Oracle ATG

Online Fraud Detection

  • 1.  Online Fraud Detection

    Posted 08-20-2018 14:47
    TBC has just introduced their first true e-commerce solution for buy online, ship direct to consumer. Until now everything has been B2B against customer accounts and buy online, complete order in the stores.

    Because of this, we are facing online credit card fraud for the first time and I'm looking to lean on those who have been dealing with this for years on how they have tackled this huge issue.

    What products is everyone using for online fraud detection, if any, and what other processes have been put in place to combat this growing trend?

    ------------------------------
    Chad Taylor
    TBC Corporation / Tire America
    Palm Beach Gardens FL
    ------------------------------


  • 2.  RE: Online Fraud Detection

    Posted 08-20-2018 15:07
    Hi Chad,

    There are a few options. Most payment gateways provide an integration to fraud services which you can add to your existing payment services. In many cases, these are white-labeled versions of the Kount (Kount.com) fraud detection solution. Some of our clients have used the solution bundled with the gateway, and others have built a direct integration with Kount. The direct integration with Kount provides the most flexibility.

    Commerce Architects built an Oracle Validated Integration to simplify integrating directly with Kount if you want to go that route: Kount Complete - Oracle Validated Integration for Oracle Commerce v11. The validated integration includes an ATG module with code/configs for calling out to Kount for device fingerprinting before checkout as well as pipeline processors for calling Kount during checkout, and flagging an order based on the response if necessary. The module is packaged just like an out-of-the-box ATG module and has SQL as well as sample code for calling back to Kount to alert them of final order disposition. You can download and use the integration code for free from Oracle, or let us know and we can send it over. Oracle validated the integration for both 10.x and 11.x, so we have both versions, but only the 11.x version is available on the Oracle site.

    Joe

    ------------------------------
    Joe Conaty
    VP, Business Development
    Commerce Architects
    Spokane WA
    ------------------------------



  • 3.  RE: Online Fraud Detection

    Posted 08-20-2018 15:22
    Fraud detection is a complex subject which often needs to be tailored to individual businesses.  A lot of the payment providers allow you to create rules to catch potential fraud but in most cases you need to define what those rules are.

    Things you can do to mitigate the risk of fraud:
    • Store the X-Forwarded-For header against the order (this contains a list of the IP address(es) used to place the order). Use a geo-IP location service to then cross-reference these with the shipping and billing address and flag orders where there are anomalies, e.g. an IP address from Russia shipping to Washington DC might be fine if you are the president, but probably not OK for most businesses ;-)
    • Store the geo-location of where the order was placed (if available). Again, cross-reference this with billing and shipping addresses and flag orders where there are anomalies.
    • For B2C implement strict Address Verification (AVS) checks for orders placed
    • Review orders where the shipping address differs from the billing address
    • Do not allow shipping to freight forwarder or PO Box addresses (or force the customer to include the final destination address)
    • Consider implementing email verification (My email address was recently used to commit fraud for a Buy Online Pickup In Store order with a well-known retailer - they found out when I called their help center explaining that I did not place those orders. Turns out the fraudster had a credit card with my name on it)
    • Look for suspicious order placement patterns e.g. if someone places 5 orders in a row for high value items in a very short space of time these orders should probably be reviewed.
    • Set a limit on the order amount and don't allow users to circumvent it by placing multiple orders using the same card etc.
    • Consider only allowing registered users to place these types of orders

    I know that Cybersource has Decision Manager built in which allows you to define rules which put an order on hold pending a manual review.

    Hope some of the above is helpful.

    ------------------------------
    Gerald Heath
    Executive Director,
    Pipeline Pros
    ------------------------------
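
Added example, not part of the thread and not any poster's or vendor's code: the rule-based screening listed in post 3 (geo-IP cross-check, shipping/billing mismatch, PO Box, order velocity per card) written out in Python. The proxy range, the geo table standing in for a geo-IP service, the thresholds and the order field names are all assumptions; the client address is taken as the right-most X-Forwarded-For hop that was not added by a trusted proxy, because entries further left are supplied by the client.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Assumptions for this example (none of these values come from the thread).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]  # our own load balancers
GEO = {"203.0.113.7": "RU", "198.51.100.20": "US"}      # constructed geo-IP stand-in
PO_BOX = re.compile(r"\bP\.?\s*O\.?\s*BOX\b", re.I)
VELOCITY_MAX, VELOCITY_WINDOW = 3, 600                  # orders per card per 600 s

def client_ip(xff, peer):
    """Walk X-Forwarded-For right to left, skipping our own proxies.
    Hops left of the first untrusted address are client-supplied."""
    hops = [h.strip() for h in xff.split(",") if h.strip()] + [peer]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None                                 # malformed hop: unknown
        if not any(addr in net for net in TRUSTED_PROXIES):
            return hop
    return None

class Screener:
    def __init__(self):
        self.recent = defaultdict(deque)                # card token -> timestamps

    def flags(self, order):
        """Return the list of review flags raised by one order (dict)."""
        out = []
        country = GEO.get(client_ip(order["xff"], order["peer"]))
        if country is None:
            out.append("ip_unknown")
        elif country != order["ship_country"]:
            out.append("geo_mismatch")
        if order["ship_addr"] != order["bill_addr"]:
            out.append("ship_ne_bill")
        if PO_BOX.search(order["ship_addr"]):
            out.append("po_box")
        q = self.recent[order["card"]]
        while q and order["ts"] - q[0] > VELOCITY_WINDOW:
            q.popleft()                                 # drop orders outside window
        q.append(order["ts"])
        if len(q) > VELOCITY_MAX:
            out.append("velocity")
        return out
```

Flags are meant to route an order to manual review rather than reject it outright.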



  • 4.  RE: Online Fraud Detection

    Posted 08-20-2018 16:48
    To add some more information: we do have a security gateway provider in place, but they don't have a fraud detection offering.

    We are requiring CVV checks and doing AVS against the billing address. We also do flag all transactions initiated from foreign locations for approval since at this time we are a US based business.

    Our biggest issue is our business's desire to ship to alternate addresses from the main billing address and the fact that we are a big ticket business which apparently sees much higher fraud than small ticket venues.

    The fraudsters are entering valid CVV and billing information and then shipping to a pickup location. Because of the nature of our business, we often have this behavior occur with valid transactions and the business is concerned about limiting shipping to addresses associated with the card and to our certified installer network only. Often individuals will ship the tires to their offices, non-certified installers, friends, children at college, etc.

    We are looking for tools that assess the risk based on multiple datapoints like IP, cookie, remarketing, previous transactions, fraud history, darkweb data, etc.

    ------------------------------
    Chad Taylor
    TBC Corporation
    Palm Beach Gardens FL
    ------------------------------



  • 5.  RE: Online Fraud Detection

    Posted 08-20-2018 16:54
    Side note: We need to add edit post functionality.

    I forgot to cover that we can't require registered users only as 90% of our customers choose to not register because of the infrequent purchases and thus relationship we deal with in the tire industry. The average customer is only going to buy tires 1 and a half times a year. Thus, they aren't looking to establish a relationship with us in most cases. We are discussing things to address this situation in the future, but that is our customer behavior right now.

    We do require an email address and flag and hold suspicious looking email addresses. I know with some fraud detection providers they store known email addresses related to cards and add some risk when the address used isn't associated with the card.

    ------------------------------
    Chad Taylor
    TBC Corporation
    Palm Beach Gardens FL
    ------------------------------



  • 6.  RE: Online Fraud Detection

    Posted 08-20-2018 17:04
    To add more to this discussion. We have already reached out to two 3rd party solution providers in this area; Cybersource and ThreatMetrix.

    We are wanting to make sure there aren't other players we should be talking to that may have specific offerings for ATG (we are adding Kount based on Joe's suggestion earlier) and whether others choose to go a whole other direction (like using solutions provided by their payment gateway that our gateway doesn't provide, etc.) before we start running in a certain direction.

    Pause, and learn from others before we learn the hard way on our own. (Thus, Pipeline Pros)

    ------------------------------
    Chad Taylor
    TBC Corporation
    Palm Beach Gardens FL
    ------------------------------



  • 7.  RE: Online Fraud Detection

    Posted 08-31-2018 00:27
    Hi Chad,

    You may also want to check with these solutions:

    clear.sale
    accertify.com
    nofraud.com

    Some of them are already integrated with other ecommerce solutions.

    ------------------------------
    Thanks
    Daison
    Principal Consultant
    Cubits Tech
    ------------------------------