Monday, March 1, 2010

Dealing with International Fraud - a Few Basics

When we started looking for customers in the first payments startup I worked for, low hanging fruit were obvious. All you had to do to find them was look for a merchant's international shipping policy - or lack thereof - and continue from there. The value proposition we offered, where we would make final accept/decline decisions and insure them, was just good enough to be true and be worth a lot of money for those who wanted to expand internationally. Still, it wasn't easy to convince these guys to expand, I'll tell you that - for every one who was willing to check us out, at least ten were pretty happy selling internally in the US. Who thought of the international market at that time? Looking back at it, this was around the dawn of managed fraud and risk services, and though we spearheaded the offering for the more dangerous segments we most definitely weren't the only ones.

Now, however, of all the questions I am asked, the ones I hear the most - and with the most urgency in them - are the ones regarding international purchases. Unlike a few years ago, when merchants let themselves brutally limit international buyers and focused on domestic markets, it's clear today that global expansion is a key for sustained success. Every beginning publisher wants to talk localization. And they should: this is way more general than digital goods and content. While US eCommerce is forecasted to grow to 8% of all retail purchases in 2012, according to Gartner, European b2c sales are forecasted to outgrow US sales, and grow 20% in 2010, according to eMarketer. This is an amazing opportunity – and it means that a lot of real goods need to be shipped around the world. However, when you get to actually approving these transactions, often you find that you just don't get the tools you're used to outside of the biggest eCommerce markets and some don't even exist outside of the US.

So how do you deal with those tricky international purchases?

• Remember what international fraudsters aren’t – they’re not the people they are stealing from. Sounds very basic, but it will serve you well – most fraudsters are young, computer savvy males from 3rd world countries trying to use Western world cards and bank accounts. Note obvious mismatches in details: if details given for the customer (phone number, card bin country, address) just don’t match, come from distant parts of a country or look invented, beware.

• Purchasing history from other merchants, through a 3rd party vendor, serves you mostly when you delay shipment (either because it’s standard practice or you’re suspicious). For all other cases, you need to have velocity checks and an ability to identify returning fraudsters alternating details. There are some good machine-ID companies out there, but you also have to complement with rules that identify purchasing behavior that is different than what you are used to in your industry and shop.

• Contacting users makes sense – but only when you understand what contacting them tells you. Calling a VoIP phone does no good, same as emailing someone whose email domain ranges from the ridiculous to the less obvious; some seemingly fine domains host sites that are nothing but a blank page, so checking occasionally makes sense.

• IP intelligence can teach you a lot – you wouldn’t be surprised to hear that there are more fraudsters and more exploited, Trojan infested computers in big cities with high speed internet. It’s always good to know more about your user’s connection, especially if they are risky – if someone is initiating a payment to your site from within Microsoft’s Azure cloud, you may be up for some trouble.

• Find alternative data sources. No other country has such extensive public data sources of its citizens as the US, but free and paid databases exist outside of the US too. A good address and name resource like helps you know more about your customer, and social networks span worldwide. Too bad fraudsters can use this too…

• And, last but not least – know that there are legitimate people out there acting very ordinarily, but in a way that might strike you initially as dangerous. Where people relocate between states in the US, in the EU they do so between countries. Belgium and France share a language, and exactly as an Austrian might have a German bank account, so can someone from the Turkish minority. Time to polish your skills in geography, and read some Wikipedia pages!
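The velocity check and "returning fraudster alternating details" rule from the list above can be sketched as follows. This is an added example, not code from the original post; the field names, thresholds and sample orders are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample orders (not real data). Field names are assumptions.
ORDERS = [
    {"id": 1, "ts": "2010-03-01T10:00", "email": "a@example.com", "card": "c1", "device": "d1"},
    {"id": 2, "ts": "2010-03-01T10:20", "email": "b@example.com", "card": "c2", "device": "d1"},
    {"id": 3, "ts": "2010-03-01T10:45", "email": "b@example.com", "card": "c3", "device": "d2"},
    {"id": 4, "ts": "2010-03-01T11:00", "email": "z@example.com", "card": "c9", "device": "d7"},
    {"id": 5, "ts": "2010-03-04T09:00", "email": "z@example.com", "card": "c9", "device": "d7"},
]
KEYS = ("email", "card", "device")  # identifiers a returning buyer may reuse

def link_orders(orders):
    """Union-find: orders sharing any one identifier value join one cluster."""
    parent = {o["id"]: o["id"] for o in orders}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    first_seen = {}
    for o in orders:
        for k in KEYS:
            other = first_seen.setdefault((k, o[k]), o["id"])
            parent[find(o["id"])] = find(other)
    clusters = defaultdict(list)
    for o in orders:
        clusters[find(o["id"])].append(o)
    return list(clusters.values())

def flag_clusters(orders, max_orders=2, window=timedelta(hours=1), max_cards=1):
    """Flag clusters with a burst of orders in one window or several distinct cards."""
    flagged = []
    for cluster in link_orders(orders):
        times = sorted(datetime.fromisoformat(o["ts"]) for o in cluster)
        # Largest number of orders falling within `window` of any starting order
        burst = max(sum(1 for t in times[i:] if t - times[i] <= window)
                    for i in range(len(times)))
        cards = {o["card"] for o in cluster}
        if burst > max_orders or len(cards) > max_cards:
            flagged.append(sorted(o["id"] for o in cluster))
    return sorted(flagged)

if __name__ == "__main__":
    print(flag_clusters(ORDERS))
```

Orders 1 to 3 never repeat a full identity, yet they chain together through a shared device and a shared email; the repeat customer behind orders 4 and 5 is left alone.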

Applying the above should take you a few additional steps on your way to opening up your site to international commerce. And one additional thing to remember: deploying a great set of filters is close to useless without a team that iterates on it and improves it as user behavior changes - the alternative is reactive risk management, slowly closing itself down using black lists and limitations until you resort back to the good ol’ US domestic shipping. Don’t let that happen to you; the international opportunity is too big to miss out on.


AKBAN veterans said...

Concise and informative. Tnx

David Jones said...

That's a nice post Ohad.

Two comments:
1. I think it's also worth pointing out that bad guys will often choose a proxy or compromised host that maps the IP Geo well to their CC BIN or Cardholder address.
So folks need to know how to drill deeper into IP and its relationship with transaction data anomalies.

2. re:good guys - I agree that once a merchant starts off handling off shore orders; they start shadow boxing false positives that can be a huge drain on resources. So automated information-surfacing tools for decision support are your friend :)

Enjoying the blog!


SghnDubh said...

Being a "VIP" high-volume customer of PayPal, offering certain customers use of credit cards directly on my site, and selling millions in publisher-authorized virtual goods, I've dealt with my share of fraud.

You list a few sensible precautions that might help prevent the 'casual fraudster.' But there are highly "professional" rackets involved in online fraud. They're quite savvy enough to seem completely legit to the merchant, transaction after transaction.

So while some of the burden rests with merchants to screen out more obvious fraud, the biggest help would be to legislate the banks back into better due-diligence. They're the ones issuing the "approvals" then shifting fraud charges to the merchant. AVS & CVV2 are a joke; banks don't even consider those codes if the customer claims fraud.

A bank's "approval" should carry with it the risk. Doubtful this will change, so the continued innovation of third-party, credit-card-less payment processors will help.

Wired has a good article related to this very topic this month.

Ohad Samet said...

Thanks for the comments. As noted, I didn't intend to give a comprehensive guide, agree there are many ways to game a fraud/risk detection system. I'm not a fan of scare tactics, though, and know (based on experience) that dealing with fraud scalably and profitably is doable.

As for coverage by the banks, we have coverage by card issuers. It's called Verified by Visa and it's efficiently killing sales worldwide... :)

Meir Torgeman said...

Ohad, I believe that whoever is dealing with fraud, and has it close to his heart, will enjoy reading this post.
Keep letting us enjoy your posts.


EdoReloaded said...

Thanks for this post.
I agree with your "basics". I am struggling in finding more resources, advanced trainings, histories to make mine. There is not enough data available and whoever teaches, usually doesn't have the background to give the right ideas.
Maybe a data analyst, looking at the numbers in a "nude" way, without thinking about "fraud", may tell me something. In the meanwhile, if anybody has any suggestion, it's more than welcome to forward it to me.