How to foil the online fraudsters

IT Week: As head of fraud prevention solutions at business intelligence software developer SAS, what do you see as the biggest problems for e-traders?

Peter Dorrington: According to statistics from the US-based National Consumers League for the first half of this year, the most common problem was online auction fraud, which made up 87% of all incidents. This was followed by general merchandise fraud and (hoax) Nigerian money offers. We do not have a reliable similar source in the UK, although I suspect that we are in the same position here.

A recent survey showed that most Internet merchants have been affected by online fraud in some way. Why are the numbers so high?

Internet merchants are vulnerable to the various forms of card-not-present fraud. These include stolen cards, which are on the decline; card number generators, which are peculiar to the Internet or call centres and are also beginning to decline; and the use of false identities or identity theft – where the fraudster takes over someone else’s identity to make a purchase, leaving the innocent victim to fend off the credit recovery agencies. This last type of fraud is dramatically increasing. Another reason why the levels are high is that many retailers have not implemented the kind of fraud-detection measures that the banks and bigger players have in place. Those can potentially spot a fraud as it happens.

What can retailers do to reduce the risk of fraudulent transactions?

They can use a number of measures to protect themselves. Initially, they should implement adequate security to protect sensitive customer information. Where substantial sums of money are involved, they need to verify details of the purchaser. Implementation of a fraud-detection system that can automatically indicate those transactions that are most suspicious, usually some kind of rules-based system, is also important.

And what steps should consumers take to guard themselves?

Consumers should protect their cards and any personal information that can be used to apply for a card in their name. For example, they should destroy ID-related information before putting it into the rubbish.

Should there be more collaboration among banks, retailers and payment systems providers, to develop standardised online payment models?

While supportive of measures that can prevent fraud, we have to recognise that these systems are only as good as the data they use. If data about an individual is wrong or outdated, it may disenfranchise them from doing business over the Internet. Also, all these verification systems are vulnerable when it comes to the original application for, and issuing of, the verification key. How do you tell that the person applying for the key is really who they say they are?

Will the introduction of smartcards help to reduce fraud?

Smartcards will dramatically decrease opportunistic fraud, but they are not infallible. For example, France has a smartcard and PIN system, but it still suffers from about 20% of the card fraud it originally had. An 80% reduction is excellent, but it is not 100%. As to online fraud, the problem will be the reader. Lots of online shoppers shop from home. Are we going to make them buy smartcard readers before we allow them to shop?

How are fraudsters likely to change their strategies and how should firms react?

Fraudsters constantly evolve their techniques, so it is impossible to predict where next they will turn up. There are an awful lot of them and relatively few of us. That said, we cannot afford to just give up. Businesses need to get to grips with the problem today, by becoming familiar with the common forms of fraud and appropriate countermeasures. Firms should also keep themselves educated by working with a good vendor and joining appropriate self-help bodies.


  • Peter Dorrington is head of fraud solutions at business intelligence software developer SAS Institute UK. His role focuses on helping organisations to detect and prevent fraud and money laundering.

Dorrington has more than 20 years’ experience in IT. He was originally sponsored as a systems designer by the Science & Engineering Research Council, where he spent a number of years working with advanced computer systems.

Before joining SAS, Dorrington was a principal consultant with a European IT services consultancy.
