By necessity, all e-Commerce companies are constantly on guard against card not present (CNP) fraud. Aside from the financial losses incurred from the refunded amounts, chargeback fees, and merchandise replacement costs, there is also the looming threat of losing the ability to do business — payment processors will stop working with a merchant if the chargeback rate exceeds a certain threshold.
Those on the front lines of this ongoing war against fraudsters are the analysts tasked with screening out the fraudulent transactions. They have to satisfy conflicting requirements: brief turnaround time for order accept/decline decisions, minimizing chargeback losses, and keeping the total cost of fraud prevention low. These fraud management teams are the Rodney Dangerfields of e-Commerce, since they usually don’t get much respect from senior management, who often view their department as a cost center rather than a revenue protector.
It’s no surprise that merchants are quick to adopt and hesitant to abandon tools that are simple, quick, cheap, and seem to do a good job of rejecting fraudulent orders while accepting the legitimate ones. This is how we ended up with e-Commerce fraud prevention tools like blacklists.
Here’s how blacklists work: When merchants approve an order that results in a chargeback, they add that order’s details (like the shipping address or name) to a list, so when another order comes in that has the same address or customer name, it’s automatically rejected, thwarting both repeat abusers of the chargeback process (i.e. “friendly fraud”) and criminals using stolen card info.
In theory, blacklists sound like an effective tool, similar to how some email spam filters work (mark an email as spam and both that sender and all similar emails are permanently blocked). That analogy actually uncovers the main shortcomings of blacklists. Simple spam filters based on blacklists of keywords or sender names are terrible at blocking spam. Spammers are able to bypass them just by slightly misspelling the products or “deals” they’re pitching.
Better Tech Results With Better Fraud Prevention
The spam filters that actually work use more advanced techniques — like Bayesian filtering — to perform a deeper analysis of the email as a whole and then determine the probability of it being a normal or spam message.
Ditto for e-Commerce fraud prevention. The solutions that actually work use much more sophisticated methods than simply finding matches between an order and a blacklist. Industry standard tools include things like device fingerprinting, behavioral analytics and machine learning. These technologies work together to reconstruct two possible scenarios behind each order — one in which the order was made by a real customer and one in which a fraudster is behind the transaction — and then use accurate and constantly fine-tuned statistical models to determine which of those stories is most likely true.
This difference between fraud blacklists and the current state-of-the-art tools really shows when it comes to orders from shipping addresses that are shared by several (think an apartment building) or several dozen (like a university dorm). Just think of how many students shift in and out of one of those dorms in any given year. If any one of those students ever placed an order that was approved but later resulted in a chargeback, that dorm’s shipping address would be blacklisted, and every other student living there now and in the future would be falsely declined from that same brand. This problem only gets worse when shared blacklists are used.
Without further digging and consideration, like discovering what type of building belongs to that shipping address before decling the transaction, blacklists are an incredibly imprecise and unsuitable tool for fraud prevention. But of course, any further analysis defeats the whole point of relying on blacklists in the first place: they were meant to give quick and clear fraudulent order rejection, saving analysts time by automating some of their work.
Automation is indeed the answer to the growing problem of CNP fraud, but despite being widely used by online merchants, blacklists fail to deliver. New technologies leveraging machine learning and big data are mature enough to provide speed, accuracy and adaptability. No lists required.
Debbie Fletcher is an enthusiastic, experienced writer who has written for a range of different magazines and news publications over the years. Graduating from City University London specializing in English Literature, Fletcher’s passion for writing has since grown. She loves anything and everything technology and exploring different cultures across the world. She’s currently looking towards starting her Masters in Comparative Literature in the next few years.