One check with credit card issuers confirmed his fear: As in the brick-and-mortar world, if he shipped goods to a crook, he'd be financially responsibleââ,¬"even if the card issuer had given him a verbal OK on the transaction. Reeves, president of Falcon Northwest Computer Systems in Oregon, immediately put a hold on his e-commerce plans.
"It's taking us forever to get our ecommerce site up and running," Reeves said. "The credit card companies didn't have a whole lot of answers for us when we asked how to protect ourselves. ... How do we cover our butts?"
Reeves is smart to be asking the question before launching a site. Seeing only the monetary sparkle of the holiday buying season, many companies have accelerated their e-commerce efforts without preparing for the threat posed by increasing levels of online fraud.
The most vulnerable enterprises are small and medium-size businesses, particularly if they sell big-ticket items or items such as software than can be delivered over the Internet. Such companies often can't afford expensive fraud detection products and services any more than they can big losses due to fraud.
Therefore, like Reeves, they should develop an anti-fraud strategy before they launch, experts say. Fortunately, there are techniques that can help cut losses.
Meanwhile, vendors of anti-fraud services are beginning to market lower-priced products specifically for smaller ecommerce companies.
Help is coming none too soon. By year's end, online credit card fraud is expected to cost merchants US$400 million, according to a report released this month by Meridien Research. Overall online consumer fraud ââ,¬" including consumers falsely claiming they never ordered items ââ,¬" is expected to cost online merchants US$1.5 billion this year, the report says. Financial experts expect online fraud to get worse: Meridien predicts that by 2001, online credit card fraud could cost merchants US$9 billion a year, and that by 2003 the cost could reach US$15 billion (see chart, below). Fraud rates can reach 30 percent for sites selling certain types of merchandise, such as software, online merchants report.
"It's difficult for the merchant not to be left in the middle holding the bag," said Marcelo Halpern, a partner at the Chicago law firm of Gordon & Glickson LLC and an expert on e-commerce law. "It's a question of contractual leverage. The consumer ultimately dictates the terms, and Visa is Visa, and you, the merchant, are not."
The problem is not that credit card companies put more financial pressure on ecommerce companies than brick-and-mortar businesses. The problem, experts say, is that fraud is more likely to take place online. Less than 1 percent of credit card transactions initiated in brick-and-mortar stores today are fraudulent, according to Meridien's research and card issuers such as Visa International. But on average, nearly 10 percent of all Internet transactions are fraudulent, according to Meridien.
"Fraud is not really a bigger issue online except in the sense that online crooks may be fundamentally braver" than those in the offline world, Gordon & Glickson's Halpern said.
And going to court ââ,¬" provided you can figure out whom to sue ââ,¬" is almost guaranteed to fail, one expert said.
"You can certainly try to sue, but any attorney will tell you that in most cases there's almost no remedy," said Mark Grossman, head of the Computer and E-Commerce Law Group at the Miami law firm of Becker & Poliakoff P.A. "The merchant ends up the loser."
The reason more online transactions are fraudulent is that they are all what is called "card-not-present" transactions. In a "card-present" transaction, a clerk can at least compare the signature on the back of the credit card with the signature obtained on the sales slip at the time of the transaction. That protection is not available in card-not-present transactions.
For those transactions, credit card companies and their partners force merchants to pay higher premiums for processing orders. And when a sale turns out to be fraudulent, the card issuer withdraws the funds from the merchant's bank account automatically. The true cardholder is only liable for US$50 worth of transactions on his or her stolen card. The merchant typically eats the rest.
As fraudulent transactions pile up, the merchant's costs increase. For the behemoths of ecommerce, such as Dell Computer, experts say this isn't as crucial an issue as it is for "mom-and-pop" Web stores. Dell, which runs one of the largest stores on the Web, may experience much more fraud than smaller vendors, but it also does much more business. And credit experts say banks and credit card companies are less likely to be strict about collecting fees from the big guys.
Compounding the problem is that so few startup ecommerce vendors are taking significant precautions to guard against fraud, said Meredith Hickman, an analyst at Meridien.
"We've found very few merchants with advanced fraud detection systems in place," such as neural network systems that compare new transactions against profiles of fraudulent ones, Hickman said. Only 2 percent to 4 percent of Web merchants use such systems today, mainly because of their cost, Meridien's research shows. Providers of such fraud detection services typically charge one-time fees of tens of thousands of dollars on top of per-transaction fees. That has put these services out of the reach of many ecommerce enterprises.
"The dot-com startups have no money for this. They're spending it on marketing," Hickman said.
But online store owners can take heart, analysts say, because new technology is starting to appear to help large and small Web businesses cut their fraud risks.
In the absence of affordable tools, some online merchants have had to go to greatââ,¬"and expensiveââ,¬"lengths to combat e-fraud. Beyond.com Corp, a Californian online software and hardware vendor, for example, was forced to develop its own fraud detection software or risk going out of business shortly after launching in 1995. About six months after launching the Web site, company officials discovered that more than half the products moving off its virtual shelves were being stolen.
"People were stealing vast, vast amounts of software," even obscure programs, "simply because they could," said Beyond.com's chief technology officer, John Pettitt.
Finding no relief from credit card companies and faced with financial losses that were poised to put the company out of business, Beyond.com developed its own fraud detection system. In 1997, Beyond.com spun out its fraud detection unit, launching CyberSource.
"We realised there was no solution out there, so we grew our own," Pettitt said. Fraud losses were cut "drastically" after Beyond.com instituted the system that became the basis for CyberSource's product line, he said, although he would not specify how much credit card fraud the company experiences now.
Of course, most online merchants won't be able to do what Beyond.com did. But there are quick, inexpensive steps they can take while they ponder the small, but growing, selection of fraud detection services now available. For many, the answer is to extend to the ecommerce world the same fraud-prevention techniques developed for telephone-based transactions. Falcon Northwest Computer Systems, the gaming system company, for example, has kept telesales fraud rates low by teaching its sales staff how to detect certain types of would-be thieves by asking a series of questions during the telephone ordering and billing process.
"We average an hour on the phone with each customer. If it's less than that, it's a red flag," Reeves said. Originally, salespeople would simply take card numbers and expiration dates and get the authorisation from the issuing bank. But some stolen and "false" cards (created using bank identification numbers and modular mathematics) can still slip through this system. After being taken advantage of one too many times, Falcon Northwest added new precautions.
"Now we ask for the 800-number listed on the back of the card, along with the last four digits of the customer's Social Security number or their mother's maiden name," he said. "It makes some people nervous, but they provide it. If they hang up, we're pretty sure it would have been a fraudulent transaction."
Experts such as Halpern said that applying similar techniques to online sales can cut out a chunk of credit card fraud.
"You can make it harder and harder for somebody to commit fraud by couching it as a customer service issue," Halpern advised. "Call the customer back and say: 'We're just verifying that this is really what you ordered.' Do multiple checks of the customer's e-mail, phone numbers and addresses." If the home phone number can't be independently verified as registered to the name on the credit card, that's a tip-off to a potentially fraudulent transaction, experts say.
Merchants can also help themselves by reading up on how contracts work between online store owners, banks and credit card companies, experts say.
"Anybody setting up shop online must carefully read the credit card agreement with the merchant bank," said Michael Littenberg, a partner with the New York law firm of Schulte, Roth & Zabel LLP and an expert in ecommerce law. "You need to understand how the contract works because, once you ship the product, you're never going to see it again" if the transaction turns out to be fraudulent, Littenberg said.
Good customer service is also a valuable tool, since a certain portion of any merchant's charge-back fees is due to disputed credit card charges, another expert said.
The deck may be stacked against smaller merchants when it comes to protecting against fraud, but that's not going to keep them away from ecommerce. Falcon Northwest, for example, most likely will launch its site within the next few months, selling a new line of less expensive machines, averaging around US$1,600. Reeves expects the lower price to boost sales volumes. That may even make the expected higher fraud levels palatable.
"Hopefully, at the end of the day, the Net allows you to reach so many customers that that should cancel out the fraud," said Meridien's Hickman.
There is another type of Fraud, misrepresentation. I ordered Ugg Boots from Australian Company called Vikstarboots.com. I got really low quality shipskin boots that were a knock off. When compamny was contacted they told me to send it for refund. However there was no return address on package itself and web site was shut down. I finally e mailed about 3 or 4 times, finally a threat of legal action Victoria answered saying by the way we have a new website sambella.com. Funny enough they no longer advertise as Ugg Boots. Must have gotten tons of complaint. As I live in Los Angeles, The postgae alone is over $50. So bascially I lost $50 on this and lots of time trying to locate company etc. Yo know the company is not even apologizing. They do not care. They are OK, they made some money on infalted postage charge.