Posted by SecExtra on February 29th, 2008
As fraudsters continually educate themselves on ways to circumvent many traditional anti-fraud systems and establish more elaborate crime rings, banks and merchants alike need to be aware of what else they can be doing to find the right balance of security and ease-of-use in their customer transactions. Ori Eisen, Founder and Chief Innovation Officer at The 41st Parameter, shows ten ways in which organisations can boost their anti-fraud techniques.
There are many possible lines of action that companies can take to detect more fraudulent transactions. Using a combination of multiple tactics is the most effective because it creates a complex net that fraudsters would have to negotiate. Here are ten of the key approaches to fighting fraud through your organisation:
1. Check for billing and shipping address
Check if the billing and shipping addresses are different. In many cases the crook will send the goods to an address other than the billing address. Additionally, if a crook uses a “drop-shipment” address, you can spot that many orders are diverted to this address and place it on a negative list.
2. Increase device ID data
Instead of focusing on single data elements, such as the IP address, it is essential to construct a more comprehensive profile to establish the true identity of the device being used to complete a transaction. Visibility of the time that a transaction is made, compared to the time zone and the language settings of the device itself, can highlight inconsistencies. For example, if a device is supposed to be in France, but has Russian language settings and runs a transaction in the Pacific Time Zone, there is cause to investigate that case further.
3. Maintain standard checking systems
Address Verification Systems (AVS), Card Verification Values (CVV2) and Verify are all important security mechanisms. They cut out a lot of low-level fraud, especially from one-off or unprepared fraudsters. These systems put up an important barrier that legitimate consumers do not find difficult to overcome.
4. Know that IPs can be spoofed
Monitoring IP addresses is not an entirely fraud-proof approach. More sophisticated fraudsters are able to appear from anywhere in the world by ‘spoofing’ the IP address of another computer. Where the IP address of the genuine card holder is available, they are able to make a transaction appear entirely legitimate if the IP address is a key parameter in assessing cases.
5. Check for lazy keystrokes
Flags for suspicious activity should be raised if there are instances where names, email addresses, passwords etc. are entered using keys grouped together on the keyboard. For example, if someone uses combinations of the letters “asdf”, it may be because they are saving time to rush through vast amounts of data entry. These small give-aways can be another tell-tale sign of a suspicious customer profile.
6. Be wary of anonymous email addresses
While many legitimate customers will use popular email services such as Hotmail, Yahoo and Gmail, these are also an easy way for fraudsters to set up many new addresses. As email platforms, they are open to anyone, which means that you cannot trust a transaction simply because it has an easily created email address that matches the card holder’s name.
7. Check for ‘email tumbling’
A quick and easy way to pick out organised fraud is to spot sequential email addresses – signs of ‘email tumbling’. If you have transactions from joebloggs001@, joebloggs002@, joebloggs003@ etc., then these are signs that a fraudster is automatically generating email addresses.
8. Continue to conduct manual investigations
While automatic analysis tools will pick out links between some transactions based on data that may not be obvious to a fraud investigator, there is an important place for human reviews. While manual review should not constitute more than around five per cent of all fraud analysis, it is important for establishing themes that a computer would not be aware of. For example, would a computer pick out the names David Beckham, Wayne Rooney and Steven Gerrard as all being linked if they were disparate in almost every other way? This is where a human eye can pick out cases that require further investigation.
9. Capitalise on discovering bad transactions
If you uncover a fraudulent transaction, it can be the key to discovering a raft of similar cases. Use every parameter of information relating to the original case that you can find, and search for any others that share the same details – even if that is only in one parameter. The similarity may be small – it could be the email, postal address, phone number, or the time zone – but as these correlations build, you will be able to pinpoint more cases that could be bad.
10. Use free mapping tools
Free-to-use mapping services, such as Google Maps, can be used to add more weight to an investigation. If someone has given a “residential” address, then you can check that it is residential and not commercial. If someone has different shipping and billing addresses, you can ascertain whether the addresses are close together. If they are miles apart, there is reason to be suspicious.
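The lazy-keystroke check from item 5, as an added example that is not part of the original article: it measures how much of a form field consists of runs of neighbouring keys such as “asdf”. The US QWERTY rows, the field names, the `min_run` and `threshold` values and the sample sign-up are assumptions.

```python
# Rows of a US QWERTY keyboard (assumption: other layouts need their own rows).
QWERTY_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
_POS = {ch: (r, c) for r, row in enumerate(QWERTY_ROWS) for c, ch in enumerate(row)}

# Constructed sign-up form values; the field names are hypothetical.
SAMPLE_SIGNUP = {
    "first_name": "asdf",
    "last_name": "Liberty",
    "email_local": "qwerty01",
    "city": "Leeds",
}


def keyboard_runs(value):
    """Lengths of maximal runs of same-row neighbouring keys typed in one direction."""
    runs, run, direction, prev = [], 0, 0, None
    for ch in value.lower():
        pos = _POS.get(ch)
        step = pos[1] - prev[1] if pos and prev and pos[0] == prev[0] else 0
        if abs(step) == 1 and (run == 1 or step == direction):
            run, direction = run + 1, step
        else:
            if run:
                runs.append(run)
            run, direction = (1 if pos else 0), 0
        prev = pos
    if run:
        runs.append(run)
    return runs


def lazy_share(value, min_run=4):
    """Share of typed letters and digits that sit inside runs of at least min_run keys."""
    typed = sum(ch in _POS for ch in value.lower())
    lazy = sum(n for n in keyboard_runs(value) if n >= min_run)
    return lazy / typed if typed else 0.0


def flag_lazy_fields(record, threshold=0.6):
    """Names of form fields whose lazy share reaches the threshold, for review."""
    return sorted(name for name, value in record.items() if lazy_share(value) >= threshold)


if __name__ == "__main__":
    print(flag_lazy_fields(SAMPLE_SIGNUP))
```

Ordinary words can contain short keyboard runs (“Liberty” ends in “erty”), which is why the share of the field is scored rather than the mere presence of a run.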
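The email tumbling check from item 7, as an added example that is not part of the original article: it groups addresses by domain and by the local part with its trailing number removed, then flags groups whose numbers run in sequence. The order IDs, the addresses and the `min_cluster` and `max_gap` thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample orders (order id, email address); not real customer data.
SAMPLE_ORDERS = [
    ("o-1001", "joebloggs001@example.com"),
    ("o-1002", "joebloggs002@example.com"),
    ("o-1003", "JoeBloggs003@example.com"),
    ("o-1004", "joebloggs005@example.com"),
    ("o-1005", "alice.smith@example.org"),
    ("o-1006", "bob1984@example.net"),
    ("o-1007", "bob2@example.org"),
]

# Local part split into a stem and a trailing number: joebloggs001 -> joebloggs, 001
_TUMBLE_RE = re.compile(r"^(?P<stem>.*?)(?P<num>\d+)$")


def find_tumbled_emails(orders, min_cluster=3, max_gap=2):
    """Return {(stem, domain): [order ids]} for address families that look generated.

    A family shares a domain and a local-part stem; it is flagged when at least
    min_cluster of its trailing numbers form a run with gaps of at most max_gap
    (gaps allow for addresses used elsewhere or on orders that never completed).
    """
    families = defaultdict(dict)  # (stem, domain) -> {number: first order id}
    for order_id, email in orders:
        local, _, domain = email.strip().lower().rpartition("@")
        match = _TUMBLE_RE.match(local)
        if match and domain:
            families[(match["stem"], domain)].setdefault(int(match["num"]), order_id)

    flagged = {}
    for key, by_num in families.items():
        nums = sorted(by_num)
        best = run = [nums[0]]
        for n in nums[1:]:
            run = run + [n] if n - run[-1] <= max_gap else [n]
            if len(run) > len(best):
                best = run
        if len(best) >= min_cluster:
            flagged[key] = [by_num[n] for n in best]
    return flagged


if __name__ == "__main__":
    for (stem, domain), ids in find_tumbled_emails(SAMPLE_ORDERS).items():
        print(f"{stem}NNN@{domain}: {len(ids)} orders -> {ids}")
```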
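The pivot described in item 9, as an added example that is not part of the original article: starting from one confirmed-bad transaction, it links others that share parameters and then pivots again from each newly linked one, which goes a step beyond the single search the text describes. The field names, the weights, the `link_at` threshold and the sample transactions are assumptions.

```python
from collections import deque

# Assumed weights for how strongly a shared value ties two orders to one actor.
WEIGHTS = {"email": 3, "phone": 3, "ship_to": 2, "device_tz": 1}

# Constructed transactions; every value is illustrative. t1 is the confirmed fraud.
SAMPLE_TXNS = {
    "t1": {"email": "joebloggs001@example.com", "phone": "555-0100",
           "ship_to": "unit 7 dock rd", "device_tz": "America/Los_Angeles"},
    "t2": {"email": "k.lee@example.org", "phone": "555-0100",
           "ship_to": "22 mill ln", "device_tz": "Europe/Moscow"},
    "t3": {"email": "pat@example.net", "phone": "555-0177",
           "ship_to": "22 Mill Ln ", "device_tz": "Europe/Moscow"},
    "t4": {"email": "sam@example.com", "phone": "555-0142",
           "ship_to": "9 high st", "device_tz": "America/Los_Angeles"},
    "t5": {"email": "ann@example.org", "phone": "555-0199",
           "ship_to": "3 oak ave", "device_tz": "Europe/London"},
}


def _norm(value):
    """Case- and whitespace-insensitive form used for comparison."""
    return str(value or "").strip().lower()


def overlap(a, b):
    """Summed weight of the parameters on which two transactions agree."""
    return sum(w for f, w in WEIGHTS.items()
               if _norm(a.get(f)) and _norm(a.get(f)) == _norm(b.get(f)))


def expand_from_bad(txns, seed_id, link_at=3):
    """Breadth-first pivot from one confirmed-bad transaction.

    Returns (linked, review): linked maps txn id -> hops from the seed for orders
    whose overlap with an already linked order reaches link_at; review maps
    txn id -> best overlap for weaker matches that a human should look at.
    """
    linked, review, queue = {seed_id: 0}, {}, deque([seed_id])
    while queue:
        current = queue.popleft()
        for tid, txn in txns.items():
            if tid in linked:
                continue
            score = overlap(txns[current], txn)
            if score >= link_at:
                linked[tid] = linked[current] + 1
                review.pop(tid, None)
                queue.append(tid)
            elif score:
                review[tid] = max(score, review.get(tid, 0))
    return linked, review
```

In the sample, t3 shares nothing with the seed and is reached only through t2, while t4 matches on time zone alone and is left for manual review.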
Many of these approaches will raise red flags on suspicious cases. However, focusing on only one or two will mean that there are still many transactions that can slip through the net. The parameters that you choose to set as a business will depend on a wide range of factors – from the characteristics of your customer base to the capability of your fraud team – but within these ten steps are approaches that will cut some fraud from your business.
This entry was posted on Friday, February 29th, 2008 at 6:26 am and is filed under Identity.