About a week ago, a fraudulent order was placed for a copy of Javelin’s most recent report on Identity Fraud. The online order was attempted, but the product was never delivered. Certain red flags alerted our team that this transaction was a wee bit suspicious, including an address that didn't seem quite right.
“Is Maryland in the U.K.? Hey, someone ask Nick Holland!”
Luckily the attempt was easy to spot: we weren't out any product, nor did we need to worry about some anonymous ne'er-do-well publishing the fruits of our labor on the Interwebs. There were still a few loose ends that needed to be addressed, though, as the Javelin team wanted to know who was responsible (no one likes feeling as though someone tried to rip them off).
On this question, our fine team ran into some trouble. After speaking with the gentleman whose name was associated with the order, they learned that he had suffered fraud on some of his cards recently, but he did not own the brand of card used for the fraudulent order. In addition, both the “admin” email address (“@somerandomwebaddress.com”) and the phone number provided with the order proved to be dead ends.
I've considered putting my special investigator decoder ring back on, and giving this fraudster “the business”, but I just don’t have the time. A keen eye on the customer, the transaction, and the payment helped prevent the fraud from occurring.
Unfortunately, the web has provided criminals with a degree of anonymity which can make successfully identifying them all too time-consuming. Is it worth chasing someone down for a fraud that was never actually completed, when they are unlikely to ever be charged for the one attempt? Odds are that our “customer” thought the whole thing would be funny, but the problem it represents isn’t. Positive action is required – retailers, card issuers, processors, payment networks, and security vendors need to work together to share intelligence. In this way we can collectively identify bad actors, limit their success, and keep records of all of their attempts for later prosecution (fingers crossed in the hope of seeing this realized!).
Efforts from companies like 41st Parameter, MasterCard, RSA, and Visa, though, may hold just this sort of promise. Beyond cooperation with other stakeholders, there are a number of other actions that responsible merchants can and should take to prevent credit card fraud. While Javelin recently tackled the important issue of online payment authentication, an ounce of prevention is worth a pound of cure. The card number that our friendly neighborhood crook tried to use came from somewhere, and it is quite possible the source was a compromised merchant. To that end we will be releasing a report on improving the security of payment card data, just in time to coincide with PCI’s latest and greatest guideline updates.
Thankfully our incident has come and gone, but other merchants are forced to confront fraudulent transaction attempts daily – Javelin’s efforts to educate on this issue will continue unabated. When all was said and done, I heard someone from the finance team ask, “Why would someone use a stolen credit card to buy a copy of our fraud report?” “Because it’s ironic,” I replied – I then walked back to my desk, fired up my laptop, and got back to work.