
Understanding Online Fraud


19 October 2017

Victoria Galloway

8 minute read

Australians are big digital adopters. And the demand for online and mobile convenience is stronger than ever, with increased digital activity permeating into almost every industry.

In the banking sector alone, 38% of Australians interact with their bank via smartphone or tablet, a 22% jump in the last three years. For prepared merchants, the future of this online adoption is bright: eCommerce sales are projected to rise 21% by 2018, with Australia’s eCommerce market expected to surpass $24bn also by 2018.

With credit and debit cards sitting in first place as Australians’ preferred digital payment method (at 85%), and with online fraud accounting for 78% of fraud on all Australian credit and debit cards in 2016, the convenience of card payments comes with a unique set of challenges.

What might have caused the 78%?

  • While chip & PIN has provided strong protection against in-store card fraud, it has pushed fraudsters online
  • The more we use cards online, the more sensitive card data there is to protect. This has resulted in large scale data breaches
  • ID theft has evolved, and continues to evolve, dramatically, posing more of a threat as techniques become more varied and sophisticated

This increase isn’t a reason to panic, but rather a reason to get savvy. As a business, how do you capitalise on the eCommerce boom while safeguarding your business and your customers? Here’s what you need to know about the different types of online payment fraud and how to protect your business.

What different types of eCommerce fraud are there?

To some extent, movies with charismatic thieves rolling out ambitious heists and payment scams have glamourised fraud; but there’s nothing glamorous about large scale data breaches!

Today, fraud can take on many disguises with a variety of dangers, severity and outcomes. Rapid innovation in payment technology, especially in the mobile sphere with the uptake of digital wallets and sophisticated shopping carts, has created new avenues for fraudsters to breach data and access sensitive card data.

Types of fraud can be separated into two main categories:

  • Card not present fraud: online fraud, where card details are stolen to make payments without the card
  • Card present fraud: occurs at an ATM or at POS devices

Within these two fraud types are other malicious examples of fraud, including affiliate fraud, merchant identity, phishing, ID theft and pagejacking.

What do online fraudsters look like?

The idea of a lone hacker working independently in a room somewhere isn’t the reality of organised payment fraud. Fraud rings are incredibly discreet, often part of vertically-integrated organisations, always adapting to the market and searching for new efficiencies to increase their revenue, reduce costs and lower risk.

Importantly, online fraudsters defy blacklists. Just blocking communications with countries with well-known black-market operations isn’t enough as even the safest marketplaces, including here in Australia, are attacked by sophisticated schemes that trick merchants into thinking they’re dealing with companies from countries like the UK and United States. This gives merchants a false sense of security, and you’re led to believe that you’re serving your local market.

Know your industry

Every industry is affected by payment fraud in different ways and some are more susceptible than others. For example, the retail industry might experience a large number of individual occurrences of fraud, but the average loss is usually smaller than in other industries where fraud might be less frequent but hits harder.

The banking and financial service industries are, on average, hit the hardest. Fraud tactics like identity theft and credit card fraud are becoming increasingly popular as online banking becomes automated. Large establishments, like governments, are another big target because of their size and number of employees. Governments can fall victim to every type of fraud, including billing fraud, asset misappropriation and payroll fraud. The manufacturing industry also carries higher risk, as the nature of manufacturing businesses renders them susceptible to noncash instances of fraud like intellectual property theft and the stealing of trade secrets.

40% of fraud in the healthcare industry is through billing scams. Insurance fraud is another common problem in the healthcare industry, too, with plenty of money regularly injected into insurance premiums and packages.

It’s advisable to carry out a risk assessment of your industry to ensure your payments process reflects its unique challenges.

What are the challenges?

Fraudsters can use a variety of techniques online. Because of this, it’s important that Payment Service Providers educate businesses of every shape and size in fraud prevention: how to spot risky behaviour, and promoting fraud prevention tools as standard.

For less experienced merchants, making the foray into the payments space might feel a tad risky, but the payments industry has emerging technology on its side, as well as existing powerful measures and preventive controls that work. These include methods like biometric identification, usually via smartphone, where fingerprint verification provides highly reliable user authentication.

The uptake and growing popularity of mobile in Australia has further anti-fraud advantages. Digital wallets and the more advanced shopping carts out there do not require customers to re-fill card field data. The current projection is that by 2020, just one fifth of all online transactions will require customers to put their details into a browser. The only way is app!

What fraud tools exist today?

The best way to protect your business in today’s busy marketplace is to be proactive. The adage (well, our adage) that a business is only as good as its secure checkout rings true.

There are fraud tools that every business accepting payments online should use. Bambora’s easy Checkout solution includes these important tools as standard and it is not advisable to accept payments without them. These tools are your best friends:

  1. Velocity checks monitor the number of times customer data occurs within a specified interval. This could be: IP address, email address, phone number, billing/shipping address
  2. 3D Secure will send the cardholder to a payment form hosted by Visa, Mastercard, or Amex which requires a password to make payment
  3. Card Verification Values (CVV) confirms the customer is the cardholder by matching the CVV number provided to what is on record with the credit/debit card company
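To make the first of these tools concrete, here is an added illustration (not Bambora's code) of a sliding-window velocity check over the attributes the list names: IP address, email, phone and shipping address. The sample transactions, limits and one-hour window are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample checkout attempts (timestamp, attributes). 203.0.113.0/24 is a
# documentation address range; the emails, phones and addresses are made up.
T0 = datetime(2017, 10, 19, 9, 0)
SAMPLE_TXNS = [
    (T0 + timedelta(minutes=m), {"ip": "203.0.113.7", "email": e,
                                 "phone": p, "shipping_address": a})
    for m, e, p, a in [
        (0,  "a@example.com", "+61400000001", "1 Example St"),
        (5,  "b@example.com", "+61400000002", "1 example st"),
        (10, "c@example.com", "+61400000003", "1 Example St"),
        (15, "d@example.com", "+61400000004", "1 Example St"),
        (90, "a@example.com", "+61400000001", "2 Other Rd"),
    ]
]


class VelocityChecker:
    """Sliding-window velocity check: count how often each customer attribute
    (IP, email, phone, shipping address) recurs within `window`."""

    def __init__(self, window, limits):
        self.window = window              # e.g. timedelta(hours=1)
        self.limits = limits              # attribute -> max occurrences per window
        self.seen = defaultdict(deque)    # (attribute, value) -> timestamps seen

    def check(self, ts, attrs):
        """Record the attempt and return the attributes whose limit is exceeded."""
        flagged = []
        for field, value in attrs.items():
            if field not in self.limits:
                continue
            key = (field, value.strip().lower())   # normalise so case/spacing don't split the count
            hits = self.seen[key]
            while hits and ts - hits[0] > self.window:   # drop entries outside the window
                hits.popleft()
            hits.append(ts)
            if len(hits) > self.limits[field]:
                flagged.append(field)
        return flagged


def run_sample():
    """Run the constructed transactions; the 4th trips the IP and address limits."""
    checker = VelocityChecker(timedelta(hours=1),
                              {"ip": 3, "email": 2, "phone": 2, "shipping_address": 3})
    return [checker.check(ts, attrs) for ts, attrs in SAMPLE_TXNS]
```

The fifth attempt reuses the first email and phone but falls outside the window, so it is not flagged; the window and limits would be tuned to a merchant's own traffic.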

For larger businesses processing a high volume (and high value) of payment transactions, employing advanced fraud tools is advisable to ensure that customer card data is safe and your business is future proofed.

The type of advanced tools you use depends on the Payments Service Provider you work with. At Bambora we partner with ACI ReD Shield, who specialise in monitoring eCommerce transactions for fraudulent activities in real-time. This way, your fraud solution can be bespoke and unique to your individual business requirements.

The importance of PCI compliance

PCI (Payment Card Industry) compliance is a set of card data security standards designed to keep customer data secure. These standards ensure that cardholder data is encrypted when transmitted across networks, rendering it unreadable and unusable to a system intruder.

PCI applies to every company of every size that accepts card payments. If you intend to accept card payments, and process cardholder data, you need to do it securely with a PCI compliant payments provider.

PCI compliance is a big part of fraud defense. It’s not advisable to process payments through a Payments Service Provider that is not PCI compliant as your customer card data will be exposed to all manner of risk.

A PCI compliant provider, like Bambora, will provide multiple layers of defense that combine physical and virtual security methods, including authorisation, passwords, restricted server access and network locks.

Bambora is Level 1 PCI compliant. This means that when you choose to accept payments through our payment gateway, we keep your customer data safe for you. You don’t have to worry about it!

Tokenisation as fraud defence

Tokenisation is a multi-benefit solution that keeps cardholder data and other personal customer data secure. It does this by preventing the data from entering CRM (and other types of applications) and eCommerce sites.

Tokenisation technology replaces credit and debit card numbers with a separate piece of data, usually a long string of numbers. This token acts as a stand-in for the much more valuable information but has virtually no value on its own. The credit and debit card number itself is encrypted and stored in an off-site PCI compliant vault that is separate from your data systems.

The token is then used in place of the real card number in the online transaction, meaning that as a merchant you do not handle or store the unsecured card data. Just the tokens.

What does this mean for security? Simply that tokenisation makes it much harder for attackers to reach sensitive card data from anywhere outside your tokenisation system, so it’s a great way to combat the threat of fraudsters. It also adds peace of mind for your customers, as your payments have an added, very visible, layer of security.
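An added illustration of the split this section describes, not Bambora's or any provider's code: a vault object standing in for the provider's off-site PCI vault hands the merchant a random token, and the merchant's records and charge calls carry only that token. The token format, the Luhn check and the sample card number are assumptions for the example, and the vault's at-rest encryption is left out.

```python
import secrets

def luhn_valid(pan: str) -> bool:
    """Luhn checksum sanity check before a card number is accepted for vaulting."""
    digits = [int(d) for d in pan if d.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return 12 <= len(digits) <= 19 and total % 10 == 0

class TokenVault:
    """Stand-in for the provider's off-site PCI vault. The merchant never holds this
    store; a real vault also encrypts the card numbers at rest (omitted here)."""

    def __init__(self):
        self._store = {}                   # token -> PAN, vault side only

    def capture(self, pan: str) -> str:
        """Hosted checkout captures the PAN and hands the merchant a token."""
        pan = pan.replace(" ", "")
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        # The token is random, not derived from the PAN, so it is worthless outside
        # this vault; only the last four digits are carried along for receipts.
        token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"
        self._store[token] = pan
        return token

    def charge(self, token: str, amount_cents: int) -> dict:
        """Resolve the token inside the vault; the merchant only sees the outcome."""
        pan = self._store.get(token)
        if pan is None:
            raise KeyError("unknown token")  # forged or stale tokens buy nothing
        return {"status": "approved", "amount_cents": amount_cents, "last4": pan[-4:]}

class MerchantOrders:
    """Merchant side: stores tokens and amounts, never card numbers."""
    def __init__(self, vault: TokenVault):
        self.vault, self.orders = vault, []

    def record(self, token: str, amount_cents: int) -> int:
        self.orders.append({"token": token, "amount_cents": amount_cents})
        return len(self.orders) - 1        # order index

    def capture_payment(self, order_index: int) -> dict:
        order = self.orders[order_index]
        return self.vault.charge(order["token"], order["amount_cents"])

SAMPLE_PAN = "4111 1111 1111 1111"        # constructed, Luhn-valid test number
```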

If you’ve been inspired to learn more about fraud, what actions you can take to prevent it, or are concerned that you might be encountering it, don’t hesitate to get in touch with one of the Bambora team today.

About the author

Victoria Galloway is Bambora APAC's Technical Copywriter, and has been writing and producing in the payments and eCommerce space for a number of years, both in the UK and Australia.