10/15/2012
03:12 PM
Dark Reading
Products and Releases

Merchants Fighting Fraud Online -- But Not Effectively, Reveals Study By SignatureLink And CardNotPresent.com

Study respondents are not only aware of fraud; a full 65% are attempting to address it through active verification systems

RIDGELAND, Miss. and NEWBURYPORT, Mass., Oct. 15, 2012 /PRNewswire/ -- Although most merchants have made a concerted effort to fight e-commerce fraud, their methods are largely ineffective against fraudsters and off-putting to consumers, according to a new survey conducted jointly by leading card-not-present (CNP) industry news source CardNotPresent.com and eCommerce stabilizer SignatureLink, Inc.

The SignatureLink SecureBuy(TM) 2012 CNP Fraud Study, conducted in August and September 2012, polled 379 online and offline merchants of all sizes about their anti-fraud efforts.

CardNotPresent.com and SignatureLink expected to find that many merchants were ignoring the threat of payment fraud and simply accepting chargebacks as a cost of doing business online. As it turns out, study respondents are not only aware of fraud; a full 65% are attempting to address it through active verification systems like Verified by Visa and MasterCard SecureCode. That's an admirable effort, said SignatureLink CEO Greg Wooten, but it's often a case of the cure being worse than the disease.

"We applaud the many merchants using active authentication techniques," Wooten stated, "but the user experience could be improved among legitimate customers by deploying risk-based passive authentication to invoke active authentication."

The study also showed that 52% of merchants are performing pre-fraud screening, typically geolocation of the customer's IP address. Unfortunately, fraudsters can easily manipulate those screening solutions.

"Very few merchants are using second-generation geolocation solutions," explained Wooten. "The problem is that a fraudster with any skill whatsoever simply spoofs his IP address and easily bypasses a first-generation geolocation filter. The merchant ends up with a false sense of security while remaining vulnerable to fraud."

Perhaps the greatest opportunity for merchants to shore up their e-commerce fraud fighting efforts lies in chargeback prevention and management. The SignatureLink SecureBuy(TM) 2012 CNP Fraud Study revealed that only 10% of merchants collect the buyer's consent to their terms and conditions (T&Cs) and refund policies through voice or signed consent. Of the remaining 90% of merchants, 50% simply require the customer to check a box during the online checkout process, and 40% never require the buyer to consent to anything at all.

That means 90% of merchants engaging in e-commerce are leaving themselves wide open to Cybershoplifting(TM), where the customer makes a purchase, receives the merchandise, and then disputes the transaction with his or her credit card company, triggering chargebacks for merchants.

"That in itself is a problem," noted Steven Casco, founder and publisher of CardNotPresent.com, "because our study also found that over 60% of merchants never have the buyer's signature on file for any transaction, and over half of merchants lose the chargeback representment process almost every time."

Moreover, a link or pop-up to a merchant's T&C does not solve the problem. "This approach is not in line with current regulatory standards and is actually considered deceptive," stated Wooten. "There's no way for either side to prove their case or to determine what the T&Cs were for a given transaction. Had they captured a signature within the sales draft that carried a true chain of custody, it would be a different story -- because in the e-commerce fraud space, the signature ultimately rules."

The full results of the SignatureLink SecureBuy(TM) 2012 CNP Fraud Study are available at: http://www.signaturelink.com/2012-cnp-fraud-study.html

About CardNotPresent.com

As one of the only sources of content focused solely on the growing card-not-present (CNP) segment of the payments industry, CardNotPresent.com is an independent voice generating original news, information, education and inspiration for and about the companies and people operating in the CNP space.

The company's media platforms include the CardNotPresent.com portal, CNP Report, CNP Expo, and CNP Awards. Sign up for free to receive the twice-weekly CNP Report featuring comprehensive coverage of the CNP payments space at www.cardnotpresent.com/signup/

About SignatureLink, Inc.

Founded in 2002, SignatureLink, Inc. is the eCommerce stabilizer. The company debuted its patented, electronic handwritten signature technology -- the online signature pad -- in 2005. Since then, SignatureLink has diligently developed products that help online retailers successfully fight Cybershoplifting(TM) and other forms of eCommerce fraud to lower the cost of payment acceptance and increase profits. Visit http://www.signaturelink.com for more information.
