- Inc. Technology - http://technology.inc.com -
New Tools for Stopping E-commerce Fraud
Posted By Michelle V. Rafter On August 1, 2008 @ 12:00 am In Computer Security | 3 Comments
Javed Ikbal is in the IT security business. But it wasn’t until his credit card number was stolen in the Frankfurt, Germany, airport last summer that he realized how vigilant companies have to be about keeping online transactions safe.
Ikbal, who runs a Boston area IT security consulting firm, says whoever stole his credit card used it to buy $1,700 in merchandise online from Circuit City , the home electronics retailer. However, Circuit City flagged the transaction because the order didn’t include his phone number, came from a computer logged onto the Internet through a German IP address, and was supposed to be mailed to Illinois, even though Ikbal’s billing address is nowhere near there. Based on those warning signs Circuit City called Ikbal, who alerted the retailer it was a bogus order on a stolen card number.
Even though it involves a large business, Ikbal uses the example to show how stopping e-commerce fraud is feasible for even a very small online merchant or other company handling financial transactions online. Measures to stop e-commerce fraud are out there and many of them are cheap — or even free, such as checking the country of origin of an online order against the buyer’s credit card billing address, he says. That’s important because many small businesses can’t or won’t spend a lot on security, says Ikbal, a principal of zSquad , in Plainville, Mass., a firm that creates and audits corporate IT security plans. “They think they have a firewall or that their hosting service will provide security,” he says. “Even for companies that make $10 million a year or more, we find shocking lapses in security.”
Protecting the online store
According a December 2007 report on e-commerce fraud from The Aberdeen Group , a Boston technology researcher, companies that are most successful at reducing their risk of fraud and simultaneously make customers feel safe do the following to protect online transactions:
Ikbal also suggests companies do the following:
Warn users to upgrade buggy Web browsers. Shoppers who use older Web browsers, such as Internet Explorer 4 or 5, put themselves and online merchants in danger of being hacked because of known security breaches in those programs, Ikbal says. Since Web servers automatically detect the browser someone uses to log on, a company can redirect anyone with an older browser to a special page on the website that notifies them they need to upgrade before they can continue, Ikbal says. “They could make viewing it a condition for establishing an account,” he says. “It costs nothing. You just have to program your website to respond according.”
Set strict credit card policies and stick to them. Require that the address a buyer inputs for an order matches the one the credit card processor has on file for that individual. Also require that anyone making a purchase enter three- or four-digit CCV security code found on the back of the credit card. When an order is placed, the merchant can send the data to the card processor to see if it’s a match. If it’s not “the order shouldn’t be denied, but the merchant should call the person and ask about it,” Ikbal says.
Check IP location of incoming orders. Companies that process orders in real time — if they’re selling software buyers pay for and download for example — can use an IP location service such as IP2Location  or Akimai  to instantly identify a visitor’s geographical location. The cost is usually 30 or 40 cents per transaction or less, Ikbal says. Online merchants who don’t process orders in real time can manually look up IP addresses. “If someone sells only in the US, they should be careful if they see a transaction coming from Eastern Europe or North Korea, which are hotbeds of fake credit card transactions,” Ikbal says.
SIDEBAR: Create a Security Policy
One of the cheapest things a small business can do is create a security policy and post it online, according to security experts. Security policies aren’t hard to come by. The Anti-Phishing Working Group , a five-year-old industry association, posts links to security policies at several large companies on its website including:
Article printed from Inc. Technology: http://technology.inc.com
URL to article: http://technology.inc.com/2008/08/01/new-tools-for-stopping-e-commerce-fraud/
URLs in this post:
 Circuit City: http://www.circuitcity.com/
 zSquad: http://technology.inc.comwww.zsquad.com
 The Aberdeen Group: http://www.aberdeen.com/default.asp
 EV SSL: http://cabforum.org/faq.html
 IP2Location: http://www.ip2location.com/
 Akimai: http://www.akamai.com/
 Anti-Phishing Working Group: http://www.antiphishing.org/
 eBay: http://pages.ebay.com/help/confidence/isgw-account-theft-spoof.html
 spoof e-mail tutorial: http://pages.ebay.com/education/spooftutorial/index.html
 Citibank: http://www.citi.com/domain/spoof/learn.htm
 US Bank: http://www.usbank.com/cgi_w/cfm/promo/personal/fraud_email_info_and_help.cfm
 How to Avoid Phishing Scams: http://www.antiphishing.org/consumer_recs.html
 What To Do If You’ve Given Out Your Personal Financial Information: http://www.antiphishing.org/consumer_recs2.html
Copyright © 2011 Inc Technology. All rights reserved.