
First Class flights and Margaritas on the beach

You spend all year long working, and in summer time you deserve some R&R.

Option 1: look for holiday packages. Fly charter, book a reasonably priced hotel, and rent a compact car to do some sightseeing.

Option 2: search for the most expensive destination you can find. Fly first class, book an all-inclusive five star resort with morning massages, rent a convertible and go sip margaritas on the beach.

Easy choice, if you’re a fraudster.

According to RSA eCommerce Transaction Monitoring data, the average card spend on low-cost travel deal websites (think about all those last-minute deals) is $380. But the average fraudulent spend is roughly $1600.

$1600 on last-minute holiday deals on average. When it’s someone else’s money, you can afford to spoil yourself ;)

No wonder all the fraudsters are now on holiday.

You could argue that this makes spotting the frauds pretty straightforward: just go after any crazy high-priced deal someone is buying. But the thing is, if you decline everyone who wants a high-priced last-minute deal, you lose a huge amount of good business. Very good business, actually. So catching the fraud while letting the good transactions through isn’t that simple.

Let’s look at car insurance as another example. RSA data shows the average card spend on car insurance payments is $336, and the average fraud spend is $919.

I can only hope the reason behind this huge gap is the fact fraudsters drive very expensive cars. Otherwise, how can you explain it? I mean, how wild can you go about buying car insurance, even when you’re a fraudster?

“Hello, this is ABC auto insurance, how can I assist you?”

“Er… I want to buy insurance for my car. I want something REALLY fancy. What’s the most expensive policy you have?”

“Excuse me?”

“Expensive. Hit me with all you got”.

Low-cost holidays? Not if you're a fraudster!

Comments: (1)

Uri Rivner - BioCatch - Tel Aviv, 26 August, 2010, 12:31

One note: several people asked me what RSA eCommerce Transaction Monitoring data is all about, so I’m providing an explanation below. Since it’s now summer time, and people tend to doze off easily, I am NOT recommending it except for those who really want to get some deep dive on eCommerce (online shopping) fraud and how programs like Verified by Visa and MasterCard SecureCode handle it.


The data relates to online shopping at eCommerce merchants representing 70% of 3D Secure traffic in either low-cost-holidays or auto insurance, using cards that belong to 3 of the Top 5 UK issuers, during April 2010.

It doesn’t talk about bottom-line fraud, only attempted fraud. The vast majority of these eCommerce fraud attempts are stopped by a combination of visible defences such as Verified by Visa and MasterCard SecureCode, with invisible defences such as transaction monitoring and real-time data sharing between the card issuers.

Here it’s important to note a common misconception about these online authentication schemes. From time to time you read research reports saying these programs, designed a decade ago, offer little resistance to today’s sophisticated fraud tools. But the reality is that eCommerce protection is far more effective than people think. According to the UK payments administration report, Internet card spending has risen by almost 200% over the last five years to £55.6 billion. At the same time, eCommerce fraud grew only 31% to £153.2 million.

Let us translate these figures to basis points (100 basis points equals 1% of the spending). In 2004, eCommerce fraud amounted to 63 basis points. In 2009, it amounts to 28 basis points.

The main difference between 2004 and 2009 is the adoption of Verified by Visa and MasterCard SecureCode by UK merchants. In 2004 it was a fraction of eCommerce; today roughly half of eCommerce is protected by these schemes.

But that’s only part of the story. In 2004 the card issuers had to handle the eCommerce fraud using the same tools that stop face-to-face fraud: neural networks relying on a relatively flat set of data points. But in 2009, almost all the UK card issuers deployed sophisticated behind-the-scenes dedicated eCommerce transaction monitoring tools that look at factors such as the IP address and geo-location of the transaction and the user’s device fingerprints. They also share fraud data in real-time, and make sure the findings of one fraud department – say, that a certain Internet Café IP address is used for a growing amount of eCommerce fraud transactions – are shared instantly (and anonymously) with every other fraud department in the country.

As a result, the combination of visible cardholder authentication and invisible monitoring is quite lethal to fraud. RSA powers most of the Verified by Visa / MasterCard SecureCode services as well as the behind-the-scenes eCommerce transaction monitoring for the majority of US and UK banks; RSA data shows that the combination of a merchant using 3D Secure and an issuer deploying state-of-the-art eCommerce fraud detection systems brings fraud levels in the UK to 11 basis points on average, with many issuers experiencing far lower rates. That’s bottom-line losses; in terms of attempted fraud, that’s far higher.

So let us do some math: 28 basis points is the average in the UK, and 11 is the average for 3D Secure. About half of the eCommerce in the UK runs through 3D Secure, and this means that websites NOT protected by it suffer from an average of 45 basis points, or four times the level of fraud protected by 3D Secure. That’s MASSIVE.

Uri Rivner

Chief Cyber Officer

Tel Aviv

This post is from a series of posts in the group:

Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.
