Cutting out E-fraud

Recently, Kelt Reeves was ready to join the rest of the e-business-bound world and launch his company's first business-to-consumer site to sell $4,000 computer gaming systems. Then Reeves had a thought that gave him pause: What if the site turned into a magnet for fraud artists with phony or stolen credit card numbers? Could his small $3 million company survive an onslaught of bogus sales?

One check with credit card issuers confirmed his fear: As in the brick-and-mortar world, if he shipped goods to a crook, he'd be financially responsible—even if the card issuer had given him a verbal OK on the transaction. Reeves, president of Falcon Northwest Computer Systems Inc., in Ashland, Ore., immediately put a hold on his e-commerce plans.

"It's taking us forever to get our e-commerce site up and running," Reeves said. "The credit card companies didn't have a whole lot of answers for us when we asked how to protect ourselves. ... How do we cover our butts?"

Reeves is smart to be asking the question before launching a site. Seeing only the monetary sparkle of the holiday buying season, many companies have accelerated their e-commerce efforts without preparing for the threat posed by increasing levels of online fraud.

The most vulnerable enterprises are small and medium-size businesses, particularly if they sell big-ticket items or items such as software than can be delivered over the Internet. Such companies often can't afford expensive fraud detection products and services any more than they can big losses due to fraud. Therefore, like Reeves, they should develop an anti-fraud strategy before they launch, experts say. Fortunately, there are techniques that can help cut losses.

Meanwhile, vendors of anti-fraud services are beginning to market lower-priced products specifically for smaller e-commerce companies.

The high price of fraud

Help is coming none too soon. By year's end, online credit card fraud is expected to cost merchants $400 million, according to a report released this month by Meridien Research Inc., of Newton, Mass. Overall online consumer fraud—including consumers falsely claiming they never ordered items—is expected to cost online merchants $1.5 billion this year, the report says. Financial experts expect online fraud to get worse: Meridien predicts that by 2001, online credit card fraud could cost merchants $9 billion a year, and that by 2003 the cost could reach $15 billion (see chart, below). Fraud rates can reach 30 percent for sites selling certain types of merchandise, such as software, online merchants report.

"It's difficult for the merchant not to be left in the middle holding the bag," said Marcelo Halpern, a partner at the Chicago law firm of Gordon & Glickson LLC and an expert on e-commerce law. "It's a question of contractual leverage. The consumer ultimately dictates the terms, and Visa is Visa, and you, the merchant, are not."

The problem is not that credit card companies put more financial pressure on e-commerce companies than brick-and-mortar businesses. The problem, experts say, is that fraud is more likely to take place online. Less than 1 percent of credit card transactions initiated in brick-and-mortar stores today are fraudulent, according to Meridien's research and card issuers such as Visa International. But on average, nearly 10 percent of all Internet transactions are fraudulent, according to Meridien.

"Fraud is not really a bigger issue online except in the sense that online crooks may be fundamentally braver" than those in the offline world, Gordon & Glickson's Halpern said.

And going to court—provided you can figure out whom to sue—is almost guaranteed to fail, one expert said.

"You can certainly try to sue, but any attorney will tell you that in most cases there's almost no remedy," said Mark Grossman, head of the Computer and E-Commerce Law Group at the Miami law firm of Becker & Poliakoff P.A. "The merchant ends up the loser."

The reason more online transactions are fraudulent is that they are all what is called "card-not-present" transactions. In a "card-present" transaction, a clerk can at least compare the signature on the back of the credit card with the signature obtained on the sales slip at the time of the transaction. That protection is not available in card-not-present transactions. For those transactions, credit card companies and their partners force merchants to pay higher premiums for processing orders. And when a sale turns out to be fraudulent, the card issuer withdraws the funds from the merchant's bank account automatically. The true cardholder is only liable for $50 worth of transactions on his or her stolen card. The merchant typically eats the rest.

As fraudulent transactions pile up, the merchant's costs increase. For the behemoths of e-commerce, such as Dell Computer Corp., experts say this isn't as crucial an issue as it is for "mom-and-pop" Web stores. Dell, which runs one of the largest stores on the Web, may experience much more fraud than smaller vendors, but it also does much more business. And credit experts say banks and credit card companies are less likely to be strict about collecting fees from the big guys.

Compounding the problem is that so few startup e-commerce vendors are taking significant precautions to guard against fraud, said Meredith Hickman, an analyst at Meridien.

"We've found very few merchants with advanced fraud detection systems in place," such as neural network systems that compare new transactions against profiles of fraudulent ones, Hickman said. Only 2 percent to 4 percent of Web merchants use such systems today, mainly because of their cost, Meridien's research shows. Providers of such fraud detection services typically charge one-time fees of tens of thousands of dollars on top of per-transaction fees. That has put these services out of the reach of many e-commerce enterprises.

"The dot-com startups have no money for this. They're spending it on marketing," Hickman said.

Help is coming

But online store owners can take heart, analysts say, because new technology is starting to appear to help large and small Web businesses cut their fraud risks (see related story).

In the absence of affordable tools, some online merchants have had to go to great—and expensive—lengths to com bat e-fraud. Beyond.com Corp., a Santa Clara, Calif., online software and hardware vendor, for example, was forced to develop its own fraud detection software or risk going out of business shortly after launching in 1995. About six months after launching the Web site, company officials discovered that more than half the products moving off its virtual shelves were being stolen.

"People were stealing vast, vast amounts of software," even obscure programs, "simply because they could," said Beyond.com's chief technology officer, John Pettitt.

Finding no relief from credit card companies and faced with financial losses that were poised to put the company out of business, Beyond.com developed its own fraud detection system. In 1997, Beyond.com spun out its fraud detection unit, launching CyberSource Corp., based in San Jose, Calif.

"We realized there was no solution out there, so we grew our own," Pettitt said. Fraud losses were cut "drastically" after Beyond.com instituted the system that became the basis for CyberSource's product line, he said, although he would not specify how much credit card fraud the company experiences now.

Of course, most online merchants won't be able to do what Beyond.com did. But there are quick, inexpensive steps they can take while they ponder the small, but growing, selection of fraud detection services now available. For many, the answer is to extend to the e-commerce world the same fraud-prevention techniques developed for telephone-based transactions. Falcon Northwest Computer Systems, the gaming system company, for example, has kept telesales fraud rates low by teaching its sales staff how to detect certain types of would-be thieves by asking a series of questions during the telephone ordering and billing process.

"We average an hour on the phone with each customer. If it's less than that, it's a red flag," Reeves said. Originally, salespeople would simply take card numbers and expiration dates and get the authorization from the issuing bank. But some stolen and "false" cards (created using bank identification numbers and modular mathematics) can still slip through this system. After being taken advantage of one too many times, Falcon Northwest added new precautions.

"Now we ask for the 800-number listed on the back of the card, along with the last four digits of the customer's Social Security number or their mother's maiden name," he said. "It makes some people nervous, but they provide it. If they hang up, we're pretty sure it would have been a fraudulent transaction."

Experts such as Halpern said that applying similar techniques to online sales can cut out a chunk of credit card fraud.

"You can make it harder and harder for somebody to commit fraud by couching it as a customer service issue," Halpern advised. "Call the customer back and say, 'We're just verifying that this is really what you ordered.' Do multiple checks of the customer's e-mail, phone numbers and addresses." If the home phone number can't be independently verified as registered to the name on the credit card, that's a tip-off to a potentially fraudulent transaction, experts say.

Read the fine print

Merchants can also help themselves by reading up on how contracts work between online store owners, banks and credit card companies, experts say.

"Anybody setting up shop online must carefully read the credit card agreement with the merchant bank," said Michael Littenberg, a partner with the New York law firm of Schulte, Roth & Zabel LLP and an expert in e-commerce law. "You need to understand how the contract works because, once you ship the product, you're never going to see it again" if the transaction turns out to be fraudulent, Littenberg said.

Good customer service is also a valuable tool, since a certain portion of any merchant's charge-back fees is due to disputed credit card charges, another expert said. (See more tips on cutting e-fraud.)

The deck may be stacked against smaller merchants when it comes to protecting against fraud, but that's not going to keep them away from e-commerce. Falcon Northwest, for example, most likely will launch its site within the next few months, selling a new line of less expensive machines, averaging around $1,600. Reeves expects the lower price to boost sales volumes. That may even make the expected higher fraud levels palatable.

"Hopefully, at the end of the day, the Net allows you to reach so many customers that that should cancel out the fraud," said Meridien's Hickman.

Regardless of whether your Web storefront is a two-person operation or a brand-name superstore, experts say you need to think about how to protect it from credit card fraud. The tools available to help do this, however, vary widely depending on who your transaction partners are—and how deep your pockets are.

Many of the risk assessment tools available today give merchants instant access to a plethora of information about how to detect fraudulent transactions, but these tools are aimed mainly at banks, large transaction processing companies and large Web merchants. Some products can cost tens, if not hundreds, of thousands of dollars to license.

At least one vendor, however, is at work on a product aimed specifically at smaller online businesses. Internet Commerce Services Corp., an online storefront services provider based in Nashua, N.H., is about to announce a deal with San Diego-based HNC Software Inc. to offer an as-yet-unnamed product for small Web stores based on HNC's eFalcon, ICS officials said. Pricing has not yet been determined for the service, which is set to roll out in the first quarter of next year.

However, for now, most fraud-tool vendors target large e-commerce customers with products that often carry stiff per-transaction fees. Such tools include the following:

• Internet Fraud Screen, from CyberSource Corp., of San Jose, Calif., which uses artificial intelligence and advanced mathematics to calculate the risk of a given transaction. New transactions are compared with a database of the characteristics of millions of online thefts suffered by Web merchants since 1995, and a risk factor is assigned to each transaction. Some 500 Web merchants use Internet Fraud Screen, including Amazon.com Inc. and Compaq Computer Corp. Pricing is 39 cents per transaction, with discounts available for high-volume users.
• HNC Software's eFalcon, a fraud detection and risk management system that uses neural network technology to ferret out fraudulent transactions. Online storefront service provider users must guarantee a monthly minimum of $10,000 in transactions and pay a per-transaction fee of 10 to 15 cents, according to HNC officials. Merchants licensing the product directly pay 15 to 25 cents per transaction. Users include CyberCash Inc. and ShopNow.com Inc.
• FraudShield, a fraud detection system released this quarter by ClearCommerce Corp., of Austin, Texas. FraudShield is offered to users of the company's Merchant Engine and Hosting Engine e-commerce transaction systems, which are aimed at banks, telecommunications companies, portal Web sites and large merchants. Pricing ranges from $75,000 to $125,000, and Clear Commerce does not charge per-transaction fees. About 10 large merchants, including Cooking.com Inc., of Santa Monica, Calif., are now using FraudShield.
• Prism, from Nestor Inc., of Providence, R.I. Prism also deploys neural network technology to detect fraudulent online credit card transactions. Users are large banks and credit card companies. Early next year, the company plans to roll out a new product, Prism E-Fraud, geared toward large online merchants and Internet service providers. Pricing for Prism E-Fraud is expected to range from $250,000 to $500,000, according to officials.