Uri Rivner - Refine Intelligence - Tel Aviv 26 August, 2010, 12:31 0 likes

One note: several people asked me what RSA eCommerce Transaction Monitoring data is all about, so I’m providing an explanation below. Since it’s now summer time, and people tend to doze off easily, I am NOT recommending it except for those who really want to get some deep dive on eCommerce (online shopping) fraud and how programs like Verified by Visa and MasterCard SecureCode handle it.

***

The data relates to online shopping at eCommerce merchants representing 70% of 3D Secure traffic in either low-cost-holidays or auto insurance, using cards that belong to 3 of the Top 5 UK issuers, during April 2010.

It doesn’t talk about bottom-line fraud, only attempted fraud. The vast majority of these eCommerce fraud attempts are stopped by a combination of visible defences such as Verified by Visa and MasterCard SecureCode, with invisible defences such as transaction monitoring and real-time data sharing between the card issuers.

Here it’s important to note a common misconception about these online authentication schemes. From time to time you read research reports saying these programs, designed a decade ago, offer little resistance to today’s sophisticated fraud tools. But the reality is that eCommerce protection is far more effective than people think. According to the UK payments administration report, Internet card spending has risen by almost 200% over the last five years to £55.6 billion. At the same time, eCommerce fraud grew only 31% to £153.2 million.

Let us translate these figures to basis points (100 basis points equals 1% of the spending). In 2004, eCommerce fraud amounted to 63 basis points. In 2009, it amounts to 28 basis points.

The main difference between 2004 and 2009 is the adoption of Verified by Visa and MasterCard SecureCode by UK merchants. In 2004 it was a fraction of eCommerce; today roughly half of eCommerce is protected by these schemes.

But that’s only part of the story. In 2004 the card issuers had to handle the eCommerce fraud using the same tools that stop face-to-face fraud: neural networks relying on a relatively flat set of data points. But in 2009, almost all the UK card issuers deployed sophisticated behind-the-scenes dedicated eCommerce transaction monitoring tools that look at factors such as the IP address and geo-location of the transaction and the user’s device fingerprints. They also share fraud data in real-time, and make sure the findings of one fraud department – say, that a certain Internet Café IP address is used for a growing amount of eCommerce fraud transactions – are shared instantly (and anonymously) with every other fraud department in the country.

As a result, the combination of visible cardholder authentication and invisible monitoring is quite lethal to fraud. RSA powers most of the Verified by Visa / MasterCard SecureCode services as well as the behind-the-scenes eCommerce transaction monitoring for the majority of US and UK banks; RSA data shows that the combination of a merchant using 3D Secure and an issuer deploying state-of-the-art eCommerce fraud detection systems brings fraud levels in the UK to 11 basis points on average, with many issuers experiencing far lower rates. That’s bottom-line losses; in terms of attempted fraud, that’s far higher.

So let us do some math: 28 basis points is the average in UK, and 11 is the average for 3D Secure. About half of the eCommerce in the UK runs through 3D Secure, and this means that websites NOT protected by it suffer from an average of 45 basis points, or four times the level of fraud protected by 3D Secure. That’s MASSIVE.