e-Fraud and Predictive Forensic Profiling -
 reducing losses by combining science with a crystal ball

                                                                  HB Prinsloo
                                  CDE (A division of Comparex Africa (Pty) Ltd)
                                              hermanp@ComparexAfrica.co.za


Abstract:

This article focuses on cyber crime, especially the effects of e-fraud on
smaller e-merchants. It describes simple, cost-effective measures that the
smaller e-merchant can implement in order to prevent fraudulent transactions
and improve turnover and profit.

List of key words:

Cyber crime, on-line fraud, e-fraud, smaller e-merchant, micro e-merchant, e-
business, prevention of e-fraud, predictive profiling, forensic profiling,
predictive forensic profiling.


1     INTRODUCTION

From the submission of this article’s abstract to the actual writing of this text,
e-fraud has gained prominence in the South African news as a result of the
theft of a relatively large sum of money between May and July 2003 by one
cyber criminal from the Internet bank accounts of 10 clients of the
Amalgamated Banks of South Africa Group (ABSA Bank), one of the largest
banking groups in South Africa. A suspect was arrested towards the end of
July and charged with 10 counts of fraud (Cruywagen, 2003:3).

This was the first major incident of e-fraud to make news headlines over a
number of weeks in South Africa. It has had the widest potential effect as the
vast majority of the Internet using population in South Africa use Internet
Banking as a convenient and cost-effective way of managing their personal
financial affairs.

Although it has only gained prominence in the minds of the general public
recently, e-fraud has been with us in many guises for a number of years.

1.1    DEFINING E-FRAUD, E-CRIME AND CYBER CRIME
At this juncture it is important to attempt to define the concepts of e-fraud and
cyber crime.

The terms “e-Crime”, “cyber crime,” "computer crime", "Information
Technology crime," and "high-tech crime" are often used interchangeably. No
universally uniform or accepted definition of cyber crime exists, partly due to
the many guises of cyber crimes (Groebel et al.: 2001:17).


Cyber crimes can range from economic offences (fraud, theft, industrial
espionage, sabotage and extortion, product piracy, etc.) to infringements on
privacy, propagation of illegal and harmful content, facilitation of prostitution
and other moral offences, as well as organised crime (cf. Goodman,
1997:468, Golubev, 2003:2; PCB, 2001a:8; Turnbull, 2001:5). At its most
severe cyber crime borders on terrorism, encompassing attacks on human life
and against national security establishments, critical infrastructure, and other
vital elements of society (cf. Sweet, 2003:1; Messmer, 2002:1; CERT/CC,
2002:5; Schneier, 2003:1).

The UN Manual on the prevention and control of computer-related crime
provides the following definition of cyber crime: “Computer crime can involve
activities that are traditional in nature, such as theft, fraud, forgery and
mischief, all of which are generally subject everywhere to criminal sanctions.
The computer has also created a host of potentially new misuses or abuses
that may, or should, be criminal as well” (UN, 1994:7).

Koenig (2001:8) defines cyber crime as: “A criminal offence that has been
created or made possible by the advent of computer technology, or a
traditional crime which has been so transformed by the use of a computer that
law enforcement investigators need a basic understanding of computers in
order to investigate the crime.” Broadly, this definition generally refers to two
types of offences:
•     Crimes against computers or information on computers (e.g. attacks on
      network confidentiality, integrity and/or availability i.e. infringements on
      privacy, unauthorised access to and illicit tampering with systems,
      programs or data)

•    Traditional crimes that are committed with the use of computers or some
     form of information and communication technology (e.g. industrial
     espionage, theft, forgery, extortion, propagation of illegal and harmful
     content, facilitation of prostitution, etc.) (cf. McConnell International,
     2000:1; Goodman, 1997:468; Turnbull, 2001:8.).

On a global scale, society’s dependence on technology is increasing
exponentially. The use of computers and computer technology has
proliferated in all spheres of life and it plays a central role in such diverse
activities as banking, transport systems, the financial markets, hospitals and
telecommunications today. In this respect technology affects all of us on a
daily basis in ways that we do not necessarily take into account. Our
dependence on technology, combined with the cyber criminal’s perceived low
risk of arrest and prosecution and the fact that legislation is not always
adequate to facilitate the prosecution of trans-national cyber criminals,
exponentially increases the risk posed by cyber criminals on society today
(cf. Smith, 2002:5; Turnbull, 2001:19; Groebel et al.: 2001:15 & Smith
2000:1). In the USA, the average damage suffered by a physical bank
robbery is US $3 200, compared to US $23 000 for the average swindle and
damage of US $500 000 caused by the average computer crime (Belousov,
2003:1). In the physical environment, fraud was traditionally paper-based or
people-based, whereas the following are the means most often used to
commit crimes on-line:
•   Message interception and alteration
•   Unauthorised account access
•   Identity theft
•   Manipulation of stocks and bonds
•   Extortion
•   Unauthorised system access (e.g. system damage, degradation, or
    denial of service)
•   Industrial espionage
•   Manipulation of e-payment systems
•   Credit Card Theft (cf. Glaessner et al. 2002:24; Graycar & Smith, 2002:4;
    & Centeno, 2002:11).

Currently the most vulnerable aspects of technology have been identified by
Etter (2001b:24) as:
•    Electronic commerce
•    On-line banking
•    Pharmacies with electronic prescription services and interfaces to
     medical aids
•    Health care services and records
•    Education.

The vulnerability of information and communication technology (ICT) systems
can be ascribed to the following interrelated factors:
•    Density of information and processes
     Billions of characters of data can be saved on a relatively small storage
     device. Vast amounts of data can be relatively quickly and easily
     destroyed or deleted.
•    System accessibility
     Computer systems were originally designed to allow multiple users to
     use the same computer. Today ICT systems and users can access and
     communicate with other systems across the globe. The fact that the
     system cannot be physically guarded makes it vulnerable, despite the
     plethora of ever-evolving security systems designed to protect a globally
     accessible ICT system.
•    System complexity
     The exponential growth in processing power and complexity in operating
     systems makes it impossible for even the designers of such systems to
     understand the number of logic states that are possible during execution
     in a multi-programming or multi-processing environment. This makes a
     system vulnerable to intrusion via an (unintentional) back door in the
     system.
•    Electronic vulnerability
     Computer systems rely on electronic and generally also
     telecommunications technology that are subject to potential problems
     with reliability, fragility, environmental dependency and vulnerability to
     interference and the interception of data.

•    Vulnerability of electronic data-processing media
     The content and nature of the data on a storage device is not visible to
     the technicians handling it. Very sensitive data can be handled
     carelessly without the handler being aware of either the risk or the nature
     of the data. Equipment can be stolen from cars, or disks that contain
     very sensitive information can be mislaid.
•    Human factors
     In nearly any ICT environment, certain individuals require access to very
     sensitive information. A young IT technician could, for instance, have
     access to an organisation’s payroll data or R&D archive for the purpose
     of creating backups. Such a person could succumb to temptation, be
     bribed by competitors, or become disillusioned and destroy or
     disseminate very sensitive information, leaving very little evidence.
     “Insider” (full- or part-time employees, contracted workers, consultants,
     partners or suppliers) security incidents such as access abuse and
     equipment theft occur far more frequently than “external” attacks (cf. UN,
     1994:7, 10; Settle, 2000:4; Centeno, 2002:14; Smith 1999b:5).
     Alarmingly, very few companies do standard background checks on staff
     members who are employed to work with sensitive data and are granted
     unrestricted access to systems (Graycar & Smith, 2002:7). A trusted
     insider may be recruited covertly by hostile parties long before any action
     associated with an actual attack (the so-called “sleeper” problem) or
     tricked into taking some action that breaches system security e.g. tricked
     into disclosing a password or opening an e-mail attachment that installs
     software that permits access by malicious outsiders (CSTB, 2002:5).
     Personal financial pressure is the most widely reported warning signal
     exhibited by employees prior to the discovery of internal fraud (KPMG,
     1999:16).

The following factors related to cyber crime complicate effective law
enforcement and pose new and unique challenges for investigators:
•    The environment is a more favourable vehicle for fraudsters to
     communicate and act due to its anonymity, easy access, and rapid
     exchange of resources such as hacking programs and credit card
     numbers (cf. Gartner, 2001:15).
•    The possibility of committing computer-facilitated crime also makes it
     easier to automate and commit fraud on a larger scale (Schneier,
     2003:1); the level of automation in attack tools continues to increase.
     Automated attacks commonly involve four phases: Scanning for potential
     victims; Compromising vulnerable systems; Propagating the attack; and
     Coordinating the management of attack tools. Since 1999, with the
     advent of distributed attack tools, attackers have been able to manage
     and coordinate large numbers of deployed attack tools distributed across
     many Internet systems. Today, distributed attack tools are capable of
     launching denial-of-service attacks more efficiently, scanning for
     potential victims and compromising vulnerable systems. Coordination
     functions now take advantage of readily available public communications
     protocols such as Internet Relay Chat (IRC) and instant messaging (IM)
     (CERT/CC, 2002:1).

•   Attack tool developers are using more advanced techniques than
    previously. Attack tool signatures are more difficult to discover through
    analysis and more difficult to detect through signature-based systems
    such as antiviral software and intrusion detection systems. Three
    important characteristics are the anti-forensic nature, dynamic behaviour
    and modularity of the tools. As an example of the difficulties posed by
    sophisticated attack tools, many common tools use protocols like IRC or
    HTTP (HyperText Transfer Protocol) to send data or commands from the
    intruder to compromised hosts. As a result, it has become increasingly
    difficult to distinguish attack signatures from normal, legitimate network
    traffic (CERT/CC, 2002:2; PCB, 2001a:8).
•   Firewalls are often relied on to provide primary protection from intruders.
    However, technologies are being designed to bypass typical firewall
    configurations; for example, IPP (the Internet Printing Protocol) and
    WebDAV (Web-based Distributed Authoring and Versioning). Some
    protocols marketed as being “firewall friendly” are, in reality, designed to
    bypass typical firewall configurations. Certain aspects of “mobile-code”
    (ActiveX controls, Java and JavaScript) make it difficult for vulnerable
    systems to be protected and for malicious software to be discovered
    (CERT/CC, 2002:2).
•   Because of the advances in attack technology, a single attacker can
    employ a large number of distributed systems to launch devastating
    attacks against a single victim relatively easily. As the automation of
    deployment and the sophistication of attack tool management both
    increase, the asymmetric nature of the threat will continue to grow
    (CERT/CC, 2002:3).
•   The speed at which crimes can be committed.
•   The fact that a crime is not always immediately apparent. A cyber
    criminal can hack into a system and plant a program that is only
    scheduled to do something at some time in the future. Similarly, a cyber
    criminal can invade the computer of an innocent person and launch an
    attack from the computer making it appear that the owner of the
    computer perpetrated the crime. This makes it very difficult to catch and
    prosecute proficient cyber criminals (CSTB, 2002:5).
•   The lack of risk awareness.
•   Merchants are often small and new with limited security skills and
    budgets. They are selling new goods (digital content) that are more
    vulnerable to fraud (Experian, 2000:2).
•   The lack of cyber security skills and tools. Organisations often overlook
    significant risks i.e. system providers do not produce systems that are
    immune to attack, network and system operators do not have the
    personnel and practices in place to defend themselves against attacks
    and minimise damage (CERT/CC, 2001:1).
•   Users are more vulnerable. With increasing Internet connectivity from
    home and increasing PC power (available for hackers), average users
    know little about risks and the security tools available to protect their
    computers from external attacks.
•   Global reach (including issues of jurisdiction, disparate criminal laws and
    the potential for large-scale victimisation) makes legal prosecution more
     difficult. Because transaction amounts are generally low, the electronic
     evidence tools and skills available are very limited. Legislation has not
     yet been fully adapted to the Internet environment and, where
     transactions have taken place across borders, complex jurisdictional and
     procedural issues may arise. The technical and legal complexities of
     investigating and prosecuting cyber crimes are complicated by the
     relatively low value of individual fraudulent transactions as well as the
     complex legal process for prosecuting cases of fraud within the legal
     systems of more than one country (cf. Experian, 2000:13; Smith 2002:5;
     CSTB, 2002:3).
•    Telecommunications can be used to further criminal conspiracies.
     Because of sophisticated encryption systems and high-speed data
     transfers, it is difficult for law enforcement agencies to intercept
     information about criminal activities. This has particular relevance to
     new international criminal activities (Giddens & Duneier, 2003:201).
•    The volatility or transient nature of evidence, including no collateral or
     forensic evidence such as eyewitnesses, fingerprints or DNA.
•    The high cost of investigations
     (cf. Centeno, 2002:3; Etter, 2001b:27; Etter, 2001a:6; Etter, 2002:5, 12;
     Graycar & Smith, 2002:2; Groebel et al., 2001:25 & McConnell
     International, 2000:2).

According to Centeno (2002:12), the most common types of on-line card fraud
reported are:
•    Bogus merchants collecting card data and disappearing, charging either
     unauthorised transactions, transaction amounts higher than agreed or
     unauthorised recurring transactions
•    Transactions performed with stolen card data (in the physical world or
     obtained through intrusion in merchant servers) or data generated with
     software tools
•    Consumers fraudulently denying transactions and getting a transaction
     reversed based on “card not present” legislation. Transaction reversal
     and refund, also called charge backs, are estimated to be 12 times more
     frequent for e-commerce than in the physical world, and two to three
     times more than for “MOTO” (Mail Order Telephone Order) sales.

With a view to understanding what security measures are needed and, based
on results of the analysis of fraud figures available, on-line payment risks can
be classified into the following four categories:
1. Risk of merchant fraudulent behaviour: bogus merchants carrying out
     data capture, disappearing and charging unauthorised transactions;
     charging transaction amounts higher than agreed; charging unauthorised
     recurrent payments.
2. Risk of identity and payment data theft for further fraudulent use on the
     Internet or in the physical world (purchase, fraudulent card application,
     account take-over). Identity data can be stolen through e-mail (or even
     phone) scam, or through on-line unauthorised access to merchant or ISP
     servers, to bank servers, to consumers’ PCs or to transactional data.
3.    Risk of impersonation i.e. fraudulent use of (stolen) consumer identity
      and/or payment data, or software generated account numbers for
      purchasing.
4.    Risk of a consumer fraudulently denying a transaction (cf. Centeno,
      2002:3, 19; Graycar & Smith, 2002:4).

According to Etter (2001b:23) cyber crime will increasingly feature in many
trans-national crimes involving drug trafficking, people smuggling and money
laundering and while many e-crimes will be ‘old style’ crimes simply involving
the use of ICT, new forms of crime will also emerge. In addition, the barriers
to committing crime, that is electronic crime, have dropped significantly and
criminals are becoming younger.

Etter (2001b:23) observes that it would seem that people who would not
dream of stealing or maliciously damaging other people’s property in real life
have no qualms or second thoughts about the opportunities and challenges
presented by the Internet.

1.2   THE MOST PREVALENT CYBER CRIMES
Technology has most certainly changed the risk landscape as far as fraud is
concerned:

Figure 1: Technology-enabled Fraud (CyberSource, 2002:6)

Goodman and Brenner (2002:14) identify the following activities as the most
prevalent cyber crimes:

1.2.1 Hacking and Related Activities

Hacking, or gaining unauthorised access to a computer system, computer
programs or data, opens a range of possibilities for inflicting damage (cf. UN,
1994: 13 & Groebel et al., 2001:43). Illegal infiltration of telecommunications
systems means that eavesdropping, ranging from spouse monitoring to
espionage has become easier (Giddens & Duneier, 2003:201). The ability to
hack into and steal telecommunications services means that people can
conduct illicit business without being detected or simply manipulate
telecommunication and cell phone services in order to receive free or
discounted telephone calls. Giddens & Duneier (2003:201) and PCB
(2001a:3) identify two types of hackers, namely, internal (including Internal
Saboteurs) and external (including Political Hackers or Hacktivists, who hack
either to highlight a lack of security or for personal reasons i.e. grudges).

1.2.2 Commercial Espionage

Losses suffered through misappropriation of computerised intellectual
property cost copyright owners close to $20 billion last year. Netspionage
involves confidential information being stolen by hackers to sell to a
competitor or to be used for individuals’ business exploits. Espionage was
originally limited to governments but, with the advent of the Information Age,
the rise of corporate espionage has been rapid. One tool used to steal
secrets is TEMPEST (Transient Electromagnetic Pulse Emanation
Surveillance Technology), which allows a scanner to read the output from a
computer up to a kilometre away. It is non-invasive and virtually undetectable
(PCB, 2001a:4).

1.2.3 Data Manipulation

Computer fraud by input manipulation (also called “Data-Diddling”) is one of
the most common computer crimes. Input manipulation is easy to perpetrate
and difficult to detect, does not require sophisticated computer knowledge and
could be perpetrated by a data capturer with limited data processing system
access (UN, 1994:14). A more sophisticated form of data manipulation is the
modification of software programs, which is also difficult to detect. The most
common example is the “Salami technique” where thin slices of financial
transactions are stolen i.e. rounding down the cents in financial transactions
and diverting the cents from millions of transactions to a bank account
(Goodman and Brenner, 2002:15).
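The “Salami technique” above is detectable from the ledger itself, because the diverted cents have to land somewhere. The following is an added example, not code from the paper or from any system it cites, of a reconciliation check a defender can run over a batch of postings: it compares each posted amount with honest round-to-nearest rounding, measures how often customers are shorted (honest rounding shows no systematic bias) and flags any account that collects the residual from many different transactions. The `Posting` record, its field names and the sample batch are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_EVEN
from typing import List, Optional, Tuple

CENT = Decimal("0.01")


@dataclass(frozen=True)
class Posting:
    """One interest/amount posting as a reconciliation job would see it.
    Field names are hypothetical; a real core-banking export will differ."""
    txn_id: str
    customer: str             # account that should receive the rounded amount
    exact: Decimal            # amount as computed before rounding
    posted: Decimal           # amount actually credited to the customer
    sweep_to: Optional[str]   # account that received any left-over fraction


def residual(p: Posting) -> Decimal:
    """Cents the customer was shorted relative to honest round-half-even.
    Truncation only costs the customer a cent when the dropped fraction is
    >= 0.005, so a truncated 4.121 shows no residual while 10.999 shows 0.01."""
    honest = p.exact.quantize(CENT, rounding=ROUND_HALF_EVEN)
    return honest - p.posted


def salami_report(postings: List[Posting], min_hits: int = 3) -> Tuple[List[str], float, Decimal]:
    """Reconcile a batch of postings and return
    (suspicious sweep accounts, share of postings shorted, total shortfall).

    A sweep account that collects residuals from at least `min_hits`
    different transactions is the concentration pattern the salami
    technique produces; a large share of shorted postings is the sign bias
    that honest nearest-cent rounding would not show."""
    hits_per_sweep: Counter = Counter()
    shortfall = Decimal("0.00")
    shorted = 0
    for p in postings:
        r = residual(p)
        if r > 0:
            shorted += 1
            shortfall += r
            if p.sweep_to:
                hits_per_sweep[p.sweep_to] += 1
    bias = shorted / len(postings) if postings else 0.0
    suspicious = sorted(acct for acct, n in hits_per_sweep.items() if n >= min_hits)
    return suspicious, bias, shortfall


# Constructed sample batch (not from the paper): three honest postings rounded
# to the nearest cent, then five postings truncated with the fraction swept to
# one suspense account, one of which happens to lose nothing.
SAMPLE = [
    Posting("t1", "C-100", Decimal("12.345"), Decimal("12.34"), None),
    Posting("t2", "C-101", Decimal("7.891"),  Decimal("7.89"),  None),
    Posting("t3", "C-102", Decimal("3.006"),  Decimal("3.01"),  None),
    Posting("t4", "C-103", Decimal("10.999"), Decimal("10.99"), "SUSP-9"),
    Posting("t5", "C-104", Decimal("5.237"),  Decimal("5.23"),  "SUSP-9"),
    Posting("t6", "C-105", Decimal("8.118"),  Decimal("8.11"),  "SUSP-9"),
    Posting("t7", "C-106", Decimal("2.555"),  Decimal("2.55"),  "SUSP-9"),
    Posting("t8", "C-107", Decimal("4.121"),  Decimal("4.12"),  "SUSP-9"),
]

if __name__ == "__main__":
    accounts, bias, total = salami_report(SAMPLE)
    print(f"suspicious sweep accounts: {accounts}")
    print(f"share of postings shorted: {bias:.0%}, total shortfall: {total}")
```

On the sample batch the check flags `SUSP-9`, reports that half the postings were shorted and totals a shortfall of 0.04. The individual amounts are too small to notice, which is the whole point of the technique; the concentration and sign-bias signals are what make it visible, and in practice the `min_hits` threshold and the bias share would be tuned against a known-clean batch.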

1.2.4 Computer Forgery

Today most official documents are produced via a printout from a computer.
Fraudulent altering and counterfeiting of documents have become easier with
the availability of inexpensive, high quality scanners and colour printers (UN,
1994:14).

1.2.5 Viruses and other Malicious Programs

Viruses and other types of malicious code like “worms” and logic bombs can
be very destructive. A calamitous virus may delete files or permanently
damage systems. A Trojan horse, masquerading as a utility e.g. anti-virus
software or animation, may copy user IDs and passwords, erase files or
release viruses (Groebel et al, 2001:52; PCB, 2001a:8). The effect of viruses
and other malicious programs is referred to as computer sabotage.
Computer sabotage can be the vehicle for gaining economic advantage over
a competitor, for promoting the illegal activities of ideologically motivated
terrorists or for stealing data or programs (also referred to as "bitnapping") for
extortion purposes (UN, 1994:15).

1.2.6 Software Pirating

The unauthorised reproduction of computer programs can mean a substantial
economic loss to the legitimate owners. It has become relatively easy to
violate copyright rules by copying materials, software, films and CDs (Giddens
& Duneier, 2003:201). The problem has reached trans-national dimensions
with the trafficking of these unauthorised reproductions over modern
telecommunication networks (UN, 1994:16; PCB, 2001a:8).

1.2.7 Gambling, Pornography and other Offences against Morality

On-line casinos have proliferated widely, despite the fact that gambling is
illegal in many jurisdictions. The Internet is also being used to distribute
drugs, pharmaceuticals, tobacco and liquor, again regardless of jurisdictional
prohibitions. It is difficult to control pornography and offensive content in
cyberspace (Giddens & Duneier, 2003:201).


1.2.8 Child Pornography

Many types of paedophilic activity - viewing images, discussing activities,
arranging tourism, enticing a child to a meeting - are carried out over the
Internet. The Internet gives the paedophile the advantages of a wider scope
of communications and the likelihood of eluding the law, given the
jurisdictional problems that arise in prosecuting cases that transcend borders
as is the nature of the Internet (cf. Giddens & Duneier, 2003:201; Groebel et
al, 2001:65).

1.2.9 Cyber Homicide

Cyber homicide - using computer technology to kill someone - has not yet
been reported but could be perpetrated in future. An aspiring mass murderer
could, for example, hack into a hospital’s computer system, learn about the
medication prescribed for patients and alter the dosages, causing them to die
(cf. Sweet, 2003:1; CSTB, 2002:6).

1.2.10 Stalking, Harassment and Hate Speech

Stalking and harassment are malicious activities directed at a particular
person. Cyber stalking can pose not only virtual but real threats to on-line
users. The dissemination of hate and racist speech has a more general focus
but can be equally traumatic for those it targets and is becoming more
widespread because of the Internet. Stalking, harassment, hate-filled and
racist speech perpetrated over computer networks is not universally
considered to be illegal (Giddens & Duneier, 2003:201; Groebel et al,
2001:71).

1.2.11 Cyber Terrorism

Pollitt (1997:285) defines cyber terrorism as a “pre-meditated, politically
motivated attack against information, computer systems, computer programs,
and data which results in violence against non-combatant targets by sub
national groups or clandestine agents”. There is a heightened vulnerability to
electronic vandalism and terrorism in western society today due to the fact
that much of modern life depends on computers and computer networks. For
many people, the most visible interaction they have with computers is typing
at the keyboard of a computer. Less visible are the computers and networks
that are critical for key functions such as managing and operating nuclear
power plants, dams, electric power grids, air traffic control systems and
financial infrastructures. Computers are also instrumental in the day-to-day
operations of companies, organisations and government. Companies large
and small rely on computers to manage payroll, track inventory and sales and
perform research and development. The distribution of food and energy from
producer to retail consumer relies on computers and networks at every stage.
In future, everyday items such as traffic lights, elevators, appliances and even
pacemakers will become more and more connected to computer systems and
thus vulnerable to attacks by cyber terrorists. Instructions for building
incendiary devices can be placed on and downloaded from the Internet (cf.
Giddens & Duneier, 2003:201; Groebel et al., 2001:48; Arquilla, 1998:1;
Devost et al., 1996:7; Etter, 2002:14, Messmer, 2002:1; Blyth, 1999:16,
CSTB, 2002:2, CERT/CC, 2002:5).

1.2.12 Money Laundering and Organised Crime

Money laundering is estimated at between 2% and 5% of the world GDP
(PMSEIC Working Group, 2000:4). Electronic money laundering can be used
to move the illegal proceeds from a crime via Electronic Funds Transfer (EFT)
to conceal the origin of the funds (Giddens & Duneier, 2003:201; Graycar &
Smith, 2002:3). Even if money laundering remains largely tied to the off-line
world, the capabilities of the Internet and other networks mean that there will
be great incentives for money launderers to exploit this avenue (cf. Groebel et
al., 2001:60; & Etter, 2002:15).


1.2.13 Internet Fraud, e-Commerce Fraud and i-Payment Fraud

Fraud represents what is probably the largest category of cyber crime. The
Internet has created what appears to be the perfect cyber crime - borderless
fraud. So many different types of fraud are committed over computer
networks that they have become almost impossible to police effectively
(Groebel et al., 2001:57). There is an enhanced risk of electronic funds
transfer crimes. The widespread use of cash machines, e-commerce and
electronic money on the Internet heightens the possibility that some
transactions will be intercepted (Giddens & Duneier, 2003:201; Graycar &
Smith, 2002:3). Using computers, thieves can steal credit card details and
siphon funds from banks. Cyberspace can be just as easily used to commit
theft-by-threat or extortion. One of the most common types of cyber fraud is
on-line auction fraud where the vendor may describe products or services in a
false or misleading manner, or may take orders and money but fail to deliver
goods or deliver counterfeit goods (Golubev 2003:2). A growth in
telemarketing fraud has been noted as well as fraudulent charity schemes and
investment opportunities that are difficult to regulate (Giddens & Duneier,
2003:201).

For the purpose of this paper, the term e-fraud will be used to denote cyber
crimes relating to on-line credit card fraud and e-commerce.


2   E-FRAUD GLOBALLY

e-Fraud, notably fraudulent on-line credit card transactions via e-business
sites on the Internet, is a global problem that is much more prevalent than
“bricks and mortar” fraud, and also much more difficult to detect and
prosecute. It leads to significant profit erosion and losses suffered by e-
merchants (McConnell International, 2000:1). Some recent statistics include:
•     Identity theft complaints to US authorities rose by 40% each year from
      1992 to 1997. The US Treasury Department estimated that identity theft
      causes losses of up to US$3 billion each year from credit card fraud
      alone (PCB, 2001a:5).
•     Visa recently surveyed 15 Banks from 12 EU countries. It found that
      credit card payments account for nearly half of all complaints, more than
      one in five of which came from people billed for on-line transactions who
      had not even shopped on the Internet (PCB, 2001a:5).
•     A recent report from the National Consumers Council revealed that 50%
      of Internet users are unlikely to supply their credit card details on the
      Internet because they think it’s too risky (PCB, 2001a:5).
•     Over 50 per cent of all fraud committed in the first half of 2000 were
      "cyber crimes” (PCB, 2001a:1).
•     Fraudulent transactions make up 1.06% of total on-line transactions
      compared to only 0.06% of off-line transactions. The Gartner Group
      estimates that on-line transaction fraud is 17 times higher than in-store
      fraud (Gartner, 2002:1).
•     In 2002 26 million adults used the Internet compared to fewer than 10
      million in 1999. Over the same period, the number of adults making
      Internet card payments increased nine fold, from £1.3 million in 1999 to
      £11.8 million in 2002. Around 3% of all card payments to a total value of
      £9 billion were made over the Internet last year. This is expected to grow
      to 10% by 2012 (Apacs 2003b:10).
•     Direct sales over the Internet are expected to reach US$5 trillion in the
      United States and Europe by 2005 (McCardle et al., 2001:5).
•     Gartner (2002:1) estimates that in 2001 alone on-line fraud cost e-
      merchants US$700 million, excluding costs such as investigations, legal
      fees, etc.
•     One in six on-line customers have been the victim of credit card fraud
      and one in 12 have had their identity stolen on-line (Golub 2003:11).
•     It has been estimated that the typical identity theft victim learns about the
      crime only 14 months after it has occurred, sustains US$18,000 in
      fraudulent charges and spends 175 hours over two years restoring
      his/her clean credit and good name (PCB, 2001a:5).
•     Visa estimates that Internet transactions account for about 2% of its total
      transactions. However, of all the fraudulent transactions that Visa
      handles, 50% occur in Internet transactions (Verisign, 2002:9).

•   In 2002 FBI Internet fraud centre complaints rose by 300% (Golub
    2003:11).
•   A recent investigation by MSNBC reveals that while overseas-based
    criminals account for up to one third of all on-line fraud directed at United
    States e-businesses, there is no evidence of a single prosecution against
    these foreign perpetrators (Brunker, 2001:1). The US Treasury
    maintains an Official US Government System web page called the
    Financial Crimes Enforcement Network or FinCEN. Its mission is to
    support law enforcement investigative efforts and foster inter-agency and
    global cooperation against domestic and international financial crimes.
    FinCEN has issued warnings on transactions involving the following
    countries:
            o      The Arab Republic of Egypt
            o      The Bahamas
            o      The Cayman Islands
            o      The Cook Islands
            o      Dominica
            o      Israel
            o      Lebanon
            o      Liechtenstein
            o      The Marshall Islands
            o      Nauru
            o      Nigeria
            o      Niue
            o      Panama
            o      The Philippines
            o      The Russian Federation
            o      St. Kitts & Nevis
            o      St. Vincent and the Grenadines
            (FinCEN, 2003:1).
•   Forty per cent of companies have been hit by the same fraudster more
    than once with 18 % saying that they had been hit three times by the
    same fraudster before the fraud was detected (PCB, 2001a:5).
•   More than 50 per cent of all fraud committed in the first half of 2000 were
    "cyber crimes". Internet fraud rose 46% towards the end of 2000.
    Seventy per cent of large companies in the UK were hit by fraud and
    each of the companies surveyed lost an average of £4 million every year
    as a result of fraudulent activity. Not only is about 60% of fraud
    committed from within but it was found that as much as 58% of this fraud
    was uncovered ‘by accident’! Recovery rates remain low (with as few as
    20% of organisations able to recover half or more), and the scope for the
    commission of such fraud remains as high as ever with only 18% of
    victims ‘very confident’ about their future safety. Twice as many believe
    that the threat will be even greater in the next five years. Indeed, just
    under half the 3500 respondent organisations felt cyber crime was ‘the’
    risk of the future (PCB, 2001b:1).
•   In the US, a survey done in March 2001 revealed that:
    o     85% of respondents (primarily large corporations and government
          agencies) detected security breaches
    o     74% reported serious breaches
    o     71% reported unauthorised access by insiders; 25% detected
          system penetration from the outside
    o     186 respondents reported losses of US$377m (compared to
          US$265m from 249 respondents in 2000)
    o     most serious: Netspionage theft $151m reported by 6% of
          respondents (compared to US$66m in 2000)
    o     financial fraud was US$55m (compared to US$39.7m in 1999)
     o    loss due to sabotage: US$27m (compared to US$10m combined
          previous 3 years)
     o    70% of respondents cited Internet connections as a frequent point
          of attack (compared to 59% in 2000)
     o    91% of respondents (as opposed to 79% in 2000) detected
          employee abuse of Internet access privileges (PCB, 2001b:1).

Experian (2000:2) commissioned one of the most extensive research studies
on the effect of Internet fraud on UK Retailers. Eight hundred (800) UK
retailers were interviewed and it was found that:
•     Nine out of every ten Internet fraudsters in the UK were getting away
      with it! Only 9% of fraud cases reported to the police by UK on-line
      retailers resulted in prosecution.
•     70% of companies thought that the Internet was inherently more risky
      than other routes to market, with the majority of respondents
      experiencing an increase in fraud on the Internet over the previous year.
      Fifty-two (52) per cent of on-line traders claimed that Internet fraud was a
      problem for their organisation and 55% said it was a growing problem.
•     Retailers became aware far too late that they had been victims of fraud.
      Almost half the companies (48%) said it could take more than a month
      before they were made aware that they had been the victims of card
      fraud. Eighteen (18) per cent said that it took up to seven weeks.
•     11% of respondents had had their sites hacked into.
•     Only 15% of companies had automated systems for detecting fraud. The
      vast majority employ expensive and inaccurate manual processes. Only
      52% use any external data to verify a customer’s name and address.
•     Fraudsters have realised that methods of prevention are currently so
      inadequate that they need spend little time or effort covering their tracks.
      Less than 10% of fraudsters bother with a redirection service at the
      goods delivery address, and only 10% make the effort to set up a false
      telephone account.
•     58% of companies thought that the fear of fraud was a significant barrier
      to successful trading on the Internet.
•     Although Experian’s own client experience suggested an average level
      of charge backs of some 2.5% of sales, the survey indicated that
      retailers were experiencing lower than expected levels of fraud charge
      backs with 20% of companies experiencing charge backs in excess of
      1% of sales as a result of fraud. Forty-eight (48) per cent report charge
      backs of between 0 and 0.5%, and 8% report levels between 0.5% and
      1.0%. This may indicate that on-line retailers are reluctant to reveal the
      true extent of their on-line fraud problem.

On the perception of fraud, 52% of UK Internet retailers claimed that Internet
fraud was a problem for their organisation. Added to this, 58% of companies
thought that the fear of fraud was a significant barrier to successful trading on
the Internet and a similar number (57%) said that they had experienced an
increase in fraud since using the Internet. Finally, 52% experienced a higher
rate of fraud on the Internet as opposed to other routes to market and the vast
majority (70%) thought that the Internet was inherently more risky (Experian,
2000:5).

From figure 2 below it is clear that the growth in e-commerce (turnover) has
surpassed the growth in losses relating to e-fraud in recent years.




Figure 2:   Growth of e-Fraud and On-line Security Incidents compared
 to Growth in Web Commerce (or e-commerce) between 1998 and 2002
                                                                  (Golub 2003:11)

2.1   E-FRAUD IN SOUTH AFRICA

It is difficult to get an indication of the extent of e-fraud in South Africa and the
effect that it has on South African e-merchants. One global survey that had
significant South African input is the 2001 e.fr@ud survey, the major findings
of which were that:
•      only 9% of respondents admitted that a security breach had occurred in
       their organisation within the previous 12 months
•      while most believed that the security of credit card numbers and personal
       information were by far their customers’ most important concerns, fewer
       than 35% performed security audits on their e-commerce systems, and
       only 12% had websites bearing the seal identifying that their e-
       commerce systems had passed a security audit
•      79% stated that the highest probability of a breach occurring to their e-
       commerce systems would be perpetrated through the Internet or other
       external access (KPMG, 2001:35).
As indicated in figure 3 below, South African respondents (together with
French respondents) perceived the greatest likelihood of e-fraud happening in
their organisations:

Figure 3:     e-Fraud - Perceived Likelihood of Occurrence
                                                              (KPMG, 2001:33)


2.1.1 Legislation against Cyber Crime in South Africa

The 2001 e.fr@ud survey found that South Africa had no cyber crime specific
laws in place (KPMG, 2001:35).

2.2   PROFILES OF CYBER CRIMINALS
The following kinds of cyber or computer criminals can be identified:
•    The outside hacker – with or without criminal objectives, with
     increasingly sophisticated skills and tools. Even attacks with no direct
     criminal action can cost a company millions e.g. hacking into a web
     server and disabling a website.
•    The computer technology insider – disgruntled employees or ex-
     employees using their knowledge of an organisation’s IT landscape to
     delete data, expose data publicly, or sell data to competitors. More
     insider attacks than outsider attacks are reported.
•    The white collar criminal – is situation-motivated and sees himself as a
     business or personal problem-solver rather than as a criminal. The white
     collar criminal generally begins his/her career trying to hide errors, solve
     financial problems, get a better job and survive a short-term business
     downturn e.g. a loyal and trusted employee in financial difficulties who
     sells sensitive information to a competitor.
•    The career criminal – is an organised criminal with significant skills,
     resources and high financial gain motivation who views computers as
     tools of the trade. He works hard at mastering the technology and using
     it to accomplish his goals just like any other professional and sometimes
     makes use of a young technology expert to do the work for him. The
     significant increase in both college students and unsophisticated fraud
     perpetrators seems to indicate that the Internet has become the first
     choice for thieves who, in another age, might have just been “petty
     shoplifters or locker room pickpockets”.
•     The political activist or terrorist – uses computer crime to make a
      statement, launder money or expose certain information, and can make
      use of a young technology expert to do the work (cf. UN 1994:7; Groebel
      et al., 2001:23-24; Centeno, 2002:15; Smith, 1999a:3; & Turnbull,
      2001:10).

2.3   PROFILES OF E-MERCHANTS WHO ARE AT RISK
According to Verisign (2001:2), Scutt (2001:7) and Centeno (2002:15), the
following e-merchant profiles are at greater risk of certain types of fraud than
others:
•     Smaller merchants without robust security defences. Inexperienced
      or small merchants with no or limited risk management tools can fall prey
      to criminals using sophisticated spidering techniques and intelligent
      agents to identify vulnerable points. Criminals use this information to
      break into networks and other ICT infrastructure in order to steal smaller
      merchants’ account access information for hijacking or merchant
      takeovers.
•     High-visibility merchants. It's a double-edged sword. Merchants need
      to be visible to attract customers, yet fraud attempts are higher on
      merchants who advertise heavily or those who are in the news.
      Criminals know that merchants who are experiencing higher than normal
      transaction volumes due to a special promotion or a news story have
      less time to defend themselves against fraud.
•     Larger merchants with high transaction volumes. However, given
      the increasing sophistication of fraud protection systems deployed by
      larger e-commerce merchants, smaller merchants with little to no
      protection are starting to become targets of fraud.
•     Merchants who sell high unit value goods, such as electronic items
      and luxury goods that can easily be resold or sold on on-line auctions.
•     Merchants hosting on-line auctions, which represent the vast
      majority of consumer complaints in the US.
•     Soft goods merchants - Merchants that sell digital contents or software
      that can be downloaded from the Internet. The purchase of these goods
      does not require physical address information e.g. a shipping address,
      making it easier for criminals to disguise a fraudulent transaction.
•     Merchants who sell internationally. It is difficult to validate the
      address or identity of foreign buyers, and it is more difficult to investigate
      fraudulent activity from an overseas source.
•     All merchants face an increased risk of fraud during the holiday season
      and special sales promotions. Criminals know that you have limited
      time for fraud protection measures when sales volumes are high. Sales
      double in the 4th quarter, while Internet fraud rates triple.
2.4   BEHAVIOURAL TRAITS ASSOCIATED WITH FRAUDULENT TRANSACTIONS
According to Experian (2000:7) the typical modus operandi of UK on-line
fraudsters using card not present (CNP) fraud is:

“Real name at real address but not the cardholder’s name”
      The fraudster gives a real name and address, which would be verified by
      a data source like the voters’ roll. The name and address were probably
      supplied to the voters’ roll for the purpose of fraud but the card number
      given matched a different name. This suggests inadequate procedures for
      linking the name, address and cardholder’s name.

“Cardholder’s name at real address but not the cardholder’s address”
      The fraudster gives a name that matches the account name but the
      address provided does not match the billing address. This again suggests
      that there needs to be a link between billing address and delivery
      address.

“False name at real address”
      This can only work where no reference is made to a data source like the
      voters’ roll when authorising the transaction.

“Cardholder’s genuine name and address but parcel delivered to another
address”
      This illustrates a dilemma faced by on-line retailers who despatch goods
      to an address other than the cardholder’s billing address. In many cases
      e.g. presents these transactions will be genuine, but the process clearly
      lends itself to extensive abuse by fraudsters, and is an easy way to
      defraud an on-line retailer.

       Table 1        Typical Modus Operandi of UK On-line Fraudsters
  Centeno (2002:15) Scutt (2001:6) & Visa (2002b:1) identify the following
  behavioural traits associated with fraudulent transactions:
  •   A first-time shopper performing more transactions than usual, using large
      order amounts, particularly when purchasing low-cost items
  •   Ordering several of the same item
  •   Attempting to make it hard to be traced by rushing orders (willing to pay
      a lot for expedited delivery), making overnight orders and shipping to
      Post Office boxes
  •   Using an anonymous or free e-mail address or free web-based e-mail
      address
  •   Requesting the use of a ‘bill to’ address that is different from the ‘ship to’
      address or international delivery address
  •   Using one single delivery address and multiple cards
  •   Using a single card to multiple delivery addresses
  •   Using multiple cards from a single IP address
  •   Acting as bogus merchants.
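The traits listed above, together with the name/address/cardholder linkage failures of Table 1, can be checked automatically at the moment an order arrives. The following is an added example written for this article, not code from the article or from Centeno, Scutt, Visa or Experian: a rule-based screen that scores each incoming order against those traits and holds it for manual review once the score passes a threshold. The Order fields, the weights, the hold threshold, the web-mail domain list and the sample orders are all assumptions constructed for illustration; the external name/address linkage check is represented by a single address_verified flag standing in for whatever source (voters’ roll, Postal Address File) the merchant uses.

```python
"""Rule-based screening of card-not-present (CNP) orders.

Added example, not code from the article or from any of the sources it cites.
It turns the behavioural traits of section 2.4 and the linkage failures of
Table 1 into weighted signals and returns a score together with the reasons
that fired, so a reviewer can see why an order was held. Orders, weights,
thresholds and the web-mail domain list are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed list of free / anonymous web-mail domains (not from the article).
FREE_MAIL_DOMAINS = {"hotmail.com", "yahoo.com", "gmail.com", "mail.com"}


@dataclass(frozen=True)
class Order:
    order_id: str
    email: str
    first_time_shopper: bool
    amount: float
    items: tuple                 # ((sku, quantity), ...)
    expedited: bool
    ship_to_po_box: bool
    bill_to: str
    ship_to: str
    card_token: str              # tokenised card reference, never the raw card number
    ip_address: str
    name_on_order: str
    cardholder_name: str         # name returned by the issuer / verification source
    address_verified: bool       # name + address pair found in an external data source


class OrderScreen:
    """Keeps cross-order state so 'one address, many cards' style traits are visible."""

    LARGE_ORDER = 500.0          # assumed threshold for a "large" first-time order
    HOLD_THRESHOLD = 5           # assumed score at which an order is held for review

    def __init__(self):
        self.cards_by_address = defaultdict(set)
        self.addresses_by_card = defaultdict(set)
        self.cards_by_ip = defaultdict(set)

    def screen(self, order):
        """Score one order; call once per incoming order, in arrival order.
        Returns (decision, score, reasons)."""
        self.cards_by_address[order.ship_to].add(order.card_token)
        self.addresses_by_card[order.card_token].add(order.ship_to)
        self.cards_by_ip[order.ip_address].add(order.card_token)

        hits = []   # (weight, reason)
        # --- behavioural traits from section 2.4 ---
        if order.first_time_shopper and order.amount >= self.LARGE_ORDER:
            hits.append((2, "first-time shopper placing a large order"))
        if any(qty > 1 for _, qty in order.items):
            hits.append((1, "several of the same item"))
        if order.expedited:
            hits.append((1, "rush / expedited delivery"))
        if order.ship_to_po_box:
            hits.append((2, "shipping to a Post Office box"))
        if order.email.rsplit("@", 1)[-1].lower() in FREE_MAIL_DOMAINS:
            hits.append((1, "free or anonymous web-mail address"))
        if order.bill_to != order.ship_to:
            hits.append((2, "bill-to address differs from ship-to address"))
        if len(self.cards_by_address[order.ship_to]) > 1:
            hits.append((3, "multiple cards delivering to one address"))
        if len(self.addresses_by_card[order.card_token]) > 1:
            hits.append((3, "one card shipping to multiple addresses"))
        if len(self.cards_by_ip[order.ip_address]) > 1:
            hits.append((3, "multiple cards used from one IP address"))
        # --- linkage failures from Table 1 ---
        if order.name_on_order.strip().lower() != order.cardholder_name.strip().lower():
            hits.append((3, "name on order does not match cardholder name"))
        if not order.address_verified:
            hits.append((2, "name/address pair not found in external verification data"))

        score = sum(weight for weight, _ in hits)
        decision = "hold for manual review" if score >= self.HOLD_THRESHOLD else "accept"
        return decision, score, [reason for _, reason in hits]


# Constructed sample orders (not real data).
SAMPLE_ORDERS = [
    Order("A1", "j.smith@example-corp.com", False, 80.0, (("SKU-1", 1),), False, False,
          "12 High St, Leeds", "12 High St, Leeds", "tok-A", "203.0.113.5",
          "J Smith", "J Smith", True),
    Order("B2", "buyer77@hotmail.com", True, 1200.0, (("SKU-9", 3),), True, False,
          "4 Mill Rd, Bristol", "Unit 7, Dock Lane, Hull", "tok-B", "198.51.100.9",
          "P Jones", "P Jones", False),
    Order("C3", "alex@example.org", False, 150.0, (("SKU-2", 1),), False, False,
          "Unit 7, Dock Lane, Hull", "Unit 7, Dock Lane, Hull", "tok-C", "198.51.100.9",
          "A Brown", "A Brown", True),
]


def run_samples(orders=SAMPLE_ORDERS):
    """Screen the samples in arrival order; returns {order_id: (decision, score, reasons)}."""
    screen = OrderScreen()
    return {o.order_id: screen.screen(o) for o in orders}


if __name__ == "__main__":
    for order_id, (decision, score, reasons) in run_samples().items():
        print(f"{order_id}: {decision} (score {score}) {reasons}")
```

The cross-order traits (one address with several cards, one card to several addresses, several cards from one IP address) only become visible when state is kept across orders, which is why the screen is an object rather than a pure function; in practice the sets would be kept per time window and the weights tuned against the merchant’s own charge back history. Order C3 in the sample is clean on its own but is held because it shares a delivery address and an IP address with the earlier suspect order B2.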
3   E-FRAUD AND ITS EFFECTS ON THE SMALL E-MERCHANT

e-Merchants (the owners of e-business websites) are exposed by codes of
conduct and legislation that have been put in place to stimulate public trust in
and uptake of e-business:
•    Proof of Shipping. E-merchants are generally obliged, by their
     merchant agreement with the bank, to provide proof of shipping before
     funds are released into their bank accounts i.e. they have to have
     shipped the product or inventory to the consumer before the transfer of
     funds takes place (Mann, 1999:47).
•    Card not Present Transaction. At the same time, on-line transactions
     are considered "card not present" (CNP) transactions since the card was
     not swiped through a point of sale (POS) and the identity of the
     cardholder could not be verified in person. “Card not present”
     transactions imply that should a dispute arise between the cardholder
     and the merchant i.e. the cardholder alleges that he never made the
     transaction, the card company will refund or charge back the cardholder
     in full (with minimal investigation and for a period of 180 days or 6
     months after the transaction date) whilst deducting the whole amount
     from the merchant as well as deducting a penalty payment from the
     merchant (Mann, 1999:14; Experian, 2000:7).
•    Charge backs. The issue of charge backs is highly sensitive to on-line
     retailers, and it is difficult to assess the true extent of the problem. In the
     case of a fraudulent transaction, the e-merchant loses everything: the
     transaction amount gets withdrawn from his merchant account, a penalty
     charge is levied and since the product has been shipped and delivered,
     the e-merchant suffers the loss of inventory as well as the shipping costs
     associated with the fraudulent transaction. In some cases, on-line
     retailers will actually meet the cost of fraud personally to avoid higher
     charge backs and the risk of losing their merchant’s licence. As
     portrayed in Table 2 below, 48% of UK Internet retailers admitted to
     0.5% charge back as a result of Internet fraud; 8% said their level was up
     to 1%; and 20% said that their level was in excess of 1% of total
     transactions. However, a significant proportion (23%) refused to give an
     answer to this particular question (Experian, 2000:7).

                    Charge backs as a      UK Internet Retailers
                   Percentage of Total
                      Transactions
                   Up to 0.50%             48%
                   1.00%                    8%
                   1.50%                    3%
                   2.00%                    3%
                   3.00%                    3%
                   4.00%                    2%
                   4.50%                    2%
                   5.00%                    2%
                   5-10%                    2%
                   10%+                     3%
                   Refused to say          23%
Table 2:   Charge Backs as a Percentage of Total UK On-line
                      Transactions
                                              (Experian, 2000:7)

The UK Association for Payment Clearing Services (APACS) reported in their
2000 annual review that the major growth areas for card crimes were in
counterfeit and card not present (CNP) fraud, which were largely responsible
for the steep increases in 2000 losses suffered by the UK merchants and
financial services industry (Apacs, 2001:23; Experian, 2000:7). Figure 4
below indicates that CNP and counterfeit card fraud made up a total of 55% of
all fraud suffered in the UK. The effect of e-fraud on this trend is clearly
visible in the exponential growth of these fraud categories in the preceding
decade:




 Figure 4:    Detailed Breakdown of Credit Card Fraud in the UK for the
                              year 2000
                                                            (Apacs, 2001:20)

For the year 2002 Apacs (2003a:18) reported that card not present (CNP)
fraud, fraud committed via mail order, telephone and the Internet continued to
grow (a 6% increase in 2 years if Figure 4 above is compared with Figure 5
below). Apacs (2003a:18) initiated a CNP Fraud Strategy Project that
involves the development of sector-based forums of high-risk merchants
alongside key banking members. The main objectives include developing
best practice material and considering effective, legal forms of data sharing.

[Figure 5: pie chart “2002 Fraud Losses by Category”: Counterfeit Card 35%;
 Lost / Stolen 26%; CNP / Fraudulent Possession of Card Details 26%;
 Mail Non-receipt 9%; Application Fraud 2%; Other 2%]


 Figure 5:    Detailed Breakdown of Credit Card Fraud in the UK for the
                              year 2002
                                                              (Apacs, 2003a:18)

Experian (2000:5) found that 77% of on-line retailers in the UK took orders
over the phone as well as the Internet; 13% took orders over the Internet only
and 10% took orders only over the phone, directing on-line shoppers to a toll
free number. On a general note, the overwhelming majority (96%) said that
they conducted business on-line with card not present (CNP) transactions,
and 95% said that their goods were of interest to thieves.




  Figure 6:     The Exponential Growth of Counterfeit and CNP Fraud
(attributable to the effects of e-fraud) in the UK during the decade 1991-
                                     2000
                                                               (Apacs, 2001:19)

3.1   THE COSTS OF E-FRAUD

•    Golub (2003:11) estimated the loss to e-merchants in terms of higher
       fees, charge backs, bank charges and loss of inventory, etc. as a result
       of the above three points to have been on average 7% of an e-
       merchant’s turnover in 2002. Verisign (2001:1) details the losses of an
       e-merchant who processes a fraudulent on-line transaction as:
       o     Higher discount rate on merchant account. Because of the
             higher prevalence of e-fraud, discount rates for on-line transactions
             are typically 30 to 60 per cent higher than off-line or "brick and
             mortar" rates.
       o     The merchant carries the financial loss of a fraudulent on-line
             transaction. According to CyberSource (2002:7), 31% of UK
             merchants did not know they were liable for losses incurred as a
             result of CNP fraud. Many were of the misconception that the
              credit card company, bank or shopper would pick up the cost.
       o     Inventory loss and shipping costs for physical goods that are
             fraudulently purchased and delivered are also carried by the
             merchant.
       o     Charge back penalties assessed by the acquiring bank of
             US$15-US$30 per fraudulent transaction. In the UK, 20 per cent of
             UK business-to-consumer retailers are paying charge back fees in
             excess of one per cent of sales (Experian, 2000:8).
       o     Increased discount rates assessed to the merchant as a result of
             processing fraudulent payments.
       o     Labour cost for the merchant to investigate and resolve the charge
             back.
       o     Higher administration costs on orders due to staff spending
             more time to screen orders. This may include calling the customer
             and confirming the order (CyberSource, 2002:8).
       o     Fines and cancellation of merchant's account. Five- to six-figure
             card association fines or the cancellation of a merchant's account
             when card fraud rates are consistently high (cf. also Weber,
             2001:8).
  •    Rejection of non-fraudulent transactions due to fear of fraud. In
       addition, according to Gartner Group estimates, merchants reject an
       estimated 5% of all transactions out of suspicion of fraud, while only 2%
       of transactions are actually fraudulent. The result is a significant amount
       of lost sales (up to 3% of sales volume) in an attempt to reduce fraud risk
       (Verisign, 2001:1). Grant (2002:1) reports that 7% of on-line sales are
       rejected for potential fraud but just 1.13% are actually fraudulent.
  •    Non-completion of transactions due to lack of consumer trust. On
       an industry-wide level, it is also alarming that 23% of potential on-line
       shoppers do not complete a transaction because of fear and not wanting
       to enter their personal details on-line (Gobulev, 2003:3).
  •    Scutt (2001:5) summarises the cost of e-fraud as follows:

Cost of losing “valid” orders        o Loss of order
                                     o Loss of customer loyalty
Cost of managing fraudulent orders   o Manually resolving bad transactions
                                       (estimated at up to £40/order)
Bank and Card Processor fees         o Higher discount rates
                                     o Charge back fees
                                     o Fines
                                     o Termination of service for excessive
                                       charge backs
Cost of goods sold                   o Merchants are 100% liable for mail order
                                       telephone order (MOTO) transactions
                       Table 3:      The Costs of e-Fraud

  From the above it is clear that some e-merchants stand to lose up to 10% of
  their turnover (and a much higher percentage of their profit, if any) to fraud-
  related costs (up to 7%) and the cost of rejecting sales in order to prevent e-
  fraud (up to 3%). This figure could be reduced by up to one third (4% of
  turnover) if a way could be found to improve the basis for rejecting potentially
  fraudulent transactions.
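The 7% and 3% figures above describe a trade-off: every order refused out of suspicion forgoes its margin, and every fraudulent order accepted costs the goods, the shipping, the charge back penalty and the staff time. The following added example (written for this article, not the article’s own, Gartner’s or Verisign’s code) shows one way to improve the basis for rejection: compare the expected cost of accepting with the expected cost of refusing for each order, so that the cut-off follows from the merchant’s own loss figures rather than from a fixed level of suspicion. The CostModel values, the sample orders and their fraud probabilities are constructed assumptions; the probability is taken to be the output of some prior screening step.

```python
"""Expected-cost basis for accepting or refusing a suspicious CNP order.

Added example, not from the article or its sources. It puts the cost items of
section 3 (charge back penalty of US$15-30 per fraudulent transaction, manual
resolution of up to 40 per bad order, loss of goods and shipping, margin
forgone when a genuine order is refused) into one expected-cost comparison.
Cost figures and order data are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CostModel:
    cogs_ratio: float = 0.60          # cost of goods as a fraction of sale price (assumed)
    shipping_cost: float = 8.0        # assumed per-order shipping cost
    chargeback_penalty: float = 25.0  # acquiring-bank penalty, inside the quoted 15-30 range
    resolution_cost: float = 40.0     # manual handling of a bad order (Table 3: up to 40/order)


DEFAULT_MODEL = CostModel()


def loss_if_fraud(amount, model=DEFAULT_MODEL):
    """Out-of-pocket loss when a fraudulent order is accepted and shipped.
    The sale amount itself is charged back, so the merchant is left holding the
    cost of the goods, the shipping, the penalty and the staff time."""
    return (amount * model.cogs_ratio + model.shipping_cost
            + model.chargeback_penalty + model.resolution_cost)


def loss_if_refused(amount, model=DEFAULT_MODEL):
    """Margin forgone when a genuine order is refused (loyalty loss not quantified)."""
    return amount * (1.0 - model.cogs_ratio)


def break_even_probability(amount, model=DEFAULT_MODEL):
    """Fraud probability above which refusing costs less than accepting:
    p * loss_if_fraud > (1 - p) * loss_if_refused  <=>  p > M / (M + L)."""
    margin = loss_if_refused(amount, model)
    return margin / (margin + loss_if_fraud(amount, model))


def should_refuse(amount, fraud_probability, model=DEFAULT_MODEL):
    return fraud_probability > break_even_probability(amount, model)


def portfolio_costs(orders, model=DEFAULT_MODEL, fixed_threshold=None):
    """Expected fraud loss and expected refused genuine sales, each as a fraction
    of attempted turnover. orders: iterable of (amount, estimated fraud probability).
    With fixed_threshold=None the per-order break-even rule decides; otherwise
    every order whose probability exceeds the fixed cut-off is refused."""
    turnover = fraud_loss = refused_sales = 0.0
    for amount, p in orders:
        turnover += amount
        refuse = (p > fixed_threshold) if fixed_threshold is not None \
            else should_refuse(amount, p, model)
        if refuse:
            refused_sales += (1.0 - p) * amount          # genuine sales turned away
        else:
            fraud_loss += p * loss_if_fraud(amount, model)
    return fraud_loss / turnover, refused_sales / turnover


# Constructed sample: (order amount, fraud probability from a prior screening step).
SAMPLE_ORDERS = [(100.0, 0.01), (250.0, 0.05), (80.0, 0.40), (500.0, 0.30), (60.0, 0.02)]

if __name__ == "__main__":
    print("break-even p for an order of 100:", round(break_even_probability(100.0), 3))
    for label, threshold in (("break-even rule", None), ("fixed 5% cut-off", 0.05)):
        fraud, refused = portfolio_costs(SAMPLE_ORDERS, fixed_threshold=threshold)
        print(f"{label}: fraud loss {fraud:.1%} of turnover, "
              f"refused genuine sales {refused:.1%} of turnover")
```

Run stand-alone, the break-even rule refuses only the 80-unit order in the sample, while a fixed 5% cut-off also refuses the 500-unit order and turns away far more genuine sales than it saves in fraud loss. The penalty and resolution figures in CostModel are placeholders taken from the ranges quoted above and should be replaced with the merchant’s own acquiring-bank terms and handling costs; the margin figure is where a small e-merchant’s thin profit makes the break-even probability low.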

  According to Experian (2000:6), UK Internet retailers had a low take up of
  automated fraud detection systems, which suggested that products were
  scarce or not being used, if available. This suggested that automated
  solutions were too expensive. Fifty-five (55) per cent of these retailers
  employed manual fraud detection systems and only 15% used automated
  systems. Just over half (52%) said that they used external data to verify
  either the name or the address of the shopper. Of the number that used
  external information sources, 61% said they used the Postal Address File,
  which verified that an address was genuine but did not link address to name.
  Thirty-nine (39) per cent used the voters’ roll to verify name and address links;
  29% used a telephone CD or bureau service to verify phone numbers and just
  12% checked with a Card Hot List (APACS) to see whether the card number
  belonged to a stolen credit card. Only 25% of UK Internet merchants asked
  for a work e-mail address alongside a home e-mail address for added
  verification when taking an order. When asked what fraud solutions were
  most needed, the majority (63%) identified an urgent requirement for instant
  on-line personal identity verification systems that check both name and
  address and link cardholder details to a billing address. Many mentioned that
  more was required from the banks and card issuers to ensure that this
  requirement was met.

  A significant finding of Experian’s (2002:8) research on fraud amongst UK
  Internet merchants was the lack of sophistication in the modus operandi of
  Internet fraudsters. It appears that verification systems are so inadequate that
  fraudsters need make little effort to cover their tracks. In the experience of
  most on-line retailers, around 10% of fraud takes place with a re-direction
  service at the end of it and only 10% of fraud occurs with the fraudster having
  opened a telephone account in a false name.

  Another issue relates to the time delay in identifying that a fraud has been
  committed. In this respect, the majority of fraud becomes apparent after six
weeks. Thirty-three (33) per cent of companies said that it took over two
months (eight weeks+) before they were notified that they had been victims of
a fraud; and 18% said that it took between four and seven weeks. During this
time, their site was vulnerable to repeat attacks. Interestingly, although the
majority said that fraudsters tended to hit once on average, a sizeable number
said that they had been hit twice, and 18% said that they were hit on average
three times by the same fraudster before the fraud was detected. In fairness,
the time delay is often due to the fact that the genuine cardholder has yet to
open his/her monthly statement and report “unknown transactions” to the
issuer. (Experian, 2000:8).

With regard to overseas trading, Experian (2000:9) reports that UK Internet
merchants found it difficult to authenticate overseas customers. The most
common response from those merchants who traded overseas was the lack
of data available to verify whether a name and address provided by a
customer was genuine (33% of all companies).

The responses to the question about what problems companies faced when
trying to establish whether a customer was genuine, can be summarised as
follows:

            Don’t accept non-UK customers or conduct business overseas.   45%
            No way of finding whether an overseas customer is genuine
            through absence of effective databases.                       33%
            Have problems identifying the card issuer.                    22%
                  Table 4      Verifying Overseas Orders

Experian (2000:9) found a clear reluctance among UK Internet merchants to
trade with non-UK customers. Sixty (60) per cent of UK Internet merchants
said that only 10% of their Internet business was conducted with overseas
customers; 12% said it was between 11% and 20% (see table below):

                            0-10%       60%
                           11-20%       12%
                           21-30%       08%
                           31-40%       02%
                           41-50%       05%
                           51-60%       02%
                           61-70%       02%
                           71-80%       02%
                           Don’t know   03%
                           None         05%
              Table 5      Trading with Overseas Customers

Looking at fraud levels, there was a clear indication that overseas business
was more prone to fraud. Twenty-six (26) per cent of the sample said that up
to 10% of non-UK card transactions were fraudulent; 13% thought it was
between 11 and 20%; and 22% didn’t know the answer (Experian, 2000:9).

Less than half (43%) of those surveyed reported any fraud to the police and
more than half (57%) of those who did encountered a ‘lack of interest’ from
the police. More worrying is that a prosecution was set in motion in only 9%
of the cases reported to the police. In 12% of cases the businesses tried to
recover the defrauded money themselves, most of them opting for a debt
recovery agent (Experian, 2000:13).

3.2   E-FRAUD PREVENTION

Due to the impact of e-fraud on consumer trust and the complexity of legal
prosecution, more and more emphasis will be placed on fraud prevention as
the first step in reducing fraud. Apart from the criminological and legal
aspects of e-fraud prevention (e.g. laws with stricter penalties, police having
specialised units to track down cyber criminals), two main categories of e-
fraud prevention can be recognised:
a.     The technological and process-related or hard measures of e-fraud
       prevention
b.     The human or soft measures of e-fraud prevention (cf. Centeno,
       2002:21; Smith, 1999a:7; Smith, 2000:18; Smith, 2002:5).


3.2.1 Hard Measures of e-Fraud Prevention

Different “hard” or technology-based security measures are proposed by card
companies and banks to address the on-line payment fraud risks consumers
and merchants face. These measures aim to provide data confidentiality and


integrity, consumer and merchant authentication for each individual
transaction. Payment schemes are promoting security standards and best
practice to increase information security at banks, merchants and service
providers. The protection of consumers’ PCs is also increasingly stressed.
Often overlooked, the consumers’ PC vulnerability is considered one of the
major security threats by some security experts (Centeno, 2002:21).




          Figure 7:     Comparison of Fraud Prevention Methods
                                                        (CyberSource, 2002:8)


3.2.2 Soft Measures of e-Fraud Prevention

Recognising the importance of the human factor in building security, special
attention is paid to non-technology based or “soft” measures since humans
themselves may be the weakest link in securing information systems. The
strongest cryptography will not help if a user compromises the password
(Centeno, 2002:22). Three main groups of role players would need to be
made aware of and educated about the risks of e-fraud:

3.2.2.1 Organisations and Service Providers
Perhaps the greatest risk of fraud to an organisation lies within its own staff.
Smith (1999b:4) reports that fraud is most often carried out by employees,
particularly at senior management level. The administration of modern
technologically-based security systems involves a wide range of personnel
from those who manufacture security devices to those who maintain sensitive
information concerning passwords and account records. Each has the ability
to make use of confidential information or facilities to commit fraud or, what is
more likely to occur, collude with people outside the organisation to perpetrate
an offence.




The following appear as key building blocks to reduce e-fraud at service
    providers:
    •    Awareness of security risks at all organisational levels
    •    Education of employees and end-users
    •    Good internal security managerial, organisational and operational
         policies and procedures
    •    Screening and monitoring of employees (Centeno, 2002:23; Smith,
         1999b:3).

    The table below presents common general security mistakes that people
    commit in relation to computer security:

User Security Mistakes
•   Opening unsolicited e-mail attachments, without verifying the source or
    checking the content
•   Failing to install security patches (especially Microsoft Office, Internet Explorer
    and Netscape)
•   Installing screen savers or games from unknown sources
•   Not making and testing backups
•   Using a modem while connected through a LAN
•   Writing down passwords or even storing passwords in password files
•   Leaving the machine on and unattended and leaving laptops unsecured and
    unattended
•   Poor password selection
•   Talking (about confidential data like passwords)
•   Failing to do transaction monitoring. Transaction monitoring software that
    can automatically screen all transactions and report suspicious transactions
    via an electronic alert is available (cf. Centeno, 2002:23; KPMG, 2000:15;
    Smith, 1999:5).

Senior Management Security Mistakes
•     Assigning unscreened and untrained people to security maintenance and
      providing neither training nor time to learn
•     Failing to see the consequences of poor security. Senior managers, system
      and network operators in the private sector spend only as much on security
      as they can justify on business grounds, which may be much less than the
      business needs. The same is true of government agencies that must work
      within budget constraints
•     Failing to deal with the operational aspects of security i.e. following up fixes
•     Relying primarily on a firewall for security
•     Failing to realise how much money the business information and
      organisational reputation are worth
•     Authorising reactive short-term fixes so that problems re-emerge rapidly
•     Pretending problems will go away if they are ignored


•      Not putting the correct policies and procedures to manage fraud in place
•      Failing to do pre-employment integrity screening on relevant employees and
       failing to institute red flag integrity screening of relevant employees during
       employment
•      Failing to keep all personal information in locked files and establish secure
       procedures for data services and failing to encrypt all personal and
       confidential information on computers
•      Failing to secure methods for disposing of personal information
•      Failing to appoint a 3rd party to carry out privacy audits/investigations that
       gauge how vulnerable records are to theft
•      Failing to verify the professional qualifications and integrity of 3rd party
       service providers or potential partners
•      Failing to limit the use of personal identifiers (Centeno, 2002:23; KPMG,
       2000:8; Experian, 2002:7; Smith, 1999b:5; CSTB, 2002:6; Urban, 2003:21)
                     Table 6:      Common Security Mistakes


    3.2.2.2 Consumer Awareness
    Consumers can play a significant role in reducing merchant fraud risk by
    playing an active role and adopting a cautious attitude when shopping on-line.
    Recommendations for fraud prevention are:
    •    Verify the merchant’s identity, company information (name, physical
         address and phone number) and use of codes of conduct or trust marks.
         Check the seller’s reputation (in online auctions)
    •    Be suspicious about very advantageous deals from free e-mail
         addresses
    •    Check whether secure socket layer (SSL) protocol is used for data
         protection
    •    Check the company’s security policies and tools used, in particular the
         privacy policy and how personal details may be used
    •    Look for insurance for buyers
    •    Pay on delivery or with a credit card as this generally provides refund
         rights
    •    Ask the bank for a random card number option
    •    Keep a trace (e-mail), print the order screen, the terms and conditions
         and any communication with the merchant
    •    Update your virus protection software regularly and when a new virus
         alert is announced in the media
    •    Do not download files or click on hyperlinks sent to you by people you
         don’t know
    •    Use a firewall program
    •    Use a secure browser
    •    Always log off and close Web browsers after on-line transactions



•    Be careful with programs where merchants or entities want to remember
     your purchase data and allow you to use it again (e.g. cookies) OR
     server-based payment wallets
•    Do not store any financial data on your personal computer
•    Before you dispose of an old computer, delete all personal information
•    Avoid using easily available information as a password (cf. Centeno,
     2002:24; Experian, 2002:7; Urban, 2003:18).

Finally, consumers also have a significant role to play in identifying fraud
promptly by analysing their bank and card service provider’s statements in
detail. Faster fraud detection can contribute to fraud prevention by blocking a
lost, stolen or counterfeited card or other stolen identity data, and by
identifying a fraudulent merchant or a fraud pattern (Centeno, 2002:24).


3.2.2.3 Merchant Awareness
The contribution merchants can make to fraud prevention by screening
fraudulent transactions is often overlooked. The lack of consumer
authentication by issuer banks, combined with merchants’ liability for
fraudulent credit card transactions, has motivated the development of
merchant-based authentication solutions, thereby reducing on-line fraud by
between 66% and 80%.

These solutions sometimes combine “hard” and “soft” measures. They
include address validation (in the US and the UK), on-line authorisation,
customer follow-up (e-mail confirmation, etc.), customer history database
consultation, fraud scoring systems, customer data format and content
editing, rejecting orders with incomplete information, proof of delivery to the
verified billing address, domain site check, application of additional measures
for high risk purchases (call customer, ask for issuer bank and phone number,
ask for exact name on credit card), stating on the website that anti-fraud
measures have been put in place, etc. (Centeno, 2002:24)

Merchant awareness and education is thus important and, to support it, some
US organisations have been identified that provide merchants with information
on fraud types, statistics and best practices (cf. Antifraud.com, Scambusters.org).

Merchants can do the following to combat the incidence of e-fraud:
•   Prevent errors
          – Prevent duplicate purchases
          – Use pick-lists, where feasible, on the order form
•   Collect complete customer billing/shipping information plus phone
    number and e-mail address for additional fraud screening and to facilitate
    follow-up communication with the customer
•   Establish a process for reviewing suspicious orders
•   Examine your charge backs to uncover any gaps to be closed with new
    rules
•   Create negative files to prevent repeat offenders


•    Create positive files to maintain customer loyalty
•    Inform your customers of the company name that will appear on their
     statements so the customers are not surprised.
                                                        (Scutt, 2001:26, 27).

Risk management is effective if it reliably protects the organisation's business
goals, assuming that the goals are achievable and sustainable. It is efficient if
it does this at the lowest sustainable long-term cost. A framework or model
needs to encompass both of these measures i.e. of effectiveness and
efficiency if it is to be truly useful. To do this well, an organisation needs to be
good at:
•     Defining and articulating its sustainable business goals, and
      understanding how these goals are achieved
•     Identifying and assessing risks that could prevent these business goals
      from being achieved
•     Controlling these risks to the extent that they do not threaten the
      achievement of the business goals
•     Making financial provision for these risks so that financial losses do not
      threaten the achievement of the business goals
•     Ensuring, over time, that the business goals continue to be reliably
      protected at the lowest overall cost (Caragata, 1997:54).

Potential risks can be dealt with in two different but complementary ways:
•   One approach is to apply risk control techniques to mitigate the negative
    impact that these risks might impose on the business goals by reducing
    the potential frequency and/or severity of events that might result in
    unacceptable loss. This approach includes setting up a business early
    warning system.
•   The second approach, i.e. loss funding, ensures that these losses are
    adequately funded when they do occur and that cash flows and balance
    sheets are sufficiently protected (Caragata, 1997:55).


3.2.3 Risk Management Tools Available to Merchants to Combat e-Fraud

The following risk management tools can be employed to protect merchants
against e-Fraud:

3.2.3.1 Hot Lists
One of the first checks a merchant should put in place on his website or at his
call centre is an internal hot list.
•     Any person who carries out a fraudulent activity that results in a charge
      back will have his/her details entered on the hot list. When the fraudster
      returns to the site and presses the ‘buy’ button to make a purchase,
      his/her personal details will be forwarded to the hot list and the
      transaction will be blocked. Hot lists are not an effective deterrent to
      fraud on their own. They can only stop repeat offenders from attacking
     merchants’ websites and call centres and are incapable of detecting first-
     time fraudsters. And they are frequently out of date – fraudsters’ details
     only become available when the merchant receives a charge back, which
     can take up to 90 days to arrive (CyberSource, 2002:8).
•    The hot list service of a professional credit bureau can generally be
     accessed at a cost. These lists are more accurate and may also provide
     protection against fraudsters attempting to defraud a merchant for the
     first time.

3.2.3.2 Negative / Positive Files
All Internet merchants should create and maintain:
•     Negative Files that store all the attributes (e.g. name, address, card, etc.)
      of orders that resulted in charge backs or were blocked because of
      attempted fraud.
•     Positive Files in order to recognise “trusted customers” based on their
      name, address, card, etc. and therefore skip fraud checks (Scutt,
      2001:16).
•     Negative and Positive files have the benefit of defending the merchant
      against repeat offenders. Orders from good customers can be identified
      and processed swiftly. Negative and Positive files can be used as the
      basis for automatic approval/decline.
•     One drawback of Negative Files is that fraudsters rarely come back after
      being caught out. Good customers’ card numbers that were used in
      fraud attacks can become embedded in a negative file (Scutt, 2001:17).

3.2.3.3 Velocity Checks
Most merchants will use a velocity check to back up a hot list.
•    Whereas a hot list is used to target known criminals, velocity checks are
     designed to identify fraudsters before they have a chance to act.
     Retailers will be looking at two patterns of on-line purchasing behaviour –
     velocity of use and velocity of change – to detect potential fraudsters.
     Velocity of use covers instances when criminals use fraudulently
     obtained credit card details to make multiple purchases on one site in the
     shortest possible time. Systems that check for velocity of use will note
     how often a certain e-mail address, credit card number or phone number
     has been used over a certain period to obtain goods. It will then block
     further suspect purchases. Systems that check for velocity of change
     search for instances where one detail on a credit card – for instance the
     expiry date – has been changed repeatedly to enable the fraudster to
     make purchases. Some criminals will have obtained customers’ credit
     card numbers over the Internet using a card generator. These systems
     cannot provide fraudsters with expiry dates so the criminal circumvents
     the problem by manually inputting different dates again and again until
     he gets the right one. Merchants can use software solutions on their
     servers to identify this type of behaviour (CyberSource, 2002:8).
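To make the two velocity patterns concrete, here is an added example (not from the article or any product it cites) that keeps a 24-hour sliding window per e-mail address, card and phone number and flags velocity of use and velocity of change; the limits, the window and the sample orders are all constructed:

```python
"""Velocity-of-use and velocity-of-change checks over a stream of orders.

Added example, not from the original article or any vendor product.  The
orders, identifiers, limits and the 24-hour window below are constructed for
illustration; a merchant would tune them against its own order history.
"""
from collections import defaultdict
from datetime import datetime, timedelta

USE_LIMIT = 3                  # orders per e-mail / card / phone inside the window
CHANGE_LIMIT = 2               # distinct expiry dates tried on one card
WINDOW = timedelta(hours=24)


class VelocityChecker:
    """Keeps a sliding-window history per identifier and flags bursts."""

    def __init__(self, use_limit=USE_LIMIT, change_limit=CHANGE_LIMIT, window=WINDOW):
        self.use_limit = use_limit
        self.change_limit = change_limit
        self.window = window
        self.uses = defaultdict(list)      # (field, value) -> [timestamps]
        self.expiries = defaultdict(list)  # card -> [(timestamp, expiry)]

    def _prune(self, entries, now, stamp=lambda e: e):
        """Drop entries older than the window (in place)."""
        cutoff = now - self.window
        entries[:] = [e for e in entries if stamp(e) >= cutoff]

    def check(self, order):
        """Record the order and return its velocity flags (empty list = clean)."""
        now, flags = order["time"], []
        # Velocity of use: the same e-mail, card or phone buying repeatedly.
        for field in ("email", "card", "phone"):
            hist = self.uses[(field, order[field])]
            hist.append(now)
            self._prune(hist, now)
            if len(hist) > self.use_limit:
                flags.append(f"velocity_of_use:{field}")
        # Velocity of change: one card presented with ever-changing expiry dates,
        # the trace left when the date for a generated number is being guessed.
        exp = self.expiries[order["card"]]
        exp.append((now, order["expiry"]))
        self._prune(exp, now, stamp=lambda e: e[0])
        if len({e[1] for e in exp}) > self.change_limit:
            flags.append("velocity_of_change:expiry")
        return flags


def screen(orders, checker=None):
    """Feed orders (in time order) through a checker; map flagged id -> flags."""
    checker = checker or VelocityChecker()
    flagged = {}
    for o in orders:
        flags = checker.check(o)
        if flags:
            flagged[o["id"]] = flags
    return flagged


T0 = datetime(2003, 7, 1, 9, 0)


def _order(oid, minutes, email, card, phone, expiry):
    return {"id": oid, "time": T0 + timedelta(minutes=minutes), "email": email,
            "card": card, "phone": phone, "expiry": expiry}


# Constructed sample: orders 1-4 are one card cycling through expiry dates
# behind fresh e-mail addresses; 5-7 are a genuine repeat buyer; 8 is the
# same card a day later, after the window has emptied.
SAMPLE_ORDERS = [
    _order(1, 0, "a@mail.test", "CARD-A", "555-0101", "05/05"),
    _order(2, 5, "b@mail.test", "CARD-A", "555-0102", "06/05"),
    _order(3, 10, "c@mail.test", "CARD-A", "555-0103", "07/05"),
    _order(4, 15, "d@mail.test", "CARD-A", "555-0104", "08/05"),
    _order(5, 60, "a@mail.test", "CARD-B", "555-0101", "01/06"),
    _order(6, 120, "a@mail.test", "CARD-B", "555-0101", "01/06"),
    _order(7, 180, "a@mail.test", "CARD-B", "555-0101", "01/06"),
    _order(8, 30 * 60, "e@mail.test", "CARD-A", "555-0105", "09/05"),
]

if __name__ == "__main__":
    for oid, flags in screen(SAMPLE_ORDERS).items():
        print(oid, flags)
```

Note that the genuine repeat buyer (orders 5 to 7) also trips the velocity-of-use limit, which is why such flags should route an order to review rather than to an automatic decline.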




3.2.3.4 Address Verification System (AVS)
Originally designed for mail order and telephone environments, AVS allows
for the verification of the billing address details provided by the purchaser with
the actual billing address details held on file by the cardholder’s issuing bank.
•     This real-time check is carried out as part of the authorisation process
      and a response, based on the validity of the address provided, is
      returned to the merchant. Although not foolproof – as many as 75 per
      cent of orders receiving a ‘no match’ reading with AVS are valid – this
      check will allow merchants to better control fraud exposure through the
      knowledge that the billing address given by the consumer can be verified
      as genuine for that card (CyberSource, 2002:8).

3.2.3.5 Card Verification
•    Card verification is a system introduced by several card issuers to assist
     the acquiring bank, issuing bank and merchant in validating CNP
     transactions. The check is based on three or four additional digits,
     distinct from the account number, that are printed on the front or back of
     the card. They do not appear in either the magnetic stripe or chip.
     These digits help to validate the card as genuine and to assist in
     determining that the purchaser is actually in possession of the physical
     card. As a measure to reduce the risk of fraud, merchants can request
     these card verification digits on their website payment page or verbally
     as part of a telephone order (CyberSource, 2002:8).


3.2.3.6 Real-time Authorisation
Real-time authorisation:
     •    Validates that the card number is valid and that sufficient funds are
          available
     •    Validates the expiry date for the card (not all processors)
     •    Verifies the billing address for the card – AVS (in most cases, US
          only)
     •    Where available, verifies the CVV2/CVC2/CID (special 3 or 4 digit
          PIN code), passed by the merchant, against the code on file for that
          card (Scutt, 2001:14).
     The benefit of Real-time Authorisation is that there is no need to validate
     an order once it has been declined. Unfortunately real-time authorisation
     does not protect the merchant from charge backs (Scutt, 2001:15).




3.2.3.7 Rules / Exceptions
Rules are typically “If … then” expressions that flag certain types of
transactions for review prior to processing.
•    Examples:
                  o If the Amount is over 500 and the Shipping Type is
                      “express” to a shipping address that does not match the
                      billing address, then review the order before shipping.
                  o If more than 2 DVD Players were ordered, if the Shipping
                      Country is Romania, and the Shipping Type is “express”,
                      then review the order before shipping.
The benefit of Rules is that they allow the merchant to apply expert
knowledge relevant to the business. Rules are customisable and can be
modified as market conditions and fraud trends change. Rules make it easy
to determine why a transaction is flagged. The main drawback of rules is that
they require constant updating and monitoring to ensure that they are
effective. Rules are only as good as the people who build them and they are,
therefore, not effective at catching subtle patterns that may not be obvious to
the merchant (Scutt, 2001:20).

Use Any Boolean Expression
o =    equal to
o !=   not equal to
o <    less than
o <=   less than/equal to
o >    greater than
o >=   greater than/equal to

Use “*” as a wildcard

Combine statements with
o AND
o OR

Use Any Field in the Database
o Billing Address, City, Province, Postal Code
o Shipping Address, City, Province, Postal Code
o Credit Card Number
o Current Time, Day, Month, Year
o Item Count
o Quantity of a single item
o Total Cost of Order
o IP Address
o Item Serial Number
                                                              (Scutt, 2001:19).
                  Table 7:      Building Rules / Exceptions
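As an added example (not the article's own or any product's code), the following small engine builds rules from the operators, wildcard and combinators in Table 7 and encodes the two example rules from the text; the field names, rule syntax and sample orders are constructed:

```python
"""A small "If ... then review" rule engine built from the operators and
fields in Table 7.  Added example, not the article's own or any product's
code; the field names, the rule syntax and the sample orders are constructed.
The two rules below are the two examples given in the text.
"""
import fnmatch
import operator


def _eq(a, b):
    """Table 7's "=": on strings, "*" in the right-hand side acts as a wildcard."""
    if isinstance(a, str) and isinstance(b, str) and "*" in b:
        return fnmatch.fnmatchcase(a, b)
    return a == b


OPS = {"=": _eq, "!=": lambda a, b: not _eq(a, b),
       "<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge}


def evaluate(expr, order):
    """Evaluate a rule expression against one order.

    expr is a condition (field, op, value) or a combinator ("AND" | "OR",
    [sub-expressions]); combinators nest, so any Boolean shape can be built.
    """
    if expr[0] in ("AND", "OR"):
        results = [evaluate(sub, order) for sub in expr[1]]
        return all(results) if expr[0] == "AND" else any(results)
    field, op, value = expr
    if field not in order:           # a missing field never satisfies a condition
        return False
    return OPS[op](order[field], value)


def with_derived_fields(order):
    """Add ship_matches_bill so rules can compare the two addresses as one field."""
    o = dict(order)
    o["ship_matches_bill"] = all(o.get("ship_" + k) == o.get("bill_" + k)
                                 for k in ("address", "city", "postal_code"))
    return o


RULES = [
    ("amount over 500, express, shipping address differs from billing", ("AND", [
        ("total_cost", ">", 500),
        ("shipping_type", "=", "express"),
        ("ship_matches_bill", "=", False),
    ])),
    ("more than 2 DVD players, express, shipped to Romania", ("AND", [
        ("qty_dvd_player", ">", 2),
        ("ship_country", "=", "Romania"),
        ("shipping_type", "=", "express"),
    ])),
]


def screen_order(order, rules=RULES):
    """Names of the rules the order trips; an empty list means no review needed."""
    o = with_derived_fields(order)
    return [name for name, expr in rules if evaluate(expr, o)]


def _order(total, shipping, country, dvd, bill, ship):
    """bill and ship are (address, city, postal_code) triples."""
    o = {"total_cost": total, "shipping_type": shipping,
         "ship_country": country, "qty_dvd_player": dvd}
    for prefix, triple in (("bill", bill), ("ship", ship)):
        o.update(zip((prefix + "_address", prefix + "_city", prefix + "_postal_code"), triple))
    return o


LONDON = ("1 Main St", "London", "SW1A 1AA")
LEEDS = ("9 Other Rd", "Leeds", "LS1 1AA")
BUCHAREST = ("Str. Exemplu 1", "Bucharest", "010101")

SAMPLE_ORDERS = {  # constructed
    "A": _order(650, "express", "UK", 0, LONDON, LEEDS),               # trips rule 1
    "B": _order(300, "express", "Romania", 3, BUCHAREST, BUCHAREST),   # trips rule 2
    "C": _order(800, "express", "UK", 1, LONDON, LONDON),              # clean: addresses match
    "D": _order(300, "standard", "Romania", 3, BUCHAREST, BUCHAREST),  # clean: not express
}

if __name__ == "__main__":
    for key, order in SAMPLE_ORDERS.items():
        print(key, screen_order(order) or "no review")
```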


3.2.3.8 Statistical Models
Statistical models, like a risk scoring facility, are essentially “learn by example”
tools that test the transaction attributes of an incoming Internet order with
known fraudulent activity listed in the statistical model database. The output
of a statistical model is typically a risk score (e.g. 1-100). Statistical models
leverage historical and forensic data in order to catch new fraud attempts.
The risk score is determined by evaluating numerous factors simultaneously.
Subtle patterns that would normally be overlooked by the merchant will be
highlighted by the statistical model.
Unfortunately, most merchants do not have the ample, accurate, and cleansed
historical data required by a statistical model to provide accurate results.
Since multiple factors contribute to the risk score, it is sometimes difficult
to interpret the score (Scutt, 2001:22).




3.2.3.9 Hybrid Solution (Arsenal Approach)
A hybrid solution combines the attributes of the above strategies, for example:
•    Rules to enforce business rules or weed out blatantly fraudulent
     transactions
•    Real-time Authorisation to validate credit card number
•    Statistical Model to evaluate the overall risk
•    Rules to determine whether to Accept, Reject or Review the order
     (Scutt, 2001:24).

•    The overall return on investment (ROI) depends on many factors:
                 o Overall fraud rates
                 o Total volume of transactions
                 o Margin on transactions
                 o Cost to review order
                 o In-house risk management expertise.
•    A multi-tool (hybrid) solution typically leads to the highest ROI because
     better screening reduces the volume of orders to be reviewed (Scutt,
     2001:24).
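The following added example (not the article's or any vendor's code) runs the four hybrid stages of 3.2.3.9 and, for the third stage, a simple learn-by-example scorer of the kind described in 3.2.3.8. The charge-back history, incoming orders, feature names and thresholds are constructed, and the naive-Bayes style scoring is one possible instance of a statistical model, not the model of any product the text cites:

```python
"""Hybrid ("arsenal") screening: blunt rules, real-time authorisation result,
a learn-by-example risk score, then accept / reject / review thresholds.

Added example, not from the article or any product it cites.  The past orders
with their charge-back outcome, the new orders and all thresholds are
constructed.  The scorer combines per-attribute fraud rates naive-Bayes
style; several weak signals add up, but the resulting number is hard to
attribute to any single factor, the drawback the text names.
"""
import math
from collections import Counter

FEATURES = ("ship_country", "shipping_type", "email_domain", "ship_matches_bill")


class RiskScorer:
    """Scores 1-100 from how often each attribute value appeared in past fraud."""

    def __init__(self, history, alpha=1.0):
        self.alpha = alpha                      # Laplace smoothing for unseen values
        self.fraud, self.good = Counter(), Counter()
        self.n_fraud = sum(1 for o in history if o["fraud"])
        self.n_good = len(history) - self.n_fraud
        for o in history:
            tally = self.fraud if o["fraud"] else self.good
            for f in FEATURES:
                tally[(f, o[f])] += 1

    def evidence(self, f, v):
        """Log-likelihood ratio fraud:good contributed by one attribute value."""
        p_f = (self.fraud[(f, v)] + self.alpha) / (self.n_fraud + 2 * self.alpha)
        p_g = (self.good[(f, v)] + self.alpha) / (self.n_good + 2 * self.alpha)
        return math.log(p_f / p_g)

    def score(self, order):
        prior = math.log((self.n_fraud + self.alpha) / (self.n_good + self.alpha))
        logit = prior + sum(self.evidence(f, order[f]) for f in FEATURES)
        return max(1, min(100, round(100 / (1 + math.exp(-logit)))))


def blunt_rules(order):
    """Stage 1: reject orders no business should ship (constructed thresholds)."""
    if order["total_cost"] <= 0:
        return "non-positive amount"
    if order["quantity"] > 10:
        return "bulk quantity"
    return None


def hybrid_decision(order, scorer, review_at=40, reject_at=80):
    """Stages 1-4 of the hybrid approach; returns (decision, reason)."""
    reason = blunt_rules(order)
    if reason:
        return "Reject", f"rule: {reason}"
    if not order["authorised"]:            # Stage 2: real-time authorisation
        return "Reject", "authorisation declined"
    s = scorer.score(order)                # Stage 3: statistical model
    if s >= reject_at:                     # Stage 4: decision rules on the score
        return "Reject", f"risk score {s}"
    if s >= review_at:
        return "Review", f"risk score {s}"
    return "Accept", f"risk score {s}"


def _past(country, shipping, domain, match, fraud):
    return {"ship_country": country, "shipping_type": shipping,
            "email_domain": domain, "ship_matches_bill": match, "fraud": fraud}


HISTORY = [  # constructed charge-back history: 3 fraudulent, 7 good orders
    _past("RO", "express", "freemail.test", False, True),
    _past("RO", "express", "freemail.test", False, True),
    _past("US", "express", "freemail.test", False, True),
    _past("UK", "standard", "corp.test", True, False),
    _past("UK", "standard", "corp.test", True, False),
    _past("UK", "express", "corp.test", True, False),
    _past("US", "standard", "corp.test", True, False),
    _past("UK", "standard", "freemail.test", True, False),
    _past("US", "standard", "corp.test", False, False),
    _past("UK", "standard", "corp.test", True, False),
]
SCORER = RiskScorer(HISTORY)


def _new(country, shipping, domain, match, total=120, qty=1, authorised=True):
    o = _past(country, shipping, domain, match, None)
    o.update({"total_cost": total, "quantity": qty, "authorised": authorised})
    return o


NEW_ORDERS = {  # constructed incoming orders
    "blunt": _new("UK", "standard", "corp.test", True, qty=25),
    "declined": _new("UK", "standard", "corp.test", True, authorised=False),
    "lookalike": _new("RO", "express", "freemail.test", False),
    "mixed": _new("US", "express", "freemail.test", True),
    "regular": _new("UK", "standard", "corp.test", True),
}

if __name__ == "__main__":
    for name, o in NEW_ORDERS.items():
        print(name, *hybrid_decision(o, SCORER))
```

Only the "mixed" order reaches human review; the blunt rule and the declined authorisation stop their orders before any score is computed, which is the volume reduction the ROI argument relies on.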

E-business was hailed as the great equaliser a few years ago as it enabled
small merchants to compete on an equal footing with large multi-nationals
selling to a potential international client base. With regard to e-fraud and the
prevention of e-fraud the statistics and numbers above have shown that it is
becoming very difficult for smaller e-merchants to survive and remain
profitable if they cannot afford to subscribe to available fraud prevention
services that would allow more accurate screening of transactions.




4     THE FUNDAMENTALS OF PREDICTIVE FORENSIC PROFILING
4.1    THE PARETO PRINCIPLE
It is nearly a century since Vilfredo Pareto (1848 - 1923) defined what became
known as the Pareto principle (cf. Pareto 1906). Commonly known as the
80/20 rule, the Pareto principle describes the distribution of wealth in that, in
any population that contributes to a common effect, relatively few of the
contributors account for the bulk of the effect.

JM Juran was the first person to generalise the Pareto principle and apply it to
all areas of business as a means of focusing on the real problems or issues.
Juran, the father of quality control, coined the phrase 'the vital few and the
trivial many' that is regularly used to describe the Pareto principle. The Pareto
principle is generally used in conjunction with the Lorenz curve (and the Gini
Index) as a graphical representation of the actual deviation from an equal
distribution situation (cf. Lorenz, 1905.)

More recent research confirms that the Pareto principle is surprisingly
accurate in almost all industry verticals. The following trends can be found at
the bottom end of the customer base:
•    On average, 20% of a company’s customers contribute up to 85% of the
     profits whilst 40-50% of customers eliminate 50% of the profits
•    50-60% of all customers are marginal or unprofitable
•    Unprofitable customers account for 35-45% of activity costs
•    Unprofitable customers consume 25-55% of total resources
•    Very small unprofitable customers consume more resources than all
     profitable customers combined (cf. Buttle, 1999: 5; Caufield, 1999:4;
     Hales, 1995:30; Humbarger, 2002:5; Reichheld & Sasser, 1990:108).

The Pareto principle can be applied to three scenarios as far as the smaller e-
merchant is concerned:
   • 1. Reduce the number of good transactions rejected as a
      precaution. In an attempt to minimise fraud, e-merchants are refusing
      suspicious transactions worth between 5% and 7% of total turnover.
      Research indicates that, of those rejected, the fraudulent transactions
      amount to between 2% and 3% of total turnover. This leaves
      transactions to the value of 3% to 4% of total turnover that are actually
      good customers that were rejected as a precaution.
          o If 20% of the good customers that were rejected are responsible
             for 80% of the lost turnover, identifying only 0.4% to 0.6% of the
             rejected customers could add 2.5% to 4% of total turnover to the
             bottom line.
   • 2. Reduce the impact of the most damaging fraudsters. If 80% of
      fraud related losses can be ascribed to 20% of fraudulent customers,
      fraud rates could be dramatically reduced if we could reduce the
      amount of transactions from customers that fall into the 20% of
       fraudulent transactions category.
           o If we could find a way to reject orders from three quarters of the
              20% most damaging customers, fraud related losses could be
              reduced by 60%. If the fraud related losses of the average e-
              merchant are 7% of total turnover that would lead to an increase
              of 4.2% in total turnover.
   • 3. Increase the impact of the best customers. If 20% of good
       customers are responsible for 80% of total turnover, the early
       identification of such customers will help us to serve them faster and
       better, which will lead to greater customer satisfaction and sales
       revenue from this vital 20% of the customer base.

   If we do not take into account the benefit of serving the 20% of customers that
   account for 80% of turnover better, and only focus on reducing the amount of
   good orders that are rejected as well as reducing the impact of the worst 20%
   of fraudsters, the impact on an average e-merchant’s business could be the
   following:


                    Small e-Merchant with annual turnover of 300,000.00

  Scenario 1: Current Situation
Income                                                         300,000.00
      Sales                                                    300,000.00
Expenditure                                                    321,000.00
      Staff                                                     60,000.00
      Stock                                                    150,000.00
      Shipping                                                  40,000.00
      IT, Hosting, etc.                                         60,000.00
      Merchant Fees & Bank Charges                              11,000.00
Profit (-Loss)                                                 -21,000.00

  Scenario 2: Situation after Improvements
Income                                                         322,350.00
      Sales                                                    300,000.00
      Improvements                                              22,350.00
            Reduce amount of good transactions that
            were rejected as a precaution @ 3.25% of turnover    9,750.00
            Reduce the impact of the most damaging
            fraudsters @ 4.2% of turnover                       12,600.00
Expenditure                                                    321,000.00
      Staff                                                     60,000.00
      Stock                                                    150,000.00
      Shipping                                                  40,000.00
      IT, Hosting, etc.                                         60,000.00
      Merchant Fees & Bank Charges                              11,000.00
Profit (-Loss)                                                   1,350.00
    Table 8:       Practical Example based on a Small e-Merchant Scenario




4.2    A DEFINITION OF PREDICTIVE FORENSIC PROFILING
In order to achieve the improvements as per the two scenarios in Table 8
above, and assuming that the small e-merchant cannot afford any
sophisticated fraud prevention services or software, the following actions
could be taken:

Reduce the number of good transactions that were rejected as a
precaution at an average 3.25% of turnover
      Establish a profile of good clients                                Forensic
      Establish a profile of all fraud attacks                           Forensic
      Use industry trends and research to refine the fraudulent
      transaction risk profile                                           Predictive
Reduce the impact of the most damaging fraudsters at 4.2% of turnover
      Establish a profile of the top 20 most damaging fraudulent
      transactions and compare with the profile of all fraud attacks     Forensic

Three of the four activities identified above can be classified as forensic
profiling activities. Forensic profiling can be defined as retrospectively
analysing behavioural data in order to come up with a profile that could help
with the early identification of a similar profile in future. Predictive profiling
can be defined as creating a predicted model or profile, based on external
data that could help with the early identification of an instance of the predicted
model or profile in future.

Combining the two forms of profiling in the four activities above should give
the small e-merchant some protection against e-fraud. It is vital to note,
however, that the fraudsters' modus operandi changes over time, so any profile
created must be kept up to date to remain accurate.

In the next section, some practical steps a small e-merchant could take are
discussed.
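The three forensic activities in the table above (profile the good clients, profile all fraud attacks, and compare the most damaging attacks with all attacks) reduce to a few lines of analysis over the merchant's own order history. The following Python is an added example and not code from the article or its author; the order records are constructed sample data, and the field names, the two behavioural features and the top_n cut-off are assumptions made for the illustration.

```python
# Added example (not the article's own code): forensic profiling over a small
# e-merchant's order history. Every order below is constructed sample data and
# the field names, the feature set and top_n are assumptions for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: str
    customer_id: str
    amount: float        # order value in the merchant's currency
    ship_country: str    # country code of the delivery address
    card_country: str    # country of the card-issuing bank
    prior_orders: int    # completed earlier orders by this customer
    charged_back: bool   # True if the order later came back as a chargeback


# Constructed history: five good orders and five that were charged back.
HISTORY = [
    Order("o1", "c1", 120.0, "ZA", "ZA", 3, False),
    Order("o2", "c2", 80.0, "ZA", "ZA", 1, False),
    Order("o3", "c3", 45.0, "ZA", "ZA", 0, False),
    Order("o4", "c4", 200.0, "ZA", "ZA", 5, False),
    Order("o5", "c5", 60.0, "ZA", "GB", 2, False),
    Order("o6", "c6", 950.0, "ZA", "US", 0, True),
    Order("o7", "c7", 400.0, "ZA", "US", 0, True),
    Order("o8", "c8", 150.0, "ZA", "ZA", 0, True),
    Order("o9", "c9", 1200.0, "NG", "US", 0, True),
    Order("o10", "c10", 300.0, "ZA", "ZA", 1, True),
]

# The behavioural features compared between profiles (an assumption).
FEATURES = ("first_time", "country_mismatch")


def profile(orders):
    """Summarise a set of orders as a behavioural profile: the share of
    first-time customers, the share whose card was issued in a country
    other than the delivery country, and the average order value."""
    n = len(orders)
    if n == 0:
        return {"count": 0, "first_time": 0.0, "country_mismatch": 0.0, "avg_amount": 0.0}
    return {
        "count": n,
        "first_time": sum(o.prior_orders == 0 for o in orders) / n,
        "country_mismatch": sum(o.ship_country != o.card_country for o in orders) / n,
        "avg_amount": sum(o.amount for o in orders) / n,
    }


def forensic_profiles(history, top_n=20):
    """The three retrospective profiles from section 4.2: good clients, all
    fraud attacks, and the top_n most damaging fraud attacks by value."""
    good = [o for o in history if not o.charged_back]
    fraud = [o for o in history if o.charged_back]
    top = sorted(fraud, key=lambda o: o.amount, reverse=True)[:top_n]
    return {"good": profile(good), "fraud": profile(fraud), "top_fraud": profile(top)}


def feature_gaps(profiles, base, other):
    """Features ordered by how far profile `other` sits from profile `base`,
    largest gap first; these are the features worth turning into rules."""
    return sorted(FEATURES,
                  key=lambda f: abs(profiles[other][f] - profiles[base][f]),
                  reverse=True)


if __name__ == "__main__":
    p = forensic_profiles(HISTORY, top_n=3)
    for name, prof in p.items():
        print(name, prof)
    print("good vs all fraud:", feature_gaps(p, "good", "fraud"))
    print("all fraud vs top fraud:", feature_gaps(p, "fraud", "top_fraud"))
```

On the constructed history the good-client profile is dominated by repeat customers with a locally issued card, all fraud attacks by first-time customers, and the most damaging attacks by a card issued in a country other than the delivery country. The last comparison is the point of the article's "top 20" activity: the feature that separates the costliest attacks from the rest is the one a rule should weight most heavily, and the comparison has to be rerun as the history grows because the fraudsters' behaviour changes.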




5     THE PRACTICAL APPLICATIONS OF PREDICTIVE FORENSIC PROFILING

If it is indeed possible to achieve the improvements as per Table 5 above, it
may be viable for the smaller e-merchant to introduce a simple yet effective
fraud reduction strategy.

Combining predictive rules based on international statistics with a merchant’s
own forensic data could have a marked impact on a smaller merchant’s
profitability and turnover. The following strategy may be of help to smaller e-
merchants.

5.1    VERIFICATION PROVIDED BY CREDIT CARD COMPANY
Credit card companies are developing more and more products designed to
protect against losses relating to NCP transactions.

Note that verification differs in its extent, and the e-merchant should be
careful to understand the exact features and extent of the verification
service offered by the credit card company. Verification can range from the
most basic algorithm check (i.e. only checking whether the card number is
theoretically possible, so that a fraudulently generated card number would
still pass) to sophisticated verification services that confirm that the
number exists and that the details supplied (e.g. expiry date, billing
address) are correct. In most cases verification does not protect the
merchant in the event of a charge back.

Where available (and affordable), the smaller e-merchant should subscribe to
services such as real-time verification (where all details are verified with the
credit card company in real-time – while the order is being processed).

5.2    RULES / EXCEPTIONS
A rules-based, red-flag "early warning system" can be put in place with little
effort by most e-merchants. A simple Excel spreadsheet with a drop-down
questionnaire, or a simple Access database, could allow the employees
processing orders to identify and escalate potentially fraudulent orders.

A predictive example of rules, based on current e-fraud statistics, could be:

Is this an overseas order?                                          Yes
If Yes, which continent?                                            Africa
If Yes, which country?                                              Algeria
If No, which province?
Does the credit card issuer country correspond with the
delivery and billing address? (i.e. someone living in
Johannesburg is unlikely to use a CC issued by an American
bank.)                                                              Yes
Has the customer ever ordered before?                               Yes
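One way the questionnaire above can be turned into the rules-based early warning check this section describes, as an added Python example rather than the article's own spreadsheet or database: HOME_COUNTRY, the rule weights, the escalation threshold, the watch list and the three sample orders are constructed placeholders and not the e-fraud statistics the article refers to.

```python
# Added example (not the article's own spreadsheet): a rules-based red-flag
# check that mirrors the section 5.2 questionnaire. HOME_COUNTRY, the weights,
# ESCALATE_AT, the watch list and the sample orders are constructed
# placeholders, not the e-fraud statistics the article refers to.
HOME_COUNTRY = "ZA"      # assumption: the merchant trades from South Africa
ESCALATE_AT = 3          # total weight at which an order goes to a person


def red_flags(order, typical_amount, watch_list=frozenset()):
    """Evaluate the questionnaire rules against one order and return the
    flags that fired as (description, weight) pairs.

    order is a dict with delivery_country, card_country, prior_orders and
    amount. watch_list holds delivery countries the merchant has chosen to
    escalate on; that list is the predictive part, fed from external
    statistics, while the other rules are the merchant's own forensic rules."""
    flags = []
    if order["delivery_country"] != HOME_COUNTRY:
        flags.append(("overseas order", 1))
    if order["delivery_country"] in watch_list:
        flags.append(("delivery country on watch list", 2))
    if order["card_country"] != order["delivery_country"]:
        flags.append(("card issuer country differs from delivery country", 2))
    if order["prior_orders"] == 0:
        flags.append(("first order from this customer", 1))
    if order["amount"] > 3 * typical_amount:
        flags.append(("order value well above the typical order", 1))
    return flags


def score(flags):
    """Combined weight of the flags that fired."""
    return sum(weight for _, weight in flags)


def decision(order, typical_amount, watch_list=frozenset()):
    """'escalate' hands the order to a person for a closer look; 'accept'
    lets it through. Nothing here rejects an order outright, which is how
    good orders stop being rejected as a precaution."""
    total = score(red_flags(order, typical_amount, watch_list))
    return "escalate" if total >= ESCALATE_AT else "accept"


# Constructed sample orders (country codes chosen for illustration only).
REPEAT_LOCAL = {"delivery_country": "ZA", "card_country": "ZA",
                "prior_orders": 3, "amount": 100.0}
NEW_OVERSEAS = {"delivery_country": "US", "card_country": "GB",
                "prior_orders": 0, "amount": 900.0}
LOCAL_FOREIGN_CARD = {"delivery_country": "ZA", "card_country": "US",
                      "prior_orders": 2, "amount": 120.0}

if __name__ == "__main__":
    samples = [("repeat local", REPEAT_LOCAL),
               ("new overseas", NEW_OVERSEAS),
               ("local, foreign card", LOCAL_FOREIGN_CARD)]
    for name, o in samples:
        f = red_flags(o, typical_amount=100.0)
        print(name, decision(o, 100.0), score(f), [d for d, _ in f])
```

A single mismatch (a local delivery paid with a foreign-issued card) scores below the threshold and is accepted, because a repeat customer with that pattern is a legitimate profile the merchant has seen before; the same mismatch on a first order from a new customer reaches the threshold and is escalated. The weights are the part that should be revisited against the merchant's own chargeback history, since the article notes that any profile goes stale as the fraudsters' modus operandi changes.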


                                                                                41
E Fraud And Predictive Forensic Profiling    Reducing Losses By Combining Science With A Crystal Ball
E Fraud And Predictive Forensic Profiling    Reducing Losses By Combining Science With A Crystal Ball
E Fraud And Predictive Forensic Profiling    Reducing Losses By Combining Science With A Crystal Ball
E Fraud And Predictive Forensic Profiling    Reducing Losses By Combining Science With A Crystal Ball
E Fraud And Predictive Forensic Profiling    Reducing Losses By Combining Science With A Crystal Ball
E Fraud And Predictive Forensic Profiling    Reducing Losses By Combining Science With A Crystal Ball
E Fraud And Predictive Forensic Profiling    Reducing Losses By Combining Science With A Crystal Ball
E Fraud And Predictive Forensic Profiling    Reducing Losses By Combining Science With A Crystal Ball
E Fraud And Predictive Forensic Profiling    Reducing Losses By Combining Science With A Crystal Ball
E Fraud And Predictive Forensic Profiling    Reducing Losses By Combining Science With A Crystal Ball
E Fraud And Predictive Forensic Profiling    Reducing Losses By Combining Science With A Crystal Ball

Weitere ähnliche Inhalte

Was ist angesagt?

Computer crimes and forensics
Computer crimes and forensics Computer crimes and forensics
Computer crimes and forensics Avinash Mavuru
 
Cyber forensic 1
Cyber forensic 1Cyber forensic 1
Cyber forensic 1anilinvns
 
Network security
Network securityNetwork security
Network securitymena kaheel
 
Internet Issues (How to Deal on Internet Security)
Internet Issues (How to Deal on Internet Security)Internet Issues (How to Deal on Internet Security)
Internet Issues (How to Deal on Internet Security)Hannah Jane del Castillo
 
Privacy , Security and Ethics Presentation
Privacy , Security and Ethics PresentationPrivacy , Security and Ethics Presentation
Privacy , Security and Ethics PresentationHajarul Cikyen
 
Building a cybercrime case
Building a cybercrime caseBuilding a cybercrime case
Building a cybercrime caseOnline
 
Introduction to Cyber Forensics Module 1
Introduction to Cyber Forensics Module 1Introduction to Cyber Forensics Module 1
Introduction to Cyber Forensics Module 1Anpumathews
 
INFORMATION SECURITY: THREATS AND SOLUTIONS.
INFORMATION SECURITY: THREATS AND SOLUTIONS.INFORMATION SECURITY: THREATS AND SOLUTIONS.
INFORMATION SECURITY: THREATS AND SOLUTIONS.Ni
 
Ethics,security and privacy control
Ethics,security and privacy controlEthics,security and privacy control
Ethics,security and privacy controlSifat Hossain
 
Cisco Cyber Security Essentials Chapter-1
Cisco Cyber Security Essentials Chapter-1Cisco Cyber Security Essentials Chapter-1
Cisco Cyber Security Essentials Chapter-1Mukesh Chinta
 
Isaca june 19, 2010
Isaca june 19, 2010Isaca june 19, 2010
Isaca june 19, 2010Vicky Shah
 
5 Security Tips to Protect Your Login Credentials and More
5 Security Tips to Protect Your Login Credentials and More5 Security Tips to Protect Your Login Credentials and More
5 Security Tips to Protect Your Login Credentials and MoreCommunity IT Innovators
 

Was ist angesagt? (20)

Cyber security mis
Cyber security  misCyber security  mis
Cyber security mis
 
Computer security
Computer securityComputer security
Computer security
 
Computer crimes and forensics
Computer crimes and forensics Computer crimes and forensics
Computer crimes and forensics
 
Cyber forensic 1
Cyber forensic 1Cyber forensic 1
Cyber forensic 1
 
Network security
Network securityNetwork security
Network security
 
Internet Issues (How to Deal on Internet Security)
Internet Issues (How to Deal on Internet Security)Internet Issues (How to Deal on Internet Security)
Internet Issues (How to Deal on Internet Security)
 
Cyber forensics and auditing
Cyber forensics and auditingCyber forensics and auditing
Cyber forensics and auditing
 
Privacy , Security and Ethics Presentation
Privacy , Security and Ethics PresentationPrivacy , Security and Ethics Presentation
Privacy , Security and Ethics Presentation
 
Data security
Data securityData security
Data security
 
Module 3-cyber security
Module 3-cyber securityModule 3-cyber security
Module 3-cyber security
 
Chapter 8 securing information systems MIS
Chapter 8 securing information systems MISChapter 8 securing information systems MIS
Chapter 8 securing information systems MIS
 
Cyber Forensics Module 1
Cyber Forensics Module 1Cyber Forensics Module 1
Cyber Forensics Module 1
 
Building a cybercrime case
Building a cybercrime caseBuilding a cybercrime case
Building a cybercrime case
 
Introduction to Cyber Forensics Module 1
Introduction to Cyber Forensics Module 1Introduction to Cyber Forensics Module 1
Introduction to Cyber Forensics Module 1
 
INFORMATION SECURITY: THREATS AND SOLUTIONS.
INFORMATION SECURITY: THREATS AND SOLUTIONS.INFORMATION SECURITY: THREATS AND SOLUTIONS.
INFORMATION SECURITY: THREATS AND SOLUTIONS.
 
Ethics,security and privacy control
Ethics,security and privacy controlEthics,security and privacy control
Ethics,security and privacy control
 
Cisco Cyber Security Essentials Chapter-1
Cisco Cyber Security Essentials Chapter-1Cisco Cyber Security Essentials Chapter-1
Cisco Cyber Security Essentials Chapter-1
 
Information security
Information securityInformation security
Information security
 
Isaca june 19, 2010
Isaca june 19, 2010Isaca june 19, 2010
Isaca june 19, 2010
 
5 Security Tips to Protect Your Login Credentials and More
5 Security Tips to Protect Your Login Credentials and More5 Security Tips to Protect Your Login Credentials and More
5 Security Tips to Protect Your Login Credentials and More
 

Andere mochten auch

Workshop E: Fighting Fraud and Cyber Crime: WTF…"Where's the Fraud"
Workshop E: Fighting Fraud and Cyber Crime: WTF…"Where's the Fraud"Workshop E: Fighting Fraud and Cyber Crime: WTF…"Where's the Fraud"
Workshop E: Fighting Fraud and Cyber Crime: WTF…"Where's the Fraud"Vivastream
 
Fraud risk management training - Elsam Management Consultants
Fraud risk management training - Elsam Management ConsultantsFraud risk management training - Elsam Management Consultants
Fraud risk management training - Elsam Management ConsultantsEMAC Consulting Group
 
csa2014 IBC
csa2014 IBCcsa2014 IBC
csa2014 IBCapyn
 
FT Partners Research: Transaction Security - At the Nexus of E-Commerce, Paym...
FT Partners Research: Transaction Security - At the Nexus of E-Commerce, Paym...FT Partners Research: Transaction Security - At the Nexus of E-Commerce, Paym...
FT Partners Research: Transaction Security - At the Nexus of E-Commerce, Paym...FT Partners / Financial Technology Partners
 
Fraud risk management and interrogation techniques part ii
Fraud risk management and interrogation techniques part iiFraud risk management and interrogation techniques part ii
Fraud risk management and interrogation techniques part iiEMAC Consulting Group
 
The Future of Cyber Security
The Future of Cyber SecurityThe Future of Cyber Security
The Future of Cyber SecurityStephen Lahanas
 
Cyber security awareness
Cyber security awarenessCyber security awareness
Cyber security awarenessJason Murray
 
General Awareness On Cyber Security
General Awareness On Cyber SecurityGeneral Awareness On Cyber Security
General Awareness On Cyber SecurityDominic Rajesh
 
Social Media Cyber Security Awareness Briefing
Social Media Cyber Security Awareness BriefingSocial Media Cyber Security Awareness Briefing
Social Media Cyber Security Awareness BriefingDepartment of Defense
 
cyber crime & cyber law
cyber crime & cyber lawcyber crime & cyber law
cyber crime & cyber lawhimanshumunjal
 
Information technology act 2000
Information technology act 2000Information technology act 2000
Information technology act 2000Akash Varaiya
 
Swift Programming Language
Swift Programming LanguageSwift Programming Language
Swift Programming LanguageGiuseppe Arici
 

Andere mochten auch (14)

Workshop E: Fighting Fraud and Cyber Crime: WTF…"Where's the Fraud"
Workshop E: Fighting Fraud and Cyber Crime: WTF…"Where's the Fraud"Workshop E: Fighting Fraud and Cyber Crime: WTF…"Where's the Fraud"
Workshop E: Fighting Fraud and Cyber Crime: WTF…"Where's the Fraud"
 
E Fraud
E FraudE Fraud
E Fraud
 
Fraud risk management training - Elsam Management Consultants
Fraud risk management training - Elsam Management ConsultantsFraud risk management training - Elsam Management Consultants
Fraud risk management training - Elsam Management Consultants
 
csa2014 IBC
csa2014 IBCcsa2014 IBC
csa2014 IBC
 
FT Partners Research: Transaction Security - At the Nexus of E-Commerce, Paym...
FT Partners Research: Transaction Security - At the Nexus of E-Commerce, Paym...FT Partners Research: Transaction Security - At the Nexus of E-Commerce, Paym...
FT Partners Research: Transaction Security - At the Nexus of E-Commerce, Paym...
 
Fraud risk management and interrogation techniques part ii
Fraud risk management and interrogation techniques part iiFraud risk management and interrogation techniques part ii
Fraud risk management and interrogation techniques part ii
 
The Future of Cyber Security
The Future of Cyber SecurityThe Future of Cyber Security
The Future of Cyber Security
 
Cyber security awareness
Cyber security awarenessCyber security awareness
Cyber security awareness
 
General Awareness On Cyber Security
General Awareness On Cyber SecurityGeneral Awareness On Cyber Security
General Awareness On Cyber Security
 
Social Media Cyber Security Awareness Briefing
Social Media Cyber Security Awareness BriefingSocial Media Cyber Security Awareness Briefing
Social Media Cyber Security Awareness Briefing
 
cyber crime & cyber law
cyber crime & cyber lawcyber crime & cyber law
cyber crime & cyber law
 
Cyber law
Cyber lawCyber law
Cyber law
 
Information technology act 2000
Information technology act 2000Information technology act 2000
Information technology act 2000
 
Swift Programming Language
Swift Programming LanguageSwift Programming Language
Swift Programming Language
 

Ähnlich wie E Fraud And Predictive Forensic Profiling Reducing Losses By Combining Science With A Crystal Ball

Cyber Security Intelligence
Cyber Security IntelligenceCyber Security Intelligence
Cyber Security Intelligenceijtsrd
 
Final cyber risk report 24 feb
Final cyber risk report 24 febFinal cyber risk report 24 feb
Final cyber risk report 24 febmharbpavia
 
E-COMMERCE SYSTEMS SECURITY FOR SMALL BUSINESSES
E-COMMERCE SYSTEMS SECURITY FOR SMALL BUSINESSESE-COMMERCE SYSTEMS SECURITY FOR SMALL BUSINESSES
E-COMMERCE SYSTEMS SECURITY FOR SMALL BUSINESSESIJNSA Journal
 
Dell Technologies Cyber Security playbook
Dell Technologies Cyber Security playbookDell Technologies Cyber Security playbook
Dell Technologies Cyber Security playbookMargarete McGrath
 
Ecommerce security
Ecommerce securityEcommerce security
Ecommerce securitypolitegcuf
 
Iaetsd cyber crimeand
Iaetsd cyber crimeandIaetsd cyber crimeand
Iaetsd cyber crimeandIaetsd Iaetsd
 
American Bar Association guidelines on Cyber Security standards
American Bar Association guidelines on Cyber Security standardsAmerican Bar Association guidelines on Cyber Security standards
American Bar Association guidelines on Cyber Security standardsDavid Sweigert
 
Cyber Security – Indian Perspective.pptx
Cyber Security – Indian Perspective.pptxCyber Security – Indian Perspective.pptx
Cyber Security – Indian Perspective.pptxSharifulShishir
 
Clinton- Cyber IRT Balto 10_2012
Clinton- Cyber IRT Balto 10_2012Clinton- Cyber IRT Balto 10_2012
Clinton- Cyber IRT Balto 10_2012Don Grauel
 
Data Leak Protection Using Text Mining and Social Network Analysis
Data Leak Protection Using Text Mining and Social Network AnalysisData Leak Protection Using Text Mining and Social Network Analysis
Data Leak Protection Using Text Mining and Social Network AnalysisIJERD Editor
 
Cyber Security Matters a book by Hama David Bundo
Cyber Security Matters a book by Hama David BundoCyber Security Matters a book by Hama David Bundo
Cyber Security Matters a book by Hama David Bundohdbundo
 
security in it (data and cyber security)
security in it (data and cyber security)security in it (data and cyber security)
security in it (data and cyber security)Rohana K Amarakoon
 
Chap 1 Fundamentals of Cyber Security _ Intr to Cyber types.pptx
Chap 1 Fundamentals of Cyber Security _ Intr to Cyber  types.pptxChap 1 Fundamentals of Cyber Security _ Intr to Cyber  types.pptx
Chap 1 Fundamentals of Cyber Security _ Intr to Cyber types.pptxSharmilaMore5
 
cyber security guidelines.pdf
cyber security guidelines.pdfcyber security guidelines.pdf
cyber security guidelines.pdfVarinSingh1
 
Information security
Information securityInformation security
Information securityOnkar Sule
 

Ähnlich wie E Fraud And Predictive Forensic Profiling Reducing Losses By Combining Science With A Crystal Ball (20)

Cyber Security Intelligence
Cyber Security IntelligenceCyber Security Intelligence
Cyber Security Intelligence
 
C018131821
C018131821C018131821
C018131821
 
Final cyber risk report 24 feb
Final cyber risk report 24 febFinal cyber risk report 24 feb
Final cyber risk report 24 feb
 
E-COMMERCE SYSTEMS SECURITY FOR SMALL BUSINESSES
E-COMMERCE SYSTEMS SECURITY FOR SMALL BUSINESSESE-COMMERCE SYSTEMS SECURITY FOR SMALL BUSINESSES
E-COMMERCE SYSTEMS SECURITY FOR SMALL BUSINESSES
 
Dell Technologies Cyber Security playbook
Dell Technologies Cyber Security playbookDell Technologies Cyber Security playbook
Dell Technologies Cyber Security playbook
 
28658043 cyber-terrorism
28658043 cyber-terrorism28658043 cyber-terrorism
28658043 cyber-terrorism
 
Ecommerce security
Ecommerce securityEcommerce security
Ecommerce security
 
Iaetsd cyber crimeand
Iaetsd cyber crimeandIaetsd cyber crimeand
Iaetsd cyber crimeand
 
American Bar Association guidelines on Cyber Security standards
American Bar Association guidelines on Cyber Security standardsAmerican Bar Association guidelines on Cyber Security standards
American Bar Association guidelines on Cyber Security standards
 
Cyber Security – Indian Perspective.pptx
Cyber Security – Indian Perspective.pptxCyber Security – Indian Perspective.pptx
Cyber Security – Indian Perspective.pptx
 
Clinton- Cyber IRT Balto 10_2012
Clinton- Cyber IRT Balto 10_2012Clinton- Cyber IRT Balto 10_2012
Clinton- Cyber IRT Balto 10_2012
 
Data Leak Protection Using Text Mining and Social Network Analysis
Data Leak Protection Using Text Mining and Social Network AnalysisData Leak Protection Using Text Mining and Social Network Analysis
Data Leak Protection Using Text Mining and Social Network Analysis
 
Cyber Security Matters a book by Hama David Bundo
Cyber Security Matters a book by Hama David BundoCyber Security Matters a book by Hama David Bundo
Cyber Security Matters a book by Hama David Bundo
 
IBM Security Services
IBM Security ServicesIBM Security Services
IBM Security Services
 
security in it (data and cyber security)
security in it (data and cyber security)security in it (data and cyber security)
security in it (data and cyber security)
 
Chap 1 Fundamentals of Cyber Security _ Intr to Cyber types.pptx
Chap 1 Fundamentals of Cyber Security _ Intr to Cyber  types.pptxChap 1 Fundamentals of Cyber Security _ Intr to Cyber  types.pptx
Chap 1 Fundamentals of Cyber Security _ Intr to Cyber types.pptx
 
cyber security guidelines.pdf
cyber security guidelines.pdfcyber security guidelines.pdf
cyber security guidelines.pdf
 
Information security
Information securityInformation security
Information security
 
unit-1-is1.pptx
unit-1-is1.pptxunit-1-is1.pptx
unit-1-is1.pptx
 
E04 05 2841
E04 05 2841E04 05 2841
E04 05 2841
 

Mehr von Stefano Maria De' Rossi

Tecniche di Data Mining a supporto del fraud management
Tecniche di Data Mining a supporto del fraud managementTecniche di Data Mining a supporto del fraud management
Tecniche di Data Mining a supporto del fraud managementStefano Maria De' Rossi
 
Data mining in support of fraud management
Data mining in support of fraud managementData mining in support of fraud management
Data mining in support of fraud managementStefano Maria De' Rossi
 
Storia della bambina e della stella marina
Storia della bambina e della stella marinaStoria della bambina e della stella marina
Storia della bambina e della stella marinaStefano Maria De' Rossi
 

Mehr von Stefano Maria De' Rossi (20)

Tecniche di Data Mining a supporto del fraud management
Tecniche di Data Mining a supporto del fraud managementTecniche di Data Mining a supporto del fraud management
Tecniche di Data Mining a supporto del fraud management
 
CRM Value proposition - smdr
CRM Value proposition - smdrCRM Value proposition - smdr
CRM Value proposition - smdr
 
Crm value proposition
Crm value propositionCrm value proposition
Crm value proposition
 
2015 GALA breve presentazione_12.05
2015 GALA breve presentazione_12.052015 GALA breve presentazione_12.05
2015 GALA breve presentazione_12.05
 
GALA breve presentazione maggio 2015
GALA breve presentazione maggio 2015GALA breve presentazione maggio 2015
GALA breve presentazione maggio 2015
 
2015 GALA presentazione apr2016
2015 GALA presentazione apr20162015 GALA presentazione apr2016
2015 GALA presentazione apr2016
 
slide PROGEDIL PS da paura
slide PROGEDIL  PS da paura slide PROGEDIL  PS da paura
slide PROGEDIL PS da paura
 
Presentazione AD Mind 2012
Presentazione AD Mind 2012Presentazione AD Mind 2012
Presentazione AD Mind 2012
 
Data mining in support of fraud management
Data mining in support of fraud managementData mining in support of fraud management
Data mining in support of fraud management
 
Storia della bambina e della stella marina
Storia della bambina e della stella marinaStoria della bambina e della stella marina
Storia della bambina e della stella marina
 
Tackling Card not present Fraud
Tackling Card not present FraudTackling Card not present Fraud
Tackling Card not present Fraud
 
Merging fraud in a full IP environment
Merging fraud in a full IP environmentMerging fraud in a full IP environment
Merging fraud in a full IP environment
 
Mobile Payment fraud & risk assessment
Mobile Payment fraud & risk assessmentMobile Payment fraud & risk assessment
Mobile Payment fraud & risk assessment
 
introduzione al data mining
introduzione al data mining introduzione al data mining
introduzione al data mining
 
Social Media Security
Social Media SecuritySocial Media Security
Social Media Security
 
Presentazione ADM 2011
Presentazione ADM 2011Presentazione ADM 2011
Presentazione ADM 2011
 
Competitive_intelligence
Competitive_intelligenceCompetitive_intelligence
Competitive_intelligence
 
Mind mapping
Mind mapping Mind mapping
Mind mapping
 
Identifying high value customers
Identifying high value customersIdentifying high value customers
Identifying high value customers
 
Costruire la relazione
Costruire la relazioneCostruire la relazione
Costruire la relazione
 

E Fraud And Predictive Forensic Profiling Reducing Losses By Combining Science With A Crystal Ball

  • 1. e-Fraud and Predictive Forensic Profiling - reducing losses by combining science with a crystal ball HB Prinsloo CDE (A division of Comparex Africa (Pty) Ltd) hermanp@ComparexAfrica.co.za Abstract: This article focuses on cyber crime, especially the effects of e-fraud on smaller e-merchants. It describes simple, cost-effective measures that the smaller e-merchant can implement in order to prevent fraudulent transactions and improve turnover and profit. List of key words: Cyber crime, on-line fraud, e-fraud, smaller e-merchant, micro e-merchant, e- business, prevention of e-fraud, predictive profiling, forensic profiling, predictive forensic profiling. 1 INTRODUCTIONA From the submission of this article’s abstract to the actual writing of this text, e-fraud has gained prominence in the South African news as a result of the theft of a relatively large sum of money between May and July 2003 by one cyber criminal from the Internet bank accounts of 10 clients of the Amalgamated Banks of South Africa Group (ABSA Bank), one of the largest banking groups in South Africa. A suspect was arrested towards the end of July and charged with 10 counts of fraud (Cruywagen, 2003:3). This was the first major incident of e-fraud to make news headlines over a number of weeks in South Africa. It has had the widest potential effect as the vast majority of the Internet using population in South Africa use Internet Banking as a convenient and cost-effective way of managing their personal financial affairs. Although it has only gained prominence in the minds of the general public recently, e-fraud has been with us in many guises for a number of years. 1.1 DEFINING E-FRAUD, E-CRIME AND CYBER CRIME At this juncture it is important to attempt to define the concepts of e-fraud and cyber crime. The terms “e-Crime”, “cyber crime,” "computer crime", "Information Technology crime," and "high-tech crime" are often used interchangeably. 
No universally uniform or accepted definition of cyber crime exists, partly due to the many guises of cyber crimes (Groebel et al.: 2001:17). 1
  • 2. Cyber crimes can range from economic offences (fraud, theft, industrial espionage, sabotage and extortion, product piracy, etc.) to infringements on privacy, propagation of illegal and harmful content, facilitation of prostitution and other moral offences, as well as organised crime (cf. Goodman, 1997:468, Golubev, 2003:2; PCB, 2001a:8; Turnbull, 2001:5). At its most severe cyber crime borders on terrorism, encompassing attacks on human life and against national security establishments, critical infrastructure, and other vital elements of society (cf. Sweet, 2003:1; Messmer, 2002:1; CERT/CC, 2002:5; Schneier, 2003:1). The UN Manual on the prevention and control of computer-related crime provides the following definition of cyber crime: “Computer crime can involve activities that are traditional in nature, such as theft, fraud, forgery and mischief, all of which are generally subject everywhere to criminal sanctions. The computer has also created a host of potentially new misuses or abuses that may, or should, be criminal as well” (UN, 1994:7). Koenig (2001:8) defines cyber crime as: “A criminal offence that has been created or made possible by the advent of computer technology, or a traditional crime which has been so transformed by the use of a computer that law enforcement investigators need a basic understanding of computers in order to investigate the crime.” Broadly, this definition generally refers to two types of offences: • Crimes against computers or information on computers (e.g. attacks on network confidentiality, integrity and/or availability i.e. infringements on privacy, unauthorised access to and illicit tampering with systems, programs or data) • Traditional crimes that are committed with the use of computers or some form of information and communication technology (e.g. industrial espionage, theft, forgery, extortion, propagation of illegal and harmful content, facilitation of prostitution, etc.) (cf. 
McConnell International, 2000:1; Goodman, 1997:468; Turnbull, 2001:8.). On a global scale, society’s dependence on technology is increasing exponentially. The use of computers and computer technology has proliferated in all spheres of life and it plays a central role in such diverse activities as banking, transport systems, the financial markets, hospitals and telecommunications today. In this respect technology affects all of us on a daily basis in ways that we do not necessarily take into account. Our dependence on technology, combined with the cyber criminal’s perceived low risk of arrest and prosecution and the fact that legislation is not always adequate to facilitate the prosecution of trans-national cyber criminals, exponentially increases the risk posed by cyber criminals on society today (cf. Smith, 2002:5; Turnbull, 2001:19; Groebel et al.: 2001:15 & Smith 2000:1). In the USA, the average damage suffered by a physical bank robbery is US $3 200, compared to US $23 000 for the average swindle and damage of US $500 000 caused by the average computer crime (Belousov, 2003:1). In the physical environment, fraud was traditionally paper-based or 2
  • 3. people-based, whereas the following are the means most often used to commit crimes on-line: • Message interception and alteration • Unauthorised account access • Identity theft • Manipulation of stocks and bonds • Extortion • Unauthorised system access (e.g. system damage, degradation, or denial of service) • Industrial espionage • Manipulation of e-payment systems • Credit Card Theft (cf. Glaessner et al. 2002:24; Graycar & Smith, 2002:4; & Centeno, 2002:11). Currently the most vulnerable aspects of technology have been identified by Etter (2001b:24) as: • Electronic commerce • On-line banking • Pharmacies with electronic prescription services and interfaces to medical aids • Health care services and records • Education. The vulnerability of information and communication technology (ICT) systems can be ascribed to the following interrelated factors: • Density of information and processes Billions of characters of data can be saved on a relatively small storage device. Vast amounts of data can be relatively quickly and easily destroyed or deleted. • System accessibility Computer systems were originally designed to allow multiple users to use the same computer. Today ICT systems and users can access and communicate with other systems across the globe. The fact that the system cannot be physically guarded makes it vulnerable, despite the plethora of ever-evolving security systems designed to protect a globally accessible ICT system. • System complexity The exponential growth in processing power and complexity in operating systems makes it impossible for even the designers of such systems to understand the number of logic states that are possible during execution in a multi-programming or multi-processing environment. This makes a system vulnerable to intrusion via an (unintentional) back door in the system. 
• Electronic vulnerability Computer systems rely on electronic and generally also telecommunications technology that are subject to potential problems with reliability, fragility, environmental dependency and vulnerability to interference and the interception of data. 3
  • 4. Vulnerability of electronic data-processing media The content and nature of the data on a storage device is not visible to the technicians handling it. Very sensitive data can be handled carelessly without the handler being aware of either the risk or the nature of the data. Equipment can be stolen from cars, or disks that contain very sensitive information can be mislaid. • Human factors In nearly any ICT environment, certain individuals require access to very sensitive information. A young IT technician could, for instance, have access to an organisation’s payroll data or R&D archive for the purpose of creating backups. Such a person could succumb to temptation, be bribed by competitors, or become disillusioned and destroy or disseminate very sensitive information, leaving very little evidence. “Insider” (full- or part-time employees, contracted workers, consultants, partners or suppliers) security incidents such as access abuse and equipment theft occur far more frequently than “external” attacks (cf. UN, 1994:7, 10; Settle, 2000:4; Centeno, 2002:14; Smith 1999b:5). Alarmingly, very few companies do standard background checks on staff members who are employed to work with sensitive data and are granted unrestricted access to systems (Graycar & Smith, 2002:7). A trusted insider may be recruited covertly by hostile parties long before any action associated with an actual attack (the so-called “sleeper” problem) or tricked into taking some action that breaches system security e.g. tricked into disclosing a password or opening an e-mail attachment that installs software that permits access by malicious outsiders (CSTB, 2002:5). Personal financial pressure is the most widely reported warning signal exhibited by employees prior to the discovery of internal fraud (KPMG, 1999:16). 
The following factors related to cyber crime complicate effective law enforcement and pose new and unique challenges for investigators: • The environment is a more favourable vehicle for fraudsters to communicate and act due to its anonymity, easy access, and rapid exchange of resources such as hacking programs and credit card numbers (cf. Gartner, 2001:15). • The possibility of committing computer-facilitated crime also makes it easier to automate and commit fraud on a larger scale (Schneier, 2003:1); the level of automation in attack tools continues to increase. Automated attacks commonly involve four phases: Scanning for potential victims; Compromising vulnerable systems; Propagating the attack; and Coordinating the management of attack tools. Since 1999, with the advent of distributed attack tools, attackers have been able to manage and coordinate large numbers of deployed attack tools distributed across many Internet systems. Today, distributed attack tools are capable of launching denial-of-service attacks more efficiently, scanning for potential victims and compromising vulnerable systems. Coordination functions now take advantage of readily available public communications protocols such as Internet Relay Chat (IRC) and instant messaging (IM) (CERT/CC, 2002:1). 4
• Attack tool developers are using more advanced techniques than previously. Attack tool signatures are more difficult to discover through analysis and more difficult to detect through signature-based systems such as antiviral software and intrusion detection systems. Three important characteristics are the anti-forensic nature, dynamic behaviour and modularity of the tools. As an example of the difficulties posed by sophisticated attack tools, many common tools use protocols like IRC or HTTP (HyperText Transfer Protocol) to send data or commands from the intruder to compromised hosts. As a result, it has become increasingly difficult to distinguish attack signatures from normal, legitimate network traffic (CERT/CC, 2002:2; PCB, 2001a:8).

• Firewalls are often relied on to provide primary protection from intruders. However, technologies are being designed to bypass typical firewall configurations; for example, IPP (the Internet Printing Protocol) and WebDAV (Web-based Distributed Authoring and Versioning). Some protocols marketed as being “firewall friendly” are, in reality, designed to bypass typical firewall configurations. Certain aspects of “mobile code” (ActiveX controls, Java and JavaScript) make it difficult for vulnerable systems to be protected and for malicious software to be discovered (CERT/CC, 2002:2).

• Because of the advances in attack technology, a single attacker can employ a large number of distributed systems to launch devastating attacks against a single victim relatively easily. As the automation of deployment and the sophistication of attack tool management both increase, the asymmetric nature of the threat will continue to grow (CERT/CC, 2002:3).

• The speed at which crimes can be committed.

• The fact that a crime is not always immediately apparent. A cyber criminal can hack into a system and plant a program that is only scheduled to do something at some time in the future.
Similarly, a cyber criminal can invade the computer of an innocent person and launch an attack from that computer, making it appear that the owner of the computer perpetrated the crime. This makes it very difficult to catch and prosecute proficient cyber criminals (CSTB, 2002:5).

• The lack of risk awareness.

• Merchants are often small and new with limited security skills and budgets. They are selling new goods (digital content) that are more vulnerable to fraud (Experian, 2000:2).

• The lack of cyber security skills and tools. Organisations often overlook significant risks: system providers do not produce systems that are immune to attack, and network and system operators do not have the personnel and practices in place to defend themselves against attacks and minimise damage (CERT/CC, 2001:1).

• Users are more vulnerable. With increasing Internet connectivity from home and increasing PC power (available for hackers), average users know little about risks and the security tools available to protect their computers from external attacks.

• Global reach (including issues of jurisdiction, disparate criminal laws and the potential for large-scale victimisation) makes legal prosecution more difficult. Because transaction amounts are generally low, the electronic evidence tools and skills available are very limited. Legislation has not yet been fully adapted to the Internet environment and, where transactions have taken place across borders, complex jurisdictional and procedural issues may arise. The technical and legal complexities of investigating and prosecuting cyber crimes are compounded by the relatively low value of individual fraudulent transactions as well as the complex legal process for prosecuting cases of fraud within the legal systems of more than one country (cf. Experian, 2000:13; Smith 2002:5; CSTB, 2002:3).

• Telecommunications can be used to further criminal conspiracies. Because of sophisticated encryption systems and high-speed data transfers, it is difficult for law enforcement agencies to intercept information about criminal activities. This has particular relevance to new international criminal activities (Giddens & Duneier, 2003:201).

• The volatility or transient nature of evidence, including the absence of collateral or forensic evidence such as eyewitnesses, fingerprints or DNA.

• The high cost of investigations (cf. Centeno, 2002:3; Etter, 2001b:27; Etter, 2001a:6; Etter, 2002:5, 12; Graycar & Smith, 2002:2; Groebel et al., 2001:25 & McConnell International, 2000:2).

According to Centeno (2002:12), the most common types of on-line card fraud reported are:

• Bogus merchants collecting card data and disappearing, charging either unauthorised transactions, transaction amounts higher than agreed or unauthorised recurring transactions

• Transactions performed with stolen card data (stolen in the physical world or obtained through intrusion into merchant servers) or with data generated by software tools

• Consumers fraudulently denying transactions and getting a transaction reversed based on “card not present” legislation.
Transaction reversals and refunds, also called charge backs, are estimated to be 12 times more frequent for e-commerce than in the physical world, and two to three times more frequent than for “MOTO” (Mail Order Telephone Order) sales. With a view to understanding what security measures are needed and, based on the results of the analysis of available fraud figures, on-line payment risks can be classified into the following four categories:

1. Risk of merchant fraudulent behaviour: bogus merchants carrying out data capture, disappearing and charging unauthorised transactions; charging transaction amounts higher than agreed; charging unauthorised recurrent payments.

2. Risk of identity and payment data theft for further fraudulent use on the Internet or in the physical world (purchase, fraudulent card application, account take-over). Identity data can be stolen through e-mail (or even phone) scams, or through unauthorised on-line access to merchant or ISP servers, to bank servers, to consumers’ PCs or to transactional data.

3. Risk of impersonation, i.e. fraudulent use of (stolen) consumer identity and/or payment data, or software-generated account numbers, for purchasing.

4. Risk of a consumer fraudulently denying a transaction (cf. Centeno, 2002:3, 19; Graycar & Smith, 2002:4).

According to Etter (2001b:23) cyber crime will increasingly feature in many trans-national crimes involving drug trafficking, people smuggling and money laundering and, while many e-crimes will be ‘old style’ crimes simply involving the use of ICT, new forms of crime will also emerge. In addition, the barriers to committing electronic crime have dropped significantly and criminals are becoming younger. Etter (2001b:23) observes that it would seem that people who would not dream of stealing or maliciously damaging other people’s property in real life have no qualms or second thoughts about the opportunities and challenges presented by the Internet.

1.2 THE MOST PREVALENT CYBER CRIMES

Technology has most certainly changed the risk landscape as far as fraud is concerned:

Figure 1: Technology-enabled Fraud (CyberSource, 2002:6)

Goodman and Brenner (2002:14) identify the following activities as the most prevalent cyber crimes:

1.2.1 Hacking and Related Activities

Hacking, or gaining unauthorised access to a computer system, computer programs or data, opens a range of possibilities for inflicting damage (cf. UN, 1994: 13 & Groebel et al., 2001:43). Illegal infiltration of telecommunications systems means that eavesdropping, ranging from spouse monitoring to espionage, has become easier (Giddens & Duneier, 2003:201). The ability to hack into and steal telecommunications services means that people can conduct illicit business without being detected or simply manipulate telecommunication and cell phone services in order to receive free or discounted telephone calls. Giddens & Duneier (2003:201) and PCB (2001a:3) identify two types of hackers, namely internal (including internal saboteurs) and external (including political hackers or hacktivists, who hack either to highlight a lack of security or for personal reasons, i.e. grudges).

1.2.2 Commercial Espionage

Losses suffered through misappropriation of computerised intellectual property cost copyright owners close to $20 billion in the year before the cited report. Netspionage involves confidential information being stolen by hackers to sell to a competitor or to be used for individuals’ business exploits. Espionage was originally limited to governments but, with the advent of the Information Age, the rise of corporate espionage has been rapid. One tool used to steal secrets is TEMPEST (Transient Electromagnetic Pulse Emanation Surveillance Technology), which allows a scanner to read the output from a computer up to a kilometre away. It is non-invasive and virtually undetectable (PCB, 2001a:4).

1.2.3 Data Manipulation

Computer fraud by input manipulation (also called “data diddling”) is one of the most common computer crimes. Input manipulation is easy to perpetrate and difficult to detect, does not require sophisticated computer knowledge and could be perpetrated by a data capturer with limited data processing system access (UN, 1994:14). A more sophisticated form of data manipulation is the modification of software programs, which is also difficult to detect. The most common example is the “salami technique”, where thin slices of financial transactions are stolen, i.e. rounding down the cents in financial transactions and diverting the fractions from millions of transactions to a bank account (Goodman and Brenner, 2002:15).
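The salami technique is small enough per transaction to hide inside normal rounding, which is why it is usually caught by reconciliation over the whole ledger rather than by inspecting individual entries. The following is an added example, not code from the article, that simulates an honest nearest-cent posting routine beside a tampered one that truncates every amount and diverts the residue, and then applies a simple detective control: counting the direction of rounding across the ledger. Honest rounding goes up about as often as it goes down; a truncating salami slice never rounds up. The sample amounts, the suspense-account framing and the thresholds are constructed assumptions for illustration.

```python
from decimal import Decimal, ROUND_HALF_UP, ROUND_DOWN

CENT = Decimal("0.01")


def post_honest(amount: Decimal) -> Decimal:
    """Normal posting: round each amount to the nearest cent."""
    return amount.quantize(CENT, rounding=ROUND_HALF_UP)


def post_salami(amount: Decimal) -> Decimal:
    """Tampered posting: always truncate, so every fractional cent becomes
    residue that the attacker credits to an account under their control."""
    return amount.quantize(CENT, rounding=ROUND_DOWN)


def run_ledger(exact_amounts, post):
    """Post every exact amount with the given routine and return
    (posted entries, net residue between the exact and the posted totals).
    Under the salami routine the residue is the attacker's take."""
    posted = [post(a) for a in exact_amounts]
    residue = sum((a - p for a, p in zip(exact_amounts, posted)), Decimal(0))
    return posted, residue


def rounding_bias(exact_amounts, posted):
    """Count how many entries were rounded down and how many up.
    Honest nearest-cent rounding goes both ways about equally;
    a truncating salami slice only ever goes down."""
    down = sum(1 for a, p in zip(exact_amounts, posted) if p < a)
    up = sum(1 for a, p in zip(exact_amounts, posted) if p > a)
    return down, up


def is_suspicious(exact_amounts, posted, min_entries=30, max_down_share=0.8):
    """Detective control: flag a ledger whose rounding is almost all
    one-directional. Thresholds are illustrative assumptions, not from the article."""
    down, up = rounding_bias(exact_amounts, posted)
    n = down + up
    return n >= min_entries and down / n > max_down_share


def sample_amounts(n: int):
    """Constructed sample: n interest-style amounts with four decimal places,
    whose fractional cents are spread evenly over 0.0000 .. 0.0099."""
    return [Decimal("1.2347") * i for i in range(1, n + 1)]


if __name__ == "__main__":
    exact = sample_amounts(200)
    for label, post in (("honest", post_honest), ("salami", post_salami)):
        posted, residue = run_ledger(exact, post)
        print(label, "down/up:", rounding_bias(exact, posted),
              "net residue:", residue, "suspicious:", is_suspicious(exact, posted))
```

On the 200 constructed entries the honest ledger nets out to a fraction of a cent, while the salami ledger diverts just under one currency unit; the take is invisible per transaction and only grows with volume, which is exactly what the direction count is designed to expose.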
1.2.4 Computer Forgery

Today most official documents are produced via a printout from a computer. Fraudulent altering and counterfeiting of documents have become easier with the availability of inexpensive, high quality scanners and colour printers (UN, 1994:14).

1.2.5 Viruses and other Malicious Programs

Viruses and other types of malicious code, like “worms” and logic bombs, can be very destructive. A calamitous virus may delete files or permanently damage systems. A Trojan horse, masquerading as a utility, e.g. anti-virus software or an animation, may copy user IDs and passwords, erase files or release viruses (Groebel et al, 2001:52; PCB, 2001a:8). The effects of viruses and other malicious programs are referred to as computer sabotage. Computer sabotage can be the vehicle for gaining economic advantage over a competitor, for promoting the illegal activities of ideologically motivated terrorists or for stealing data or programs (also referred to as "bitnapping") for extortion purposes (UN, 1994:15).

1.2.6 Software Pirating

The unauthorised reproduction of computer programs can mean a substantial economic loss to the legitimate owners. It has become relatively easy to violate copyright rules by copying materials, software, films and CDs (Giddens & Duneier, 2003:201). The problem has reached trans-national dimensions with the trafficking of these unauthorised reproductions over modern telecommunication networks (UN, 1994:16; PCB, 2001a:8).

1.2.7 Gambling, Pornography and other Offences against Morality

On-line casinos have proliferated widely, despite the fact that gambling is illegal in many jurisdictions. The Internet is also being used to distribute drugs, pharmaceuticals, tobacco and liquor, again regardless of jurisdictional prohibitions. It is difficult to control pornography and offensive content in cyberspace (Giddens & Duneier, 2003:201).

1.2.8 Child Pornography

Many types of paedophilic activity - viewing images, discussing activities, arranging tourism, enticing a child to a meeting - are carried out over the Internet. The Internet gives the paedophile the advantages of a wider scope of communications and the likelihood of eluding the law, given the jurisdictional problems that arise in prosecuting cases that transcend borders, as is the nature of the Internet (cf. Giddens & Duneier, 2003:201; Groebel et al, 2001:65).

1.2.9 Cyber Homicide

Cyber homicide - using computer technology to kill someone - has not yet been reported but could be perpetrated in future. An aspiring mass murderer could, for example, hack into a hospital’s computer system, learn about the medication prescribed for patients and alter the dosages, causing them to die (cf. Sweet, 2003:1; CSTB, 2002:6).

1.2.10 Stalking, Harassment and Hate Speech

Stalking and harassment are malicious activities directed at a particular person.
Cyber stalking can pose not only virtual but real threats to on-line users. The dissemination of hate and racist speech has a more general focus but can be equally traumatic for those it targets and is becoming more widespread because of the Internet. Stalking, harassment, hate-filled and racist speech perpetrated over computer networks is not universally considered to be illegal (Giddens & Duneier, 2003:201; Groebel et al, 2001:71).

1.2.11 Cyber Terrorism

Pollitt (1997:285) defines cyber terrorism as a “pre-meditated, politically motivated attack against information, computer systems, computer programs, and data which results in violence against non-combatant targets by sub national groups or clandestine agents”. There is a heightened vulnerability to electronic vandalism and terrorism in western society today due to the fact that much of modern life depends on computers and computer networks. For many people, the most visible interaction they have with computers is typing at the keyboard of a computer. Less visible are the computers and networks that are critical for key functions such as managing and operating nuclear power plants, dams, electric power grids, air traffic control systems and financial infrastructures. Computers are also instrumental in the day-to-day operations of companies, organisations and government. Companies large and small rely on computers to manage payroll, track inventory and sales and perform research and development. The distribution of food and energy from producer to retail consumer relies on computers and networks at every stage. In future, everyday items such as traffic lights, elevators, appliances and even pacemakers will become more and more connected to computer systems and thus vulnerable to attacks by cyber terrorists. Instructions for building incendiary devices can be placed on and downloaded from the Internet (cf. Giddens & Duneier, 2003:201; Groebel et al., 2001:48; Arquilla, 1998:1; Devost et al., 1996:7; Etter, 2002:14, Messmer, 2002:1; Blyth, 1999:16, CSTB, 2002:2, CERT/CC, 2002:5).

1.2.12 Money Laundering and Organised Crime

Money laundering is estimated at between 2% and 5% of the world GDP (PMSEIC Working Group, 2000:4). Electronic money laundering can be used to move the illegal proceeds from a crime via Electronic Funds Transfer (EFT) to conceal the origin of the funds (Giddens & Duneier, 2003:201; Graycar & Smith, 2002:3).
Even if money laundering remains largely tied to the off-line world, the capabilities of the Internet and other networks mean that there will be great incentives for money launderers to exploit this avenue (cf. Groebel et al., 2001:60; & Etter, 2002:15).

1.2.13 Internet Fraud, e-Commerce Fraud and i-Payment Fraud

Fraud represents what is probably the largest category of cyber crime. The Internet has created what appears to be the perfect cyber crime - borderless fraud. So many different types of fraud are committed over computer networks that they have become almost impossible to police effectively (Groebel et al., 2001:57). There is an enhanced risk of electronic funds transfer crimes. The widespread use of cash machines, e-commerce and electronic money on the Internet heightens the possibility that some transactions will be intercepted (Giddens & Duneier, 2003:201; Graycar & Smith, 2002:3). Using computers, thieves can steal credit card details and siphon funds from banks. Cyberspace can be just as easily used to commit theft-by-threat or extortion. One of the most common types of cyber fraud is on-line auction fraud, where the vendor may describe products or services in a false or misleading manner, or may take orders and money but fail to deliver goods or deliver counterfeit goods (Golubev 2003:2). A growth in telemarketing fraud has been noted as well as fraudulent charity schemes and investment opportunities that are difficult to regulate (Giddens & Duneier, 2003:201).

For the purpose of this paper, the term e-fraud will be used to denote cyber crimes relating to on-line credit card fraud and e-commerce.
2 E-FRAUD GLOBALLY

e-Fraud, notably fraudulent on-line credit card transactions via e-business sites on the Internet, is a global problem that is much more prevalent than “bricks and mortar” fraud, and also much more difficult to detect and prosecute. It leads to significant profit erosion and losses suffered by e-merchants (McConnell International, 2000:1). Some recent statistics include:

• Identity theft complaints to US authorities rose by 40% each year from 1992 to 1997. The US Treasury Department estimated that identity theft causes losses of up to US$3 billion each year from credit card fraud alone (PCB, 2001a:5).

• Visa recently surveyed 15 banks from 12 EU countries. It found that credit card payments account for nearly half of all complaints, more than one in five of which came from people billed for on-line transactions who had not even shopped on the Internet (PCB, 2001a:5).

• A recent report from the National Consumers Council revealed that 50% of Internet users are unlikely to supply their credit card details on the Internet because they think it’s too risky (PCB, 2001a:5).

• Over 50 per cent of all fraud committed in the first half of 2000 were "cyber crimes” (PCB, 2001a:1).

• Fraudulent transactions make up 1.06% of total on-line transactions compared to only 0.06% of off-line transactions. The Gartner Group estimates that on-line transaction fraud is 17 times higher than in-store fraud (Gartner, 2002:1).

• In 2002, 26 million UK adults used the Internet compared to fewer than 10 million in 1999. Over the same period, the number of adults making Internet card payments increased nine fold, from 1.3 million in 1999 to 11.8 million in 2002. Around 3% of all card payments, to a total value of £9 billion, were made over the Internet last year. This is expected to grow to 10% by 2012 (Apacs 2003b:10).

• Direct sales over the Internet are expected to reach US$5 trillion in the United States and Europe by 2005 (McCardle et al., 2001:5).
• Gartner (2002:1) estimates that in 2001 alone on-line fraud cost e-merchants US$700 million, excluding costs such as investigations, legal fees, etc.

• One in six on-line customers have been the victim of credit card fraud and one in 12 have had their identity stolen on-line (Golub 2003:11).

• It has been estimated that the typical identity theft victim learns about the crime only 14 months after it has occurred, sustains US$18,000 in fraudulent charges and spends 175 hours over two years restoring his/her clean credit and good name (PCB, 2001a:5).

• Visa estimates that Internet transactions account for about 2% of its total transactions. However, of all the fraudulent transactions that Visa handles, 50% occur in Internet transactions (Verisign, 2002:9).
• In 2002 FBI Internet fraud centre complaints rose by 300% (Golub 2003:11).

• A recent investigation by MSNBC reveals that while overseas-based criminals account for up to one third of all on-line fraud directed at United States e-businesses, there is no evidence of a single prosecution against these foreign perpetrators (Brunker, 2001:1). The US Treasury’s Financial Crimes Enforcement Network (FinCEN) maintains an official US Government web site. Its mission is to support law enforcement investigative efforts and foster inter-agency and global cooperation against domestic and international financial crimes. FinCEN has issued warnings on transactions involving the following countries:

o The Arab Republic of Egypt
o The Bahamas
o The Cayman Islands
o The Cook Islands
o Dominica
o Israel
o Lebanon
o Liechtenstein
o The Marshall Islands
o Nauru
o Nigeria
o Niue
o Panama
o The Philippines
o The Russian Federation
o St. Kitts & Nevis
o St. Vincent & The Grenadines

(FinCEN, 2003:1).

• Forty per cent of companies have been hit by the same fraudster more than once, with 18% saying that they had been hit three times by the same fraudster before the fraud was detected (PCB, 2001a:5).

• More than 50 per cent of all fraud committed in the first half of 2000 were "cyber crimes". Internet fraud rose 46% towards the end of 2000. Seventy per cent of large companies in the UK were hit by fraud and each of the companies surveyed lost an average of £4 million every year as a result of fraudulent activity. Not only is about 60% of fraud committed from within, but it was found that as much as 58% of this fraud was uncovered ‘by accident’! Recovery rates remain low (with as few as 20% of organisations able to recover half or more), and the scope for the commission of such fraud remains as high as ever, with only 18% of victims ‘very confident’ about their future safety. Twice as many believe that the threat will be even greater in the next five years.
Indeed, just under half the 3500 respondent organisations felt cyber crime was ‘the’ risk of the future (PCB, 2001b:1).

• In the US, a survey done in March 2001 revealed that:

o 85% of respondents (primarily large corporations and government agencies) detected security breaches
o 74% reported serious breaches
o 71% reported unauthorised access by insiders; 25% detected system penetration from the outside
o 186 respondents reported losses of US$377m (compared to US$265m from 249 respondents in 2000)
o most serious: Netspionage theft of US$151m reported by 6% of respondents (compared to US$66m in 2000)
o financial fraud was US$55m (compared to US$39.7m in 1999)
o loss due to sabotage: US$27m (compared to US$10m combined for the previous 3 years)
o 70% of respondents cited Internet connections as a frequent point of attack (compared to 59% in 2000)
o 91% of respondents (as opposed to 79% in 2000) detected employee abuse of Internet access privileges (PCB, 2001b:1).

Experian (2000:2) commissioned one of the most extensive research studies on the effect of Internet fraud on UK retailers. Eight hundred (800) UK retailers were interviewed and it was found that:

• Nine out of every ten Internet fraudsters in the UK were getting away with it! Only 9% of fraud cases reported to the police by UK on-line retailers resulted in prosecution.

• 70% of companies thought that the Internet was inherently more risky than other routes to market, with the majority of respondents experiencing an increase in fraud on the Internet over the previous year. Fifty-two (52) per cent of on-line traders claimed that Internet fraud was a problem for their organisation and 55% said it was a growing problem.

• Retailers became aware far too late that they had been victims of fraud. Almost half the companies (48%) said it could take more than a month before they were made aware that they had been the victims of card fraud. Eighteen (18) per cent said that it took up to seven weeks.

• 11% of respondents had had their sites hacked into.

• Only 15% of companies had automated systems for detecting fraud. The vast majority employ expensive and inaccurate manual processes. Only 52% use any external data to verify a customer’s name and address.

• Fraudsters have realised that methods of prevention are currently so inadequate that they need spend little time or effort covering their tracks. Less than 10% of fraudsters bother with a redirection service at the goods delivery address, and only 10% make the effort to set up a false telephone account.
• 58% of companies thought that the fear of fraud was a significant barrier to successful trading on the Internet.

• Although Experian’s own client experience suggested an average level of charge backs of some 2.5% of sales, the survey indicated that retailers were experiencing lower than expected levels of fraud charge backs, with only 20% of companies experiencing charge backs in excess of 1% of sales as a result of fraud. Forty-eight (48) per cent report charge backs of between 0 and 0.5%, and 8% report levels between 0.5% and 1.0%. This may indicate that on-line retailers are reluctant to reveal the true extent of their on-line fraud problem.

On the perception of fraud, 52% of UK Internet retailers claimed that Internet fraud was a problem for their organisation. Added to this, 58% of companies thought that the fear of fraud was a significant barrier to successful trading on the Internet and a similar number (57%) said that they had experienced an increase in fraud since using the Internet. Finally, 52% experienced a higher rate of fraud on the Internet as opposed to other routes to market and the vast majority (70%) thought that the Internet was inherently more risky (Experian, 2000:5).

From figure 2 below it is clear that the growth in e-commerce (turnover) has surpassed the growth in losses relating to e-fraud in recent years.

Figure 2: Growth of e-Fraud and On-line Security Incidents compared to Growth in Web Commerce (or e-commerce) between 1998 and 2002 (Golub 2003:11)

2.1 E-FRAUD IN SOUTH AFRICA

It is difficult to get an indication of the extent of e-fraud in South Africa and the effect that it has on South African e-merchants. One global survey that had significant South African input is the 2001 e.fr@ud survey, the major findings of which were that:

• only 9% of respondents admitted that a security breach had occurred in their organisation within the previous 12 months

• while most believed that the security of credit card numbers and personal information were by far their customers’ most important concerns, fewer than 35% performed security audits on their e-commerce systems, and only 12% had websites bearing the seal identifying that their e-commerce systems had passed a security audit

• 79% stated that the highest probability of a breach occurring to their e-commerce systems would be perpetrated through the Internet or other external access (KPMG, 2001:35).

As indicated in figure 3 below, South African respondents (together with French respondents) perceived the greatest likelihood of e-fraud happening in their organisations:

Figure 3: e-Fraud - Perceived Likelihood of Occurrence (KPMG, 2001:33)

2.1.1 Legislation against Cyber Crime in South Africa

The 2001 e.fr@ud survey found that South Africa had no cyber crime specific laws in place (KPMG, 2001:35).

2.2 PROFILES OF CYBER CRIMINALS

The following kinds of cyber or computer criminals can be identified:

• The outside hacker – with or without criminal objectives, with increasingly sophisticated skills and tools. Even attacks with no direct criminal action can cost a company millions, e.g. hacking into a web server and disabling a website.

• The computer technology insider – disgruntled employees or ex-employees using their knowledge of an organisation’s IT landscape to delete data, expose data publicly, or sell data to competitors. More insider attacks than outsider attacks are reported.

• The white collar criminal – is situation-motivated and sees himself as a business or personal problem-solver rather than as a criminal. The white collar criminal generally begins his/her career trying to hide errors, solve financial problems, get a better job and survive a short-term business downturn, e.g. a loyal and trusted employee in financial difficulties who sells sensitive information to a competitor.

• The career criminal – is an organised criminal with significant skills, resources and high financial gain motivation who views computers as tools of the trade. He works hard at mastering the technology and using it to accomplish his goals just like any other professional, and sometimes makes use of a young technology expert to do the work for him. The significant increase in both college students and unsophisticated fraud perpetrators seems to indicate that the Internet has become the first choice for thieves who, in another age, might have just been “petty shoplifters or locker room pickpockets”.

• The political activist or terrorist – uses computer crime to make a statement, launder money or expose certain information, and can make use of a young technology expert to do the work (cf. UN 1994:7; Groebel et al., 2001:23-24; Centeno, 2002:15; Smith, 1999a:3; & Turnbull, 2001:10).

2.3 PROFILES OF E-MERCHANTS WHO ARE AT RISK

According to Verisign (2001:2), Scutt (2001:7) and Centeno (2002:15), the following e-merchant profiles are at greater risk of certain types of fraud than others:

• Smaller merchants without robust security defences. Inexperienced or small merchants with no or limited risk management tools can fall prey to criminals using sophisticated spidering techniques and intelligent agents to identify vulnerable points. Criminals use this information to break into networks and other ICT infrastructure in order to steal smaller merchants’ account access information for hijacking or merchant takeovers.

• High-visibility merchants. It's a double-edged sword. Merchants need to be visible to attract customers, yet fraud attempts are higher on merchants who advertise heavily or those who are in the news. Criminals know that merchants who are experiencing higher than normal transaction volumes due to a special promotion or a news story have less time to defend themselves against fraud.

• Larger merchants with high transaction volumes. However, given the increasing sophistication of fraud protection systems deployed by larger e-commerce merchants, smaller merchants with little to no protection are starting to become targets of fraud.

• Merchants who sell high unit value goods, such as electronic items and luxury goods that can easily be resold or sold on on-line auctions.

• Merchants hosting on-line auctions, which represent the vast majority of consumer complaints in the US.
• Soft goods merchants - Merchants that sell digital contents or software that can be downloaded from the Internet. The purchase of these goods does not require physical address information e.g. a shipping address, making it easier for criminals to disguise a fraudulent transaction. • Merchants who sell internationally. It is difficult to validate the address or identity of foreign buyers, and it is more difficult to investigate fraudulent activity from an overseas source. • All merchants face an increased risk of fraud during the holiday season and special sales promotions. Criminals know that you have limited time for fraud protection measures when sales volumes are high. Sales double in the 4th quarter, while Internet fraud rates triple. 2.4 BEHAVIOURAL TRAITS ASSOCIATED WITH FRAUDULENT TRANSACTIONS According to Experian (2000:7) the typical modus operandi of UK on-line fraudsters using card not present (CNP) fraud is: 17
  • 18. “Real name at real address but not The fraudster gives a real name and the cardholder’s name” address, which would be verified by a data source like the voters’ roll. The name and address were probably supplied to the voters’ roll for the purpose of fraud but the card number given matched a different name. This suggests inadequate procedures for linking the name, address and cardholder’s name. “Cardholder’s name at real address but The fraudster gives a name that not the cardholder’s address” matches the account name but the address provided does not match the billing address. This again suggests that there needs to be a link between billing address and delivery address. “False name at real address” This can only work where no reference is made to a data source like the voters’ roll when authorising the transaction. “Cardholder’s genuine name and This illustrates a dilemma faced by on- address but parcel delivered to another line retailers who despatch goods to an address” address other than the cardholder’s billing address. In many cases e.g. presents these transactions will be genuine, but the process clearly lends itself to extensive abuse by fraudsters, and is an easy way to defraud an on- line retailer. 
Table 1: Typical Modus Operandi of UK On-line Fraudsters (Experian, 2000:7)

Centeno (2002:15), Scutt (2001:6) and Visa (2002b:1) identify the following behavioural traits associated with fraudulent transactions:

• A first-time shopper performing more transactions than usual, using large order amounts, particularly when purchasing low-cost items
• Ordering several of the same item
• Attempting to make it hard to be traced by rushing orders (willing to pay a lot for expedited delivery), making overnight orders and shipping to Post Office boxes
• Using an anonymous or free e-mail address or free web-based e-mail address
• Requesting the use of a ‘bill to’ address that is different from the ‘ship to’ address, or an international delivery address
• Using one single delivery address and multiple cards
• Using a single card to multiple delivery addresses
• Using multiple cards from a single IP address
• Acting as bogus merchants.
3 E-FRAUD AND ITS EFFECTS ON THE SMALL E-MERCHANT

e-Merchants (the owners of e-business websites) are exposed by codes of conduct and legislation that have been put in place to stimulate public trust in and uptake of e-business:

• Proof of shipping. E-merchants are generally obliged, by their merchant agreement with the bank, to provide proof of shipping before funds are released into their bank accounts, i.e. they have to have shipped the product or inventory to the consumer before the transfer of funds takes place (Mann, 1999:47).
• Card not present transaction. At the same time, on-line transactions are considered "card not present" (CNP) transactions, since the card was not swiped through a point of sale (POS) terminal and the identity of the cardholder could not be verified in person. “Card not present” transactions imply that, should a dispute arise between the cardholder and the merchant (i.e. the cardholder alleges that he never made the transaction), the card company will refund or charge back the cardholder in full (with minimal investigation and for a period of 180 days or 6 months after the transaction date) whilst deducting the whole amount from the merchant as well as deducting a penalty payment from the merchant (Mann, 1999:14; Experian, 2000:7).
• Charge backs. The issue of charge backs is highly sensitive to on-line retailers, and it is difficult to assess the true extent of the problem. In the case of a fraudulent transaction, the e-merchant loses everything: the transaction amount gets withdrawn from his merchant account, a penalty charge is levied and, since the product has been shipped and delivered, the e-merchant suffers the loss of inventory as well as the shipping costs associated with the fraudulent transaction. In some cases, on-line retailers will actually meet the cost of fraud personally to avoid higher charge backs and the risk of losing their merchant’s licence.
As portrayed in Table 2 below, 48% of UK Internet retailers admitted to 0.5% charge backs as a result of Internet fraud; 8% said their level was up to 1%; and 20% said that their level was in excess of 1% of total transactions. However, a significant proportion (23%) refused to answer this particular question (Experian, 2000:7).

Charge backs as a percentage of total transactions    UK Internet retailers
Up to 0.50%                                           48%
1.00%                                                  8%
1.50%                                                  3%
2.00%                                                  3%
3.00%                                                  3%
4.00%                                                  2%
4.50%                                                  2%
5.00%                                                  2%
5-10%                                                  2%
10%+                                                   3%
Refused to say                                        23%

Table 2: Charge Backs as a Percentage of Total UK On-line Transactions (Experian, 2000:7)
The UK Association for Payment Clearing Services (APACS) reported in its 2000 annual review that the major growth areas for card crime were counterfeit and card not present (CNP) fraud, which were largely responsible for the steep increase in losses suffered in 2000 by UK merchants and the financial services industry (Apacs, 2001:23; Experian, 2000:7). Figure 4 below indicates that CNP and counterfeit card fraud made up a total of 55% of all card fraud suffered in the UK. The effect of e-fraud on this trend is clearly visible in the exponential growth of these fraud categories over the preceding decade:

Figure 4: Detailed Breakdown of Credit Card Fraud in the UK for the year 2000 (Apacs, 2001:20)

For the year 2002 Apacs (2003a:18) reported that card not present (CNP) fraud, i.e. fraud committed via mail order, telephone and the Internet, continued to grow (a 6% increase in 2 years if Figure 4 above is compared with Figure 5 below). Apacs (2003a:18) initiated a CNP Fraud Strategy Project that involves the development of sector-based forums of high-risk merchants alongside key banking members. The main objectives include developing best practice material and considering effective, legal forms of data sharing.
Figure 5: Detailed Breakdown of Credit Card Fraud in the UK for the year 2002 (Apacs, 2003a:18). Chart legend, 2002 fraud losses by category: Counterfeit card 35%; CNP / fraudulent possession of card details 26%; Lost / stolen 26%; Mail non-receipt 9%; Application fraud 2%; Other 2%.

Experian (2000:5) found that 77% of on-line retailers in the UK took orders over the phone as well as the Internet; 13% took orders over the Internet only; and 10% took orders only over the phone, directing on-line shoppers to a toll-free number. On a general note, the overwhelming majority (96%) said that they conducted business on-line with card not present (CNP) transactions, and 95% said that their goods were of interest to thieves.

Figure 6: The Exponential Growth of Counterfeit and CNP Fraud (attributable to the effects of e-fraud) in the UK during the decade 1991-2000 (Apacs, 2001:19)

3.1 THE COSTS OF E-FRAUD
Golub (2003:11) estimated the loss to e-merchants in terms of higher fees, charge backs, bank charges, loss of inventory, etc. as a result of the above three points to have been on average 7% of an e-merchant’s turnover in 2002. Verisign (2001:1) details the losses of an e-merchant who processes a fraudulent on-line transaction as:

o Higher discount rate on the merchant account. Because of the higher prevalence of e-fraud, discount rates for on-line transactions are typically 30 to 60 per cent higher than off-line or "brick and mortar" rates.
o The merchant carries the financial loss of a fraudulent on-line transaction. According to CyberSource (2002:7), 31% of UK merchants did not know they were liable for losses incurred as a result of CNP fraud. Many were under the misconception that the credit card company, bank or shopper would pick up the cost.
o Inventory loss and shipping costs for physical goods that are fraudulently purchased and delivered are also carried by the merchant.
o Charge back penalties assessed by the acquiring bank of US$15-US$30 per fraudulent transaction. In the UK, 20 per cent of business-to-consumer retailers are paying charge back fees in excess of one per cent of sales (Experian, 2000:8).
o Increased discount rates assessed to the merchant as a result of processing fraudulent payments.
o Labour cost for the merchant to investigate and resolve the charge back.
o Higher administration costs on orders due to staff spending more time screening orders. This may include calling the customer to confirm the order (CyberSource, 2002:8).
o Fines and cancellation of the merchant account. Five- to six-figure card association fines, or the cancellation of a merchant's account, when card fraud rates are consistently high (cf. also Weber, 2001:8).

• Rejection of non-fraudulent transactions due to fear of fraud.
In addition, according to Gartner Group estimates, merchants reject an estimated 5% of all transactions out of suspicion of fraud, while only 2% of transactions are actually fraudulent. The result is a significant amount of lost sales (up to 3% of sales volume) in an attempt to reduce fraud risk (Verisign, 2001:1). Grant (2002:1) reports that 7% of on-line sales are rejected for potential fraud but just 1.13% are actually fraudulent.

• Non-completion of transactions due to lack of consumer trust. On an industry-wide level, it is also alarming that 23% of potential on-line shoppers do not complete a transaction because of fear and not wanting to enter their personal details on-line (Gobulev, 2003:3).

• Scutt (2001:5) summarises the cost of e-fraud as follows:

Cost of losing “valid” orders          o Loss of order
                                       o Loss of customer loyalty
Cost of managing fraudulent orders     o Manually resolving bad transactions (estimated at up to £40/order)
Bank and card processor fees           o Higher discount rates
                                       o Charge back fees
                                       o Fines
                                       o Termination of service for excessive charge backs
Cost of goods sold                     o Merchants are 100% liable for mail order / telephone order (MOTO) transactions

Table 3: The Costs of e-Fraud (Scutt, 2001:5)

From the above it is clear that some e-merchants stand to lose up to 10% of their turnover (and a much higher percentage of their profit, if any) to fraud-related costs (up to 7%) and the cost of rejecting sales in order to prevent e-fraud (up to 3%). This figure could be reduced by up to one third (4% of turnover) if a way could be found to improve the basis for rejecting potentially fraudulent transactions.

According to Experian (2000:6), UK Internet retailers had a low take-up of automated fraud detection systems, which suggested that such products were scarce or, where available, not being used; this in turn suggested that automated solutions were too expensive. Fifty-five (55) per cent of these retailers employed manual fraud detection systems and only 15% used automated systems. Just over half (52%) said that they used external data to verify either the name or the address of the shopper. Of those that used external information sources, 61% said they used the Postal Address File, which verified that an address was genuine but did not link the address to a name. Thirty-nine (39) per cent used the voters’ roll to verify name and address links; 29% used a telephone CD or bureau service to verify phone numbers; and just 12% checked with a Card Hot List (APACS) to see whether the card number belonged to a stolen credit card. Only 25% of UK Internet merchants asked for a work e-mail address alongside a home e-mail address for added verification when taking an order.
When asked what fraud solutions were most needed, the majority (63%) identified an urgent requirement for instant on-line personal identity verification systems that check both name and address and link cardholder details to a billing address. Many mentioned that more was required from the banks and card issuers to ensure that this requirement was met.

A significant finding of Experian’s (2002:8) research on fraud amongst UK Internet merchants was the lack of sophistication in the modus operandi of Internet fraudsters. It appears that verification systems are so inadequate that fraudsters need make little effort to cover their tracks. In the experience of most on-line retailers, around 10% of fraud takes place with a re-direction service at the end of it, and only 10% of fraud occurs with the fraudster having opened a telephone account in a false name.

Another issue relates to the time delay in identifying that a fraud has been committed. In this respect, the majority of fraud becomes apparent after six weeks. Thirty-three (33) per cent of companies said that it took over two months (eight weeks or more) before they were notified that they had been victims of a fraud, and 18% said that it took between four and seven weeks. During this time, their site was vulnerable to repeat attacks. Interestingly, although the majority said that fraudsters tended to hit once on average, a sizeable number said that they had been hit twice, and 18% said that they were hit on average three times by the same fraudster before the fraud was detected. In fairness, the time delay is often due to the fact that the genuine cardholder has yet to open his/her monthly statement and report “unknown transactions” to the issuer (Experian, 2000:8).

With regard to overseas trading, Experian (2000:9) reports that UK Internet merchants found it difficult to authenticate overseas customers. The most common response from those merchants who traded overseas was the lack of data available to verify whether a name and address provided by a customer was genuine (33% of all companies). The responses to the question about what problems companies faced when trying to establish whether a customer was genuine can be summarised as follows:

Don’t accept non-UK customers or conduct business overseas                                              45%
No way of finding out whether an overseas customer is genuine, through absence of effective databases   33%
Have problems identifying the card issuer                                                               22%

Table 4: Verifying Overseas Orders (Experian, 2000:9)
Experian (2000:9) found a clear reluctance among UK Internet merchants to trade with non-UK customers. Sixty (60) per cent of UK Internet merchants said that only 10% of their Internet business was conducted with overseas customers; 12% said it was between 11% and 20% (see Table 5 below):

Share of Internet business with overseas customers    UK Internet merchants
0-10%                                                 60%
11-20%                                                12%
21-30%                                                 8%
31-40%                                                 2%
41-50%                                                 5%
51-60%                                                 2%
61-70%                                                 2%
71-80%                                                 2%
Don’t know                                             3%
None                                                   5%

Table 5: Trading with Overseas Customers (Experian, 2000:9)

Looking at fraud levels, there was a clear indication that overseas business was more prone to fraud. Twenty-six (26) per cent of the sample said that up to 10% of non-UK card transactions were fraudulent; 13% thought it was between 11 and 20%; and 22% didn’t know the answer (Experian, 2000:9).

Less than half (43%) of those surveyed reported any fraud to the police, and more than half (57%) of those who did encountered a ‘lack of interest’ from the police. More worrying is that a prosecution was set in motion in only 9% of the cases reported to the police. In 12% of cases the businesses tried to recover the defrauded money themselves, most of them opting for a debt recovery agent (Experian, 2000:13).

3.2 E-FRAUD PREVENTION

Due to the impact of e-fraud on consumer trust and the complexity of legal prosecution, more and more emphasis will be placed on fraud prevention as the first step in reducing fraud. Apart from the criminological and legal aspects of e-fraud prevention (e.g. laws with stricter penalties, police having specialised units to track down cyber criminals), two main categories of e-fraud prevention can be recognised:

a. The technological and process-related or “hard” measures of e-fraud prevention
b. The human or “soft” measures of e-fraud prevention (cf. Centeno, 2002:21; Smith, 1999a:7; Smith, 2000:18; Smith, 2002:5).
3.2.1 Hard Measures of e-Fraud Prevention

Different “hard” or technology-based security measures are proposed by card companies and banks to address the on-line payment fraud risks that consumers and merchants face. These measures aim to provide data confidentiality and integrity, and consumer and merchant authentication, for each individual transaction. Payment schemes are promoting security standards and best practice to increase information security at banks, merchants and service providers. The protection of consumers’ PCs is also increasingly stressed. Often overlooked, the vulnerability of the consumer’s PC is considered one of the major security threats by some security experts (Centeno, 2002:21).

Figure 7: Comparison of Fraud Prevention Methods (CyberSource, 2002:8)

3.2.2 Soft Measures of e-Fraud Prevention

Recognising the importance of the human factor in building security, special attention is paid to non-technology-based or “soft” measures, since humans themselves may be the weakest link in securing information systems. The strongest cryptography will not help if a user compromises the password (Centeno, 2002:22). Three main groups of role players would need to be made aware of and educated about the risks of e-fraud:

3.2.2.1 Organisations and Service Providers

Perhaps the greatest risk of fraud to an organisation lies within its own staff. Smith (1999b:4) reports that fraud is most often carried out by employees, particularly at senior management level. The administration of modern technology-based security systems involves a wide range of personnel, from those who manufacture security devices to those who maintain sensitive information concerning passwords and account records. Each has the ability to make use of confidential information or facilities to commit fraud or, what is more likely to occur, to collude with people outside the organisation to perpetrate an offence.
The following appear as key building blocks to reduce e-fraud at service providers:

• Awareness of security risks at all organisational levels
• Education of employees and end-users
• Good internal security managerial, organisational and operational policies and procedures
• Screening and monitoring of employees (Centeno, 2002:23; Smith, 1999b:3).

The table below presents common general security mistakes that people make in relation to computer security:

User Security Mistakes
• Opening unsolicited e-mail attachments without verifying the source or checking the content
• Failing to install security patches (especially for Microsoft Office, Internet Explorer and Netscape)
• Installing screen savers or games from unknown sources
• Not making and testing backups
• Using a modem while connected through a LAN
• Writing down passwords, or even storing passwords in password files
• Leaving the machine on and unattended, and leaving laptops unsecured and unattended
• Poor password selection
• Talking (about confidential data like passwords)
• Failing to do transaction monitoring. Transaction monitoring software that can automatically screen all transactions and report suspicious transactions via an electronic alert is available (cf. Centeno, 2002:23; KPMG, 2000:15; Smith, 1999:5).

Senior Management Security Mistakes
• Assigning unscreened and untrained people to security maintenance and providing neither training nor time to learn
• Failing to see the consequences of poor security. Senior managers, system and network operators in the private sector spend only as much on security as they can justify on business grounds, which may be much less than the business needs. The same is true of government agencies that must work within budget constraints
• Failing to deal with the operational aspects of security, i.e. following up fixes
• Relying primarily on a firewall for security
• Failing to realise how much money the business information and organisational reputation are worth
• Authorising reactive short-term fixes so that problems re-emerge rapidly
• Pretending problems will go away if they are ignored
• Not putting the correct policies and procedures in place to manage fraud
• Failing to do pre-employment integrity screening on relevant employees, and failing to institute red-flag integrity screening of relevant employees during employment
• Failing to keep all personal information in locked files and establish secure procedures for data services, and failing to encrypt all personal and confidential information on computers
• Failing to secure methods for disposing of personal information
• Failing to appoint a 3rd party to carry out privacy audits/investigations that gauge how vulnerable records are to theft
• Failing to verify the professional qualifications and integrity of 3rd party service providers or potential partners
• Failing to limit the use of personal identifiers (Centeno, 2002:23; KPMG, 2000:8; Experian, 2002:7; Smith, 1999b:5; CSTB, 2002:6; Urban, 2003:21)

Table 6: Common Security Mistakes

3.2.2.2 Consumer Awareness

Consumers can play a significant role in reducing merchant fraud risk by playing an active role and adopting a cautious attitude when shopping on-line. Recommendations for fraud prevention are:

• Verify the merchant’s identity, company information (name, physical address and phone number) and use of codes of conduct or trust marks.
• Check the seller’s reputation (in on-line auctions)
• Be suspicious about very advantageous deals from free e-mail addresses
• Check whether the secure socket layer (SSL) protocol is used for data protection
• Check the company’s security policies and tools used, in particular the privacy policy and how personal details may be used
• Look for insurance for buyers
• Pay on delivery or with a credit card, as this generally provides refund rights
• Ask the bank for a random card number option
• Keep a trace (e-mail): print the order screen, the terms and conditions and any communication with the merchant
• Update your virus protection software regularly and whenever a new virus alert is announced in the media
• Do not download files or click on hyperlinks sent to you by people you don’t know
• Use a firewall program
• Use a secure browser
• Always log off and close Web browsers after on-line transactions
• Be careful with programs where merchants or entities want to remember your purchase data and allow you to use it again (e.g. cookies) or server-based payment wallets
• Do not store any financial data on your personal computer
• Before you dispose of an old computer, delete all personal information
• Avoid using easily available information as a password (cf. Centeno, 2002:24; Experian, 2002:7; Urban, 2003:18).

Finally, consumers also have a significant role to play in identifying fraud promptly by analysing their bank and card service provider’s statements in detail. Faster fraud detection can contribute to fraud prevention by blocking a lost, stolen or counterfeited card or other stolen identity data, and by identifying a fraudulent merchant or a fraud pattern (Centeno, 2002:24).

3.2.2.3 Merchant Awareness

The contribution merchants can make to fraud prevention by screening fraudulent transactions is often overlooked. The lack of consumer authentication by issuer banks, combined with merchants’ liability for fraudulent credit card transactions, has motivated the development of merchant-based authentication solutions, reducing on-line fraud by between 66% and 80%. These solutions sometimes combine “hard” and “soft” measures. They include address validation (in the US and the UK), on-line authorisation, customer follow-up (e-mail confirmation, etc.), customer history database consultation, fraud scoring systems, customer data format and content editing, rejecting orders with incomplete information, proof of delivery to the verified billing address, domain site checks, application of additional measures for high-risk purchases (calling the customer, asking for the issuer bank and phone number, asking for the exact name on the credit card), stating on the website that anti-fraud measures have been put in place, etc. (Centeno, 2002:24).

Merchant awareness and education is thus important and, to support it, some US organisations have been identified that provide merchants with information on fraud types, statistics and best practices (cf. Antifraud.com, Scambusters.org). Merchants can do the following to combat the incidence of e-fraud:

• Prevent errors:
  – Prevent duplicate purchases
  – Use pick-lists, where feasible, on the order form
• Collect complete customer billing/shipping information plus phone number and e-mail address for additional fraud screening and to facilitate follow-up communication with the customer
• Establish a process for reviewing suspicious orders
• Examine your charge backs to uncover any gaps to be closed with new rules
• Create negative files to prevent repeat offenders
• Create positive files to maintain customer loyalty
• Inform your customers of the company name that will appear on their statements so that the customers are not surprised (Scutt, 2001:26, 27).

Risk management is effective if it reliably protects the organisation's business goals, assuming that the goals are achievable and sustainable. It is efficient if it does this at the lowest sustainable long-term cost. A framework or model needs to encompass both of these measures, i.e. effectiveness and efficiency, if it is to be truly useful. To do this well, an organisation needs to be good at:

• Defining and articulating its sustainable business goals, and understanding how these goals are achieved
• Identifying and assessing risks that could prevent these business goals from being achieved
• Controlling these risks to the extent that they do not threaten the achievement of the business goals
• Making financial provision for these risks so that financial losses do not threaten the achievement of the business goals
• Ensuring, over time, that the business goals continue to be reliably protected at the lowest overall cost (Caragata, 1997:54).

Potential risks can be dealt with in two different but complementary ways:

• One approach is to apply risk control techniques to mitigate the negative impact that these risks might impose on the business goals, by reducing the potential frequency and/or severity of events that might result in unacceptable loss. This approach includes setting up a business early warning system.
• The second approach, i.e. loss funding, ensures that these losses are adequately funded when they do occur and that cash flows and balance sheets are sufficiently protected (Caragata, 1997:55).
3.2.3 Risk Management Tools Available to Merchants to Combat e-Fraud

The following risk management tools can be employed to protect merchants against e-fraud:

3.2.3.1 Hot Lists

One of the first checks a merchant should put in place on his website or at his call centre is an internal hot list.

• Any person who carries out a fraudulent activity that results in a charge back will have his/her details entered on the hot list. When the fraudster returns to the site and presses the ‘buy’ button to make a purchase, his/her personal details will be checked against the hot list and the transaction will be blocked. Hot lists are not an effective deterrent to fraud on their own. They can only stop repeat offenders from attacking merchants’ websites and call centres and are incapable of detecting first-time fraudsters. And they are frequently out of date: fraudsters’ details only become available when the merchant receives a charge back, which can take up to 90 days to arrive (CyberSource, 2002:8).
• The hot list service of a professional credit bureau can generally be accessed at a cost. These lists are more accurate and may also provide protection against fraudsters attempting to defraud a merchant for the first time.

3.2.3.2 Negative / Positive Files

All Internet merchants should create and maintain:

• Negative files that store all the attributes (e.g. name, address, card, etc.) of orders that resulted in charge backs or were blocked because of attempted fraud.
• Positive files in order to recognise “trusted customers” based on their name, address, card, etc. and therefore skip fraud checks (Scutt, 2001:16).
• Negative and positive files have the benefit of defending the merchant against repeat offenders. Orders from good customers can be identified and processed swiftly. Negative and positive files can be used as the basis for automatic approval/decline.
• One drawback of negative files is that fraudsters rarely come back after being caught out. Good customers’ card numbers that were used in fraud attacks can become embedded in a negative file (Scutt, 2001:17).

3.2.3.3 Velocity Checks

Most merchants will use a velocity check to back up a hot list.

• Whereas a hot list is used to target known criminals, velocity checks are designed to identify fraudsters before they have a chance to act. Retailers look at two patterns of on-line purchasing behaviour, velocity of use and velocity of change, to detect potential fraudsters. Velocity of use covers instances when criminals use fraudulently obtained credit card details to make multiple purchases on one site in the shortest possible time.
Systems that check for velocity of use note how often a certain e-mail address, credit card number or phone number has been used over a certain period to obtain goods, and then block further suspect purchases. Systems that check for velocity of change search for instances where one detail on a credit card, for instance the expiry date, has been changed repeatedly to enable the fraudster to make purchases. Some criminals will have obtained customers’ credit card numbers over the Internet using a card generator. These systems cannot provide fraudsters with expiry dates, so the criminal circumvents the problem by manually inputting different dates again and again until he gets the right one. Merchants can use software solutions on their servers to identify this type of behaviour (CyberSource, 2002:8).
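The two velocity patterns described above, velocity of use and velocity of change, implemented as an added worked example in Python. This is not code from the article or from CyberSource; the 24-hour window, the limits of three uses per e-mail address, card or phone number and two expiry dates per card, the field names and the order stream are all constructed assumptions that a merchant would replace with values tuned from its own order history.

```python
"""Velocity of use and velocity of change checks for card-not-present orders.

Added example, not code from the article or from any product. The window,
the limits, the field names and the sample orders are constructed assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Order:
    ts: datetime
    email: str
    card: str      # a token standing in for the card number; never log full card numbers
    expiry: str    # expiry date exactly as submitted, e.g. "05/05"
    phone: str


class VelocityMonitor:
    """Sliding-window use count per e-mail, card and phone (velocity of use) and
    the set of expiry dates submitted per card (velocity of change)."""

    def __init__(self, window=timedelta(hours=24), max_uses=3, max_expiry_variants=2):
        self.window = window                              # assumed: 24-hour window
        self.max_uses = max_uses                          # assumed: more than 3 uses is suspect
        self.max_expiry_variants = max_expiry_variants    # assumed: more than 2 dates per card
        self._uses = defaultdict(deque)                   # (kind, value) -> timestamps in window
        self._expiries = defaultdict(set)                 # card -> expiry dates seen

    def _prune(self, key, now):
        # Forget activity older than the window so a regular customer is not
        # held against an old burst forever.
        q = self._uses[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def check(self, order):
        """Record the order and return the velocity flags it trips (empty = none)."""
        flags = []
        for kind, value in (("email", order.email), ("card", order.card), ("phone", order.phone)):
            key = (kind, value)
            self._prune(key, order.ts)
            self._uses[key].append(order.ts)
            if len(self._uses[key]) > self.max_uses:
                flags.append(f"velocity_of_use:{kind}")
        # Velocity of change: the same card resubmitted with different expiry
        # dates is the guessing pattern the text describes.
        seen = self._expiries[order.card]
        seen.add(order.expiry)
        if len(seen) > self.max_expiry_variants:
            flags.append("velocity_of_change:expiry")
        return flags


def screen_orders(orders):
    """Run an order stream through one monitor; returns one flag list per order."""
    monitor = VelocityMonitor()
    return [monitor.check(o) for o in orders]


def sample_orders():
    """Constructed stream: four rapid attempts on one card with a changing expiry
    date, unrelated traffic a day later, then the first e-mail address again
    after the window has expired."""
    t0 = datetime(2003, 7, 1, 9, 0)
    m = timedelta(minutes=1)
    return [
        Order(t0,        "buyer@example.com", "card-A", "05/05", "+27-11-000-0001"),
        Order(t0 + 5*m,  "buyer@example.com", "card-A", "06/05", "+27-11-000-0001"),
        Order(t0 + 10*m, "buyer@example.com", "card-A", "07/05", "+27-11-000-0001"),
        Order(t0 + 15*m, "buyer@example.com", "card-A", "08/05", "+27-11-000-0001"),
        Order(t0 + timedelta(hours=25), "other@example.com", "card-B", "01/06", "+27-11-000-0002"),
        Order(t0 + timedelta(hours=25), "buyer@example.com", "card-C", "05/05", "+27-11-000-0003"),
    ]


if __name__ == "__main__":
    for order, flags in zip(sample_orders(), screen_orders(sample_orders())):
        print(order.ts.strftime("%d %H:%M"), order.email, flags or "ok")
```

The third order already trips the velocity-of-change flag (three expiry dates on one card) before the fourth exceeds the use limit, which is the order in which a guessing run shows up in practice. The last order shows why the window matters: the same e-mail address reappears 25 hours later and is no longer counted against the earlier burst. A first-time fraudster who stays under the limits is not caught at all, which is the text's point that velocity checks back up a hot list rather than replace it.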
3.2.3.4 Address Verification System (AVS)

Originally designed for mail order and telephone environments, AVS allows the billing address details provided by the purchaser to be verified against the billing address details held on file by the cardholder’s issuing bank.

• This real-time check is carried out as part of the authorisation process and a response, based on the validity of the address provided, is returned to the merchant. Although not foolproof (as many as 75 per cent of orders receiving a ‘no match’ reading with AVS are valid), this check allows merchants to better control fraud exposure through the knowledge that the billing address given by the consumer can be verified as genuine for that card (CyberSource, 2002:8).

3.2.3.5 Card Verification

• Card verification is a system introduced by several card issuers to assist the acquiring bank, issuing bank and merchant in validating CNP transactions. The check is based on three or four additional digits, distinct from the account number, that are printed on the front or back of the card. They do not appear in either the magnetic stripe or the chip. These digits help to validate the card as genuine and assist in determining that the purchaser is actually in possession of the physical card. As a measure to reduce the risk of fraud, merchants can request these card verification digits on their website payment page or verbally as part of a telephone order (CyberSource, 2002:8).

3.2.3.6 Real-time Authorisation

Real-time authorisation:

• Validates that the card number is valid and that sufficient funds are available
• Validates the expiry date for the card (not all processors)
• Verifies the billing address for the card via AVS (in most cases, US only)
• Where available, verifies the CVV2/CVC2/CID (special 3 or 4 digit PIN code), passed by the merchant, against the code on file for that card (Scutt, 2001:14).
The benefit of real-time authorisation is that there is no need to validate an order once it has been declined. Unfortunately, real-time authorisation does not protect the merchant from charge backs (Scutt, 2001:15).
3.2.3.7 Rules / Exceptions

Rules are typically “if … then” expressions that flag certain types of transactions for review prior to processing.

• Examples:
  o If the Amount is over 500 and the Shipping Type is “express” to a shipping address that does not match the billing address, then review the order before shipping.
  o If more than 2 DVD players were ordered, the Shipping Country is Romania and the Shipping Type is “express”, then review the order before shipping.

The benefit of rules is that they allow the merchant to apply expert knowledge relevant to the business. Rules are customisable and can be modified as market conditions and fraud trends change. Rules make it easy to determine why a transaction was flagged. The main drawback of rules is that they require constant updating and monitoring to ensure that they remain effective. Rules are only as good as the people who build them and they are, therefore, not effective at catching subtle patterns that may not be obvious to the merchant (Scutt, 2001:20).

Use any Boolean expression          Use any field in the database
o =  equal to                       o Billing Address, City, Province, Postal Code
o != not equal to                   o Shipping Address, City, Province, Postal Code
o <  less than                      o Credit Card Number
o <= less than/equal to             o Current Time, Day, Month, Year
o >  greater than                   o Item Count
o >= greater than/equal to          o Quantity of a single item
Use “*” as a wildcard               o Total Cost of Order
Combine statements with             o IP Address
o AND                               o Item Serial Number
o OR

Table 7: Building Rules / Exceptions (Scutt, 2001:19)

3.2.3.8 Statistical Models

Statistical models, like a risk scoring facility, are essentially “learn by example” tools that test the transaction attributes of an incoming Internet order against known fraudulent activity listed in the statistical model database. The output of a statistical model is typically a risk score (e.g. 1-100). Statistical models leverage historical and forensic data in order to catch new fraud attempts.
The risk score is determined by evaluating numerous factors simultaneously. Subtle patterns that would normally be overlooked by the merchant are highlighted by the statistical model. Unfortunately, most merchants do not have the ample, accurate and cleansed historical data that a statistical model requires in order to provide accurate results. Since multiple factors contribute to the risk score, it is sometimes difficult to interpret the score (Scutt, 2001:22).
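As an added example (not code from the article or from the tool Scutt describes), the following Python sketch evaluates rules of the kind set out in 3.2.3.7 and Table 7: field comparisons combined with AND / OR, “*” as a wildcard, and the two example rules from the text. The order field names, the third rule (a constructed watch-listed IP range in the 203.0.113.0/24 documentation block) and the sample orders are assumptions for illustration.

```python
"""Rule / exception screening in the style of Table 7: rules combine field
comparisons with AND / OR and accept "*" as a wildcard.  Added example, not
code from the article; field names, the third rule and sample orders are constructed."""
import operator
from fnmatch import fnmatchcase

OPS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt,
       "<=": operator.le, ">": operator.gt, ">=": operator.ge}

def holds(order, cond):
    """Evaluate one (field, operator, value) comparison against an order.
    A value written as "field:<name>" compares against another order field."""
    field, op, value = cond
    actual = order.get(field)
    if isinstance(value, str) and value.startswith("field:"):
        value = order.get(value[6:])
    if isinstance(value, str) and "*" in value:          # wildcard comparison
        hit = fnmatchcase(str(actual), value)
        return hit if op == "=" else not hit
    return OPS[op](actual, value)

def fires(order, rule):
    """A rule fires when every 'all' condition holds (AND) and, if an 'any'
    list is given, at least one of those holds (OR)."""
    return (all(holds(order, c) for c in rule.get("all", ())) and
            (not rule.get("any") or any(holds(order, c) for c in rule["any"])))

RULES = [  # first two are the article's examples; the third is constructed
    {"name": "high value express order to a different address",
     "all": [("total_cost", ">", 500), ("shipping_type", "=", "express"),
             ("shipping_address", "!=", "field:billing_address")]},
    {"name": "bulk DVD players express to Romania",
     "all": [("qty_dvd_player", ">", 2), ("shipping_country", "=", "Romania"),
             ("shipping_type", "=", "express")]},
    {"name": "watch-listed IP range or mismatched postal codes",
     "any": [("ip_address", "=", "203.0.113.*"),
             ("shipping_postal_code", "!=", "field:billing_postal_code")]},
]

def sample_order(**fields):
    """Constructed sample order with unremarkable defaults; override any field."""
    base = {"total_cost": 120, "shipping_type": "standard", "shipping_address": "8 Elm St",
            "billing_address": "8 Elm St", "shipping_country": "South Africa",
            "qty_dvd_player": 0, "shipping_postal_code": "2000",
            "billing_postal_code": "2000", "ip_address": "198.51.100.7"}
    return {**base, **fields}

def screen(order, rules=RULES):
    """Return the names of all rules that flag the order for review."""
    return [r["name"] for r in rules if fires(order, r)]
```

Because each rule carries a name, the output of screen() also records why an order was flagged, which is the explainability advantage the text attributes to rules.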
3.2.3.9 Hybrid Solution (Arsenal Approach)

A hybrid solution combines the attributes of the above strategies, for example:
• Rules to enforce business rules or weed out blatantly fraudulent transactions
• Real-time Authorisation to validate the credit card number
• A Statistical Model to evaluate the overall risk
• Rules to determine whether to Accept, Reject or Review the order (Scutt, 2001:24).

The overall return on investment (ROI) depends on many factors:
o Overall fraud rates
o Total volume of transactions
o Margin on transactions
o Cost to review an order
o In-house risk management expertise.

A multi-tool (hybrid) solution typically leads to the highest ROI because better screening reduces the volume of orders to be reviewed (Scutt, 2001:24).

E-business was hailed as the great equaliser a few years ago, as it enabled small merchants to compete on an equal footing with large multinationals, selling to a potential international client base. With regard to e-fraud and its prevention, the statistics and numbers above have shown that it is becoming very difficult for smaller e-merchants to survive and remain profitable if they cannot afford to subscribe to the available fraud prevention services that would allow more accurate screening of transactions.
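As an added example (not the article's own code), the following Python sketch strings a small arsenal together in the order described above: the most basic card-number algorithm check (the level of verification 5.1 below warns is the weakest), a “learn by example” risk score of 1-100 built from historical orders in the manner of 3.2.3.8, and a final rule layer that maps the score to Accept, Review or Reject. The order history, feature names, card numbers and thresholds are all constructed assumptions.

```python
"""Hybrid (arsenal) screening: a basic card-number algorithm check, then a
learn-by-example risk score (1-100) trained on constructed historical orders,
then rules mapping the score to Accept / Review / Reject.  Added example, not
the article's code; every order, card number and threshold is constructed."""
import math
from collections import Counter

FEATURES = ("country", "ship", "addr_match")
# Constructed history: (card country, shipping type, address match, charged back?)
RAW = [("ZA", "standard", True, False), ("ZA", "standard", True, False),
       ("ZA", "express", True, False), ("ZA", "standard", True, False),
       ("US", "standard", True, False), ("ZA", "standard", False, False),
       ("GB", "express", True, False), ("RO", "express", False, True),
       ("RO", "express", False, True), ("US", "express", False, True)]
HISTORY = [(dict(zip(FEATURES, r[:3])), r[3]) for r in RAW]

def luhn_ok(number):
    """Most basic check only: is the card number theoretically possible?"""
    digits = [int(d) for d in number if d.isdigit()][::-1]
    total = sum(d if i % 2 == 0 else (d * 2 - 9 if d >= 5 else d * 2)
                for i, d in enumerate(digits))
    return len(digits) >= 13 and total % 10 == 0

def train(history):
    """Count how often each feature value appears in fraudulent and legitimate orders."""
    model = {"n": Counter(), "counts": Counter(), "values": {f: set() for f in FEATURES}}
    for attrs, is_fraud in history:
        model["n"][is_fraud] += 1
        for f in FEATURES:
            model["counts"][(is_fraud, f, attrs[f])] += 1
            model["values"][f].add(attrs[f])
    return model

def risk_score(model, order):
    """Naive-Bayes log-odds of fraud with add-one smoothing, mapped onto 1-100."""
    n, counts = model["n"], model["counts"]
    log_odds = math.log(n[True] / n[False])
    for f in FEATURES:
        k = len(model["values"][f])              # distinct values seen for this field
        p_fraud = (counts[(True, f, order[f])] + 1) / (n[True] + k)
        p_legit = (counts[(False, f, order[f])] + 1) / (n[False] + k)
        log_odds += math.log(p_fraud / p_legit)
    return max(1, min(100, round(100 / (1 + math.exp(-log_odds)))))

def decide(model, order, review_at=40, reject_at=80):
    """Final rule layer: impossible card numbers are rejected outright, the rest by band."""
    if not luhn_ok(order["card"]):
        return "Reject", 100
    score = risk_score(model, order)
    return ("Reject" if score >= reject_at else
            "Review" if score >= review_at else "Accept"), score
```

With only ten constructed history records the smoothing dominates the score, which illustrates the text's point that a merchant without ample, clean historical data gets a model that is hard to trust or interpret.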
4 THE FUNDAMENTALS OF PREDICTIVE FORENSIC PROFILING

4.1 THE PARETO PRINCIPLE

It is nearly a century since Vilfredo Pareto (1848 - 1923) defined what became known as the Pareto principle (cf. Pareto, 1906). Commonly known as the 80/20 rule, the Pareto principle describes the distribution of wealth: in any population that contributes to a common effect, relatively few of the contributors account for the bulk of the effect. JM Juran was the first person to generalise the Pareto principle and apply it to all areas of business as a means of focusing on the real problems or issues. Juran, the father of quality control, coined the phrase 'the vital few and the trivial many' that is regularly used to describe the Pareto principle. The Pareto principle is generally used in conjunction with the Lorenz curve (and the Gini Index) as a graphical representation of the actual deviation from an equal distribution (cf. Lorenz, 1905).

More recent research confirms that the Pareto principle is surprisingly accurate in almost all industry verticals. The following trends can be found at the bottom end of the customer base:
• On average, 20% of a company’s customers contribute up to 85% of the profits, whilst 40-50% of customers eliminate 50% of the profits
• 50-60% of all customers are marginal or unprofitable
• Unprofitable customers account for 35-45% of activity costs
• Unprofitable customers consume 25-55% of total resources
• Very small unprofitable customers consume more resources than all profitable customers combined
(cf. Buttle, 1999:5; Caufield, 1999:4; Hales, 1995:30; Humbarger, 2002:5; Reichheld & Sasser, 1990:108).

The Pareto principle can be applied to three scenarios as far as the smaller e-merchant is concerned:

• 1. Reduce the number of good transactions rejected as a precaution. In an attempt to minimise fraud, e-merchants are refusing suspicious transactions worth between 5% and 7% of total turnover. Research indicates that, of those rejected, the fraudulent transactions amount to between 2% and 3% of total turnover. This leaves transactions to the value of 3% to 4% of total turnover that actually come from good customers who were rejected as a precaution.
o If 20% of the good customers that were rejected are responsible for 80% of the lost turnover, identifying only 0.4% to 0.6% of the rejected customers could add 2.5% to 4% of total turnover to the bottom line.
• 2. Reduce the impact of the most damaging fraudsters. If 80% of fraud-related losses can be ascribed to 20% of fraudulent customers, fraud rates could be dramatically reduced if we could reduce the number of transactions from customers that fall into that 20% category.
o If we could find a way to reject orders from three quarters of the 20% most damaging customers, fraud-related losses could be reduced by 60%. If the fraud-related losses of the average e-merchant are 7% of total turnover, that would lead to an increase of 4.2% in total turnover.
• 3. Increase the impact of the best customers. If 20% of good customers are responsible for 80% of total turnover, the early identification of such customers will help us to serve them faster and better, which will lead to greater customer satisfaction and sales revenue from this vital 20% of the customer base.

If we do not take into account the benefit of serving the 20% of customers that account for 80% of turnover better, and only focus on reducing the number of good orders that are rejected as well as reducing the impact of the worst 20% of fraudsters, the impact on an average e-merchant’s business could be the following:

Small e-Merchant with annual turnover of 300,000.00

Scenario 1: Current Situation
Income                                                        300,000.00
    Sales                                                     300,000.00
Expenditure                                                   321,000.00
    Staff                                                      60,000.00
    Stock                                                     150,000.00
    Shipping                                                   40,000.00
    IT, Hosting, etc.                                          60,000.00
    Merchant Fees & Bank Charges                               11,000.00
Profit (- Loss)                                               -21,000.00

Scenario 2: Situation after Improvements
Income                                                        322,350.00
    Sales                                                     300,000.00
    Improvements                                               22,350.00
        Reduce amount of good transactions that were
        rejected as a precaution @ 3.25% of turnover            9,750.00
        Reduce the impact of the most damaging
        fraudsters @ 4.2% of turnover                          12,600.00
Expenditure                                                   321,000.00
    Staff                                                      60,000.00
    Stock                                                     150,000.00
    Shipping                                                   40,000.00
    IT, Hosting, etc.                                          60,000.00
    Merchant Fees & Bank Charges                               11,000.00
Profit (- Loss)                                                 1,350.00

Table 8: Practical Example based on a Small e-Merchant Scenario
4.2 A DEFINITION OF PREDICTIVE FORENSIC PROFILING

In order to achieve the improvements as per the two scenarios in Table 8 above, and assuming that the small e-merchant cannot afford any sophisticated fraud prevention services or software, the following actions could be taken:

Reduce the number of good transactions that were rejected as a precaution (an average 3.25% of turnover):
• Establish a profile of good clients (Forensic)
• Establish a profile of all fraud attacks (Forensic)
• Use industry trends and research to refine the fraudulent transaction risk profile (Predictive)

Reduce the impact of the most damaging fraudsters (4.2% of turnover):
• Establish a profile of the top 20 most damaging fraudulent transactions and compare it with the profile of all fraud attacks (Forensic)

Three of the four activities identified above can be classified as forensic profiling activities. Forensic profiling can be defined as retrospectively analysing behavioural data in order to arrive at a profile that could help with the early identification of a similar profile in future. Predictive profiling can be defined as creating a predicted model or profile, based on external data, that could help with the early identification of an instance of the predicted model or profile in future.

Combining the two forms of profiling in the four activities above should give the small e-merchant some protection against e-fraud. It is vital to note, however, that the fraudsters’ modus operandi changes and that any profile created must be kept up to date to remain accurate. In the next section, some practical steps a small e-merchant could take are discussed.
5 THE PRACTICAL APPLICATIONS OF PREDICTIVE FORENSIC PROFILING

If it is indeed possible to achieve the improvements as per Table 5 above, it may well be viable for the smaller e-merchant to introduce a simple yet effective fraud reduction strategy. Combining predictive rules based on international statistics with a merchant’s own forensic data could have a marked impact on a smaller merchant’s profitability and turnover. The following strategy may be of help to smaller e-merchants.

5.1 VERIFICATION PROVIDED BY CREDIT CARD COMPANY

Credit card companies are developing more and more products designed to protect against losses relating to NCP transactions. Note that verification differs in its extent, and the e-merchant should be careful to understand the exact features and extent of the verification service offered by the credit card company. Verification can range from the most basic algorithm check (i.e. only checking whether the card number is theoretically possible, so that fraudulently generated card numbers would still pass verification) to sophisticated verification services that verify that the number exists and that the details supplied (e.g. expiry date, billing address) are correct. In most cases verification does not protect the merchant in the event of a charge back. Where available (and affordable), the smaller e-merchant should subscribe to services such as real-time verification (where all details are verified with the credit card company in real time, while the order is being processed).

5.2 RULES / EXCEPTIONS

A red-flag, rules-based “early warning system” can be put in place by most e-merchants with little effort. A simple Excel spreadsheet with a drop-down questionnaire or a simple Access database could allow employees processing orders to identify and escalate potentially fraudulent orders. A predictive example of rules, based on current e-fraud statistics, could be:

Is this an overseas order?   Yes
If Yes, which continent?   Africa
If Yes, which country?   Algeria
If No, which province?
Does the credit card issuer country correspond with the delivery and billing address? (i.e. someone living in Johannesburg is unlikely to use a CC issued by an American bank.)   Yes
Has the customer ever ordered before?   Yes