection in-house, make sure you know the key questions to ask to understand what is right for your business and your exits. If you are looking for a fraud solution which uses machine learning, make sure to ask the right questions and even liaise with all stakeholders of the process, including suppliers etc.
If you would like to receive more information about what machine learning tools are available on the marketplace, or a review of your current processes by globally Certified Data Protection Specialists, then please do not hesitate to reach out to us on info@metaluminor.com
Philip Maurice Mifsud
CEO | Founder