An example of risk in the field

Rohit Khare
Fri, 8 Mar 96 17:34:36 -0500

Date: Sun, 03 Mar 1996 19:09:51 -0800
To: Dick Brooks <>,
From: John Pettitt <>
Subject: Re: Electronic Commerce Risk

I (John Pettitt) wrote:

>>Further it's my experience that a) the velocity based fraud screens used by
>>most card issuers don't trigger until way too late in this world and b) card
>>data is so freely available that it can almost be considered a one time pad
>>by the bad guys.

At 05:29 PM 3/3/96 -0600, Dick Brooks wrote in reply:
>This presents another opportunity for SET to add value to the process. What if
>SET protocols included statistical monitoring and evasive maneuvering techniques
>like the ones used to detect suspicious behavior (fraud) in the clearing
>systems. Imagine if this functionality was built into the Merchant's transaction
>processing system. By having fraud detection schemes built into Merchant
>the banks could effectively help the merchant guard against loss due to fraud.

For what it's worth we have already built and installed a fraud screen in
the server. We track a whole bunch of stuff including velocity
by card, originating IP, originating email address and domain. We also
screen on time of day and transaction value. The result is we turn down
about 2% of our orders and reduced our fraud rate from 15% plus (yes 15) to
less than 0.01%.

The bad guys out there on the net now are a different crowd to the
'professional' card thieves. Most of them are kids, most scam cards by
social engineering and most are looking for either porn or software (I had
two arrested last year - although most get away).

The FBI, Secret Service et al are simply not interested if the $ value is
less than 25K and the local police generally don't know what to do when we
are in California, the card holder is in New York and the bad guy is in Florida.

For example, we have a case now where a user on MSN has tried to use 9 or 10
sets of credit data to scam us - we have locked him out - but I can't get
anybody in law enforcement to listen!

Do I sound frustrated? Well I am! The big issue that *everybody* keeps
ignoring is fraud on merchants. Protocols like SET make it *worse* by
hiding the card number from me.

How do Visa/MasterCard intend to get SET adopted? There is zero incentive
for merchants to use it.

John Pettitt
email: (home)
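
The kind of multi-key velocity screen the message describes, as an added example that is not part of the original post and not Pettitt's actual system. The window, limits, value ceiling, quiet hours and all order data are constructed assumptions; the demo shows why keys other than the card number matter, since a user cycling through many cards (as in the MSN case) never trips the per-card counter.

```python
import hashlib
import hmac
from collections import defaultdict, deque

# Every threshold below is an assumption for illustration, not a figure from the post.
WINDOW = 3600                                             # look-back window, seconds
LIMITS = {"card": 3, "ip": 5, "email": 3, "domain": 20}   # max attempts per window
MAX_VALUE = 500.00                                        # per-order value ceiling
QUIET_HOURS = range(2, 5)                                 # UTC hours treated as unusual
HASH_KEY = b"constructed-demo-key"                        # so counters never store raw card numbers

class FraudScreen:
    def __init__(self):
        self.attempts = defaultdict(deque)                # (kind, value) -> timestamps

    def _velocity(self, kind, value, now):
        q = self.attempts[(kind, value)]
        while q and q[0] <= now - WINDOW:                 # drop attempts outside the window
            q.popleft()
        q.append(now)                                     # declined attempts count too
        return len(q)

    def check(self, order):
        """Return the list of reasons to decline; an empty list means accept."""
        now, email = order["ts"], order["email"].lower()
        keys = {
            "card": hmac.new(HASH_KEY, order["pan"].encode(), hashlib.sha256).hexdigest(),
            "ip": order["ip"],
            "email": email,
            "domain": email.rsplit("@", 1)[-1],
        }
        reasons = [f"velocity:{k}" for k, v in keys.items()
                   if self._velocity(k, v, now) > LIMITS[k]]
        if order["amount"] > MAX_VALUE:
            reasons.append("value")
        if (now // 3600) % 24 in QUIET_HOURS:
            reasons.append("time_of_day")
        return reasons

def run_demo():
    """Constructed input: one user, ten different card numbers, one per minute at noon UTC."""
    screen = FraudScreen()
    return [screen.check({"ts": 12 * 3600 + 60 * i, "pan": f"400000000000{i:04d}",
                          "ip": "192.0.2.10", "email": "User@example.com", "amount": 49.0})
            for i in range(10)]

if __name__ == "__main__":
    for i, reasons in enumerate(run_demo()):
        print(i, reasons or "accept")
```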