Their main concern was that companies could set up shop, accept tons of credit card charges, and then vanish, leaving the banks short. Mail order fraud was also big. A stolen credit card could be used to place orders over the phone, and when the fraudulent charges were discovered, merchants would suffer from chargebacks.

At the time, it wasn’t even necessary to provide a correct expiration date, as long as the card wasn’t already expired. Then credit card companies began verifying billing addresses to authenticate mail orders. Eventually, an additional verification code was added to cards, referred to as a CVC or CVV. We still use these codes today, but they can be fraudulently obtained in a number of ways.

When merchants moved from catalogs to websites, IP addresses were used to track transactions. But bad guys figured out how to spoof them.

Now we have a number of new technologies designed to fight credit card fraud. The most effective and widely implemented is device reputation, an effective online fraud prevention method that helps protect retailers from fraudulent CNP transactions by examining the computer or other device for a history of unwanted behavior, plus any suspicious activity at the time of transaction.

If a customer’s PC, smartphone, or tablet indicates an abnormally high level of risk, the merchant can reject the purchase in advance. iovation, the global leader in device reputation, flagged 35 million online transactions as high-risk in the last year for its clients and will flag 50 million or more by the end of 2011.

Protect yourself from credit card fraud by checking your statements regularly. Set up your own email alerts so that at a minimum, you are notified of any transactions over your specified amount occur on your account. Businesses set up triggers and alerts to protect themselves, shouldn’t you?

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit and debit card fraud on CNBC. Disclosures

The study found that IP theft (£9.2bn) and industrial espionage (£7.6bn), combined, account for over two-thirds of the overall cost to UK businesses per annum. IP theft is largely committed against companies with high volumes of IP or IP that’s easy to hack, while industrial espionage includes stealing or exploiting non-IP data from organizations that depend on large amounts of financial transactions and monetary activities.

Other significant cyber crimes that impact UK businesses include extortion (£2.2bn), direct online theft (£1.3bn), and loss or stolen customer data (£1bn), according to the report.

Because organizations today are becoming increasingly dependent on cyber space for business commerce, communications, and daily operations and production, cyber threats pose a significant threat to individual nations, as well as the global economy. This is why reports like these are so important.

Understanding the economical impact cyber crime can have on businesses, industry, and the economy can play a critical role in setting effective security policies and implementing proactive fraud preventative strategies, such as iovation’s device reputation service, which combats new and evolving forms of cyber crime that have a negative impact on organizations across the globe.

According to the Wall Street Journal article, “Hackers Shift Attacks to Small Firms,” as small businesses make the leap to computerized systems, they are becoming prime targets for cyber thieves.

Business owner Joe Agelastri, who runs a pair of magazine shops in the Chicago-area, found out the hard way. After cyber criminals planted a software program on his cash registers, which sent customer credit-card numbers to Russia, the breach cost him around $22,000, slicing his annual profits in half. Though somewhat puzzled, Agelastri is just one of a growing number of small business owners who have experienced firsthand how prolific a problem cyber fraud has become in the SMB community.

“We thought there would be very little chance that somebody would come into a business of our size to pull off something like this.”

According to former hacker and small business security consultant, Bryce Case Jr., the “too small to hack” mentality is what hackers take advantage of. Weaker security due to budgetary limitations, combined with the fact that in the same time it takes to hack a major company cyber thieves can undetectably steal data from dozens of small companies, is playing a key role in more small companies being targeted by cyber criminals. In Case’s words:

“the juice has become worth the squeeze. Even the pizza place has addresses, names and credit-card information.”

In fact, a 2010 study by the U.S. Secret Service and Verizon Communications Inc.’s forensic analysis unit that investigates attacks found that 63% of data breaches were within companies with 100 employees or less. The WSJ article also cites that Visa estimates that 95% of the credit-card security breaches it finds come from its smallest business customers.

The problem with small businesses that are operating with inadequate security in place is a single breach can potentially cost them their business. This isn’t the case for larger companies, who generally have the budget and experts on staff to protect their assets. If anything, stories like these are lessons for small businesses, who need to overcome the mentality that they are too small to hack and take appropriate measures to safeguard their customers and valuable business assets. After all, when it comes to hacking, cyber criminals don’t discriminate.

Based on the study results released by LexisNexis, U.S. retailers incurred losses of $191 billion in 2008 due to identity theft, stolen merchandise and fees associated with chargebacks. Even more alarming is the fact that, between the three primary groups surveyed—merchants, financial institutions and consumers—the cost of fraud to retailers is almost 10 times greater than the losses absorbed by financial institutions and 20 times greater than the losses suffered by individual consumers.

“We weren’t completely surprised that merchants are paying more than half of the share of the cost of unauthorized transactions as compared to financial institutions. But we were very surprised that it was 90-10,” says James Van Dyke, founder and president of Javelin Strategy and Research.

The report also noted that nearly a third of shoppers decreased online purchases after becoming a victim of fraud. This means that not only do online merchants bare the direct cost of fraud losses, they also suffer from lost revenue due to damaged consumer trust in online security and fraud prevention procedures.

With trends clearly showing an increase in fraud against all varieties of merchants, one of the overwhelming proposals within the industry is for an increased cooperation between online businesses for the sake of gaining better insight into fraud tactics. “With the economic downturn and increasing sophistication in criminal fraud methods, it is crucial that merchants and financial institutions work together to mitigate fraud,” said Dennis Becker, vice president of Risk Solutions for LexisNexis.

Luckily, thanks to organizations like The Merchant Risk Council, sharing fraud information is a method that’s gaining wider acceptance within the industry. “The MRC is working with a wide variety of multi-channel and e-Commerce merchants with the stated mission of mitigating losses stemming from card-not-present fraud,” said Tom Donlea, MRC Executive Director. “Research programs such as this are valuable to the merchant community looking to benchmark their verification and authentication processes and fraud prevention tools that thwart such nefarious activity.”

The retail sites for Amazon.com, Apple, Best Buy, Target and Wal-Mart each saw more than 4 million unique visits Friday, comScore said, with Amazon receiving the most traffic (up 28% from 2008). Apple, Best Buy and Wal-Mart sites also experienced double-digit traffic gains. According to Experian Hitwise, another Web monitoring firm, other e-commerce standouts included Sears, Staples and Dell.

These results are welcome news for retailers who have been concerned that fear of identity theft could have a noticeably negative impact on sales. Just last week SC Magazine predicted overall online spending to be down this year because of such fears. Luckily, so far, this does not appear to be the case.

With online commerce looking healthy, online retailers can now turn their focus from enticing online shoppers to ensuring that the orders that are coming in are valid. With the increase in shopping will inevitably come an increase in fraud. Unfortunately, as the volume of orders increases, it often involves increased time spent on manual reviews to distinguish the fraudulent orders from the legitimate ones.

Periods of high volume online shopping, such as now, underline the need for effective tools that can identify fraud more quickly with less manual intervention. Running checks on the device history, in addition to credit, identity, and shipping information, are all important steps in finding (and stopping) online criminals and repeat offenders.

We at iovation wish all online retailers a profitable and fraud-free online shopping season!

But while that kind of fraud certainly does exist, there is another type of fraud that can be equally troublesome and, to some extent, even harder to combat: fraud committed by individuals using their own legitimate information. A very common example of this kind of crime is shipping fraud and it takes several different forms. Here are a few examples and tips on how companies can address this problem.

• Denying receipt of goods – In this case, an individual will legitimately place an order and actually receive the goods, but then turn around and deny that they were received. Strangely enough, people will even do this more than once for the same good after another item has been shipped. Online businesses that ship high-value goods often combat this by requiring signatures for receipt of goods. For many businesses, however, this is isn’t a practical solution. Ideally, organizations would like to be able to identify individuals who have a habit of doing this on any site.
• Denying the purchase – In this era of rampant identity theft, many individuals are using it to their advantage, claiming that their credit card was stolen and they were not the ones who made the purchase, therefore they should not have to pay for it. This is a hard type of fraud to detect and defeat, and the only real solution is to require a signature, or have an internal tracking system to identify repeat fraud.
• Returning the wrong good – I have talked with merchants before who have had individuals return old or damaged goods in place of the new ones they ordered and then demand a refund. These cases can be easier to address by simply refusing to refund the purchase, but they are still a problem that businesses would like to be able to address before shipping.

All in all, shipping fraud can be difficult to detect and defeat, but it is worth considering that typically individuals who do this once don’t quit while they’re ahead. Instead they become repeat offenders, targeting multiple online merchants. Tracking the activity of online criminals and sharing that information among a network of online businesses can significantly reduce this type of fraud. Imagine the benefit if businesses could identify the computer before a purchase was completed, and determine if that computer already has a history of shipping fraud.

There’s an old adage that applies here: “Fool me once, shame on you. Fool me twice, shame on me.”  When it comes to online fraud, businesses would do well to track fraudulent activity, learn from past experiences, and work together to minimize fraud this shopping season.

With a website devoted to the new campaign, it’s easy to take a quick look at some statistics about fraud in the UK, and some of them are quite frightening. While the information on the site is based on UK numbers, the concerns that those statistics raise are likely applicable in many countries, as identify theft is a world-wide problem.

A few stand-out numbers:

• £1.2 billion : The annual amount that identify fraud costs the UK economy
• 60,000: The approximate number of UK residents who have been a victim of identity theft in the current year. (Up 36% from the same time last year.)
• 36: The percentage of businesses that have no clear policy on how to dispose of documents including sensitive information (such as customers’ names, addresses, credit information, photocopies of passports, etc.)

As a whole, the site paints a clear picture: identity theft is a real problem with real consequences, which most people are aware of—and yet neither businesses nor individuals are, in great enough numbers, taking the steps required to prevent it from happening.

Here at iovation, we’re working on the other end of things: helping companies defend against online criminals using stolen identities to commit fraud. While businesses and individuals need to do more to prevent identity information from being stolen, it is also important for online companies to do everything they can to prevent criminals who are using those stolen identities. Unfortunately, most online businesses depend entirely upon information provided by the user, leaving them no way to know if, for example, 50 accounts, all set up with different names and addresses, are actually all coming from the same computer.

To do their part, businesses need to look at the different technologies, people, and processes that can complement core identity-based systems and expand the net to catch online fraud. For my part, I will be at the E-Commerce Expo next week in London to talk to online retailers about combating online fraud. Certainly this is a problem that businesses need to address together. Building national awareness of the problem and encouraging businesses to work together and share best practices is an important step to curbing this epidemic.

The Merchant Risk Council (MRC) represents the largest and most influential constituency focused exclusively on making eCommerce more safe and secure. iovation is a proud sponsor of the Merchant Risk Council and brings you this interview and podcast with Executive Director, Tom Donlea.

Listen to the Podcast >

iovation: This is Scott Olson on behalf of iovation. I am here with Tom Donlea, the Executive Director of the Merchant Risk Council. Hi Tom.

Tom Donlea: Hi Scott.

iovation: Tom, as the Executive Director of the Merchant Risk Council, you lead this trade association made up of merchants, vendors, e-commerce management professionals, and law enforcement. I imagine this role gives you a great deal of insight into the key issues facing online merchants. After having just completed the Merchant Risk Council semi-annual platinum meeting and now preparing for the upcoming conference in March, is there one topic you would say is getting more attention than others?

Tom Donlea: Yes, Scott. I think for the MRC it has clearly been the economy. A lot of our merchants are increasingly focused on managing their costs and minimizing losses. They are getting a lot of pressure, so they are coming to the MRC with some very specific requests; three in fact. The first thing is they are looking for benchmarking data. They want to look at their costs, the resources they are using, and investments that they should put toward managing fraud risk.

Another piece of this, another part of the membership value, is utilizing the newest and most proven technologies available. They want to make sure that they have the right things in place, whether it is the device recognition, IP geolocation, or some of the other new technologies that are really key for the merchants.

The third thing that merchants are looking for is figuring out how to squeeze every dollar possible out of their program and their operational expenses. We are helping them connect with other members and learn about industry best practices to make sure that they are as efficient as they can be.

iovation: In recent e-commerce fraud surveys, Merchant Risk Council members show consistently lower fraud rates than the industry average. So from your experience, what are these businesses doing right?

Tom Donlea: Belonging to an organization like the MRC allows our member merchants to collaborate and then determine and discover best practices. Through our organization, the merchants have access to industry leaders. And through those presentations and forums, they are staying on top of the latest services from solution providers.

We introduce those topics and issues through webinars that we hold. We do about 20 a year right now. We hold two big conferences each year and we also have a wide enough member base from the merchant community that allows deep collaboration. Merchants from travel, gaming, the apparel industry, electronics—they are all able to gain a greater understanding of the solutions that are most widely adopted and are benefiting the bottom line, and that are, of course, appropriate for the business model.

Increasingly, merchants are looking to the MRC for advocacy. When we gather folks from the travel industry, for example, and we are hearing common issues that they have that are industry-wide issues, the MRC is positioning itself to go to battle, to cause positive change in the industry on behalf of those merchants. And we are excited to play that role.

iovation: You have followed iovation as one of the vendors and the growing interest in device-based fraud solutions for several years now. Would you say the use of this technology is now being considered a best practice for your members?

Tom Donlea: Yes, absolutely. On an annual basis, we do a fraud survey. Every year that we conduct this survey we ask our members, “What sort of third-party solutions or technology solutions are you adding to your arsenal of fraud detection tools?” Device reputation technology is one of the latest advances, and we see our merchants increasingly utilizing that type of technology to develop and enhance their fraud screening tools.

Of course, our merchants know that there is no single silver bullet that is going to eliminate fraud risk when it comes to accepting payments online. But they do know that they have got to have a diverse portfolio of tools. Not only do our members have lower fraud rates than the general industry standards for companies at the same level of revenue, but they also employ more tools than your typical e-commerce company. Through the MRC, and through meeting companies like iovation, they have learned that they must have a broad array of tools in order to meet the challenges of taking diverse payments online.

iovation: Speaking of tools and the different fraud types that your members address, most people think the Merchant Risk Council members deal primarily with financial fraud such as fraudulent chargebacks and payment fraud. What are the other risks that your Merchants are addressing?

Tom Donlea: It’s interesting that both security and authentication are becoming important issues. We’ve seen in recent headlines that data security is more and more of an issue with retailers and with consumers. The challenge for many of our e-commerce and multi-channel retailers is that they not only want to offer an inviting and convenient shopping environment for the consumer, they also want to provide the safety and security for that customer’s personal data. It’s a huge motivator for us to boost that consumer confidence in e-commerce as a channel; a focus on security is a part of that. We know that it’s important for the customers, as well as our members. The shoppers who are conducting business online, they’ve got to trust those MRC members before, during, and after placing an online transaction.

We’ve been very proactive in providing programs and events to educate retailers on the root causes of the data breaches, the regulatory issues involving the Payment Card Industry—or PCI, as we call it —and then providing them examples of compromised systems. What could have been done in advance to avoid that? Then, certainly, the remediation that happens following mistakes like the TJX breach, for example.

Authentication is another issue that we’re really focused on. Of course, authentication for financial transactions is always paramount for our members. I know iovation has lots of clients in the dating, social networking, gaming area. This has become an increasing percentage of our membership as well. For those companies, the customer experience, again, is paramount, which includes: “if I become a member of a social networking site, I want to avoid any sort of predatory behavior, phishing or any scams that are going on.” That non-financial authentication is a very, very big deal for those companies because they have to make sure that the customer experience is continually excellent.

iovation: Earlier, you mentioned that the economy was one of the major issues, and this past year, certainly, has been very challenging for a great majority of retailers across all categories. Yet the Merchant Risk Council has grown in both membership and participation. Why do you think this is?

Tom Donlea: Well, I like to think that our membership base is savvy enough to understand that it’s more vital to address fraud risk, security risk, and electronic payment issues during these hard times. They’re trying to squeeze cost out of operational systems, maximize the number of transactions they can take online, and the consumers, where they are as far as their level of safety with doing business online. MRC is bridging the gap between the merchant community and the issuer community, which includes financial institutions, who often times provide the primary interactions for that consumer in relationship to making payments online.

We’re developing forums that are allowing these communities to communicate with each other, and break down artificial walls that really do affect the consumer’s experience of placing a transaction online. We want the banks who are issuing credit cards and the retailers who are hoping to accept those legitimate transactions to have open communication and improve the industry through those efforts. We also provide active year-round forums for networking, for education, and then for advocating on behalf of our merchant members. The members that belong to the MRC, they benefit from having a distribution list that allows them to interact with their peers and competitors in a non-competitive way.

We provide benchmarking studies. We provide online learning. We have in-person conferences. We’re also expanding into Europe. I’m not sure that we talked about that but it’s very exciting for us. Then, we also have active year-round committees where folks are, again, focusing on common issues that need to be addressed by an industry group in order to improve the industry for the better. Now, more than ever, the MRC is providing resources that allow our members to address their current fraud and secured payment processes, improve their productivity, and increase profitability. Really, what we’re trying to do is make sure our members are looking out further on the horizon and are prepared for those challenges in our three program areas for fraud, security issues, and related payments on a global basis so that they’re really prepared for the future.

iovation: Certainly, the Merchant Risk Council plays a very important role in addressing online fraud and abuse. I really appreciate you taking the time today, Tom, to share with us some of the insights from the Merchant Risk Council and your members.

Tom Donlea: That’s great, Scott. We appreciate the chance to talk with you and we appreciate iovation’s involvement in the MRC.

To learn more about iovation’s fraud-fighting solutions that enable online retailers to prevent thousands of fraudulent activities each day—including credit card fraud, shipping fraud, identity theft, carding and more—watch this video, titled Preventing Fraud and Abuse in Online Retail.