Archives for : CREDIT CARDS



Thieves are preying upon consumers when they need help the most by claiming to fix their bad credit.

In the credit repair scam, con artists claim they can erase bad credit, remove bankruptcies or liens and even create a new credit history. The thieves usually ask for an upfront payment in cash.

Legitimate credit repair companies are required to provide a person’s legal rights in a written contract, give a three-day window to cancel without any charge and provide the cost of the services.


  • Check your credit history and dispute inaccurate information
  • Do not pay for services before they are rendered
  • Obtain legitimate credit counseling from a nonprofit credit repair agency or your bank or credit union

For more information, you may contact the Fair Trade Commission at and the Consumer Financial Protection Bureau at


Henry Sapiecha

How AI machine learning is confronting online retail fraud

Fraud is one of the biggest causes of lost revenue for online retailers. Fraugster and Riskified, two startups that operate in this space, share their insights and methods for safeguarding online retail.


Amazon Prime Day (APD) was a huge success, they say. At an estimated 60 percent increase in sales over 2016 and nearly $2 billion in revenue, it’s hard to argue otherwise.

If you want to talk numbers though, let’s consider this. What would you say if you were told that Amazon could lose nearly 5 percent of that revenue, or $100 million, due to fraud?

That’s a lot of money. And it’s not just Amazon on its Prime Day, it’s every online retailer that is exposed to online fraud every single day.

Retail hallmarks like APD or Christmas make things worse. What can be done to prevent this? Machine learning (ML) to the rescue. ZDNet talked to fraud prevention startups Fraugster and Riskified to get their insights.

The anatomy of fraud

According to industry blog Retail Minded, there are two main types of fraud — chargeback fraud and card-testing fraud. Chargeback fraud involves purchases that are reported as never delivered and then charged back to the merchant by the credit card company.

Card-testing fraud happens when thieves with a list of stolen card numbers essentially “play the slots” by attempting purchase after purchase from an online store with different numbers until they find a card number that succeeds. They then use this number to make fraudulent purchases at other stores.
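One way a merchant can spot the card-testing pattern described above in its own authorization log, as an added example that is not part of the original article: flag a source that tries many distinct cards, mostly declined, within a short window. The thresholds, field layout, tokens and addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed thresholds; tune against your own traffic.
WINDOW_SECONDS = 600        # look-back window per source
MIN_DISTINCT_CARDS = 5      # distinct card tokens seen in the window
MIN_DECLINE_RATIO = 0.8     # share of attempts in the window that were declined


def find_card_testing(attempts):
    """Scan (ts, source, card_token, approved) tuples sorted by ts.

    Returns {source: timestamp at which it first crossed both thresholds}.
    A customer retrying one card never trips it, because only distinct
    card tokens count.
    """
    windows = defaultdict(deque)
    flagged = {}
    for ts, source, card, approved in attempts:
        win = windows[source]
        win.append((ts, card, approved))
        # Drop attempts that have aged out of the window.
        while win and ts - win[0][0] > WINDOW_SECONDS:
            win.popleft()
        distinct_cards = {c for _, c, _ in win}
        declines = sum(1 for _, _, ok in win if not ok)
        if (source not in flagged
                and len(distinct_cards) >= MIN_DISTINCT_CARDS
                and declines / len(win) >= MIN_DECLINE_RATIO):
            flagged[source] = ts
    return flagged


# Constructed sample log: card tokens are opaque placeholders, not card
# numbers, and the addresses come from documentation ranges.
SAMPLE_ATTEMPTS = [
    (0,   "203.0.113.7", "tok-01", False),
    (20,  "203.0.113.7", "tok-02", False),
    (30,  "192.0.2.44",  "tok-90", False),   # shopper mistypes the CVV
    (40,  "203.0.113.7", "tok-03", False),
    (60,  "203.0.113.7", "tok-04", False),
    (70,  "192.0.2.44",  "tok-90", False),   # same card, second try
    (80,  "203.0.113.7", "tok-05", False),   # fifth distinct card, all declined
    (100, "203.0.113.7", "tok-06", True),    # the card that "succeeds"
    (130, "192.0.2.44",  "tok-90", True),
]

if __name__ == "__main__":
    for source, ts in find_card_testing(SAMPLE_ATTEMPTS).items():
        print(f"possible card testing from {source}, first flagged at t={ts}s")
```

Flagging at the fifth declined card means the source can be challenged or blocked before the one working number is found.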

It takes both expertise and resources to be able to identify fraud. Behemoths like Amazon may be able to deal with this in-house, but most retailers are not. And in any case, this is not something retailers would like to spend resources on.

According to a 2016 report, the average yearly financial expense attributed to fraud for retailers was 7.6 percent of annual revenue across all channels, including online and offline sales. Seven percent of that is attributable to chargebacks; 74 percent is for fraud management software, hardware and employees; and 19 percent comes from false positives — transactions erroneously rejected as fraud.

And that is on a business-as-usual day. On APD, clients operating on Amazon have reportedly seen an increase of 150 percent in fraud attempts. Doing the math for chargebacks and false positives, we arrive at the 5 percent/$100 million figures.

Of course, the bulk of retailer spend attributed to fraud goes to fraud management software, hardware, and employees. As far as retailers are concerned this is probably money well spent, since these are the resources required to minimize the impact of fraud.

This is an industry with considerable resources to spend and motivation to do so, producing and sitting on loads of data. Like any other domain with these characteristics, it seems ripe for automation by means of ML. Here is how Fraugster and Riskified approach this.

No false positives, we’re positive

Riskified is a fraud management solution for enterprise online retailers, co-founded by Eido Gal and Assaf Feldman in 2012. Assaf is an MIT graduate with 15 years of experience developing machine learning algorithms, and Gal had been working on risk and identity solutions at various startups, including Fraud Sciences, which was purchased by PayPal.

Gal says that they realized there was a gap in the way the eCommerce industry managed risk: “while most retailers were relying on third-party solutions for some parts of their online business, such as payment processing and website creation, every merchant was trying to manage fraud in-house. Fraud prevention tools available in the market at that time generally provided retailers with a risk score per transaction, and the retailer’s in-house fraud team was tasked with deciding whether to accept or reject the order.”

Gal noted that scoring tools flagged any statistically risky transaction, and fraud teams were focused on preventing losses.

This combination meant that retailers ended up turning away many legitimate customers due to suspected fraud, and losing out on significant revenue. Riskified’s vision was to outsource fraud detection to experts, allowing retailers to focus on growing revenue and improving customer service.

The company built an ML-based fraud detection system, and leveraged a business model they say ensures their goals align with retailers: driving sales to good customers while avoiding fraud. Instead of providing a risk score and charging a flat fee for every transaction, Riskified offers retailers the option to approve or decline the transaction.

Riskified only charges a fee for approved orders covered by a chargeback guarantee in case of fraud. Gal says this incentivizes Riskified to approve as many good transactions as possible, while its chargeback guarantee means it takes on fraud liability for every order it approves, requiring the company to accurately identify fraud attempts.

In order for this to work, Riskified’s algorithms must either be less picky about what they approve, or smarter. Gal says that in legacy systems, each data element receives a score, which contributes to the overall risk score of the transaction.

For example, any order shipping to a re-shipper or placed via a proxy server will be “penalized,” as these are potential indicators of fraudulent activity.

“Riskified’s ML models are far more complex, taking into account many more data points to uncover the context of the order. In this example, thanks to automatic data enrichment, our systems will have an indication that while the order is shipping to a US-based re-shipper, the item’s final destination is in China.

We know that statistically, it’s common for consumers based in China to use proxy servers when shopping online, and that to avoid high shipping costs, many good Chinese shoppers use re-shipping services. This insight is incorporated as a feature into our algorithms.

But our ML models consider many additional data points, such as the shopper’s online behavior, their digital footprint, and their past transactions with any other merchant using Riskified’s solution. Only after evaluating all the relevant data, the models reach a decision to approve or decline the transaction.

When we first launched Riskified, our entire service was identifying good orders that retailers planned to decline. We’ve since expanded our offering, and today most retailers use Riskified for their entire online volume.”

Look, mum, no rules

Fraugster, a German-Israeli payment security company founded in 2014, has its own approach here. Fraugster was founded by Max Laemmle and Chen Zamir. Laemmle says that after years of working in the payments industry, they experienced first-hand the challenges of fraud for e-commerce merchants.

He says their vision was “to design and build an anti-fraud technology that could help create a fraud free world.” Laemmle says they found that all existing anti-fraud solutions were built on outdated technologies and could not deal with sophisticated cyber criminals:

“Existing rule-based systems as well as classical ML solutions are expensive and slow to adapt to new fraud patterns in real-time, hence inaccurate. Our team of intelligence and payment experts spent the last several years designing our proprietary technology from scratch. The result is advanced artificial intelligence (AI) technology which can not only eliminate payment fraud but also maximize revenues by reducing false positives.”

Laemmle explains their approach as follows:

“Translating intuition from rules or processes equals a human dictating to a machine how to reason. This requires a lot of manual work. What our engine does is use ML techniques that don’t substitute these things but substitute the human intuition part with which we reason.

The end result is a deterministic accurate system, trained not by a human but by a machine. Our engine requires a rich vocabulary and the capability to tie in these separate words into sentences and paragraphs that tell a narrative. We want to expand our vocabulary and continue to train the engine to choose the right vocabulary to tell the right story.”


Laemmle reports that their clients operating on Amazon saw an increase of 150 percent in fraud attempts on APD.

“These are times when it’s easier for fraud to pass through a manual review system or classical ML system due to more transactions and fewer resources.

Not because of lack of accuracy, because of lack of scalability and the necessary speed to adapt to new fraud patterns. A cyber criminal doesn’t generally care about sales (they plan on getting the item for free anyways) but during sales time they go through a less adverse security system.

One, because there are more transactions and it’s difficult for manual reviews to keep up and two, an item that is on sale might go through a system that is meant to look at lower priced items, think rule-based systems. Our technology is super scalable and self-learning so it can identify new fraud patterns as they emerge in real time.

All ML players have to build work arounds because they can’t process data in real-time. This means they have to pre-segmentize the data, etc. Their solutions are not fully automated / frictionless. Fraugster is not using human analysts, rules, or models. Our engine operates fully autonomously without contributing any friction in the check-out process.”

Mind the black box

Each company has its own approach and strengths, but the point here is not to compare them. The point is that these are some of the most widely influential applications of real-life big data innovation. Applications like these, even when operating in stealth as far as most of us are concerned, push the boundaries on a number of levels.

Equally important to the technical aspect are the aspects of transparency and compliance. Assaf elaborates:

“While the recent EU law requiring organizations that rely on ML for user-impacting decisions to fully explain the data that resulted in this decision, transparency into ML decisions is also a business requirement. In our industry, retailers need to know why a certain shopper’s purchase was identified as fraud and subsequently declined.

In case of a serious fraud ring attack that resulted in high chargeback rates, online merchants are held accountable by the payment gateway/processor — and need to explain why those fraudulent purchases were approved by the algorithms, and what has been done to ensure such cases are correctly identified going forward.

This has been a blindspot of the tech community, and is a key reason that many businesses are reluctant to leverage ML based tools, which they consider to be “black box” solutions. Riskified has invested significant resources into providing retailers with transparency into our ML decisions.

This was achieved by translating the tools used by Riskified data scientists when researching ML decisioning into a visualization that coherently conveys the logic behind the models’ decisions.”

As we have noted before, transparency and ML approaches seem to be at odds at present. The requirement for clarity does not only come from regulatory frameworks, but by and large it comes from business users too, as noted by many practitioners. While different approaches have been proposed to work around this issue, at this time no perfect solution seems to exist.


Henry Sapiecha

Losses from reported Australian hacking victims quadrupled in 2016: ACCC


The Australian Competition and Consumer Commission (ACCC) has reported a four-fold increase in hacking scams, with AU$2.9 million lost to such activity in 2016, up from AU$700,000 in 2015.

According to Targeting scams: Report of the ACCC on scams activity 2016, businesses bore the brunt of these scams, with over half — AU$1.7 million — being attributed to businesses.

“While the digital economy presents many opportunities and efficiencies for businesses, it also presents significant risks,” ACCC deputy chair Delia Rickard says in the report’s foreword.

“Scams targeting businesses are becoming increasingly sophisticated using modern technology to make fake emails, invoices and websites appear legitimate to even the astute business person.”

While the digital age is hitting businesses in Australia, the report [PDF] highlights that consumers are also being affected by scammers, with digitisation providing the opportunity for scammers to try new tricks.

Online scams — those executed via the internet, email, social networks, and mobile apps — outnumbered phone-based scams in 2016, with an increase of 130 percent over 2015.

Elsewhere in the report, losses to online scams accounted for 58 percent — AU$48.4 million — of total losses, while social media was a particularly busy platform used by scammers to lure victims, netting losses of AU$9.5 million in 2016 compared with AU$3.8 million in 2015.

Of the social media scams, the most prevalent were related to online dating and sextortion, a form of blackmail in which compromising images of the victim are used to extort money.

AUSTRALIA Sydney Royal Easter Show falls victim to credit card ticketing scam

Police are asking people heading to the Sydney Royal Easter Show to avoid buying tickets through unofficial sellers following reports of “significant” credit card fraud.

Two men have been arrested after a suspected stolen credit card was allegedly used to buy $800 worth of coupons and vouchers for the event, police said on Sunday.


The fraudulent tickets, coupons and vouchers were then on-sold to unsuspecting buyers through online trading sites.

“Significant fraud has been picked up through advanced electronic detection systems”, the show’s chief operating officer, Darryl Jeffrey, said.

“It is important you only purchase tickets and associated products through official channels.

“These arrests and charges early in the show prove our systems are working,” Mr Jeffrey added.

Reports of the alleged scam emerged on Friday after police contacted event organisers.

Tickets that are purchased fraudulently could be voided at the event, irrespective of whether those using them are aware they are fraudulent.

“Fraudulent transactions will be identified at entry to the Sydney Royal Easter Show and you will be denied access,” Mr Jeffrey said.

The men have been released pending further inquiries.

For more information on how to purchase official tickets to the Easter Show visit


Henry Sapiecha


How scammers use eBay as their personal ATM

When someone steals your credit card information, how do they cash it out? Increasingly, it’s through so-called ‘triangulation fraud’.


Once a scammer steals credit card details online, they can launder the money on eBay before too many red flags go off. Photo: Getty Images

How do fraudsters “cash out” stolen credit card data? Increasingly, they are selling in-demand but underpriced products on eBay that they don’t yet own. Once the auction is over, the auction fraudster uses stolen credit card data to buy the merchandise from an e-commerce store and have it shipped to the auction winner. Because the auction winners actually get what they bid on and unwittingly pay the fraudster, very often the only party left to dispute the charge is the legitimate cardholder.

So-called “triangulation fraud” — scammers using stolen cards to buy merchandise won at auction by other eBay members — is not a new scam. But it’s a crime that’s getting more sophisticated and automated, at least according to a victim retailer who reached out to me recently after he was walloped in one such fraud scheme.

The victim company — which spoke on condition of anonymity — has a fairly strong e-commerce presence, and is growing rapidly. For the past two years, it was among the Top 500 online retailers as ranked by


How triangulation fraud works. Photo: eBay Enterprise

The company was hit with over 40 orders across three weeks for products that later traced back to stolen credit card data. The victimised retailer said it was able to stop a few of the fraudulent transactions before the items shipped, but most of the sales were losses that the victim firm had to absorb.

The scheme works like this: An auction fraudster sets up one (or multiple) eBay accounts and sells legitimate products.  A customer buys the item from the seller (fraudster) on eBay and the money gets deposited in the fraudster’s PayPal account.

The fraudster then takes the eBay order information to another online retailer which sells the same item, buys the item using stolen credit card data, and has the item shipped to the address of the eBay customer that is expecting the item. The fraudster then walks away with the money.

One reason this scheme is so sneaky is that the eBay customers are happy because they got their product, so they never complain or question the company that sent them the product. For the retailer, the order looks normal: The customer contact info in the order form is partially accurate: It has the customer’s correct shipping address and name, but may list a phone number that goes somewhere else — perhaps to a voicemail owned and controlled by the fraudster.

“For the retailer who ships thousands of orders every day, this fraudulent activity really doesn’t raise any red flags,” my source — we’ll call him “Bill,” — told me. “The only way they eventually find out is with a sophisticated fraud screening program, or when the ‘chargeback’ from Visa or MasterCard finally comes to them from the owner of the stolen card.”

In an emailed statement, eBay said the use of stolen or fraudulent credit card numbers to purchase goods on eBay is by no means unique to eBay.

“We believe collaboration and cooperation is the best way to combat fraud and organised retail crime of this nature, working in partnership with retailers and law enforcement,” wrote Ryan Moore, eBay’s senior manager of global corporate affairs. Detecting this type of fraud, Moore said, “relies heavily on the tools that merchants use themselves, which includes understanding their customers and implementing the correct credit card authorisation protocols.”

Moore declined to discuss the technology and approaches that eBay uses to fight triangulation fraud — saying eBay doesn’t want to tip its hand to cybercriminals. But he said the company uses internal tools and risk models to identify suspicious activity on its platform, and that it trains hundreds of retailers and law enforcement on various types of fraud, including triangulation fraud.

Quad fraud

Moore pointed to one education campaign on eBay’s site, which adds another wrinkle to this fraud scheme: Very often the people listing the item for sale on eBay are existing, long-time eBay members with good standing who get recruited to sell items via work-at-home job scams. These schemes typically advertise that the seller gets to keep a significant cut of the sale price — typically 30 per cent.

Interestingly, the guy selling carded goods stolen from Bill’s company has been on eBay for more than a decade and has a near-perfect customer feedback score. That seller is not being referenced in this story because his feedback page directly links to transactions from Bill’s company.

Bill said he believes fraudsters targeted his company because it is relatively small, and is less likely to rely on sophisticated fraud tools that can sort out fraudulent orders. In his company’s case, it wasn’t spending any money on such fraud prevention tools until all this eBay fraud started.

“It wasn’t a huge order size, just random products we sell,” Bill said. “They’re going after us as a medium-sized retailer because we’re not yet to the size where we have all the fraud software built-in.”

Tri-fraud bots

According to Bill, the company thought it had figured out a fraud pattern to help block future phony charges, which it found all came from different internet addresses at Amazon’s Elastic Compute Cloud (EC2) service. After a block was put in place, visitors coming from EC2 servers could still browse the site, but they would be blocked from placing orders.

Bill said he believes the orders may have been placed by automated “bot” programs running on instances of Amazon’s EC2 platform (instances that were also likely paid for with stolen card data).

“The fraud kept going until we put in some things that blocked his bots at Amazon EC2 from transacting with our site,” Bill said.

Bill allowed that he can’t prove it wasn’t just a human manually transacting from all those EC2 systems. However, another security measure that Bill’s company established to fight triangulation fraud lends credence to the theory that some sort of automated EC2-based bots may indeed be involved in placing the unauthorised product orders. Bill’s firm put new data fields in the part of the checkout process where customers type in their name and address. This trick uses data fields that are hidden from regular website visitors but that are still visible on the site to computers and web crawlers.

The idea is to separate orders made by humans from those entered by automated bots. Although the latter may dutifully supply some phony requested data in the new data fields, legitimate, human customers would never input data into those extra fields because they can’t see the information being requested in the first place.

“Blocking EC2 purchases and the data fields have worked really well blocking this fraudster’s bots from spamming our email forms,” Bill said.

Bill’s company also just signed up with MaxMind, a company that gives retailers multiple clues about potentially fraudulent orders based on the geography of the order. For example, was the order placed from an internet address that is located near the shipping address?
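The three checks described in this section (hidden form fields, blocking orders from hosting-provider addresses, and comparing the order's internet address with the shipping address) can be combined into one order-screening step. The sketch below is an added example, not code from Bill's company, eBay or MaxMind; the field names, address ranges, coordinates and the 500 km threshold are assumptions, and the geolocation result is passed in rather than looked up.

```python
import ipaddress
import math

# Hypothetical names of checkout inputs that are hidden from human
# visitors with CSS but still present in the HTML that bots parse.
HONEYPOT_FIELDS = ("fax_number", "address_line_3")

# Constructed stand-in (documentation ranges) for a hosting provider's
# published address list; a real deployment loads the provider's own list.
HOSTING_RANGES = [ipaddress.ip_network(c)
                  for c in ("198.51.100.0/24", "203.0.113.0/25")]

MAX_IP_TO_SHIP_KM = 500  # assumed distance above which an order is reviewed


def honeypot_tripped(form):
    """True if any hidden field came back non-empty."""
    return any(str(form.get(name, "")).strip() for name in HONEYPOT_FIELDS)


def from_hosting_range(ip, ranges=HOSTING_RANGES):
    """True if the client address falls inside a listed hosting range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # an unparseable address matches no range
    return any(addr in net for net in ranges)


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) pairs in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def screen_order(order):
    """Return (decision, reasons); browsing is untouched, only checkout is gated."""
    reasons = []
    if honeypot_tripped(order["form"]):
        reasons.append("hidden_field_filled")
    if from_hosting_range(order["client_ip"]):
        reasons.append("hosting_provider_ip")
    if reasons:
        return "block", reasons
    ip_loc, ship_loc = order.get("ip_latlon"), order.get("ship_latlon")
    if ip_loc is None or ship_loc is None:
        return "review", ["location_unknown"]
    if haversine_km(ip_loc, ship_loc) > MAX_IP_TO_SHIP_KM:
        return "review", ["ip_far_from_shipping"]
    return "accept", []


# Constructed sample orders.
BOT_ORDER = {"client_ip": "198.51.100.23",
             "form": {"name": "A. Buyer", "fax_number": "555-0100"},
             "ip_latlon": (40.71, -74.01), "ship_latlon": (40.73, -73.99)}
LOCAL_ORDER = {"client_ip": "192.0.2.10",
               "form": {"name": "A. Buyer", "fax_number": ""},
               "ip_latlon": (40.71, -74.01), "ship_latlon": (40.73, -73.99)}
REMOTE_ORDER = dict(LOCAL_ORDER, ship_latlon=(34.05, -118.24))

if __name__ == "__main__":
    for order in (BOT_ORDER, LOCAL_ORDER, REMOTE_ORDER):
        print(screen_order(order))
```

The distance check sends an order to review rather than blocking it, since gifts and travelling shoppers produce the same signal.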

For its part, eBay says merchants can fight triangulation fraud by focusing on the products being sold by suspect eBay accounts. “Collaborate with auction and marketplaces that are known to have fraudulent sellers,” the company said in its tri-fraud primer. “Together, you may be able to uncover additional orders that may be part of the scam to help identify fraudulent sellers and/or employers.”

Henry Sapiecha

Banks should make PayWave an option to stop fraud, parliamentary committee tells government


Cash out: New systems such as payWave have led to a rise in low value fraud transactions. Photo: Eddie Jim

Law-enforcement authorities have won a victory in their bid to stem rising fraud from increased use of contactless payment cards.

The joint federal parliamentary committee on law enforcement has accepted police recommendations that banks seek customers’ consent before activating contactless, or so-called “tap-and-go” and “payWave”, payment services on credit and debit cards.

The recommendation was contained in the committee’s report on its inquiry into financial crime in Australia, tabled in parliament on Monday. The inquiry, launched in March 2014, sought to detect flaws in the Commonwealth’s ability to effectively combat financial crime.

Tap-and-go payments allow consumers to make purchases up to $100 without having to supply a PIN or signature.

However, the committee heard evidence from Victoria Police that the introduction of tap-and-go payments had led to a rise in low value fraud transactions using stolen cards by up to 100 transactions per week.

Victoria Police argued that whilst banks had weighed the cost of tap-and-go fraud against convenience and found it worked in favour of their balance sheets, they had failed to adequately recognise other policing concerns.

Among them, said Victoria Police, was an increased motivation to steal credit and debit cards, which could drive an increase in violent crime.

“The major banks provide a Zero Liability Policy to customers who are victims of fraudulent transactions. This policy is clearly advertised in conjunction with ‘Tap and Go’ technology. Widespread promotion of the Zero Liability Policy is expected to motivate offenders who are likely to see that the victim will not be at a personal loss,” Victoria Police told the committee.

ANZ Bank’s head of Financial Crime repudiated police concerns, telling the committee “at the moment with the low thresholds on (tap-and-go) I do not think it is a realistic large threat to fraud losses. I think some of the other issues we have been discussing are much bigger threats in terms of financial loss and customer inconvenience”.

Henry Sapiecha