On Monday, November 17, at 6:30 p.m. EST, e-mails were sent out to eBay customers advising them: "Your account may be used by a third party in a fraudulent activity with eBay. As a result, your access to bid or buy on eBay has been restricted." The e-mail provided what appeared to be a hyperlink to eBay. The re-registration form required the consumer to provide credit card data and his or her ATM personal identification number (PIN), social security number, date of birth, and mother's maiden name. The site replicated the top line of eBay's home page and incorporated all the eBay internal links. Unfortunately for those who complied, the request did not originate from eBay but was an instance of the fraudulent activity known as "phishing." A phishing scheme sends consumers to a bogus Web site that is correctly branded to look identical to an authentic Web site and asks them to provide identity and bank account data that can subsequently be used for account takeover or identity theft. Customers of Citibank, PayPal, C2iT, and even Visa have all been hit in the past six months by phishers. (Attempts to reach an authority at eBay proved fruitless. Twelve hours after the scheme was discovered, the phony Web site was still alive and kicking.)
Phishing, worms, hackers, hijacking, and "spyware" are the quintet of criminal activities currently attacking the consumer side of the Internet. Attacks by viruses and worms for 2003 are up 100 percent over 2002 and predicted to hit over 180,000 for the full year. The BugBear.B worm-virus was hard coded with the domain names of 1,300 financial institutions and has the ability to copy both corporate and user passwords. Major financial services institutions, including Royal Bank of Canada and Scotiabank, acknowledged that funds had been stolen from their customers via this mechanism. No wonder then that, according to the Federal Trade Commission, consumer complaints of online banking fraud multiplied fourfold last year.
Then there are the cases of spyware, where keyboard loggers steal every name, user ID and password, and all financial account information entered through a PC keyboard. And it is not just home PCs that are at risk. An outsider installed spyware on PCs at 13 Kinko's stores and for two years downloaded sufficient information to attack bank accounts of 450 customers.
With more and more PCs online all the time through DSL and cable modems, direct hacker attacks are even more frequent and successful. In the first eight months of this year, over 90,000 attacks on online PCs originated from Brazil alone! The Internet, which globalizes commerce, also globalizes fraud. PC vulnerability, through direct attacks on PCs and schemes to extract identity and financial account data, is one major aspect of Internet security that is not acknowledged, much less addressed by the payments industry.
The number of articles on Internet security breaches is up 700 percent in the past 24 months. No wonder that consumers are fearful! When consumers open their newspapers to read that more than 10 million MasterCard and Visa accounts were "stolen" from a major processor, it is not surprising then that 71 percent of consumers state that lack of security is the single greatest barrier to their paying online or using the Internet for financial services.
When one dissects the economic impact of fraud, the costs are considerable. Most reports take into account only the cost of lost goods and services. Online credit card fraud is estimated at somewhere between $2 billion and $3 billion. Visa acknowledges that online fraud accounts for 30% of all credit card fraud, even where online payments account for less than 8% of all credit card purchases. Online retailers on average report that they "lose" $0.07 on every dollar due to fraud, taking into account both the indirect as well as the direct costs.
The indirect costs can be considerable. For the merchant, costs for shipping and handling, discount fees, and chargeback fines for fraudulent transactions are considerable. For the acquirer and the issuer, there is an average cost of $25 each to process the chargeback that results from a fraudulent transaction. For an issuer it can take up to $2,000 in additional charges by the cardholder to recoup the chargeback costs for one transaction. And, if the card needs to be replaced, add another $10 to this expense. For the acquirer, with even lower margins, the impact of a chargeback on the bottom line is even more pronounced.
The consumer pays too, even though issuers do not hold them liable for any fraud. The National Consumers League reported that online fraud (of which credit card fraud is a component) hit $14.6 billion in 2002. According to a Federal Trade Commission report, identity theft, much of which is perpetrated over the Internet (see "phishing" above), hit 9.9 million consumers and cost businesses $48 billion last year, the estimated cost to consumers being $5 billion. Admittedly, these numbers are high insofar as skimming, counterfeit, and account takeover are misreported as identity theft more often than not. In the end, however, it is all fraud.
Another financial impact is lost business and revenue opportunities for merchants, acquirers, and issuers. Many merchants use scoring, rules, and transaction analysis to predict risk on a transaction level. If a transaction is seen as high risk, it is often declined. Merchants decline about 12 percent of online transactions as compared to only 5% of transactions in the physical world. For every fraudulent transaction that has been avoided, two or three legitimate sales have been lost. The cost to the industry in lost business exceeds $1 billion in the United States alone.
These are not easy problems to solve. While authentication is the most pressing security concern, it is not the only major issue. Today financial services institutions rely on weak methods to authenticate their customers over the Internet, mainly by means of user IDs and passwords. Given the ease by which consumers are lured to fake Web sites either by e-mail scams, phishing schemes, or fraudulent merchants, there is no method for consumers to be able to authenticate a server before providing vital identity and account data. Along with spyware and hackers that suck data out of the user's PC, these fraudsters are able to obtain data necessary to counterfeit cards, take over accounts, and even steal identities.
Visa and MasterCard are fighting back on multiple fronts. Both have initiatives to ensure online retailers do a better job of protecting their Web sites from intrusive attacks (hacking) and internal theft of data by employees. Visa, with its Customer Information Security Program (CISP) and MasterCard, with its Site Data Protection (SDP) program, both offer rules, guidance, and audit criteria to raise the bar for Web site security. These multifaceted programs also include audits of online merchants' Web sites by external services. As admirable as these programs are, with over 400,000 online retailers in North America alone, and over 1,000 new retailers coming online each week, it is difficult to see how this process can be managed. These programs unfortunately do not address the larger risk from the fraudulent merchants, who will be gone before the fraud is detected. As easy as telemarketing scams have been, online fraud is even cheaper and easier to perpetrate on a global scale.
On the authentication front, the card associations are also in the process of deploying their online authentication initiatives, Verified by Visa and SecureCode, both based on Visa's 3DSecure technology. This initiative is less ambitious than its predecessor, the public-key based Secure Electronic Transaction (SET) program, launched in 1996, which failed to gain traction. The new initiative focuses strictly on password-based authentication of the cardholder by the issuer, through a proxy access control server. Although MasterCard and Visa have both provided large incentives (including shifting liability for fraud from the merchant to the issuer when the merchant supports the program), less than 1 percent of online retailers have launched the program in its first full year of operation. Support from issuers has been quicker to come by: All of the larger issuers and thousands of smaller ones have launched the program or are in the process of doing so.
The jury is still out on broad merchant acceptance of a process that many of the larger and more sophisticated online retailers, such as Amazon.com, see as intrusive. It also remains to be seen if consumers are prepared for a program that requires them to learn yet another password. (Bear in mind that only 40 percent of consumers use PIN-based automated teller machines even 35 years after launch of the ATM.) However, this program is still in its formative stage and, providing the associations and their members put their marketing muscle behind it, this could be the urgently needed initial step toward managing the fraud problems.
The good news is that despite all this doom and gloom, e-commerce continues to grow. Online credit cards transactions, which accounted for 5 percent of all purchases in 2002, are anticipated to grow 50 percent in 2003 to 8.6 percent of all purchases, according to MasterCard International.
John Gould is director of the Consumer Credit practice at TowerGroup, a Needham, Mass.-based research and consulting firm focused exclusively on the global financial services industry.