A new report by Stripe identifies tell-tale times, amounts, cards and other potential signs of fraudulent transactions.
As previously reported, 78 percent of Australian card fraud involves card-not-present transactions. These are largely online, but also include phone-based transactions.
The widespread adoption of chip-and-PIN has made it harder for criminals to make larger transactions when presenting the card, although contactless payments (“tap and go”) make it quick and easy to use a stolen or found card for transactions below $100.
On average, every $1 of fraudulent orders costs online stores an additional $2.62 in associated costs, so it’s not just the value of the goods or services supplied but not paid for that must be taken into consideration.
Payment service provider Stripe has analysed a year’s worth of transactions to identify some patterns around fraudulent card transactions.
The most susceptible cards
Cards from certain countries – Argentina, Brazil, India, Malaysia, Mexico and Turkey – are particularly likely to be used fraudulently, but because the fraudulent transactions are such a small percentage of the total Stripe suggests wholesale blocking is not appropriate. Rather, more sophisticated but still geography-based rules may work, such as insisting on full addresses for orders from high-risk countries.
Fraud rates for Australian cards are similar to those in the US and China.
Tell-tale times and amounts
Interestingly, fraud rates increase at times when most people aren't shopping, such as on Christmas Day and late at night. Fraud peaks occur around 1am or 2am local time, even though the trough for all transactions occurs between 1am and 4am.
So Stripe suggests additional scrutiny for transactions performed outside normal hours, whether that is done through more stringent filters or manual review.
In some countries such as Finland and Singapore, the distribution of transaction amounts is significantly different from genuine ones – for example, the most common fraudulent transaction amount is noticeably higher than the most common genuine amount. But in Australia, the UK and the US the patterns are very similar, making it harder to use transaction value as an indicator of fraud.
Perhaps Stripe’s most surprising finding was that fraudsters have a tendency to make multiple purchases from the same merchant in a short period of time.
“One lesson here for businesses is to be cautious with many rapid-fire transactions from the same credit card – though, as always, it is important not to block good transactions with blanket rules.”
In addition, some types of business are more likely to be targeted than others. “The most appealing services are performed immediately before the charge has any chance of being detected and invalidated,” said the report.
Michael Manapat, Stripe engineering manager for payments intelligence and experience, added: “While there are some consistent patterns to fraudster behaviour – for example, their high-purchase velocity, their propensity to work late at night, and their desire for cheap or immediately deliverable goods – we’ve found that the predictive strength of these patterns varies widely depending on the location of the business and the fraudster.
“Because of this, we recommend using anti-fraud tools based on machine learning trained on large amounts of data to ensure businesses are making the right tradeoffs between battling fraud and maximising profits.”
Stripe's Radar is a machine learning-based fraud detection service that Stripe merchants can opt into. It includes a mechanism for setting custom filters, and provides for manual review of suspicious transactions.
Stripe's report on online fraud trends is available as a free download (PDF).