Anyone who handles commerce online - stores, marketplaces, payment processors etc. I don’t care if you are a customer or a competitor. If you are dealing with fraud, you are my brother/sister. Read on.
I want to share the knowledge/wisdom I gained so you benefit from it and hopefully spread it around. One of the issues with the fraud material I have seen online/offline is that it fails to provide real data. I promise I will at the end of this blog post. Yes, this is from real transaction data - not made-up statistics, intuition, or something I overheard from somebody.
- Fraud happens, do not panic
- There are different types of chargebacks. Each requires a different risk minimization technique
- Build high-pass filters: “bad for fraudsters, neutral on UX”
- Real data from Balanced (see #5 below)
- Additional reading is shared at the end of this post
1. Fraud happens
You are living in delusion/denial if you are running an ecommerce business and think you are immune to fraud. It is bound to happen. It is a statistical certainty. And it’s not all that bad.
2. Got fraud? Do NOT panic
We have seen our customers – usually marketplaces – repeatedly panic after the first fraud attack. This is normal. Do NOT panic. A wise man once told me that the worst time to go over your insurance policy details is after you get sick. Same goes with fraud, check the following prior to being hit with any form of fraud:
- Who’s liable? You, the seller (in case of marketplaces), third party fraud protection etc.
- What are my next steps? Do I contact the seller to stop shipment (assuming he/she is not fraudulent)? Do I contact the buyer to make sure this is not a misunderstanding (more on this later)? Do I pull money out of the seller’s account? Do I blacklist seller/buyer? Do I have the ability (I mean software ability) to do so?
If you use Balanced, contact us, we will guide you through the process.
3. A consequence of fraud - Chargebacks
To understand chargebacks, you first need to understand the flow of money. Assume that you are an online store selling shoes (‘Shoes r us’) and Joe comes in to buy a pair of shoes.
Here are all the parties involved:
- Joe - Buyer
- Joe’s card network - Visa
- The bank which issued the card - Bank of America (Issuing bank)
- Processor for ‘Shoes r us’ - Balanced Payments
- The bank where funds will be deposited - Chase (Acquiring bank)
Money flows in this direction:
Issuing bank (_Bank of America_) –> (via the card network, _Visa_) –> Acquiring bank (_Chase_) –> Processor (_Balanced Payments_) –> Merchant (_Shoes r us_)
A chargeback happens when Joe calls Bank of America and says ‘I don’t recognize this charge’ or ‘I paid $50 for these shoes and I have been charged $100’. The issuing bank then pulls the money back along the same chain in reverse, and the merchant ends up paying for it. Here are the possible reasons why Joe could have done that:
- Joe received an innocent-looking email from Anuoluwa Obadina and opened the attachment. Or that seemingly innocuous compliment on the design of Joe’s credit card made him overlook the extra time the waiter spent looking at the card. You get the picture: Joe’s credit card information was compromised.
- Joe genuinely forgot about the purchase.
- Joe is a douche bag who is attempting to game the system by claiming he never received the shoes.
Either way, if you are a marketplace or a merchant you are responsible for this (barring any special contracts you signed with the processor or a third party). Ultimately, what affects your bottom line as someone accepting cards online for goods or services is not fraud, but chargebacks. Sure, they are correlated, but as I pointed out above, chargebacks can happen for reasons other than fraud. So, let’s move on and look at ways to avoid them.
4. “Bad for fraudsters, neutral on UX”
Chargebacks happen for different reasons and each type needs a different approach. The premise for all fraud prevention is simple: “How do I create practices that make it hard for fraudsters to operate and do not create a poor user experience for legitimate customers/users?” You could go ahead and collect a blood sample from every seller in your marketplace. I pretty much guarantee zero fraud in that case - because you will have zero transactions. What you really need is a middle ground: “Bad for fraudsters, neutral on UX.” Think of it like a high-pass filter: you want legitimate users to pass through your fraud system unaffected, while the fraudsters get filtered out.
4.1 Misunderstanding - Customer genuinely does not recognize the charge.
The ‘soft descriptor’ is your friend. The soft descriptor is the line item you see on your credit card statement against each charge. Examples of soft descriptors pulled from my own statement: ‘Taco Bell’, ‘Amazon.com amzn.com/bill’, ‘New York Pizza Palo Alto’ - pretty obvious who made these charges. And that’s what you should strive for: a soft descriptor that makes it really obvious to the customer who charged them. Balanced, for example, lets you customize the soft descriptor. Here’s our recommendation on what to put in:
- Your marketplace name
- Your support number
If the customer calls in to your support number before reaching for the bank, BOOM you have just avoided a chargeback. Make sure someone is available in normal business hours and you have the ability to receive voice mail after hours.
4.2 Minimizing ‘friendly fraud’
I call Joe acting as a douche bag ‘friendly fraud’ (in reality, there’s nothing friendly about it). To minimize friendly fraud, here are our recommendations:
- Collect shipping address, shipping carrier and tracking code for any product that is being shipped. This is zeroth order stuff - no exceptions.
- On transactions above a certain threshold (say $250), make sure you get delivery confirmation (a signature on delivery, not just a carrier scan).
I believe both (1) and (2) fall under “Bad for fraudsters, neutral on UX”. Legitimate sellers will understand the need for delivery confirmation on high-value items.
4.3 Minimizing real Fraud
Ok, this probably deserves more than a Ph.D. thesis and a blog post is not going to cover everything. I will try to cover as much as possible from the marketplace perspective.
4.3.1 Think probabilistic not deterministic
Wrong way to think: “Is this transaction fraudulent?”. Right approach: “What is the probability that this transaction is fraudulent?”. You see, with fraud (as with most things in life), things are fuzzy. So what you are really looking for is to minimize your risk. With this mentality, you accept the fact that sometimes you will be wrong. What you are working towards is not an unrealistic path to zero fraud, but the more pragmatic goal of minimizing your exposure. To this end, you have two friends: data and that Bayes’ theorem everyone’s talking about. In this setting it says P(fraud | signal) = P(signal | fraud) · P(fraud) / P(signal): a signal that is much more common on fraudulent transactions than on legitimate ones moves your estimate up, and several such signals compound. Bayes’ theorem itself is really simple and there’s tons of literature available online, so I am not going to get into it. The best one I have seen so far is here.
Now coming to data (and what I promised). Here are things you can look at:
4.3.2 Velocity and size of transactions from what you believe is the same person
This could be as simple as same email address/same IP address/cookie etc. It can get a bit more complex if you use some sort of device fingerprinting (careful, check with your lawyer on privacy issues). You expect a normal shopping cart to have 1.7 items on average and you now have a shopping cart with 17 items? You expect Star Wars DVDs to sell in your marketplace for $30 and now you have a DVD collection priced at $550? These are all outliers. By no means do they confirm fraud, but they give you valuable signals and add further evidence (Bayes, my friend, Bayes).
4.3.3 Social Signals
Are users signing in via Facebook/Twitter? If yes, do you know the number of friends/followers/following? Do you know the account creation date? So you have a $550 transaction on an item that normally sells for $55, by someone with zero friends on Facebook and an account created yesterday? Should you review this? I think we know the answer.
4.3.4 Collusion between buyer and seller
Look for anything that makes you think there’s collusion between buyer and seller. Simple example: Buyer steals someone else’s credit card information. Buyer also lists himself as a seller on your site. Buyer claims to “buy” the product and seller claims to “ship” it. Your “MVP, I need this site out asap” does no verification (no shipping information, tracking information etc.). Boom, you’ve just been defrauded. In this case it was quite simple to detect that Buyer == Seller: the same email, card, IP address or bank account shows up on both sides of the transaction.
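The velocity, price-outlier, multiple-card and buyer-matches-seller checks from 4.3.2 and the collusion paragraph above, as an added Python example. This is not Balanced’s code; the transactions, price history, seller registry and every threshold are constructed for illustration, and the signal names are my own:

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Thresholds are assumptions for this example, not Balanced's settings.
VELOCITY_LIMIT = 4   # transactions from one identity inside 24 hours
CARD_LIMIT = 3       # distinct cards seen on one buyer identity
SIGMA = 3.0          # the "mean + 3*sigma" price-outlier rule

# Constructed price history per listing category (what the marketplace normally sees).
PRICE_HISTORY = {
    "dvd":   [25.0, 30.0, 28.0, 32.0, 30.0, 27.0, 35.0, 29.0, 31.0, 30.0],
    "shoes": [60.0, 80.0, 75.0, 90.0, 70.0, 85.0, 65.0, 95.0, 78.0, 82.0],
}

# Constructed seller registry: the IP each seller signed up from.
SELLERS = {
    "shop@example.com":  {"ip": "198.51.100.7"},
    "dealz@example.net": {"ip": "203.0.113.9"},
}

# Constructed transactions, oldest first. "card" is a stand-in (last 4 digits only).
TXNS = [
    {"id": 1, "ts": "2013-05-01T09:00", "buyer": "joe@example.com", "ip": "203.0.113.5",
     "card": "1111", "amount": 30.0, "category": "dvd", "seller": "shop@example.com"},
    {"id": 2, "ts": "2013-05-01T09:05", "buyer": "mal@example.org", "ip": "203.0.113.9",
     "card": "2222", "amount": 550.0, "category": "dvd", "seller": "dealz@example.net"},
    {"id": 3, "ts": "2013-05-01T09:10", "buyer": "mal@example.org", "ip": "203.0.113.9",
     "card": "3333", "amount": 80.0, "category": "shoes", "seller": "shop@example.com"},
    {"id": 4, "ts": "2013-05-01T09:15", "buyer": "mal@example.org", "ip": "203.0.113.9",
     "card": "4444", "amount": 75.0, "category": "shoes", "seller": "shop@example.com"},
    {"id": 5, "ts": "2013-05-01T09:20", "buyer": "mal@example.org", "ip": "203.0.113.9",
     "card": "4444", "amount": 70.0, "category": "shoes", "seller": "shop@example.com"},
    {"id": 6, "ts": "2013-05-02T12:00", "buyer": "ann@example.com", "ip": "192.0.2.44",
     "card": "5555", "amount": 82.0, "category": "shoes", "seller": "shop@example.com"},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def price_threshold(category):
    """mean + SIGMA * stdev of the historical prices seen for this category."""
    hist = PRICE_HISTORY[category]
    return mean(hist) + SIGMA * pstdev(hist)


def extract_signals(txns):
    """Walk the transactions in time order and record which signals each trips.

    Returns {txn_id: sorted list of signal names}. Signals are evidence to feed
    into a probabilistic score, not a verdict on their own."""
    txns = sorted(txns, key=lambda t: _parse(t["ts"]))
    seen_times = defaultdict(list)   # identity key -> timestamps inside the window
    cards = defaultdict(set)         # buyer -> distinct cards seen so far
    out = {}
    for t in txns:
        now = _parse(t["ts"])
        flags = set()

        # Velocity: count transactions from the same email OR the same IP in 24h.
        for key in (("email", t["buyer"]), ("ip", t["ip"])):
            seen_times[key].append(now)
            window = [x for x in seen_times[key] if now - x <= timedelta(hours=24)]
            seen_times[key] = window          # forget anything older than 24h
            if len(window) >= VELOCITY_LIMIT:
                flags.add("high_velocity_24h")

        # Price outlier relative to what this category normally sells for.
        if t["amount"] > price_threshold(t["category"]):
            flags.add("amount_gt_mean_plus_3sigma")

        # Many distinct cards behind one buyer identity.
        cards[t["buyer"]].add(t["card"])
        if len(cards[t["buyer"]]) >= CARD_LIMIT:
            flags.add("many_cards_same_person")

        # Collusion: the buyer looks like the seller (same account or same IP).
        seller = SELLERS.get(t["seller"], {})
        if t["buyer"] == t["seller"] or t["ip"] == seller.get("ip"):
            flags.add("buyer_matches_seller")

        out[t["id"]] = sorted(flags)
    return out


if __name__ == "__main__":
    for tid, flags in extract_signals(TXNS).items():
        print(tid, flags or "-")
```

Transaction 2 trips the outlier and buyer-matches-seller checks (a $550 DVD bought from a seller registered from the buyer’s own IP), transaction 4 is the third distinct card on one email, and transaction 5 is the fourth purchase inside 24 hours; Joe’s and Ann’s purchases trip nothing. In production the email/IP keys would be joined by cookie or device fingerprint and the price history would be computed per listing rather than per category, but the structure is the same.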
4.3.5 Address Verification System (AVS)
AVS checks whether the billing address you submit with the card matches the address the issuing bank has on file for that card. The system, however, is far from perfect for the following reasons:
- Not all banks support it (damn)
- High in false positives (people move, mistype addresses etc.)
- Only verifies the numerical portion of the address (street number and ZIP code)
Looking at these factors, it is easy to conclude that if you take the iron-hand approach of rejecting all transactions on AVS failure, you will lose quite a few legitimate ones (I will provide exact data shortly). Our take on AVS: treat it as just another signal.
4.3.6 Card Security Code (CSC)
Flip your card over and you will see a security code. Most banks support CSC and, unlike address, the false positives are rather low. Our data suggests a very high fraud rate on CSC failures with a relatively low number of false positives. Our recommendation on CSC failure: if you are starting off with low transaction volume and a rudimentary (or non-existent) fraud system, treat a CSC failure as a hard decline. Accept the fact that you will lose about 2% of legitimate transactions. If you have high transaction volume and the means to look at other signals, do not give CSC veto power. Treat it as a signal (with much higher weight than AVS). One caveat either way: pass the CSC through to your processor for the check and keep only the match result; PCI DSS forbids storing the code after authorization.
5. Real data from Balanced

| Signal | P(fraud given signal) |
|---|---|
| High velocity (24 hrs) | 21.7% |
| Txn amount > mean + 3*sigma | 20.44% |
| Account created recently | 5.2% |
| Country known to be high risk | 14.87% |
| IP-to-billing-address distance high | 4.29% |
| High # of cards from same person | 100% |
| AVS failure | 5% |
The table has two columns. The first is the signal, and I believe its meaning is self-evident. The second is the probability of a transaction being fraudulent given that the signal is true. For example, on an AVS failure the likelihood of the transaction being fraudulent is 5%. There is some subjectivity in this information: ‘high velocity’ can mean different things. So don’t treat these numbers as gospel, but as a general guide. One way to read it: a CSC failure is about 4 times as risky as an AVS failure.
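The “think probabilistic” advice in 4.3.1 combined with the table above, as an added Python example (not Balanced’s code). The table gives posteriors P(fraud | signal); to combine several signals with Bayes’ theorem you need each signal’s likelihood ratio, which you can recover from a posterior once you assume a base rate. The 1% base rate, the 0.999 cap, the review/decline thresholds and the signal names are all assumptions of this example, not figures from the post:

```python
# P(fraud | signal) as given in the table above (the AVS row from the text below it).
P_FRAUD_GIVEN_SIGNAL = {
    "high_velocity_24h": 0.217,
    "amount_gt_mean_plus_3sigma": 0.2044,
    "account_created_recently": 0.052,
    "high_risk_country": 0.1487,
    "ip_billing_distance_high": 0.0429,
    "many_cards_same_person": 1.0,
    "avs_failure": 0.05,
}

# Assumption: overall fraud rate on the marketplace. The post does not state
# Balanced's base rate, so 1% is a placeholder; plug in your own measured rate.
BASE_RATE = 0.01
CAP = 0.999   # a literal 100% gives infinite odds; cap it so it can still be combined


def odds(p):
    """Probability -> odds."""
    return p / (1.0 - p)


def likelihood_ratio(signal, base_rate=BASE_RATE):
    """Bayes' theorem in odds form: posterior odds = prior odds * LR.

    The table gives the posterior P(fraud | signal); dividing its odds by the
    prior odds recovers LR = P(signal | fraud) / P(signal | legit), which is
    what you can multiply across independent signals."""
    p = min(P_FRAUD_GIVEN_SIGNAL[signal], CAP)
    return odds(p) / odds(base_rate)


def fraud_probability(signals, base_rate=BASE_RATE):
    """Naive-Bayes combination: multiply the LR of every signal that fired onto
    the prior odds, then convert back to a probability.

    This assumes signals are conditionally independent given fraud/not-fraud.
    They are not (velocity and many-cards tend to fire together), so treat the
    output as a ranking score to set thresholds on, not a calibrated probability."""
    post_odds = odds(base_rate)
    for s in signals:
        post_odds *= likelihood_ratio(s, base_rate)
    return post_odds / (1.0 + post_odds)


def decide(signals, review_at=0.10, decline_at=0.50):
    """Three-way decision. The thresholds are assumptions: tune them to your
    margin per sale against the cost of a chargeback plus manual review."""
    p = fraud_probability(signals)
    if p >= decline_at:
        return "decline"
    if p >= review_at:
        return "review"
    return "accept"


if __name__ == "__main__":
    cases = [
        [],
        ["avs_failure"],
        ["ip_billing_distance_high", "account_created_recently"],
        ["high_velocity_24h", "amount_gt_mean_plus_3sigma"],
        ["many_cards_same_person"],
    ]
    for c in cases:
        print(f"{c!r:62} p={fraud_probability(c):.3f} -> {decide(c)}")
```

With a single signal the function returns the table’s own number (an AVS failure alone scores 0.05 and is accepted), which is the sanity check that the likelihood-ratio conversion is right. The interesting cases are the combinations: two weak signals that individually stay under 5% (IP-to-billing distance plus a new account) land near 20% together and go to review, and velocity plus a price outlier push past 85% and are declined. That is the practical content of “treat AVS and CSC as signals rather than vetoes”: no single check decides, the accumulated evidence does.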
Additional reading
- Essentials of Online Payment Security and Fraud Prevention
- Using social network data for fraud prevention
- Detecting Malice
- Ohad Samet’s blog on risk