About a week ago, a fraudulent order was placed for a copy of Javelin’s most recent report on Identity Fraud.  The online order was attempted, but the product was never delivered.  Certain red flags alerted our team that this transaction was a wee bit suspicious, including an address that didn't seem quite right.

“Is Maryland in the U.K.?  Hey, someone ask Nick Holland!”

Luckily the attempt was easy to spot, we weren't out any product, nor did we need to worry about some anonymous ne'er-do-well publishing the fruits of our labor on the Interwebs.  There were still a few loose ends that needed to be addressed though, as the Javelin team wanted to know the identity of who was responsible (no one likes feeling as though someone tried to rip them off).

On this question, our fine team ran into some trouble.  After speaking with him, they learned that the gentleman whose name was associated with the order had suffered fraud on some of his cards recently, but he did not own the brand of card used for the fraudulent order.  In addition, both the “admin” email address (“@somerandomwebaddress.com”) and the phone number provided with the order proved to be dead-ends.

I've considered putting my special investigator decoder ring back on, and giving this fraudster “the business”, but I just don’t have the time.  A keen eye on the customer, the transaction, and the payment helped prevent the fraud from occurring. 

Unfortunately, the web has provided criminals with a degree of anonymity which can make successfully identifying them all too time-consuming.  Is it worth chasing someone down for a fraud that was never actually completed, when they are unlikely to ever be charged for the one attempt? Odds are that our “customer” thought the whole thing would be funny, but the problem it represents isn’t.  Positive action is required – retailers, card issuers, processors, payment networks, and security vendors need to work together to share intelligence.  In this way we can collectively identify bad actors, limit their success, and keep records of all of their attempts for later prosecution (fingers crossed in the hope of seeing this realized!)  

Efforts from companies like 41st Parameter, MasterCard, RSA, and Visa though, may hold just this sort of promise. Beyond cooperation with other stakeholders, there are a number of  other actions that responsible merchants can and should take to prevent credit card fraud.  While Javelin recently tackled the important issue of online payment authentication, an ounce of prevention is worth a pound of cure.  The card number that our friendly neighborhood crook tried to use came from somewhere, and it is quite possible the source was a compromised merchant.  To that end we will be releasing a report on improving the security of payment card data, just in time to coincide with PCI’s latest and greatest guideline updates.

Thankfully our incident has come and gone, but other merchants are forced to confront fraudulent transaction attempts daily – Javelin’s efforts to educate on this issue will continue unabated.  When all was said and done, I heard someone from the finance team ask “Why would someone use a stolen credit card to buy a copy of our fraud report?” “Because it’s ironic” I replied – I then walked backed to my desk, fired up my laptop, and got back to work.

Author

About Al Pascual

An accomplished industry analyst, market researcher, and financial industry practitioner, Al Pascual is Javelin’s Research Director and Head of Fraud & Security. As Research Director, Al leads Javelin’s Advisory Services and Custom Research businesses. He oversees growth of these businesses while ensuring that Javelin’s research content meets quality standards and provides the innovative perspectives that clients expect from the firm.

As Head of Fraud & Security, Al provides clients actionable insights on a variety of fraud and security issues, acts as a partner in developing strategies for managing risk, and identifies and raises awareness of future threats and solutions. Al researches a range of topics, including the applicability of biometrics in banking and payments, the effect of data breaches on the integrity of consumer identities, the relationship between identity fraud and loyalty, and the best methods for securing payment data and transactions.

Al has presented findings from Javelin’s rigorous, industry-leading research at conferences around the world, including BAI, CARTES, Money20/20, NACHA, and RSA. Al has provided commentary on fraud and security issues to American Banker, Bloomberg, CNNMoney, Fox Business, Reuters, The New York Times, The Wall Street Journal, The Washington Post, and Wired.

Previously Al held risk management roles at HSBC, Goldman Sachs, and FIS. He is a member of the Association of Certified Fraud Examiners, the International Association of Financial Crimes Investigators, and the Federal Reserve Secure Payments Task Force. Al also serves on the board of advisers to the Information Security Media Group. He earned a Bachelor of Arts degree in History from the University of South Florida.

Stay in Touch!