What to look for in a web-based fraud detection system

For online retailers the growth of online shopping is a double-edged sword. While the recession is driving more shoppers online to search for bargains, the more people that shop online the greater the risk of fraud, which makes the cost of acquiring online customers a bit of a tricky biscuit.

As an online retailer you may spend considerable sums not only on customer acquisition but also on automated anti-fraud monitoring technologies, but do the benefits outweigh the costs?

Some online retailers would probably say no, yet as the recession continues to bite, anti-fraud software vendors are eager to tout their automated fraud monitoring solutions, however with so much choice out there and with vendors prescribing different solutions for different operational silos and levels of fraud, how can retailers be sure that they are choosing the right solution?

Gartner recently published its Magic Quadrant for Web Fraud Detection, which describes the market as "still maturing" and consisting of vendors that have "a lot of work to do to round out their product lines". In other words this is a rapidly evolving market and vendors are having to keep up with the rapidly changing =nature of online fraud, which means that solutions with built in flexibility and the ability to quickly introduce new functionality as and when needed without a major overhaul of the existing installation, is key.

Gartner says most web fraud detection systems can be broken down into two types: rules-based software and predictive software that uses artificial intelligence to detect potentially fraudulent behaviours. According to Gartner, predictive software is more effective at catching fraud as rules-based systems tend to be based on past known events that have already occurred, therefore it is not good at detecting new or unknown types of fraud. The more rules you have, the more difficult it is to manage, so Gartner suggests that rules-based systems are only suitable for those companies with minimum levels of fraud.

When selecting a fraud detection system Gartner advises firms to opt for those solutions with a 70% fraud detection rate and a "false-positive" rate of one in five in order to minimise the time spent unnecessarily investigating legitimate transactions. Some anti-fraud solutions such as "geolocation" and "client device identification" have a short shelf life and can be spoofed or fail to keep up with increasingly sophisticated attacks.

Gartner also advises firms to buy solutions that provide value-added services such as authentication in conjunction with fraud detection as well as solutions that work across multiple channels and accounts. Those vendors whose web detection solutions can easily "plub and play" with different authentication technologies score highly.

Prioritising alerts is also key. "Enterprises want and need to be able to prioritise alerts based on their severity and urgency," writes Gartner. "Unless the system returns a score that ranks the severity, it is difficult to know which alerts demand priority attention."

Ease of use may sound like a no-brainer but Gartner says most web fraud detection vendors fall short in terms of providing consoles that enable alerts to be investigated easily. Sufficient levels of reporting also tends to be a downfall. More advanced fraud detection solutions, says Gartner, not only look at log on details or web site access, but also transaction information and user navigation.

Online retailers fight "recession fraud"

A survey conducted by Vanson Bourne indicates that online retailers are fighting back against the increased threat of "recession fraud".

The research conducted on behalf of SPSS, a predictive analytics software provider, shows that 37% of online businesses had implemented new measures such as customer behaviour analysis, restricting purchases from "high risk" locations or countries and reducing the number of payment methods available, to help reduce online payment fraud.

The 2009 UK Online Fraud Report estimates that UK online retailers lost up to 5% of total revenues to fraud in 2008, however, while retail sales on the high street are declining, online sales are increasing (up 14% in December 2008 compared to the previous year), so retailers cannot afford to be complacent about fraud.

One in four retailers surveyed by Vanson Bourne indicated they are using customer analytics, which focus on unusual behaviour patterns, to detect fraud. Eighteen percent said they had also reduced the number of payment methods in the belief that it reduced the opportunities for fraudsters.

Learning the lessons of due diligence

A few months back when the alleged Bernard Madoff Ponzi scheme was first exposed, I remember writing on this blog that the alleged $50 billion fraud was only the tip of the iceberg, and that the recession would result in other scams or alleged frauds being exposed.

Not that I want to beat my own drum, but it doesn't take much to realise that a deep economic recession and tightened credit availability are all it takes to bring suspected frauds that have gone undetected, to light. When banks don't want to lend and investors panic and want to withdraw funds, things start to unravel.

I don't think we can say that the credit crisis is causing fraud to spiral out of control, however, it is resulting in greater levels of discovery. Since Madoff, there has been the $1.5 billion fraud at Indian IT firm Satyam Computers, other Ponzi schemes and dodgy investor scams are being uncovered on a regular basis and now the SEC alleges that Allen Stanford duped investors who bought bonds from his Stanford International Bank in Antigua and claim that he also lied about the performance of their savings and the extent of investors' exposure to Bernard Madoff's alleged Ponzi scheme.

Not only is more fraud likely to be uncovered in trying economic times, but also financial regulators are on the war path, eager to redress the perception that they failed to adequately supervise financial firms when times were good. Now that times are not so good we can expect to see the heavy hand of regulation come down on banks.

In the UK the Financial Services Authority is calling for a sea change in the way commercial banks, investment banks and building societies manage their liquidity. The new liquidity standards, which are scheduled to come into force in October, will also impact US banks with branches in the UK and are designed to try and prevent an event like the Lehman's collapse in the US, spilling over into the UK by forcing bank branches to become self-sustaining when it comes to liquidity.

While managing liquidity is not directly related to fraud, what is perhaps more interesting is that observers believe the FSA is likely to not only make an example of those banks that fail to comply with its new liquidity standards, but they may also "disbar" those company chairman and executive directors of banks that don't measure up.

Corporate governance is back on the agenda again and it is the guys at the top that are likely to take the heat, however one has to question how serious the regulators really are when you read reports that a former disqualified company director was able to foil the FSA merely by changing his name and becoming a director of three companies.

We have all heard the corporate governance rant before - isn't that what Sarbanes-Oxley was all about? Yet financial accounting scandals are still very much with us and some suggest it is only going to get worse as company executives resort to fiddling the books in order to preserve banking covenants, meet analyts' expectations or avoid bankruptcy.

But heightened levels of corporate governance in the form of greater regulatory oversight is not the panacea some think it is. If anything is to be learned from the Madoff and Stanford cases it is the lack of due diligence by investors and investment funds. All the warning signs were there; fly-by-night accountants and a lack of separation of duties; and if anyone had bothered to do their due diligence they would have uncovered enough to raise alarm bells.

However, it seems everyone wanted to believe the unbelievable; market beating returns; and it seems we all want to believe that some of the gold dust will rub off on us, which means a lot of financiers are not subjected to the level of scrutiny that they should be.

Corporate bribery

Former investment banks are in the spotlight again, this time relating to allegations of corporate bribery.

According to a report in the Financial Times, Morgan Stanley's global head of real estate investing has been suspended following disclosure of a Securities & Exchange Commission (SEC) filing that indicates a China-based employee violated the foreign corrupt practices act.

Morgan Stanley was a major investor in Chinese real estate, a sector which is believed to be plagued by bribery and corruption. A number of fraud and risk specialists I have spoken to in recent weeks have highlighted increasing reports of corporate bribery and corruption where business contracts are awarded on the basis of financial rewards.

In the US and the UK corporate bribery can attract substantial fines, which often exceed the initial bribe. According to Kroll's 2008-2009 Global Fraud Report, regulatory and compliance breaches increased from 19% to 25%.

Balancing fraud and profit

I received an interesting email from an Amsterdam-based company, Directness, which is running a Risk v Reward: Balancing Fraud and Profit conference for retailers in Amsterdam tomorrow.

Organiser, Adam Dorrell, said that the event was triggered by retailers such as Nike, Philips and Sony getting fed up with the cost of fraud. The problem for many retailers is that they have to invest considerable sums in automated solutions for combating credit card fraud, but the return on investment is uncertain in that they may be spending more to acquire customers, only to lose them to fraud or "charge-backs".

Do the risks outweigh the rewards? Well if you believe what you read in the newspapers and various surveys that are published, the risks, particularly in the online shopping world appear to be significant. This appears to have convinced a significantly large proportion (41%) of the UK population not to shop online, according to CyberSource's latest annual survey of more than 150 merchants and 1000 consumers.

Security was an issue for the 41% of UK consumers that said they did not shop online. Out of the total sample, including those that did shop online, 66% said they were concerned about the level of risk. Given that most online shopping sites now carry a secure padlock icon or the green VeriSign bar which demonstrates that the web site has met more stringent standards around web site integrity, this is still a surprisingly high number.

Some of the other basic precautions online shoppers can take is signing up to the MasterCard SecureCode or Verified by Visa programmes, which adds an additional authentication layer by asking for a password, but not all shopping sites carry this and arguably it is still open to abuse if the password is easy to guess or replicate.

CHIP and PIN while reducing fraud when the card is presented, has only served to increase the incidence of fraud in card-not-present transactions (online or over the telephone). Some security vendors suggest that one-time passwords are more secure, but there has been no uptake of this by the card companies.

Another problem is that the cost of fraud is borne by the poor retailer who has to foot the cost of charge backs and fraud in general, as well as investing in anti-fraud measures. It will be interesting to hear what comes out of the event in Amsterdam tomorrow and whether retailers can come up with a joint industry solution to combat fraud. We hope to provide you with coverage after the event.

Lloyds warns against phishing attacks

Newly-merged UK-banking group Lloyds TSB and HBOS have taken the unusual step of warning customers that fraudsters may take advantage of their merger to launch phishing attacks.

In recent years, phishing scams which typically involve the sending of "official-looking" emails asking customers to confirm bank password, security and account details, have been steadily rising. Banks and other security providers have cautioned customers not to respond or open emails sent to them asking for such information.

However, in an effort to head off a potential attack as it goes through a long and protracted merger with HBOS, Lloyds TSB said customers should be on their guard and that it would not email them requesting account, PIN or security information.

More Ponzi schemes

While the alleged Bernard Madoff Ponzi scheme is capturing most of the headlines, other Ponzi schemes are also coming to light.

According to newspaper reports, Japanese police have arrested a 75-year-old bedding company executive on suspicion of running a "pyramid scheme" that promised investors high returns.

According to some experts, Ponzi schemes are increasing and are recurrent. Estimates suggest that in 2002, US citizens lost $9.6 billion to Ponzi schemes. Some suggest that Ponzi schemes are happening with increasing frequency and point the finger at unregulated hedge funds or alternative investments put together by investment advisors.

Madoff - who is to blame?

The US Securities & Exchange Commission (SEC) continues to cop flak over its handling of tip offs regarding the alleged Bernard Madoff Ponzi scheme.

According to a report in the UK's Financial Times newspaper, Lord Jacobs a peer who lost money in the alleged $50 billion scheme, is pointing the finger at the SEC for "the grossest negligence it is possible to conceive" for not fully investigating a whistleblower’s detailed exposé.

He is not alone in his condemnation of the US regulator. Members of the US Senate Committee on Banking, Housing and Urban Affairs also expressed disbelief and amazement at how regulators did not uncover the alleged Madoff Investment Securities Ponzi scheme, citing numerous "red flags" such as the fact that he did not use a separate custodian for his investment advisory business, and that his accountant was not registered with The Public Company Accounting Oversight Board (PCAOB).

However, as a privately held broker-dealer, the Senate hearing heard how Madoff was able to avoid adhering to these requirements. At the same Senate hearing, senior representatives from the SEC defended their investigations of Madoff saying their examinations which were limited to the scope of his broker/dealer business, not his investment advisory business, did not find fraud.

Madoff registered as an investment advisor in 2006. The SEC said it could not examine every investment advisor and that 10% of registered advisors were examined every three years, but that these examinations were limited in their scope and targeted specific activities. The SEC also pointed towards resource constraints.

Nevertheless it seems that the SEC is going to cop a lot more flak over its handling of the alleged Ponzi scheme as a number of investors that have lost money question how detailed tip offs from a reliable source failed to uncover anything. The truth perhaps lies somewhere in the fact that the SEC said it only examined Madoff's broker/dealer activities, not his investment advisory business. Regulatory loopholes appeared to have allowed Madoff's investment advisory activities to escape rigorous scrutiny.