Patrick Lambert looks at the vulnerable area of online payment fraud. Is there a way to make payment forms both convenient and secure?
If you purchase through online stores on a regular basis, you probably know the pain that online forms can be. They typically ask for a lot of information in order to process your payment, just like the example portrayed here.
You may be asked for your full name, address, phone number, card number, card type, expiration date and security code. Then of course there is the captcha entry, and you typically have to confirm an email address and create an account on the site. In short, this is a pain. But why are online payment forms so complex? Various reasons can be offered, such as the site's attempt to gather as much information about you as possible, but the usual explanation is fraud prevention. Yet how hard is it, really, to design a payment form that is both safe from fraud and easy for users to fill in?
Payment forms are just like any other UI element of a site. They have to be well designed, and marketers spend a lot of time tweaking, testing, and redesigning them in order to get the highest possible conversion of paying customers. So it is no surprise that the marketing department is usually not happy with the security people who tell them that their form will require 15 input fields. The longer the form, the more time people have to spend filling it in, which means many will give up. By making it harder for users to send you money, you inherently reduce your conversion rate and your total profit. This is why PayPal has become such a popular way to send money and receive payments, and why so many other solutions have been attempted and failed to gain traction. Once most of the online world has a PayPal account, and many sites accept money that way, processing payments becomes trivial. All you need to do is log in to your PayPal account and click the Buy button.
Some people think that long forms are not necessary in order to fight fraud. Firms like Sift Science, which monitors online fraud, have recently claimed that you only need two fields or 20 characters in order to take online payments, far less than what almost every site asks for. The problem, of course, is that unless your fraud detection intelligence is bulletproof, you have no recourse should something bad happen, and you make it much easier for fraudsters to use your site. The black market for stolen credit cards is vast, and right now people can buy stolen details for less than a dollar per account. Fortunately, there are many ways to combat this, and if you intend to implement your own online payment system for your business or site, these are things you may want to know.
The first method is called AVS, or address verification service. This is the reason why every credit card form asks for your full address. It allows your shopping cart system to compare the address entered by the user with what the credit card company has on file. This is a fairly weak method, because finding someone's address is very easy, and most stolen credit cards come with the holder's address. Another method is called CVV, the security number printed on the back of the card. Again, this will help stop some fraud, but CVV numbers are also fairly easy to get in the Internet underground. According to a study, asking for the full address and CVV number will decrease your conversion rate by up to 40%, which is huge. So this is always a balance between what you want to ask in order to reduce fraud, what you need to ask for compliance reasons, and how much business you will likely lose because of it.
Large online retailers have become masters of fraud prevention, and the bad guys know it. This is why people dealing in stolen financial data won't go to Amazon or NewEgg. Instead they will browse the web looking for a small business, a site that accepts payments but may not have the same security — a site like yours. This type of event happens all the time, and just last week a small indie game developer lost over $30,000 in chargeback claims because 1,341 digital codes were purchased using stolen credit cards, all within days of their game's release. For the thieves, this process is really simple, especially because everything here is digital. They buy stolen financial data for less than a buck apiece, buy a bunch of game codes, then set up fake stores where they sell these codes at a lower rate. People buy them using real credit cards, and the thieves run away with the money. Once the people whose cards were stolen file chargeback claims, the developer is the one in the red.
How to prevent fraud on online payments
So how can you increase your security while still having a good user experience? In this particular case, it seems that those codes were bought in large numbers from a single region of the world. Any modern shopping cart system should be able to track user behavior. Is the user browsing through the site and then heading to the checkout page, or are you seeing a bunch of automated bots going straight to the checkout page without ever visiting any other page? That should be a red flag that something fishy is going on. Sites like Amazon, eBay and PayPal all use advanced IP and geolocation tracking as well. If your IP is from Romania and you buy using a card from Canada, that is obviously another red flag. The same goes if you try to ship the item to another country, or if you log into your account from a different IP than usual. There are online services that offer all kinds of geolocation technologies, along with databases of locations that developers can use in their own systems.
The bottom line is that fraud prevention is hard, and the only way companies succeed at it is by combining a number of factors, each of which may be an inconvenience for users. You can use IP tracking, geolocation, browser user agent, intelligence tracking, proxy and Tor detection, CVV, AVS, DRM, and so on. Which methods you use is up to you: the more you do, the less likely your business or site will suffer from fraudulent activity, but the more it may impact your conversion rate as well. In the end, most small businesses can't properly handle all of that, and they either outsource the process to someone else by using something like PayPal, CCbill, or Google Checkout, accepting that they will have to pay a transaction fee for the convenience, or they try to implement their own process and quickly find themselves on the list of sites hackers most prefer to defraud. The choice is up to you.
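The signals described in the two paragraphs above (a buyer who goes straight to checkout, an IP country that does not match the card's issuing country, shipping to another country, logging in from an unusual location, AVS or CVV failure, and a burst of orders from one region) can be combined into a simple rule-based risk score. The following is an added example, not code from the article or from any of the services it names. The `Checkout` record, the rule weights, the velocity window and the approve/review/decline thresholds are all illustrative assumptions; the sample orders are constructed. The "login from another IP" signal is generalised here to the country the account normally logs in from, which is also an assumption.

```python
"""Rule-based checkout risk scoring (added example, not the article's code).

Each rule maps one of the red flags the article lists to a weight. The
weights, the velocity window and the decision thresholds are illustrative
assumptions; a real deployment would tune them against its own chargeback
history.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple


@dataclass
class Checkout:
    order_id: str
    account_id: str
    timestamp: datetime
    ip_country: str           # country from an IP geolocation database
    card_country: str         # issuing country of the card
    ship_country: str         # shipping/billing country entered by the buyer
    usual_country: str        # country the account normally logs in from (assumption)
    pages_before_checkout: int  # pages viewed in this session before checkout
    avs_match: bool           # address verification result from the processor
    cvv_match: bool           # CVV check result from the processor


# Illustrative weights (assumption): how much each red flag adds to the score.
WEIGHTS = {
    "ip_card_mismatch": 30,
    "ship_country_mismatch": 20,
    "unusual_login_location": 15,
    "straight_to_checkout": 25,
    "avs_fail": 20,
    "cvv_fail": 40,
    "velocity_region": 35,
}

VELOCITY_WINDOW = timedelta(hours=24)   # assumption
VELOCITY_LIMIT = 10                     # orders from one IP country per window (assumption)


def score_checkout(order: Checkout, history: List[Checkout]) -> Tuple[int, List[str]]:
    """Return (risk score, list of triggered rule names) for one checkout."""
    reasons: List[str] = []
    if order.ip_country != order.card_country:
        reasons.append("ip_card_mismatch")
    if order.ship_country != order.card_country:
        reasons.append("ship_country_mismatch")
    if order.ip_country != order.usual_country:
        reasons.append("unusual_login_location")
    if order.pages_before_checkout == 0:
        reasons.append("straight_to_checkout")
    if not order.avs_match:
        reasons.append("avs_fail")
    if not order.cvv_match:
        reasons.append("cvv_fail")
    # Velocity: many orders from the same IP country inside the window,
    # counting this order as well.
    window_start = order.timestamp - VELOCITY_WINDOW
    recent = [h for h in history
              if h.ip_country == order.ip_country
              and window_start <= h.timestamp <= order.timestamp]
    if len(recent) + 1 > VELOCITY_LIMIT:
        reasons.append("velocity_region")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(score: int) -> str:
    """Map a score to an action using illustrative thresholds (assumption)."""
    if score >= 60:
        return "decline"
    if score >= 30:
        return "review"
    return "approve"


# Constructed sample data.
NOW = datetime(2024, 1, 1, 12, 0, 0)

LEGIT = Checkout("o-1", "alice", NOW, "CA", "CA", "CA", "CA", 7, True, True)
SUSPECT = Checkout("o-2", "bob", NOW, "RO", "CA", "US", "CA", 0, False, True)


def build_sample_history(n: int = 10) -> List[Checkout]:
    """Constructed burst of n orders from one region within the last hour."""
    return [Checkout(f"h-{i}", f"acct-{i}", NOW - timedelta(minutes=5 * i),
                     "RO", "CA", "US", "CA", 0, False, True)
            for i in range(n)]


if __name__ == "__main__":
    for order in (LEGIT, SUSPECT):
        score, reasons = score_checkout(order, build_sample_history())
        print(order.order_id, score, decide(score), reasons)
```

Run stand-alone, the legitimate order scores 0 and is approved, while the suspect order trips every rule except the CVV check and, once the burst of orders from the same region is taken into account, lands well past the decline threshold. The point of structuring it this way is that each rule is cheap to evaluate, the reasons list gives the merchant something to act on in manual review, and each weight can be relaxed or tightened independently to trade fraud exposure against conversion rate.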