You are on page 1of 14

SPECIAL REPORT

Retail Fraud Detection and Prevention

Lessons on Credit Card Skimming,


e-Commerce Scams, and Theft Investigation
C
yber attacks and data theft are making headlines Rigging ATMs or gas pumps with fake panels that
like never before, with some of the largest and steal data
most well-known brandsTarget, Home Depot, Modifying store POS terminals
Sony, Anthemfalling victim. With the frequency Using off-the-shelf hardware keyloggers on cash
and pervasiveness of these attacks, executives in registers
companies of all sizes and across industries are left These techniques all require physical access to
asking, If these businesses can be compromised, are the cards or the devices used to process them. This
we next? introduces a high risk of getting apprehended. Plus,
But rather than being consumed by fear, skimmers cannot be readily mass deployed for
uncertainty, and doubt, its time to be constructive maximum effectiveness. Therefore, criminals have
and proactive to address these attacks. The new begun changing their focus to using malicious
reality is when, not if, a data compromise will occur. software to steal payment card dataprimarily credit
Embracing the fact that these criminal acts are card data.
lucrative and difficult to prosecute has created a new
paradigm in the retail landscape. As long as Credit Card Hacking 2.0
computers and the Internet serve a central role in POS RAM scraping is a software methodology
commerce, these attacks are not going away. for stealing credit card data. After the merchant
swipes the credit card, the data on the card
POS: A Major Target temporarily resides in plain-text format in the POS
In recent years, there has been a tremendous softwares process memory space in random access
amount of data leakage from retailers that have had memory (RAM). The magnetic stripe on the back of
their payment-card systems compromised. This not the credit card contains three data tracks. Credit cards
only includes credit card information stolen from the use the first two. When the credit card is swiped, data
point-of-sale (POS) registers or terminals, but other from these tracks are read into the POS softwares
sensitive customer information as well, such as process memory.
address, date of birth, telephone number, email
addresses, and more. How Do Hackers Infiltrate?
Statistics show that 50 percent of the readers of Retailers and other businesses that process credit
this article have had to replace one or more credit cards, irrespective of their size, are data-theft targets.
cards in the last eighteen months due to a point-of- The most convenient place to steal credit card data is
sale hack. This is of great concern, to say the least. In from the RAM of POS systems where the data
2014, the FBI issued an alert to retailers indicating temporarily resides in plain-text format during
that we had seen just the tip of the iceberg as far as transaction processing. The challenge for
the emergence of malware designed to penetrate and cybercriminals is to find a reliable method to infect
capture our sensitive data. True to this warning, more POS systems. Some of the common infection
and more infections and security breaches regarding methods are described below.
POS systems have been reported since then. Inside Jobs. The inside job is the most difficult
The good news is that the situation isnt infection vector to prevent, since it involves people
hopeless. However, it does require proper planning whom businesses trust or those who can abuse their
and investment in new approaches to skill privileges to commit crimes. These could include
development and technology implementation. It also disgruntled or disillusioned employees out to take
requires innovative ways to deconstruct and analyze revenge or even just unscrupulous individuals out to
how these targeted attacks evolve within your make quick cash by victimizing their employers.
networks. Phishing and Social Engineering. POS RAM
scrapers are never spammed out to millions of
Payment Card Data Theft potential victims. Instead, they are sent to a chosen
Stealing payment card data has become an few targets via phishing emails with effective social-
everyday crime that yields quick monetary gains. The engineering lures. Small businesses often use their
goal is to steal the data stored in the magnetic stripe POS servers to browse the Internet and check email,
of payment cards, (optionally) clone the cards, and making them easy targets for phishing attacks. Its
run charges on the accounts associated with them. not a bad idea for loss prevention professionals to
Criminals have been physically skimming payment look into developing company policy against using
cards, including both debit and credit cards, for years POS servers this way.
now. Common techniques for skimming payment Vulnerability Exploitation. New software
cards include: vulnerabilities are disclosed and patched every month
Making a rub of the card by their respective vendors. Only a handful of these

2|Retail Fraud Special Report


are successfully weaponized. Once weaponized, The key to setting up a strong defense is to
the vulnerabilities will be used in cyberattacks for understand the nature of the threat. In the case of
years. These exploits are able to successfully POS RAM scrapers, this means understanding the
compromise systems when IT has not rigorously malwares attack chain. Through countless hours of
applied these vendor patches. The reality is that many research, security analysts have been able to see
POS servers are still running outmoded, unsupported trends and patterns on how these attacks persist and,
operating systems. ultimately, the success that they have in stealing
PCI-DSS Non-compliance Abuse. The sensitive data.
Payment Card Industry Data Security Standard (PCI- As companies formulate defense strategies, they
DSS) refers to a set of requirements designed to should keep in mind the following:
ensure that companies that process, store, or transmit Size of the organizationLarge organizations have
credit card information maintain a secure complex networks with thousands of connected
environment. PCI-DSS does not offer new secure devices, multiple locations, and so on. Security
technologies to protect electronic payment systems. It solutions must be scalable, centrally managed, and
does provide requirements to build up additional able to defend complex networks.
layers of security controls around controls that CostsSecurity solutions can become expensive,
already exist. Hardening systems and networks especially when the organization requires multi-
(making them more secure) is not a trivial task. tiered defenses. Businesses should factor in the
Companies that lack expertise or resources often costs of in-house and/or externally contracted IT
incorrectly configure their POS environments, services required to manage the deployed security
making them susceptible to malware attacks. solutions.
Targeted Cyber Attacks. Targeted POS RAM Multi-platform supportMany businesses support
scraper attacks are attacks aimed at large businesses several major operating system (OS) platforms in
with millions of credit cards. There are six different their operating environments, so security solutions
stages of these attacks, from ensnaring a victim to must be able to protect all of them and provide
exfiltrating stolen data to the black market. Some of centralized management of the protected devices.
the most malevolent attacks of all, these targeted Bring your own device (BYOD)Organizations
assaults are meticulously planned and well executed, are increasingly moving toward implementing
making them notoriously difficult to detect. BYOD policies as a means of cutting costs and
POS RAM scraper malware retrieves a list of giving employees flexibility. BYOD policies
running processes on the victim machine, loads each introduce new challenges regarding securing
processs memory space in RAM, and searches for employee-owned devices that are accessing the
the credit card data residing there. The malware organizations resources.
scrapes the payment card data from RAM and Consumers and end users will also have to adopt a
exfiltrates it to the cybercriminals. The stolen tracks shared-security attitudeThis includes taking
data can be used to physically clone the credit card or steps to ensure that their BYOD devices are
can be used in fraudulent card-not-present (CNP) protected. As we move to a more frictionless form
transactions, meaning online purchases. of payment capability, we must ensure that the
devices that we enable to carry out these payment
Promoting Security beyond Compliance transactions are pristine. We will also have to
POS security can no longer be a checkmark on embrace multi-factor and biometric capabilities to
an audit to-do list. It has become a business driver help thwart future attacks.
an integral component of business operations.
Proactivity is a must because every business that Time for Forward Thinking
possesses or processes credit card payments is a Implementation of EMV (Europay, Mastercard
target for POS data theft. and Visa) chip-and-PIN technology as well as next-
To effectively protect against POS RAM scraper generation payment platforms and e-wallet
attacks, businesses need to protect all aspects of their capabilities will certainly help reduce POS attacks,
operating environments, not just the POS systems. but wont guarantee the complete elimination of
Attackers can gain initial entry into the corporate payment attacks. Retailers and financial institutions
network using compromised credentials or via need to work diligently to determine the possible
phishing emails. From there, they can locate the POS failure modes of their own systems.
systems and infiltrate them.

3|Retail Fraud Special Report


Retailers should be spending money on creating suspicious campaigns. Finding out about a breach
rich POS payment applications that are securely tied sooner rather than later means maximizing the
to our mobile devices and that can leverage cheap chances for damage control. Knowing is 90 percent
technology to process and transmit transactions. This of the battle in stopping exfiltration in your
may be preferable to spending hundreds of millions organization.
or billions of dollars implementing chip-and-PIN As a loss prevention professional, its not beyond
technology that will be cumbersome for consumers to your scope to ask your IT department hard questions
leverage in two to three years (if not sooner). At the about what they are doing to prevent these thefts. In
rate that this technology is advancing, this form of fact, every employee should feel comfortable asking
payment will be outmoded quickly. We should these questions. In todays climate, we truly are all
demand more from our companies and challenge risk managers.
them think much bigger.
In January 2014, the FBI warned that we hadnt EMV
seen the end of the POS breaches. The agency was EMV, known in the UK as chip-and-PIN, is a
correct. Target, P.F. Changs, UPS, Home Depot...the global standard that strengthens card authentication
list continued to grow and hasnt stopped yet. Dozens using a computer chip physically built in to the card.
of other organizations that process payments have Instead of reading card data off the cards magnetic
fallen victim to targeted attacks. Its time to be strip, every time a customer inserts their chip card
forward thinking about where this market is going into an EMV-equipped POS card reader, the chip
and spend money on the right payment platform that generates a new, unique transaction code. Since the
will scale for the masses for the foreseeable future. magnetic strip data remains the same with every use,
It is crucial for retailers to implement breach- copying that data by card skimming or stealing it in a
detection capability to deconstruct and analyze hack allows the account to be imprinted on

4|Retail Fraud Special Report


counterfeit cards or reused illegally online. But chip- their tracks. They are adept at evolving their schemes
generated codes are one-time use onlystealing one to elude merchant controls and are constantly looking
becomes useless. for ways to remain under the radar. For instance,
For the UK, chip-card deployment was largely many merchants review orders that request express
successful in reducing domestic face-to-face card shipping because many such orders have been linked
fraud, but there was a dramatic rise in foreign fraud to fraud. Knowing this, a fraudster might request
using UK-issued cards, as well as card-not-present standard shipping on a purchase then call customer
card fraud. When the UK went to chip-and-PIN, service a day later complaining that the order was
there was a spike in online fraud, said Scott Sanford, processed incorrectly. Without proper prevention
director of investigations for Barnes & Noble. The techniques, the fraudster gets overnight delivery of
brick-and-mortar card fraud migrated to the online the package without tripping merchant fraud alerts.
world.
On October 1, 2015, the U.S. payment card
market will make a similar move. On that date, the
liability for card-present counterfeit card losses will
shift from issuer to merchant unless the merchant
implements EMV. In effect, what this liability shift
means is that by the end of this year most consumers
cards will have a chip in them and most brick-and-
mortar merchants will be processing cards by reading
these chips instead of the conventional magnetic
strips, making in-store card counterfeit fraud much
more difficult.
While in-store card fraud may fall significantly,
many expect online card fraud to jump in response,
as it did in the UK. If brick-and-mortar credit card
fraud is my game, and I have EMV potentially
blocking my lifestyle, Im going to go try to do it
online, said Sanford. I think online fraud is going
to jump dramatically in the US. Even were it not for
the EMV adoption, some experts expect online fraud Although major strides have been made over
would continue to increase over the next one to two the past decade, e-commerce fraud is still a
years. So although major strides have been made over significant challenge to the LP industry
the past decade, e-commerce fraud is still a today and will remain so into the near future.
significant challenge to the LP industry today and
will remain so into the near future. Examining Charge-Backs
The first step to prevent fraud is looking at a
Introduction to Online Fraud companys charge-backs, a frequently cited metric
In the world of fraud prevention, there is a for online payment fraud. Charge-backs are a sale
thriving, underground economy of web-savvy reversal that occurs when a customer claims their
criminals who are knowledgeable about card-not- credit card was charged for a purchase they didnt
present (CNP) fraud and how to exploit merchant make. The typical practice for many retailers is to
vulnerabilities for personal gain. The unfortunate supply information requested by the card issuer and
reality is that criminals are stealing consumers credit to write off the loss as bad debt.
card information, either in the physical world or via But its important to adopt measures for reducing
online phishing attacks, and selling it on the Internet. charge-backs because they are costly and eat away at
Sophisticated fraudsters, who are increasingly a retailers bottom line. The retailer loses the full
well organized and working frequently from outside value of the merchandise and also incurs a charge-
the U.S., obtain the card number and security code back penalty from the card issuer. A company with a
data to buy popular merchandise over the web and high charge-back rate risks heavy fines or being
then resell it for profit. Perhaps less sinister, but just dropped by card issuers.
as problematic, are family members using credit There are two things that retailers can do to
cards to make unauthorized purchases. minimize these losses. The first is to dispute charge-
CNP fraud involves nameless, faceless crimes backs in an effort to reverse them. This isnt easy, as
that are difficult to trace and prosecute. Fraudsters the burden is on the merchant to prove that the
steal consumer identities and operate in rings to cover merchandise was received by the cardholder, but you

5|Retail Fraud Special Report


are likely to succeed in reversing a certain percentage never received the merchandise. These are difficult
of them, which will save your company money. The cases for a merchant to challenge.
second, and more effective thing you can do, is to Of the many types of fraud in existence, the
prevent charge-backs before they happen, which triangulation scheme was ranked the ninth most
means identifying incoming fraudulent orders and impactful type of fraud in 2012 based on frequency
cancelling them before the orders are fulfilled. of attack and revenue loss; by 2013 triangulation had
Many retailers have automated order-screening jumped to the number one perceived threat,
systems for exactly this purpose. For example, if an according to a survey conducted jointly between the
order exceeds a certain dollar amount, or if the billing Merchant Risk Council and CyberSource.
and shipping addresses dont match, the order may be Like many online frauds, the triangulation
flagged as potentially fraudulent and placed into a scheme starts with obtaining stolen credit card
review queue in the order management system for account information. For that, the best place to visit is
further inspection by a fraud analyst. A negative the Deep Web, the name for those realms of the
file of order data, such as email addresses and Internet you cant get to from a Google search. Some
physical addresses associated with past fraudulent parts of the Deep Web are still a Wild West, free
orders, may also be maintained. New orders from regulation, and may only be reachable using
involving any of these negative data elements are specialized software that masks users in anonymity.
also queued for an analysts review. In addition,
retailers can monitor for order velocity, meaning Triangulation Fraud Schemes
customers placing similar orders in succession over a So our fraudsterwell call him Chuckhas
short periodanother hallmark of fraudster activity. gone to the Deep Web and bought a few thousand
Performing a detailed analysis of charge-backs complete credit card account records, including
on a historical basis can help determine what kind of cardholder name, billing address, credit card number,
fraud was slipping through and how controls could be CVV security code, and possibly corresponding
improved. An in-depth look at charge-back data email addresses, phone numbers, and other personal
could provide valuable information about the nature information.
of fraudulent transactions and could enable retailers The next step in the fraud is listing an item for
to fine-tune fraud controls based on fraudster sale on an online marketplace, such as Amazon,
behavior. Craigslist, eBay, or any of the thousands of other
online auction houses and marketplaces. Nearly any
What Does e-Commerce Fraud Look Like? category of merchandise will dobooks, clothing, or
Compared to the professional shoplifter teams electronicsas long as the product is in relatively
of years past who come to stores and shoplift in high demand. Chuck decides to list a brand-name
groups or do basic grab-and-runs, the types of ORC laptop for sale. In order to quickly find a buyer, he
actors you see today are very sophisticated, said has to list that laptop at a price point below that of the
John Matas, vice president of asset protection at legitimate sellers out thereif he didnt, customers
Macys. These groups have the traditional organized wouldnt have any reason to buy from him over any
crime hierarchy, and the higher the level within the big-name retailer. The laptop retails at $150, so
group, the more insulated an individual is from arrest. Chuck (connected through a proxy) posts a listing on
These groups are well organized and highly eBay for a brand-new laptop for $125 plus free
technical, taking full advantage of all sorts of retail shipping.
processes designed to enhance our customers Alice is shopping for a laptop. Shes a crafty
shopping experience, but in a criminal way. consumer. She wants to save money. So instead of
For example, the realm of gift cards has its own buying at full retail price, she shops around. She
subgenres of gift card fraud. Legitimate websites searches eBay, sorts the results by lowest price, and
intended to store gift cards on your phone have been there is Chucks listing right at the top. Wow, what
used by criminals to launder stolen cards. One group a deal, she thinks. Alice buys the laptop, and money
broke the mathematical algorithm used to generate is transferred from her credit card to Chucks PayPal
gift-card number/PIN combinations, then account. Chuck has never been in possession of the
manufactured actual counterfeit plastic cards to use laptop. But he cant just ship nothing to Alice
them with. because she would leave negative feedback, file a
Friendly fraud is another problematic category complaint, and Chuck would find his eBay and
of fraud. Friendly fraud is when the actual cardholder PayPal accounts banned. So he has to send her the
(or somebody known to the cardholder) makes a item she bought. In fact, he wants to appear not only
legitimate purchase, but then tries to dispute the as legitimate, but also as a high-quality, customer-
charge by claiming they never made a purchase or satisfaction-focused seller.

6|Retail Fraud Special Report


So he goes to his list of stolen credit card accounts eBay accounts. In reality, there is large-scale fraud
and pulls the first one on the list, which belongs to going on, but the online medium obscures the fact.
Bob, the legitimate account holder. Using a proxy
server, Chuck visits Targets online storefront to buy Combating the Triangulation Scheme
the laptop. He uses Bobs credit card number and Of course, retailers have sophisticated ways to
billing address, but enters Alices shipping address. detect fraudulent orders. There are many red flags
And then he submits the fraudulent order. Target that could hint that an order is fraudulent, but these
processes the order and ships Alice the laptop. are almost never definitivethey merely add some
Bob is the first victimhe had a fraudulent probability that the transaction in question is suspect.
purchase made on his card. Target is the second One way that many merchants and third-party
victimit will be hit with a chargeback. And Alice is fraud prevention vendors combat fraud is by putting
the third victimher name and address are on the every online order through a screening algorithm to
fraudulent shipment. Thus the triangulation scheme look for these red flags and determine how likely it is
came to be named for these three victims. that an order is fraudulent. These algorithms will
Chuck will use Bobs account only once or frequently have hundreds of very specific criteria
twice, and then hell drop it and move on to one of they check for. If the order fails one of the checks,
the other thousand he has on hand. Target is looking the order is flagged with a certain number of fraud
at a $150 loss, so it doesnt make sense for its team to alert points commensurate with the likelihood of that
investigate it. Law enforcement, on top of looking at criterion being associated with fraud. If the order
such a small loss, cant figure out who Chuck is since passes a certain point thresholdsay 1,000 pointsit
hes been using a proxy server. Both Target and law is sent to an analyst for manual review.
enforcement might dismiss the whole affair as a There are the obvious checks: is the shipping
minor crime, but Chuck is doing this ten times a day address different from the billing address? If so, add
with ten different retailers, on each of four different

7|Retail Fraud Special Report


200 points. Is this the first time this card has been said Tim Guastaferro, director of e-commerce for
used on the site? If so, add 50 points. Sears, so if you take steps that make it anything but
Then there are less obvious checks: are the first a seamless transaction, you run the risk of driving
and last names capitalized? If not, add 200 points. that customer to other sites where they dont have to
(Apparently many criminals habitually enter names jump through hoops. Its not all about fraud losses.
in all lowercase.) Did the transaction occur late at We have to balance fraud losses with our customer
night? If so, add 50 points. experience, our operational expense, the ability to
Then there are more subtle checks: is the take on more payments, to offer more fulfillment
transaction placed from a browser configured for a types. We want to beat everyone to the scene on
language from a high-fraud country? If so, add 100 implementing these things because they are about
points. Does the order originate from a proxys IP enhancing the customer experience.
address? If so, add 400 points. Is the proxys IP There are tools out there that you can layer on
address out-of-country? If so, add 200 more points. your existing e-commerce platform to drastically
Another fraud test is called device reduce the chance of fraud. We could nearly
fingerprinting. When you visit any website, various eliminate it, said Jerett Sauer, director of loss
bits of information about your computer are shared, prevention at Gap Inc. Thats not the issue. The
such as time zone and type and version of browser issue is that you would highly impact your customer
and operating system. This information can be experience. The balance in how you are trying to
analyzed to fingerprint an individual device. So if a structure your program becomes key. You want to
fraudster is placing multiple fraudulent orders from make it seamless to 99.9 percent of legitimate
behind multiple proxies to avoid detection, device customers, but make it just hard enough for fraudsters
fingerprinting can tie together several suspicious that they decide to go elsewhere.
orders to reveal that they all came from the same Looking forward, a middle ground might be
machine. found in an access control concept called two-factor
Order velocity is a metric that can be used in a authentication. ATM withdrawals use two-factor
similar way. Velocity measures how often the same authentication. They require something that a user
card is used to place orders on a site. Depending on physically possessesthe debit cardas well as
the item and the merchants customers normal something that a user knowsthe PIN. For card-not-
buying habits, multiple purchases in a short time present transactions, the first factorwhat they
frame can also point toward fraud. havewould be entered as it is now, manually typing
If an order passes the 1,000-point alert mark, or card account information. The second factorwhat
fails any of the other tests, it gets marked as they knowcould be integrated by sending a text
suspect and kicked to a human fraud analyst for message to the mobile device number on file at the
review. Analysts have a number of tools at their card-issuing bank. Since most people keep their
disposal to help determine whether they should phones on them most of the time, confirming a
cancel the order or let it go through. They may pay legitimate purchase using a phone could become an
for a public records search to validate order data. accepted non-intrusive step in making an online
They may check social media sites or Google Maps. purchase that could dramatically reduce online fraud.
But theyll often just call or email the contact Retailers, or retailer associations, cannot implement
information given when the order was placed. two-factor authentication unilaterally. It requires buy-
in on the part of card companies and card issuers. But
Balancing the Customer Experience some expect this option to be regarded highly by the
Fraud prevention is a careful balancing act. payment card industry in the near future.
Weighting too heavily on the side of fraud prevention
can negatively impact the customer experience. Investigation
Asking customers to provide extra information at The role of the fraud analyst is inherently
checkout for validation purposes will at best slow defensive. Analysts manually review orders that a
down the transaction, and if done improperly could merchants automated fraud prevention system deems
make customers uncomfortable. And while suspect. Analysts can stop an order in its tracks,
contacting a customer to verify a purchase might be a recall it, or allow it to go through, said Sanford.
positive to some (this merchant cares about my But stopping the order doesnt dissuade the bad
security), it could be a negative to others (this call actor. They simply move on to the next retailer or the
reduces the convenience of shopping online). next card number, modifying their approach to fly
The last thing a retailer wants to do is drive away under the radar the next time. One thing is certain
legitimate customers who were trying to make a unless theyre caught, the online fraudster will
purchase. There are a lot of merchants out there,

8|Retail Fraud Special Report


continue their efforts one transaction at a time, one of jurisdictions involved can multiply to a staggering
credit card number at a time. number.
But it is possible to track down these people, and And the magnitude of loss is often concealed by
thats where the investigator comes in. It starts with using multiple accounts and targeting multiple
the will to find them, said Sanford, And it requires merchants. If Im looking at $100 or $1,000 loss
a collaborative effort on the part of many players, from one particular incident, said Sauer, even if I
including online resale venues, banks, ISPs, law know exactly who the perpetrator is, its not worth
enforcement, and sometimes others. eBay has set the my time or the authorities time to prosecute, even if
gold standard for this collaborative effort, according Ive been hit multiple times. Most cases dont go
to Sanford. Every major player engaged in peer-to- above low double-digit thousands as far as loss. But
peer selling could learn something from eBay. They if a criminal has hit a dozen other merchants in a
clearly want nothing to do with criminals engaging similar way and has committed the same frauds using
others on their site, he said. several other accounts to minimize his risk, one
One way for a retailer to track down fraudulent merchants perspective may be just one piece of a
sellers is to search online marketplaces for products much, much larger puzzle.
listed as new but offered at a price below what the If I get hit one night, said Sears Guastaferro,
retailer is paying for the product. One instance could theres a good chance that another retailer has been
be a fluke, but if a sellers sales history shows a too. So if I communicate with another retailer and
pattern of similar offerings, the investigator has most they say, We know those people; we know that
likely found a fraudster. How they proceed from MO, it does make it easier since we can put together
there depends on which marketplace the item is listed a larger case.
under. The value of collaboration with other retailers
Law enforcement wont look at a case unless its has led to the formation of organizations for that very
a proven fraud event. Investigators can collect a great purpose. We depend heavily on these organizations
deal of evidence, but in order to get the final proof for networking and sharing of common ORC
and identity information, they need information from offenders, said Matas. The most effective are the
the online marketplace. My team and I have regional ORCA organizations. There are over twenty-
successfully conducted hundreds of investigations two of these regional coalitions nationwide. Since the
over the years, said Sanford. Many of these ORC and e-commerce fraud phenomenon has spread
investigations were concluded in partnership with far beyond the local criminal groupsthere are
eBays PROACT team. Though weve also closed national and international linkagesthe next logical
numerous investigations involving nefarious Amazon step is tying these regional ORCA coalitions into one
sellers, weve taken that trip solo, not by choice master national association and creating a unified
either. On the contrary, at least eBay has the decency national ORC database. Together, our ongoing ORC
to respond and show concern for society as a whole. investigations and prosecution dollar value could be
They recognize that we all lose out when the criminal significantly larger when it comes to federal
wins. prosecution.
As our modern digital lifestyles become further
Working Together intertwined with the physical world, it becomes
Taking down cybercriminals is more difficult increasingly important for us to remain aware of the
than just piercing the veil of anonymity to track down benefits this marriage brings and vigilant of its risks.
who the perpetrator is and where they can be found. The complexity of modern digital systems is
Prosecuting has always been a challenge, said staggering and continually increasing, making it more
Sauer. Early in my career, it was almost impossible and more difficult for any one individual to be able to
since you were usually looking at different parts of truly understand how all the pieces fit together. Since
the crime being committed in different jurisdictions. increasing system complexity is associated with an
Where a package was shipped from, where it was increase in the number of possible failure points in
shipped to, the address of the merchant, the address the system, total risk exposure increases unless we
of the stolen credit cards legitimate ownerthese remain proactive. Fraud affects individuals just as it
locations may be in entirely different states, or even does companies and the greater industry, and just as
different countries. And thats not even considering the industry and the company are collaborating and
the location details of the criminal (or criminals). evolving to combat these modern threats, so must we
When considering a fraud scheme that has moved as individuals.
hundreds or thousands of items, each one with
multiple different location components, the number

9|Retail Fraud Special Report


Best Practices The best course of action is to adopt a program
Following is a summary of recommendations that integrates all the elements of your prevention
and best practices that can help you reduce charge- efforts, utilizes a combination of fraud-fighting
backs and cut overall fraud-related losses. tactics and filters, and leverages automation to the
Completely eliminating CNP fraud isnt a cost- fullest possible extent. Your particular fraud controls
effective strategy. A good fraud prevention and thresholds will depend on the nature of your
program should be designed to minimize your business, merchandise, and your customers buying
companys exposure while allowing legitimate habits. But no matter the size of your company or
customers to purchase with ease. your product offering, you are likely to reduce your
Analyze your charge-back data historically and on fraud losses through the deployment of a more
an ongoing basis. Analyzing the data elements comprehensive prevention approach.
associated with fraudulent charge-back orders will
help you determine if your fraud controls or
procedures need tightening.
Challenge your charge-backs. Merchants that do so
recover on average more than one-quarter of their
fraud charge-backs.
Todays order-screening systems have become
more sophisticated. Choose one that can detect
more complex fraud patterns while allowing you to
give more weight to certain rules and scoring to
calculate the overall risk of each transaction.
Create negative files for checking orders based on
rejected transactions and fraudulent orders that
resulted in charge-backs, keeping them updated
automatically. Also create positive files from data
in your customer records so you wont delay orders
from legitimate customers when their buying habits
innocently make them appear risky.
Your fraud solution should be designed to permit
non-technical users and fraud managers to modify
your controls and deploy new ones.
A comprehensive fraud solution should Data Security
automatically sort, rank, and prioritize suspect Never before has the retailer/customer
orders so analysts can stay focused on the riskiest relationship been so vital. With the growth of
orders and orders that need to be shipped quickly. interactive social media and personal loyalty
Automate your review process to the fullest extent schemes, the retail industry is surging forward in
possible. terms of customer experience. Yet with competition
Use multiple tools to identify fraud. A fraudster so intense and consumers becoming ever more
that successfully bypasses the address verification cautious, many retailers are unknowingly, and
service (AVS) or card-verification-number (CVN) unnecessarily, putting this tenuous customer
checks may be caught by device identification, relationship into serious jeopardy.
identity verification, or geo-location technologies. The issuedata security. There have been plenty
Your fraud solution should readily accommodate of news reports recently of major incidents where
plug-in of new tools and third-party technologies, customer credit card data has been stolen from well-
permitting you to respond in real time to new fraud known retailers. These headlines about hacking and
schemes. Fighting payment fraud is increasingly leaks should be ringing alarm bells for big
important as e-commerce sales continue in a growth businesses, but small and medium enterprises (SMEs)
mode. In fact, many experts predict that the current are often even more vulnerable.
economy will result in even more fraud attempts and All merchants need to take data security
charge-backs, putting added pressure on retailers to seriously. Careless handling of credit card details
keep fraud in check. You always have to be vigilant. imperils the financial stability and customer base of
However, there is no single technologyno silver any business. Yes, there are the obvious damaging
bulletthat will detect fraud and keep your online financial consequences such as penalties, fines, and
payments secure. the cost of implementing improved security, but the
ongoing loss of customer trust and the fear that

10 | R e t a i l F r a u d S p e c i a l R e p o r t
personal details have been leaked to criminals have organizations. Larger companies are naturally richer
more significant long-term consequences. The targets; however, most have accompanying budgets
security of shoppers and their credit card details and an IT department dedicated to protecting their
has been repeatedly shown to be a top concern. vital customer information. Therefore, as PCI DSS
Consider that: regulations take hold, fraudsters are shifting their
A global survey found that 50 percent of attention to softer, less well-defended targets like
consumers worry about credit card fraud (ACI small businesses. In fact, nearly 96 percent of PCI
Worldwide: Card Fraud Survey, March 2011) DSS breaches take place with Level 3 and 4
More than a third of consumers in the UK have merchants typically smaller businesses that accept
experienced some form of card fraud (ACI less than one million card transactions annually.
Worldwide: Card Fraud Survey, March 2011) Along with satellite branches of larger organizations,
A survey of consumers in the UK found that 42 these are proven to be the most vulnerable
percent had been discouraged from making a organizations for attacks. According to research from
purchase because they were worried about card Javelin (source), cybercrime in the U.S. targeted at
fraud (Connected World: Card Fraud Survey, SMEs totaled more than $8 billion in 2010.
January 2011) It can be very difficult as a smaller organization
Banks, the credit card companies and retailers to dedicate the time to ensuring proper and thorough
have all responded by taking steps to improve PCI DSS compliance, but that doesnt mean there
security. In the UK, for example, EMV (chip-and- arent options. Network management systems can be
PIN) cards were introduced to help reduce the risk of used to make PCI DSS compliance a simple, cost-
card fraud, but chip and PIN alone does not secure effective and continual process with minimal fuss.
merchants. Even though the payment cards are more Nobody said compliance was easy, but
difficult to clone and copy, the card data is still compliance is not an option; its essential. Retailers
susceptible to breaches while its on a merchants must begin to explore the opportunities, do whats
payment system. In an attempt to secure the whole best for the business, and avoid being next on the
environment in which the transaction takes place, the hackers hit list.
Payment Card Industry Data Security Standards (PCI
DSS) were introduced in 2006 by the major credit Mobile, Mobile Everywhere,
card companies. These standards help ensure that a But What Does It All Mean?
basic level of security is in place at merchant Mobile payments, mobile commerce, and mobile
businesses to reduce the risk of card fraud. POS are three commonly used terms today. Here, the
By now, all merchants should be aware of PCI various mobile methods are defined based on
DSS, and many merchants that process, transmit or descriptions provided by MerchantWarehouse.com.
store credit card data are required to be PCI DSS- Mobile Payment. In its simplest definition,
compliant. mobile payment is the payment for an item or service
In theory, with these new security standards the from or via a mobile device. While many today
retail industry should be a safe haven for consumer associate mobile payments primarily with
data, with criminals forced to turn their attention contactless payments like near-field
elsewhere. Instead, a serious data breach happens communication (NFC) or bar and QR codes, SMS,
every week on average and the number of hacking mobile web payments, and direct mobile billing are
incidents seems only to be increasing. So whats also included in its broader definition.
going wrong? Mobile Payment Acceptance. Unlike the
For many merchants, PCI DSS compliance has broader term of mobile payment, mobile payment
become a bit like setting a house alarm, but using acceptance signifies the ability to accept payments on
1234 as an access code. The intention to protect a mobile device, whether it is a smartphone or tablet.
against theft is there, but the execution is poor. The typical setup includes a free or low-cost
Retailers just arent giving enough attention to attachment that allows for the swiping of traditional
compliance. Its one thing just to fill out a self- credit and debit cards. The device is connected,
assessment compliance form and tick the correct through the smartphone or tablet, to a credit- and
boxes, which on the surface indicates compliance, but debit-card processing application.
its another to keep up to date and be absolutely Mobile Commerce. While some interchange the
certain that a business is protected. terms mobile payment and mobile commerce, the
Small- and medium-sized businesses seldom latter has its own, distinctive definition. Mobile
consider themselves to be targets for card fraud commerce encompasses mobile payment, but also
criminals. But these businesses in particular must be includes a variety of mobile-based activities,
warned: criminals do not only target big including content purchase and delivery, money

11 | R e t a i l F r a u d S p e c i a l R e p o r t
transfer, auctions, browsing, marketing and As mobile payments continue to gain favor with
advertising, and location based-services. consumers, the market is almost guaranteed to get
Mobile POS. Mobile point-of-sale (POS) is more crowded with service provider options. Apple
predicted to be the future standard, even among tier- Pay, along with future Apple Watch applications, is
one retailers. Many leaders are investing in mobile purportedly the fastest-growing app for mobile
POShand-held checkout devices that serve as a payments. Samsungs recent acquisition of LoopPay
payment extension to the companys larger POS is another reach into the mobile market through
system. While these new mobile POS devices have Android phones. And as recently reported by The
some of the same characteristics as mobile payment Wall Street Journal, Google has shown renewed
acceptance devices, they are much more robust in interest in Softcard, formerly called ISIS, the mobile
terms of features and reliability. These new devices payments company that was formed out of a
will include the ability to accept mobile gift, NFC, consortium of AT&T, Verizon, and T-Mobile. There
QR/bar code, and include integrated loyalty and is also ConnectC, PayPal, and the Starbucks
reward. approach with QR codes, to name a few additional
Tablet POS. In todays marketplace, more and options or potential options.
more point-of-sale developers are focused on iPad With the growing number of mobile payment
and tablet development versus traditional systems. applications available to the consumer, associated
These new platforms afford developers with more challenges will also grow for retailers to
options, more capabilities, and a lower-cost accommodate the various forms of payments while
alternative, while retailers receive parallel benefits in remaining transparent to the customer experience.
terms of features and functionality, portability, and There is a real possibility that a consumer might tap
reduced cost. In fact, tablet-based POS systems open their device on a terminal in one store, use a QR code
up a new opportunity for smaller retailers that, due to in another, and complete a transaction via a mobile
high cost, were not able to leverage POS in the past application in another. There will be plenty of room
for their business. for confusion from both the consumer and front-line
employees at retail locations.

One More Consideration


In October 2015, the United States will begin the
transition to EMV or chip-and-PIN or chip-and-
signature technologies. This shift is being driven by
the fact that the U.S. has emerged as the global
capital for credit- and debit-card fraud, with a
predicted $10 billion losses in 2015 alone. Chip-and-
PIN technology reportedly provides more secure
transactions particularly as it relates to card-present,
in-store sales. The jury is still out on what its benefits
will be as it relates to online transactions. When the
technology was introduced in Europe, there were
cases where online fraud rose as much as 150
percent.
The biggest change to retailers with the transition
to chip-and-PIN card technology will be the
assignment of liability from any fraudulent
transactions taking place in stores. For retailers that
do not upgrade their POS infrastructure to
With the growing number of mobile payment accommodate this new payment form, the liability
applications available to the consumer, would shift to the retailer from the card issuer as it
associated challenges will also grow for has been in the past.
retailers to accommodate the various forms Most loss prevention executives have focused on
of payments while remaining transparent to theft as the biggest contributor to lost profits to their
the customer experience. organizations as it can be measured in hard dollars.
With the shift in liability, fraud will go from a
balance sheet line item to a real drain on retailers
operations.

12 | R e t a i l F r a u d S p e c i a l R e p o r t
Many retailers have not yet figured out how to The biggest challenge we faced was the
handle this new way of thinking about fraud and its misperception that the risk of fraud would be greater
impact on their stores once the changes to credit and with mobile payments than with the traditional credit-
debit cards take effect, especially for those who and debit-card swipe, said Bill Inzeo, who is
cannot afford to immediately comply, said Joseph director of insights and intelligence and asset
LaRocca, vice president and senior advisor on loss protection solutions for Walgreens. We went to
prevention for RetaiLPartners and formerly with the great lengths to educate our field organization that, if
National Retail Federation. The way we handle accepted according to policy, the risk factor does not
fraud incidents will change dramatically, not only go up with mobile payments.
from a liability standpoint, but also from the way When asked about the coming changes as it
those incidents will be processed through the legal relates to EMV chip technology, Inzeo feels that the
system. Today card issuers can upload their cases in benefits far outweigh the challenges. Walgreens
bulk, a process that is not yet in play for the retail upgraded its POS systems a couple of years ago with
community. an eye to future requirements. It made sure that all of
its hardware was capable of accepting the new cards.
The Good News They are now working with their programmers to
Because widespread adoption of these new forms develop code that will make accepting the new smart
of payments is still in the early stages, there is the cards seamless to the customer and the associate.
opportunity to plan accordingly. When it comes to adopting new technology like
Walgreens. The nations largest drug retailing mobile payments or chip-and-PIN cards, you need to
chain with over 8,000 locations, Walgreens has been approach it from a business and financial perspective
accepting various types of mobile payments for without the emotional ties to fraud and loss, said
several years. Walgreens acceptance of NFC Inzeo. We bring an objective point of view, evaluate
payments across the chain enabled its first adoption the risk, and provide recommendations that protect
of Google Wallet and the expansion of Apple Pay. our customers and the company, while delivering the
Since rolling out the new payment form, Walgreens shopping experience our customers and patients
has seen little to no impact on fraud levels. deserve and expect.
The retailer credits its proactive approach to eBay. Online retail giant eBay has perhaps the
adopting new technology to a successful most experience with mobile payments through its
implementation. For mobile payments, that included PayPal application. PayPal processed $46 billion in
a comprehensive communication strategy and mobile payment volume in 2014, up 68 percent over
partnering with key stakeholders within the 2013.
organization as well as third-party providers, Surprisingly, we have seen very little in the
including its credit- and debit-card processor. Setting form of fraud attributed to mobile payments, stated
clear expectations and finding alignment and Paul Jones, senior director of global asset protection
agreement at the start also helps the transition process for eBay and PayPal. We attribute much of that to a
to proceed more smoothly. well-thought-out and well-executed plan.
Walgreens asset protection solutions team When asked what retailers should consider when
actively participates in weekly meetings with its IT entering the realm of mobile payments in their stores,
partners so that any changes being considered or Jones emphasized the need for structured agreements.
made to the POS systems take into consideration the Like his counterparts at Walgreens, he stresses the
need for proactive protection against fraud. These need for expectations to be set up front along with
proactive measures are then designed into the back- alignment and agreement on implementation. eBay
end processes and are systematically included. The offers its retail partners protection against fraud by
company also educates its front-end cashiers on how assuming the risk and liability should a fraudulent
to handle mobile payments. The same basic transaction occur with its service. He urges others to
principles apply to mobile payments as to traditional address this point with their mobile payment service
credit- and debit-card transactionsthe card or the provider, whoever they may be.
mobile phone must be present. Along with designing the interface for maximum
One of the challenges Walgreens faced in rolling ease-of-use for the consumer, retailers need to put
out mobile payments was the misperception on the network security at the forefront of the process.
part of the field organization that fraud would be Echoing Walgreens advice, Jones recommended that
more prevalent. The company put together a loss prevention teams need to be involved from the
comprehensive communication strategy to educate beginning of any new project that has the potential to
the field to help them overcome this misperception. disrupt business through loss or fraud. You need to

13 | R e t a i l F r a u d S p e c i a l R e p o r t
be present from the start to be effective in the end, most merchants if they want to continue to achieve a
stated Jones. high level of customer service and satisfaction, said
Heinens Grocery Stores. Regional supermarket Guenther. But along the way, it helped us create a
chain Heinens, based out of Cleveland, Ohio, heightened sense of awareness for PCI compliance
currently accepts mobile payments in the form of and payment best practices for our organization.
Apple Pay and Google Wallet at its twenty-two retail
locations. The company is also in the planning and Prepare for the Future
implementation stages of converting its payment While the type of mobile payments that
terminals to accommodate the new EMV CHIP consumers will ultimately adopt and the number of
technology. options available to them will continue to grow, one
According to John Guenther, director of risk thing is certainmobile payments are here to stay
management and information security for the and will only become more prevalent in the years to
merchant, the security challenges that exists between come. In order to remain competitive, retailers will
near-field communications (NCF) technologies like need to find ways to accommodate mobile payments
those found in mobile payment devices and EMV and provide a seamless shopping environment for
chip-and-PIN technologies are quite different. their customers while accepting a whole host of
NFC devices concentrate on masking the mobile payments from a variety of devices.
consumer credit- and debit-card information from the Retailers will need to follow the emerging
retailer point-of-sale terminals through tokenization, mobile market closely so that they can deliver on
while chip-and-PIN focuses on a more secure consumer demands, concluded LaRocca. At the
payment transaction by requiring a higher level of end of the day, if a customer cannot conduct business
authenticating when using the card, explained in the manner that suits their individual needs, they
Guenther. Both forms of payment still have the will take their dollars elsewhere.
potential to be breachedmobile payments through Preventing mobile payment fraud will take on a
loading fraudulent cards into the device and chip- bigger role in the lives of many loss prevention
and-PIN for online transactions. executives with the upcoming shift in liability. But
Not unlike other retailers who have transitioned the good news in all of this is the fact that with
to the new payment technologies, Guenthers advice proper planning, open dialogue with all key
is to develop a comprehensive plan and to be able to stakeholders, advancements in technology, and a
clearly articulate the goals and objectives behind comprehensive communication strategy, retailers are
making the proposed changes to the companys in a good position to meet the challenges head on.
payment systems. Those who have already ventured into the world
He recommends formalizing the project with a of mobile payments have so far seen little to no
dedicated team, appointing a project manager to disruption to their businesses and feel that the
oversee all aspects of the conversion, engaging key goodwill generated among their customer base is well
stakeholders and third-party vendors, and asking the worth the time and efforts invested. Technology in
right questions from the start, such as: the retail environment is always changing, said
What middleware applications will be affected? Inzeo. By being proactive, you can adjust to
What reporting functions will change and how? anything. If you are involved from the beginning of
Will this be a standalone, integrated, or semi- the process, you can find success.
integrated process?
These are just a few of the questions that will
need to asked, answered, and understood for Contributors to this free report include Chris Trlica,
successful implementation. Bill Farmer, Scott Richard, JD Sherry, Lee A.
In the end, this journey into alterative payment Pernice, and the Association of Certified Fraud
forms is consumer driven and really not an option for Examiners.

14 | R e t a i l F r a u d S p e c i a l R e p o r t