vol. 5 issue 6, 24 may 2012 weekly - semafone


1 | 13 www.thepaypers.com Copyright © The Paypers

Update on developments in online payments Vol. 5 Issue 6, 24 May 2012 Bi-weekly

MRC LAS VEGAS (I): An ever-growing focus on technology and defining the best approach in the never-ending battle against online fraud

Analysis: Gartner: A layered approach - the key to keeping fraudsters at bay

Exclusive interviews with MRC METAwards Winners

Expert Opinion: CashRun - Optimize your Acceptance Rate to Accelerate Revenue Growth

Gartner: A layered approach - the key to keeping fraudsters at bay

Online fraud has become a unique and challenging problem of the internet age, affecting the activity of thousands of companies, from small businesses to large conglomerates, whose business model entails online payments. As technology has advanced, the days of simple username-password online protection have disappeared and fraud threats have become an inevitable part of the online experience, creating inconveniences for individuals and merchants alike.

As a result, it has become very clear that internet and cloud-based properties are in need of new and improved fraud prevention tools. Technology developers and risk management companies have started to develop intelligent authentication and fraud mitigation systems to prevent criminals from defrauding victims. Unfortunately, time has shown many an incontestable truth: a single layer of fraud prevention or authentication is not enough to keep the fraudsters at bay. Case in point: fraud prevention measures such as secure cookies, geolocation, dual controls, SMS passcodes, device identification, phone call transaction validation or challenge questions have all been compromised by criminals.

According to Gartner, a US-based information technology research and advisory company, by 2014, 15 percent of companies will adopt layered fraud prevention techniques for their internal systems to compensate for weaknesses inherent in using only authentication methods. In a report called "The Five Layers of Fraud Prevention and Using Them to Beat Malware", Gartner analyst and vice president Avivah Litan states that a layered approach must be taken into account by all companies in order to protect themselves and their customers against fraudsters. According to Gartner, the fraud prevention approach companies need to adopt entails five layers.

Layer 1 - endpoint-centric

This layer includes secure browsing applications or hardware, as well as transaction-signing devices such as tokens, mobile devices or computers. Out-of-band or dedicated hardware-based transaction verification enables stronger security and a higher level of assurance than in-band processes do. The layer 1 technologies can typically be deployed faster than those in subsequent layers and are able to defeat malware-based attacks a lot longer.

Layer 2 - navigation-centric

It monitors and analyzes session navigation behaviour and compares it with navigation patterns which are expected on that particular website. In addition, it uses rules which can identify abnormal and suspicious navigation patterns. It is useful for spotting individual suspect transactions as well as fraud rings. This layer can also generally be deployed faster than those in Layers 3, 4 and 5, and it can be effective in identifying and defeating malware-based attacks.

Layer 3 - user- and account-centric for a specific channel

The layer monitors and analyzes user or account behaviour and associated transactions and identifies suspect behaviour, using rules or statistical models. It may also use continuously updated profiles of users and accounts, as well as peer groups to compare transactions and identify the suspect ones.
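As an added illustration of the Layer 3 idea (not code from Gartner or The Paypers), the sketch below keeps a continuously updated spend profile per account and falls back to a peer-group profile when an account has too little history. The thresholds, the peer-group label and the sample amounts are assumptions constructed for the example.

```python
import math
from collections import defaultdict

MIN_HISTORY = 5      # assumed: observations needed before a baseline is trusted
Z_THRESHOLD = 3.0    # assumed: deviation (in sigmas) that marks a transaction suspect


class RunningStats:
    """Welford's online mean/variance, so a profile is updated per transaction."""

    def __init__(self):
        self.n, self.mean, self.m2 = 0, 0.0, 0.0

    def update(self, x):
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    def sigma(self):
        std = math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0
        # Floor the spread so a run of identical amounts does not make
        # every later deviation look infinitely anomalous.
        return max(std, 0.1 * abs(self.mean), 0.01)


class ChannelProfiler:
    """Scores each transaction against the account profile, else the peer group."""

    def __init__(self):
        self.accounts = defaultdict(RunningStats)
        self.peers = defaultdict(RunningStats)

    def observe(self, account, peer_group, amount):
        acct, peer = self.accounts[account], self.peers[peer_group]
        if acct.n >= MIN_HISTORY:
            baseline, source = acct, "account"
        elif peer.n >= MIN_HISTORY:
            baseline, source = peer, "peer_group"
        else:
            baseline, source = None, "insufficient_history"

        z = 0.0 if baseline is None else abs(amount - baseline.mean) / baseline.sigma()
        suspect = z > Z_THRESHOLD
        if not suspect:
            # Only clean transactions feed the profiles, so a fraudulent
            # amount cannot drag the baseline towards itself.
            acct.update(amount)
            peer.update(amount)
        return {"account": account, "amount": amount, "suspect": suspect,
                "baseline": source, "z": round(z, 2)}


# Constructed sample: (account, peer group, amount) in arrival order.
SAMPLE_TXNS = [
    ("acct-A1", "retail", 20.0), ("acct-A1", "retail", 25.0),
    ("acct-A1", "retail", 22.0), ("acct-A1", "retail", 30.0),
    ("acct-A1", "retail", 18.0), ("acct-A1", "retail", 24.0),
    ("acct-A1", "retail", 950.0),   # far outside the account's own profile
    ("acct-N1", "retail", 900.0),   # new account, judged against its peer group
    ("acct-N2", "retail", 23.0),    # new account behaving like its peers
]


def run_sample():
    profiler = ChannelProfiler()
    return [profiler.observe(*txn) for txn in SAMPLE_TXNS]


if __name__ == "__main__":
    for result in run_sample():
        print(result)
```

In this sketch a suspect result is a signal for review or step-up checks, not an automatic rejection.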

Layer 4 - user and account-centric across multiple channels and products

It is similar to Layer 3 as it also looks for suspect user or account behavior, but in addition it looks across channels and products and correlates alerts and activities for each user, account or entity.

Layer 5 - entity link analysis

The last layer analyzes the relationships among internal and/or external entities and their attributes (for example, users, accounts, account attributes, machines and machine attributes) to detect organized or collusive criminal activities or misuse.
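The following added example (not taken from the Gartner report or from any vendor named in this issue) shows one simple form of entity link analysis: accounts are joined whenever they share a device, card or shipping address, and the resulting connected groups are reported as candidate rings. The field names, thresholds and records are constructed assumptions; the degree cap handles the common failure mode where one widely shared attribute links unrelated customers.

```python
from collections import defaultdict

LINK_FIELDS = ("device", "card", "ship_to")  # assumed attribute names
MIN_RING_SIZE = 3      # assumed: smallest linked group worth an analyst's time
MAX_ATTR_DEGREE = 4    # assumed: attributes shared more widely than this are noise

# Constructed sample records, one per account.
EVENTS = [
    {"account": "acct-01", "device": "dev-A", "card": "card-1", "ship_to": "12 Elm St"},
    {"account": "acct-02", "device": "dev-A", "card": "card-2", "ship_to": "9 Oak Ave"},
    {"account": "acct-03", "device": "dev-B", "card": "card-2", "ship_to": "9 Oak Ave"},
    {"account": "acct-04", "device": "dev-B", "card": "card-4", "ship_to": "77 Pine Rd"},
    {"account": "acct-05", "device": "dev-E", "card": "card-5", "ship_to": "Freight Hub 1"},
    {"account": "acct-06", "device": "dev-F", "card": "card-6", "ship_to": "Freight Hub 1"},
    {"account": "acct-07", "device": "dev-G", "card": "card-7", "ship_to": "Freight Hub 1"},
    {"account": "acct-08", "device": "dev-H", "card": "card-8", "ship_to": "Freight Hub 1"},
    {"account": "acct-09", "device": "dev-I", "card": "card-9", "ship_to": "Freight Hub 1"},
    {"account": "acct-10", "device": "dev-J", "card": "card-10", "ship_to": "3 Birch Ln"},
]


class DisjointSet:
    """Union-find over account ids, with path compression."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        root = x
        while self.parent[root] != root:
            root = self.parent[root]
        while self.parent[x] != root:
            self.parent[x], x = root, self.parent[x]
        return root

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def find_rings(events, min_size=MIN_RING_SIZE, max_degree=MAX_ATTR_DEGREE):
    """Return groups of accounts connected through shared attributes."""
    attr_accounts = defaultdict(set)
    for event in events:
        for field in LINK_FIELDS:
            value = event.get(field)
            if value:
                attr_accounts[(field, value)].add(event["account"])

    # Keep only attributes that actually link accounts and are not so
    # common (shared proxy, freight forwarder) that they link everyone.
    usable = {attr: accts for attr, accts in attr_accounts.items()
              if 2 <= len(accts) <= max_degree}

    ds = DisjointSet()
    for event in events:
        ds.find(event["account"])
    for accts in usable.values():
        first, *rest = sorted(accts)
        for other in rest:
            ds.union(first, other)

    groups = defaultdict(set)
    for account in list(ds.parent):
        groups[ds.find(account)].add(account)

    rings = []
    for members in groups.values():
        if len(members) >= min_size:
            shared = sorted(attr for attr, accts in usable.items() if accts <= members)
            rings.append({"accounts": sorted(members), "shared": shared})
    return sorted(rings, key=lambda ring: ring["accounts"])


if __name__ == "__main__":
    for ring in find_rings(EVENTS):
        print(ring["accounts"], "linked by", ring["shared"])
```

Note that acct-01 and acct-04 share nothing directly; they are grouped only through the chain of intermediate accounts, which is the relationship a per-account view cannot show.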

According to the company, the implementation of this technology may take three to five years, depending on the size of the business. However, it is important to bear in mind that this will be a permanently ongoing process, as fraud prevention rules and models require continuous maintenance and updating. Being aware of the prevalence of criminal attacks, Gartner recognizes the need for a fraud prevention tool which can be quickly deployed. That is why Gartner’s representatives advise companies to start implementing at least the first two layers. Enterprises which start by deploying lower layers can offer a certain level of protection, but it is important to make sure this implementation is part of the overall strategy which relies on basic fraud prevention principles such as user and account profiling.

EVENT HIGHLIGHTS

MRC—10th ANNUAL E-COMMERCE PAYMENTS & RISK CONFERENCE

The Merchant Risk Council (MRC), a global trade association uniting online and multi-channel retailers, card networks, card issuers, law enforcement agencies and solution providers to make the internet a preferred place to shop and do business, hosted its 10th Annual e-Commerce Payments & Risk Conference from March 27-29 at the Wynn Las Vegas Resort.

This highly anticipated event featured an all-star lineup of the world’s most recognized e-commerce leaders delivering unique and valuable insights on topics such as: creative investigative techniques to frustrate fraudsters; balancing privacy and security legislation; transforming payment system security; building better risk detection from your data; and expanding e-commerce markets into Europe, China and beyond.

During the event, MRC also announced the winners of the METAwards and inaugural Merchant Spotlight Award at their annual conference in Las Vegas.

VOICE OF THE INDUSTRY: METAWARDS WINNERS

The METAward (Merchant Emerging Technology Award) recognizes solution providers delivering the most innovative, cutting edge technology for managing payments and risk in electronic commerce. This year, MRC conference attendees chose the METAward winners from 3 finalists in the Start-up and Established company categories who presented their innovations live on stage. Finalists in the Start-up category included Curaxian, XYverify and Semafone. The Established company category finalists included iovation, ThreatMetrix and 41st Parameter. After delivering impressive presentations on stage, Semafone and 41st Parameter captured the most votes from the conference attendees. Skype was the winner of the Merchant Spotlight Award.

Ori Eisen, Founder, Chairman and Chief Innovation Officer at 41st Parameter has spent the last fifteen years in the information technology industry, and is respected for his business knowledge and leadership. His background includes an in-depth application of innovative solutions for preventing business to consumer e-commerce fraud.

Prior to launching 41st Parameter, Mr. Eisen served as the Worldwide Fraud Director for American Express focusing on Internet, MOTO and counterfeit fraud. During his tenure with American Express, Mr. Eisen championed the project to enhance the American Express authorization request to include Internet specific parameters. Mr. Eisen is a founding member of the Merchant Risk Council and is currently serving on the Americas Advisory Board.

What is your company’s value proposition?

Ori Eisen: People depend on a variety of internet-connected devices for everything from banking to booking travel to shopping. This makes preventing online fraud and creating relevant customer experiences constant and complex business challenges. 41st Parameter is the global leader in device recognition and intelligence and we’ve combined our patented technologies with years of expertise to identify devices without cookies, without compromising privacy and without impacting performance.

Our FraudNet platform protects businesses from fraud before it happens. AdTruth, our digital media division, gives marketers a new and better way to recognize and reach their most valuable audiences across all types of devices. Both of these products are totally privacy compliant and help keep the Internet more secure and relevant for everyone.

This year, your company has won the METAward at the MRC annual conference in Las Vegas. Could you elaborate a bit on the degree of innovation your product delivers?

Ori Eisen: It was such an honor to have SafeSession receive the 2012 METAward. Being recognized by so many industry experts was incredibly satisfying. SafeSession is unique in the innovative approach it provides to preventing the latest and most threatening types of fraud attacks including Session Hijacking, Man-in-the-Browser and Man-in-the-Middle attacks. Because these attacks provide the attacker with authorized access to an account or other protected resources, it is critical that merchants, banks and other enterprises have the ability to detect and defend against these fraud schemes.

SafeSession is the only technology available that allows businesses to detect when a session is being used by more than one device concurrently. 41st Parameter was the first company to anticipate and “set the trap” for MITM attacks, the first to detect such an attack in the wild and the first to prevent the potential fraud loss it carries. The technology we’ve created for SafeSession is unique and has been recognized as such with a number of patents. We’ll continue to innovate as new threats arise.

How does your technology contribute to the commercial and operational success of merchants?

Ori Eisen: As fraud attacks become more complex, it’s crucial that merchants establish sophisticated defenses in order to prevent fraudulent orders from being processed. By detecting hijacked sessions and preventing the fraudulent orders from being placed, merchants are able to improve their top-line revenue while increasing the lifetime value of their customers by keeping them protected.

SafeSession is just one of the many technologies that make up our FraudNet fraud prevention suite. Unlike other fraud detection solutions, our technology allows merchants to permit legitimate transactions to continue even if a device has been compromised. This means customers - who are clearly unaware that their device may be compromised - can safely continue their interactions with a bank or vendor while being protected from any fraudulent transactions.

“41st can dramatically decrease the threat of card-not-present fraud”

- Exclusive interview with Ori Eisen, 41st Parameter -

How can an e-commerce shop detect fraudulent payments for domestic and international orders?

Ori Eisen: In order to prevent fraudulent payments, it’s critical to have as much visibility into as many aspects of a transaction as possible. By looking at the various parameters of the device placing the order and comparing it against the user-entered information (payment details, shipping and billing information, etc.) 41st can dramatically decrease the threat of card-not-present fraud. It is also critical to not rely on any single device parameter as “fool proof” such as cookies, tags, IP address, etc. It’s important to remember that anything someone can easily remove from the device can just as easily be replicated or spoofed by fraudsters. It is also important not to automatically reject an order simply because of the suspicion of fraud. Businesses can’t afford to turn away valid business simply based on suspicion. Auto rejection costs companies a great deal in lost revenue and customer insult rates. It’s just too heavy-handed an approach.

Whatever solution merchants use to help detect and prevent fraud, it needs to meet the following criteria:

Approve legitimate orders quickly

Identify fraudulent transactions quickly

Never auto-reject orders to avoid false positives

Reduce chargebacks

Minimize human review rates

Decrease fulfillment losses by stopping fraudulent orders before shipment

Protect valid customers' shopping experience

In your opinion, who should be most liable for personal internet security: customers, ISP providers or hardware and software vendors? What can federal authorities do to slow down security threats?

Ori Eisen: As decided by US Supreme Court in Lopez vs. Bank of America, banks are liable for their customers’ losses in fraud attacks. Because online fraud is a multi-billion dollar problem, it was only a matter of time before the Internet, as it currently exists, came to carry a level of risk that could become unprofitable for businesses. It is difficult to say who should carry the burden of the losses but at the end of the day, the money is lost and all parties - except for the criminals - experience the pain. Because the Internet is available to any citizen of any nation, there is no true “Internet jurisdiction.” Authorities have little to no power to prosecute for Internet crimes. Additionally, most countries’ laws have not kept up with the times to reflect specific verbiage needed to prosecute many online crimes. These crimes continue to flourish because the criminals face little risk of being caught or prosecuted. Cybercrimes need to be recognized by authorities in all countries whose citizens have access to the Internet. Cybercriminals need to be prosecuted if there is any hope to slow down these security threats. Further, governments need to be more agile in adjusting laws as new crime threats are detected - otherwise criminals’ innovation will always outpace the evolution of the market’s defenses.

Your technology makes a positive impact in the industry because …

Ori Eisen: SafeSession has been making a positive impact in the industry because it provides businesses with an additional line of defense against some of the most elusive fraud schemes.

Businesses are quickly alerted when an attack is being attempted so losses can be prevented. Also, when coupled with our other technologies such as link analysis tools, fraud investigators can use the information to find any other orders or transactions with the same customer information, device information, etc. and stop them all. We’ve been working hard to stay a step ahead of the bad guys and that effort has paid off in the ability for our clients to conduct business online more safely and securely.

Founded in 2009, Semafone offers an innovative solution which takes telephone payments out of the scope of PCI DSS regulations. The company’s mission is to secure voice transactions and reduce credit card fraud in contact centres worldwide in order to support the global scale of the PCI mandate. The company already has a customer base that includes Europe, North America and Africa.

“Semafone has taken a new approach to the problem of PCI compliance in the call centre”

- Exclusive interview with Graham Thompson, Semafone -

Sales and marketing director Graham Thompson has over twenty years’ experience in the technology sector and has been instrumental in founding and growing start-ups in both the UK and the US. Graham’s venture prior to joining Semafone was the establishment of ClusterSeven, where he was responsible for securing a roster of major clients including Citibank, UBS, Dresdner, Rabobank, RBS and Credit Suisse. Graham is a keen rugby fan and follows the sport whenever his hectic international schedule allows.

Semafone provides a solution which takes contact centres out of the scope of PCI DSS regulations for telephone payments. How exactly does it work?

Graham Thompson: Semafone ensures that sensitive card data completely bypasses call centre agents, the desktop and the network, taking the entire contact centre out of scope from PCI DSS. It eliminates the risk of fraud because no data is taken/seen by agents, nor is it held on any systems. With Semafone’s secure voice solution customers enter their payment information using the telephone keypad. Semafone masks the DTMF (Dual Tone Multi-Frequency) digits to a flat tone so that they cannot be decoded by the call centre agent, nor recorded on the call recording system.

When the time comes to take a payment, simply moving to the payment page triggers Semafone’s SecureMode and as the customer taps in their information, the relevant fields are automatically populated (masked by asterisks), meaning the sensitive information does not enter the desktop. The payment details are then sent to the Payment Service Provider, where the payment is processed. Authorisation is sent back to the client’s system to allow the transaction to continue.

This year, your company has won the METAward at the MRC annual conference in Las Vegas. Could you elaborate a bit on the degree of innovation your product delivers?

Graham Thompson: Semafone is fast being recognised as the leader in secure voice transactions. The company has taken a new approach to the problem of PCI compliance in the call centre. Instead of attempting to secure every entry point of access to card data, Semafone has instead removed the entire contact centre from the scope of PCI. This not only protects customers’ card data from fraudulent usage but also drastically cuts the cost and burden of PCI compliance.

Semafone is also scalable to meet individual client’s needs and is flexible across multiple system architectures. It integrates with existing contact centre technology, and can be hosted within a company’s telephony infrastructure on-site or through a telecommunication carrier’s cloud. Seamless integration with Payment Gateways ensures rapid deployment and minimum disruption to the business. The product truly delivers the most thorough and cost-effective solution to PCI compliance for the contact centre.

In your opinion, does call centre fraud open a new frontier in cybercrime?

Graham Thompson: Fraudsters are finding that gaining access to card data is becoming increasingly difficult as the information security controls mandated by PCI DSS start to have an impact within the industry. SQL injections remain the most common form of attack but they are reaping less and less cards. Fraudsters naturally move to the next lowest hanging fruit - the contact centre presents one of these potential targets.

Fraudulent call centres can be used to commit various fraud types, including …

Graham Thompson: Identity theft remains the most common type of fraud within the contact centre. Contact centres are not only privy to card data but they also collect other attributes that can be used for identity theft including date of birth and address. With just a credit card number and date of birth it is possible to change the password on a 3D Secure account (Verify by Visa or MasterCard Secure). Not only are agents exposed to this data but it is also communicated over Voice over IP (VoIP) and can be harvested by the cybercriminal.

Your technology makes a positive impact in the industry because …

Graham Thompson: Semafone helps contact centres face the challenges of meeting the rigorous and often complicated compliance regulations for taking payments over the phone. In doing so, they protect both their customers’ card data and themselves from fraudulent card usage. The Semafone technology secures all voice transactions and helps combat the risk of data breaches. It can also reduce call handling times and abandonment rates and improves customer satisfaction; gaining greater efficiencies and effectiveness within the contact centre.

Many consumers admit to being unwilling to share credit card numbers with contact centres, fearing their personal card data will be compromised. Inputting the payment card number and security code themselves gives customers greater peace of mind than just speaking it to an agent. There is also less room for communication or transcription errors. Customer satisfaction increases as callers understand and appreciate that this measure is a much more secure way of sharing card data. Semafone reduces the cost of PCI compliance, in some cases by more than 90%, as card data is no longer stored or recorded and the contact centre is taken out of scope for PCI DSS.

What are your company’s ambitions for the future, both in terms of product development and expansion?

Graham Thompson: Today Semafone thwarts both agent fraud and cyber fraud within the contact centre, preventing card data falling into criminal hands. The next step for Semafone is to stop cards that have already fallen into criminal hands being used within the contact centre. Chip and PIN for bricks and mortar together with 3D Secure for e-commerce have stopped fraudsters from using cards within these environments. This has driven them to attempt to use stolen cards through contact centres. Semafone will provide solutions to authenticate the card holder when making a phone transaction to eliminate this avenue for criminal purposes.

Founded in 2003, Skype is communications software based in Luxembourg and owned by Microsoft. The service allows users to communicate with peers by voice, video, and instant messaging and includes additional features such as file transfers and videoconferencing. It has over 1200 employees in 12 cities globally and has in excess of 170 million connected users.

Diarmuid Considine is the Fraud and Payment Operations manager at SKYPE, based in Tallinn, Estonia since 2009. He has previously worked in Sydney as the Fraud Manager of Virgin Mobile Australia and in Ireland for ESAT Digifone (now O2). He is a regular speaker at conferences globally and an active participant in the MRC.

Usually, Skype is associated more with voice calls, internet telephony and less with fraud. However, as in all business models that require online payments, fraud is a reality. What are some of the main types of fraud-related issues that you have experienced?

Diarmuid Considine: It’s correct to say that we are not associated with Fraud but that is as a result of a lot of work in this area over many years. It is a reality that any company that provides paying services will be targeted by fraudsters and we are very dedicated to reduce and mitigate this as much as possible. Taking payments online globally means that CNP fraud is prevalent facilitating profit sharing schemes and online auctioning of accounts and credit.

Fraud has lately become a startling issue for VoIP carriers and providers. Why are VoIP providers suddenly being targeted for fraud and how can one recognize a fraudulent VoIP provider?

Diarmuid Considine: I am not so sure that it has been such a recent phenomenon but there is no doubt that it is a major concern. More and more customers are attracted to VoIP for a new communication experience while seeking out alternative better deals financially to their current providers. As that adoption increases, fraudsters are going to see if they can use this to their advantage. There is also a perception that VoIP might not be as mature in its fraud prevention capabilities versus the more established landline and cellular industries. Additionally, there is a greater level of anonymity in VoIP which fraudsters can benefit from unless the correct mitigations are put in place.

This year, your company has won the Merchant Risk Council Spotlight Award at the MRC annual conference in Las Vegas. Could you elaborate a bit on the degree of innovation in your approach to managing risk?

Diarmuid Considine: I think that the Merchant Spotlight award is a wonderful initiative started this year by the MRC as it encourages merchants to share best practice around Risk and/or Payments. It really has meant a lot to SKYPE to have received the inaugural award. The fraud team, supported by the wider department and PSPs, changed its mindset by taking on and delivering against a challenging revenue target whilst maintaining low fraud levels. We realized that we were processing a huge amount of positive data about good customers and could use a fraud problem-solving approach to enhance customer experience. The attention then that we paid to our good customers actually helped us to further fine tune our fraud mitigation practices so it had a dual benefit financially and really raised our profile within SKYPE.

"We are not associated with fraud but that is a result of a lot of work over many years"

- Exclusive interview with Diarmuid Considine, Skype -


Which are the main areas of fraud in VoIP today, and how can service providers protect themselves?

Diarmuid Considine: I touched on this earlier, but the main threats come from CNP with the view to monetizing out through profit sharing schemes. There has definitely been an increase also around Account Take Overs (or account hijacking) in the last year across the industry due to an increase in malware, phishing and weak passwords being shared across a customers’ online merchant accounts. With the recent introduction of more competition into the VoIP market place, it presents more opportunities for fraudsters to seek out the least protected company in terms of fraud prevention. In this respect, I believe that engaging with organisations like the Merchant Risk Council to get business best practice is essential to protect your company and customers.

Your Anti-Fraud Department (AFD), part of Skype's Business Operations Group, has moved from a 'cost of doing business' towards a 'commercial insight team' concept. What does this entail?

Diarmuid Considine: Our main focus in SKYPE is to know and protect our customers and to reduce fraud as much as possible without restricting legitimate revenue. To this end, we have invested heavily in our infrastructure to provide us with the right tools and databases which our highly skilled team of analysts use to achieve this. To make the move towards a revenue contributor through commercial insights, it really takes the support of senior management and a change of mindset around your risk appetite. It has to be understood that achieving significant financial returns does not come without associated risk. Fraud teams should take on the opportunity to utilize their data and knowledge of behaviour patterns not just to improve blocking algorithms, but to reduce payment flow friction. Critical analyses of all of the fraud restrictions on legitimate customers can lead to reprofiling to higher credit limits, relaxing velocity controls, increasing payment types etc. for legitimate customers.

In your opinion, the future of online fraud prevention will largely depend on …

Diarmuid Considine: Collaboration on best practices and their timely adoption. Preventing fraud should not be seen as a competitive advantage because this is what plays into the fraudsters’ hands. Of course, it is essential to adhere to data exchange regulations but any company trying to ‘go it alone’ in fraud prevention is, in my opinion, going to come unstuck. I think also that greater communication between the major stakeholders e.g. merchants, card issuers, acquiring banks etc. would yield significant returns but I do concede that it’s a huge undertaking.

ONLINE FRAUD PREVENTION TODAY: RECENT DEVELOPMENTS

This section represents a schematic summary of recent technologies aiming to mitigate online fraud. In the last column the ranking according to Alexa.com’s ranking of most visited websites is listed.

| Company | Business | New service/tool introduced | Name | Alexa ranking |
|---|---|---|---|---|
| Guardian Analytics | behavioural analytics fraud prevention software developer | fraud detection tool | FraudMAP Mobile | >1,000,000 |
| Transaction Network Services | payment gateway | e-identity routing service | Enhanced Routing | 552,316 |
| Experian | information services company | online financial tool | BusinessIExpress | 6,296 |
| CSC (in partnership with Daon) | technology business solutions provider | biometric authentication service | ConfidentID Mobile | 738,324 |
| Alaric | provider of payment and enterprise fraud detection systems | online fraud prevention system | Fractals Fraud Integration Hub | >1,000,000 |
| NorseCorp | provider of internet security intelligence services | payment gateway with fraud prevention technology | nGate | >1,000,000 |
| Inside Secure | contactless and NFC technology developer | security devices suite | VaultIC | 988,423 |


Over the past several years, Jack Alton has worked with hundreds of ecommerce companies, helping them reduce fraud and increase sales opportunities. His interactions with merchants, vendors, consultants and analysts in the ecommerce industry have given him a wealth of knowledge and experience allowing him to create solutions that improve a company’s overall performance. Jack has been a requested speaker and panelist at conferences such as the Merchant Risk Council.

What is Kount’s role in the prevention of online fraud and/or e-identity theft?

Jack Alton: We have an all-in-one solution which is very customisable to each merchant’s individual needs, whatever sector of the industry they are in. Kount owns the patents on multi-layered device fingerprinting, proxy piercing and a number of other technologies. All these have been put together in one solution. Many other companies and several merchants take tools from diverse companies that put them together themselves and try to turn them into a very robust system. As you can imagine, often times those tools are not meant to work together, they are meant to work only individually. Therefore, there is a lot of customisation and integration that needs to take place, which means that those systems generally require more maintenance, more management and implicitly, more costs.

Kount is very simple to use and we provide enterprise level class security for our merchants. Our tag line is 'boost sales, beat fraud'. Because most of our merchants see that when they adopt a full fraud solution, one which manages fraud properly, it will actually allow them to accept more orders from more people in more places.

What makes your company’s product offering different from other similar ones available on the markets?

Jack Alton: First of all, we have our own technology. Because of the deep integration between those tools, we can respond extremely quickly. Our average response time is 300 milliseconds and we believe it is much more accurate. We reduce fraud management by allowing customization at the merchant level to set whatever risk or comfort level they have. For instance, most of our merchants have manual reviews under 2 or 3 percent, which means they are not spending resources and time looking at fraud. That process is automated for them, meaning that they can get back to the business. Along with that, the business analytical reporting that we offer gives them more information about the transactions that are coming through.

From your perspective, the most significant emergent trends in online fraud are…

Jack Alton: I think the size, the speed and sophistication level of networks now are still on the emergence. The fact that they have infiltrated almost every way of doing commerce online whether it is via Facebook or via mobile devices, whether it is with virtual currencies, makes these networks extremely sophisticated. To be able to acknowledge that, you need to have a very sophisticated and real-time model that gives you exactly what is happening at the time of the transaction.

Online payments methods other than credit cards are likely to become more popular especially in Europe with developers like MyBank. What is the impact of these payment methods on your business model?

Jack Alton: At Kount there is no impact. The payment process, the payment type, the device, where it is, the location of the purchaser or the fraudster are irrelevant to us. We look at those signals, we analyze them and give a predictable review of whether that transaction is going to turn out to be valid or fraudulent.

It is important for a merchant not to have to have several different methods to detect fraud. They should have one strategy and the platform they use should be able to support it. What we often see are people who have several strategies and several tools and they end up managing those themselves. Merchants did not get in the business to become fraud experts, they got in the business because they have a passion for something. Whenever they have to deal with fraud and with the effects of fraud it takes them away from their initial business role. We try to give that back to merchants.

MRC EXCLUSIVE INTERVIEWS (I)

“Boost sales, beat fraud!” - Exclusive interview with Jack Alton, Kount -

What kind of additional security and fraud prevention challenges does mobile commerce present to merchants?

Jack Alton: I think some of the ways that fraudsters are using those devices are still being developed today. The fact that I can buy a phone and I can throw it away when I am done makes it a little bit more difficult to determine who owns that. The fact that I can bill through my phone company before it ever hits my credit card or my account makes it a bit more difficult to solve those types of problems. The fact that somebody steals my phone or uses my phone without me knowing it and the fact that this person gains access to my monetary funds and transactions makes it a little bit more difficult.

People can easily buy items via mobile, including small apps and tickets, because they are on the road and they have that device they can use very quickly. The adoption is clear. It’s happening and it’s going to continue to happen as people work on those devices more.

We did a little bit of research to show which devices indicate more fraud than the others. What is very interesting is that Android has shown more fraud rates than an iPhone and yet the Android transaction was about half that of an iPhone. An iPad is about twice that of an iPhone. So let’s say an iPad is making an average order of USD 100, an iPhone is making an average order of about USD 60 and an Android average order is about USD 30. One of the things that we’ve found is very interesting. To newer technology fraud is somewhere in check but for the older technology fraud is more prevalent because fraudsters know everyone is developing fraud tools for newer technologies.

What would be some top directions of development for online and mobile payment fraud prevention systems for your company?

Jack Alton: We look at fraud as an issue that needs to be handled strategically by a business and not by a bunch of tools that are put together or by different departments doing different things. One fraud strategy, one fraud platform that manages things is the best way to do it. Mobile is a part of that. As that fraud strategy develops for the business, we think it should be completely transparent regarding the device they are using. We really don’t care if it is a Macintosh, an iPad or a smartphone, it doesn’t really matter. We think fraud needs to be looked at all the same. Therefore, it does not make sense to me to have a different fraud strategy for mobile devices and a different strategy for phone orders or for a computer.

Phil Levy is Vice President, eCommerce Solutions for First Data Corporation. In this role, Phil is responsible for product strategy and commercialization of First Data’s suite of Card-not-Present payment solutions. Prior to joining First Data in 2009, Phil was Sr. Vice President, eCommerce at Fidelity National Information Services (FIS). In this role, Phil was responsible for product development, sales and customer support for the Company’s eCommerce payment processing and risk management business. Phil has more than 20 years’ experience in product management, sales, business development and marketing with companies including i2 Technologies, Savvis Communications and Hewlett-Packard. Phil is a graduate of Lafayette College and the University of Rochester, Simon School of Business.

What is First Data’s role in preventing online fraud and/or identity theft?

Phil Levy: We take a consultative approach, so we try to engage merchants and understand what their particular fraud challenges are. Then we let them know that there is both the technology aspect as well as the organizational questions that they have to answer. The best companies that we found have a role assigned in their organisation, someone who owns responsibility for fraud management.

We clearly see ourselves as a solution provider and since fraud is so inherent that in e-commerce every transaction has the risk of turning into a loss, we have a product offering called Fraud FlexDetect. This is a comprehensive fraud management solution with a user interface that allows merchants to build their own rules and their own broad score card as well as the back office order review workflow tools to look more closely at certain orders and establish whether they are good orders, whether they need to be declined or, if possible, be contacted for further information. As a result, Fraud FlexDetect is our offering across all of our e-commerce platforms.

“It would be very powerful if there was a global database that people could contribute to”

- Exclusive interview with Phil Levy, First Data -

Is that via these partnerships or is it a direct sale?

Phil Levy: The Fraud FlexDetect architecture is built on Accertify’s fraud tools. First of all, it requires a single integration, meaning you are integrating with us for your payment services. We are running the transactions with an expanded data set through the fraud scoring models and return what we call an enriched response when you still receive your authorisation response, your AVS response, your CVV response and your fraud scoring, as well as your fraud response. We call this an enriched response that is combined with a fraud team (if you have one) that does reviews in the same user interface. The team members log in and use the order review tools to more closely examine orders and dispositions.

Is it fair to think that in fighting online fraud there is a one-size-fits-all strategy and what is your company approach in this respect? Have you developed specific products for specific industries or regions? And what is your main target market?

Phil Levy: We cover all vertical markets and all regions. We have built a set of tools within the products that make it easier for smaller merchants to implement. Fraud can be quite complex if you do not have significant data and history to start thinking about writing the relevant rules based on the data elements that help you call off fragile orders. In connection to our internet payment gateway solutions, we have developed a wizard-based approach where a merchant answers a series of 15 risk parameter questions, including “What is your average order value?”, “Do you ship internationally?”, “Is it normal for the bill-to address to be different from the ship-to address?” etc. Therefore, based on a simple wizard interview, in the background the system develops a set of fraud rules and a fraud score card which merchants do not have to maintain since they can just go in and change the parameters within the wizard.

The market is currently a bit too restrictive for merchants which have a more complex environment, more data to build a custom rule set on. Therefore we give them a total customised environment where they can write complex rules, nested rules, use the algorithms within the scoring engine to come up with a custom score card. So I would say that the primary thing we have done to address this “one-size-fits-all” strategy is a simpler approach for smaller merchants and as they grow, we provide them with a migration path into a fully customised environment.

What connections, if any, do you see between the use of different payment methods and the amount of fraud?

Phil Levy: There are certainly fraud and chargebacks within non-card based transactions. Thus, in my opinion, the risk of loss applies across the board whether that is in the US, in electronic cheque transactions or PayPal transactions. We collaborate with Acculynk and their PaySecure product which is an online PIN debit product, in Europe with direct debits and real-time bank transfers. There is risk inherent to all of these transaction types. Therefore, our approach is as follows: a merchant should implement a solution like Fraud FlexDetect or other comparable technology and then run every transaction through that scoring algorithm and through their process whether they are using an order review type approach or otherwise build the order history and not leave a set of transactions outside that order history and that database. That allows you to build the best insight into what is normal and what is not and also see the trends. As things change in merchants’ environment (they may enter a new country, they may have a new product in the product mix), all these factors can change the fraud dynamics.

Is it possible to categorize fraudsters by country/by regions and with e-commerce becoming more and more international what can European online stores learn from American ones and vice-versa?

Phil Levy: We think of fraud as a global business and I think it is very organized and very international. In my opinion, the really sophisticated ones present a challenge to any merchant anywhere. One lesson is that merchants may take some example from the organizational part of the really big well-known brand names like Amazon and others and not just from the technological part. I think technology has been pretty well deployed, but we have seen these organizations evolve to having senior fraud leadership and then having even on staff PhD level statisticians to build models, because it is a tremendous amount of data to build models out of and even a technology like Fraud FlexDetect does not build a custom statistical model that can be implemented. If you go then to build a model, you could imply changes in your rules that are easy to implement through our user interface. So we have seen organisations with some really bright PhD level people and they often have the most effective programs.

What would be some top directions of development for online and mobile payments fraud prevention for your company?

Phil Levy: We are obviously tracking the development of mobile commerce, so currently fraud is just as prevalent from a mobile app or a mobile browser type application user. However, it is even harder to track them because these devices are in some cases throw-away devices and so the trail becomes warm for the criminals or the fraudsters since they can get rid of their iPhone or their iPad. So, I think that is probably the biggest development, location-based services or any database that gives you information on mobile subscribers and additional information about them that you can then use against the representative of online transactions or mobile commerce transactions could be very useful in the fraud decision.

In your opinion, what does the online fraud prevention industry lack and where should improvements be made? At a consumer-merchant level, is there need for more regulation?

Phil Levy: I am not much on increased regulations, but I think that one area where it has been tough to get cooperation are the shared fraud databases. Criminals who have impacted one merchant’s business are very likely to target another business and so on to the extent that you could share data. With regard to this aspect, there have been initiatives even within the MRC as far back as 5-6 years ago and it was difficult to get the notion that merchant A would be contributing data into a database that could then affect a consumer (a merchant B). There were all sorts of questions, legal and otherwise, and many large companies felt they did not want to take part. Yet, it would be very powerful if there was a global database that people could contribute to and take out of to see where fraud was occurring and not allow those stolen cards to be used for transactions on their websites. So, that would be one area that would be very powerful if we could crack that code.

Optimize your Acceptance Rate to Accelerate Revenue Growth

By Mr. Frank Lange – Director of Sales and Marketing Europe, CashRun GmbH.

Untangling Fraud Prevention Industry

The ever-changing fraud schemes have resulted in a surge of fraud prevention solutions, each specializing in a specific area. Lacking the right information about prevention tools, merchants often fail to realize the true cost and the benefits of each solution, thus risk being locked in a system that is not adapted to their needs and has a high exit cost. Moreover, most of the solutions available today focus on threat detection, and only react to the negative aspects of an order. This approach eventually becomes detrimental for online businesses, as it increases unnecessarily the rejection rate with genuine customers, which might generate higher losses than the fraud itself. Information is essential to analyze the long-term effects of a solution to the company’s objectives, as it is intertwined with the company’s profitability.

A quick look at the existing fraud prevention tools shows that no single tool, used alone, is 100% accurate in preventing fraud. For example, device fingerprinting can detect repeating fraud patterns, but can be easily spoofed by savvy users and it might fail when detecting first-time fraudsters. Address-related tools can be tricky too; merchants tend to rely on Address Verification Services to ship tangible goods without realizing that these services can be inefficient when dealing with international orders. Geolocation/IP address technologies seem to be the answer for these international orders: unfortunately these services are insufficient to ship intangible goods, sent solely electronically. Card Authentication Schemes have fully proved their effectiveness, but have been subject to fraud attacks since hackers have managed to create similar-looking pages to phish the credit card details of genuine customers, and make use of these stolen data to place fraudulent orders. An increasing number of consumers are reluctant to disclose their personal details given the recent security breaches, which directly affects the effectiveness of tools such as automated phone checks or e-mail validation services.

From fraud prevention to Fraud Risk Management

All tools described above are indeed helpful, yet the results drawn from them are not conclusive to effectively keep fraud at a minimum level. Fraud verification solutions nowadays rely on one or two of the tools described above, and that is simply not enough to detect fraud effectively. Only by combining several prevention tools can merchants obtain a clear picture of fraud. Today’s fraud schemes require comprehensive and flexible prevention systems that take into account all attributes in an order, weighing the negative aspects against the positive aspects to filter out fraudulent orders only, and to ensure the maximum number of genuine orders is approved. This approach to fight against fraud requires merchants to take the step from mere fraud prevention to comprehensive fraud risk management, by accurately measuring the risk to optimize the acceptance rate rather than increasing the rejection rate. Merchants adopting this position against online fraud not only reduce fraudulent orders significantly, but also achieve their corporate objectives and attain revenue growth.

About Mr. Frank Lange

Mr. Lange is a graduated business economist from International School of Management (ISM) in Dortmund, Germany. He has developed his career in the Internet and online payments industry, holding financial and organizational management positions in different companies. Mr. Lange brought in his vast experience in the payments arena and his strong financial background in e-companies when he joined CashRun in 2008 as the Director of Sales and Marketing Europe.

EXPERT OPINION


Mitch Muroff is the CEO and founder of Curaxian Inc. Mitch has over 24 years’ experience in the payments industry and is passionate about improving risk management through better analytics and effective policies and processes. As Director of Electronic Payments and Risk Management for Yahoo! he kept fraud rates low at 30 businesses in 14 countries. Prior to Yahoo!, Mitch was Director of Risk Management for a division of AT&T and developed a transaction screening system from the ground up that was used across 4 global business lines and 10 million customers. A recognized thought leader in the payments industry, he is also a founding member of the Merchant Risk Council’s Benchmarking committee.

What is Curaxian’s role in preventing online fraud and/or identity theft?

Mitch Muroff: Curaxian Analytics is the only application on the market that can consistently detect new forms of fraud it’s never seen before and give merchants the information they need to resolve those attacks. It's also the only application that can analyze payments data and provide merchants with the information they need to reduce the fraud they currently have, while protecting good customers. A key differentiator is our ability to provide clear measurement of impact that a proposed risk strategy has on good customers.

How does your tool help companies find out which are the good customers or reduce the number of rejections for the good ones?

Mitch Muroff: Our analysis tools break a merchant’s business into segments and explain how many orders from good customers and from criminals are in each segment. If we show a merchant that a particular segment of their business is 99.99 percent fraud, they’d likely build a rule to stop that fraud. But if we show a merchant that a segment is 80 percent fraud and 20 percent good, then the merchant might analyze the segment more deeply and/or develop a more nuanced strategy, such as layering manual review or additional transaction authentication with new or existing rules. By providing the merchant with information that clearly and easily describes the good and bad orders in each segment, the merchant can develop rules and processes that target fraud while protecting good customers by tailoring response strategies to the proportions of good vs. bad orders in a given segment.

Today, merchants often build rules and processes sometimes based on intuition or using fraud data in the absence of data about good customer behavior. This is very dangerous. If a merchant builds a rule based on fraud data alone, they might not know how many good customers are affected by that rule and part of what we deliver is an analysis that shows both sides of the coin.

Distinguishing between good and bad customers is important when developing a risk mitigation strategy but it’s also important to routinely measure how many good orders are being rejected by existing rules or processes (insult rate or false positive rate). Curaxian Analytics allows a merchant to construct A/B tests that show the false positive rate for current rules or processes and give the merchant data to reduce false positives.
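The segment breakdown and insult-rate measurement described in this answer can be sketched as follows. This is an added example, not Curaxian's code or anything from the interview: the segment names, amounts, thresholds and sample orders are constructed, and it assumes the orders come from a test arm in which rules were not enforced, so the chargeback outcome is known for every order.

```python
"""Segment-level good/fraud analysis and rule impact on a holdout arm (illustrative)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    segment: str       # hypothetical segment label
    amount: float      # order value in USD
    chargeback: bool   # True if the order later came back as a fraud chargeback


# Assumed cut-offs, chosen only for this example.
BLOCK_AT = 0.99    # segment is almost pure fraud: a blocking rule is reasonable
REVIEW_AT = 0.50   # mixed segment: layer manual review or extra authentication


def segment_report(orders):
    """Count good and fraudulent orders per segment and suggest a response."""
    counts = defaultdict(lambda: {"fraud": 0, "good": 0})
    for o in orders:
        counts[o.segment]["fraud" if o.chargeback else "good"] += 1
    report = {}
    for seg, c in counts.items():
        share = c["fraud"] / (c["fraud"] + c["good"])
        if share >= BLOCK_AT:
            action = "block"
        elif share >= REVIEW_AT:
            action = "review"
        else:
            action = "allow"
        report[seg] = {**c, "fraud_share": share, "action": action}
    return report


def rule_impact(orders, rule):
    """Measure what a rule would do to both sides: fraud stopped and good orders insulted."""
    fraud_total = sum(1 for o in orders if o.chargeback)
    good_total = len(orders) - fraud_total
    fraud_stopped = sum(1 for o in orders if o.chargeback and rule(o))
    good_rejected = sum(1 for o in orders if not o.chargeback and rule(o))
    return {
        "fraud_stopped": fraud_stopped,
        "good_rejected": good_rejected,
        "capture_rate": fraud_stopped / fraud_total if fraud_total else 0.0,
        "insult_rate": good_rejected / good_total if good_total else 0.0,
    }


def amount_rule(order):
    """A rule written from fraud data alone: every fraud seen was a large order."""
    return order.amount >= 200


def make_segment_rule(report):
    """A rule that rejects only segments the report marks as near-pure fraud."""
    blocked = {seg for seg, row in report.items() if row["action"] == "block"}
    return lambda order: order.segment in blocked


def make_orders(segment, amount, chargeback, n):
    return [Order(segment, amount, chargeback) for _ in range(n)]


# Constructed sample data for the holdout arm (not real transactions).
SAMPLE_ORDERS = (
    make_orders("new-account/prepaid", 250.0, True, 20)
    + make_orders("intl/high-value", 300.0, True, 8)
    + make_orders("intl/high-value", 300.0, False, 2)
    + make_orders("returning/domestic", 40.0, True, 1)
    + make_orders("returning/domestic", 40.0, False, 89)
    + make_orders("returning/domestic", 400.0, False, 10)
)

if __name__ == "__main__":
    report = segment_report(SAMPLE_ORDERS)
    for seg, row in sorted(report.items()):
        print(f"{seg:22s} fraud={row['fraud']:3d} good={row['good']:3d} "
              f"share={row['fraud_share']:.2f} -> {row['action']}")
    for name, rule in (("amount >= 200", amount_rule),
                       ("block-only segments", make_segment_rule(report))):
        print(name, rule_impact(SAMPLE_ORDERS, rule))
```

On this data the amount rule stops nearly all fraud but rejects 12 of 101 good orders, a cost that is invisible when the rule is designed from fraud records only.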

MRC EXCLUSIVE INTERVIEWS (II)

“We are not a permanent solution to fraud, but an improvement tool”

- Exclusive interview with Mitch Muroff, Curaxian -

Where do you think the future challenges come from, in terms of fraud?

Mitch Muroff: I think the toughest future challenge we face in terms of managing fraud is getting the data we need to identify fraudulent transactions and using that data in the most effective possible way. Merchants rely upon a relatively small set of data elements to assess transaction risk. Criminals know exactly what data we’re looking at and how we’re using it, so they are constantly developing strategies to thwart our analysis by making fraudulent transactions look more like good transactions.

We can always introduce new forms of authentication, but authentication is very expensive. If a merchant is selling a good or service with a low price and a high volume, it may not benefit them to introduce a complex and difficult validation step in that process. If you are protecting a bank account it makes perfect sense to do that. But if you are selling a discount airline ticket it might not make sense because it would alienate a lot of customers. This constrains our options.

We focus on trends in authorization and chargeback activity. These are the only two facts that a criminal cannot change: a chargeback is a chargeback and a criminal cannot make a chargeback disappear. So, we work with facts that will always uncover the truth about fraud. Consequently, we will always be able to help merchants detect and resolve fraud attacks no matter how advanced criminal behavior becomes.

PSRA 2012 is Asia’s most informed meeting place for central banks, commercial banks, settlement systems architects and connected payment services providers. As more and more people now work overseas with mobile phones and internet access, mobile, e-banking and newer payment technologies are seen as being powerful driving forces used to transact funds and this is what the forum will focus on.

Unquestionably, this is the most important meeting this year since main services providers such as Bank Indonesia, Bank of Thailand, Central Bank of the Philippines, Reserve Bank of India, National Payments Corp, Bank Negara Indonesia, Visa, MasterCard and PayPal will be present. Plus, Asian Central Banks will benchmark new payments methods in a matchless panel discussion.

PSRA 2012 allows you to modernize your payment systems securely and efficiently when you mitigate settlement risks and penalties in the face of increased transactions during this critical period of banking boom.

In the next two editions of the Online Paypers newsletter, we will continue to extensively cover the two recent MRC events (the 10th Annual E-commerce Payments & Risk Conference, held in Las Vegas and the 2012 MRC European Congress, held in Dublin) by including a series of reviews, interviews and expert opinions on online fraud prevention developments as well as latest trends in the e-identity space from a technological perspective. Major companies which have attended the MRC conferences and agreed to share their opinion and vision on the online fraud eco-system include ThreatMetrix, SilverTail, ReD, TeleSign and others.

Following these three special editions in the MRC events, the Online Paypers newsletter will redirect its focus on some of the most important developments and initiatives in the online payments and e-commerce space, structured per regions, in parallel with a series of exclusive interviews with representatives of payment services providers whose role on the online payments market is not difficult to define: Alipay, Ogone, WorldPay and Chase Paymentech. If you would like to contribute with an expert opinion on any of the topics above or make any other suggestions, do not hesitate to contact us at [email protected].

UPCOMING EVENT

About: Online Paypers is a bi-weekly update on developments in online payments by The Paypers, the portal for payment professionals.

Editors: Adriana Screpnic, Mihaela Mihaila, Ionela Barbuta and Melisande Mual.

Website: For more information, please visit our websites: www.thepaypers.com

Contact: For more information, you can contact us at: [email protected]

Subscription info: Online Paypers is a product of The Paypers and is published 24 times per year. Year subscription price: €495

Copyright: 2011 © The Paypers. All rights reserved. Reproduction or redistribution in any form without explicit prior written permission of The Paypers is prohibited.

Disclaimer: The Paypers sees to the utmost reliability of all its news products. Nevertheless we do not accept any responsibility for any possible inaccuracies.
