Links Menu:   Velocity Of Use Technique   --   Reverse Lookup   --   Card Security schemes

One Hit - One Merchant & One Hit - Multiple Merchants

This is one of the more difficult types of fraud to detect and prevent. In this scheme a fraudster will acquire a credit card profile and will make a single purchase from your site. They will not reuse your site again, or if they do it will only occur after very long periods, greater than three months. They are making more than one purchase on the credit card itself, but it is at different vendors rather than multiple purchases from the same vendor. The fraudster will also typically be drawn to very highly fence-able goods: electronics, jewelry, mobile phones, computer goods and gift cards.

Number of Purchases: 1

Billing & Shipping Address: Typically different; the shipping address will typically be a drop point or abandoned point

Shipping Method: Express Shipping

Phone: Bogus, or the real consumer’s number

Purchase Amount: High

Fraud-Prevention Techniques: High (£) Pound amount rule with express shipping rule, reverse lookup address and phone, use of fraud screening that does cross-merchant velocity-of-use checking, card security schemes

 

Consumer-Perpetrated Fraud

This is a scheme in which the consumer or an accomplice of the consumer makes a purchase and then denies they made the purchase, or that they never received the goods or services. All of the data points will look good but the consumer will swear they did not make the purchase and did not receive the goods or services. They may also say they placed the order but never received the goods or services.

The consumer calls their issuing bank for the credit card and disputes the transaction for one of these reasons:

    • Claim they never made the charge
    • Claim their account was abused by someone else
    • Claim they never received the services
    • Claim that their spouse never made the transaction


If the consumer says they never placed an order, take a look at your past records to see if they have ever made a purchase from you before, and make sure you put them into at least a warm list to watch for them in the future.

Number of Purchases: 1 or more

Billing & Shipping Address: Typically the same; or if different, a real address with a real person

Phone: Real consumer’s number

Purchase Amount: Any

 

Morphing Fraud - Repeat Offenders

In short the morphing attack is where a fraudster is hitting a single merchant multiple times using slightly different data points each time. These attacks are typically of short duration with multiple purchases being made and sent to the same address or within a very close proximity. The fraudster may change every data point except one or two, so you have to be doing some good cross-reference checking to catch them.

This scheme has a couple of different variations. I call them the “bust-out,” the “slow morph” and the “multiple personality” morphing fraud attacks.

In the bust-out variation the fraudster will make multiple purchases from your site within a short timeframe with a number of different credit cards. All of the goods and/or services will be going to the same location, but all of the other data may change between purchases.

In the slow morph attack, the fraudster will make purchases over time with elapsed time between purchases to prevent raising any flags, and will change the credit card, address and phone slowly over time, just keeping in front of you.

In the multiple personality attack, the fraudster will set up several different personas with different cards and make periodic purchases over a 30 to 90-day timeframe. I have seen cases where the morphing attack was pulled off with 2 to 3 hits per month, all spread out over a 90-day period. The fraudster used three different credit cards and personas and made one purchase with each persona per month for a three-month period and then disappeared. The merchant in this case was using velocity of use and change, but was only counting usage and change for a 24-hour period to attempt to catch bust-outs. They finally caught on when they starting doing some research on past charge-backs to see the fraudster was using variations of the same name. For example “Sara, Sarah, Sam, Samantha, Bill, Bob, William, Willard and Wilda.”

The morphing attack is a little easier to spot if you have good velocity of use and change checks in place. The problem is determining how many purchases or changes constitute actual morphing. As a merchant we all pretty much assume and want to have our customers come back and buy from us. We never assume the fraudster knows this as well, and will play us based on this. Making a purchase once a month for three months wouldn’t in itself set off any alarms, but what they are buying and how the data points they send us change does.

In looking at catching morphing attacks you will have to really think about how you can look at previous account activity, and how you can look at the products purchased as well. The velocity of change and use checks are the best mechanisms to catch someone morphing their identity in their attack.

Some of the things you can look for to catch these morphing fraudsters include:

Look at the typical buying patterns for your merchandise. Would someone typically buy the product sold more than once in a day, week, month or year? For example if you sell televisions online, how often would the same person buy another television on the same day, week or month? If you sell jewelry, how often does someone buy the exact same piece of jewelry in a day, week, month or year?

If you are already looking at velocity of change and use on a daily basis today to stop bust-outs, don’t change it. Add another combined look at velocity of use and change over a 6-month period in which you look at the number of purchases on a given credit card, e-mail, phone and address. Track the number of changes of a credit card number to an e-mail, phone and address over time.

Look at the name associated with a credit number to see how many times it is changing. The name is typically not a good tool for doing fraud checks, but in the morphing attack, the attacker can change the name with everything else being the same. They don’t always do this. Though in the case I discussed earlier the fraudster used the same name, which is how we caught him, and stopped him from starting back up the following month with a fresh set of cards.

If you are doing e-commerce, track the IP address being used by the fraudster and check it against the IP address from past charge-backs to see if they are coming from the same points. It is very rare that they will have the same IP address, this typically means a real novice fraudster, but you can see trends to certain proxies or regions.

Number of Purchases: More than one

Billing & Shipping Address: Typically different, the shipping address will typically be a drop point or abandoned point

Phone: Bogus, or the real consumer’s number

Purchase Amount: Any

back to top

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Reverse Lookup

 

back to top     The Reverse Lookup is used to cross check the address and phone information a consumer has provided to you with a third-party resource to verify that the public records show the same consumer’s name is associated with the provided address and phone information. It is available as a hosted bureau service or you can purchase monthly and quarterly SW distribution of data.

Key considerations when implementing or buying this functionality include:

  • How often will your provider update the information or update their software?
  • Will the data include cell phones and business phones?
  • Are there any dead spots where information is not provided such as, international, Canada, Puerto Rico?
  • What is the accuracy of the data they have? Try them out: Have ten people’s information from around the country and see how well the service validates the information. Include someone who has been in place for a while, one that has recently moved and one that owns multiple properties.

How do this Work

If using it as a manual tool, you would enter the individual’s address and phone information into a hosted screen or utility their IT shop has set up for you, and the service or application would come back with some mix of the following types of reverse look up results:

I input the address and phone and it gave me the name of the person associated with each piece.

I input the phone number only and it gives the address and name associated with it.

I input an address and it gives me the phone and name associated with it.

 

How do you use the results?

You verify this data and see if it matches. You can do this test on the billing and/or shipping address. But beware — there are a lot of valid reasons why the shipping address could be different. If, however, you got a full match on AVS and you cannot validate the address, contact the bank. If you got a full match on AVS but cannot match the phone information contact the consumer for the correct information, or the bank if the number ends up being incorrect.

back to top

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Velocity

back to top       Velocity Of Use Technique Overview

The intent of velocity of use is to look for suspicious behavior based on the number of associated transactions a consumer is attempting. It works based on counting the number of uses of a data element within a predetermined timeframe. The theory is the higher the number of uses on a data element (e.g., credit cards) in a predefined time period (e.g., 24 hours), the higher the risk of taking an order.

Key considerations when implementing or buying this functionality include:

  • Decide up front on the data elements you want to perform velocity of use checks on. You will also need to know the number of uses you want to flag and the time intervals you want look in.
  • You will have to perform some normalization on the addresses if you are doing this in-house to ensure you get matches.
  • Make sure you are logging usage for all attempts, not just completed or valid orders.
  • Plan on maintaining data for at least 12 months. I recommend 18 months.
  • Will you want to have a pass/fail velocity of use check or a graduated scale type of solution? The graduated scale adds more risk as the number of uses increases. So a set of 3 orders happening in 5 minutes would have more risk than a set of 3 orders happening over 30 days.
  • There is a distinct advantage to using a third-party service that combines data from multiple merchants or banks to track velocity of use, as you get a much fuller picture on activity by a potential fraudster and have a better chance at picking up on run-up activity.

How do this Work

The velocity of use technique requires a supporting database and two calls to work. One call increases the count on a data element while the second call does a look up to see what the count is. If you are using a commercial solution or you are getting this functionality from a commercial fraud-screening service, you will only see one call to acquire this information as the solution will hide these calls from you

Based on the look up call you will get a pass or fail type of response and you will have to decide to reject, review or pass the order to another sales channel, such as a telephone order.

There are three components to performing a velocity of use check: the data element, the count and the time interval.

Typically the data elements used for velocity of use are the address (street address, state, zip code), phone number, credit card number and e-mail address. Name is not recommended as there are to many people with similar names and this could really kill their sales or fill their manual review bins. The address has to be looked at in whole, not in parts, counting the number by state or zip code can raise a lot of false alarms. If you typically don’t do a lot of business in one location in a short timeframe you may want to look at zip code or state. Likewise if you have identified a hot spot by zip code, you should apply a rule to perform further fraud-prevention tests on that order.

The count and timeframe are very tightly joined. There is no hard, set rule on what number of changes and timeframe to look at. In general you need to understand your good customers, know if you get a lot of repeat business, know if is it typical for your customers to make more than one purchase per day, week or year. You also need to think about when it becomes completely unrealistic.

Examples:

1) I sell printer ink, paper and refills – I would expect my customers to be repeat customers, and I would assume on non-b2b orders that consumers would not typically make more than one purchase per day, but it would not be unusual for a consumer to do two orders in one day, but three or more orders in one day would be highly suspect.

2) I sell laptop computers – I would expect my b2c customers to have more one time purchases with at least 12 months time between orders. I would be suspect of any b2c customer making more than one order per day on computers. This does not mean ordering more than one computer in an order, this means placing two separate orders for computers in one day or week.

3) I sell jewelry – I would expect my b2c customers to only make one purchase a day, and would be very suspect of two or more orders in a day. I would be somewhat suspect of more than one order in a week or month, and would want to take a closer look, and I routinely have b2c customers that make more than one purchase in a year.

4) I sell rechargeable cell phones – I would be highly suspect of more than one recharge in a day, I would be slightly suspect of more than one recharge in a week, and expect a recharge every other week or once a month.

The better commercial solutions, usually fraud-screening services, don’t simply pass and fail on velocity of use. They actually increment the level of risk by the number of uses until they reach a point that they reject the order. This is usually only found in solutions that allow weighting of tests. For example: If I am looking at a time interval of 15 minutes and a credit card number with only one use comes up I would get no added risk, but if the same credit card showed up twice in 5 minutes I would give it high risk. The more attempts in the time period, the higher the risk goes. Likewise the more time that passes between attempts, the lower the risk.

Set up a process that mandates that all attempted orders are logged into velocity, not just valid sales.

 

How do you use the results?

Log all attempted transactions, not just valid orders coming into the system.

Merchants can set up their velocity of use tests to look for orders to review or reject, but if you are going to reject based on velocity of use, make sure they fail other fraud tests as well. If the only test they fail is velocity of use, we would recommend you call the customer to validate the purchases.

90 days is the magic number before charge-backs appear, which means they won’t appear on a hot list until up to 90 days. Some fraudsters will time their attacks so orders are coming in at odd intervals: one order today, next one in three days, the next in one week, the next in four days etc. Make sure some of your velocity of use tests are looking at activity within the 90-day window. You can do this in real time, or to save processing time in the upfront orders set up an off-line batch routine that looks at activity by accounts or orders to establish counts over the 90-day window.

If someone fails this test and you are looking at a time period less than 24 hours, MAKE SURE YOU CANCEL OR PUT ON HOLD the original orders.

  Did You Know

Velocity of use counts the number of transaction attempts associated with common data elements, such as a credit card number or address, as a means of looking for suspicious behavior.

Velocity of use is a building block of any serious fraud-prevention solution. Keeping track of the number of uses by different data elements allows you to spot unusual trends and it allows you spot run-up activity. Most major fraud-screening solutions have this type of functionality built into it.

Velocity of use is good for detecting fraud rings, multiple fraud attacks from the same perpetrator and also can catch some forms of identity morphing. The more data elements you can track velocity of use on, the more effective the tool is. Good data elements to perform this test on are: credit card number, address, phone number, e-mail address and account number. If you establish accounts for your customers, perform velocity of use on the number of accounts associated with a particular individual.
 

back to top

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

The CV number

back to top    CV number

The CV number is a tool for merchants to verify that the consumer is in possession of the card. This helps to prevent fraud in which the fraudster may have acquired the credit card number in the trash or online, but is not in possession of the physical card and cannot give this extra set of numbers. This number is a three or four digit number located either above the credit card number for American Express cards or on the back for Discover, MasterCard and Visa. Key considerations when implementing or buying this functionality include:

  • When a merchant implements this check on their website they will have to change their credit card submittal screen to show a picture of the credit card and where to find this number because a lot of consumers have no idea what this number is. It can cause some confusion and some additional customer service calls to complete an order.
  • Does not actually verify that the cardholder is making the purchase.
  • Not all consumers understand what/where this number is on their card.
  • Make sure all payment processors or banking institutions in use for payment support the card security check data elements.

 

How do this Work

The card security code is a three- or four-digit value. It has been implemented as a security feature to help stop counterfeit cards, and use of card numbers without the physical card. The value provides a cryptographic check of the information embossed on the card.

The three-digit number is derived from the card account number by means of an algorithm and a “seed.” It is possible to have repeat numbers, about every 900 cards there is a repeat. There would never be a number of all zeros or all zeros and a single one.

The card security value is printed on the signature panel on the back of Visa cards immediately following the Visa card account number or on the front of American Express cards just after the account number.

The Card Security Scheme validates two things:

  • 1) The customer has a card in his/her possession.
  • 2) The card account is legitimate.

The card security number is not contained in the magnetic stripe information, nor does it appear on sales receipts. Using the card security scheme helps to prevent merchants from receiving counterfeit cards or being a victim of fraud.

For transactions conducted over the Internet, you may ask cardholders for their CVV2 online. Their Internet screen might include these elements, for example:

CVV1

CVV2

 

 

 

 

 

Include CVV2 in Authorization Requests.

Authorization requests must include at least: The account number, expiration date, CVV2 value, and transaction dollar amount.

To learn more about the benefits of CVV2 and CVV2 technical requirements, contact the card association.

 

How do you use the results?

When a merchant processed their authorization call they will get back a “match” or “no match” response. If they receive a no-match I recommend an auto decline. Merchants should tell the consumer they cannot validate the card security number they submitted, and ask them to call in their order to their call center. This allows the merchant to coach a legitimate consumer to find the card security number.

back to top

Free Web Hosting