History of Fraud Online

Fraud is not new. The taking of property from others has been around as long as man has been on this earth. Fraud is characterized as the taking of goods or services from another by use of trick or device.

In some cases the concept of fraud is very clear, such as cases in which a fraudster is clearly trying to pass off stolen credit cards or trying to steal goods going to another individual. But not all fraudsters are hardened criminals. In some cases, what may look like a good consumer is actually nothing more than a fraudster.

For example a consumer may believe he or she is smarter than the merchant and will order a product with the intent of using it and returning it. Or a consumer may order goods, receive it, and say they didn’t receive it.

For some consumers, who are normally good consumers, they don’t believe these types of activities are actually fraud. But to the merchant the end result is no different than if a hardened criminal had used a stolen credit card.

How has Fraud Evolved?

Going back to the mid 1990’s, we can see the beginning of real commerce from the Internet. I want to start our discussion here to show how in a span of only ten years so many different fraud scams evolved in order to give you a feel for the scope and pace of change.

With the start of e-commerce back in 1994 we started to see the first true buy buttons appear on the Internet. Not soon after we started to see several types of fraud. The first fraud trend to be seen was the use of “Famous Names” to commit fraud. In this attack, the fraudster would use third-party stolen credit cards with the celebrity of the day’s name.

In this attack you need to remember when you complete an authorization, the name used in the purchase is not checked. The fraudsters knew this and they used this to their advantage. They also knew human behavior: Businesses were excited about the Internet, “a whole new world,” and they were too excited about the fact they got an order in the first place to actually think someone might be trying to steal from them. Likewise how many people actually check the names of each order to see if the name looks real?

It had to be a fun conversation, and an embarrassing moment for all, when they saw how many orders were being placed by Mickey Mouse, Bill Clinton, Lex Luther and John Wayne.

So merchants got smarter and they implemented rules to check the name being used. But it was only partially effective, as there are so many possible names, and so many people with the same name. Likewise the fraudsters moved on to new attacks.

Next came the technical attacks in which developers created card-generator applications that could come up with real credit card numbers, and they put them out on the Internet. Credit card generators were available everywhere for download on the Internet and fraudsters wasted no time using these generators to find credit card numbers they could use to make purchases.

These attacks were typically targeted at the same vendor, meaning a fraudster would focus their attacks on a single merchant to defraud them over and over again. As time progressed a new trend emerged in which the fraudsters start to jump from site to site, not staying long and hitting multiple merchants with fewer hits to make their activities less noticeable. This was very disturbing as most of the merchants at this time were relying on home-grown applications and manual reviews to prevent fraud. Merchants had no way to see cross-merchant activity until the card associations reported it, and by then it was too late.

After 1996 fraudsters started to use the Internet as a test bed for stolen credit cards. Before the Internet, fraudsters used to take stolen cards to the local gas station where they could test to see if the card was still active and good by trying to buy a gallon of gas at the pump. If it worked they went on a shopping spree. The trend now is for fraudsters to use the Internet to test credit cards and then go on shopping sprees.

Up to this point the fraudsters were still relying on old tried-and-true techniques to get credit card information. They used skimming, dumpster diving, mail theft, actual theft of people’s cards and application fraud. But as Internet commerce grew you started to see a group of fraudsters using the Internet to harvest credit card information. The fraudsters would go out on the Internet to attack merchant sites and get new identities and card information to use to defraud the same, or other, merchants. These fraudsters use a technique called “cracking” as their main method to retrieve this data.

If the Internet boom was a creative boom, the fraudsters were right there with the industry. Groups of fraudsters found more and more clever ways to steal goods and services without the hassle of having to find actual credit cards and trying to mask their identities. Fraudsters started to hijack orders. They would hack into merchant sites or watch consumers and find out where and when they placed an order so they could steal the shipment. The fraudster would either wait for the goods to arrive and take them at the point of delivery. Or they would call the merchant, or shipping company, and change the delivery address while it was in route. As the Internet began to peak in the late ’90’s, so did the fraudster’s creativity in committing fraud.

As 1998 rolled around, the Internet was filled with e-commerce websites. Established merchants are climbing all over themselves to get online, and new merchants are trying to set up the next big retail conglomerate. Everyone is predicting the fall of the direct retail channels and the rise of the e-commerce world. So what a better time for fraudsters to commit more sophisticated securities and property scams.

Fraudsters took this Internet fever and used it to their benefit by setting up dummy merchant sites where they could funnel credit cards through their own site to create cash flow and then before the charge-backs rolled in they would shut the doors and leave the country. In some cases the merchants would share credit card information with fraud rings to have them commit fraud at other sites.

Not too long after this we started to see the mass theft of identifies from the Internet through information that is provided online under the Freedom of Information Act. The most famous example of this was the mass theft of Military IDs from the Internet and then the follow on use of these identifies to steal from multiple merchants. Since then the private sector and government have become more careful about sharing this information. The problem for our government is the Freedom of Information Act, making a lot of this information public domain. But the sad fact remains that even if this information was not on the Internet, a fraudster can still go to state and county public offices to collect this type of data. Understanding this dilemma, merchants started to look for new ways to verify consumer information.

So merchants online started to think about ways they could stop fraud. One of the methods merchants developed was the use of consumer accounts. The merchant would set up a consumer account the first time the consumer tried to make a purchase. When the merchant set up the new account they would perform a series of checks to validate that the information the consumer provided was true. Merchants typically asked for more data from the consumer with this method, but they offered the consumer an easier “one-click” checkout process as an incentive to provide it. The concept was good, and consumers and merchants liked the new account method. This method was very popular at auction and larger e-commerce sites. But fraudsters liked this new method as well. Most merchants were only performing their fraud checks when an account was set up. Merchants weren’t performing fraud checks when a consumer changes their shipping address, or added a new card. For fraudsters, they could set up new accounts with one credit card, and change the credit card information in their account as many times as they wanted to commit fraud. In a 90-day charge-back cycle they could process a lot of purchases with a lot of credit cards. Fraudsters could also take over a consumer’s existing account and change the shipping address and place a number of orders.

As auction sites like eBay and uBid got popular a lot of new fraud schemes arrived specifically targeted at this community, from selling bogus goods to misleading the consumer as to the type and condition of goods sold. The online auction fraudster had many more scams they could pull. From setting up a number of auctions and selling goods they don’t really have, collecting the payments and then changing their identity, to using stolen credit cards to buy goods they sell on auction sites. Fraudsters could also use the buyer’s credit card information to buy additional goods that they then could sell back to other consumers on the site.

After 2000 we really started to see organization in the fraud attacks. Online gangs and fraud rings start to emerge. From Asia to Nigeria to Russia we saw a very systematic fashion of attacks coordinated to move goods from the site to a third party to fence and sell them.

We also saw the emergence of social engineering in which fraudsters become bolder in their attacks, taking the initiative to contact the issuing banks, the merchants and credit bureaus to complete their fraud. Even when flags are raised the fraudster will have taken initiatives to validate their identity enough to get the merchant to ship the actual goods.

This is only a snapshot of the fraud scams committed over the last ten years, and only focuses on the online aspect of the card-not-present transaction. The fact is Visa estimates online fraud to be approximately seven times that of fraud in the card-present world. Some independent analysts have the estimate as high as 12 times. The initiatives by the card associations will help curb fraud, but as a merchant today you have to be prepared to fight this battle; and for some of you reading this, that battle may mean the survival of your business.