Most recently, CEO Pat Phelan has taken to the company blog to expose what he sees as the extent of potential credit card fraud arising out of events like the Target security breach. Phelan puts his own spin on this topic, saying:
The real interesting piece to this story is that this information was stolen between Nov. 27 and mid-December, it’s now almost 2 months later and it looks as if most of these cards are out in the wild. Target’s attempt to protect its own reputation had left hundreds of thousands of online merchants vulnerable to attack.
In one of the most bizarre moves today Target offered personal credit monitoring to its customers, this is of no use whatsoever, the customer’s relationship is with their credit card issuers and they are fully protected by this.
More interesting though are some stats the company used to support its position (see image below)
At Trustev, we’re already seeing inflated fraud attempts from our global merchants but especially with our USA based customers. Many of these attempts are coming from behind fake IP and other forged credentials which in normal cases would be accepted on the basis of the payment method (in this case, the stolen card numbers) being valid. Fortunately for Trustev’s customers our platform looks beyond this and works to identify the person making the transaction, weeding out this type of fraud. Our solution sits ahead of the checkout monitoring what’s going on, stopping the fraud before the card details are even entered.
I was particularly interested in understanding what the stats mean because, while on the surface they look impressive, a good understanding places them in context. I was especially interested in the 9.4% number. This seems very high when compared to the broadly held but not admitted figure for credit card fraud, which usually falls in the 3-3.5% range.
Note: For the sake of clarity, there are no widely available or agreed statistics on this topic. My number is based upon a variety of data on credit fraud, losses and provisions seen in accounts over a number of years. Some stats going back to 2011 suggest the loss runs at 2.7%. Regardless, it is a cost we all end up paying.
The first thing to understand is that this is a sample of real data taken during December 2013. The next thing to understand is that 'browsing behavior analyzed' is a composite measure that reflects all the interactions tracked by Trustev. Now to the 9.4%. This is how the company explained the number via email:
Of those, 9.4% total (sessions, browsing events and transactions) scored high indicating fraud regardless of whether it ended in a transaction or not hence a high 9.4%. We would expect fraud figures to be low %'s however what this indicates is that there is a significant portion of on-line activity associated with suspicious/fraudulent behaviour before the fraud transaction is made...
...Not all sessions ended with a transaction therefore the score is higher than expected as a result of suspicious browsing activity. The high rate is also impacted by our current profile of customer and inclusion of test/trial data in the figures.
The value of transactions represents the value of transactions completed and the value of identified fraud speak for themselves.
Credit card fraud in all its guises is a major problem. Services like Trustev and the company blog usefully highlight the topic.
This is the first time I have seen specific figures highlighting the extent of a known problem. I encourage Trustev to continue sharing these data because while events like the Target data theft are important, it is the impact that really matters.
Trustev can help analysts and others get a better understanding by ensuring that the definitions they use are easy to understand and remain consistent over time.
It would not surprise me if Trustev has much more insight than it is sharing today into the types of activity leading to potential fraud. I would for example be interested in knowing how rates of suspicious behavior change over time and whether they correlate to events like the Target breach.
Trustev will need to be careful that they don't inadvertently trigger high levels of false positives or over-report on suspicious activity. There's awareness and there's over-emphasis.
Credit card companies regularly block cards where they don't understand transactions, even when they are innocent. While inconvenient, most consumers would prefer to believe they are being actively protected. Services like Trustev are a valuable addition to the weapons being deployed against the dishonest. This is one to watch.
Featured image: Andy Piper