Why Attractions Attract Fraudsters
Updated: September 15th, 2016 | Fraud
by Jerry Lake, Product Manager
If you sell online, your business will likely have to deal with a problem at some point: credit card fraud. And if you’re in the attractions business, you’re one of the best targets for fraudsters. Why?
Let’s first look at the traditional e-commerce transaction where the product is a physical item. If you’re buying an iPad online, obviously it needs to be shipped. Providing a valid shipping address can be problematic to a fraudster as that can create a trail right to him. Additionally, in an effort to thwart fraudulent purchases, online sellers sometimes require the credit card billing address and shipping address to match.
Now let’s look at the e-commerce model of a typical theme park. The end product is an often-anonymous general admission ticket. And for guest convenience and operational efficiency, online tickets can be delivered electronically, either through email or directly displayed in a browser, allowing the purchaser to print their own tickets at home.
In other words, the fraudster no longer needs a valid postal address (or can simply use the billing address that came with the stolen card number) since nothing needs to be shipped. All they need is an email address.
Ever wonder why you see an email address that looks like someone bounced a tennis ball off the keyboard? It’s because the fraudsters have so many of them. They’ll cycle through their different aliases to minimize the risk of detection.
The Fraud Model
So let’s step back and look at credit card fraud. First, in the choice between online and brick-and-mortar fraud, online is the overwhelming favorite for several reasons. Obviously, online activity can be far more anonymous, and in terms of volume, it is less time-consuming than traveling to a retailer. But the biggest reason online fraud is easier is because of what the fraudster doesn’t need: a physical credit card. It’s not that lost and stolen cards don’t happen, but they’re a drop in the bucket compared to the most common supply source for stolen credit card information: data breaches.
In recent years, millions upon millions of pieces of Personally Identifiable Information (PII) have been stolen through data breaches. Sometimes they get payment card information, other times they get personal information such as addresses, birthdates and social security numbers. The content of the stolen information determines the hackers’ next steps. If they happen upon credit card data, it goes up for sale.
The price of an ill-gotten credit card number starts at around $10. If you want more info to go with it, such as the cardholder address and the security digits found on the back of most cards, the price goes up. The more information the fraudster buys about the account, the more legitimate the fraudulent purchase looks to the systems checking it.
An interesting side note – several of the major credit card brands actually monitor these darker regions of the internet, and will frequently buy their own credit card numbers from the hackers, allowing them to disable the accounts more quickly than waiting for the fraud to show up. And realistically, the cost of buying their own credit card numbers is far less than the monetary and time losses associated with fraudulent purchases.
So, you’re a fraudster, and you just bought my Visa account number online from an overseas hacker. What’s next? Well, despite what you read in books, there is often no honor among thieves. If my card number was sold to you, it was likely sold to others, and now the mad dash begins to use it before either I or my credit card company realize it’s been compromised, and the account disabled.
Armed with my credit card number and some additional PII that the fraudster purchased, it’s time to try to buy something. If the information is fresh enough and my account hasn’t yet been disabled, chances are the fraudster will successfully complete a transaction. Why? Well, if my account isn’t over its spending limit, hasn’t been deactivated, isn’t on fraud alert, and the details the fraudster supplies match what the issuer has on file, the payment processing company that your e-commerce solution uses has no reason to reject the transaction. It simply doesn’t look at enough data points to know otherwise.
Generally, it doesn’t end there. Fraudsters are rarely looking for a free day at your attraction. They’re looking to make money. So they’ll look to resell what they just fraudulently purchased. Their next hurdle is to unload these tickets as quickly as possible. eBay and Craigslist are notorious for this. Do a search sometime for your favorite attraction and see how many ticket hits you find. Chances are some of them are fraudulent.
In many cases, it’s an on-demand fraud model. Have you seen an ad that looks like this: “Mother-in-law broke her hip, our loss is your gain, selling my FunPark tickets for half price!” You’ll see no mention of the quantity of tickets. This is because the fraudster is waiting to be contacted, and once you tell him you need five tickets, he’ll reply that he just so happens to have exactly five tickets. Next, he’ll go online with his latest batch of stolen credit card numbers, and keep trying until one works and he’ll buy the five tickets online. Then he’ll ask to meet at some nearby public place, possibly even in the parking lot of the attraction, to sell you the tickets for cash.
From an attractions standpoint, this is doubly bad. First, someone stole from your venue with the purchase transaction (since you know that this will involve a chargeback, resulting in your not getting paid). And second, now they’ve sold the tickets to someone else who shows up at your gate. If you’re alerted to the fraud with enough notice, you can deactivate the tickets so that they don’t scan for admission, but generally, the people you’re turning away aren’t the bad people. They’re the folks who paid money to the fraudsters, and now you’ve got a guest services issue.
Your best defense against fraud is to prevent the purchase from happening in the first place.
Common Fraud Misconceptions
Isn’t EMV supposed to help me combat credit card fraud? Well, yes, but EMV only applies to card-present transactions: the chip is authenticated by a physical terminal at the point of sale. It may cut down on in-park fraud, but if you’re like most attractions, the majority of your fraud comes from e-commerce, where the transaction carries only the card number, expiration date, security digits and address, which is exactly what a breach dump supplies. EMV does nothing for this type of fraud.
We don’t really have that much fraud. In many cases, those administering your sales solutions (in-park and e-commerce) are not the same people being contacted by the banks with chargebacks. In some cases, your accounting staff is simply writing off chargebacks as a cost of doing business without even alerting those in charge of the sales channels where the fraud is occurring. Don’t assume. Check with your attraction’s point of contact for your payment processing merchant account to find out what your chargeback volume actually is.
We respond to chargebacks in real-time and deactivate the tickets so they can’t be used. Great, that’s a good first step. However, the fraud is usually far more real-time than the chargeback notification. If you pull up your usage history, you’ll likely find that in many cases, by the time you’re alerted to the chargeback, the tickets have already been used.
Seven Ways to Make the Fraudster’s Job Harder
- Stop selling anonymous tickets. Your e-commerce solution provider should have the ability to collect and add guest names to your tickets sold online. Add some verbiage to the ticket terms and conditions that indicates a valid ID is required with the ticket upon admission. And while for throughput reasons you may choose not to ask for ID for every guest entering your park, having a policy that supports the ability to do spot checks is a great deterrent.
- Stop providing a testing ground for online fraud. Are you a nonprofit attraction that accepts donations? If so, a very common fraud pattern is to test a card with a small purchase that’s unlikely to arouse suspicion, such as a $1 donation. If that succeeds, a bad person now knows they have good digits. Then they’ll come back to you – or a different merchant – for a much larger theft. Online donations are a great source of funding for nonprofits, but how many people do you know that will go to the trouble of filling out an online order just to donate $1? Usually, the donation is an add-on, an upsell if you will, to other products they’ve already added to the cart. If you do accept online donations, don’t allow a donation without having some other product in the shopping cart. Another option is to set transactional floor limits (minimum purchase amounts) that would prevent these $1 “donations.”
- Talk to your e-commerce solution provider about implementing “velocity checks.” Simply put, a velocity check is measuring how often and how quickly something happens. For example, if, on average, your online shopper completes a single order and doesn’t buy again for several months, be wary of the same purchaser making multiple purchases back-to-back within a few hours or especially a few minutes. For a fraudster, every time a transaction succeeds, they’re encouraged to try again, quickly, before the cardholder or the card’s issuing bank become aware of the fraud and the card is turned off forever.
- Perform consistency checks. See if your e-commerce solution provider can provide pattern matching tools and rules that detect inconsistencies within your repeat orders. For example, the same credit card number being used three times in an hour, but with three different contact email addresses and phone numbers looks very fishy.
- Implement strong PCI guidelines. Although the bulk of fraudulent purchases are made online, the supply of stolen credit card numbers often comes from data breaches involving card-present POS systems. See if your POS solution provider supports an EMV-compliant semi-integrated payment solution, in which the payment terminal talks to the processor directly and the POS application only ever receives the authorization result, effectively keeping all credit card data out of your environment. In the event of a breach, hackers can’t steal what was never on your servers. Although EMV is just starting to mature in the U.S., we’ve been installing EMV-compliant semi-integrated payment solutions since 2009 in other parts of the world, with great success.
- Three strikes and you’re out. Implement retry limits, limiting the number of times the payment info can be entered for the same open purchase before you cut them off. We’ve all miskeyed a digit from time to time, but usually by the second or third try, we’ve got the account number, expiration date, zip code and security digits entered correctly. When reviewing online purchase attempts, I’ve personally seen an online shopper enter 50 completely different credit card numbers (with 50 different names), in the hopes of completing an order for a few hundred dollars’ worth of tickets. It’s highly unlikely a legitimate shopper has that many credit cards in that many different names. The more likely scenario is that person just bought a block of credit card numbers from a hacker and is looking for a resellable product.
- Make data your friend. The typical authorization of a credit card involves only a handful of data points – your merchant ID, the purchase amount, maybe a timestamp and a transaction number, and the credit card details. Based on that, most authorization attempts succeed, which provides immediate tickets to the buyer, even if the purchase is fraudulent. But there are many other data points in an e-commerce order that could be used. IP address, contact email, phone numbers, the buyer’s distance from your venue and pattern matching against previous order data are all often ignored. Consult with your e-commerce solution provider to see what tools they offer to use all this extra data in your favor, to prevent the fraud from happening in the first place.
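The floor-limit, velocity, consistency and retry-limit rules from the list above, as an added Python example. This is not the author’s product code or any vendor’s API; the thresholds, the `Attempt` record, the `screen` function and the sample traffic in `demo()` are all assumptions constructed for the example, and the card tokens are placeholder strings standing in for whatever token your processor hands back (the card number itself should never be stored).

```python
"""Order-screening rules: floor limit, retry limit, velocity and consistency checks (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds are hypothetical tuning values chosen for this example, not from any product.
MAX_ATTEMPTS_PER_CHECKOUT = 3        # "three strikes": attempts allowed on one open checkout
VELOCITY_WINDOW = timedelta(hours=1)
MAX_APPROVED_PER_CARD = 2            # a third approved order on one card inside the window is flagged
MIN_ORDER_TOTAL = 5.00               # floor limit that blocks $1 card-testing "donations"
DONATION_SKU = "DONATION"


@dataclass
class Attempt:
    """One authorization attempt. card_token is the processor's token for the card;
    the PAN itself is never stored (the tokens here are constructed placeholder strings)."""
    when: datetime
    checkout_id: str
    card_token: str
    email: str
    phone: str
    items: dict[str, float]   # sku -> price in dollars
    approved: bool = False

    @property
    def total(self) -> float:
        return sum(self.items.values())


def screen(attempt: Attempt, history: list[Attempt]) -> list[str]:
    """Return the rules this attempt trips (empty list = send it on to the processor).
    history holds earlier attempts, approved or declined; the current one is not in it yet."""
    reasons: list[str] = []

    # Card testing: a cart that is nothing but a donation, or a total under the floor limit.
    if all(sku == DONATION_SKU for sku in attempt.items):
        reasons.append("donation-only cart")
    if attempt.total < MIN_ORDER_TOTAL:
        reasons.append("order total below floor limit")

    # Retry limit: count earlier attempts on the same open checkout, whatever card they used.
    prior_on_checkout = sum(1 for a in history if a.checkout_id == attempt.checkout_id)
    if prior_on_checkout + 1 > MAX_ATTEMPTS_PER_CHECKOUT:
        reasons.append("retry limit exceeded on checkout")

    # Velocity: how many approved orders has this card already produced inside the window?
    recent = [a for a in history
              if a.card_token == attempt.card_token
              and timedelta(0) <= attempt.when - a.when <= VELOCITY_WINDOW]
    if sum(1 for a in recent if a.approved) >= MAX_APPROVED_PER_CARD:
        reasons.append("velocity limit exceeded for card")

    # Consistency: one card arriving with several contact identities inside the window.
    identities = {(a.email, a.phone) for a in recent} | {(attempt.email, attempt.phone)}
    if len(identities) > 1:
        reasons.append("card used with multiple contact identities")

    return reasons


def demo() -> dict[str, list[str]]:
    """Run the rules over constructed sample traffic; returns scenario name -> tripped rules."""
    t0 = datetime(2016, 9, 15, 10, 0)
    history = [
        # A legitimate purchase a month ago (well outside the velocity window).
        Attempt(t0 - timedelta(days=30), "c1", "tok-A", "jane@example.com", "555-0100", {"GA": 89.0}, True),
        # One card, three e-mails, three phone numbers, all inside an hour.
        Attempt(t0 + timedelta(minutes=5), "c2", "tok-B", "qwerty1@example.net", "555-0111", {"GA": 178.0}, True),
        Attempt(t0 + timedelta(minutes=20), "c3", "tok-B", "asdfgh2@example.net", "555-0122", {"GA": 267.0}, True),
        # Three declined cards already tried on checkout c5.
        Attempt(t0 + timedelta(minutes=50), "c5", "tok-C1", "pat@example.org", "555-0144", {"GA": 356.0}),
        Attempt(t0 + timedelta(minutes=51), "c5", "tok-C2", "pat@example.org", "555-0144", {"GA": 356.0}),
        Attempt(t0 + timedelta(minutes=52), "c5", "tok-C3", "pat@example.org", "555-0144", {"GA": 356.0}),
    ]
    current = {
        "legit": Attempt(t0, "c7", "tok-A", "jane@example.com", "555-0100", {"GA": 89.0, DONATION_SKU: 10.0}),
        "card_testing": Attempt(t0, "c6", "tok-D", "zxcvbn@example.net", "555-0155", {DONATION_SKU: 1.0}),
        "velocity": Attempt(t0 + timedelta(minutes=40), "c4", "tok-B", "poiuyt3@example.net", "555-0133", {"GA": 356.0}),
        "retries": Attempt(t0 + timedelta(minutes=53), "c5", "tok-C4", "pat@example.org", "555-0144", {"GA": 356.0}),
    }
    return {name: screen(a, history) for name, a in current.items()}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name:12s} -> {'OK' if not reasons else '; '.join(reasons)}")
```

The rules run before the authorization request goes out, which is the point of the section: a tripped rule costs you nothing, while a chargeback on an approved fraudulent order costs the tickets and the fee. In a real deployment the `history` list would be a query against your order store keyed on card token, checkout and time window, and the thresholds would be tuned against your own repeat-purchase baseline rather than the constants above.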
In the end, you need to realize that fraud is literally some people’s full-time job. If your venue doesn’t take fraud seriously, your defenses are down against people who are ready and willing to take advantage of you. Sadly, the fraudster community is very active and always talking to one another to find the path of least resistance. Don’t let that be your attraction. Empower yourself with the information in this article to take steps to send these fraudsters to the “unemployment” line.