What happens when a fraudster barrages a merchant with bogus PayPal-funded transactions? In Part One, we saw that in one real-life example, the merchant's account was restricted for 2 weeks. Understandably, he told us that he was frustrated that his account was restricted through no fault of his own. Although he was proactive in reporting the fraudulent payments to his account, and spent many hours working with PayPal's customer support team, his online business came to a standstill because he was not able to accept payments via PayPal.
In this case, PayPal's public relations team was able to give us some information, but it's unlikely merchants typically receive much follow-up after they have been involved in an attack, which can add to a merchant's sense of helplessness.
PayPal spokesperson Sara Gorman said the company's fraud models caught the fraud, but said it was a new case they hadn't dealt with before. They were doing things behind the scenes, which might also explain why it took time to resolve it. "We're sorry the customer was frustrated," she said.
Gorman said that she could not provide all the details about the case because PayPal does not want people to try it. However, she said that while their system asks shoppers for CVV numbers, the fraudsters were able to get around that. PayPal has since closed that workaround, she said.
The problem of fraud is a classic arms race, Gorman said. "We do a good job of staying on top of it, but there is no system that has zero fraud risk. There are people all over the world trying to do this." Gorman said there are very sophisticated fraudsters hitting payment systems all the time.
Fraud Filters
In our previous article, we explained how merchants could control an account setting that gives them the option of accepting transactions from consumers who do not have a PayPal account but are using a guest pass. Merchants who use PayPal Website Payments Pro and Virtual Terminal have the option to upgrade to Advanced Risk Filters for an additional monthly fee. This allows them to tighten or loosen the fraud filters on their accounts. PayPal's Gorman said some merchants actually tell them that they think PayPal's fraud filters are too strict and like the ability to control their own settings.
We spoke to an expert in online fraud who previously worked at PayPal and now works for another firm to get some context. Cory Siddens is Senior Product Manager of Risk at CyberSource, which provides payment solutions to large and small businesses and operates the Authorize.Net payment gateway.
Siddens said it is typical that merchants are allowed to tighten or loosen fraud controls, and agreed that merchants prefer to choose their own level of fraud risk. For instance, a merchant can put controls on the volume coming through in a certain time period. However, "Any time you put an impediment, you have the possibility of lost customers," he said. "That customer may never come back again."
He also said that gateways are limited in the amount of data they have to work with - there is matching against billing address, for example, but not the cardholder name.
What Was in It for the Fraudster?
What baffled both merchants and payment processors was why this flood of fraudulent funds was being sent to this merchant's account. The only time this type of activity is seen is for "card testing" after fraudsters have purchased stolen credit card information on the black market and need to test the cards to see if they are still active. However, usually scammers test cards on low-priced items.
CyberSource's Siddens said that he hadn't heard of a case exactly like the one outlined, though he'd seen cases where honest buyers make purchases from scammers who then used stolen credit cards to fulfill the order. The victim is unaware he's handed over his money to a fraudster and is happy to receive his order - until the retailer identifies the fraudulent payment and reports the victim to law enforcement agencies.
The only inkling of why the fraudsters may have processed the payments in this case was PayPal's admission that this was a new type of fraud, so it may have been a test of PayPal's fraud detection.
How Can Sellers Protect Themselves?
Sellers should understand the options they have available to them in setting their level of fraud risk. PayPal merchants can learn more about fraud management filters here. For standard accounts, merchants can filter for maximum transaction amounts and country of origin. And this page explains the account settings available to PayPal merchants, including the option of whether to accept transactions from consumers who do not have a PayPal account but are using a guest pass.
Merchants who use PayPal Website Payments Pro and Virtual Terminal have the option to upgrade to Advanced Risk Filters for an additional monthly fee that allows them to screen for 17 additional criteria.
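The controls mentioned in this article (maximum transaction amount, country of origin, guest checkout, and volume in a time period) can be pictured as a merchant-side pre-screen. The following is an added example, not PayPal's or CyberSource's filter logic; the class, field names, thresholds and sample transactions are all assumptions constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class Txn:
    ts: int        # seconds since the start of the sample
    amount: float  # order total
    country: str   # payer country code
    guest: bool    # paid without a PayPal account (guest checkout)


class MerchantFilter:
    """Hypothetical pre-screen; every threshold here is an assumed value."""

    def __init__(self, max_amount=1000.0, allowed=("US", "CA"),
                 accept_guest=True, max_txns=5, window_s=600):
        self.max_amount, self.allowed = max_amount, set(allowed)
        self.accept_guest = accept_guest
        self.max_txns, self.window_s = max_txns, window_s
        self.recent = deque()  # timestamps of attempts inside the window

    def check(self, t):
        """Return the list of filters the transaction trips (empty = accept)."""
        reasons = []
        if t.amount > self.max_amount:
            reasons.append("max_amount")
        if t.country not in self.allowed:
            reasons.append("country")
        if t.guest and not self.accept_guest:
            reasons.append("guest")
        # Volume control: forget attempts older than the window, then count
        # this one. Flagged attempts still count, so a flood keeps tripping it.
        while self.recent and t.ts - self.recent[0] >= self.window_s:
            self.recent.popleft()
        self.recent.append(t.ts)
        if len(self.recent) > self.max_txns:
            reasons.append("velocity")
        return reasons


# Constructed sample: a burst of eight guest payments 30 seconds apart,
# then two unrelated orders about an hour later.
SAMPLE = [Txn(30 * i, 900.0, "US", True) for i in range(8)]
SAMPLE += [Txn(4000, 45.0, "US", False), Txn(4100, 1500.0, "ZZ", True)]


def screen(txns, flt=None):
    flt = flt or MerchantFilter()
    return [flt.check(t) for t in txns]


if __name__ == "__main__":
    for t, reasons in zip(SAMPLE, screen(SAMPLE)):
        print(t.ts, t.amount, t.country, reasons or "accept")
```

Tightening any threshold also raises the chance of holding a legitimate order, which is the trade-off Siddens describes.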
As the merchant in this story found out, it's good to have a backup plan and accept multiple types of electronic payment. He quickly put Google Checkout on his website to replace PayPal. While he didn't know how long he would be without PayPal, he knew every day without any payment method on his site was costing him money.
Finally, higher-volume sellers or those in high-risk categories should consider advanced features and shop around for solutions. John Stevens of Litle & Co., a company whose expertise is in card-not-present transactions, said merchants often don't understand where fraud breakdowns can occur, and it can get more complicated as they integrate payment services with third-party shopping carts. Cory Siddens said merchant training and education is a big issue when it comes to fraud prevention. Merchants must weigh the costs of investing in more expensive services and training because, ultimately, it appears all sellers are vulnerable to online fraud.
You can comment on this case on the AuctionBytes Blog