10/15/2012
03:12 PM
Dark Reading
Products and Releases

Merchants Fighting Fraud Online -- But Not Effectively, Reveals Study By SignatureLink And CardNotPresent.com

Study respondents are not only aware of fraud; a full 65% are attempting to address it through active verification systems

RIDGELAND, Miss. and NEWBURYPORT, Mass., Oct. 15, 2012 /PRNewswire/ -- Although most merchants have made a concerted effort to fight e-commerce fraud, their methods are largely ineffective against fraudsters and off-putting to consumers, according to a new survey conducted jointly by leading card-not-present (CNP) industry news source CardNotPresent.com and eCommerce stabilizer SignatureLink, Inc.

The SignatureLink SecureBuy(TM) 2012 CNP Fraud Study, conducted in August and September 2012, polled 379 online and offline merchants of all sizes about their anti-fraud efforts.

CardNotPresent.com and SignatureLink expected to find that many merchants were ignoring the threat of payment fraud and simply accepting chargebacks as a cost of doing business online. As it turns out, study respondents are not only aware of fraud; a full 65% are attempting to address it through active verification systems like Verified by Visa and MasterCard SecureCode. That's an admirable effort, said SignatureLink CEO Greg Wooten, but it's often a case of the cure being worse than the disease.

"We applaud the many merchants using active authentication techniques," Wooten stated, "but the user experience could be improved among legitimate customers by deploying risk-based passive authentication to invoke active authentication."

The study also showed that 52% of merchants are performing pre-fraud screening, typically geolocation of the customer's IP address. Unfortunately, fraudsters can easily manipulate those screening solutions.

"Very few merchants are using second-generation geolocation solutions," explained Wooten. "The problem is that a fraudster with any skill whatsoever simply spoofs his IP address and easily bypasses a first-generation geolocation filter. The merchant ends up with a false sense of security while remaining vulnerable to fraud."

Perhaps the greatest opportunity for merchants to shore up their e-commerce fraud fighting efforts lies in chargeback prevention and management. The SignatureLink SecureBuy(TM) 2012 CNP Fraud Study revealed that only 10% of merchants collect the buyer's consent to their terms and conditions (T&Cs) and refund policies through voice or signed consent. Of the remaining 90% of merchants, 50% simply require the customer to check a box during the online checkout process, and 40% never require the buyer to consent to anything at all.

That means 90% of merchants engaging in e-commerce are leaving themselves wide open to Cybershoplifting(TM), where the customer makes a purchase, receives the merchandise, and then disputes the transaction with his or her credit card company, triggering chargebacks for merchants.

"That in itself is a problem," noted Steven Casco, founder and publisher of CardNotPresent.com, "because our study also found that over 60% of merchants never have the buyer's signature on file for any transaction, and over half of merchants lose the chargeback representment process almost every time."

Moreover, a link or pop-up to a merchant's T&C does not solve the problem. "This approach is not in line with current regulatory standards and is actually considered deceptive," stated Wooten. "There's no way for either side to prove their case or to determine what the T&Cs were for a given transaction. Had they captured a signature within the sales draft that carried a true chain of custody, it would be a different story -- because in the e-commerce fraud space, the signature ultimately rules."

The full results of the SignatureLink SecureBuy(TM) 2012 CNP Fraud Study are available at: http://www.signaturelink.com/2012-cnp-fraud-study.html

About CardNotPresent.com

As one of the only sources of content focused solely on the growing card-not-present (CNP) segment of the payments industry, CardNotPresent.com is an independent voice generating original news, information, education and inspiration for and about the companies and people operating in the CNP space.

The company's media platforms include the CardNotPresent.com portal, CNP Report, CNP Expo, and CNP Awards. Sign up for free to receive the twice-weekly CNP Report featuring comprehensive coverage of the CNP payments space at www.cardnotpresent.com/signup/

About SignatureLink, Inc.

Founded in 2002, SignatureLink, Inc. is the eCommerce stabilizer. The company debuted its patented, electronic handwritten signature technology -- the online signature pad -- in 2005. Since then, SignatureLink has diligently developed products that help online retailers successfully fight Cybershoplifting(TM) and other forms of eCommerce fraud to lower the cost of payment acceptance and increase profits. Visit http://www.signaturelink.com for more information.
