Web merchants stung by credit-card fraud
March 11, 1999
by Cynthia Morgan
(IDG) -- The new subscribers' credit cards were fake, which puzzled webmaster Danny Sullivan. His Searchenginewatch.com, an online 'zine near Britain's Stonehenge, was hardly a ripe target for thieves.
So Sullivan traced the transactions to their source, uncovering a scam that bilked companies such as Amazon.com Inc. and Cyberian Outpost Inc. out of hundreds of thousands of dollars in computers, software, books, music and other merchandise.
Along the way, Sullivan also uncovered one of the Internet's dirtier secrets: Credit- card fraud is alive and well on the Web — but its victims are mostly electronic-commerce merchants, not consumers. Criminals use stolen credit-card numbers to ring up online purchases — usually of high-ticket electronic items or downloadable products such as software and images — and stick online merchants with the tab.
In some cases, fraudulent transactions accounted for 20% or more of Web merchants' sales until managers got wise and installed antifraud software. "There were days when we had more fraud than legitimate sales," one chief technology officer said.
Worse, law enforcement officials, banks and credit-card associations often are too busy, too untrained or too indifferent to help catch the crooks.
Sullivan found that the thieves — who turned out to be five university students — used the site to test credit-card numbers and then used successful numbers to scam U.S. merchants. Finding the thieves was easy compared with finding someone who could stop them. "I finally called the '800' numbers on back of my credit cards, saying, 'Please help, someone is being ripped off,'" he said. A few weeks later, authorities finally responded and arrested the thieves.
Similarly, the temp who covered for NETrageous Inc.'s Stephanie Sebeck during her vacation failed to notice that orders for the company's Internet marketing materials on three different credit cards were going to the same address. When angry cardholders denied the charges, Sebeck called the police. "We found the thief, told them where he lived, what he took, sent the paperwork. [The police] said, 'We have more important things to do than chase down $1,500,'" said Sebeck, vice president of operations at the Olney, Md., firm.
The experience prompted NETrageous owners Audri and Jim Lanford to start Scambusters, a fraud-alert Web site for online retailers. More than 50,000 merchants have subscribed to the free site. Judging from their tales, online credit-card fraud is rising fast, Audri Lanford said.
Banks that issue the credit cards don't cover the cost of the scams. "We don't take any loss via the Internet because we can charge it all back [to the merchant] using Visa and MasterCard rules. The merchant, not us, bears the cost," said Rob Milson, manager of fraud operations at Mellon Bank in Pittsburgh.
Like their counterparts in the mail- and telephone-order businesses, Internet credit-card transactions lack a signature or the identification-carrying magnetic stripe on the back of the card. Merchants who accept them agree to pay full cost — and often penalty fees — if a sale is invalid.
"Banks aren't going to protect merchants. We certainly understand that their first duty is to cardholders. If we don't want people stealing from us, that's our problem," said Jim Shanks, CIO at computer equipment retailer CDW Inc. in Vernon Hills, Ill.
An online merchant who asked not to be named said one bank had dropped him for having unacceptably high fraud rates, forcing him to turn to a far more expensive, "high-risk" bank to continue accepting customer cards. "We got our fraud down now, but if it ever exceeds 1% of our total, we're out. That, of course, means instant bankruptcy," he said.
Fraud nearly vanquished San Francisco-based BuyDirect Inc. when it opened for business in 1996, said William Headapohl, president of the online software store. "Our fraud rate was unacceptably high and banks wanted to drop us. If we hadn't had strong financial backing and worked hard to reduce our fraud rates, we would have been put out of business pretty quickly."
Using antifraud software and elaborate screening systems, the company reduced its fraud rate to under 1%.
Credit-card associations and many merchants said online fraud constitutes under 1% of all transactions. But anecdotal evidence suggests the rate may be far higher — especially for sites that are poorly maintained or sell big-ticket merchandise. Merchants simply don't see the benefit of reporting thefts. "Most [online merchants] no longer even bother to get in touch with the authorities," Headapohl explained. "It would cost too much to track thieves down and prosecute. And if they're international, you don't even know where to begin. Who's got jurisdiction?"
Selling internationally is one of the key reasons for starting an electronic-commerce site, yet foreign sales are the riskiest of all. "Our international fraud rates were so bad in the beginning, we thought we were going to have to exclude overseas sales altogether," Headapohl said. "Companies like ours were routinely seeing fraud rates in excess of 20%."
The greatest concentrations of credit-card thieves come from Romania, Egypt, Russia, Belarus, Israel, Thailand, Pakistan and Mexico, merchants and law enforcement officials said. The problem is so bad, in fact, that many merchants refuse to do business with buyers in these countries.
Usually, the amounts lost in online transactions are too small to warrant attention by law enforcement officials. "Everyone we've talked with had absolutely no success getting police interested, even for amounts as high as $50,000," said Scambusters' Audri Lanford.
Instead, most successful Web merchants avoid fraud by outsourcing credit-card verification to third parties with sophisticated (and expensive) neural-net antifraud software. Or they develop their own antifraud systems. Another approach is to take verification procedures off-line and check cards manually.
A combination of these procedures, analysts said, provides the best of both worlds: expert authorization handling and expert knowledge of the company's customer base.
"You shouldn't have to rely on banks or the law for fraud protection," Shanks said. "You should know your own customers better than anyone else, so you should also be the best at telling when someone's trying to steal from you."
"Fraud can make the difference between profit or no profit," Shanks added. "Look, if it's your pile of money, who do you want guarding it? Somebody else?"
Tech developers giving consumers more reasons to shop online
RELATED IDG.net STORIES:
Web sites that fight credit-card fraud
|Back to the top||
© 2001 Cable News Network. All Rights Reserved.|
Terms under which this service is provided to you.
Read our privacy guidelines.