Forum Moderators: LifeinAsia
E-commerce fraud takes a toll on sales [news.zdnet.co.uk]
Merchants surveyed ... reported that they lost 1.14 percent of all online sales to fraud in 2001
If I lost 1.14% of revenues to fraud I would have been forced to close a long time ago...
Currently we are at about 0.2% of sales lost to fraud. It is probably feasible to push it to less than 0.1% using a good "warning system".
every business needs to cater for a level of fraud / theft etc. it's very easy to adjust prices accordingly. bricks and mortar stores need to cater for shoplifting as well.
in 2 years of online trading, i have had just one "fraud" out of thousands of transactions, although it depends on your definition of fraud. it was a customer in the Philippines who signed up for web hosting with a legitimate card and charged back 5 months later. he did the same with the hosting company he moved to later - i warned them but they took a chance on him. the only real cost to me was the initial transaction fee.
of the customers i provide ecommerce for, there is very little fraud. most attempted fraud gets stopped well in advance as my customers all use worldpay. one customer set up SSL to take payments manually thinking it was cheaper, and lost £2000 to fraud in one month - he should really have checked the cards were valid before sending the goods. he abandoned his own SSL and reverted to worldpay.
another customer providing downloadable software had a lot of chargebacks. he switched to providing software by CD - this stops a lot of fraud as purchasers need to give a valid postal address to receive the goods whereas when goods were downloadable, any postal address would do. no fraudster in their right mind will give their real postal address as that means they could be traced. since switching to providing software by CD, fraud has dropped to virtually zero.
there are several simple things people can do to reduce and/or prevent fraud:
1) use a real-time payment system such as worldpay, netbanx, 2checkout.com and so on - these validate card numbers and addresses - worldpay at least is adding more anti-fraud measures soon by adopting the Visa 3D Secure verification. a similar Mastercard scheme is due to follow. other e-commerce providers may also do something similar.
a real time system such as worldpay will also let you see failed orders - repeated failed orders are likely to be from someone who is trying their luck with various credit card numbers in the hope that a valid one will eventually get through.
2) switch from providing intangibles to tangibles where possible (software, documents, music etc)
3) be wary of orders placed from certain countries, especially the former eastern bloc countries
4) be wary of those who place orders using a PO Box number, those using a hotmail email address (or one of over 10,000 other free email address systems), and giving a mobile telephone number.
5) in the event of suspect orders, contact customers by telephone prior to despatch of goods. a genuine landline telephone number is likely to mean a genuine customer. a telephone call, even worldwide, only costs a few pence and can save your company a lot of money.
i could go on and on .....
Visa International and MasterCard reported that about 0.06 percent of physical world sales were lost to fraud
It's their policies for dealing with internet sales that lead to the higher rate of fraud, especially internet based services. If you run advertising and someone buys advertising from you with a credit card, they could spend millions with you, only to charge it back at any time they choose if they claim the quality of service wasn't good enough (no time limit on this kind of charge back). This applies to just about any internet based business that provides a service instead of a product.
1) Best option is to have pre-auth. This allows you to view the transaction and see what WorldPay's AVS says about the transaction before you accept the transaction. If you do not have pre-auth and someone places an order for £2000, you lose 4.5% (for select accounts) in transaction fees, whether you process the order or not. If someone tries to do that to you every day, you lose £32850 per year in transaction charges.
2) One improvement that should be made is card comparison. If a transaction has been made before on your account with the same card number, it would be nice if they could let you know the last transaction number so you can compare that the addresses and other details are the same. I had two people try to place orders with the same card. I didn't know until I requested code 10's. It was the same person asking for two orders, giving different addresses. I may suggest this to WorldPay now, while I think on.
Fraud is an increasing problem, but we no longer accept the order if we don't like the 'look' of the person's details. Before shipping goods, you can check www.infobel.com to see if details match. You can also use www.whereis.info to check that the IP address (you should record this) country matches up to the country they say they are from. We have had requests to addresses in London, Madrid, New York and the IP address on every one is from Uganda.
Eastern Europe and African countries are definite no-go areas, unless you are prepared to accept higher losses or the AVS check match.
unfortunately, no credit card processing system can be guaranteed to prevent fraud. they can only be as good as the bank and credit card company systems will allow in terms of AVS and other anti-fraud checks. and yes, i agree that use of pre-auth is very important to allow AVS checks without incurring any charges.
but the most important and most effective anti-fraud measures come from the retailer. the retailer ALWAYS has the option of contacting the customer to verify the transaction is genuine, of cancelling the transaction if it looks suspicious, of sending goods by recorded / registered post to obtain a signature and so on. make some effort, use some common sense, and the retailer will be less susceptible to chargebacks.
>>It's their [the credit card issuers] policies for dealing
>>with internet sales that lead to the higher rate of
>>fraud, especially internet based services
yes, and not just internet sales, but all sales in any cardholder not present situation such as over the telephone and by mail order and so on. there needs to be a change of policy to prevent cardholders from making legitimate transactions and fraudulently charging back.
in cases where cardholders charge back due to inadequate service etc, there is absolutely nothing a service provider can do to prevent the chargeback occurring. however, the service provider should have terms which do not guarantee a minimum service level, and should therefore be able to claim the costs of providing that service through the courts.
in cases where the cardholder charges back claiming the card has been used without permission, there is nothing the service provider can do unless they can prove that it really was the cardholder who made the transaction. in my opinion, the cardholder should accept responsibility for these - they have a duty to ensure they look after their cards properly.
unfortunately, we need to persuade the credit card issuers to change their rules. none of them will want to do this on their own as it means they will be lowering the service and guarantees they provide to their customers, and they need their customers.
That is true, but, if WorldPay are authorising the card for you WITHOUT your approval of the order and it is fraud, you have to refund the amount to the card - and that costs you money (the transaction fee).
Therefore you need the balance of both. Besides, WorldPay are about to instigate a £10.00 chargeback fee if the cardholder does chargeback.
I'll give you one instance of what happened to me:
1) Receive order (£191.00 - I get paid £180.50)
2) Send order (£7.05 delivery charge by courier)
3) Realise it was fraud
4) Cancelled delivery with courier (no cost)
5) Contacted WorldPay for advice (wish I hadn't bothered)
6) Refunded amount to card (cost £191.00)
7) Customer charges back - WorldPay charge back (cost £191.00)
8) Three months later I give WorldPay a 7-day letter to get my chargeback cancelled because it was already refunded (cost about £10 including all phone charges - they never return your call)
Total income = £180.50
Total expense= £399.05 (before correction)
Total expense= £208.05 (after correction)
TOTAL COST = £27.55
I should have saved £10 in phone calls and £7.05 delivery if I had been more careful, making a loss of £10.50 for a £191.00 order. That's a loss of 5.5% on every transaction.
Are you prepared to lose 5.5% on transactions made through WorldPay - transactions that THEY authorise and YOU DON'T EVEN SEND?
Let's say someone keeps coming back (as happened to me with the above person) and they spend £2500 in one week (as happened to me). That is loss of £137.50 in one week before I've even looked at any of the orders.
likewise, ALL bricks and mortar shops are susceptible to shoplifting. retailers cannot blame the company that built the shop, the company that fitted the shop out, the company that supplied the cash registers, the company that supplied the CCTV equipment.
the only person to blame is the criminal.
and whatever line of business we're in, whether it be an internet store or a bricks and mortar store, we MUST take into account the possibility of theft / fraud. it's common business sense to allow for a bit of theft / fraud. it's a very simple matter to adjust pricing accordingly.
we can also take out insurance against fraud and chargebacks. there are a small but growing number of insurers willing to provide specialist insurance against online fraud. of course, they all expect the retailer to take basic precautions ...
Have just opened up a new site in a market aimed at the younger generation which is going to make the checks that we use more difficult. hotmail accounts being more popular amongst young people is just the first obvious problem.
I tried a high-tech retail goods site and gave up because about 75% of orders were with stolen cards. I used World Pay (natwest streamline) and went over to a pre-auth account. Once you get stung once, watch out because the crooks will then hit your site even more!!
IMHO Forget retail online unless you make the goods or your name is Wal Mart or something.
On the other hand I have a services site that has never had a fraud transaction in three years. Again with World Pay.
THIS HAPPENS EVEN IF YOU KNOW THE ORDER IS FRAUD AND DO NOT SHIP OR SUPPLY ANY SERVICE.
That's why you need pre-auth so YOU DECIDE whether to authorise the payment. This is not set up in WorldPay's system in its initial state. You have to request it.
Yes - paulclarke is correct. There are websites out there where people test your site for fraud possibilities on small orders. They post your address if you ship the goods and then you get hit. Hard.
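Several checks suggested in this thread (repeated failed orders, the same card used with different addresses, IP country versus stated country, PO Box and free e-mail addresses) can be combined into a simple pre-dispatch warning list. The following is an added example, not code from any poster or from WorldPay; the field names, `card_token`, the `ZZ` country code and the sample orders are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

FREE_MAIL = {"hotmail.com"}  # assumption: extend with your own list of free providers
PO_BOX = re.compile(r"\bp\.?\s*o\.?\s*box\b", re.I)

def review_flags(orders, max_failed=3):
    """Return {order_id: [reasons]} for authorised orders worth a manual check.

    orders: dicts in time order. card_token is assumed to be a gateway-issued
    token or salted hash, never the card number itself.
    """
    failed_by_ip = defaultdict(int)  # declined attempts seen so far per IP
    addr_by_card = {}                # first billing address seen per card token
    flags = {}
    for o in orders:
        if o["status"] == "failed":
            failed_by_ip[o["ip"]] += 1
            continue
        reasons = []
        if o["ip_country"] != o["billing_country"]:
            reasons.append("ip_country_mismatch")
        if failed_by_ip[o["ip"]] >= max_failed:
            reasons.append("repeated_failed_orders")
        addr = " ".join(o["address"].lower().split())  # normalise case and spacing
        if addr_by_card.setdefault(o["card_token"], addr) != addr:
            reasons.append("same_card_different_address")
        if PO_BOX.search(o["address"]):
            reasons.append("po_box")
        if o["email"].rsplit("@", 1)[-1].lower() in FREE_MAIL:
            reasons.append("free_email")
        if reasons:
            flags[o["id"]] = reasons
    return flags

# Constructed sample orders (not real data); IPs are documentation ranges.
KEYS = ("id", "status", "ip", "ip_country", "billing_country",
        "card_token", "address", "email")
SAMPLE = [dict(zip(KEYS, row)) for row in [
    (1, "ok", "198.51.100.7", "GB", "GB", "tok_A", "12 High Street, Leeds", "a@example.co.uk"),
    (2, "failed", "203.0.113.9", "ZZ", "GB", "tok_B", "1 Any Road, London", "x@hotmail.com"),
    (3, "failed", "203.0.113.9", "ZZ", "GB", "tok_C", "1 Any Road, London", "x@hotmail.com"),
    (4, "failed", "203.0.113.9", "ZZ", "GB", "tok_D", "1 Any Road, London", "x@hotmail.com"),
    (5, "ok", "203.0.113.9", "ZZ", "GB", "tok_E", "PO Box 44, London", "x@hotmail.com"),
    (6, "ok", "198.51.100.7", "GB", "GB", "tok_A", "9 Mill Lane, York", "a@example.co.uk"),
]]

if __name__ == "__main__":
    for order_id, reasons in review_flags(SAMPLE).items():
        print(order_id, ", ".join(reasons))
```

The flags are prompts for a manual check before dispatch (a phone call, a directory lookup), not automatic rejections; on a pre-auth account they can be reviewed before the payment is accepted.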