Tim Potvin has always enjoyed what he calls the “cat and mouse” game of Merchant Fraud Prevention. An ecommerce fraud veteran who takes online fraud personally, he moved from his first job working on McDonald’s “faster than cash” payment initiative, through online fraud prevention solutions positions at companies including Accertify/American Express and CyberSource/Visa, and finally landed at Signifyd, where he oversees customer success managers.
Along the way, he became frustrated that the focus on preventing attacks on specific merchants’ sites did little to discourage fraud perpetrators more broadly.
“They just move down the line to the next, less-defended website,” he says. His jobs helped him see this big picture, in which fraudsters move smoothly from one website to the next. But each company was preoccupied with running a fast-moving business and struggled to prioritize helping law enforcement build a case that would stop the fraud entirely.
The IAFCI connects fraud fighters with law enforcement
“I wish more people in the online fraud prevention solution space would go the extra step and build relationships with law enforcement to actually make a difference,” he says.
Potvin recently found a way to work toward this goal when he was elected to a two-year term as vice president of the International Association of Financial Crimes Investigators (IAFCI), a leading professional group that connects fraud fighters with law enforcement. The group helps ecommerce merchants, payment card companies, and local and federal law enforcement work together to stop fraud, with the goal of having fraudsters arrested or fraud rings broken up. As vice president, Potvin is in charge of training for group members.
“The IAFCI doesn’t just talk about fraud, and wish it away. They actively go after the folks behind the activities and work with both local and federal law enforcement,” he says.
Members help each other with the nuts and bolts of stopping fraud rings. If law enforcement needs to subpoena records from a company, for example, investigators need to know exactly where to deliver the subpoena and the specific language to use to get the information they want. Members help each other with questions like this.
The true cost of fraud is no small thing
One of Potvin’s motivations is that online fraud is expensive, adding costs as well as hassles for everyone affected.
“Ecommerce fraud is really expensive,” Potvin says. “The fraudsters communicate better than we do. Once they figure out a vulnerability, they will exploit it and tell their friends.”
For example, if a $20 shirt is ordered fraudulently and shipped, the problem is not just that the merchant loses the shirt and a $20 sale. The merchant will have to pay shipping costs, plus a chargeback fee to the credit card company due to the fraudulent transaction. It will cost money to pay a staff member to fill out the paperwork and send it to the credit card company. That’s why merchants look to companies like Signifyd to take responsibility for stopping fraudulent transactions.
And “once the word gets out that you can get that $20 shirt for free, the fraudsters attack that website,” Potvin says. “One t-shirt turns into 100 shirts in a month.”
The true cost of fraud, then, is not as simple as the cost of the item that is lost.
Pursuing criminal consequences for fraud is not a simple matter
Tackling ecommerce fraud can raise delicate issues.
To begin with, Potvin says, “fraud is not something anybody wants to talk about – somebody is stealing from you.” Even though the fraud is the fault of the perpetrator and not the victim, companies – and the people who run them – don’t enjoy admitting that their defenses were not good enough to prevent it.
“A lot of people are very proud of what they’re doing, and to say ‘I failed here’ is not a great conversation starter,” Potvin says.
Sharing data with law enforcement is also, understandably, a touchy subject. There are laws against disclosing purchasers’ PII, or personally identifiable information, without a court order. Some merchants want aggressive action taken against fraud rings, and they may authorize the disclosure of anonymized data to law enforcement. Others, particularly those based outside the United States, may not want any data shared.
To address these concerns, Signifyd always defers to its customers’ preference and relies on a narrow-scope approach to data sharing.
Finally, for some ecommerce professionals, there is a fear that sophisticated friendly fraud prevention techniques could automate so many processes that jobs are threatened. However, it has become clear that humans are still a valuable part of the equation — so although jobs may change, preventing fraud will still require people.
Looking to the future
Both Potvin’s job and his role with the IAFCI require him to look ahead – to see the future of fraud.
One current worrisome trend: so-called Mule Fraud. The perpetrator forms a relationship with the victim, for example via a dating site. The fraudster then has the victim use their credit card and address to order goods and forward them, often out of the country. The fraudster says the goods weren’t received, effectively stealing the goods while ruining the victim’s credit.
“Mule Fraud is a nightmare,” Potvin says. With other types of fraud, people – or automated systems – can check to be sure the buyer’s name and address match the credit card number, for example. “With Mule Fraud, everything matches: name, delivery and billing addresses, email, credit card, IP address.”
Signifyd’s network provides some protection against this because it can use data from thousands of merchants to determine people’s buying habits.
“We can see when their normal behavior changes, and we have our model react,” Potvin says. “But you need a lot of data to have that in place.”
To help cut down on fraud, Potvin would like to see the United States adopt technologies such as chip and PIN – perhaps in an updated version that, for example, requires an updated PIN, or personal identification number, daily.
When chip and PIN technology was adopted in Europe, “it drove more fraud to online channels but prevented a ton in bricks and mortar,” he says. “The U.S. did not adopt it and did not see any of the benefits.”
Fraud fighters won’t be taking a break any time soon
Does Potvin think the fraud prevention industry will ever defeat the fraudsters for good?
“No,” he says. Fraud prevention experts will continue to put obstacles in the way of fraud rings, and the fraud rings will eventually find ways around each one. The only way to stop them would be for the consequences to become much more severe – something that would take a multinational effort to be effective.
“There will always be the folks that want to take the shortcut and not put in the time to honestly work for a living,” he says. “So the fraudsters will always be there looking for the easy way out.”