The Rippleshot Data Breach Blog

"Ship To" Address Changes: A Growing Concern For e-Commerce Fraud

Written by Zach Walker | Dec 3, 2015 9:30:00 PM

 

Pat yourself on the back: we survived Black Friday and Cyber Monday. For consumers that did not fight the crowds at their favorite retailer or visit their respective websites, holiday shopping for 2015 is underway.

As we get closer to the holidays, more and more consumers are receiving their new EMV credit and debit cards, promoting more secure transactions at brick-and-mortar locations. Fraudsters, on the other hand, have been eagerly awaiting this time of year and will utilize a variety of tactics to maximize their profits at our expense. One of these tactics has been widely used for several years, and yet consumers still fall victim to this type of fraudulent activity.

What Is The Issue

A change in a customer’s shipping address after an online transaction has been completed is recognized as one of the key signs of a criminal’s intent to commit fraud. Before getting to how that plays out, let’s look at what type of sensitive data fraudsters are stealing and how they are able to do so.

With traditional payment cards, there are at least two tracks of data encoded on the magnetic stripe. While most point-of-sale (POS) terminals are programmed to read both tracks, each individual track holds sufficient payment data to process a transaction. Everything from the account holder’s name and primary account number to their card’s expiration date and PINs are stored in these tracks. E-commerce transactions, on the other hand, provide far less sensitive information, which prevents any stolen card data from being used in a card-present (CP) transaction.

For card-present transactions, track data is generally stolen in two primary places – at the storefront POS terminals, or at a centralized back of house server. And for card-not-present (CNP) transactions, the data is most often stolen from an application server where customer information is being stored. 

Account Take-Over

During a Rippleshot conversation with a major card network, an instance of this fraud tactic came up, one that targeted a consumer's transaction at a global retailer. After this consumer made a purchase online from an IP address in Utah, said retailer received a call from a fraudster attempting to change the “ship to” address to an address in Florida. The majority of retailers flag transactions with different billing and shipping addresses for manual review, as these transactions can often indicate an account takeover. Fraudsters have even thought of a work-around to this verification: changing the victim's billing address to match the shipping address.

With nearly 700 publicly announced data breaches in 2015 alone, there is a colossal amount of stolen personal identifying information (PII) available to fraudsters. Thanks to the payment technology housed within the chip-embedded payment cards, it is more difficult for fraudsters to steal payment card data at the POS. The next best option is for fraudsters to get the payment cards directly from the bank, by either stealing an identity and applying for a new account, or taking over an existing account and getting a new card mailed directly to them. As the UK continued its nationwide rollout of chip-and-PIN cards in 2005, losses from card identity theft rose 51%, from £31M in 2005 to £47M in 2008.

With online spending in the U.S. expected to rise from $262B in 2013 to $440B by 2017, a compounded annual growth rate of 13.8%, the U.S. should prepare for a spike in CNP fraud losses and instances of fraudulent new account or account takeover. Driven largely by the anticipated increase in e-commerce transactions, CNP fraud is expected to be nearly 4 times greater than POS fraud in 2018.

What Can We Do To Curtail This?

For e-commerce merchants that are determined to limit their fraudulent online transactions, using a transaction-based scoring system can help identify potentially fraudulent transactions. However, there are a few scenarios that could indicate online card fraud. One such scenario is a series of transactions that are shipped to a single address but are purchased with various cards. In another scenario, merchants would be wise to flag transactions where a customer offers multiple payment cards, in quick succession, when the previously entered cards are declined. These are just two scenarios involving e-commerce fraud that affect merchants on a daily basis.
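The two scenarios above can be written as simple rules over an order log. The following is an added example, not Rippleshot's code: the event fields, card tokens, thresholds and sample events are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data); "card" is a hypothetical card token.
EVENTS = [  # (timestamp, session, card, ship_to, status)
    ("2015-12-01T10:00:00", "s1", "tokA", "12 Elm St, Provo UT", "approved"),
    ("2015-12-01T11:30:00", "s2", "tokB", "9 Bay Rd, Tampa FL", "approved"),
    ("2015-12-01T12:10:00", "s3", "tokC", "9 bay rd  Tampa, FL", "approved"),
    ("2015-12-01T13:45:00", "s4", "tokD", "9 Bay Rd, Tampa FL", "approved"),
    ("2015-12-01T14:00:00", "s5", "tokE", "4 Oak Ave, Boise ID", "declined"),
    ("2015-12-01T14:01:10", "s5", "tokF", "4 Oak Ave, Boise ID", "declined"),
    ("2015-12-01T14:02:05", "s5", "tokG", "4 Oak Ave, Boise ID", "approved"),
]

def normalize(addr):
    """Collapse case, punctuation and spacing so trivial variants match."""
    kept = "".join(c for c in addr.lower() if c.isalnum() or c.isspace())
    return " ".join(kept.split())

def shared_ship_to(events, min_cards=3):
    """Scenario 1: orders shipped to one address but paid with various cards."""
    cards = defaultdict(set)
    for _, _, card, ship_to, status in events:
        if status == "approved":
            cards[normalize(ship_to)].add(card)
    return {a: sorted(c) for a, c in cards.items() if len(c) >= min_cards}

def card_cycling(events, window=timedelta(minutes=5), min_cards=3):
    """Scenario 2: a session offers new cards quickly after earlier declines."""
    by_session = defaultdict(list)
    for ts, session, card, _, status in events:
        by_session[session].append((datetime.fromisoformat(ts), card, status))
    flagged = set()
    for session, attempts in by_session.items():
        attempts.sort()
        chain = {attempts[0][1]}  # cards tried in the current decline chain
        for (t0, _, prev), (t1, card, _) in zip(attempts, attempts[1:]):
            if prev == "declined" and t1 - t0 <= window:
                chain.add(card)
            else:
                chain = {card}  # chain broken: previous card worked or gap too long
            if len(chain) >= min_cards:
                flagged.add(session)
    return sorted(flagged)

if __name__ == "__main__":
    print("shared ship-to:", shared_ship_to(EVENTS))
    print("card cycling:", card_cycling(EVENTS))
```

Flags like these are inputs to manual review or a transaction score rather than automatic declines, since a shared address can also be an office or a package-forwarding service.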
