November 26, 2004

The Season of Taking

By Evan Schuman, eWEEK

With the rush of holiday shoppers heading to the malls and their keyboards, Black Friday marks the start of the holiday shoplifting period. This year, online merchants are not exempt.

Friday is the much-cited Black Friday, where merchants hope the rush of holiday shoppers will push their financials into the black. But retailers know that, among those online and offline crowds, there will be thieves, taking advantage of the anonymity of crowds and the less-trained eye of seasonal workers.

The retail world today provides a textbook example of the escalation in the fight against fraud. Both sides in this battle have invested significantly in technology and personnel, and yet the percentage of successful fraud has remained roughly the same, hovering at about 1 percent of transactions, according to Gartner estimates.

When looking at fraudulent activity, there are two numbers to consider: the number of attempted frauds and the number of successful frauds. The number of attempted frauds has recently increased sharply, indicating that criminals are trying harder than ever to steal. The fact that the percentage of revenue represented by successful frauds has remained steady would at first glance seem to be a win for the retailers.

But the fact that retailers are spending so much additional money and time on fighting fraud without seeing any material reduction in its occurrence would suggest that they are losing the fight.

"The attacks are definitely on the way up. Those attacks have roughly tripled in the last year," said Avivah Litan, Gartner's vice president and research director for payments and fraud. "Certainly merchants are spending a lot more time than they should be combating fraud. Fraud should be going down with all the money being spent, but here we are, like a treadmill. The fraud detection systems can't keep up with the new scams going on out there. The [criminals] have complete information now on how to beat the fraud systems."

One survey saw the number of attempted frauds soaring from about 12 percent last year to about 73 percent this year, Litan said, adding that Gartner's figures are similar. "It's really escalated in the last year," she said.

The Merchant Risk Council—a non-profit organization of about 7,500 merchants, vendors, financial institutions and law enforcement agencies—this week released the results of their annual fraud survey and found a double-digit increase in what retailers are spending on software to fight fraud.

The group reported that retailers spent about 13 percent more than last year for fraud detection software, but—in keeping with Gartner's findings—their efforts seemed to have been matched precisely by renewed efforts by criminals. Some 60 percent of retailers polled dubbed fraudsters "more sophisticated" and most—77 percent—said that they had "experienced a fraud spike in the past 12 months" and a little more than one-fifth of those—21 percent—characterized it as "a significant fraud spike."

There are quite a few types of products intended to combat online fraud. The Merchant Risk Council suggests a comprehensive seven-product/tactic mix as its "minimum toolset." That recommended toolset consists of address verification, customer follow-up, card verification codes, negative list, real-time authorization, customizable rules and some kind of post-process fraud management.

Other popular approaches include fraud scoring and geolocation. Geolocation by IP address is a popular way of trying to determine a user's geographic latitude, longitude and, by inference, city, region and nation by comparing the user's public Internet IP address with known locations of other electronically neighboring servers and routers.

But not all retailers are created equal. Larger retailers can justify the high costs of much of this software, plus fraud detection employees to track the results and to perform manual follow-ups and intervention.

Smaller retailers often have difficulty justifying the cost, especially since some fraud is going to get through, no matter what the retailer does. If the retailer knows that current efforts will keep fraud to about 1 percent and more expensive approaches will bring it down somewhat further, it becomes a very difficult ROI argument when it comes to deciding the level of additional investment.

Naturally, those smaller, less-protected retailers are becoming the most attractive fraud targets.

Fraudsters "pick merchants who have very weak defenses in place," said Julie Fergerson, co-chair of the Merchant Risk Council. How do crooks know the retailers with the weakest defenses? "They'll run a couple of test frauds, maybe with a half-dozen orders."

The verification procedure (including manual review) will typically reject certain purchases because the transaction has too many fraud-like characteristics.

Such suspicious characteristics include having a different billing and shipping address, seeking an unusually large quantity, using a free e-mail domain or a customer coming from one of many fraud-friendly countries (the Merchant Risk Council's suspect list includes Nigeria, Ghana, the Ukraine, Macedonia, Romania, Turkey, Russia, Thailand, Brazil, Egypt, Venezuela, Vietnam, Indonesia, Israel and Turkey).

Those verification procedures can be costly. Above and beyond the time and technology costs they require, they invariably force retailers to turn down revenue from legitimate customers. Gartner's Litan estimates that about 2 to 3 percent of legitimate charges are being rejected.

A recent Cybersource report on online fraud came to the same conclusion. "It is virtually certain that some of these rejected orders are valid, but in the attempt to reduce direct fraud losses, merchants reject orders that appear suspicious," the report said. "The fact that, on average, merchants ultimately accept two-thirds of orders they manually screen seems to indicate that the proportion of valid orders they reject is significant."

Cybersource reported that for every accepted fraudulent order, "merchants reject more than three additional orders. Merchants whose direct fraud-loss rate is above 1 percent are turning away twice as many orders on average (nearly 8 percent). For merchants accepting orders originating outside of the U.S. and Canada, the rejection rate is almost 8 percent as well."

But technology defenses against fraud are certainly not limited to online.

Chris Dorsey is the CIO for the Chase-Pitkin chain of home/garden supplies, which is a division of $3.3 billion Wegmans Food Markets. Although his chain deploys a wide range of standard low-tech anti-theft devices (video cameras, undercover security guards, keeping high-theft items behind the counter, etc.), it was a software approach that he credits with cutting theft.

Chase-Pitkin deployed a software suite from SPSS—called ShowCase Suite—to track missing products in real time at the item level, thereby creating a perpetual inventory system.

"As retailers, all we used to be able to do was report at the department level, ÔHere's what your shrink is: a million dollars of shrink in this certain department.' Within that department, you can have tens of thousand of SKUs. Good luck trying to find it," Dorsey said. "So you'd make a lot of general assumptions. Now when we take a physical inventory, not only do we report it at the department level, we can report it at the category down to item level."

That's delivered quite a few surprising insights, he said. Before deployment, the store was reporting more than 2 percent of its items as missing from shrinkage. In 2003, that figure dropped to 2 percent exactly and it dropped further to 1.7 percent in 2004 and Dorsey said that he expects it to drop to 1.5 percent in 2005.

But the software made a much more significant change, he said. Of that 2 percent of shrink, Dorsey said, about 30 percent was actually missing items, such as accounting errors, vendor glitches, receivables errors, mistakes during inventory counts and even products falling behind shelves.

"The SPSS tool has helped us take this phantom loss down to less than five percent," Dorsey said. "More importantly, it removed a point of denial at the stores. Before, when store managers were confronted with the shrink, they would go into denial instead of looking for what was really going on."

One department discovered, for example, that of its 10,000 SKUs, 16 items accounted for literally half of stolen products, Dorsey said. The company now tracks those items every week—which would be impossible store-wide and certainly chain-wide.

Dorsey spoke of a battery mystery. The chain was experiencing a large amount of battery theft. The software identified the battery theft level as normal in all stores except four, which were experiencing extremely high levels of missing batteries. Trips to those stores found that those were the only stores that merchandised the batteries away from the front-end cashiers.

Once they moved them to the front, the shrink virtually went away.

"The minute we changed our merchandising position, our shrink virtually went away in those four stores. It went down to the company average," Dorsey said. "In our old environment, without the business intelligence tool, it would have taken us about three months to figure it out. Instead, the analyst had the analysis done and the recommendation into the merchandising department within a half-hour."

Another example was a $199 power tool package. Once identified, the chain repositioned cameras and discovered that customers were opening the package and also opening a package of something much less expensive (large lights). They would switch the contents and pay $19 for $199 worth of equipment. Solution: Customers must now pick up and pay for those tools at the customer service department.