Endpoint
10/15/2012
03:12 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Merchants Fighting Fraud Online -- But Not Effectively, Reveals Study By SignatureLink And CardNotPresent.com

Study respondents are not only aware of fraud, a full 65% are attempting to address it through active verification systems

RIDGELAND, Miss. and NEWBURYPORT, Mass., Oct. 15, 2012 /PRNewswire/ -- Although most merchants have made a concerted effort to fight e-commerce fraud, their methods are largely ineffective against fraudsters and off-putting to consumers, according to a new survey conducted jointly by leading card-not-present (CNP) industry news source CardNotPresent.com and eCommerce stabilizer SignatureLink, Inc.

The SignatureLink SecureBuy(TM) 2012 CNP Fraud Study, conducted in August and September 2012, polled 379 online and offline merchants of all sizes about their anti-fraud efforts.

CardNotPresent.com and SignatureLink expected to find that many merchants were ignoring the threat of payment fraud and simply accepting chargebacks as a cost of doing business online. As it turns out, study respondents are not only aware of fraud, a full 65% are attempting to address it through active verification systems like Verified by Visa and MasterCard SecureCode. That's an admirable effort, said SignatureLink CEO Greg Wooten, but it's often a case of the cure being worse than the disease.

"We applaud the many merchants using active authentication techniques," Wooten stated, "but the user experience could be improved among legitimate customers by deploying risk-based passive authentication to invoke active authentication."

The study also showed that 52% of merchants are performing pre-fraud screening, typically geolocation of the customer's IP address. Unfortunately, fraudsters can easily manipulate those screening solutions.

"Very few merchants are using second-generation geolocation solutions,"

explained Wooten. "The problem is that a fraudster with any skill whatsoever simply spoofs his IP address and easily bypasses a first-generation geolocation filter. The merchant ends up with a false sense of security while remaining vulnerable to fraud."

Perhaps the greatest opportunity for merchants to shore up their e-commerce fraud fighting efforts lies in chargeback prevention and management. The SignatureLink SecureBuy(TM) 2012 CNP Fraud Study revealed that only 10% of merchants collect the buyer's consent to their terms and conditions (T&Cs) and refund policies through voice or signed consent. Of the remaining 90% of merchants, 50% simply require the customer to check a box during the online checkout process, and 40% never require the buyer to consent to anything at all.

That means 90% of merchants engaging in e-commerce are leaving themselves wide open to Cybershoplifting(TM), where the customer makes a purchase, receives the merchandise, and then disputes the transaction with his or her credit card company, triggering chargebacks for merchants.

"That in itself is a problem," noted Steven Casco, founder and publisher of CardNotPresent.com, "because our study also found that over 60% of merchants never have the buyer's signature on file for any transaction, and over half of merchants lose the chargeback representment process almost every time."

Moreover, a link or pop-up to a merchant's T&C does not solve the problem. "This approach is not in line with current regulatory standards and is actually considered deceptive," stated Wooten. "There's no way for either side to prove their case or to determine what the T&Cs were for a given transaction. Had they captured a signature within the sales draft that carried a true chain of custody, it would be a different story -- because in the e-commerce fraud space, the signature ultimately rules."

The full results of the SignatureLink SecureBuy(TM) 2012 CNP Fraud Study are available at: http://www.signaturelink.com/2012-cnp-fraud-study.html

About CardNotPresent.com

As one of the only sources of content focused solely on the growing card-not-present (CNP) segment of the payments industry, CardNotPresent.com is an independent voice generating original news, information, education and inspiration for and about the companies and people operating in the CNP space.

The company's media platforms include the CardNotPresent.com portal, CNP Report, CNP Expo, and CNP Awards. Sign up for free to receive the twice-weekly CNP Report featuring comprehensive coverage of the CNP payments space at www.cardnotpresent.com/signup/

About SignatureLink, Inc.

Founded in 2002, SignatureLink, Inc. is the eCommerce stabilizer. The company debuted its patented, electronic handwritten signature technology -- the online signature pad -- in 2005. Since then, SignatureLink has diligently developed products that help online retailers successfully fight Cybershoplifting(TM) and other forms of eCommerce fraud to lower the cost of payment acceptance and increase profits. Visit http://www.signaturelink.com for more information.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3580
Published: 2014-12-18
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-4801
Published: 2014-12-18
Cross-site scripting (XSS) vulnerability in IBM Rational Quality Manager 2.x through 2.0.1.1, 3.x before 3.0.1.6 iFix 4, 4.x before 4.0.7 iFix 2, and 5.x before 5.0.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

CVE-2014-6076
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allow remote attackers to conduct clickjacking attacks via a crafted web site.

CVE-2014-6077
Published: 2014-12-18
Cross-site request forgery (CSRF) vulnerability in IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.

CVE-2014-6078
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 do not have a lockout period after invalid login attempts, which makes it easier for remote attackers to obtain admin access via a brute-force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.