Iron fist-style safeguards in velvet gloves

Covering your transactional website in the cyberspace equivalent of barbed wire may help prevent fraud, but Steve Hemsley looks at how marketers strike a balance between stimulating legitimate sales and online security

Retail fraud used to focus on tangible assets like cash and stock but today’s criminals are much more hi-tech, with 13% of online businesses losing more than 5% of their revenues to fraud and 41% of consumers not shopping online because of concerns over security, according to the CyberSource 2009 Fraud Report.

Marketers need to address this urgently because the list of online cons appears to be ever increasing. Popular techniques include phishing – when fake emails appear to be from a bank or retailer; trojans – computer viruses that track keystrokes and capture passwords; and internet-based click fraud – a crime that revolves around pay-per-click advertising when a person or automated system imitates a legitimate user of a web browser and clicks on an ad to generate a charge every time without having any interest in the ad’s link.

Add general credit card fraud to this list and criminals stealing someone’s identity by taking over their account or fraudulently applying for an account using another person’s details. It is enough to make anyone think twice about buying or selling online.

APACS, the UK payments association, says losses from online banking fraud rose by 132% in 2008 to £52.5m. A rise in the number of online shops is partly behind the increase, but tackling fraud will remain a priority for the card industry as it tries to reassure stores and their customers.

APACS is urging more web retailers to take up 3D secure online payment systems such as MasterCard SecureCode or Verified by Visa. This way, any customer who has registered their bank card for additional security checks cannot complete a payment until extra personal details have been entered.

The bank page that pops up when a customer attempts to complete a purchase is served by their financial services provider rather than the retailer. Rob Turner, chief executive of website OnHotels, says fraudulent transactions fell by more than 50% when he adopted a fully 3D system. His company also uses secure hosting company Iomart to protect its website and online data.

“We cannot eliminate fraud completely because many customers use a bank which does not have additional security protocols or they have chosen not to register for them,” says Turner. “We do not want to prevent such customers from using our website so fraud will always occur. It comes down to being vigilant.”

Carl Clump, chief executive of Retail Decisions, a company that helps to protect retailers against online card fraud, agrees that to maintain consumer confidence in using online sales channels, stores must find the right balance between preventing fraudulent transactions and maximising legitimate sales.

“Denying too many transactions can be as detrimental to consumer confidence as allowing too many fraudulent sales to occur,” he warns.

Despite APACS doing its best to promote the use of 3D secure payment systems, they are not without their critics. Jane Crossley, consultant at data specialist Jaywing, claims such systems make many consumers click away at the final stage of the shopping process because they get bored and frustrated at inputting so many details.

“Some 30% of sales can be lost when 3D secure processes are invoked,” she says. “It may reduce fraud but it does little to help retailers in a recession. An alternative would be to apply 3D security to high-risk transactions only.”

Retailers may also need to be aware that young people are most at risk online because they are less security conscious, according to a survey by advice website GetSafeOnline that was carried out in April. Many 18- to 25-year-olds put personal details on social networking sites like Facebook and are susceptible to identity fraud.

So what should online marketers do? In March, global industry standards body the PCI Security Standards Council unveiled guidelines to help retailers. The advice includes not storing data that isn’t needed and monitoring who has access to and control of the security system.

“A strong security strategy can be a differentiator for consumers and can help a brand by protecting its reputation,” says Steve Wright, an online data security expert at PricewaterhouseCoopers.

It would also be wrong for marketers to assume that responsibility for preventing fraud lies solely with the IT team. Email marketing campaigns can take a battering if consumer trust is damaged by experiences of scamming, while the appearance of security logos on a website can boost consumer trust. Online hotel search site QuickRooms has seen sales increase by 7% since it began displaying a VeriSign EV SSL security certificate.

This measure reassures consumers that personal information sent between a web browser and web server is encrypted, which protects against phishing schemes. The browser also turns green to illustrate everything is secure and the name of the company that owns the website also appears in the address bar.

“You need added assurances to turn browsers into buyers,” says QuickRooms product manager Stephen Mills. “This is just part of our security procedure. We don’t store credit card details anywhere and we do manual checks with hotels such as checking copies of passports.”

Marketers must also ensure their back-end processes linked to online purchases are secure. When a consumer has difficulty buying online, they will often call a contact centre to complete a transaction.

Derek Bishop, managing director of customer service and outsourcing specialist Abeo Consulting, cites a number of security breaches at contact centres in the last 18 months from sales made via web shopping applications. Earlier this year, the BBC exposed how a criminal gang was selling UK credit card details stolen from Indian call centres.

“The focus on enhancing web security has led many customers to divert their attention away from offline security and maybe some call centres are too relaxed,” warns Bishop. “Consumers cannot know what security processes are in place at a call centre and, based on trust, are providing their card details, including security codes and expiry dates to potential fraudsters on a daily basis.”

The days when the only crime retailers had to worry about was conventional shoplifting now seem a million miles away.

Case Study

Just after John Sollars launched online printer cartridge retailer Stinky Ink Shop, fraudsters hit his site. He was getting seven or eight small orders a day from different addresses and shipped £32,000-worth of goods in six weeks that he was never paid for.

“As the sales had come from a ring of criminals all over the UK, it was too big a task to file reports at every local police authority and nothing would have happened anyway as the individual transactions were of low value,” says Sollars.

He fought back using email marketing and search engine optimisation to generate extra traffic. He also installed software from ecommerce company Actinic that incorporates features to help protect against fraud. Payment methods can be restricted by geographic region so merchants can identify high-risk areas and refuse card payments. Shoppers also have to accept the site’s terms and conditions before ordering.

Chris Barling, chief executive at Actinic, says fraud is a classic area where marketing’s requirements can conflict with best practice.
“Most online retailers would like to complete all aspects of a sales transaction at their own website but to do this you need black-belt level security,” he says. “Retailers should outsource the payment part of the website to the likes of PayPal or other online payment providers.”