May 19, 2014 – The Newest Trend in Credit Card and Identity Fraud
We have reported much in recent months regarding the increasing sophistication of ID thieves, and the huge supply of compromised credit card and ID data that has come onto the dark markets as a result of the high-profile data breaches at retailers around the globe.
One trend our customers have reported in recent months is an increase in incidents of “buy-online, pickup in-store” fraud.
Retailers become Hybrid Channel Operators
Retailers have struggled to handle the competition from pure-online internet “eTailers”. The last decade and more has been a struggle to reconcile the channel conflict experienced by the traditional retail industry, which typically conducted business with its customers in-person at the store, or via catalogue sales. Much has been written about how retail businesses were losing customers who were often seen coming to the store to look at and touch the product in-person, then buying online from competitors who could afford lower margins on the product due to their lower expenses resulting from not having to operate physical store locations.
As a result, most major retailers either already have, or are in the process of creating programs allowing their customers to buy the product online through their eCommerce portal, and to pick up the item immediately at a local store location. Today, a Google search was conducted using the search term “buy online pickup in store” and the first ten results were websites from many of the major U.S. retailers featuring details of their programs. In order of appearance:
As can be seen, the major players in the retail industry are pursuing this channel vigorously.
Online Sales are Prone to Fraud
What FraudFighter has heard from several enterprise retail customers is that the move to “buy online, pickup in-store” has resulted in a spike in fraudulent transactions. This should not be surprising. Online retailers can tell you that they have experienced fraudulent transaction rates that often run 3-5 times as great as those seen in traditional brick-and-mortar stores.
The reasons for this difference in fraud levels are fairly understandable. Criminals using fraudulent documents are much safer doing so from the anonymous internet than in person in the store.
However, “buy online, pickup in-store” is particularly vulnerable to fraud. Consider the following:
Fraudsters don’t always know whether the stolen credit card data they have obtained is still valid. By shopping online, the criminal can try multiple credit cards until he/she finds one that works.
  o Only after successfully creating one or more transactions will the bad guys then produce (or order from a dark-market vendor) a fraudulent plastic credit card and matching driver license containing the name and address of the person who owns the credit card. The fake ID will feature the criminal’s picture with the card-holder's name.
One of the steps online retailers have taken to avoid fraudulent card transactions is to demand that the billing address matches the shipping address. With the pick-up in store option, this validation technique is eliminated.
  o It should be noted, however, that many pure-online retailers do NOT require this technique, and have opted for other validation methods, which helps explain the extremely high rates of fraud seen in the online channel.
Retailers utilizing the “buy online, pickup in-store” strategy rarely require the customer to “swipe” the credit card during product pick-up. Thus, fraudulent credit cards produced during the transaction need not even be minimally functional, e.g., a magnetic stripe encoded with the stolen card data need not be created.
Thus, the practice of buy online, pickup in-store actually plays into the hands of the criminal, because it removes a great deal of the jeopardy that they might normally experience for attempting to conduct a fraudulent purchase.
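The card-cycling pattern described above leaves a trace in the online payment log before anyone arrives at the store. The following sketch is an added example, not FraudFighter's or any retailer's code; the record layout, field names, tokens and thresholds are all assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample of online payment attempts (all values are made up).
# Fields: timestamp, account, card token, fulfillment, result, order id
ATTEMPTS = [
    ("2014-05-19T10:00:05", "acct-17", "tok-a1", "pickup", "declined", None),
    ("2014-05-19T10:01:10", "acct-17", "tok-b2", "pickup", "declined", None),
    ("2014-05-19T10:02:30", "acct-17", "tok-c3", "pickup", "approved", "ord-9001"),
    ("2014-05-19T11:15:00", "acct-42", "tok-d4", "pickup", "approved", "ord-9002"),
    ("2014-05-19T12:00:00", "acct-58", "tok-e5", "ship", "declined", None),
    ("2014-05-19T12:03:00", "acct-58", "tok-f6", "ship", "approved", "ord-9003"),
    ("2014-05-19T09:00:00", "acct-63", "tok-g7", "pickup", "declined", None),
    ("2014-05-19T15:00:00", "acct-63", "tok-g7", "pickup", "approved", "ord-9004"),
]


def pickup_orders_needing_checks(attempts, window=timedelta(hours=1), max_cards=2):
    """Return {order_id: reason} for approved in-store pickup orders where the
    same account tried more than `max_cards` distinct cards within `window`
    before the approval (several cards tried until one works)."""
    parsed = sorted(
        ((datetime.fromisoformat(ts), acct, card, ful, res, oid)
         for ts, acct, card, ful, res, oid in attempts),
        key=lambda a: a[0],
    )
    flagged = {}
    for when, acct, card, ful, res, oid in parsed:
        # Only approved pickup orders: these skip the billing/shipping match.
        if ful != "pickup" or res != "approved":
            continue
        recent = [a for a in parsed
                  if a[1] == acct and when - window <= a[0] <= when]
        cards = {a[2] for a in recent}
        declines = sum(1 for a in recent if a[4] == "declined")
        if len(cards) > max_cards:
            flagged[oid] = f"{len(cards)} cards, {declines} declines in window"
    return flagged


if __name__ == "__main__":
    for order, reason in pickup_orders_needing_checks(ATTEMPTS).items():
        print(order, "->", reason)
```

Orders flagged this way can be marked so that the pickup counter requires the card to be swiped and the ID to be checked before the goods are released.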
A Sensible Solution
Most retailers may not have much in the way of resources available to combat this newer issue. However, if past experience is any guide, we should anticipate that widespread exploitation of the vulnerability will begin as word of the easy opportunity for earnings spreads among the criminal community.
Fortunately, it is not necessary to implement a remarkably expensive or complex solution to deal with this issue.
At the most fundamental level, this type of fraud can be prevented by ID authentication and/or document validation at the point of transaction where these customers are processed in-store. Stated another way: verify that the person is who they say they are by checking to make sure that the credit card and ID document they are presenting are not counterfeits.
The simplest and lowest-cost method to achieve these results is to implement ultraviolet document verification scanners at the transaction counters. FraudFighter UV detectors, such as the nation’s best-selling device, the UV-16, allow the user to authenticate driver licenses, credit cards, passports and a variety of other important transactional documents, such as currency, traveler's checks, money orders, and more. The test is simple, instant and highly accurate.
Best of all, the equipment can be had for significantly less than $100, and does not require an IT person or an operations specialist to install. Just plug it in, turn it on, and you’re in business!