At a recent conference in Dublin, the world’s biggest online vendors, including Amazon, Facebook, Google and eBay, gathered to hear about the latest technologies being employed to outsmart online fraudsters
MATTHIEU CHAPELLE has a thing against dodgy farmers. This doesn’t manifest itself in some form of rage towards dairy producers or John Deere drivers, rather the bane of his existence are fraudulent “gold farmers”, a particular type of criminal that are the scourge of the online gaming world.
Chapelle is billing manager for Gala Networks, the Dublin-based publisher of massively multiplayer online games, who describes the farmers in questions as a “highly organised, professional network” of fraudsters who use stolen credit card numbers to harvest virtual goods which are then sold on for real-world currency.
Chapelle was explaining Gala’s approach to fighting the fraudsters at the recent European Congress of the Merchant Risk Council (MRC) in Dublin’s Burlington Hotel. A non-profit organisation, just a decade ago the MRC was a “rag-tag bunch of online vendors” but now there are more than 300 member companies, including some of the biggest brands on the planet.
“Online video game fraud is a €3 billion industry,” Chapelle revealed, before adding that “it doesn’t matter if you’re selling holidays, music or electronics, online merchants all face an issue with fraud.”
As Nicolas Vedrenne, the MRC’s Europe managing director noted, “80 per cent of fraud comes from organised crime”. These “global mafias” as he put it use data breaches, stolen credit-card details and identity theft as weapons. On average 1.2 per cent of online transactions turn out to be fraudulent.
With the e-commerce market increasing by 13 per cent year-on-year (and expected to be worth €203 billion by 2014), this leaves the MRC trying desperately to spread the word about how to stop the fraudsters before they get a bigger piece of the action.
“The problem,” said Vedrenne, “is you have these criminals accumulating massive amounts of data which they can sell over the internet. So, a student with no money may be tempted to buy some old credit card numbers and overnight buy a plane ticket, some Nike shoes and play some video games.”
Vedrenne, and MRC executive director Greg Goeckner admit it’s difficult to address the issue publicly without “giving a step-by-step guide on how to carry out fraud”, but the Dublin congress was an attempt at just that.
MRC members in attendance with notable operations in Ireland included Amazon, Facebook, Google, eBay, Yahoo, EA, Apple, Dell, Microsoft, Gala, Paddy Power as well as congress sponsors Chase Paymentech. Also there were the US Secret Service and the UK-based Serious Organised Crime Agency (SOCA).
Indeed, the latter pair’s presence may have inspired the many references to an “arms race” by congress speakers, as a metaphor for how they try to keep pace with the fraudsters. To tackle the problem, merchants are bulking up their data requirements from customers to ensure a transaction is real, but laborious checkout facilities are a turn-off for many online customers.
It should be remembered that the customer, to a certain extent, is left untouched in all this. If money has been taken from your account to buy virtual currency or a very real Caribbean holiday, you’ll get it back. The cost to the merchant though is great.
Gambling sites are giving real money to those who have bet with fake funds, travel agencies are paying the full cost of holidays when trips are bought fraudulently, while merchants dealing in physical or digital goods see stock or intellectual property lost to unscrupulous foes.
Another worry, one which Verdenne referred to several times, is the increasing customer penchant for buying goods via mobile devices. Pascal Burg, a director with financial strategy consultants Edgar, Dunn Company, feels that in the long-term mobile-based payments may, in fact, be safer.
Burg presented a study on payment trends in which he told how near field communication (NFC) chips can now be used to safely store account details within a mobile’s SIM card, or on an SD card, embedded chip or software.
Google Wallet – which allows users swipe smartphones over an in-store terminal to pay for goods – uses NFC. A lack of in-store infrastructure will see such systems “held back for a few years yet” said Burg.
However, Samsung, Blackberry, HTC, Google and Nokia have all built NCF-enabled phones. Intel and Mastercard have created an NFC mobile phone chip which communicates with Intel Ultrabook laptops, generating a six-digit code to complete transactions with an e-commerce site automatically.
Taking out his iPhone (which isn’t NFC-enabled as yet), Burg said “it will be as easy as waving this over the computer and the transaction is complete”.
Many MRC members were more concerned though by the report from Akif Khan, EMEA director, products and services with payment management company, CyberSource. Khan was presenting the results of a European online fraud survey completed by 60 MRC members in order to benchmark fraud figures. Producing the aforementioned stat of an average fraud rate of 1.2 per cent, the survey showed 69 per cent of merchants are using IP geo-location technologies to check that someone claiming to be from Crumlin isn’t actually in Caracas.
Meanwhile, 36 per cent are using device fingerprinting technology, which, Khan explains, sees merchants “put scripts on to their site which gathers information from the device used for a transaction”. Quick to point out that no personal information is gathered here; Khan said the data refers to memory size, time-zone or the configuration of the operating system to “create a fingerprint for that device”.
Other findings included 37 per cent of respondents using Visa’s enhanced “3-D Secure” passwords during transactions, with 84 per cent of merchants surveyed asking customers for credit card verification codes.
As for Gala’s Chapelle, many at the Burlington found his talk on gold farmers provided a handy to-do list for tackling fraudsters. The company has reduced incidents of “chargebacks” (return of funds to credit card companies following fraud) by around 90 per cent since last summer to this spring.
For those looking to follow the example, the Frenchman recommended initiating a black-listing process for iffy IP addresses as well as using 3-D secure, geo-location technology and manual transaction reviews.
Those pesky farmers may take a while to plunder Gala’s goods again.
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/sandbox.irishtimes/GW3FWAURWFGM7FF4RMYJLBG7ZI.png)