5 July 2004: On selling shoes to Jakarta

In this issue

This month I will talk about the risks associated with being an on-line merchant - and how to overcome them.

But first: check out my blog at http://www.e-consultancy.com/blog/textor

Someone - please....



A few years ago we supplied some ecommerce software to a company that sold high fashion shoes.  They got an order from Jakarta, which they duly filled.  Then (coincidence?) another order from Jakarta, which they were about to fill, until someone thought they had better check it out. 

When we looked at the files, there were about 50 orders, all from Indonesia, under different variants of customer name and address, all on different credit cards.  All of the credit cards were of course stolen. 

In fact there is a rogues' gallery of locations that you want to look twice at if you get an order on your e-commerce site.  Here is the ranking from the latest Verisign security briefing, by percentage of fraudulent transactions:

Rank  Country
1     Indonesia
2     Nigeria
3     Pakistan
4     Ghana
5     Israel
6     Egypt
7     Turkey
8     Lebanon
9     Bulgaria
10    India

Of course that is not to say that every order you get from Indonesia or Nigeria is going to be fraudulent.  There are many fine upstanding citizens in all these countries. 

How does the merchant guard against these fraudulent transactions?

CVS

CVS is the card verification system (the code itself is more usually called CVV2, CVC2 or the card security code).  Every card has a three-digit code printed on the back next to the signature strip (American Express prints a four-digit code on the front).  It is printed rather than embossed, and the card schemes' rules forbid a merchant from keeping it once the transaction has been authorised, so it does not turn up on carbons, on statements or in a rule-abiding merchant's database.  By entering the code when the order is placed, the customer shows that they have the physical card in front of them. 

Frankly, if the physical card is stolen then the CVS code is stolen with it.  What it does is make it harder to originate a fraud from a copy of the card number alone: the carbons from credit card slips, a statement, or a card list lifted from a merchant who kept only what the rules allow.  That is real added security, but it is by no means a 100% check.

AVS

AVS is the address verification service.  This time the billing address the customer gives is checked against the address that the card issuer holds on file.  Only the numeric parts are compared, the digits of the post code and the house number, so a spelling variation in the street name does not cause a mismatch.  Note that the check is only available if the address is in the UK; for any other address the result simply comes back as not checked, which a merchant should never treat as a match.

This is why some on-line merchants insist that the billing address of the transaction is the cardholder's statement address.  AVS gives a pretty good defence against a stolen credit card or card details from some other source (except a credit card statement taken from your garbage, when the address is hardly a secret). 

AVS/CVS together

Put the two together and you are defended against most types of fraud, except of course against details stolen from a web site that asked for both pieces of information, or from a merchant who stored the CVS code against the rules!

One of the oldest frauds in the book is a web site that offers incredible discounts on goods.  Of course there are no goods and there is no merchant, just someone harvesting credit card numbers.  The classic low-tech version of this was the beach store selling t-shirts for a pound.  But "to keep their overheads low" they only accepted payment by credit card. 

Ultimate security

Now there may be cases where Mr Jones of Southend places an order with you for delivery to Nigeria, but I wouldn't put money on that sort of order being legitimate.   So the ultimate security is to insist on delivering only to the address confirmed by the AVS. 

Now we have the perfect guarantee: the card may be stolen, all the address details may be stolen, but the goods go to the owner of the card, not the fraudster - right?

Wrong!

Here is how it works.  The fraudster places an order on behalf of the card owner - say Mr Jones of Southend.  He knows that the goods will be delivered the next day because you guaranteed next day delivery, so the next day he strolls outside Mr Jones's house, and when the delivery van pulls up he walks over to it:

'Hey, is that my parcel from xxx?  I am Mr Jones.' 
'Sure buddy - sign here.'

It happens.  Of course it only makes sense for high-value goods, but if the price is right someone will do it. 

What about hackers

Any computer connected to the Internet can in principle be broken into, and unencrypted traffic can be read in transit.  However, provided you use a secure web server (SSL - I will maybe explain this in some future newsletter if I can figure a way of making it other than tedious in the extreme) so that card details are encrypted on the wire, and never transmit or store card details in the clear, you should be OK.  Better still, do not store card numbers on your own server at all: pass them straight to the payment gateway and keep only the gateway's transaction reference, so there is nothing for a hacker to steal.

The encryption in SSL is not the weak point.  With a modern cipher and a full-length key, breaking it by brute force is not a matter of hours of super-computer time but of far longer than anyone will wait; the old 40-bit 'export' ciphers are the exception, so make sure your server does not offer them.  The realistic risk is at either end of the connection, above all your own server and database.  If you use a good payment gateway service (we major on Servebase) then the physical and software security of the stored card data will be good, and looked after by people who do it for a living. 

Now I am panicking - what do I do

There is no need to panic unless of course you are selling gold bars on-line.  The Internet is very safe, and the risks are much the same as any mail order operation.  CVS and AVS, plus delivery only to the cardholder's address in the UK, give you a very fraud-resistant operation.

If you deliver goods on-line (software or other downloads) then you have to accept some risk, because there is no physical delivery address to check against.  There are fraud detection services which use patterns of purchasing across all their clients to detect possible fraudulent activity.  For example Retail Decisions (http://www.redplc.com/) or The Third Man (T3M) from Datacash. 

Use common sense

The big difference between your e-commerce site and a normal mail order operation is that because the orders are taken on-line there is no 'common sense' check before the order reaches the fulfilment function.  If you outsource your fulfilment to some third party and automate the process, then watch out - 50 pairs of shoes could be on their way to Jakarta. 

So it pays to be a little inefficient in processing the transactions and build in a check by someone who is going to apply common sense to the transaction before passing the order on.
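The cheapest way to build in that check is to let the software do the first sift and hold only the odd-looking orders for a person.  What follows is an added example, not the newsletter's ecommerce software nor a Servebase or Datacash product: it combines the CVS and AVS results from the payment gateway, the delivery-versus-billing comparison, the rogues' gallery ranking above and a velocity check for many different cards converging on one foreign country or one delivery address (the pattern in the Jakarta orders).  Everything in it is assumed for the illustration: the result strings ('match', 'no_match', 'unavailable'), the order fields, the thresholds and the sample orders are all constructed here.

```python
import re
from collections import defaultdict

# Hypothetical settings for a UK merchant. The watch list is the ten countries
# in the ranking above, as ISO 3166 alpha-2 codes.
HOME_COUNTRY = "GB"
WATCH_LIST = {"ID", "NG", "PK", "GH", "IL", "EG", "TR", "LB", "BG", "IN"}
HIGH_VALUE_GBP = 250.0          # above this, delivery away from the AVS address is held
CARDS_PER_COUNTRY_LIMIT = 5     # distinct cards to one foreign country in a batch
CARDS_PER_ADDRESS_LIMIT = 2     # distinct cards to one delivery address in a batch


def avs_key(line1, postcode):
    """Reduce an address to the digits of its first line and of its postcode.

    That is what UK AVS compares, so reusing it for our own checks makes
    'Flat 12, 12 High St' and '12 High Street' collapse to the same key,
    which defeats the name-and-address variants seen in the Jakarta orders.
    """
    return (re.sub(r"\D", "", line1), re.sub(r"\D", "", postcode))


def delivery_key(order):
    ship = order["ship_to"]
    return (ship["country"],) + avs_key(ship["line1"], ship["postcode"])


def screen_order(order, cards_by_country, cards_by_address):
    """Return ('fulfil' | 'hold', reasons) for one order.

    cards_by_country / cards_by_address map a delivery country or delivery_key()
    to the set of distinct card tokens seen for it across the current batch.
    """
    reasons = []
    ship, bill = order["ship_to"], order["billing"]

    # 1. Gateway results. 'unavailable' (e.g. a non-UK address) is not a match.
    if order["cvv_result"] != "match":
        reasons.append(f"CVS check {order['cvv_result']}")
    if order["avs_result"] != "match":
        reasons.append(f"AVS check {order['avs_result']}")

    # 2. Deliver only to the AVS-confirmed address for anything worth stealing.
    if ship["country"] != bill["country"]:
        reasons.append(f"delivery to {ship['country']} on a card billed in {bill['country']}")
    elif (avs_key(ship["line1"], ship["postcode"]) != avs_key(bill["line1"], bill["postcode"])
          and order["amount_gbp"] >= HIGH_VALUE_GBP):
        reasons.append("high-value order delivering away from the AVS-confirmed address")

    # 3. Rogues' gallery: a reason for a second look, not an automatic decline.
    if ship["country"] in WATCH_LIST:
        reasons.append(f"delivery country {ship['country']} is on the watch list")

    # 4. Velocity: many different cards converging on one foreign country or one address.
    n_country = len(cards_by_country.get(ship["country"], ()))
    if ship["country"] != HOME_COUNTRY and n_country > CARDS_PER_COUNTRY_LIMIT:
        reasons.append(f"{n_country} different cards delivering to {ship['country']}")
    n_addr = len(cards_by_address.get(delivery_key(order), ()))
    if n_addr > CARDS_PER_ADDRESS_LIMIT:
        reasons.append(f"{n_addr} different cards delivering to the same address")

    return ("hold" if reasons else "fulfil"), reasons


def screen_batch(orders):
    """Screen a batch in two passes: first count distinct cards per delivery
    country and address across the whole batch, then judge each order with
    that knowledge, so the first Jakarta order is held as well as the fiftieth.
    Returns {order_id: (decision, reasons)}."""
    cards_by_country = defaultdict(set)
    cards_by_address = defaultdict(set)
    for o in orders:
        cards_by_country[o["ship_to"]["country"]].add(o["card_token"])
        cards_by_address[delivery_key(o)].add(o["card_token"])
    return {o["order_id"]: screen_order(o, cards_by_country, cards_by_address) for o in orders}


# Constructed sample batch: one clean Southend order, one Southend card asking for
# delivery to Nigeria, and six Jakarta orders on six different cards.
SOUTHEND = {"line1": "14 Marine Parade", "postcode": "SS1 2AB", "country": "GB"}
SAMPLE_ORDERS = [
    {"order_id": "A1", "amount_gbp": 120.0, "card_token": "tok-jones",
     "cvv_result": "match", "avs_result": "match", "billing": SOUTHEND, "ship_to": SOUTHEND},
    {"order_id": "A2", "amount_gbp": 340.0, "card_token": "tok-jones",
     "cvv_result": "match", "avs_result": "match", "billing": SOUTHEND,
     "ship_to": {"line1": "7 Awolowo Road", "postcode": "101233", "country": "NG"}},
] + [
    {"order_id": f"J{i}", "amount_gbp": 410.0, "card_token": f"tok-{i:03d}",
     "cvv_result": "match", "avs_result": "unavailable",
     "billing": {"line1": f"Jl. Sudirman {i}", "postcode": "12190", "country": "ID"},
     "ship_to": {"line1": f"Jalan Sudirman No. {i}", "postcode": "12190", "country": "ID"}}
    for i in range(1, 7)
]

if __name__ == "__main__":
    for order_id, (decision, reasons) in screen_batch(SAMPLE_ORDERS).items():
        print(order_id, decision, "; ".join(reasons))
```

Run as written, the Southend order goes through, the Nigerian delivery is held for two reasons, and all six Jakarta orders are held because AVS could not check them, Indonesia is on the watch list and six different cards are asking for delivery there.  The two-pass design is what makes the Jakarta case visible at all: judged one at a time, the first five orders would have sailed through.  In a live system the same counts would be kept over a rolling window rather than a batch, and the thresholds tuned against your own normal volumes, since a home-country velocity rule with these limits would hold every busy day's orders.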