INTERNET FRAUD

How serious is Internet fraud? To quote Verisign, a company that delivers critical infrastructure services that make the Internet and telecommunications networks more intelligent, reliable, and secure, “The threat of online fraud is so pervasive that the government has begun mandating security requirements for businesses that handle financial information online.” Although currently such regulations only apply to the banking community, e-commerce businesses access the financial networks for each transaction made on their website. Thus, security at the point of sale is an increasing concern for not only governments, but also for credit card associations.

These sobering figures show how prevalent Internet fraud has become:

Gartner Group estimates that fraudulent transactions make up 1.06% of total online transactions versus only .06% of offline transactions. Gartner also estimates that in 2003 alone, online transaction fraud will reach $1.8 billion.

The FBI reported that in 2002 Internet fraud complaints tripled from the year before; and, sadly, 2003 complaints are above the level reported for the same time period in 2003.

Although any e-commerce site can be at risk and a single fraud incident may be serious enough to put a merchant out of business, some websites are at greater risk for certain types of fraud than others. Some of the higher than average risk categories include e-commerce sites that:

  • Don’t have robust security defenses — cybercriminals can take advantage of such sites using sophisticated spidering techniques to enable them to search the Internet for websites with network vulnerabilities. Criminals then use this information to break into your network where they can steal your account access information for hijacking or merchant takeovers.
  • Are highly visible — although you, of course, need to have a high-visibility quotient to attract customers, fraud attempts are higher for e-commerce sites that advertise heavily or are media darlings. That’s because cybercriminals understand that websites experiencing high volume traffic spend less time defending against fraud.
  • Sell internationally — it is difficult to validate the address or identity of out-of-country customers. It is even more difficult to investigate and prosecute fraudulent activity internationally.
  • Offer seasonal or special promotion merchandise — criminals know that a website owner has limited time to spend on fraud protection measures when sales volumes are high.
  • Sell high-ticket items — criminals fraudulently acquire items that can be resold easily.
  • Sell downloadable goods (e.g. software, music) — the purchase of these goods doesn’t require a physical address, which makes it easier for criminals to disguise a fraudulent transaction.

There are steps you can take to significantly reduce your exposure to fraud. These steps are separated into three levels: the individual transaction level, the account level (i.e. protecting access to your payment gateway account), and the network level. However, to protect your business from fraud, you must address each of these levels in an integrated manner.

Transaction Level. This is where you ensure that each transaction you process is a valid transaction. To do this you must authenticate the customer and screen each order for fraud patterns.

  • Take advantage of MasterCard and Visa’s buyer authentication programs.
  • Put in place a system that offers address verification service, card security code features, IP address checks, and shipping address validation (e.g. VeriSign’s Payflow service).
  • Maintain a list of “bad” or fraudulent orders and check all transactions against that list and a list of repeat customers who have previously transacted legitimate business on your website.
  • Don’t automatically reject a transaction that seems suspicious. Instead, review such transactions to ensure that you aren’t rejecting a legitimate customer.
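As an added example (not from the book), the sketch below combines the transaction-level checks listed above into one screening step that holds suspicious orders for manual review instead of rejecting them. The field names, list contents, the $500 high-ticket threshold and the "one hard or two soft signals" rule are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample lists; a real shop would build these from its own order history.
BAD_EMAILS = {"mule@example.net"}
BAD_CARDS = {"fp-9f2c"}                      # card fingerprints, never raw card numbers
REPEAT_CUSTOMERS = {"repeat.buyer@example.com"}

@dataclass
class Order:
    email: str
    card_fp: str
    avs_match: bool         # address verification result from the gateway
    cvv_match: bool         # card security code result from the gateway
    ip_country: str         # from an IP geolocation lookup
    billing_country: str
    shipping_country: str
    amount: float

def screen(order, high_ticket=500.0):
    """Return (decision, reasons). Suspicious orders go to review, never auto-reject."""
    hard, soft = [], []
    if order.email in BAD_EMAILS or order.card_fp in BAD_CARDS:
        hard.append("on bad-order list")
    if not order.avs_match:
        hard.append("AVS mismatch")
    if not order.cvv_match:
        hard.append("card security code mismatch")
    if order.ip_country != order.billing_country:
        soft.append("IP country differs from billing country")
    if order.shipping_country != order.billing_country:
        soft.append("ships outside billing country")
    if order.amount >= high_ticket:
        soft.append("high-ticket order")
    # Assumption: a known repeat customer clears soft signals but not hard ones.
    if order.email in REPEAT_CUSTOMERS:
        soft = []
    reasons = hard + soft
    # Assumption: one hard signal or two soft signals is enough to hold the order.
    if hard or len(soft) >= 2:
        return "review", reasons
    return "accept", reasons
```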

Account Level. At this level you ensure that only authorized users have access to your payment gateway account. Also put in place a system that alerts you to suspicious account access patterns. For instance:

  • Lock down administrative access.
  • Change your account password on a regular basis.
  • Monitor account level activity for suspicious patterns that could indicate merchant account takeover.
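One way to monitor account activity for takeover patterns, shown as an added example that is not from the book. The audit-log format, action names and thresholds are hypothetical, and the two patterns checked (a successful login right after repeated failures, and a sensitive change from an IP address first seen at that login) are assumptions about what "suspicious" means here.

```python
from collections import defaultdict

# Assumed action names for a hypothetical gateway audit log.
SENSITIVE = {"password_change", "add_user", "change_settlement_account"}

# Constructed sample events: (minute, user, source_ip, action)
EVENTS = [
    (0,  "owner", "198.51.100.7", "login_ok"),
    (3,  "owner", "198.51.100.7", "password_change"),   # routine rotation, known IP
    (90, "owner", "203.0.113.50", "login_fail"),
    (91, "owner", "203.0.113.50", "login_fail"),
    (92, "owner", "203.0.113.50", "login_fail"),
    (93, "owner", "203.0.113.50", "login_ok"),
    (95, "owner", "203.0.113.50", "change_settlement_account"),
]

def detect_takeover(events, fail_threshold=3, window=10):
    """Return a list of (minute, user, reason) alerts."""
    known_ips = defaultdict(set)    # IPs each user has logged in from before
    fails = defaultdict(list)       # minutes of failed logins since last success
    new_ip = {}                     # user -> IP first seen at the latest login
    alerts = []
    for minute, user, ip, action in sorted(events):
        if action == "login_fail":
            fails[user].append(minute)
        elif action == "login_ok":
            recent = [m for m in fails[user] if minute - m <= window]
            if len(recent) >= fail_threshold:
                alerts.append((minute, user, "login after repeated failures"))
            fails[user] = []
            # The first IP ever seen is the baseline; later unseen IPs are flagged.
            if known_ips[user] and ip not in known_ips[user]:
                new_ip[user] = ip
            else:
                new_ip.pop(user, None)
            known_ips[user].add(ip)
        elif action in SENSITIVE and new_ip.get(user) == ip:
            alerts.append((minute, user, action + " from first-seen IP"))
    return alerts
```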

Network Level. This is where you ensure your network or “perimeter” is defended against unauthorized access. As described in this chapter’s “Common Website Security Measures” section, protection at this level includes:

  • Locking down network access.
  • Monitoring firewall activity.
  • Putting in place a system whereby alerts and patches are automatically checked and installed on all servers, operating systems, and applications.
  • Investing in regularly scheduled security audits or port scans to identify network vulnerabilities.


The Complete E-Commerce Book, Second Edition: Design, Build & Maintain a Successful Web-based Business
ISBN: B001KVZJWC
EAN: N/A
Year: 2004
Pages: 159
