Internet Fraud

What is Internet Fraud?

There are many types of Internet fraud the most obvious being credit card. Credit card fraud can be viewed from two perspectives, that of the consumer to business (CtoB) and that of business to consumer (BtoC).

The Internet is the perfect environment for every crook, thief, and pickpocket to ply his or her trade with almost complete anonymity. There is so much credit card fraud on the net it is beyond belief

Some surveys indicate 57 percent of Internet users have shopped on line. One estimates 20 to 40 percent of online purchase are fraud attempts. Twenty eight percent of attempted online purchases failed and that four of five consumers who have purchased goods online within the last 12 months experienced at least one failed purchase attempt.

Things may not be improving. MSNBC reported last week that VISA quietly informed select merchants that 485,000 credit card numbers were stolen from a major e-tailer about a year ago. According to the report the company covered up the issue.

Being in the online business means a tremendous increase in fraudulent purchases made with stolen credit card information. In many cases, the thief has more complete and current information about the actual cardholder than the credit card company. In some cases, credit card numbers that receive an approval number turn out to be totally fictitious numbers -- based on the algorithm (programming formula) used to produce authentic numbers

One one such occasion an unscrupulous business bought a database of customers and their credit card number from an ailing organisation. The owner then set about charging their credits, albeit small individual amounts to the tune of 38 million dollars before being caught.

On another occasion a teenager gleaned thousands of credit cards from an e-commerce sites and then gave them away one at a time on the Internet for weeks. He did this because his blackmail attempt upon the owner of the database of credit cards would not play ball. It is suspected that the teenager could gain access to the credit card numbers in the first instance because they were not encrypted.

So why is this situation getting so bad? Technology! Yes, the very same technology that allows us an online business also allows others to rip us off. The advent of free, web-based, non-ISP e-mail addresses such as @hotmail.com, @usa.net, @juno.com and upwards of 1200 of free e-mail forwarding addresses afford a credit card thief a perfect veil to hide behind.

The free e-mail addresses can't be traced back to the real owner;it usually takes a court order to get an e-mail forwarding service to disclose customer information.

In Australia the Banking Ombudsman's annual report said he received 1,003 complaints about credit cards, the most common for unauthorised transactions and incorrect debiting of an account.

It was the first time credit card complaints outstripped those about home loans, the Ombudsman, Mr Colin Neave, said. He further said the rise in complaints reflected the increased use of credit cards; in the past three years credit card debt has almost doubled, to $16 billion.

How do thieves get Credit Cards?

• There are stolen credit cards.
• Credit cards misused by friends, family and work colleagues.
• There are Lists of stolen credit card numbers on the internet located within special news groups.
• There are programs that will generate valid but fictitious credit card numbers. There are now underground software programs available that can generate an unlimited number of mathmaticaly valid, yet fictitious credit card numbers. Combine that with complete anonymity and it spells big trouble. In addition, there are newsgroups out there that actually post stolen credit card data. So someone picks your pocket now and ten minutes later all your data is available worldwide.
• Unscrupulous organisations will harvest details on a person and then create a credit card in their name having found only partial information on the individual.
• The banks give credit card merchant accounts to anyone: gambling establishments, escort services that are thinly disguised prostitution rings, pornographers etc. The fact that a business accepts credit cards means nothing in terms of their credibility. This merchant can now distribute the purchase’s credit card information freely or use it to make purchases.
  
  The net is not like a walk in retail store where the card is swiped through a terminal. If a consumer has his or her card physically stolen they are likely to know it pretty quickly, it gets reported and the card is stopped from authorizing any more charges. If a merchant hijacks a person’s credit card information the person is probably not going to know it until the bill comes several weeks later.
• Just as in the more conventional sense, if a person has their credit card details hijacked by, say the local waiter in a restaurant, the person says I did not make these charges but will still not be aware until the next account arrives.

How are E-tailer Handling Credit Card Transactions?

Some retailers are starting to acknowledge exactly how much pain that the problem is causing them, and how much damage it is doing to their bottom line. A major Australian e-tailer, estore, had to employ workers to manually verify credit card orders, which he said filtered out 99 per cent of fraudulent transactions. "If we were to automate order process so that all orders were shipped automatically without manual verification of suspect orders, we estimate the impact to be five to seven per cent of overall revenues," they said. If this can be considered as typical, then the normal levels of fraud could be wiping most, if not all, of e-tailer's profit margins. Interesting to note e-store is no longer in business.

Who is responsible for the fraudulent transaction?

By and large in Australia it is the financial institution that is responsible for the recovery. However we are now dealing in the international market with no boundaries. Of shore organisations often use foreign processors that can make reversing transactions very difficult.

Internet Fraud Statistics

In February 2000, Mastercard started monitoring how Internet transactions run through its payment processing systems for the first time. Steve Draper, director of e-commerce at Mastercard, said "The first thing to see is how big a problem it is," said Mr Draper. "What's missing in the market place is definitive statistics - and the only ones who can provide that are credit card vendors. The technology has crept up fairly quickly on us too, and we have only had since February the ability to classify transactions by source. What's missing is a track record."

The first online vendor to break the silence on the issue was Expedia, a NASDAQ-listed online travel provider which is 80 per cent owned by Microsoft. The company admitted it would take a charge of between US$4 million and US$6 million in the second quarter of 2000 due to a sustained bout of credit card fraud from November to February by what are thought to be professional thieves. By comparison, Expedia's revenue in the last quarter of 1999, which contained half of the duration of the crime, amounted to US$17.8 million. If you run the numbers, the ratio of real revenue against fraud could have been as stark as six to one. These sorts of numbers would scare any retailer.

Online auction transactions, while still the majority of Internet fraud complaints, are decreasing. But other categories of Internet fraud, such as work-at-home scams, are rising. As with telemarketing fraud, Nigerian money offers have made the top ten. Rankings and percentage of total complaints are shown below:

Methods of Contact

Con artists in newsgroups are the most common way that consumers are solicited for fraudulent Internet offers:

How do we avoid Internet Fraud?

KURT – Know your company, Understand the offer, Check the companies Record, Time, don’t be rushed.

Do business with companies you know and trust.

Be sure you know who the company is and where it is physically located. Businesses operating in cyberspace may be in another part of the country or in another part of the world. Resolving problems with companies that are unfamiliar can be more complicated in long-distance or cross-border transactions.

Understand the offer.

Look carefully at the information about the products or services the company is offering, and ask for more information, if needed. A legitimate company will be glad to provide it; a fraudulent marketer won't. Be sure you know what is being sold, the total price, the delivery date, the return and cancellation policy, and the terms of any guaranty. Print out the information so that you have documentation if you need it.

Check out the company's track record.

Ask your state or local consumer protection agency if the company has to be licensed or registered, and with whom, and check to see if it is. Keep in mind that fraudulent companies can appear and disappear quickly, especially in cyberspace, so lack of a complaint record is no guarantee that a company is legitimate.

Be careful to whom you give your financial or other personal information.

Don't provide your bank account numbers, credit card numbers, tax file number or other personal information unless you know the company is legitimate and the information is necessary for the transaction. Even with partial information, con artists can make unauthorized charges, deduct money from your account, and impersonate you to get credit in your name.

Take your time to decide.

While there may be time limits for special offers, high-pressure sales tactics are often danger signs of fraud.

Be aware that there are differences between private sales and sales by a business.

All sorts of goods and services are sold or traded by individuals through unsolicited e-mails, newsgroups postings, chat room discussions, web auctions and online classified advertisements. While most people are honest, your legal rights against the seller may not be the same as with a business, and you could have difficulty pursuing your complaint if the merchandise is misrepresented, defective or never delivered.

You may be better off paying by credit card than with a check, cash or money order, as long as you know with whom you're doing business.

When you use your credit card for a purchase and there is a problem, you have the right to notify your card issuer that you are disputing the charge, and you don't have to pay it while your dispute is being investigated. It's easier to resolve a problem if you haven't already paid. Also, unless you are purchasing through a secured site (preferably using the new Secured Encryption Technology), it may be safer to provide your payment information by phone or mail rather than online.

Don't judge reliability by how nice or flashy a website may seem.

Anyone can create, register and promote a website; it's relatively easy and inexpensive. And just like any other forms of advertising, you can't assume that someone has screened and approved it.

Know that people in cyberspace may not always be what they seem.

Someone who is sharing a "friendly" tip about a money-making scheme or great bargain in a chat room or on a bulletin board may have an ulterior motive: to make money. And sometimes those friendly people turn out to be crooks!

Know that unsolicited e-mail violates computer etiquette and is often used by con artists.

It also violates most agreements for Internet service. Report "spamming," as unsolicited e-mail is called, to your online or Internet service provider.

Is it safe to do Internet Commerce?

Yes, providing you use the same common sense that you would in a convention buying selling situation. Do not buy from the back of a truck or from the seedier side of the tracks.

Arthur Hissey
Computer Research & Technology
www.crt.net.au