‘Juice jacking’ plus music gift cards
Read Time: 6 mins
Written By:
Robert E. Holtfreter, Ph.D., CFE
Batman once said, "If only they would use their genius for good instead of evil!" While Internet fraudsters will never stop finding new ways to use cyberspace to victimize, fraud examiners now have methods to prevent their crimes rather than just trying to investigate after the fact.
A Nigerian Criminal Enterprise (NCE) has been using computers in Lagos, Nigeria, to perpetrate a version of the forwarder scam - placing thousands of Internet orders using randomly generated credit card numbers and expiration dates on the Web sites of hundreds of U.S. businesses.
Members of this NCE recruit U.S. citizens to receive merchandise and forward the goods back to Nigeria where they sell them on the black market. Christian Internet chat rooms are their favorite recruiting grounds. Preying on the willingness of their recruits to help out those in need, the NCE operative poses as a young woman trying to get needed computer equipment or clothing ostensibly without paying oppressive Nigerian import taxes. The good-deed doer begins receiving stolen property and sends it to Nigeria using a stolen account number for an overnight delivery company supplied by the NCE operative. By the time authorities ring the doorbell of the unsuspecting accomplice, the NCE has recruited a new forwarder to take that person's place. One company received more than $4 million in fraudulent orders in one year from an NCE using 23 different forwarders.
With no possibility of arrest or prosecution, fraud examiners have to protect their companies from such attacks without interrupting the flow of legitimate customer orders. Fraud examiners need to concentrate on foiling Internet fraudsters rather than trying to investigate after the fact.
Not all companies are fully aware of the tools used to protect Web sites from this menace. While almost all companies use a credit card verification system of some kind, not all such systems are equally effective.
The simplest verification system for Internet credit card numbers affirms that a specific number has in fact been issued and that the expiration date matches the credit card number provided. While this will prevent an order from using an unassigned number, it doesn't tell the merchant company to whom that number has been issued, only that it has been issued. Since the NCE has the ability to predict the expiration dates of credit card numbers (using a computer program), such systems are insufficient to stop an NCE attack.
Address verification system codes
Address Verification System (AVS) codes are generated at the time the merchant requests credit card authorization. The code tells the merchant if the billing address provided on the order matches the billing address of record for the credit card number. Specific codes mean different levels of matching. For example, the credit card payment company Paymentech® (one of many such companies that offer AVS) uses the following AVS response codes (among others):
I-1 means the billing address on the order is a complete match to the billing address of record for the credit card provided.
I-5 means that only the Zip Code doesn't match; perhaps the customer has been issued a new one without updating the billing address of record.
The codes to worry about are I-4 and I-8.
AVS code I-4 means that the street address isn't a match, while the Zip Code does match. Blocking such orders may seem to be a given, but there's a slight problem. AVS logic looks for a number at the beginning of an address. Addresses that begin with a letter aren't recognized and result in an I-4 code. Too many customers use addresses that begin with a letter (P.O. Box 100, or One Rockefeller Plaza) to make this a suspect code.
AVS code I-8 means that nothing matches - the street address and the Zip Code are both different. Perhaps the customer moved and forgot to change the address, but this is probably an NCE attack, which is sending randomly generated credit card numbers with the addresses of their forwarders in both the billing and ship-to address fields. Beware.
Canceling I-8 orders
Many companies have begun canceling orders that are coming back from Paymentech® with an AVS code of I-8. The customer is notified that the billing address of record didn't match the billing address entered on the order. The customer can re-order using the proper address from his credit card statement. This simple step saved the previously mentioned company $4 million in credit card "charge backs" in addition to the handling time. A charge back is the process in which the true credit card holder refuses payment for a good or service that he didn't order. The merchant's account is debited for the money unless the merchant can prove that the card holder actually received the good or service.
Internet credit card orders require the merchant to enter into a credit card transaction similar to a person coming into a store with a bag on their head and trying to make a credit card purchase without ID or bothering to sign the credit card slip. Who would allow such a thing? Internet merchants do it every day!
Card Security Value
To the rescue comes the "V" code or the Card Security Value (CSV) system. You've probably seen or used the extra three digits on the back of your Visa® and MasterCard® or the extra four digits on the front of your American Express® to place an order online. The extra digits are entered as a separate field in Internet orders and phone orders where the card isn't present. The "V" code is verified at the time the card company verifies the card. An extra assurance that the customer actually has the card in hand, the "V" code isn't used in the traditional "card present" transaction or on the credit card bill. Therefore, a fraudster, who obtains a credit card receipt or a bill from the trash can, can't place a "card not present" order using the credit card number and expiration date even if they have the card owner's true billing address of record. The fraudster has 1,000 possible "V" codes (000-999) to try before he can place a successful order. There are greener pastures for organized fraudsters unless they can rely on a computer program to rapidly attempt credit card orders using a numeric progression of "V" codes until the right one is found. There are actually such enterprising fraudsters out there! As Batman once said, "If only they would use their genius for good instead of evil!"
CAPTCHA
The latest tool for Internet fraud prevention can even stop the fraudsters' computerized attacks on the "V" code. CAPTCHA is starting to be seen on some Internet order sites. A CAPTCHA (an acronym for "Completely Automated Public Turing test to tell Computers and Humans Apart") is a type of challenge-response test used in computing to determine if the user is human. The term was coined in 2000 by Luis von Ahn, Manuel Blum, and Nick Hopper of Carnegie Mellon University, and John Langford of IBM. (For more information on CAPTCHA see http://en.wikipedia.org/wiki/Captcha.)
A common type of CAPTCHA requires that the user type the letters of a distorted and/or obscured sequence of letters or digits that appears on the screen. A CAPTCHA image shows a random string, which the user has to type to submit a form. This is a simple problem for (seeing) humans. But computers, which have to use character recognition, have a difficult time decoding the distorted random string. Following are some examples of CAPTCHAs that randomly appear on your order screens to ensure the ordering entity is a person and not a computer:
[Figure 1 is no longer available.— Ed.]
Using the "V" code in conjunction with CAPTCHA and the blocking of orders that have AVS codes like the Paymentech® I-8 code will save your company from the headaches of most organized credit card fraud attacks today.
No automated system can prevent a single fraudster from using a stolen credit card. For example, it's always a good policy to call the billing phone number on all high-dollar orders when the "ship-to" address is different from the billing address to ensure that the area code of the billing phone number is the area code for the billing address and not the ship-to address. But the newer automated systems blended with traditional methods will form a complete and sound program of protection and fraud prevention.
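The layered screening described in this article (AVS code handling, counting failed "V" code attempts, a CAPTCHA challenge and a phone check on high-dollar orders) can be expressed as order-screening logic. This is an added example, not code from the article or from Paymentech; the decision names, the field names, the $500 threshold, the three-failure limit and the handling of codes the article doesn't list are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

HIGH_DOLLAR = 500.00   # assumption: the article names no dollar threshold
MAX_V_FAILURES = 3     # assumption: failed "V" code tries allowed per card

@dataclass
class Order:
    card: str          # constructed test values only
    avs: str           # AVS response code: I-1, I-4, I-5 or I-8 (from the article)
    v_ok: bool         # True if the card company verified the "V" code
    amount: float
    bill_addr: str
    ship_addr: str

class Screener:
    def __init__(self):
        self.v_failures = defaultdict(int)   # card -> failed "V" code attempts

    def screen(self, o: Order) -> str:
        if not o.v_ok:
            self.v_failures[o.card] += 1
        # Repeated wrong "V" codes on one card suggest a program counting
        # through 000-999, so demand a CAPTCHA even once a guess succeeds.
        if self.v_failures[o.card] >= MAX_V_FAILURES:
            return "CAPTCHA"
        if not o.v_ok:
            return "DECLINE"
        if o.avs == "I-8":                   # street address and Zip both mismatch
            return "CANCEL_NOTIFY"           # customer may re-order with address of record
        if o.avs not in ("I-1", "I-4", "I-5"):
            return "MANUAL_REVIEW"           # assumption: codes the article doesn't cover
        # I-4 is accepted: addresses that begin with a letter (P.O. Box) trigger it.
        differs = o.bill_addr.strip().lower() != o.ship_addr.strip().lower()
        if o.amount >= HIGH_DOLLAR and differs:
            return "PHONE_VERIFY"            # call the billing phone, check its area code
        return "ACCEPT"

def run_samples():   # constructed orders; returns the decision for each
    s = Screener()
    home, fwd, box = "12 Elm St, 30301", "99 Oak Ave, 60601", "P.O. Box 100, 30301"
    orders = [
        Order("TEST-CARD-0001", "I-1", True, 40.0, home, home),
        Order("TEST-CARD-0002", "I-4", True, 40.0, box, box),
        Order("TEST-CARD-0003", "I-8", True, 900.0, fwd, fwd),  # forwarder pattern
        Order("TEST-CARD-0004", "I-1", True, 900.0, home, fwd),
    ]
    orders += [Order("TEST-CARD-0005", "I-1", ok, 40.0, home, home)
               for ok in (False, False, False, True)]  # three wrong "V" codes, then a hit
    return [s.screen(o) for o in orders]
```
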
Scam artists hit U.S. residents with counterfeit postal money orders
A fraud scheme making the rounds through Internet chat rooms and auction sites, in e-mail messages, and over the telephone is costing U.S. victims time, money, and unpleasant chats with bank and law enforcement officials about passing counterfeit postal money orders, according to the U.S. Postal Inspection Service.
The counterfeit money order scam begins when a victim is contacted by someone through an Internet chat room or on-line auction site claiming to have financial problems or needing help to cash domestic and/or international postal money orders. The person in need often claims to be living in a foreign country (usually Nigeria), but the scam artist can cook up the scheme from any location. The scam artist is simply looking to recruit someone in the United States to cash the money orders and return the funds via wire transfer.
A U.S. resident is lured into the scam when he is told he can keep some of the money as a gift or payment for his help. The unsuspecting victim provides his home mailing address to the fraudster who tells him he will receive a check or postal money order that he should deposit into his own bank account. The fraudster tells the victim to immediately send the money via Western Union or conventional bank wire transfer to a bank or person located outside the United States. The victim learns the postal money order is counterfeit only when he attempts to cash it, or when his bank account takes a hit for the full amount when the bank refuses payment on the bogus deposit.
For more information about postal money order security features, visit the U.S. Postal Service Web site at www.usps.com. To report a fraud complaint, call the Fraud Complaint Hotline at 1-800-372-8347 or visit the U.S. Postal Inspection Service Web site at www.usps.com/postalinspectors/fraud/MailFraudComplaint.htm.
The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.