New Web Geography Technology Combats Online Fraud

By Marie Alexander

Bank robbery is still big business in America. From Jesse James to John Dillinger and Willie Sutton, bank robbers have always been among America’s most glamorously infamous figures, and holdups still make the evening news every time. But most attempted heists these days are doomed to failure. Surveillance cameras, guards, alarms, dye packs and cooperative law enforcement efforts stack the odds very high against any aspiring robber who walks into a bank.

IF he walks in.

That’s the very expensive problem – bank robbery no longer requires the actual presence of the thief. Thanks to Internet banking and the advent of high-tech credit card fraud, it is now possible to anonymously steal large amounts of money from a financial institution by remote control. It’s happening all over the world:

• Italian police broke up a Mafia scheme to “clone” an online branch of the Banco di Sicilia and siphon hundreds of millions of dollars from an account belonging to the Sicilian regional government. The gang used stolen computer files, codes and passwords to penetrate the bank’s systems – with inside help from two bank employees and a couple of Telecom Italia technicians.
• Three Englishmen were caught attempting to defraud the prominent Internet financial services group Egg by submitting multiple phony applications for online loans and savings accounts. British police found evidence the thieves had previously robbed two other online banks undetected.
• A New Orleans bank employee stole thousands of dollars via dozens of Internet bank and credit card accounts he opened under the names of prominent local citizens by accessing their personal information on the bank’s computer.

Perhaps the most vulnerable part of any financial services enterprise is the credit card division, which, among other functions, fields online card applications. The U.S. Secret Service calls credit card fraud “the bank robbery of the future” because criminals have realized that banking and card systems are easy pickings.

Statistics vary wildly, but a recent study by the Internet Fraud Prevention Advisory Council estimated that online fraud, as a percentage of business revenues, may be as much 40 times higher than “real world” fraud. Online credit card fraud cost businesses an estimated $9 billion in 2001, and that figure could reach $60 billion by 2005, according to Financial Insights – and that’s not including the labor and fees incurred in the course of fraud investigations, particularly in identity-theft cases involving new credit cards.

There’s no one answer to online security, of course. For banks and other institutions, the “best practice” approach to fraud prevention is to deploy an arsenal of screening tools to detect a wide variety of theft techniques – and find the perpetrators.

Find the perpetrators? On the Internet?

Yes, thanks to some of the same technology that makes online commerce possible. Welcome to the world of web geography, technically known as geolocation – the science of determining where in the world an Internet user is when he clicks into a Web site. Geolocation technology instantly pinpoints the visitor’s location – down to the metro area level, if desired – by identifying the Internet protocol (IP) domain of origin.

So how does geolocation serve as a security measure?  Well, one of the online robber’s best weapons is geographic anonymity – the targeted institution doesn’t know where in the world the heist is coming from. But geolocation can provide the same sort of information used by financial institutions and card issuers to flag potential fraud in the real world.

For example, a credit application listing a home address in Utah that arrives in an envelope from Ukraine would undoubtedly raise eyebrows in the card division. Geolocation can flag potential online fraud in the same way for online credit apps – a valuable capability, given the incidence of international scams.

Overseas-based transactions represent nearly half of all credit card chargebacks. Studies by ClearCommerce have identified a short list of 15 nations that produce some 60% of all fraudulent transactions. In the latter half of 2002, more than 10% of the transactions originating from Yugoslavia, Nigeria, and Romania turned out to be scams, and Pakistan, Indonesia and Bulgaria were all over 8%. (By comparison, the U.S. fraud rate is under 1%, and the rate in Switzerland, Japan and France is less than a tenth of that.)  Automatically flagging transactions from just those nations could sharply reduce fraud losses.

Identifying the originating IP domain provides even more specific fraud alerts – even within fraud-prone nations, particular domains are especially suspect. A ClearCommerce study last year found that a stunning 38% of the transactions originating from one domain in Indonesia – and 34% from another in Pakistan – turned out to be fraudulent.

Geolocation offers other businesses benefits – targeted marketing and regulatory compliance, to name two. Localized advertising and regionally targeted promotions can be delivered to specific regions. And some financial products are legally enjoined in some geographic locations, so only the appropriate products will be offered to the online customer. Also, in an era of ever-tightening IT budgets, geolocation technology can be deployed quickly at low cost – and without raising the privacy concerns of customers, since no cookies, registration or click-stream data are used.

But the overriding priority for the banking world right now, the priority directly addressed by geolocation technology, is fraud protection. Every industry survey shows that the biggest concern for online financial services customers is the safety and security of their money, account information, and transactions – small wonder, when customers read every day about frauds perpetrated through stolen online accounts or credit card numbers. And the banks will soon bear an even larger financial responsibility for online crime. Both MasterCard and Visa are rolling out new verification programs that shift online credit card fraud liability from merchants, who currently foot the bill, to the issuing banks. 

“This is a massive change for the banking and financial services industry,” says technology author and e-commerce guru Rick Broadhead, a consultant to the “Verified by Visa” program. “Credibility is everything to a financial institution. Consumers must have absolute faith that their banks and credit providers are exercising the very best fraud prevention practices available, or the trust that is so vital to the relationship can be irreparably damaged.”

Geolocation is clearly assuming its place among the best-practices security techniques for the
21st-century financial services enterprise. In criminal hands, the computer mouse is now a far greater threat to the bank customer’s account than the gun. And geolocation is a technical mousetrap that every online financial institution should consider.

Marie Alexander is President and CEO of Quova Inc., a Silicon Valley provider  and developer of Web geography services and geolocation technologies, (650) 528-3700, <www.Quova.com>