Ideate

An inside look at e-commerce fraud in South Africa

by Andrew on 16/09/08 at 11:34 am
21 comments

In the movies crime is usually high-tech, stealthy and professional. In your neighbourhood crime is usually opportunistic, low-tech and unprofessional – someone jumps over your wall, steals a bicycle, and pawns it for a few Rand.

The same is true for most e-commerce crime. A list of credit card numbers is bought over the internet and then used to buy goods online which are delivered and then resold. It’s not rocket-science, but it’s rife, and very little is being done about it. Here is what happened when we played along with one of these fraudsters and recorded the journey.

On Thursday the 11th of September an order was placed on our site under the name of “FS” (name shortened to prevent search engine spidering). Based on various criteria that we have developed it was immediately flagged as being suspicious. Four payment attempts were made with credit cards from banks originating in the United States, The Netherlands and the United Kingdom, and all failed, with an electronic message from the bank saying, “Do not honour – if not hostile, keep the card”. This case looked pretty cut and dry.

The fifth credit card, this time from Austria, managed to authorise, and FS thought he was in business. That evening he used the live chat on our site to follow up on his order. Here is the slightly shortened, but unedited transcript. I started off harshly, but then changed tack when I decided to play along with this one…

FS:
my order no is XXXXX whats the progress
Andrew:
Hi. Let me have a look.
FS:
ok
Andrew:
I’m interested to know where you got your credit card numbers from?
FS:
what do u mean
Andrew:
You’re obviously quite an international traveller.
FS:
are you chekink for my order or what
Andrew:
Do you mind sending in a copy of your ID?
FS:
what do u want my id for. do u wana use it for scam?
Andrew:
We just need it for our records. In case there are any problems with the banks. Are you able to fax it, or e-mail a copy? Sorry for the inconvenience.
FS:
i cant sent u my id for security reasons and if you dont want then i will cancell the order
Andrew:
What security reasons?
FS:
then what security reasons are u asking for also. why must you ask if iam an iternational traveller then agian questioning me? i am very offended and thus i do not seem to trust your company
Andrew:
Sorry about that. Sometimes the banks ask us to verify the cardholder.
FS:
so i will have to ask u to cancell my order okay? thats my card and either you deliver my oder or i call to cancel. i gat no problem with that. i thought you sell quality stuff but am begining to thought
Andrew:
I’m just reading what it says on my system. Sorry to doubt you. The system says the card is from Austria. I was just trying to be friendly when I mentioned you were an international traveller. Our system says if the credit card is from outside South Africa we need to ask for ID.
FS:
so what has that got to do with ur questions has the payment not approved or must my card come from absa or standard before am qualified for an online purchase
Andrew:
No, not neccessarily, but foreign cards have an extra step in the security process. As I’m sure you know, there is a lot of fraud online, and innocent people like yourself sometimes suffer because of it.
FS:
well like i said i dont have any reason to do that cos i had a similar problem last year in p e. so if you insist then i will have tocancell the order besides i should have known that ealier
Andrew:
Perhaps just a photo of yourself would be good enough for my boss.
FS:
well i dont have any photo for this. am not being rude but believe me, i cant waist time on this small transaction. okay, pls just cancell the order and refund the cash back to the card. thanks
Andrew:
Is there a bank account I can transfer the money to? We can’t refund to a credit card.
FS:
no there is no any bank account. how can i have a bank account when i am from vienna. can i chart with you boss
Andrew:
He’s not on the live chat, but you could phone the office tomorrow. Or we could call you, if you have a landline?
FS:
i do have a cell no
Andrew:
So how do we sort this out? I have to have some sort of ID for my records.
FS:
i did purchase a penis enlargment cream last year from india and same senario hapened. ok fax it tommorow but i would not take it lightly if i should c my identity being used elsewhere in south africa
Andrew:
Of course. We would keep it confidential.
FS:
very good. i will try
are you an austrian, how do you confirm my id or pass
Andrew:
I don’t think it matters. It is just something for our records.
FS:
ok then give me the fax no once again
Andrew:
XXXXXXXX
FS:
ok thanks

True to his word, FS faxed through a passport later that night:

What would you do if you needed to fake an Austrian passport? Probably the same thing that FS did – search Google Images for Austria Passport. Here is what we found on page 1:

FS hoped that, like Google Images, we wouldn’t know the difference between an Australian passport and an Austrian one. It’s amazing what a bit of Photoshopping and a blurry fax will cover up, and scary that I recently opened a bank account entirely with faxed documentation. I bet that if we had asked for a “certified copy” he would have organised that in a few minutes of copying and pasting.

On Friday we gave FS a phonecall to confirm the delivery address, and then on Monday we instructed our fake courier guy to look for a white Australian from Austria, with an Afrikaans name and a French-African accent. We recorded the phonecalls and edited them into this clip:

Click here for the Youtube version

We had one final live chat conversation a few minutes later. We wanted to end this and move on, but he still wasn’t getting the hint!

FS:
why the hussle for my consingment
Andrew:
Hi Frank
FS:
why did i ask the courier to deliver my parcel to my host mr XXXX and he is proving sturbon
Andrew:
Yes, the courier company called us and told us about the problems. I checked with the bank, and there is a problem with your paymet, so I have asked the courier to return the parcel. The bank has told me to cancel the order.
FS:
can u ask him 2 deliver it to XXXXX my host cos am at holiday inn garden court for it. why can the bank tou that
Andrew:
Before the credit card from Austria went through, apparently there were 4 attempts using credit cards from the United States, and Netherlands, and all of the numbers had been reported stolen. Do you know why that is the case?
FS:
ok i will call my bank then i will personally come collect this oedre

Most simple e-commerce crime follows this pattern:

• A Yahoo, Hotmail or other free e-mail service is used.
• A cellphone number is given that usually goes straight to voicemail. It will undoubtably be a pay-as-you-go number. There is almost never a landline available.
• Products that are easily resellable are targetted, such as appliances and gift vouchers.
• The delivery address often doesn’t exist, or is not reachable. The courier will then phone the recipient, who will arrange to meet at a public venue, or offer to collect from the courier’s depot.
• The physical credit card is almost never available for verification, and it is unlikely that there will be matching identity documents.
• If the person receiving the parcel is ever questioned, they claim they are collecting it for someone else, and the so-called other person vanishes.

So why didn’t we call in the police and bust this team? We went through the entire process last year with a similar case, working with the commercial crimes unit to organise for the criminal to be arrested when he arrived at the depot to collect his package. When he appeared before a magistrate he claimed he was sent by someone else, and the case was dismissed. There are currently no procedures for e-commerce merchants to follow in order to ensure a successful arrest and prosecution, and so we’ve given up and resorted to trying our best to protect ourselves.

Here are our recommendations for what needs to happen to strengthen e-commerce in South Africa:

1) Verification of credit cards
In South Africa there is currently no way for us as merchants to verify a credit card purchase. We cannot even check whether the name that the customer provides matches the name associated with the credit card, and we certainly can’t check the delivery address against the bank’s records. Our bank’s merchant department claims this is not possible due to international banking systems, but we have often used international e-commerce sites where the billing address has been required to match the credit card owner’s.

A lot of work needs to be done at the local banks to bring them up to speed. The usual response we get when we phone the merchant department is, “Do you have the signed credit card slip?”, to which we respond, “No, we’re an online store”. There is a pause on the other side as this information sinks in and fails to register.

We’ve given up phoning.

2) Guidelines from the South African Police on how to obtain prosecutions
It must be possible for the state prosecutors, the lawmakers, the banks and online merchants to sit down together and work out a procedure that will increase the odds of prosecution. Do we need to record phonecalls? Do we need a signature before we make the arrest? Can the IP address be traced? We’re shooting in the dark and wasting our time.

3) Courier companies
The default service of most courier companies is anything but secure. Anyone can sign for a package and the delivery address can easily be changed by the receiver. There are more expensive options, but this would ultimately penalise the 99.9% of our customers who aren’t fraudulant. We believe most of the problems could be solved with basic training of the drivers, and we are certain that other innovative solutions can be developed that don’t make a secure delivery cost double or triple the price.

4) Cooperation between online merchants
Even though a Yahoo e-mail address is free, and a pay-as-you-go cellphone number is pretty close to free, it would be a serious inconvenience for a fraudster to create new contact details for every attempted purchase, particularly as most attempts fail. If a failed attempt is made on one of our sites, we have no way of passing those contact details on to all the other sites in South Africa. Someone needs to develop a simple repository that merchants can register for, and send fraudulant details to via an API. Each new transaction can then be checked against that repository. It is not a major problem if an honest shopper’s details get into the repository by mistake, as it would only be a system for “flagging” transactions for manual follow-up, rather than a black-list.

The banks and the payment gateways would be obvious candidates for developing this, but unfortunately they don’t like sharing information with non-clients, so it would create silos of information.

Anyone keen on collaborating with us to develop this?

5) Consumer education
Despite the shortfalls in the e-commerce industry, purchasing online remains completely safe to honest shoppers who buy from reputable stores. Your credit card is safer with most online shops than it is in the hands of your local resturant waiter or shoe store. And remember, check your credit card statement when it arrives to make sure all the transactions belong to you, and phone your bank to query anything suspicious and it will be refunded to you. Who is telling the public this?

The best thing that can happen to e-commerce in South Africa is for more customers to adopt online as a convenient, safe and cost-effective means of shopping. That will hasten the maturing of this industry, and everyone will benefit.

Except for FS and his crew…

Andrew Smith is the pedantic systems guy behind Live Alchemy, a SA e-commerce company. Andrew writes for Ideate in an attempt to make the world a more efficient place. View more articles by Andrew.

Related Articles

• Why is iTunes not available in South Africa?
• E-commerce Update
• Credit card confusion is ruining the industry
• Is e-commerce alive in South Africa?
• How to save a quick buck