asp tutorials, asp.net tutorials, sample code, and Microsoft news from 15Seconds
Eliminating Some Credit Card Risk for E-Business
By Michael Chiam
    Introduction

    Credit card fraud is the biggest risk for e-merchants. While all businesses accepting credit cards face this, the Internet merchant is even more exposed. Brick-and-mortar businesses can verify a signature to prove the authenticity of the payment, but there is no such protection for businesses on the Internet. Due to this increased risk, the credit card banks hold Internet merchants 100% liable for the losses and expenses incurred as a result of credit card fraud. The defrauded merchants not only suffer the loss of product or services, but they are also expected to pay a charge to defray the expenses the bank incurred from dealing with the fraud.

    The amount of money lost to online credit card fraud is staggering. One market report estimated that Internet businesses suffered more than $230 million in losses in 1999 as a result. (See http://www.verifyfraud.com/merchantsite/highercost.asp for more information.) In a Forbes magazine report, the estimate for 2000 was over $600 million. (See http://www.forbes.com/2000/06/21/mu6.html for more information.) Another report states that in the UK, 9 out of 10 e-businesses were hit by online credit card fraud. Judging from these figures, estimates are that about $18 billion will be lost in 2002.

    Internet businesses hardest hit by credit card fraud include computer suppliers (hardware and software), electronics, and music/game Web sites. This is primarily due to the products' popularity, the ease of resale, and the speed with which a criminal can dispose of them and turn a profit. With the increase in e-commerce business, it's certain that the amount of money lost to fraud will increase exponentially.

    The main reason credit card fraud is so high for Internet businesses is the anonymity of the entire transaction. A "fraudster" makes purchases without presenting an actual credit card, signing a receipt, or being seen. Additionally, if physical goods are involved, the criminal will most often use a temporary address to receive shipment. These factors make it very difficult for a small- or medium-sized e-enterprise to track down even a fairly novice online culprit.

    Proactive Solutions

    While it is difficult to prevent credit card fraud, large e-commerce companies have begun to build systems that proactively check parameters entered on an order form while it's being processed. Many telltale signs in the submitted data can identify a transaction as fraudulent. For example, a survey of more than 200 companies performed by the Saint Hamilton Group shows 163-plus companies reported seeing vulgar words entered as either a first name, a last name, or part of an address in an online order form. The same survey also reports that companies linked directly to their bank processors in real time via the Web were most susceptible to online credit card fraud. Therefore, I decided to develop a solution that would cut down on such incidents and created a component called SC Profanity Check.

    SC Profanity Check

    SC Profanity Check is meant to check data form fields for profanity. If profanity is found, it notifies the end user that the system has detected a potential fraud. Note that such an approach often tells the culprit they've been detected, thus scaring the hacker into either aborting the transaction or submitting their real information. You can download the component here.

    Review the following HTML code:

    
    <html>
    <body>

    <br>
    <!-- Posts the "textfield" value to demo1.asp -->
    <FORM action="demo1.asp" method="post">
    <center><table BORDER=0 CELLSPACING=0 CELLPADDING=0 COLS=1 WIDTH="50%">
    <tr>
    <td>
    <table BORDER=0 CELLSPACING=5 CELLPADDING=5 COLS=1 WIDTH="100%" BGCOLOR="#000066">
    <tr>
    <td><b><font face="Arial,Helvetica" color="#FFFFFF" size=-1>SC Profanity Check</font></b></td>
    </tr>
    </table>

    <br>
    <table BORDER=0 CELLSPACING=5 CELLPADDING=5 COLS=2 WIDTH="100%">
    <tr>
    <td><font face="Arial,Helvetica" size=-1>Text Field</font></td>

    <td><input type="text" name="textfield" size="30"></td>
    </tr>

    </table>

    <br>
    <div align=right><input type="submit" name="enter" value="Check For Profanity"></div>
    <br>
    </td>
    </tr>

    </table></center>
    </FORM>
    </body>
    </html>
    
    

    Now look at how a few lines of code can help prevent credit card fraud.

    
    <HTML>
    <HEAD>
    	<TITLE>SC Profanity Check Demo</TITLE>
    </HEAD>

    <BODY>

    <%
    Dim testword, test, result

    ' Value posted from the "textfield" input on the form page
    testword = Request.Form("textfield")

    ' Create the SC Profanity Check component and run the check once
    Set test = Server.CreateObject("scprofanitycheck.profanity")
    result = test.IsProfanity(testword)

    If result = "True" Then
      Response.Write "SC Profanity Check identified at least one profanity entered."
    ElseIf result = "False" Then
      Response.Write "No profanity"
    End If

    ' Release the component
    Set test = Nothing
    %>

    </BODY>
    </HTML>
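
The field screening described above, as an added example in JavaScript so it can be run outside IIS. It is not the SC Profanity Check component, whose internals the article does not show; the blocklist entries, field names and sample orders are constructed placeholders. It compares whole tokens after normalization, so a blocklisted string inside a longer legitimate name or street name is not reported as a hit.

```javascript
// Added example, not the SC Profanity Check component.
// BLOCKLIST holds constructed placeholders standing in for a real vulgar-word list.
const BLOCKLIST = new Set(["vulgarword", "badterm"]);

// Common character substitutions used to disguise a word.
const SUBSTITUTIONS = { "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s" };

// Lower-case, undo substitutions, then drop everything that is not a letter.
function normalizeToken(token) {
  return token
    .toLowerCase()
    .replace(/[01345@$]/g, (ch) => SUBSTITUTIONS[ch])
    .replace(/[^a-z]/g, "");
}

// Return the raw tokens of one field whose normalized form is blocklisted.
// Whole-token comparison: "Badtermington" is not a hit for "badterm".
function screenField(value) {
  const hits = [];
  for (const raw of String(value || "").trim().split(/\s+/)) {
    const token = normalizeToken(raw);
    if (token && BLOCKLIST.has(token)) hits.push(raw);
  }
  return hits;
}

// Screen the name and address fields of an order (field names are assumptions).
// The caller decides what to do with a flagged order; every hit is returned
// with its field so it can be logged.
function screenOrder(order, fieldNames = ["firstName", "lastName", "address"]) {
  const hits = [];
  for (const field of fieldNames) {
    for (const value of screenField(order[field])) hits.push({ field, value });
  }
  return { flagged: hits.length > 0, hits };
}

// Constructed sample orders.
const SAMPLE_ORDERS = [
  { firstName: "Ann", lastName: "Lee", address: "123 Badtermington Road" },
  { firstName: "B4dterm", lastName: "Lee", address: "1 Main St" },
  { firstName: "Joe", lastName: "v.u.l.g.a.r.w.o.r.d", address: "" },
];

for (const order of SAMPLE_ORDERS) {
  console.log(JSON.stringify(screenOrder(order)));
}
```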
    
    

    About the Author

    Michael Chiam is the CEO of Saint Hamilton Group, a leading credit card fraud detection and risk-management company. He has been programming in C/C++ since 1993. His areas of expertise include Visual C++, C++, C, Java, Visual Basic, ASP, XML, SQL Server and other expert systems. He's an expert in credit card fraud detection and credit card processing systems. In his spare time, Michael Chiam is also a venture capitalist and angel investor. He can be reached at michaelchiam@sainthamilton.com.
