Times are tough -- even for cybercriminals. Online merchants in the U.S. and Canada report a dramatic 18 percent drop in fraud, down from $4 billion in 2008 to $3.3 billion this year, according to a survey by the security firm CyberSource. Meanwhile, the fraud rate of 1.2 percent of all sales is the lowest in the 11-year history of the survey. Even among international orders, traditionally the bane of Web sites, fraud rates plummeted by 50 percent.
The news comes just in time for Web shoppers who are pulling out their credit cards and wondering about the safety and security of online holiday gift shopping.
"We were surprised," said Doug Schwegman, CyberSource's director of market and customer intelligence. "Internally people were thinking that with the recession, fraud would go up, that there would be more people out there with technical skills who needed to put food on the table. But it looks like the merchants stepped up to the plate and got their act together."
Schwegman said the recession may actually have helped Web site fraud departments in two ways: prompting online firms to implement tighter fraud controls to chase down every dollar during the tough economy and giving computer security professionals at these Web sites a chance to catch their breath.
"They've been dealing with double-digit growth for years and when the market slowed down they were able to catch up a little bit," he said.
But new technologies undoubtedly contributed to the fight against fraud. This year, a relatively new technique called device fingerprinting, which can make life very difficult for would-be credit card thieves, took hold in the marketplace.
Device fingerprinting goes far beyond cookies and IP addresses to identify users, employing software to examine a variety of unique identifiers on computers used to order products. These range from the version of Flash software stored on a computer to the time and date stamp of the installed Web browser and the version of BIOS used inside the machine. Combining these characteristics, the software can positively identify computers with accident rates as low as one in 1 million, Schwegman said.
The technique is chiefly used to identify criminals who are placing numerous orders with multiple credit cards using a single computer. Traditionally, criminals could use proxy servers or other evasive techniques to place multiple fraud orders when using a cache of stolen cards. Now, it's relatively easy for Web sites to spot multiple orders coming from the same machine.
Other anti-fraud techniques are common too, including geo-location, which uses IP address to determine a customer's location (used by 52 percent of large merchants); telephone number reverse look-up (33 percent); and shared "negative lists" of attempted frauds among merchants (23 percent).
Despite the apparent success, there's little cause for celebration, Schwegman warned. This year's cybercrime dip could be an anomaly.
"It's kind of an arms race. It could be things will bounce back next year (for criminals)," he said.
And there is another more discouraging explanation for lower e-commerce fraud rates: Serious computer criminals have moved beyond basic credit card fraud to more sophisticated account creation fraud that allows them to steal money directly from banks. So-called "new account fraud is not counted in the CyberSource survey, Schwegman said.
Kevin Haley, director at Symantec Security Response, said this migration could explain why merchant fraud was down but overall cybercrime activity spiked, according to Symantec research. Clearly, he said, cybercriminals haven't gone away.
"In general we're seeing 2009 as a pretty bad year from a security standpoint," he said. "Record levels of spam, a nine fold increase in malware sent through e-mail. The rises we saw in the things we track are astronomical."
The price of stolen credit cards in the underground economy was flat, however, supporting CyberSource's research that that Web site fraud is no longer the sexy part of cybercrime.
And there's more sobering news -- fraud rates remain abysmal among online electronics, Schwegman said. Electronics sellers still turn down one order of every 18 they receive, the CyberSource survey found, a rate that's consistent with past years and double that of other merchants. Turning away fraud is good, of course. But with high order rejection rates, there’s always some babies thrown out with the bath water – the more rejections, the more legitimate orders and the more lost sales.
Meanwhile, heavy losses also hurt consumers, in two ways: through higher prices and more hassles at the checkout counter. When a site suffers fraud, it conducts more "manual reviews" of orders, which can slow down the purchasing process. Consumers who wish to buy Christmas gifts and have them shipped to the recipient can find they face far more questions when the shipping address and credit card billing address don't match.
Still, despite the caveats, the drop in overall fraud is meaningful, Schwegman said.
"The fraud rate was stable for so long, and we are very careful with the methodology, so we think it's significant," he said. "This isn't a battle that can ever be won outright. But we're certainly going to make life difficult for the bad guys."
The CyberSource survey involves both customers and non-customers of CyberSource security products; it involved 352 responses from Web sites representing more than $60 billion in annual online sales, and was conducted by Mindwave Research.
RED TAPE WRESTLING TIPS
Consumers shopping online for the holidays should be heartened by survey results, as it appears online Web sites are gaining ground on criminals. If it becomes harder to use stolen credit cards, criminals will steal them less often.
But that doesn't mean shoppers don't have to be vigilant. The security gap between well-known, large e-commerce sites and niche sites continues to widen. So those surfing and buying at smaller Web sites should consider using old-fashioned purchasing tools, Schwegman said.
"If I'm shopping for a unique gift at a smaller site, that's when I would tend to use more secure payment methods, or maybe even place the order over the phone," he said.
Symantec's Haley pointed out that, despite years of work battling the problem, phishing remains the number one threat to consumers during the holiday season. The frequency of e-mails from retailers offering consumers receipts or shipping status updates creates a fertile ground for hackers to send fake e-mails soliciting personal information.
"We'll see things around the Christmas seasons, like e-mails that claim to be from a department store they may really be doing business with," he said. "Users can be tricked to click on a link and give up their credentials. People should be more wary of that kind of attack during this season."