e-fraud and predictive forensic profiling - reducing losses by combining science with a crystal ball

8/14/2019 E-Fraud And Predictive Forensic Profiling - Reducing Losses By Combining Science With A Crystal Ball

1/52

e-Fraud and Predictive Forensic Profiling -reducing losses by combining science with a crystal ball

HB PrinslooCDE (A division of Comparex Africa (Pty) Ltd)

[email protected]

Abstract:

This article focuses on cyber crime, especially the effects of e-fraud onsmaller e-merchants. It describes simple, cost-effective measures that thesmaller e-merchant can implement in order to prevent fraudulent transactionsand improve turnover and profit.

List of key words:

Cyber crime, on-line fraud, e-fraud, smaller e-merchant, micro e-merchant, e-business, prevention of e-fraud, predictive profiling, forensic profiling,predictive forensic profiling.

1 INTRODUCTIONA

From the submission of this articles abstract to the actual writing of this text,e-fraud has gained prominence in the South African news as a result of thetheft of a relatively large sum of money between May and July 2003 by onecyber criminal from the Internet bank accounts of 10 clients of theAmalgamated Banks of South Africa Group (ABSA Bank), one of the largestbanking groups in South Africa. A suspect was arrested towards the end ofJuly and charged with 10 counts of fraud (Cruywagen, 2003:3).

This was the first major incident of e-fraud to make news headlines over anumber of weeks in South Africa. It has had the widest potential effect as thevast majority of the Internet using population in South Africa use InternetBanking as a convenient and cost-effective way of managing their personalfinancial affairs.

Although it has only gained prominence in the minds of the general publicrecently, e-fraud has been with us in many guises for a number of years.

1.1 D EFINING E -FRAUD , E-CRIME AND CYBER CRIME

At this juncture it is important to attempt to define the concepts of e-fraud andcyber crime.

The terms e-Crime, cyber crime, "computer crime", "InformationTechnology crime," and "high-tech crime" are often used interchangeably. No

universally uniform or accepted definition of cyber crime exists, partly due tothe many guises of cyber crimes (Groebel et al.: 2001:17).

1
mailto:[email protected]:[email protected]


2/52


3/52

people-based, whereas the following are the means most often used tocommit crimes on-line: Message interception and alteration Unauthorised account access Identity theft Manipulation of stocks and bonds Extortion Unauthorised system access (e.g. system damage, degradation, or

denial of service) Industrial espionage Manipulation of e-payment systems Credit Card Theft (cf. Glaessner et al. 2002:24; Graycar & Smith, 2002:4;

& Centeno, 2002:11).

Currently the most vulnerable aspects of technology have been identified by

Etter (2001b:24) as: Electronic commerce On-line banking Pharmacies with electronic prescription services and interfaces to

medical aids Health care services and records Education.

The vulnerability of information and communication technology (ICT) systemscan be ascribed to the following interrelated factors: Density of information and processes

Billions of characters of data can be saved on a relatively small storagedevice. Vast amounts of data can be relatively quickly and easilydestroyed or deleted.

System accessibilityComputer systems were originally designed to allow multiple users touse the same computer. Today ICT systems and users can access andcommunicate with other systems across the globe. The fact that thesystem cannot be physically guarded makes it vulnerable, despite theplethora of ever-evolving security systems designed to protect a globallyaccessible ICT system.

System complexityThe exponential growth in processing power and complexity in operatingsystems makes it impossible for even the designers of such systems tounderstand the number of logic states that are possible during executionin a multi-programming or multi-processing environment. This makes asystem vulnerable to intrusion via an (unintentional) back door in thesystem.

Electronic vulnerabilityComputer systems rely on electronic and generally alsotelecommunications technology that are subject to potential problemswith reliability, fragility, environmental dependency and vulnerability to

interference and the interception of data.

3


4/52

Vulnerability of electronic data-processing mediaThe content and nature of the data on a storage device is not visible tothe technicians handling it. Very sensitive data can be handledcarelessly without the handler being aware of either the risk or the natureof the data. Equipment can be stolen from cars, or disks that containvery sensitive information can be mislaid.

Human factorsIn nearly any ICT environment, certain individuals require access to verysensitive information. A young IT technician could, for instance, haveaccess to an organisations payroll data or R&D archive for the purposeof creating backups. Such a person could succumb to temptation, bebribed by competitors, or become disillusioned and destroy ordisseminate very sensitive information, leaving very little evidence.Insider (full- or part-time employees, contracted workers, consultants,partners or suppliers) security incidents such as access abuse andequipment theft occur far more frequently than external attacks (cf. UN,1994:7, 10; Settle, 2000:4; Centeno, 2002:14; Smith 1999b:5).Alarmingly, very few companies do standard background checks on staffmembers who are employed to work with sensitive data and are grantedunrestricted access to systems (Graycar & Smith, 2002:7). A trustedinsider may be recruited covertly by hostile parties long before any actionassociated with an actual attack (the so-called sleeper problem) ortricked into taking some action that breaches system security e.g. trickedinto disclosing a password or opening an e-mail attachment that installssoftware that permits access by malicious outsiders (CSTB, 2002:5).Personal financial pressure is the most widely reported warning signal

exhibited by employees prior to the discovery of internal fraud (KPMG,1999:16).

The following factors related to cyber crime complicate effective lawenforcement and pose new and unique challenges for investigators: The environment is a more favourable vehicle for fraudsters to

communicate and act due to its anonymity, easy access, and rapidexchange of resources such as hacking programs and credit cardnumbers (cf. Gartner, 2001:15).

The possibility of committing computer-facilitated crime also makes iteasier to automate and commit fraud on a larger scale (Schneier,

2003:1); the level of automation in attack tools continues to increase.Automated attacks commonly involve four phases: Scanning for potential victims; Compromising vulnerable systems; Propagating the attack; and Coordinating the management of attack tools . Since 1999, with theadvent of distributed attack tools, attackers have been able to manageand coordinate large numbers of deployed attack tools distributed acrossmany Internet systems. Today, distributed attack tools are capable oflaunching denial-of-service attacks more efficiently, scanning forpotential victims and compromising vulnerable systems. Coordinationfunctions now take advantage of readily available public communicationsprotocols such as Internet Relay Chat (IRC) and instant messaging (IM)(CERT/CC, 2002:1).

4


5/52

Attack tool developers are using more advanced techniques thanpreviously. Attack tool signatures are more difficult to discover throughanalysis and more difficult to detect through signature-based systemssuch as antiviral software and intrusion detection systems. Threeimportant characteristics are the anti-forensic nature, dynamic behaviourand modularity of the tools. As an example of the difficulties posed bysophisticated attack tools, many common tools use protocols like IRC orHTTP (HyperText Transfer Protocol) to send data or commands from theintruder to compromised hosts. As a result, it has become increasinglydifficult to distinguish attack signatures from normal, legitimate networktraffic (CERT/CC, 2002:2; PCB, 2001a:8).

Firewalls are often relied on to provide primary protection from intruders.However, technologies are being designed to bypass typical firewallconfigurations; for example, IPP (the Internet Printing Protocol) andWebDAV (Web-based Distributed Authoring and Versioning). Someprotocols marketed as being firewall friendly are, in reality, designed tobypass typical firewall configurations. Certain aspects of mobile-code(ActiveX controls, Java and JavaScript) make it difficult for vulnerablesystems to be protected and for malicious software to be discovered(CERT/CC, 2002:2).

Because of the advances in attack technology, a single attacker canemploy a large number of distributed systems to launch devastatingattacks against a single victim relatively easily. As the automation ofdeployment and the sophistication of attack tool management bothincrease, the asymmetric nature of the threat will continue to grow(CERT/CC, 2002:3).

The speed at which crimes can be committed. The fact that a crime is not always immediately apparent. A cybercriminal can hack into a system and plant a program that is onlyscheduled to do something at some time in the future. Similarly, a cybercriminal can invade the computer of an innocent person and launch anattack from the computer making it appear that the owner of thecomputer perpetrated the crime. This makes it very difficult to catch andprosecute proficient cyber criminals (CSTB, 2002:5).

The lack of risk awareness. Merchants are often small and new with limited security skills and

budgets. They are selling new goods (digital content) that are morevulnerable to fraud (Experian, 2000:2).

The lack of cyber security skills and tools. Organisations often overlooksignificant risks i.e. system providers do not produce systems that areimmune to attack, network and system operators do not have thepersonnel and practices in place to defend themselves against attacksand minimise damage (CERT/CC, 2001:1).

Users are more vulnerable. With increasing Internet connectivity fromhome and increasing PC power (available for hackers), average usersknow little about risks and the security tools available to protect theircomputers from external attacks.

Global reach (including issues of jurisdiction, disparate criminal laws andthe potential for large-scale victimisation) makes legal prosecution more

5


6/52

difficult. Because transaction amounts are generally low, the electronicevidence tools and skills available are very limited. Legislation has notyet been fully adapted to the Internet environment and, wheretransactions have taken place across borders, complex jurisdictional andprocedural issues may arise. The technical and legal complexities of

investigating and prosecuting cyber crimes are complicated by therelatively low value of individual fraudulent transactions as well as thecomplex legal process for prosecuting cases of fraud within the legalsystems of more than one country (cf. Experian, 2000:13; Smith 2002:5;CSTB, 2002:3).

Telecommunications can be used to further criminal conspiracies.Because of sophisticated encryption systems and high-speed datatransfers, it is difficult for law enforcement agencies to interceptinformation about criminal activities. This has particular relevance tonew international criminal activities (Giddens & Duneier, 2003:201).

The volatility or transient nature of evidence, including no collateral orforensic evidence such as eyewitnesses, fingerprints or DNA.

The high cost of investigations(cf. Centeno, 2002:3; Etter, 2001b:27; Etter, 2001a:6; Etter, 2002:5, 12;Graycar & Smith, 2002:2; Groebel et al., 2001:25 & McConnellInternational, 2000:2).

According to Centeno (2002:12), the most common types of on-line card fraudreported are: Bogus merchants collecting card data and disappearing, charging either

unauthorised transactions, transaction amounts higher than agreed or

unauthorised recurring transactions Transactions performed with stolen card data (in the physical world orobtained through intrusion in merchant servers) or data generated withsoftware tools

Consumers fraudulently denying transactions and getting a transactionreversed based on card not present legislation. Transaction reversaland refund, also called charge backs, are estimated to be 12 times morefrequent for e-commerce than in the physical world, and two to threetimes more than for MOTO (Mail Order Telephone Order) sales.

With a view to understanding what security measures are needed and, basedon results of the analysis of fraud figures available, on-line payment risks canbe classified into the following four categories:1. Risk of merchant fraudulent behaviour: bogus merchants carrying out

data capture, disappearing and charging unauthorised transactions;charging transaction amounts higher than agreed; charging unauthorisedrecurrent payments.

2. Risk of identity and payment data theft for further fraudulent use on theInternet or in the physical world (purchase, fraudulent card application,account take-over). Identity data can be stolen through e-mail (or evenphone) scam, or through on-line unauthorised access to merchant or ISPservers, to bank servers, to consumers PCs or to transactional data.

6


7/52

3. Risk of impersonation i.e. fraudulent use of (stolen) consumer identityand/or payment data, or software generated account numbers forpurchasing.

4. Risk of a consumer fraudulently denying a transaction (cf. Centeno,2002:3, 19; Graycar & Smith, 2002:4).

According to Etter (2001b:23) cyber crime will increasingly feature in manytrans-national crimes involving drug trafficking, people smuggling and moneylaundering and while many e-crimes will be old style crimes simply involvingthe use of ICT, new forms of crime will also emerge. In addition, the barriersto committing crime, that is electronic crime, have dropped significantly andcriminals are becoming younger.

Etter (2001b:23) observes the it would seem that people who would notdream of stealing or maliciously damaging other peoples property in real life

have no qualms or second thoughts about the opportunities and challengespresented by the Internet.

1.2 T HE MOST P REVALENT CYBER CRIMES

Technology has most certainly changed the risk landscape as far as fraud isconcerned:

Figure 1: Technology-enabled Fraud

(CyberSource, 2002:6)Goodman and Brenner (2002:14) identify the following activities as the mostprevalent cyber crimes:

1.2.1 Hacking and Related Activities

Hacking, or gaining unauthorised access to a computer system, computerprograms or data, opens a range of possibilities for inflicting damage (cf. UN,1994: 13 & Groebel et al., 2001:43). Illegal infiltration of telecommunications

systems means that eavesdropping, ranging from spouse monitoring toespionage has become easier (Giddens & Duneier, 2003:201). The ability to

7


8/52

hack into and steal telecommunications services means that people canconduct illicit business without being detected or simply manipulatetelecommunication and cell phone services in order to receive free ordiscounted telephone calls. Giddens & Duneier (2003:201) and PCB(2001a:3) identify two types of hackers, namely, internal (including Internal

Saboteurs) and external (including Political Hackers or Hacktivists, who hackeither to highlight a lack of security or for personal reasons i.e. grudges.

1.2.2 Commercial Espionage

Losses suffered through misappropriation of computerised intellectualproperty cost copyright owners close to $20 billion last year. Netspionageinvolves confidential information being stolen by hackers to sell to acompetitor or to be used for individuals business exploits. Espionage wasoriginally limited to governments but, with the advent of the Information Age,the rise of corporate espionage has been rapid. One tool used to stealsecrets is TEMPEST (Transient Electromagnetic Pulse EmanationSurveillance Technology), which allows a scanner to read the output from acomputer up to a kilometre away. It is non-invasive and virtually undetectable(PCB, 2001a:4).

1.2.3 Data Manipulation

Computer fraud by input manipulation (also called Data-Diddling) is one ofthe most common computer crimes. Input manipulation is easy to perpetrateand difficult to detect, does not require sophisticated computer knowledge andcould be perpetrated by a data capturer with limited data processing systemaccess (UN, 1994:14). A more sophisticated form of data manipulation is themodification of software programs that are also difficult to detect. The mostcommon example is the Salami technique where thin slices of financialtransactions are stolen i.e. rounding down the cents in financial transactionsand diverting the cents from millions of transactions to a bank account(Goodman and Brenner, 2002:15).

1.2.4 Computer Forgery

Today most official documents are produced via a printout from a computer.Fraudulent altering and counterfeiting of documents have become easier withthe availability of inexpensive, high quality scanners and colour printers (UN,1994:14).

1.2.5 Viruses and other Malicious Programs

Viruses and other types of malicious code-like worms and logic bombs canbe very destructive. A calamitous virus may delete files or permanentlydamage systems. A Trojan horse, masquerading as a utility e.g. anti-virussoftware or animation, may copy user IDs and passwords, erase files orrelease viruses (Groebel et al, 2001:52; PCB, 2001a:8). The effect of virusesand other malicious programs are referred to as computer sabotage.Computer sabotage can be the vehicle for gaining economic advantage overa competitor, for promoting the illegal activities of ideologically motivated

8


9/52

terrorists or for stealing data or programs (also referred to as "bitnapping") forextortion purposes (UN, 1994:15).

1.2.6 Software Pirating

The unauthorised reproduction of computer programs can mean a substantialeconomic loss to the legitimate owners. It has become relatively easy toviolate copyright rules by copying materials, software, films and CDs (Giddens& Duneier, 2003:201). The problem has reached trans-national dimensionswith the trafficking of these unauthorised reproductions over moderntelecommunication networks (UN, 1994:16; PCB, 2001a:8).

1.2.7 Gambling, Pornography and other Offences against Morality

On-line casinos have proliferated widely, despite the fact that gambling isillegal in many jurisdictions. The Internet is also being used to distribute

drugs, pharmaceuticals, tobacco and liquor, again regardless of jurisdictionalprohibitions. It is difficult to control pornography and offensive content incyberspace (Giddens & Duneier, 2003:201).

1.2.8 Child Pornography

Many types of paedophilic activity - viewing images, discussing activities,arranging tourism, enticing a child to a meeting - are carried out over theInternet. The Internet gives the paedophile the advantages of a wider scopeof communications and the likelihood of eluding the law, given the

jurisdictional problems that arise in prosecuting cases that transcend bordersas is the nature of the Internet (cf. Giddens & Duneier, 2003:201; Groebel etal, 2001:65).

1.2.9 Cyber Homicide

Cyber homicide - using computer technology to kill someone - has not yetbeen reported but could be perpetrated in future. An aspiring mass murderercould, for example, hack into a hospitals computer system, learn about themedication prescribed for patients and alter the dosages, causing them to die(cf. Sweet, 2003:1; CSTB, 2002:6).

1.2.10 Stalking, Harassment and Hate Speech

Stalking and harassment are malicious activities directed at a particularperson. Cyber stalking can pose not only virtual but real threats to on-lineusers. The dissemination of hate and racist speech has a more general focusbut can be equally traumatic for those it targets and is becoming morewidespread because of the Internet. Stalking, harassment, hate-filled andracist speech perpetrated over computer networks is not universallyconsidered to be illegal (Giddens & Duneier, 2003:201; Groebel et al,2001:71).

1.2.11 Cyber Terrorism

9


10/52

Pollitt (1997:285) defines cyber terrorism as a pre-meditated, politically motivated attack against information, computer systems, computer programs,and data which results in violence against non-combatant targets by sub national groups or clandestine agents . There is a heightened vulnerability toelectronic vandalism and terrorism in w estern society today due to the fact

that much of modern life depends on computers and computer networks. Formany people, the most visible interaction they have with computers is typingat the keyboard of a computer. Less visible are the computers and networksthat are critical for key functions such as managing and operating nuclearpower plants, dams, electric power grids, air traffic control systems andfinancial infrastructures. Computers are also instrumental in the day-to-dayoperations of companies, organisations and government. Companies largeand small rely on computers to manage payroll, track inventory and sales andperform research and development. The distribution of food and energy fromproducer to retail consumer relies on computers and networks at every stage.In future, everyday items such as traffic lights, elevators, appliances and evenpacemakers will become more and more connected to computer systems andthus vulnerable to attacks by cyber terrorists. Instructions for buildingincendiary devices can be placed on and downloaded from the Internet (cf.Giddens & Duneier, 2003:201; Groebel et al., 2001:48; Arquilla, 1998:1;Devost et al., 1996:7; Etter, 2002:14, Messmer, 2002:1; Blyth, 1999:16,CSTB, 2002:2, CERT/CC, 2002:5).

1.2.12 Money Laundering and Organised Crime

Money laundering is estimated at between 2% and 5% of the world GDP(PMSEIC Working Group, 2000:4). Electronic money laundering can be usedto move the illegal proceeds from a crime via Electronic Funds Transfer (EFT)to conceal the origin of the funds (Giddens & Duneier, 2003:201; Graycar &Smith, 2002:3). Even if money laundering remains largely tied to the off-lineworld, the capabilities of the Internet and other networks mean that there willbe great incentives for money launderers to exploit this avenue (cf. Groebel etal., 2001:60; & Etter, 2002:15).

1.2.13 Internet Fraud, e-Commerce Fraud and i-Payment Fraud

Fraud represents what is probably the largest category of cyber crime. TheInternet has created what appears to be the perfect cyber crime - borderlessfraud. So many different types of fraud are committed over computernetworks that they have become almost impossible to police effectively(Groebel et al., 2001:57). There is an enhanced risk of electronic funds transfer crimes. The widespread use of cash machines, e-commerce andelectronic money on the Internet heightens the possibility that sometransactions will be intercepted (Giddens & Duneier, 2003:201; Graycar &Smith, 2002:3). Using computers, thieves can steal credit card details andsiphon funds from banks. Cyberspace can be just as easily used to committheft-by-threat or extortion. One of the most common types of cyber fraud ison-line auction fraud where the vendor may describe products or services in afalse or misleading manner, or may take orders and money but fail to delivergoods or deliver counterfeit goods (Golubev 2003:2). A growth in

10


11/52

telemarketing fraud has been noted as well as fraudulent charity schemes andinvestment opportunities that are difficult to regulate (Giddens & Duneier,2003:201).

For the purpose of this paper, the term e-fraud will be used to denote cyber

crimes relating to on-line credit card fraud and e-commerce.

11


12/52

2 E-FRAUD GLOBALLY

e-Fraud, notably fraudulent on-line credit card transactions via e-business

sites on the Internet, is a global problem that is much more prevalent thanbricks and mortar fraud, and also much more difficult to detect andprosecute. It leads to significant profit erosion and losses suffered by e-merchants (McConnell International, 2000:1). Some recent statistics include: Identity theft complaints to US authorities rose by 40% each year from

1992 to 1997. The US Treasury Department estimated that identity theftcauses losses of up to US$3 billion each year from credit card fraudalone (PCB, 2001a:5).

Visa recently surveyed 15 Banks from 12 EU countries. It found thatcredit card payments account for nearly half of all complaints, more than

one in five of which came from people billed for on-line transactions whohad not even shopped on the Internet (PCB, 2001a:5). A recent report from the National Consumers Council revealed that 50%

of Internet users are unlikely to supply their credit card details on theInternet because they think its too risky (PCB, 2001a:5).

Over 50 per cent of all fraud committed in the first half of 2000 were"cyber crimes (PCB, 2001a:1).

Fraudulent transactions make up 1.06% of total on-line transactionscompared to only 0.06% of off-line transactions. The Gartner Groupestimates that on-line transaction fraud is 17 times higher than in-store

fraud (Gartner, 2002:1). In 2002 26 million adults used the Internet compared to fewer than 10million in 1999. Over the same period, the number of adults makingInternet card payments increased nine fold, from 1.3 million in 1999 to11.8 million in 2002. Around 3% of all card payments to a total value of9 billion were made over the Internet last year. This is expected to growto 10% by 2012 (Apacs 2003b:10).

Direct sales over the Internet are expected to reach US$5 trillion in theUnited States and Europe by 2005 (McCardle et al., 2001:5).

Gartner (2002:1) estimates that in 2001 alone on-line fraud cost e-

merchants US$700 million, excluding costs such as investigations, legalfees, etc. One in six on-line customers have been the victim of credit card fraud

and one in 12 have had their identity stolen on-line (Golub 2003:11). It has been estimated that the typical identity theft victim learns about the

crime only 14 months after it has occurred, sustains US$18,000 infraudulent charges and spends 175 hours over two years restoringhis/her clean credit and good name (PCB, 2001a:5).

Visa estimates that Internet transactions account for about 2% of its totaltransactions. However, of all the fraudulent transactions that Visa

handles, 50% occur in Internet transactions (Verisign, 2002:9).

12


13/52

In 2002 FBI Internet fraud centre complaints rose by 300% (Golub2003:11).

A recent investigation by MSNBC reveals that while overseas-basedcriminals account for up to one third of all on-line fraud directed at UnitedStates e-businesses, there is no evidence of a single prosecution againstthese foreign perpetrators (Brunker, 2001:1). The US Treasurymaintains an Official US Government System web page called theFinancial Crimes Enforcement Network or FinCEN. Its mission is tosupport law enforcement investigative efforts and foster inter-agency andglobal cooperation against domestic and international financial crimes.FinCEN has issued warnings on transactions involving the followingcountries:

o The Arab Republic ofEgypt

o The Bahamaso The Cayman Islandso The Cook Islandso Dominicao Israelo Lebanono Liechtensteino The Marshall Islands

o Nauruo Nigeriao Niueo Panamao The Philippineso The Russian

Federationo St. Kitts & Neviso St. Vincento The Grenadines

(FinCEN, 2003:1). Forty per cent of companies have been hit by the same fraudster more

than once with 18 % saying that they had been hit three times by thesame fraudster before the fraud was detected (PCB, 2001a:5).

More than 50 per cent of all fraud committed in the first half of 2000 were"cyber crimes". Internet fraud rose 46% towards the end of 2000.Seventy per cent of large companies in the UK were hit by fraud andeach of the companies surveyed lost an average of 4 million every yearas a result of fraudulent activity. Not only is about 60% of fraudcommitted from within but it was found that as much as 58% of this fraudwas uncovered by accident! Recovery rates remain low (with as few as20% of organisations able to recover half or more), and the scope for thecommission of such fraud remains as high as ever with only 18% ofvictims very confident about their future safety. Twice as many believe

that the threat will be even greater in the next five years. Indeed, justunder half the 3500 respondent organisations felt cyber crime was therisk of the future (PCB, 2001b:1).

In the US, a survey done in March 2001 revealed that:o 85% of respondents (primarily large corporations and government

agencies) detected security breacheso 74% reported serious breacheso 71% reported unauthorised access by insiders; 25% detected

system penetration from the outsideo 186 respondents reported losses of US$377m (compared to

US$265m from 249 respondents in 2000)o most serious: Netspionage theft $151m reported by 6% of

respondents (compared to US$66m in 2000)

13


14/52

o financial fraud was US$55m (compared to US$39.7m in 1999)o loss due to sabotage: US$27m (compared to US$10m combined

previous 3 years)o 70% of respondents cited Internet connections as a frequent point

of attack (compared to 59% in 2000)o 91% of respondents (as opposed to 79% in 2000) detected

employee abuse of Internet access privileges (PCB, 2001b:1).

Experian (2000:2) commissioned one of the most extensive research studieson the effect of Internet fraud on UK Retailers. Eight hundred (800) UKretailers were interviewed and it was found that: Nine out of every ten Internet fraudsters in the UK were getting away

with it! Only 9% of fraud cases reported to the police by UK on-lineretailers resulted in prosecution.

70% of companies thought that the Internet was inherently more risky

than other routes to market, with the majority of respondentsexperiencing an increase in fraud on the Internet over the previous year.Fifty-two (52) per cent of on-line traders claimed that Internet fraud was aproblem for their organisation and 55% said it was a growing problem.

Retailers became aware far too late that they had been victims of fraud.Almost half the companies (48%) said it could take more than a monthbefore they were made aware that they had been the victims of cardfraud. Eighteen (18) per cent said that it took up to seven weeks.

11% of respondents had had their sites hacked into. Only 15% of companies had automated systems for detecting fraud. The

vast majority employ expensive and inaccurate manual processes. Only52% use any external data to verify a customers name and address. Fraudsters have realised that methods of prevention are currently so

inadequate that they need spend little time or effort covering their tracks.Less than 10% of fraudsters bother with a redirection service at thegoods delivery address, and only 10% make the effort to set up a falsetelephone account.

58% of companies thought that the fear of fraud was a significant barrierto successful trading on the Internet.

Although Experians own client experience suggested an average level

of charge backs of some 2.5% of sales, the survey indicated thatretailers were experiencing lower than expected levels of fraud chargebacks with 20% of companies experiencing charge backs in excess of1% of sales as a result of fraud. Forty-eight (48) per cent report chargebacks of between 0 and 0.5%, and 8% report levels between 0.5% and1.0%. This may indicate that on-line retailers are reluctant to reveal thetrue extent of their on-line fraud problem.

On the perception of fraud, 52% of UK Internet retailers claimed that Internetfraud was a problem for their organisation. Added to this, 58% of companiesthought that the fear of fraud was a significant barrier to successful trading onthe Internet and a similar number (57%) said that they had experienced anincrease in fraud since using the Internet. Finally, 52% experienced a higher

14


15/52

rate of fraud on the Internet as opposed to other routes to market and the vastmajority (70%) thought that the Internet was inherently more risky (Experian,2000:5).

From figure 2 below it is clear that the growth in e-commerce (turnover) has

surpassed the growth in losses relating to e-fraud in recent years.

Figure 2: Growth of e-Fraud and On-line Security Incidents comparedto Growth in Web Commerce (or e-commerce) between 1998 and 2002

(Golub 2003:11)

2.1 E-FRAUD IN S OUTH AFRICA

It is difficult to get an indication of the extent of e-fraud in South Africa and theeffect that it has on South African e-merchants. One global survey that hadsignificant South African input is the 2001 e.fr@ud survey, the major findingsof which were that: only 9% of respondents admitted that a security breach had occurred in

their organisation within the previous 12 months while most believed that the security of credit card numbers and personal

information were by far their customers most important concerns, fewerthan 35% performed security audits on their e-commerce systems, andonly 12% had websites bearing the seal identifying that their e-commerce systems had passed a security audit

79% stated that the highest probability of a breach occurring to their e-commerce systems would be perpetrated through the Internet or otherexternal access (KPMG, 2001:35).

As indicated in figure 3 below, South African respondents (together withFrench respondents) perceived the greatest likelihood of e-fraud happening intheir organisations:

15


16/52

Figure 3: e-Fraud - Perceived Likelihood of Occurrence(KPMG, 2001:33)

2.1.1 Legislation against Cyber Crime in South Africa

The 2001 e.fr@ud survey found that South Africa had no cyber crime specificlaws in place (KPMG, 2001:35).

2.2 P ROFILES OF CYBER CRIMINALS

The following kinds of cyber or computer criminals can be identified: The outside hacker with or without criminal objectives, with

increasingly sophisticated skills and tools. Even attacks with no directcriminal action can cost a company millions e.g. hacking into a webserver and disabling a website.

The computer technology insider disgruntled employees or ex-employees using their knowledge of an organisations IT landscape todelete data, expose data publicly, or sell data to competitors. A highernumber of insider attacks as opposed to outsider attacks are reported.

The white collar criminal is situation-motivated and sees himself as abusiness or personal problem-solver rather than as a criminal. The whitecollar criminal generally begins his/her career trying to hide errors, solvefinancial problems, get a better job and survive a short-term businessdownturn e.g. a loyal and trusted employee in financial difficulties whosells sensitive information to a competitor.

The career criminal is an organised criminal with significant skills,resources and high financial gain motivation who views computers astools of the trade. He works hard at mastering the technology and usingit to accomplish his goals just like any other professional and sometimesmake use of a young technology expert to do the work for him. The

significant increase in both college students and unsophisticated fraudperpetrators seems to indicate that the Internet has become the first

16


17/52

choice for thieves who, in another age, might have just been pettyshoplifters or locker room pickpockets.

The political activist or terrorist uses computer crime to make astatement, launder money or expose certain information, and can makeuse of a young technology expert to do the work (cf. UN 1994:7; Groebelet al., 2001:23-24; Centeno, 2002:15; Smith, 1999a:3; & Turnbull,2001:10):

2.3 P ROFILES OF E -MERCHANTS WHO ARE AT RISK

According to Verisign (2001:2), (Scutt, 2001:7) and Centeno (2002:15), thefollowing e-merchant profiles are a greater risk for certain types of fraud thanothers: Smaller merchants without robust security defences. Inexperienced

or small merchants with no or limited risk management tools can fall preyto criminals using sophisticated spidering techniques and intelligentagents to identify vulnerable points. Criminals use this information tobreak into networks and other ICT infrastructure in order to steal smallermerchants account access information for hijacking or merchanttakeovers.

High-visibility merchants. It's a double-edged sword. Merchants needto be visible to attract customers, yet fraud attempts are higher onmerchants who advertise heavily or those who are in the news.Criminals know that merchants who are experiencing higher than normaltransaction volumes due to a special promotion or a news story haveless time to defend themselves against fraud.

Larger merchants with high transaction volumes. However, giventhe increasing sophistication of fraud protection systems deployed bylarger e-commerce merchants, smaller merchants with little to noprotection are starting to become targets of fraud.

Merchants who sell high unit value goods , such as electronic itemsand luxury goods that can easily be resold or sold on on-line auctions.

Merchants hosting on-line auctions , which represents the vastmajority of consumer complaints in the US.

Soft goods merchants - Merchants that sell digital contents or softwarethat can be downloaded from the Internet. The purchase of these goodsdoes not require physical address information e.g. a shipping address,making it easier for criminals to disguise a fraudulent transaction.

Merchants who sell internationally. It is difficult to validate theaddress or identity of foreign buyers, and it is more difficult to investigatefraudulent activity from an overseas source.

All merchants face an increased risk of fraud during the holiday seasonand special sales promotions. Criminals know that you have limitedtime for fraud protection measures when sales volumes are high. Salesdouble in the 4th quarter, while Internet fraud rates triple.

2.4 B EHAVIOURAL TRAITS ASSOCIATED WITH FRAUDULENT TRANSACTIONS

According to Experian (2000:7) the typical modus operandi of UK on-linefraudsters using card not present (CNP) fraud is:

17


18/52

Real name at real address but notthe cardholders name

The fraudster gives a real name andaddress, which would be verified by adata source like the voters roll. Thename and address were probably

supplied to the voters roll for thepurpose of fraud but the card numbergiven matched a different name. Thissuggests inadequate procedures forlinking the name, address andcardholders name.

Cardholders name at real address butnot the cardholders address

The fraudster gives a name thatmatches the account name but theaddress provided does not match thebilling address. This again suggeststhat there needs to be a link betweenbilling address and delivery address.

False name at real address This can only work where no referenceis made to a data source like the votersroll when authorising the transaction.

Cardholders genuine name andaddress but parcel delivered to anotheraddress

This illustrates a dilemma faced by on-line retailers who despatch goods to anaddress other than the cardholdersbilling address. In many cases e.g.presents these transactions will begenuine, but the process clearly lends

itself to extensive abuse by fraudsters,and is an easy way to defraud an on-line retailer.

Table 1 Typical Modus Operandi of UK On-line Fraudsters

Centeno (2002:15) Scutt (2001:6) & Visa (2002b:1) identify the followingbehavioural traits associated with fraudulent transactions: A first-time shopper performing more transactions than usual, using large

order amounts, particularly when purchasing low-cost items Ordering several of the same item Attempting to make it hard to be traced by rushing orders (willing to pay

a lot for expedited delivery), making overnight orders and shipping toPost Office boxes

Using an anonymous or free e-mail address or free web-based e-mailaddress

Requesting the use of a bill to address that is different from the ship toaddress or international delivery address

Using one single delivery address and multiple cards Using a single card to multiple delivery addresses Using multiple cards from a single IP address Acting as bogus merchants.

18


19/52

3 E-FRAUD AND ITS EFFECTS ON THE SMALL E -MERCHANT

e-Merchants (the owners of e-business websites) are exposed by codes of

conduct and legislation that have been put in place to stimulate public trust inand uptake of e-business: Proof of Shipping. E-merchants are generally obliged, by their

merchant agreement with the bank, to provide proof of shipping beforefunds are released into their bank accounts i.e. they have to haveshipped the product or inventory to the consumer before the transfer offunds takes place (Mann, 1999:47).

Card not Present Transaction. At the same time, on-line transactionsare considered "card not present" (CNP) transactions since the card wasnot swiped through a point of sale (POS) and the identity of the

cardholder could not be verified in person. Card not presenttransactions imply that should a dispute arise between the cardholderand the merchant i.e. the cardholder alleges that he never made thetransaction, the card company will refund or charge back the cardholderin full (with minimal investigation and for a period of 180 days or 6months after the transaction date) whilst deducting the whole amountfrom the merchant as well as deducting a penalty payment from themerchant (Mann, 1999:14; Experian, 2000:7).

Charge backs. The issue of charge backs is highly sensitive to on-lineretailers, and it is difficult to assess the true extent of the problem. In thecase of a fraudulent transaction, the e-merchant loses everything: thetransaction amount gets withdrawn from his merchant account, a penaltycharge is levied and since the product has been shipped and delivered,the e-merchant suffers the loss of inventory as well as the shipping costsassociated with the fraudulent transaction. In some cases, on-lineretailers will actually meet the cost of fraud personally to avoid highercharge backs and the risk of losing their merchants licence. Asportrayed in Table 1 below, 48% of UK Internet retailers admitted to0.5% charge back as a result of Internet fraud; 8% said their level was upto 1%; and 20% said that their level was in excess of 1% of totaltransactions. However, a significant proportion (23%) refused to give ananswer to this particular question (Experian, 2000:7).

Charge backs as aPercentage of Total

Transactions

UK Internet Retailers

Up to 0.50% 48%1.00% 08%1.50% 03%2.00% 03%3.00% 03%4.00% 02%4.50% 02%5.00% 02%

19


20/52

5-10% 02%10%+ 03%

Refused to say 23%

Table 2: Charge Backs as a Percentage of Total UK On-line

Transactions(Experian, 2000:7)

20


21/52


22/52

2002 Fraud Losses by Category

ApplicationFraud

2%

Other2%

CounterfeitCard35%

Lost / Stolen26%

Mail Non-receipt

9%

CNP / Fraudulent

Posession ofCard Details26%

Figure 5: Detailed Breakdown of Credit Card Fraud in the UK for the

year 2002(Apacs, 2003a:18)

Experian (2000:5) found that 77% of on-line retailers in the UK took ordersover the phone as well as the Internet; 13% took orders over the Internet onlyand 10% took orders only over the phone, directing on-line shoppers to a tollfree number. On a general note, the overwhelming majority (96%) said thatthey conducted business on-line with card not present (CNP) transactions,and 95% said that their goods were of interest to thieves.

Figure 6: The Exponential Growth of Counterfeit and CNP Fraud(attributable to the effects of e-fraud) in the UK during the decade 1991-

2000

(Apacs, 2001:19)

3.1 T HE COSTS OF E -FRAUD

22


23/52

Golub (2003:11) estimated the loss to e-merchants in terms of higherfees, charge backs, bank charges and loss of inventory, etc. as a resultof the above three points to have been on average 7% of an e-merchants turnover in 2002. Verisign (2001:1) details the losses of ane-merchant who processes a fraudulent on-line transaction as:o Higher discount rate on merchant account. Because of the

higher prevalence of e-fraud, discount rates for on-line transactionsare typically 30 to 60 per cent higher than off-line or "brick andmortar" rates.

o The merchant carries the financial loss of a fraudulent on-linetransaction . According to CyberSource (2002:7), 31% of UKmerchants did not know they were liable for losses incurred as aresult of CNP fraud. Many were of the misconception that theCredit Card Company, bank or shopper would pick up the cost.

o Inventory loss and shipping costs for physical goods that are

fraudulently purchased and delivered are also carried by themerchant.o Charge back penalties assessed by the acquiring bank of

US$15-US$30 per fraudulent transaction. In the UK, 20 per cent ofUK business-to-consumer retailers are paying charge back fees inexcess of one per cent of sales (Experian, 2000:8).

o Increased discount rates assessed to the merchant as a result ofprocessing fraudulent payments.

o Labour cost for the merchant to investigate and resolve the chargeback.

o Higher administration costs on orders due to staff spendingmore time to screen orders. This may include calling the customerand confirming the order (CyberSource, 2002:8).

o Fines and cancellation of merchants account. Fines and Five-to six-figure card association fines or the cancellation of amerchant's account when card fraud rates are consistently high (cf.also Weber, 2001:8).

Rejection of non-fraudulent transactions due to fear of fraud. Inaddition, according to Gartner Group estimates, merchants reject anestimated 5% of all transactions out of suspicion of fraud, while only 2%

of transactions are actually fraudulent. The result is a significant amountof lost sales (up to 3% of sales volume) in an attempt to reduce fraud risk(Verisign, 2001:1). Grant (2002:1) reports that 7% of on-line sales arerejected for potential fraud but just 1.13% are actually fraudulent.

Non-completion of transactions due to lack of consumer trust. Onan industry-wide level, it is also alarming that 23% of potential on-lineshoppers do not complete a transaction because of fear and not wantingto enter their personal details on-line (Gobulev, 2003:3).

Scutt (2001:5) summarises the cost of e-fraud as follows:

Cost of losing validorders

o Loss of ordero Loss of customer loyalty

23


24/52

Cost of managingfraudulent orders

o Manually resolving bad transactions(estimated at up to 40/order)

Bank and Card Processorfees

o Higher discount rateso Charge back feeso Fineso Termination of service for excessive charge

backsCost of goods sold o Merchants are 100% liable for mail order

telephone order (MOTO) transactions

Table 3: The Costs of e-Fraud

From the above it is clear that some e-merchants stand to lose up to 10% oftheir turnover (and a much higher percentage of their profit, if any) to fraud-related costs (up to 7%) and the cost of rejecting sales in order to prevent e-fraud (up to 3%). This figure could be reduced by up to one third (4% ofturnover) if a way could be found to improve the basis for rejecting potentiallyfraudulent transactions.

According to Experian (2000:6), UK Internet retailers had a low take up ofautomated fraud detection systems, which suggested that products werescarce or not being used, if available. This suggested that automatedsolutions were too expensive. Fifty-five (55) per cent of these retailersemployed manual fraud detection systems and only 15% used automatedsystems. Just over half (52%) said that they used external data to verifyeither the name or the address of the shopper. Of the number that usedexternal information sources, 61% said they used the Postal Address File,which verified that an address was genuine but did not link address to name.Thirty-nine (39) per cent used the voters roll to verify name and address links;29% used a telephone CD or bureau service to verify phone numbers and just12% checked with a Card Hot List (APACS) to see whether the card numberbelonged to a stolen credit card. Only 25% of UK Internet merchants askedfor a work e-mail address alongside a home e-mail address for addedverification when taking an order. When asked what fraud solutions weremost needed, the majority (63%) identified an urgent requirement for instanton-line personal identity verification systems that check both name andaddress and link cardholder details to a billing address. Many mentioned that

more was required from the banks and card issuers to ensure that thisrequirement was met.

A significant finding of Experians (2002:8) research on fraud amongst UKInternet merchants was the lack of sophistication in the modus operandi ofInternet fraudsters. It appears that verification systems are so inadequate thatfraudsters need make little effort to cover their tracks. In the experience ofmost on-line retailers, around 10% of fraud takes place with a re-directionservice at the end of it and only 10% of fraud occurs with the fraudster havingopened a telephone account in a false name.

Another issue relates to the time delay in identifying that a fraud has beencommitted. In this respect, the majority of fraud becomes apparent after six

24


25/52

weeks. Thirty-three (33) per cent of companies said that it took over twomonths (eight weeks+) before they were notified that they had been victims ofa fraud; and 18% said that it took between four and seven weeks. During thistime, their site was vulnerable to repeat attacks. Interestingly, although themajority said that fraudsters tended to hit once on average, a sizeable number

said that they had been hit twice, and 18% said that they were hit on averagethree times by the same fraudster before the fraud was detected. In fairness,the time delay is often due to the fact that the genuine cardholder has yet toopen his/her monthly statement and report unknown transactions to theissuer. (Experian, 2000:8).

With regard to overseas trading, Experian (2000:9) reports that UK Internetmerchants found it difficult to authenticate overseas customers. The mostcommon response from those merchants who traded overseas was the lackof data available to verify whether a name and address provided by acustomer was genuine (33% of all companies).

The responses to the question about what problems companies faced whentrying to establish whether a customer was genuine, can be summarised asfollows:

Dont accept non-UK customers orconduct business overseas.

45%

No way of finding whether anoverseas customer is genuinethrough absence of effectivedatabases.

33%

Have problems identifying the cardissuer.

22%

Table 4 Verifying Overseas Orders

25


26/52

Experian (2000:9) found a clear reluctance among UK Internet merchants totrade with non-UK customers. Sixty (60) per cent of UK Internet merchantssaid that only 10% of their Internet business was conducted with overseascustomers; 12% said it was between 11% and 20% (see table below):

0-10% 60%11-20% 12%21-30% 08%31-40% 02%41-50% 05%51-60% 02%61-70% 02%71-80% 02%Dont know 03%

None 05%Table 5 Trading with Overseas Customers

Looking at fraud levels, there was a clear indication that overseas businesswas more prone to fraud. Twenty-six (26) per cent of the sample said that upto 10% of non-UK card transactions were fraudulent; 13% thought it wasbetween 11 and 20%; and 22% didnt know the answer (Experian, 2000:9).

Less than half (43%) of those surveyed reported any fraud to the police andmore than half (57%) of those who did encountered a lack of interest from

the police. More worrying is that a prosecution was set in motion in only 9%of the cases reported to the police. In 12% of cases the businesses tried torecover the defrauded money themselves, most of them opting for a debtrecovery agent (Experian, 2000:13).

3.2 E-FRAUD P REVENTION

Due to the impact of e-fraud on consumer trust and the complexity of legalprosecution, more and more emphasis will be placed on fraud prevention asthe first step in reducing fraud. Apart from the criminological and legalaspects of e-fraud prevention (e.g. laws with stricter penalties, police having

specialised units to track down cyber criminals), two main categories of e-fraud prevention can be recognised:a. The technological and process-related or hard measures of e-fraud

preventionb. The human or soft measures of e-fraud prevention (cf. Centeno,

2002:21; Smith, 1999a:7; Smith, 2000:18, Smith; 2002:5).

3.2.1 Hard Measures of e-Fraud Prevention

Different hard or technology-based security measures are proposed by card

companies and banks to address the on-line payment fraud risks consumersand merchants face. These measures aim to provide data confidentiality and

26


27/52

integrity, consumer and merchant authentication for each individualtransaction. Payment schemes are promoting security standards and bestpractice to increase information security at banks, merchants and serviceproviders. The protection of consumers PCs is also increasingly stressed.Often overlooked, the consumers PC vulnerability is considered one of the

major security threats by some security experts (Centeno, 2002:21).

Figure 7: Comparison of Fund Prevention Methods

(CyberSource, 2002:8)

3.2.2 Soft Measures of e-Fraud Prevention

Recognising the importance of the human factor in building security, specialattention is paid to non-technology based or soft measures since humansthemselves may be the weakest link in securing information systems. Thestrongest cryptography will not help if a user compromises the password(Centeno, 2002:22). Three main groups of role players would need to bemade aware of and educated about the risks of e-fraud:

3.2.2.1 Organisations and Service ProvidersPerhaps the greatest risk of fraud to an organisation lies within its own staff.Smith (1999b:4) reports that fraud is most often carried out by employees,particularly at senior management level. The administration of moderntechnologically-based security systems involves a wide range of personnelfrom those who manufacture security devices to those who maintain sensitiveinformation concerning passwords and account records. Each has the abilityto make use of confidential information or facilities to commit fraud or, what ismore likely to occur, collude with people outside the organisation to perpetratean offence.

27


28/52


29/52

Not putting the correct policies and procedures to manage fraud in place Failing to do pre-employment integrity screening on relevant employees and

failing to institute red flag integrity screening of relevant employees duringemployment

Failing to keep all personal information in locked files and establish secureprocedures for data services and failing to encrypt all personal andconfidential information on computers

Failing to secure methods for disposing of personal information Failing to appoint a 3 rd party to carry out privacy audits/investigations that

gauge how vulnerable records are to theft Failing to verify the professional qualifications and integrity of 3 rd party

service providers or potential partners Failing to limit the use of personal identifiers (Centeno, 2002:23; KPMG,

2000:8; Experian, 2002:7; Smith, 1999b:5; CSTB, 2002:6; Urban, 2003:21)

Table 6: Common Security Mistakes

3.2.2.2 Consumer AwarenessConsumers can play a significant role in reducing merchant fraud risk byplaying an active role and adopting a cautious attitude when shopping on-line.Recommendations for fraud prevention are: Verify the merchants identity, company information (name, physical

address and phone number) and use of codes of conduct or trust marks.Check the sellers reputation (in online auctions)

Be suspicious about very advantageous deals from free e-mailaddresses

Check whether secure socket layer (SSL) protocol is used for dataprotection

Check the companys security policies and tools used, in particular theprivacy policy and how personal details may be used

Look for insurance for buyers Pay on delivery or with a credit card as this generally provides refund

rights Ask the bank for a random card number option Keep a trace (e-mail), print the order screen, the terms and conditions

and any communication with the merchant Update your virus protection software regularly and when a new virus

alert is announced in the media Do not download files or click on hyperlinks sent to you by people you

dont know Use a firewall program Use a secure browser Always log off and close Web browsers after on-line transactions

29


30/52

Be careful with programs where merchants or entities want to rememberyour purchase data and allow you to use it again (e.g. cookies) ORserver-based payment wallets

Do not store any financial data on your personal computer

Before you dispose of an old computer, delete all personal information Avoid using easily available information as a password (cf. Centeno,2002:24; Experian, 2002:7; Urban, 2003:18).

Finally, consumers also have a significant role to play in identifying fraudpromptly by analysing their bank and card service providers statements indetail. Faster fraud detection can contribute to fraud prevention by blocking alost, stolen or counterfeited card or other stolen identity data, and byidentifying a fraudulent merchant or a fraud pattern (Centeno, 2002:24).

3.2.2.3 Merchant AwarenessThe contribution merchants can make to fraud prevention by screeningfraudulent transactions is often overlooked. The lack of consumerauthentication by issuer banks combined with merchants liability forfraudulent credit card transactions have motivated the development ofmerchant-based authentication solutions, thereby reducing on-line fraud bybetween 66% and 80%.

These solutions sometimes combine hard and soft measures. Theyinclude address validation (in the US and the UK), on-line authorisation,

customer follow-up (e-mail confirmation, etc.), customer history databaseconsultation, fraud scoring systems, customer data format and contentediting, rejecting orders with incomplete information, proof of delivery to theverified billing address, domain site check, application of additional measuresfor high risk purchases (call customer, ask for issuer bank and phone number,ask for exact name on credit card), stating on the website that anti-fraudmeasures have been put in place, etc. (Centeno, 2002:24)

Merchant awareness and education is thus important and, to support it, someUS organisations have been identified to provide merchant information offraud types, statistics and best practices (cf. Antifraud.com, Scambusters.org).

Merchants can do the following to combat the incidence of e-fraud: Prevent errors

Prevent duplicate purchases Use pick-lists, where feasible, on the order form

Collect complete customer billing/shipping information plus phonenumber and e-mail address for additional fraud screening and to facilitatefollow-up communication with the customer

Establish a process for reviewing suspicious orders Examine your charge backs to uncover any gaps to be closed with new

rules Create negative files to prevent repeat offenders

30


31/52

Create positive files to maintain customer loyalty Inform your customers of the company name that will appear on their

statements so the customers are not surprised.(Scutt, 2001:26, 27).

Risk management is effective if it reliably protects the organisation's businessgoals, assuming that the goals are achievable and sustainable. It is efficient ifit does this at the lowest sustainable long-term cost. A framework or modelneeds to encompass both of these measures i.e. of effectiveness andefficiency if it is to be truly useful. To do this well, an organisation needs to begood at: Defining and articulating its sustainable business goals, and

understanding how these goals are achieved Identifying and assessing risks that could prevent these business goals

from being achieved Controlling these risks to the extent that they do not threaten the

achievement of the business goals Making financial provision for these risks so that financial losses do not

threaten the achievement of the business goals Ensuring, over time, that the business goals continue to be reliably

protected at the lowest overall cost (Caragata, 1997:54).

Potential risks can be dealt with in two different but complementary ways: One approach is to apply risk control techniques to mitigate the negative

impact that these risks might impose on the business goals by reducingthe potential frequency and/or severity of events that might result inunacceptable loss. This approach includes setting up a business earlywarning system.

The second approach i.e. loss funding ensures that these losses areadequately funded when they do occur and that cash flows and balancesheets are sufficiently protected (Caragata, 1997:55).

3.2.3 Risk Management Tools Available to Merchants to Combat e-Fraud

The following risk management tools can be employed to protect merchantsagainst e-Fraud:

3.2.3.1 Hot ListsOne of the first checks a merchant should put in place on his website or at hiscall centre is an internal hot list. Any person who carries out a fraudulent activity that results in a charge

back will have his/her details entered on the hot list. When the fraudsterreturns to the site and presses the buy button to make a purchase,

his/her personal details will be forwarded to the hot list and thetransaction will be blocked. Hot lists are not an effective deterrent to

31


32/52

fraud on their own. They can only stop repeat offenders from attackingmerchants websites and call centres and are incapable of detecting first-time fraudsters. And they are frequently out of date fraudsters detailsonly become available when the merchant receives a charge back, whichcan take up to 90 days to arrive (CyberSource, 2002:8).

The hot list service of a professional credit bureau can generally beaccessed at a cost. These lists are more accurate and may also provideprotection against fraudsters attempting to defraud a merchant for thefirst time.

3.2.3.2 Negative / Positive FilesAll Internet merchants should create and maintain: Negative Files that store all the attributes (e.g. name, address, card, etc.)

of orders that resulted in charge backs or were blocked because ofattempted fraud.

Positive Files on order to recognise trusted customers based on theirname, address, card, etc. and therefore skip fraud checks (Scutt,2001:16).

Negative and Positive files have the benefit of defending the merchantagainst repeat offenders. Orders from good customers can be identifiedand processed swiftly. Negative and Positive files can be used as thebasis for automatic approval/decline

One drawback of Negative Files is that fraudsters rarely come back afterbeing caught out. Good customers card numbers that were used infraud attacks can become imbedded in a negative file (Scutt, 2001:17).

3.2.3.3 Velocity ChecksMost merchants will use a velocity check to back up a hot list. Whereas a hot list is used to target known criminals, velocity checks are

designed to identify fraudsters before they have a chance to act.Retailers will be looking at two patterns of on-line purchasing behaviour velocity of use and velocity of change to detect potential fraudsters.Velocity of use covers instances when criminals use fraudulentlyobtained credit card details to make multiple purchases on one site in theshortest possible time. Systems that check for velocity of use will notehow often a certain e-mail address, credit card number or phone numberhas been used over a certain period to obtain goods. It will then blockfurther suspect purchases. Systems that check for velocity of changesearch for instances where one detail on a credit card for instance theexpiry date has been changed repeatedly to enable the fraudster tomake purchases. Some criminals will have obtained customers creditcard numbers over the Internet using a card generator. These systemscannot provide fraudsters with expiry dates so the criminal circumventsthe problem by manually inputting different dates again and again untilhe gets the right one. Merchants can use software solutions on theirservers to identity this type of behaviour (CyberSource, 2002:8).

32


33/52

3.2.3.4 Address Verification System (AVS)Originally designed for mail order and telephone environments, AVS allowsfor the verification of the billing address details provided by the purchaser withthe actual billing address details held on file by the cardholders issuing bank. This real-time check is carried out as part of the authorisation process

and a response, based on the validity of the address provided, isreturned to the merchant. Although not foolproof as many as 75 percent of orders receiving a no match reading with AVS are valid thischeck will allow merchants to better control fraud exposure through theknowledge that the billing address given by the consumer can be verifiedas genuine for that card (CyberSource, 2002:8).

3.2.3.5 Card Verification Card verification is a system introduced by several card issuers to assist

the acquiring bank, issuing bank and merchant in validating CNP

transactions. The check is based on three or four additional digits,distinct from the account number, that are printed on the front or back ofthe card. They do not appear in either the magnetic stripe or chip.These digits help to validate the card as genuine and to assist indetermining that the purchaser is actually in possession of the physicalcard. As a measure to reduce the risk of fraud, merchants can requestthese card verification digits on their website payment page or verballyas part of a telephone order (CyberSource, 2002:8).

3.2.3.6 Real-time AuthorisationReal-time authorisation:

Validates that the card number is valid and that sufficient funds areavailable

Validates the expiry date for the card (not all processors) Verifies the billing address for the card AVS (in most cases, US

only) Where available, verifies the CVV2/CVC2/CID (special 3 or 4 digit

PIN code), passed by the merchant, against the code on file for thatcard (Scutt, 2001:14).

The benefit of Real-time Authorisation is that there is no need to validatean order once it has been declined. Unfortunately real-time authorisationdoes not protect the merchant from charge backs (Scutt, 2001:15).

33


34/52

3.2.3.7 Rules / ExceptionsRules are typically If then expressions that flag certain types oftransactions for review prior to processing. Examples:

o If the Amount is over 500 and the Shipping Type isexpress to a shipping address that does not match thebilling address, then review the order before shipping.

o If more than 2 DVD Players were ordered, if the ShippingCountry is Romania, and the Shipping Type is express,then review the order before shipping.

The benefit of Rules is that they allow the merchant to apply expertknowledge relevant to the business. Rules are customisable and can bemodified as market conditions and fraud trends change. Rules make it easy

to determine why a transaction is flagged. The main drawback of rules is thatthey require constant updating and monitoring to ensure that they areeffective. Rules are only as good as the people who build them and they are,therefore, not effective at catching subtle patterns that may not be obvious tothe merchant (Scutt, 2001:20).

Use Any Boolean Expression Use Any Field in the Databaseo = equal too != not equal too < less thano greater thano >= greater than/equal to

Use * as a wildcard

Combine statements witho ANDo OR

o Billing Address, City, Province,Postal Code

o Shipping Address, City, Province,Postal Code

o Credit Card Numbero Current Time, Day, Month, Yearo Item Counto Quantity of a single itemo Total Cost of Ordero IP Addresso Item Serial Number

(Scutt, 2001:19).

Table 7: Building Rules / Exceptions

3.2.3.8 Statistical ModelsStatistical models, like a risk scoring facility are essentially learn by exampletools that test the transaction attributes of an incoming Internet order withknown fraudulent activity listed in the statistical model database. The outputof a statistical model is typically a risk score (e.g. 1-100). Statistical modelsleverage historical and forensic data in order to catch new fraud attempts.The risk score is determined by evaluating numerous factors simultaneously.Subtle patterns that would normally be overlooked by the merchant will behighlighted by the statistical model.

Unfortunately, most merchants do not have the required ample, accurate, andcleansed historical data required by a statistical model to provide accurate

34


35/52

results. Since multiple factors contribute to the risk score, it is sometimesdifficult to interpret the score (Scutt, 2001:22).

35


36/52

3.2.3.9 Hybrid Solution (Arsenal Approach)A hybrid solution combines the attributes of the above strategies, for example: Rules to enforce business rules or weed out bluntly fraudulent

transactions Real-time Authorisation to validate credit card number Statistical Model to evaluate the overall risk Rules to determine whether to Accept, Reject or Review the order

(Scutt, 2001:24).

The overall return on investment (ROI) depends on many factors:o Overall fraud rateso Total volume of transactionso

Margin on transactionso Cost to review ordero In-house risk management expertise.

A multi-tool (hybrid) solution typically leads to the highest ROI becausebetter screening reduces the volume of orders to be reviewed (Scutt,2001:24).

E-business was hailed as the great equaliser a few years ago as it enabledsmall merchants to compete on an equal footing with large multi-nationalsselling to a potential international client base. With regard to e-fraud and theprevention of e-fraud the statistics and numbers above have shown that it isbecoming very difficult for smaller e-merchants to survive and remainprofitable if they cannot afford to subscribe to available fraud preventionservices that would allow more accurate screening of transactions.

36


37/52

4 T HE FUNDAMENTALS OF PREDICTIVE FORENSIC PROFILING

4.1 T HE P ARETO P RINCIPLE

It is nearly a century since Vilfredo Pareto (1848 - 1923) defined what becameknown as the Pareto principle (cf. Pareto 1906). Commonly known as the80/20 rule, the Pareto principle describes the distribution of wealth in that, inany population that contributes to a common effect, relatively few of thecontributors account for the bulk of the effect.

JM Juran was the first person to generalise the Pareto principle and apply it toall areas of business as a means of focusing on the real problems or issues.Juran, the father of quality control, coined the phrase 'the vital few and thetrivial many' that is regularly used to describe the Pareto principle. The Paretoprinciple is generally used in conjunction with the Lorenz curve (and the GiniIndex) as a graphical representation of the actual deviation from an equaldistribution situation (cf. Lorenz, 1905.)

More recent research confirms that the Pareto principle is surprisinglyaccurate in almost all industry verticals. The following trends can be found atthe bottom end of the customer base: On average, 20% of a companys customers contribute up to 85% of the

profits whilst 40-50% of customers eliminate 50% of the profits 50-60% of all customers are marginal or unprofitable Unprofitable customers account for 35-45% of activity costs Unprofitable customers consume 25-55% of total resources Very small unprofitable customers consume more resources than all

profitable customers combined (cf. Buttle, 1999: 5; Caufield, 1999:4;Hales, 1995:30; Humbarger, 2002:5; Reichheld & Sasser, 1990:108).

The Pareto principle can be applied to three scenarios as far as the smaller e-merchant is concerned:

1. Reduce the number of good transactions rejected as aprecaution. In an attempt to minimise fraud, e-merchants are refusingsuspicious transactions worth between 5% and 7% of total turnover.

Research indicates that, of those rejected, the fraudulent transactionsamount to between 2% and 3% of total turnover. This leavestransactions to the value of 3% to 4% of total turnover that are actuallygood customers that were rejected as a precaution.

o If 20% of the good customers that were rejected are responsiblefor 80% of the lost turnover, identifying only 0.4% to 0.6% of therejected customers could add 2.5% to 4% of total turnover to thebottom line.

2. Reduce the impact of the most damaging fraudsters. If 80% offraud related losses can be ascribed to 20% of fraudulent customers,fraud rates could be dramatically reduced if we could reduce theamount of transactions from customers that fall into the 20% offraudulent transactions category.

37


38/52

o If we could find a way to reject orders from three quarters of the20% most damaging customers, fraud related losses could bereduced by 60%. If the fraud related losses of the average e-merchant are 7% of total turnover that would lead to an increaseof 4.2% in total turnover.

3. Increase the impact of the best customers. If 20% of goodcustomers are responsible for 80% of total turnover, the earlyidentification of such customers will help us to serve them faster andbetter, which will lead to greater customer satisfaction and salesrevenue from this vital 20% of the customer base.

If we do not take into account the benefit of serving the 20% of customers thataccount for 80% of turnover better, and only focus on reducing the amount ofgood orders that are rejected as well as reducing the impact of the worst 20%of fraudsters, the impact on an average e-merchants business could be thefollowing:

Small e-Merchant with annual turnover of 300,000.00

Scenario 1: Current SituationIncome 300,000.00

Sales 300,000.00

Expenditure 321,000.00Staff 60,000.00Stock 150,000.00Shipping 40,000.00IT, Hosting, etc. 60,000.00Merchant Fees & Bank Charges 11,000.00

Profit ( -Loss ) -21,000.00

Scenario 2: Situation after ImprovementsIncome 322,350.00

Sales 300,000.00Improvements 22,350.00Reduce amount of good transactions that were rejected as a precaution @ 3.25% of turnover

9,750.00

Reduce the impact of the most damaging fraudsters @ 4.2% of turnover

12,600.00

Expenditure 321,000.00

Staff 60,000.00Stock 150,000.00Shipping 40,000.00

38


39/52

IT, Hosting, etc. 60,000.00Merchant Fees & Bank Charges 11,000.00

Profit ( -Loss ) 1,350.00

Table 8: Practical Example based on a Small e-Merchant Scenario

39


40/52

4.2 A D EFINITION OF P REDICTIVE FORENSIC P ROFILING

In order to achieve the improvements as per the two scenarios in Table 8above, and assuming that the small e-merchant cannot afford any

sophisticated fraud prevention services or software, the following actionscould be taken:

Reduce the number of good transactions that were rejected as aprecaution at an average 3.25% of turnover

Establish a profile of good clients Forensic

Establish a profile of all fraud attacks Forensic

Use industry trends and research to refine fraudulenttransaction risk profile Predictive

Reduce the impact of the most damaging fraudsters at 4.2% of turnover

Establish a profile of the top 20 most damaging fraudulenttransactions and compare with the profile of all fraud attacks Forensic

Three of the four activities identified above can be classified as forensicprofiling activities. Forensic profiling can be defined as retrospectivelyanalysing behavioural data in order to come up with a profile that could helpwith the early identification of a similar profile in future. Predictive profilingcan be defined as creating a predicted model or profile, based on externaldata that could help with the early identification of an instance of the predictedmodel or profile in future.

Combining the two forms of profiling in the four activities above should be ableto give the small e-merchant some protection against e-fraud. It is vital tonote, however, that the fraudsters modus operandi changes and that anyprofile created should be kept up to date to remain accurate.

In the next section, some practical steps a small e-merchant could take arediscussed.

40


41/52

5 THE PRACTICAL APPLICATIONS OF PREDICTIVE FORENSIC PROFILING

If it is indeed possible to achieve the improvements as per table 5 above, it

may indeed be viable for the smaller e-merchant to introduce a simple yeteffective fraud reduction strategy.

Combining predictive rules based on international statistics with a merchantsown forensic data could have a marked impact on a smaller merchantsprofitability and turnover. The following strategy may be of help to smaller e-merchants.

5.1 V ERIFICATION P ROVIDED BY CREDIT CARD COMPANY

Credit card companies are developing more and more products designed toprotect against losses relating to NCP transactions.

Note that verification differs in terms of its extent, and the e-merchant shouldbe careful to understand the exact features and extent of the verificationservice offered by the credit card company. Verification can range from themost basic algorithm check (i.e. only checking whether the card number istheoretically possible so that fraudulently generated card numbers would beverified) to sophisticated verification services that will verify that a numberexists and that the details supplied (e.g. expiry date, billing address) arecorrect. In most cases verifications do not protect the merchant in the eventof a charge back.

Where available (and affordable), the smaller e-merchant should subscribe toservices such as real-time verification (where all details are verified with thecredit card company in real-time while the order is being processed).

5.2 R ULES / E XCEPTIONS

A red flag, rules based early warning system can be effortlessly put in placeby most e-merchants. A simple Excel spreadsheet with a drop downquestionnaire or a simple access database could allow employees processingorders to identify and escalate potentially fraudulent orders.

A predictive example of rules, based on current e-fraud statistics, could be:

Is this an overseas order? YesIf Yes, which continent? AfricaIf Yes, which country? AlgeriaIf No, which province?Does the credit card issuer country correspond with thedelivery and billing address? (i.e. Someone living inJohannesburg is unlikely to use a CC issued by an Americanbank.)

Yes

Has the customer ever ordered before? Yes

41


42/52


43/52


44/52

6 R EFERENCES

APACS see The Association for Payment Clearing Services (APACS) (UK).

Arquilla, J. 1998. The Great Cyberwar of 2002. WIRED Magazine, 6(2)February 1998. [On-line]. Available WWW:http://www.wired.com/wired/archive/6.02/cyberwar_pr.html (Accessed 12August 2003).

Belousov, A. 2003. Some Aspects of Investigating Computer Crimes.[On-line]. Available WWW: http://www.crime-research.org/eng/library

/Belousov0603.html (Accessed 12 August 2003).

Blyth, T. 1999. Cyberterrorism and Private Corporations: New ThreatModels and Risk Management Implications. [On-line]. Available WWW:www.terrorism.com/documents/TRC-Analysis/iw-privatrisk.pdf (Accessed 12August 2003).

Brunker, M. 2001. E-business vs. the perfect cybercrime: U.S. authoritiescant touch credit card fraud from overseas. [On-line]. Available WWW:http://msnbc.com/news/376973.asp?cp1=1#BODY (Accessed 12 August2003).

Buttle, F. 1999. The SCOPE of customer relationship management.International Journal of Customer Relationship Management, March/April1999:1-25. [On-line]. Available WWW:www.kitshoffgleaves.co.uk/documents/FButtle_Scope_crm.PDF (Accessed12 August 2003).

Caragata, P. 1997. Business Early Warning Systems: CorporateGovernance for the New Millennium. New York: Butterworths.

Caufield, S. 1999. Does CRM really pay? A general managementperspective. [On-line]. Available WWW:www.nomissolutions.pwp.blueyonder.co.uk/NomisWebsite/DoesCRMReallyP

ay.pdf (Accessed 12 August 2003).Centeno, C. 2002. Building Security and Consumer Trust in InternetPayments The potential of soft measures. Institute for ProspectiveTechnological Studies, Directorate General Joint Research Centre EuropeanCommission. Background Paper No. 7 Electronic Payment SystemsObservatory (ePSO). April 2002. [On-line]. Available WWW:http://epso.jrc.es/Docs/Backgrnd-7.pdf (Accessed 12 August 2003).

CERT/CC see CERT Coordination Center.

CERT

Coordination Center. 2001. CERT

Coordination Center 2001Annual Report. [On-line]. Available WWW:

44
http://www.wired.com/wired/archive/6.02/cyberwar_pr.htmlhttp://www.terrorism.com/documents/TRC-Analysis/iw-privatrisk.pdfhttp://body/http://www.nomissolutions.pwp.blueyonder.co.uk/NomisWebsite/DoesCRMReallyPay.pdfhttp://www.nomissolutions.pwp.blueyonder.co.uk/NomisWebsite/DoesCRMReallyPay.pdfhttp://epso.jrc.es/Docs/Backgrnd-7.pdfhttp://www.cert.org/annual_rpts/cert_rpt_01.htmlhttp://epso.jrc.es/Docs/Backgrnd-7.pdfhttp://epso.jrc.es/Docs/Backgrnd-7.pdfhttp://www.nomissolutions.pwp.blueyonder.co.uk/NomisWebsite/DoesCRMReallyPay.pdfhttp://www.nomissolutions.pwp.blueyonder.co.uk/NomisWebsite/DoesCRMReallyPay.pdfhttp://epso.jrc.es/newsletter/vol10/docs/ePSO-N10.pdfhttp://body/http://www.terrorism.com/documents/TRC-Analysis/iw-privatrisk.pdfhttp://www.iwar.org.uk/law/resources/cybercrime/mcconnell/CyberCrime.pdfhttp://www.wired.com/wired/archive/6.02/cyberwar_pr.html


45/52

http://www.cert.org/annual_rpts/cert_rpt_01.html (Accessed 12 August2003).

CERT Coordination Center. 2002. CERT Coordination Center Overviewof Attack Trends. [On-line]. Available W

e-fraud and predictive forensic profiling - reducing losses by combining science with a crystal ball

Documents