HB Prinsloo
CDE (A division of Comparex Africa (Pty) Ltd)
hermanp@ComparexAfrica.co.za
Abstract:
1 INTRODUCTION
From the submission of this article’s abstract to the actual writing of this text,
e-fraud has gained prominence in the South African news as a result of the
theft of a relatively large sum of money between May and July 2003 by one
cyber criminal from the Internet bank accounts of 10 clients of the
Amalgamated Banks of South Africa Group (ABSA Bank), one of the largest
banking groups in South Africa. A suspect was arrested towards the end of
July and charged with 10 counts of fraud (Cruywagen, 2003:3).
This was the first major incident of e-fraud to make news headlines over a
number of weeks in South Africa. It has had the widest potential effect as the
vast majority of the Internet using population in South Africa use Internet
Banking as a convenient and cost-effective way of managing their personal
financial affairs.
Although it has only gained prominence in the minds of the general public
recently, e-fraud has been with us in many guises for a number of years.
Cyber crimes can range from economic offences (fraud, theft, industrial
espionage, sabotage and extortion, product piracy, etc.) to infringements on
privacy, propagation of illegal and harmful content, facilitation of prostitution
and other moral offences, as well as organised crime (cf. Goodman,
1997:468, Golubev, 2003:2; PCB, 2001a:8; Turnbull, 2001:5). At its most
severe cyber crime borders on terrorism, encompassing attacks on human life
and against national security establishments, critical infrastructure, and other
vital elements of society (cf. Sweet, 2003:1; Messmer, 2002:1; CERT/CC,
2002:5; Schneier, 2003:1).
Koenig (2001:8) defines cyber crime as: “A criminal offence that has been
created or made possible by the advent of computer technology, or a
traditional crime which has been so transformed by the use of a computer that
law enforcement investigators need a basic understanding of computers in
order to investigate the crime.” Broadly, this definition covers two
types of offences:
• Crimes against computers or information on computers (e.g. attacks on
network confidentiality, integrity and/or availability i.e. infringements on
privacy, unauthorised access to and illicit tampering with systems,
programs or data)
• Traditional crimes that are committed with the use of computers or some
form of information and communication technology (e.g. industrial
espionage, theft, forgery, extortion, propagation of illegal and harmful
content, facilitation of prostitution, etc.) (cf. McConnell International,
2000:1; Goodman, 1997:468; Turnbull, 2001:8).
people-based, whereas the following are the means most often used to
commit crimes on-line:
• Message interception and alteration
• Unauthorised account access
• Identity theft
• Manipulation of stocks and bonds
• Extortion
• Unauthorised system access (e.g. system damage, degradation, or
denial of service)
• Industrial espionage
• Manipulation of e-payment systems
• Credit Card Theft (cf. Glaessner et al. 2002:24; Graycar & Smith, 2002:4;
& Centeno, 2002:11).
• Vulnerability of electronic data-processing media
The content and nature of the data on a storage device is not visible to
the technicians handling it. Very sensitive data can be handled
carelessly without the handler being aware of either the risk or the nature
of the data. Equipment can be stolen from cars, or disks that contain
very sensitive information can be mislaid.
• Human factors
In nearly any ICT environment, certain individuals require access to very
sensitive information. A young IT technician could, for instance, have
access to an organisation’s payroll data or R&D archive for the purpose
of creating backups. Such a person could succumb to temptation, be
bribed by competitors, or become disillusioned and destroy or
disseminate very sensitive information, leaving very little evidence.
“Insider” (full- or part-time employees, contracted workers, consultants,
partners or suppliers) security incidents such as access abuse and
equipment theft occur far more frequently than “external” attacks (cf. UN,
1994:7, 10; Settle, 2000:4; Centeno, 2002:14; Smith 1999b:5).
Alarmingly, very few companies do standard background checks on staff
members who are employed to work with sensitive data and are granted
unrestricted access to systems (Graycar & Smith, 2002:7). A trusted
insider may be recruited covertly by hostile parties long before any action
associated with an actual attack (the so-called “sleeper” problem) or
tricked into taking some action that breaches system security e.g. tricked
into disclosing a password or opening an e-mail attachment that installs
software that permits access by malicious outsiders (CSTB, 2002:5).
Personal financial pressure is the most widely reported warning signal
exhibited by employees prior to the discovery of internal fraud (KPMG,
1999:16).
• Attack tool developers are using more advanced techniques than
previously. Attack tool signatures are more difficult to discover through
analysis and more difficult to detect through signature-based systems
such as antiviral software and intrusion detection systems. Three
important characteristics are the anti-forensic nature, dynamic behaviour
and modularity of the tools. As an example of the difficulties posed by
sophisticated attack tools, many common tools use protocols like IRC or
HTTP (HyperText Transfer Protocol) to send data or commands from the
intruder to compromised hosts. As a result, it has become increasingly
difficult to distinguish attack signatures from normal, legitimate network
traffic (CERT/CC, 2002:2; PCB, 2001a:8).
• Firewalls are often relied on to provide primary protection from intruders.
However, technologies are being designed to bypass typical firewall
configurations; for example, IPP (the Internet Printing Protocol) and
WebDAV (Web-based Distributed Authoring and Versioning). Some
protocols marketed as being “firewall friendly” are, in reality, designed to
bypass typical firewall configurations. Certain aspects of “mobile-code”
(ActiveX controls, Java and JavaScript) make it difficult for vulnerable
systems to be protected and for malicious software to be discovered
(CERT/CC, 2002:2).
• Because of the advances in attack technology, a single attacker can
employ a large number of distributed systems to launch devastating
attacks against a single victim relatively easily. As the automation of
deployment and the sophistication of attack tool management both
increase, the asymmetric nature of the threat will continue to grow
(CERT/CC, 2002:3).
• The speed at which crimes can be committed.
• The fact that a crime is not always immediately apparent. A cyber
criminal can hack into a system and plant a program that is only
scheduled to do something at some time in the future. Similarly, a cyber
criminal can invade the computer of an innocent person and launch an
attack from the computer making it appear that the owner of the
computer perpetrated the crime. This makes it very difficult to catch and
prosecute proficient cyber criminals (CSTB, 2002:5).
• The lack of risk awareness.
• Merchants are often small and new with limited security skills and
budgets. They are selling new goods (digital content) that are more
vulnerable to fraud (Experian, 2000:2).
• The lack of cyber security skills and tools. Organisations often overlook
significant risks i.e. system providers do not produce systems that are
immune to attack, network and system operators do not have the
personnel and practices in place to defend themselves against attacks
and minimise damage (CERT/CC, 2001:1).
• Users are more vulnerable. With increasing Internet connectivity from
home and increasing PC power (available for hackers), average users
know little about risks and the security tools available to protect their
computers from external attacks.
• Global reach (including issues of jurisdiction, disparate criminal laws and
the potential for large-scale victimisation) makes legal prosecution more
difficult. Because transaction amounts are generally low, the electronic
evidence tools and skills available are very limited. Legislation has not
yet been fully adapted to the Internet environment and, where
transactions have taken place across borders, complex jurisdictional and
procedural issues may arise. The technical and legal complexities of
investigating and prosecuting cyber crimes are complicated by the
relatively low value of individual fraudulent transactions as well as the
complex legal process for prosecuting cases of fraud within the legal
systems of more than one country (cf. Experian, 2000:13; Smith 2002:5;
CSTB, 2002:3).
• Telecommunications can be used to further criminal conspiracies.
Because of sophisticated encryption systems and high-speed data
transfers, it is difficult for law enforcement agencies to intercept
information about criminal activities. This has particular relevance to
new international criminal activities (Giddens & Duneier, 2003:201).
• The volatility or transient nature of evidence, including no collateral or
forensic evidence such as eyewitnesses, fingerprints or DNA.
• The high cost of investigations
(cf. Centeno, 2002:3; Etter, 2001b:27; Etter, 2001a:6; Etter, 2002:5, 12;
Graycar & Smith, 2002:2; Groebel et al., 2001:25 & McConnell
International, 2000:2).
According to Centeno (2002:12), the most common types of on-line card fraud
reported are:
• Bogus merchants collecting card data and disappearing, charging either
unauthorised transactions, transaction amounts higher than agreed or
unauthorised recurring transactions
• Transactions performed with stolen card data (in the physical world or
obtained through intrusion in merchant servers) or data generated with
software tools
• Consumers fraudulently denying transactions and getting a transaction
reversed based on “card not present” legislation. Transaction reversal
and refund, also called charge backs, are estimated to be 12 times more
frequent for e-commerce than in the physical world, and two to three
times more than for “MOTO” (Mail Order Telephone Order) sales.
With a view to understanding what security measures are needed and, based
on results of the analysis of fraud figures available, on-line payment risks can
be classified into the following four categories:
1. Risk of merchant fraudulent behaviour: bogus merchants carrying out
data capture, disappearing and charging unauthorised transactions;
charging transaction amounts higher than agreed; charging unauthorised
recurrent payments.
2. Risk of identity and payment data theft for further fraudulent use on the
Internet or in the physical world (purchase, fraudulent card application,
account take-over). Identity data can be stolen through e-mail (or even
phone) scam, or through on-line unauthorised access to merchant or ISP
servers, to bank servers, to consumers’ PCs or to transactional data.
3. Risk of impersonation i.e. fraudulent use of (stolen) consumer identity
and/or payment data, or software generated account numbers for
purchasing.
4. Risk of a consumer fraudulently denying a transaction (cf. Centeno,
2002:3, 19; Graycar & Smith, 2002:4).
Etter (2001b:23) observes that it would seem that people who would not
dream of stealing or maliciously damaging other people’s property in real life
have no qualms or second thoughts about the opportunities and challenges
presented by the Internet.
hack into and steal telecommunications services means that people can
conduct illicit business without being detected or simply manipulate
telecommunication and cell phone services in order to receive free or
discounted telephone calls. Giddens & Duneier (2003:201) and PCB
(2001a:3) identify two types of hackers, namely, internal (including Internal
Saboteurs) and external (including Political Hackers or Hacktivists, who hack
either to highlight a lack of security or for personal reasons i.e. grudges).
Today most official documents are produced via a printout from a computer.
Fraudulent altering and counterfeiting of documents have become easier with
the availability of inexpensive, high quality scanners and colour printers (UN,
1994:14).
Viruses and other types of malicious code like “worms” and logic bombs can
be very destructive. A calamitous virus may delete files or permanently
damage systems. A Trojan horse, masquerading as a utility e.g. anti-virus
software or animation, may copy user IDs and passwords, erase files or
release viruses (Groebel et al, 2001:52; PCB, 2001a:8). The effect of viruses
and other malicious programs is referred to as computer sabotage.
Computer sabotage can be the vehicle for gaining economic advantage over
a competitor, for promoting the illegal activities of ideologically motivated
terrorists or for stealing data or programs (also referred to as "bitnapping") for
extortion purposes (UN, 1994:15).
On-line casinos have proliferated widely, despite the fact that gambling is
illegal in many jurisdictions. The Internet is also being used to distribute
drugs, pharmaceuticals, tobacco and liquor, again regardless of jurisdictional
prohibitions. It is difficult to control pornography and offensive content in
cyberspace (Giddens & Duneier, 2003:201).
Cyber homicide - using computer technology to kill someone - has not yet
been reported but could be perpetrated in future. An aspiring mass murderer
could, for example, hack into a hospital’s computer system, learn about the
medication prescribed for patients and alter the dosages, causing them to die
(cf. Sweet, 2003:1; CSTB, 2002:6).
Pollitt (1997:285) defines cyber terrorism as a “pre-meditated, politically
motivated attack against information, computer systems, computer programs,
and data which results in violence against non-combatant targets by
sub-national groups or clandestine agents”. There is a heightened vulnerability to
electronic vandalism and terrorism in western society today due to the fact
that much of modern life depends on computers and computer networks. For
many people, the most visible interaction they have with computers is typing
at the keyboard of a computer. Less visible are the computers and networks
that are critical for key functions such as managing and operating nuclear
power plants, dams, electric power grids, air traffic control systems and
financial infrastructures. Computers are also instrumental in the day-to-day
operations of companies, organisations and government. Companies large
and small rely on computers to manage payroll, track inventory and sales and
perform research and development. The distribution of food and energy from
producer to retail consumer relies on computers and networks at every stage.
In future, everyday items such as traffic lights, elevators, appliances and even
pacemakers will become more and more connected to computer systems and
thus vulnerable to attacks by cyber terrorists. Instructions for building
incendiary devices can be placed on and downloaded from the Internet (cf.
Giddens & Duneier, 2003:201; Groebel et al., 2001:48; Arquilla, 1998:1;
Devost et al., 1996:7; Etter, 2002:14, Messmer, 2002:1; Blyth, 1999:16,
CSTB, 2002:2, CERT/CC, 2002:5).
Fraud represents what is probably the largest category of cyber crime. The
Internet has created what appears to be the perfect cyber crime - borderless
fraud. So many different types of fraud are committed over computer
networks that they have become almost impossible to police effectively
(Groebel et al., 2001:57). There is an enhanced risk of electronic funds
transfer crimes. The widespread use of cash machines, e-commerce and
electronic money on the Internet heightens the possibility that some
transactions will be intercepted (Giddens & Duneier, 2003:201; Graycar &
Smith, 2002:3). Using computers, thieves can steal credit card details and
siphon funds from banks. Cyberspace can be just as easily used to commit
theft-by-threat or extortion. One of the most common types of cyber fraud is
on-line auction fraud where the vendor may describe products or services in a
false or misleading manner, or may take orders and money but fail to deliver
goods or deliver counterfeit goods (Golubev 2003:2). A growth in
telemarketing fraud has been noted as well as fraudulent charity schemes and
investment opportunities that are difficult to regulate (Giddens & Duneier,
2003:201).
For the purpose of this paper, the term e-fraud will be used to denote cyber
crimes relating to on-line credit card fraud and e-commerce.
2 E-FRAUD GLOBALLY
• In 2002 FBI Internet fraud centre complaints rose by 300% (Golub
2003:11).
• A recent investigation by MSNBC reveals that while overseas-based
criminals account for up to one third of all on-line fraud directed at United
States e-businesses, there is no evidence of a single prosecution against
these foreign perpetrators (Brunker, 2001:1). The US Treasury
maintains an Official US Government System web page called the
Financial Crimes Enforcement Network or FinCEN. Its mission is to
support law enforcement investigative efforts and foster inter-agency and
global cooperation against domestic and international financial crimes.
FinCEN has issued warnings on transactions involving the following
countries:
o The Arab Republic of Egypt
o The Bahamas
o The Cayman Islands
o The Cook Islands
o Dominica
o Israel
o Lebanon
o Liechtenstein
o The Marshall Islands
o Nauru
o Nigeria
o Niue
o Panama
o The Philippines
o The Russian Federation
o St. Kitts & Nevis
o St. Vincent & The Grenadines
(FinCEN, 2003:1).
• Forty per cent of companies have been hit by the same fraudster more
than once, with 18% saying that they had been hit three times by the
same fraudster before the fraud was detected (PCB, 2001a:5).
• More than 50 per cent of all fraud committed in the first half of 2000 was
"cyber crime". Internet fraud rose 46% towards the end of 2000.
Seventy per cent of large companies in the UK were hit by fraud and
each of the companies surveyed lost an average of £4 million every year
as a result of fraudulent activity. Not only is about 60% of fraud
committed from within but it was found that as much as 58% of this fraud
was uncovered ‘by accident’! Recovery rates remain low (with as few as
20% of organisations able to recover half or more), and the scope for the
commission of such fraud remains as high as ever with only 18% of
victims ‘very confident’ about their future safety. Twice as many believe
that the threat will be even greater in the next five years. Indeed, just
under half the 3500 respondent organisations felt cyber crime was ‘the’
risk of the future (PCB, 2001b:1).
• In the US, a survey done in March 2001 revealed that:
o 85% of respondents (primarily large corporations and government
agencies) detected security breaches
o 74% reported serious breaches
o 71% reported unauthorised access by insiders; 25% detected
system penetration from the outside
o 186 respondents reported losses of US$377m (compared to
US$265m from 249 respondents in 2000)
o most serious: Netspionage theft $151m reported by 6% of
respondents (compared to US$66m in 2000)
o financial fraud was US$55m (compared to US$39.7m in 1999)
o loss due to sabotage: US$27m (compared to US$10m combined
previous 3 years)
o 70% of respondents cited Internet connections as a frequent point
of attack (compared to 59% in 2000)
o 91% of respondents (as opposed to 79% in 2000) detected
employee abuse of Internet access privileges (PCB, 2001b:1).
rate of fraud on the Internet as opposed to other routes to market and the vast
majority (70%) thought that the Internet was inherently more risky (Experian,
2000:5).
From figure 2 below it is clear that the growth in e-commerce (turnover) has
surpassed the growth in losses relating to e-fraud in recent years.
It is difficult to get an indication of the extent of e-fraud in South Africa and the
effect that it has on South African e-merchants. One global survey that had
significant South African input is the 2001 e.fr@ud survey, the major findings
of which were that:
• only 9% of respondents admitted that a security breach had occurred in
their organisation within the previous 12 months
• while most believed that the security of credit card numbers and personal
information were by far their customers’ most important concerns, fewer
than 35% performed security audits on their e-commerce systems, and
only 12% had websites bearing the seal identifying that their e-
commerce systems had passed a security audit
• 79% stated that the highest probability of a breach occurring to their e-
commerce systems would be perpetrated through the Internet or other
external access (KPMG, 2001:35).
As indicated in figure 3 below, South African respondents (together with
French respondents) perceived the greatest likelihood of e-fraud happening in
their organisations:
Figure 3: e-Fraud - Perceived Likelihood of Occurrence
(KPMG, 2001:33)
The 2001 e.fr@ud survey found that South Africa had no cyber crime specific
laws in place (KPMG, 2001:35).
choice for thieves who, in another age, might have just been “petty
shoplifters or locker room pickpockets”.
• The political activist or terrorist – uses computer crime to make a
statement, launder money or expose certain information, and can make
use of a young technology expert to do the work (cf. UN 1994:7; Groebel
et al., 2001:23-24; Centeno, 2002:15; Smith, 1999a:3; & Turnbull,
2001:10).
2.3 PROFILES OF E-MERCHANTS WHO ARE AT RISK
According to Verisign (2001:2), Scutt (2001:7) and Centeno (2002:15), the
following e-merchant profiles are at greater risk of certain types of fraud than
others:
• Smaller merchants without robust security defences. Inexperienced
or small merchants with no or limited risk management tools can fall prey
to criminals using sophisticated spidering techniques and intelligent
agents to identify vulnerable points. Criminals use this information to
break into networks and other ICT infrastructure in order to steal smaller
merchants’ account access information for hijacking or merchant
takeovers.
• High-visibility merchants. It's a double-edged sword. Merchants need
to be visible to attract customers, yet fraud attempts are higher on
merchants who advertise heavily or those who are in the news.
Criminals know that merchants who are experiencing higher than normal
transaction volumes due to a special promotion or a news story have
less time to defend themselves against fraud.
• Larger merchants with high transaction volumes. However, given
the increasing sophistication of fraud protection systems deployed by
larger e-commerce merchants, smaller merchants with little to no
protection are starting to become targets of fraud.
• Merchants who sell high unit value goods, such as electronic items
and luxury goods that can easily be resold or sold on on-line auctions.
• Merchants hosting on-line auctions, which account for the vast
majority of consumer complaints in the US.
• Soft goods merchants - Merchants that sell digital contents or software
that can be downloaded from the Internet. The purchase of these goods
does not require physical address information e.g. a shipping address,
making it easier for criminals to disguise a fraudulent transaction.
• Merchants who sell internationally. It is difficult to validate the
address or identity of foreign buyers, and it is more difficult to investigate
fraudulent activity from an overseas source.
• All merchants face an increased risk of fraud during the holiday season
and special sales promotions. Criminals know that you have limited
time for fraud protection measures when sales volumes are high. Sales
double in the 4th quarter, while Internet fraud rates triple.
2.4 BEHAVIOURAL TRAITS ASSOCIATED WITH FRAUDULENT TRANSACTIONS
According to Experian (2000:7) the typical modus operandi of UK on-line
fraudsters using card not present (CNP) fraud is:
“Real name at real address but not the cardholder’s name”: The fraudster
gives a real name and address, which would be verified by a data source
like the voters’ roll. The name and address were probably supplied to the
voters’ roll for the purpose of fraud but the card number given matched a
different name. This suggests inadequate procedures for linking the name,
address and cardholder’s name.
“Cardholder’s name at real address but not the cardholder’s address”: The
fraudster gives a name that matches the account name but the address
provided does not match the billing address. This again suggests that there
needs to be a link between billing address and delivery address.
“False name at real address”: This can only work where no reference is
made to a data source like the voters’ roll when authorising the transaction.
“Cardholder’s genuine name and address but parcel delivered to another
address”: This illustrates a dilemma faced by on-line retailers who despatch
goods to an address other than the cardholder’s billing address. In many
cases e.g. presents these transactions will be genuine, but the process
clearly lends itself to extensive abuse by fraudsters, and is an easy way to
defraud an on-line retailer.
Table 1 Typical Modus Operandi of UK On-line Fraudsters
Centeno (2002:15), Scutt (2001:6) and Visa (2002b:1) identify the following
behavioural traits associated with fraudulent transactions:
• A first-time shopper performing more transactions than usual, using large
order amounts, particularly when purchasing low-cost items
• Ordering several of the same item
• Attempting to make it hard to be traced by rushing orders (willing to pay
a lot for expedited delivery), making overnight orders and shipping to
Post Office boxes
• Using an anonymous or free e-mail address or free web-based e-mail
address
• Requesting the use of a ‘bill to’ address that is different from the ‘ship to’
address or international delivery address
• Using one single delivery address and multiple cards
• Using a single card to multiple delivery addresses
• Using multiple cards from a single IP address
• Acting as bogus merchants.
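As an added illustration that is not part of the paper or of any of its cited sources, the rule set below turns the rows of Table 1 (name, address and cardholder linkage) and the behavioural traits listed above into a screening check that a small e-merchant could run over each card-not-present order before despatch. The point weights, the review and reject thresholds, the field names (including the assumption that the acquirer returns the cardholder's name and billing address) and the sample orders are all constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Assumed thresholds and sample data; none of these values come from the paper.
LARGE_ORDER_AMOUNT = 500.0   # what counts as a "large order amount"
LOW_COST_ITEM_PRICE = 50.0   # what counts as a "low-cost item"
FREE_MAIL_DOMAINS = {"hotmail.com", "yahoo.com", "mail.com"}  # constructed sample set


@dataclass(frozen=True)
class Order:
    order_id: str
    buyer_name: str        # name the buyer typed into the order form
    cardholder_name: str   # name on the card account (assumed returned by the acquirer)
    buyer_address: str     # address the buyer typed
    billing_address: str   # cardholder's billing address (assumed returned by the acquirer)
    delivery_address: str
    email: str
    card_ref: str          # opaque reference for the card, never the card number itself
    ip_address: str
    amount: float
    unit_price: float
    quantity: int
    expedited: bool
    first_time_shopper: bool


def norm(text: str) -> str:
    """Case- and punctuation-insensitive comparison key for names and addresses."""
    return " ".join(text.lower().replace(",", " ").split())


def screen_order(order: Order, history: List[Order]) -> List[Tuple[str, int]]:
    """Return (reason, points) for every rule this order trips.

    The first block mirrors the rows of Table 1; the rest mirror the behavioural
    traits listed by Centeno, Scutt and Visa. History is used for the velocity rules.
    """
    flags: List[Tuple[str, int]] = []
    name_ok = norm(order.buyer_name) == norm(order.cardholder_name)
    addr_ok = norm(order.buyer_address) == norm(order.billing_address)
    if not name_ok and addr_ok:
        flags.append(("real name at real address but not the cardholder's name", 3))
    elif name_ok and not addr_ok:
        flags.append(("cardholder's name but not the cardholder's address", 3))
    elif not name_ok and not addr_ok:
        flags.append(("neither name nor address matches the card account", 4))
    if norm(order.delivery_address) != norm(order.billing_address):
        flags.append(("parcel delivered to an address other than the billing address", 2))
    if (order.first_time_shopper and order.amount >= LARGE_ORDER_AMOUNT
            and order.unit_price <= LOW_COST_ITEM_PRICE):
        flags.append(("first-time shopper placing a large order of low-cost items", 2))
    if order.quantity >= 3:
        flags.append(("several of the same item", 1))
    if order.expedited:
        flags.append(("rushed order with expedited delivery", 1))
    if "po box" in norm(order.delivery_address):
        flags.append(("shipping to a Post Office box", 2))
    if order.email.rsplit("@", 1)[-1].lower() in FREE_MAIL_DOMAINS:
        flags.append(("free web-based e-mail address", 1))
    # Velocity rules: cards, delivery addresses and IPs seen together across orders.
    seen = history + [order]
    delivery = norm(order.delivery_address)
    if len({o.card_ref for o in seen if norm(o.delivery_address) == delivery}) > 1:
        flags.append(("multiple cards used with a single delivery address", 3))
    if len({norm(o.delivery_address) for o in seen if o.card_ref == order.card_ref}) > 1:
        flags.append(("single card used with multiple delivery addresses", 3))
    if len({o.card_ref for o in seen if o.ip_address == order.ip_address}) > 1:
        flags.append(("multiple cards from a single IP address", 3))
    return flags


def decide(flags: List[Tuple[str, int]], review_at: int = 4, reject_at: int = 8) -> Tuple[int, str]:
    """Sum the points; the thresholds are assumptions a merchant would tune to its own charge-back data."""
    score = sum(points for _, points in flags)
    if score >= reject_at:
        return score, "reject"
    if score >= review_at:
        return score, "manual review"
    return score, "accept"


# Constructed sample orders (fictitious names, addresses, card references and IPs).
HISTORY = [
    Order("H1", "Jane Smith", "Jane Smith", "12 Oak Rd, Durban", "12 Oak Rd, Durban",
          "12 Oak Rd, Durban", "jane@example.org", "card-A", "192.0.2.10", 120.0, 120.0, 1, False, False),
    Order("H2", "Peter Jones", "Peter Jones", "5 Elm St, Cape Town", "5 Elm St, Cape Town",
          "PO Box 77, Cape Town", "pj@example.org", "card-B", "192.0.2.20", 80.0, 40.0, 2, False, False),
]
# Repeat customer whose details all agree with the card account.
GENUINE = Order("O1", "Jane Smith", "Jane Smith", "12 Oak Rd, Durban", "12 Oak Rd, Durban",
                "12 Oak Rd, Durban", "jane@example.org", "card-A", "192.0.2.10", 60.0, 60.0, 1, False, False)
# Table 1, first row: real name and address, but the card belongs to someone else; plus a rushed
# bulk order of cheap goods to a PO box already used with a different card from the same IP.
SUSPECT = Order("O2", "Peter Jones", "Mary Brown", "5 Elm St, Cape Town", "5 Elm St, Cape Town",
                "PO Box 77, Cape Town", "pj2003@hotmail.com", "card-C", "192.0.2.20", 600.0, 20.0, 30, True, True)

if __name__ == "__main__":
    for o in (GENUINE, SUSPECT):
        f = screen_order(o, HISTORY)
        print(o.order_id, decide(f), [reason for reason, _ in f])
```

The point of scoring rather than rejecting on any single trait is the 5%-rejected-versus-2%-fraudulent gap discussed later in the paper: a gift sent to another address trips one rule and lands in "accept" or "manual review", whereas the constructed suspect order trips nine and is rejected outright.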
3 E-FRAUD AND ITS EFFECTS ON THE SMALL E-MERCHANT
5-10% 02%
10%+ 03%
Refused to say 23%
Table 2: Charge Backs as a Percentage of Total UK On-line
Transactions
(Experian, 2000:7)
The UK Association for Payment Clearing Services (APACS) reported in their
2000 annual review that the major growth areas for card crimes were in
counterfeit and card not present (CNP) fraud, which were largely responsible
for the steep increases in 2000 losses suffered by the UK merchants and
financial services industry (Apacs, 2001:23; Experian, 2000:7). Figure 4
below indicates that CNP and counterfeit card fraud made up a total of 55% of
all fraud suffered in the UK. The effect of e-fraud on this trend is clearly
visible in the exponential growth of these fraud categories in the preceding
decade:
For the year 2002 Apacs (2003a:18) reported that card not present (CNP)
fraud, i.e. fraud committed via mail order, telephone and the Internet, continued
to grow (a 6% increase in 2 years if Figure 4 above is compared with Figure 5
below). Apacs (2003a:18) initiated a CNP Fraud Strategy Project that
involves the development of sector-based forums of high-risk merchants
alongside key banking members. The main objectives include developing
best practice material and considering effective, legal forms of data sharing.
Figure 5: 2002 Fraud Losses by Category (pie chart; slices shown: Counterfeit
Card 35%, CNP 26%, Lost / Stolen 26%, Mail Non-receipt 9%, with Application
Fraud, Fraudulent Possession of Card Details and Other as the small remaining
slices of 2%)
Experian (2000:5) found that 77% of on-line retailers in the UK took orders
over the phone as well as the Internet; 13% took orders over the Internet only
and 10% took orders only over the phone, directing on-line shoppers to a toll
free number. On a general note, the overwhelming majority (96%) said that
they conducted business on-line with card not present (CNP) transactions,
and 95% said that their goods were of interest to thieves.
• Golub (2003:11) estimated the loss to e-merchants in terms of higher
fees, charge backs, bank charges and loss of inventory, etc. as a result
of the above three points to have been on average 7% of an e-
merchant’s turnover in 2002. Verisign (2001:1) details the losses of an
e-merchant who processes a fraudulent on-line transaction as:
o Higher discount rate on merchant account. Because of the
higher prevalence of e-fraud, discount rates for on-line transactions
are typically 30 to 60 per cent higher than off-line or "brick and
mortar" rates.
o The merchant carries the financial loss of a fraudulent on-line
transaction. According to CyberSource (2002:7), 31% of UK
merchants did not know they were liable for losses incurred as a
result of CNP fraud. Many were of the misconception that the
Credit Card Company, bank or shopper would pick up the cost.
o Inventory loss and shipping costs for physical goods that are
fraudulently purchased and delivered are also carried by the
merchant.
o Charge back penalties assessed by the acquiring bank of
US$15-US$30 per fraudulent transaction. In the UK, 20 per cent of
UK business-to-consumer retailers are paying charge back fees in
excess of one per cent of sales (Experian, 2000:8).
o Increased discount rates assessed to the merchant as a result of
processing fraudulent payments.
o Labour cost for the merchant to investigate and resolve the charge
back.
o Higher administration costs on orders due to staff spending
more time to screen orders. This may include calling the customer
and confirming the order (CyberSource, 2002:8).
o Fines and cancellation of merchant’s account. Five- to six-figure card
association fines or the cancellation of a merchant's account when card
fraud rates are consistently high (cf. also Weber, 2001:8).
• Rejection of non-fraudulent transactions due to fear of fraud. In
addition, according to Gartner Group estimates, merchants reject an
estimated 5% of all transactions out of suspicion of fraud, while only 2%
of transactions are actually fraudulent. The result is a significant amount
of lost sales (up to 3% of sales volume) in an attempt to reduce fraud risk
(Verisign, 2001:1). Grant (2002:1) reports that 7% of on-line sales are
rejected for potential fraud but just 1.13% are actually fraudulent.
• Non-completion of transactions due to lack of consumer trust. On
an industry-wide level, it is also alarming that 23% of potential on-line
shoppers do not complete a transaction because of fear and not wanting
to enter their personal details on-line (Golubev, 2003:3).
• Scutt (2001:5) summarises the cost of e-fraud as follows:
Cost of managing fraudulent orders:
o Manually resolving bad transactions (estimated at up to £40/order)
Bank and Card Processor fees:
o Higher discount rates
o Charge back fees
o Fines
o Termination of service for excessive charge backs
Cost of goods sold:
o Merchants are 100% liable for mail order telephone order (MOTO) transactions
Table 3: The Costs of e-Fraud
From the above it is clear that some e-merchants stand to lose up to 10% of
their turnover (and a much higher percentage of their profit, if any) to fraud-
related costs (up to 7%) and the cost of rejecting sales in order to prevent e-
fraud (up to 3%). This figure could be reduced by up to one third (4% of
turnover) if a way could be found to improve the basis for rejecting potentially
fraudulent transactions.
Another issue relates to the time delay in identifying that a fraud has been
committed. In this respect, the majority of fraud becomes apparent after six
weeks. Thirty-three (33) per cent of companies said that it took over two
months (eight weeks+) before they were notified that they had been victims of
a fraud; and 18% said that it took between four and seven weeks. During this
time, their site was vulnerable to repeat attacks. Interestingly, although the
majority said that fraudsters tended to hit once on average, a sizeable number
said that they had been hit twice, and 18% said that they were hit on average
three times by the same fraudster before the fraud was detected. In fairness,
the time delay is often due to the fact that the genuine cardholder has yet to
open his/her monthly statement and report “unknown transactions” to the
issuer. (Experian, 2000:8).
The responses to the question about what problems companies faced when
trying to establish whether a customer was genuine, can be summarised as
follows:
Experian (2000:9) found a clear reluctance among UK Internet merchants to
trade with non-UK customers. Sixty (60) per cent of UK Internet merchants
said that only 10% of their Internet business was conducted with overseas
customers; 12% said it was between 11% and 20% (see table below):
Share of Internet business with overseas customers    Merchants
0-10%                                                 60%
11-20%                                                12%
21-30%                                                 8%
31-40%                                                 2%
41-50%                                                 5%
51-60%                                                 2%
61-70%                                                 2%
71-80%                                                 2%
Don’t know                                             3%
None                                                   5%
Table 5: Trading with Overseas Customers
Looking at fraud levels, there was a clear indication that overseas business
was more prone to fraud. Twenty-six (26) per cent of the sample said that up
to 10% of non-UK card transactions were fraudulent; 13% thought it was
between 11 and 20%; and 22% didn’t know the answer (Experian, 2000:9).
Less than half (43%) of those surveyed reported any fraud to the police and
more than half (57%) of those who did encountered a ‘lack of interest’ from
the police. More worrying is that a prosecution was set in motion in only 9%
of the cases reported to the police. In 12% of cases the businesses tried to
recover the defrauded money themselves, most of them opting for a debt
recovery agent (Experian, 2000:13).
Due to the impact of e-fraud on consumer trust and the complexity of legal
prosecution, more and more emphasis will be placed on fraud prevention as
the first step in reducing fraud. Apart from the criminological and legal
aspects of e-fraud prevention (e.g. laws with stricter penalties, police having
specialised units to track down cyber criminals), two main categories of e-
fraud prevention can be recognised:
a. The technological and process-related or hard measures of e-fraud
prevention
b. The human or soft measures of e-fraud prevention (cf. Centeno,
2002:21; Smith, 1999a:7; Smith, 2000:18; Smith, 2002:5).
integrity, consumer and merchant authentication for each individual
transaction. Payment schemes are promoting security standards and best
practice to increase information security at banks, merchants and service
providers. The protection of consumers’ PCs is also increasingly stressed.
Often overlooked, the consumers’ PC vulnerability is considered one of the
major security threats by some security experts (Centeno, 2002:21).
The following appear as key building blocks to reduce e-fraud at service
providers:
• Awareness of security risks at all organisational levels
• Education of employees and end-users
• Good internal security managerial, organisational and operational
policies and procedures
• Screening and monitoring of employees (Centeno, 2002:23; Smith,
1999b:3).
The table below presents common general security mistakes that people
commit in relation to computer security:
• Not putting the correct policies and procedures to manage fraud in place
• Failing to do pre-employment integrity screening on relevant employees and
failing to institute red flag integrity screening of relevant employees during
employment
• Failing to keep all personal information in locked files and establish secure
procedures for data services and failing to encrypt all personal and
confidential information on computers
• Failing to secure methods for disposing of personal information
• Failing to appoint a 3rd party to carry out privacy audits/investigations that
gauge how vulnerable records are to theft
• Failing to verify the professional qualifications and integrity of 3rd party
service providers or potential partners
• Failing to limit the use of personal identifiers (Centeno, 2002:23; KPMG,
2000:8; Experian, 2002:7; Smith, 1999b:5; CSTB, 2002:6; Urban, 2003:21)
Table 6: Common Security Mistakes
• Be careful with programs where merchants or entities want to remember
your purchase data and allow you to use it again (e.g. cookies) OR
server-based payment wallets
• Do not store any financial data on your personal computer
• Before you dispose of an old computer, delete all personal information
• Avoid using easily available information as a password (cf. Centeno,
2002:24; Experian, 2002:7; Urban, 2003:18).
Merchant awareness and education is thus important and, to support it, some
US organisations have been identified to provide merchant information of
fraud types, statistics and best practices (cf. Antifraud.com, Scambusters.org).
• Create positive files to maintain customer loyalty
• Inform your customers of the company name that will appear on their
statements so the customers are not surprised.
(Scutt, 2001:26, 27).
Potential risks can be dealt with in two different but complementary ways:
• One approach is to apply risk control techniques to mitigate the negative
impact that these risks might impose on the business goals by reducing
the potential frequency and/or severity of events that might result in
unacceptable loss. This approach includes setting up a business early
warning system.
• The second approach, i.e. loss funding, ensures that these losses are
adequately funded when they do occur and that cash flows and balance
sheets are sufficiently protected (Caragata, 1997:55).
fraud on their own. They can only stop repeat offenders from attacking
merchants’ websites and call centres and are incapable of detecting first-
time fraudsters. And they are frequently out of date – fraudsters’ details
only become available when the merchant receives a charge back, which
can take up to 90 days to arrive (CyberSource, 2002:8).
• The hot list service of a professional credit bureau can generally be
accessed at a cost. These lists are more accurate and may also provide
protection against fraudsters attempting to defraud a merchant for the
first time.
3.2.3.4 Address Verification System (AVS)
Originally designed for mail order and telephone environments, AVS allows
for the verification of the billing address details provided by the purchaser with
the actual billing address details held on file by the cardholder’s issuing bank.
• This real-time check is carried out as part of the authorisation process
and a response, based on the validity of the address provided, is
returned to the merchant. Although not foolproof – as many as 75 per
cent of orders receiving a ‘no match’ reading with AVS are valid – this
check will allow merchants to better control fraud exposure through the
knowledge that the billing address given by the consumer can be verified
as genuine for that card (CyberSource, 2002:8).
3.2.3.7 Rules / Exceptions
Rules are typically “If … then” expressions that flag certain types of
transactions for review prior to processing.
• Examples:
o If the Amount is over 500 and the Shipping Type is
“express” to a shipping address that does not match the
billing address, then review the order before shipping.
o If more than 2 DVD Players were ordered, if the Shipping
Country is Romania, and the Shipping Type is “express”,
then review the order before shipping.
The benefit of Rules is that they allow the merchant to apply expert
knowledge relevant to the business. Rules are customisable and can be
modified as market conditions and fraud trends change. Rules make it easy
to determine why a transaction is flagged. The main drawback of rules is that
they require constant updating and monitoring to ensure that they are
effective. Rules are only as good as the people who build them and they are,
therefore, not effective at catching subtle patterns that may not be obvious to
the merchant (Scutt, 2001:20).
results. Since multiple factors contribute to the risk score, it is sometimes
difficult to interpret the score (Scutt, 2001:22).
3.2.3.9 Hybrid Solution (Arsenal Approach)
A hybrid solution combines the attributes of the above strategies, for example:
• Rules to enforce business rules or weed out bluntly fraudulent
transactions
• Real-time Authorisation to validate credit card number
• Statistical Model to evaluate the overall risk
• Rules to determine whether to Accept, Reject or Review the order
(Scutt, 2001:24).
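The “If … then” rules of section 3.2.3.7 and the hybrid pipeline listed above, worked through as an added example (this is not code from the paper or from Scutt). The two blunt rules are the ones quoted in the text; the Luhn-style check stands in for the real-time authorisation stage and is labelled as the weakest link, since it only proves a number is arithmetically possible; the risk weights, thresholds, card numbers and sample orders are constructed for illustration.

```python
"""Hybrid ("arsenal") screening of a card-not-present order.
Added example: blunt rules, a basic card-number algorithm check standing in
for real-time authorisation, an additive risk score, and final rules that map
the result to ACCEPT / REVIEW / REJECT.  Weights, thresholds and sample
orders are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Order:
    amount: float               # order value
    shipping_type: str          # "standard" or "express"
    shipping_country: str
    ship_addr: str
    bill_addr: str
    items: Dict[str, int]       # product -> quantity
    card_number: str


def luhn_ok(number: str) -> bool:
    """Basic algorithm check: is the number arithmetically possible?
    A pass proves only well-formedness, not that the card exists or belongs
    to the buyer, which is why this is the weakest stage of the pipeline."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def blunt_rules(o: Order) -> List[str]:
    """The two 'If ... then' rules quoted in the text.  Each rule that fires
    contributes a plain-language reason, so a reviewer can see why."""
    reasons = []
    if (o.amount > 500 and o.shipping_type == "express"
            and o.ship_addr != o.bill_addr):
        reasons.append("over 500, express, shipping address differs from billing")
    if (o.items.get("DVD Player", 0) > 2 and o.shipping_country == "Romania"
            and o.shipping_type == "express"):
        reasons.append("more than 2 DVD Players shipped express to Romania")
    return reasons


# Constructed weights for the "statistical model" stage.  A real model would
# be fitted from the merchant's own charge-back history.
RISK_WEIGHTS = {
    "express": 10,
    "address_mismatch": 25,
    "over_500": 20,
    "multiple_units": 15,
}


def risk_score(o: Order) -> int:
    """Additive risk score over a few order features."""
    features = {
        "express": o.shipping_type == "express",
        "address_mismatch": o.ship_addr != o.bill_addr,
        "over_500": o.amount > 500,
        "multiple_units": any(q > 1 for q in o.items.values()),
    }
    return sum(RISK_WEIGHTS[f] for f, on in features.items() if on)


REJECT_AT, REVIEW_AT = 70, 40   # constructed thresholds


def decide(o: Order) -> Tuple[str, List[str]]:
    """Run the stages in order and return (decision, reasons)."""
    if not luhn_ok(o.card_number):
        return "REJECT", ["card number fails the basic algorithm check"]
    rule_hits = blunt_rules(o)
    score = risk_score(o)
    reasons = rule_hits + [f"risk score {score}"]
    if score >= REJECT_AT:
        return "REJECT", reasons
    if rule_hits or score >= REVIEW_AT:   # any blunt rule, or a middling score
        return "REVIEW", reasons
    return "ACCEPT", reasons


if __name__ == "__main__":
    sample = Order(750, "express", "Germany", "1 Oak St", "9 Elm St",
                   {"Headphones": 1}, "4111111111111111")
    print(decide(sample))
```

Because every stage appends a reason string, the output keeps the explainability the text credits to rules while still letting the score catch combinations no single rule names.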
E-business was hailed as the great equaliser a few years ago as it enabled
small merchants to compete on an equal footing with large multi-nationals
selling to a potential international client base. With regard to e-fraud and the
prevention of e-fraud the statistics and numbers above have shown that it is
becoming very difficult for smaller e-merchants to survive and remain
profitable if they cannot afford to subscribe to available fraud prevention
services that would allow more accurate screening of transactions.
4 THE FUNDAMENTALS OF PREDICTIVE FORENSIC PROFILING
4.1 THE PARETO PRINCIPLE
It is nearly a century since Vilfredo Pareto (1848 - 1923) defined what became
known as the Pareto principle (cf. Pareto 1906). Commonly known as the
80/20 rule, the Pareto principle describes the distribution of wealth in that, in
any population that contributes to a common effect, relatively few of the
contributors account for the bulk of the effect.
JM Juran was the first person to generalise the Pareto principle and apply it to
all areas of business as a means of focusing on the real problems or issues.
Juran, the father of quality control, coined the phrase 'the vital few and the
trivial many' that is regularly used to describe the Pareto principle. The Pareto
principle is generally used in conjunction with the Lorenz curve (and the Gini
Index) as a graphical representation of the actual deviation from an equal
distribution situation (cf. Lorenz, 1905.)
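The Lorenz curve, Gini index and 80/20 split described above, computed over per-fraudster losses as an added example (not code from the paper). The ten loss figures are constructed so that the top 20% of fraudsters account for exactly 80% of the loss; the `loss_reduction` function carries the paper's scenario 2 arithmetic (stopping three quarters of the worst 20%) over that data.

```python
"""Pareto / Lorenz / Gini analysis of per-fraudster losses.  Added example:
the loss figures are constructed so that the top 20% of fraudsters account
for exactly 80% of the loss, mirroring the 80/20 rule."""
from typing import List, Tuple

# Constructed: loss attributed to each of ten fraudulent customers.
SAMPLE_LOSSES = [4500, 3500, 500, 400, 300, 250, 200, 150, 120, 80]


def lorenz_points(values: List[float]) -> List[Tuple[float, float]]:
    """Points of the Lorenz curve: (cumulative share of contributors, sorted
    ascending by contribution, cumulative share of the total they produce)."""
    xs = sorted(values)
    total = float(sum(xs))
    n = len(xs)
    pts = [(0.0, 0.0)]
    cum = 0.0
    for i, v in enumerate(xs, start=1):
        cum += v
        pts.append((i / n, cum / total))
    return pts


def gini(values: List[float]) -> float:
    """Gini index = 1 - 2 * (area under the Lorenz curve), trapezoid rule.
    0 means every contributor is equal; values near 1 mean a vital few."""
    pts = lorenz_points(values)
    area = 0.0
    for (x0, y0), (x1, y1) in zip(pts, pts[1:]):
        area += (x1 - x0) * (y0 + y1) / 2.0
    return 1.0 - 2.0 * area


def top_share(values: List[float], fraction: float = 0.2) -> float:
    """Share of the total accounted for by the top `fraction` of contributors."""
    xs = sorted(values, reverse=True)
    k = max(1, round(len(xs) * fraction))
    return sum(xs[:k]) / float(sum(xs))


def loss_reduction(values: List[float], top_fraction: float = 0.2,
                   caught: float = 0.75) -> float:
    """Scenario 2 of the text: if `caught` of the top `top_fraction` of
    fraudsters are stopped, what fraction of the total loss disappears?"""
    return top_share(values, top_fraction) * caught


if __name__ == "__main__":
    print(f"top 20% share: {top_share(SAMPLE_LOSSES):.0%}")
    print(f"Gini index:    {gini(SAMPLE_LOSSES):.3f}")
    print(f"loss avoided:  {loss_reduction(SAMPLE_LOSSES):.0%}")
```

Run over a merchant's own charge-back ledger (one loss total per card or customer), `top_share` tells you whether the 80/20 assumption actually holds for your book before you build a strategy on it.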
The Pareto principle can be applied to three scenarios as far as the smaller e-
merchant is concerned:
• 1. Reduce the number of good transactions rejected as a
precaution. In an attempt to minimise fraud, e-merchants are refusing
suspicious transactions worth between 5% and 7% of total turnover.
Research indicates that, of those rejected, the fraudulent transactions
amount to between 2% and 3% of total turnover. This leaves
transactions to the value of 3% to 4% of total turnover that are actually
good customers that were rejected as a precaution.
o If 20% of the good customers that were rejected are responsible
for 80% of the lost turnover, identifying only 0.4% to 0.6% of the
rejected customers could add 2.5% to 4% of total turnover to the
bottom line.
• 2. Reduce the impact of the most damaging fraudsters. If 80% of
fraud related losses can be ascribed to 20% of fraudulent customers,
fraud rates could be dramatically reduced if we could reduce the
amount of transactions from customers that fall into the 20% of
fraudulent transactions category.
o If we could find a way to reject orders from three quarters of the
20% most damaging customers, fraud related losses could be
reduced by 60%. If the fraud related losses of the average e-
merchant are 7% of total turnover that would lead to an increase
of 4.2% in total turnover.
• 3. Increase the impact of the best customers. If 20% of good
customers are responsible for 80% of total turnover, the early
identification of such customers will help us to serve them faster and
better, which will lead to greater customer satisfaction and sales
revenue from this vital 20% of the customer base.
If we do not take into account the benefit of serving the 20% of customers that
account for 80% of turnover better, and only focus on reducing the amount of
good orders that are rejected as well as reducing the impact of the worst 20%
of fraudsters, the impact on an average e-merchant’s business could be the
following:
                                   Current        Improved
Expenditure                       321,000.00     321,000.00
  Staff                            60,000.00      60,000.00
  Stock                           150,000.00     150,000.00
  Shipping                         40,000.00      40,000.00
  IT, Hosting, etc.                60,000.00      60,000.00
  Merchant Fees & Bank Charges     11,000.00      11,000.00
Profit (-Loss)                    -21,000.00       1,350.00
Table 8: Practical Example based on a Small e-Merchant Scenario
4.2 A DEFINITION OF PREDICTIVE FORENSIC PROFILING
In order to achieve the improvements as per the two scenarios in Table 8
above, and assuming that the small e-merchant cannot afford any
sophisticated fraud prevention services or software, the following actions
could be taken:
Combining the two forms of profiling in the four activities above should be able
to give the small e-merchant some protection against e-fraud. It is vital to
note, however, that the fraudsters’ modus operandi changes and that any
profile created should be kept up to date to remain accurate.
In the next section, some practical steps a small e-merchant could take are
discussed.
5 THE PRACTICAL APPLICATIONS OF PREDICTIVE FORENSIC PROFILING
Note that verification differs in terms of its extent, and the e-merchant should
be careful to understand the exact features and extent of the verification
service offered by the credit card company. Verification can range from the
most basic algorithm check (i.e. only checking whether the card number is
theoretically possible so that fraudulently generated card numbers would be
verified) to sophisticated verification services that will verify that a number
exists and that the details supplied (e.g. expiry date, billing address) are
correct. In most cases verifications do not protect the merchant in the event
of a charge back.
Question                                                                  Answer
If Yes, has this customer ordered within the past week?                   Yes
If Yes, has this customer ordered within the past month?                  Yes
If Yes, are the delivery and address details the same?                    Yes
If Yes, is the card number the same as a previous order, but with a
different delivery address?                                               Yes
Are the billing and delivery addresses the same?                          No
If No, did you confirm the billing address via telephone?                 No
Is the client requesting overnight or expedited delivery?                 No
Is the client ordering more than one of the same product or item?         Yes
What is the value of the order?                                           R2000-R2500
How many items are on the order?                                          < 10
Is the delivery address a PO Box or non-residential address?              Yes
Are the contact numbers only mobile numbers?                              No
(The client did not give a landline work/daytime number)
Is the contact e-mail address a free or web-based e-mail address
(like yahoo.com or absamail.com)?                                         Yes
Table 9: Examples of Rules
Based on simple scoring of these rules and, perhaps, a comparison of this
profile with any other forensic profiles, the following outputs could be given
(depending on the data that may be taken into account):
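As an added example of the simple scoring just described (not the paper's own code), the Table 9 questions are answered from the order and from the merchant's own order history, each “Yes” carries a constructed weight, and the total is mapped to an output. The history rows, weights, thresholds, sample orders, card number and e-mail domains beyond the two named in Table 9 are all constructed for illustration; the first sample order is built to give the same answers as the table.

```python
"""Profile questions in the style of Table 9, answered from the order itself
and from the merchant's own order history, then turned into a simple score.
Added example: the history rows, weights, thresholds and sample orders are
constructed for illustration."""
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Constructed history rows: (customer id, order date, card number, delivery address)
HISTORY: List[Tuple[str, date, str, str]] = [
    ("c-17", date(2003, 8, 1), "4111111111111111", "12 Main Rd, Rivonia"),
    ("c-17", date(2003, 8, 9), "4111111111111111", "12 Main Rd, Rivonia"),
]
# The two domains named in Table 9; a merchant would maintain a fuller list.
FREE_MAIL_DOMAINS = {"yahoo.com", "absamail.com"}

# Constructed weights: positive answers raise risk, negative ones reassure.
WEIGHTS = {
    "same_details_as_before": -10,
    "ordered_past_week": 5,          # velocity: repeat order within days
    "same_card_new_address": 25,
    "billing_ne_delivery": 15,
    "billing_confirmed_by_phone": -15,
    "expedited": 10,
    "multiple_same_item": 10,
    "value_2000_or_more": 10,
    "ten_or_more_items": 5,
    "po_box_or_non_residential": 15,
    "mobile_only": 10,
    "free_email": 5,
}
REJECT_AT, REVIEW_AT = 70, 30        # constructed thresholds
TODAY = date(2003, 8, 12)            # fixed "today" so the example is reproducible


def profile(order: Dict, history=HISTORY, today: date = TODAY) -> Dict[str, bool]:
    """Answer each Table 9 question with True (Yes) or False (No)."""
    prior = [h for h in history if h[0] == order["customer_id"]]
    deliv, bill = order["delivery_addr"], order["billing_addr"]
    domain = order["email"].rsplit("@", 1)[-1].lower()
    return {
        "ordered_before": bool(prior),
        "ordered_past_week": any(today - h[1] <= timedelta(days=7) for h in prior),
        "ordered_past_month": any(today - h[1] <= timedelta(days=30) for h in prior),
        "same_details_as_before": any(h[3] == deliv for h in prior),
        "same_card_new_address": any(h[2] == order["card"] and h[3] != deliv for h in prior),
        "billing_ne_delivery": bill != deliv,
        "billing_confirmed_by_phone": order["billing_confirmed_by_phone"],
        "expedited": order["expedited"],
        "multiple_same_item": any(q > 1 for q in order["items"].values()),
        "value_2000_or_more": order["value"] >= 2000,
        "ten_or_more_items": sum(order["items"].values()) >= 10,
        "po_box_or_non_residential": order["po_box_delivery"],
        "mobile_only": order["landline"] is None,
        "free_email": domain in FREE_MAIL_DOMAINS,
    }


def score(answers: Dict[str, bool]) -> int:
    """Sum the weights of every 'Yes'; answers without a weight are informational."""
    return sum(WEIGHTS.get(q, 0) for q, yes in answers.items() if yes)


def assess(order: Dict, history=HISTORY, today: date = TODAY) -> Tuple[str, int, List[str]]:
    """Return (decision, score, list of the risk-raising 'Yes' answers)."""
    answers = profile(order, history, today)
    total = score(answers)
    if total >= REJECT_AT:
        decision = "REJECT"
    elif total >= REVIEW_AT:
        decision = "REVIEW"
    else:
        decision = "ACCEPT"
    flagged = [q for q, yes in answers.items() if yes and WEIGHTS.get(q, 0) > 0]
    return decision, total, flagged


# Constructed orders: the first mirrors the answers shown in Table 9.
SUSPICIOUS_ORDER = {
    "customer_id": "c-17", "card": "4111111111111111",
    "billing_addr": "12 Main Rd, Rivonia", "delivery_addr": "PO Box 99, Rivonia",
    "billing_confirmed_by_phone": False, "expedited": False,
    "items": {"Mobile phone": 2}, "value": 2300, "po_box_delivery": True,
    "landline": None, "email": "buyer@yahoo.com",
}
GOOD_ORDER = {
    "customer_id": "c-17", "card": "4111111111111111",
    "billing_addr": "12 Main Rd, Rivonia", "delivery_addr": "12 Main Rd, Rivonia",
    "billing_confirmed_by_phone": False, "expedited": False,
    "items": {"Book": 1}, "value": 450, "po_box_delivery": False,
    "landline": "+27 11 000 0000", "email": "buyer@example.co.za",
}

if __name__ == "__main__":
    for name, order in (("suspicious", SUSPICIOUS_ORDER), ("good", GOOD_ORDER)):
        print(name, assess(order))
```

The returned list of flagged answers is what a reviewer actually needs: a customer who has ordered before with the same details scores negative and sails through, while the same card turning up with a new PO Box delivery address is the single heaviest signal.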
5.3 FREE CONSUMER DATA
Where possible, names and billing and delivery addresses can be checked
against free directories or data (like the voters’ roll), if available.
6 REFERENCES
APACS see The Association for Payment Clearing Services (APACS) (UK).
http://www.cert.org/annual_rpts/cert_rpt_01.html (Accessed 12 August
2003).
Devost, M.G.; Houghton, B.K. & Pollard, N.A. 1996. Sun Tzu Art of War in
Information Warfare - Information Terrorism: Can You Trust Your Toaster?
[On-line]. Available WWW: www.devost.net/papers/suntzu.pdf (Accessed 12
August 2003).
Experian see Experian Ltd.
Experian Ltd. 2002. Lifting the lid off identity theft and transaction fraud.
An Experian White Paper. [On-line]. Available WWW:
http://www.experian.co.uk/downloads/business/Internetfraud.pdf (Accessed
12 August 2003).
Gartner, Inc. 2001. The monthly research review – May 2001. [On-line].
Available WWW: http://www4.gartner.com/1_researchanalysis/0501mrr.pdf
(Accessed 12 August 2003).
Gartner, Inc. 2002. Fraud Will Cost On-line Retailers $500 Million During
the Holidays. Gartner FirstTake (FT-18-9661) - 3 December 2002. [On-
line]. Available WWW:
http://www.dataquest.com/press_gartner/images/111814.pdf (Accessed 12
August 2003).
Goodman, M.D. 1997. Why the police don’t care about computer crime.
Harvard Journal of Law & Technology, 10(3), Summer:466-495.
Groebel, J.; Metze-Mangold, V.; Van der Peet, J. & Ward, D. 2001.
Twilight Zones in Cyberspace: Crimes, Risk, Surveillance and User-Driven
Dynamics. Düsseldorf : Stabsabteilung der Friedrich-Ebert-Stiftung. [On-
line]. Available WWW: http://library.fes.de/pdf-files/stabsabteilung/01102.pdf
(Accessed 12 August 2003).
Hales, M.G. 1995. Focusing on the 15% of the Pie. Bank Marketing,
Volume 27, No. 4 (April 1995): 29-34.
Exploitation. [On-line]. Available WWW:
http://www.kpmg.ca/english/services/docs/fas/ecommercecybercrime.pdf
(Accessed 12 August 2003).
Mann, R.J. 1999. A payments policy for the information age. University
Of Michigan Law School, Paper #00-001. [On-line]. Available WWW:
http://papers.ssrn.com/paper.taf?abstract_id=214632 (Accessed 12 August
2003).
McCardle, H.; Boxhall, J.; Ronderos, J. & Fransisco, R. 2001. Cyber crime
and its Effects on the Asia Pacific Region. Council for Security Co-operation
Asia and Pacific: Transnational Crime Working Group, a Sub Group Report.
[On-line]. Available WWW:
http://www.police.govt.nz/resources/2001/ecrimeforum/
cybercrime_and_its_effects.doc (Accessed 12 August 2003).
PMSEIC Working Group see Prime Minister's Science, Engineering and
Innovation Council, Working Group on Science, Crime Prevention & Law
Enforcement.
Reichheld, F.F. & Sasser, W.E. 1990. Zero Defections: Quality Comes to
Services. Harvard Business Review 68(5), September-October 1990, pp.
105-111.
Settle, J.C. 2000. The Mag (nificent) Ten: How to Secure Your Networks -
ISW 2000 Position Paper. [On-line]. Available WWW:
www.cert.org/research/isw/isw2000/papers/7.pdf (Accessed 12 August
2003).
Smith, R.G. 2000. New age fraud - electronic fraud. Paper presented at
the Australian Society of Certified Practising Accountants Congress 2000.
Sydney, Australia, 24-26 October 2000. [On-line]. Available WWW:
http://www.aic.gov.au/conferences/other/smith_russell/2000-10-cpa.pdf
(Accessed 12 August 2003).
Sweet, M. 2003 Can the Internet Kill? Holding Web Investigators Liable for
their Criminal Customers. Duke Law & Technology Review: 0011. [On-
line]. Available WWW:
http://www.law.duke.edu/journals/dltr/articles/2003dltr0011.html (Accessed
12 August 2003).
Turnbull, R.G. 2001. Fraud and the New Technology – a Hong Kong
Perspective. In Proceedings of the 17th LawAsia Biennial Conference, 4-8
October 2001. Christchurch, New Zealand. [On-line]. Available WWW:
http://www.nzls.org.nz/conference/pdf%20files/TurnbullSa2.pdf (Accessed
12 August 2003).
United Nations. 1994. United Nations Manual on the prevention and
control of computer-related crime. International review of criminal policy -
Nos. 43 and 44. [On-line]. Available WWW: http://www.uncjin.org/
Documents/irpc4344.pdf (Accessed 12 August 2003).
VISA. 2002b. Take the Order – but don’t get taken in: know the signs of
possible fraud when the card is not present. [On-line]. Available WWW:
http://usa.visa.com/media/business/taketheorder.pdf?it=search (Accessed
12 August 2003).
7 BRIEF CV
ACADEMIC QUALIFICATIONS
PhD (2000) (e-Learning, Cognitive aspects of learning)
BA Hons (1996) (Divinity)
MA (1995) (Akkadian)
BA Hons (1992) (Semitic Languages)
BA (1991)
CONTACT DETAILS:
Telephone: Direct line: +27 (0)11 266 5452
Cell/Mobile: +27 (0)83 272 6359
Fax: +27 (0)11 266 5107
E-mail: hermanp@comparexafrica.co.za
Address: C/o CDE, a division of Comparex Africa
PO Box 2680
Rivonia
2128
South Africa