As we wrap up Fraud Prevention Month, we teamed up with a longstanding industry expert to understand the current fraud landscape and what merchants can do to combat it. Gord Jamieson is a Senior Business Leader at Visa and is responsible for Canada Risk Services. His goal is to differentiate Visa from competition, reduce risks of regulatory impact and support core growth by engaging Canadian clients to minimize payment system risks.
To start, what would you say are the most common types of fraud businesses experience today?
COVID-19 has changed consumer buying patterns and behaviors. 79% of Canadian consumers have adjusted the way they pay for items in the wake of intensified safety concerns. Consumers have embraced digital card-not-present (CNP) commerce across the globe. As consumers adopt digital commerce, fraudsters have also been focusing on CNP fraud. While fraud rates increased in the beginning of COVID-19, along with CNP purchase volume, we have observed a downward trend since April.
CNP fraud represents over 90% of the fraud reported today by Canadian issuers.
E-commerce has grown rapidly since the mid-1990s. Today, consumers use a variety of devices and payment methods to buy products and services online. That means e-commerce fraud is growing too. Fraudsters are continuously developing new practices and strategies to take advantage of the latest e-commerce sales channels and payment options. The typical fraudster profile is also evolving; e-commerce fraud is no longer limited to individuals or small teams. Today fraud is an industry that involves national and global crime rings employing sophisticated techniques.
What puts businesses at the biggest risk for fraud?
CNP represents the largest risk for merchants and takes many forms:
- Account takeover. A fraudster uses stolen login credentials to gain control of someone else’s account on an eCommerce site, on a bank site, or through a payment solution. The fraudster might change personal information or use payment details within the account to make purchases.
- Buy online, pick up in-store. A fraudster uses stolen information to make a purchase online and then picks up the merchandise in a physical store before the retailer can detect the fraud.
- Clean fraud. A fraudster uses a stolen credit card to make an online purchase, entering enough correct cardholder information for the transaction to look genuine and successfully pass the business’s security checks.
- Card testing. A fraudster uses an automated bot to conduct numerous small-value transactions with stolen credit card numbers. The goal of these tests is to determine which cards can be used for other, higher-value fraudulent transactions and which should be discarded.
- First-person fraud. A customer buys an item using their own payment card, then claims that the purchase was unauthorized or the item did not arrive. The business reimburses the customer, who effectively gets the item free. (Also known as friendly fraud.)
- Refund or return fraud. A fraudster buys merchandise online with stolen credentials, then goes to a physical store and requests a refund, most often receiving a store gift card due to the lack of a valid store receipt.
- Reshipping fraud. A fraudster uses stolen payment details to buy goods. The fraudster then contacts the shipper and requests a redirect to a new address, or pays people — known as mules or freight forwarders — to act as delivery recipients. The mules reship the goods to the fraudster or another location for resale.
- Gray market fraud. A fraudster buys goods with a stolen credit card and then resells them in unauthorized markets or geographies, or at a discount. (Also known as reseller fraud.)
- Loyalty fraud. A fraudster gains unauthorized access to an account tied to a loyalty rewards program offered by a merchant.
Source: CyberSource e-Book – eCommerce Fraud Explained.pdf
Are merchants liable for the fraud that happens to their business?
In the card present channel, the merchant is protected from fraud liability if they are chip enabled; however, liability and dispute rights are determined by whether the transaction was read and fully authorized electronically, and whether or not the parties to the transaction were compliant with the Visa Rules.
In the CNP channel, the merchant is liable for fraud transactions and may be subject to disputes unless they participate in Visa Secure (3DS or 3 Domain Secure).
Should merchants ever be entering card data manually?
The most secure method to process a payment card is a chip read or contactless chip transaction. In some instances, when you process a chip read card, the terminal will not be able to read the chip or tap. When this occurs, it usually means one of four things:
- The terminal’s chip reader is not working properly.
- The card is not being inserted or tapped through the reader correctly.
- You may have a counterfeit or altered payment card.
- The chip on the card has been damaged or demagnetized.
Damage to the card may happen accidentally, but it may also be a sign that the card is counterfeit or has been altered. If a card won’t read, you should:
- Check the terminal to make sure that it is working properly and that you are inserting or tapping the card correctly.
- If the terminal is okay, take a look at the card’s security features to make sure the card is not counterfeit or has not been altered in any way.
- If the problem appears to be with the chip card, follow merchant store procedures. You may be allowed to use the terminal’s manual override feature to key-enter transaction data for authorization, or you may need to make a call to your voice-authorization.
- For key-entered or voice-authorized transactions, make an imprint of the front of the card. The imprint proves the card was present at the point-of-sale and can protect your business from potential disputes if the transaction turns out to be fraudulent. The imprint can be made either on the sales receipt generated by the terminal or on a separate manual sales receipt form signed by the customer.
For some merchants, a high key entry rate is due to misclassification of CNP transactions, so they look like card-present transactions. Consult with your acquirer to make sure your CNP transactions are correctly classified with accurate MO/TO and ECI indicators.
Source: Visa – Reducing Counterfeit Fraud Through Acceptance Best Practices
In the wake of COVID, many businesses are encouraging contactless payments. We know they’re potentially more sanitary, but are they really more secure?
Yes, every transaction, and your customers’ personal information, are protected by these security measures:
- Built in dynamic encryption technology. The data from each Visa contactless transaction is translated into a unique code that can be only used once. The cardholder’s name is not transmitted during the transaction and transaction data cannot be used to create a counterfeit card due to the unique data elements.
- Ultra-short two-centimetre read range. Helps eliminate risks of unauthorized devices “reading” the payment data.
- Visa’s Zero Liability Policy**. Ensures cardholders will not be held responsible for fraudulent purchases and can shop worry-free.
In April 2020, Visa updated the contactless maximum transaction amount in Canada to $250 CAD in direct response to the COVID-19 outbreak.
For contactless transactions in Canada, transaction size is inconsequential to determining liability and dispute rights. On a contactless transaction, liability and dispute rights are determined by whether the transaction was read and fully authorized electronically, and whether or not the parties to the transaction were compliant with the Visa Rules. Issuer disputes will be considered invalid if there is evidence that the transaction was electronically read and authorized.
Can you simply explain what an enumeration attack is?
Account Enumeration is a prolific problem that affects issuers, merchants, and acquirers globally. Cybercriminals are taking advantage of big data and artificial intelligence to find and exploit new vulnerabilities. To conduct fraudulent eCommerce transactions, cybercriminals use scalable and programmatic automated testing of common payment fields, a method also known as account enumeration. This practice can result in hundreds of millions of dollars in fraud losses across the payments ecosystem. Once valid payment information is obtained, it is then sold on the dark web and on cybercrime underground carding sites. Further, enumeration increases processing fees for acquirers and issuers, disrupts risk management models, and frustrates merchants as they may lose inventory, and waste resources fulfilling orders unrelated to legitimate customers.
What are some tips and best practices to help avoid enumeration attacks?
- Implement CAPTCHA controls to prevent automated transaction initiation by bots or scripts (e.g., five authorizations from one IP address or PAN within a set timeframe).
- Utilize 3-D Secure authentication.
- Alert on transactions with a large volume of approvals or declines from a similar BIN range.
- Alert on an increase in reversals being sent. Occasionally, fraudsters will immediately send a reversal after an authorization receives an approval.
- Analyze time zone differences and browser language inconsistency from the cardholder’s IP address and device. Classify these transactions as higher risk and perform more stringent review.
- Include IP addresses with multiple failed card payment data in a fraud detection blacklist database for manual review.
- Look for excessive usage and bandwidth consumption from a single user.
- Look for multiple tracking elements in a purchase linked to the same device. For example, multiple transactions with different payment accounts using the same email address and same device ID, may be a trigger for fraud classification or review.
- Look for logins for a single payment account coming from many IP addresses.
- Review logins with suspicious passwords (or unique encrypted hashes of passwords) that hackers commonly use. Some merchants are able to detect fraud based on a gray list with sector combinations of passwords commonly used in fraudulent transactions.
- Monitor the velocity of small and large transactions and use velocity checks for low amounts or authorization-only transactions. Account testing transactions are often less than $10 USD.
- Thresholds should also be set on the number of transactions within a specified timeframe.
- Monitor the velocity on various data elements such as IP address, device, email, Anti-Enumeration and Account Testing Best Practices
- Utilize fraud-detection systems that support device fingerprinting and botnet detection.
- Inject random pauses (i.e., throttling) when checking an account, to slow brute-force attacks that are dependent on time, especially for BINs that have been determined to have a high fraud rate.
- Include HTTP session velocities, which limit the number of operations per user session and set the session to expire after periods of inactivity.
- Lock out an account if a user inputs the user name / password and any account authentication data incorrectly on “x” number of login attempts.
- Limit the number of cards that can be added per ‘account’ and session.
- Limit the number of accounts that can be created per IP within a set time limit.
- Monitor the frequency of payment method changes on accounts.
- Utilize Re-Captcha for user registrations.
- Terminate sessions that are pending for guest users for a certain time period.
- Implement a web application firewall (WAF).
- Utilize basic tools for botnet detection, prevention, and removal. Tools like Network Intrusion Detection Systems (NIDS), rootkit detection packages, network sniffers, and specialized anti-bot programs may be used to provide more sophisticated botnet protection
Cross Site Request Forgery (CSRF) detection:
- Implement CSRF tokens to prevent simplistic automated attacks.
- Ensure all the site pages are loaded with “https” protocol and protected with CSRF token.
- Account information and terminal applications should be securely deleted from all memory slots when decommissioning a POS device
- Be cognizant of phishing scams aimed to obtain payment gateway credentials.
- Use a layered validation approach that employs CVV2 and Address Verification Service (AVS).
- Roll API keys if the card testing attacks are going directly to your API rather than the website form.
- Refund fraudulent payments to avoid disputes.
Source: Visa – Anti-Enumeration and Account Testing Best Practices for Merchants – White Paper, September 2020
How does Visa work with payment processors like Moneris to help business owners deal with fraudulent transactions?
Visa works with acquirers on a monthly basis to identify merchants that may have excessive levels of fraud and chargebacks, to assess their current fraud management capabilities and to develop a remediation plan. Visa also proactively monitors our network for account enumeration attacks and will alert the acquirer when one of their merchants is the victim of such an attack so steps can be taken to mitigate the attack.
What are the easiest things merchants can do to protect themselves online? In-store?
Merchants that operate in the CNP channel should deploy a layered approach to fraud management that involves a number of tools and services, such as:
- Validation services for CVV2, AVS, telephone number, 3DS Secure
- Proprietary data and customer history such as negative and positive lists, order velocity monitoring, customer order history
- Credit card alert services
Interested in learning more? Throughout March we’ll be publishing new and informative articles about fraud prevention, and how Moneris merchants can stay protected. Make sure to visit our Small Business Hub throughout Fraud Prevention Month for new postings, and take a look at some of our favourite fraud-related pieces, including Why You Need to Prevent Fraud Before it Becomes a Problem [Podcast] and How to Layer Your Fraud Prevention Tools.
 Visa Back To Business Study, December 2020
 Visa Risk MIS – Visa TC40 Fraud Reporting and Sales
 Visa Risk MIS – Visa TC40 Fraud Reporting and Sales
 Visa's Zero Liability Policy is not applicable to anonymous Visa Prepaid, Corporate and Commercial cards, or any transactions not processed by Visa. Requires keeping account and PIN safe. Other conditions and restrictions apply. For details, refer to issuer cardholder documentation.