This may be the best strategy to reduce online fraud risk

Fraud losses continue to plague online retailers, even though some recent statistics suggest that the tide is turning. A new study by Experian fraud analysts explores an innovative new data enhancement strategy to help make mitigating fraud risk a reality.

On the face of it, online fraud appears to be declining--at a limited rate. Charge-backs due to fraudulent activity decreased in 2003, according to the Merchant Risk Council (MRC), a nonprofit membership organization that works to protect and encourage secure online commerce for merchants and consumers. In the MRC's 2003 member survey, only 10% of respondents reported fraudulent charge-back rates greater than 1%, compared to 18% of respondents in 2002. However, the MRC survey also reported that, in general, merchants are spending higher rates of their revenue on fraud prevention, with 17% of merchants spending greater than 2% on fraud prevention in 2003, versus 13% of merchants in 2002.

More at Stake

In actual dollars, fraud losses are growing as the volume of business conducted online continues to increase dramatically. Online consumer purchases were up 25-30% in 2003 (U.S. Department of Commerce) and are expected to rise at a similar pace for the next several years.

Online fraud also imposes hidden costs that go well beyond actual dollars charged back. Revenue is lost when legitimate orders are turned away because they look suspicious and can't be quickly verified. Manual review rates are trending up, tying up staff time and delaying shipping--a particularly unwieldy dilemma for large merchants. And now, tighter restrictions by some credit card issuers are adding new pressure to reduce charge-backs and avoid penalties.

A Dearth of Useful Information

Online merchants face two concurrent challenges in fighting fraud. First, they typically rely on a limited amount of internal and order information that is not always effective in detecting fraudulent transactions. For example, the information provided in an online order is usually limited to name, address, phone number, and credit card number, and a merchant's internal database may only tell them if the customer has previously ordered from the site. Second, cyber criminals are growing increasingly sophisticated in their efforts to exploit the vulnerabilities of card-not-present (CNP) transactions.

Could new sources of real-time, automated data put the power back into retailers' hands? That's the question Experian fraud analysts addressed in a recent study, Optimizing Data Sources to Prevent Online Credit Card Fraud. This groundbreaking analysis reveals that the best defense against CNP fraud is to incorporate external data into the fraud detection and decisioning process. For example, do the name and addresses that are being supplied seem to be a valid combination? Are any of the addresses high risk, such as mail-box stores, hospitals, libraries, prisons, or freight-forwarding companies--the types of addresses typically used by fraudsters? Does the consumer own the card that is being used? Has the consumer activated fraud alerts?

Bear in mind that from a regulatory perspective, using data for identity verification and fraud detection is much different from using data to make a credit decision. Merchants are not extending credit, only ensuring that the requested transaction is legitimate and that customers are who they say they are and live where the merchandise is being shipped.

Many merchants don't reach for data beyond their own walls to determine the legitimacy of the most basic information supplied by the consumer. But CNP merchants need to ensure that the consumers they're dealing with are who they say they are and that they are providing legitimate information. They have to be sure that all of the different pieces of customer ID and other data are in sync. When pieces are missing, incorrect, or don't match the database during the authentication process, there's a much higher probability that the transaction is fraudulent--this has been proven.

Typically, online merchants rely on front-end information to identify potential fraud by checking:

* Order data, such as name, address, shipping priority, and bill-to versus ship-to address.

* Credit card data, such as card verification number (CVN) match and stolen-card lists.

* Internal positive and negative databases.

These simple checks are most effective for customers who have previously shopped at the merchant's site. However, for a new customer or a repeat customer using a different billing address, it's difficult to make a judgment call without looking at external data. Otherwise, even with high manual review rates, many orders will be turned away because of insufficient decisioning information.

Combining Internal and External Data

The Experian study focused on actual transaction data from two major online retailers. The companies' internal and order data were combined with predictive external attributes to determine an optimal fraud prevention strategy.

Statistical tools were used to help identify the most predictive set of internal and external data attributes and to combine them to create several "risk-based" segments. These individual segments displayed varying fraud rates. Some were seen to predict high numbers of fraud accounts with low false positives, while others were seen to predict high levels of genuine transactions with low fraud volume. The individual segments were then ranked in order of overall fraud detection rates from best to worst.

The most highly predictive external attributes included the following:

* Do the customer's name and phone number match the billing address?

* Does the Internet Protocol (IP) location match the billing address?

* Is an IP anonymizer being used?

* Is the credit card number verified to the customer's name and address?

* Has the billing or shipping address been associated with known fraudulent activity?

By incorporating this kind of external data into the decisioning process, many more frauds are uncovered than by using internal/order data alone. Segments where customers raised red flags on these attributes had fraud rates ranging from 4.5% to 23%. This can be compared to internal/order attributes, for which the individual fraud rates averaged around 2%.

* In the highest-risk segment, 54 frauds were found, compared to 16 valid orders, equating to a fraud rate of 77%.

* The lowest-risk segment in the study had six frauds versus 2,369 valid orders, equating to a fraud rate of 0.25%.

In both segments, the primary factor was the level of customer and address authentication present. Secondary factors included whether the credit card could be verified with the name and address supplied, the shipment type, and the payment type.

Card-Not-Present Score Provides 31% Improvement

The most predictive attributes can be evaluated separately, but this is not very useful for time-sensitive Internet retail operations. To make the information easy to use, the study included the development of a CNP identity score that synthesized the most relevant data into a single number--essentially the higher the score, the lower the level of risk in approving the transaction. This powerful score, which amalgamates both internal and external data, can reduce manual review significantly and identify more fraud, with fewer false positives.

In the study, the verification score detected 31% more fraud in the worst-scoring 20% of customers than would have been identified using only internal and order data. This represents a sizable lift (i.e., statistical improvement) in fraud identification with no resulting increase in manual reviews.

An additional benefit of a score-based approach is that the score can be used to drive decision strategies. For example, a score representing a medium level of risk may lead to an order being accepted if it relates to a low- value purchase or rejected if it relates to a high-value purchase or a high-risk good, such as a plasma TV.

A number of useful observations came out of this study, indicating a new and more promising avenue for reducing online fraud:

* Optimal risk prevention can be achieved by using internal, order, and external data.

* Segmentation can better define risk to help prioritize actions.

* Shared fraud data from other industries is highly predictive.

* Combining external and internal data in the form of a CNP-based score significantly increases fraud detection rates while decreasing manual reviews.

* CNP-based scores have the added benefit of allowing high-risk or suspicious orders to be prioritized in order of risk, allowing for additional streamlining of the order process.

* The performance of order, consumer, and internal data does not vary significantly across merchants.

In the Experian study, the best combination of a merchant's internal data alone identified 53.1% of total fraud in the worst-scoring 20% of customers. When external data was added to enhance the decisioning process, 84.1% of total fraud was identified--a 31% lift.

[FIGURE 1 OMITTED]

Stephan Barney may be contacted by e-mail at stephan.barney@experian.com.

Stephan Barney is director of business development for Experian's Fraud Solutions organization based in Costa Mesa, California. He has more than 13 years of experience in financial services and data management with a focus on credit and fraud risk management. Currently, he is responsible for transferring the risk management lessons learned from the financial services industry to new markets, specifically card-not-present merchants and retailers.

COPYRIGHT 2004 The Risk Management Association
COPYRIGHT 2005 Gale Group