In today’s era of online ecommerce, international sales represent a huge potential market for US vendors. According to research firm eMarketer, international sales represent three-quarters of a nearly US $2 trillion retail ecommerce market, nearly half of which comes from China alone. And much of this vast market is only a click away.

On the other hand, cross-border sales remain one of the greatest risks for fraud, with a rate that was more than twice that of domestic fraud through 2012, and despite recent improvements in data quality technology this rate is still 28% higher as of 2015. And one digital commerce site notes that while retailers are making progress at managing fraudulent transaction rates, they are doing so at the expense of turning away good customers – people who, in turn, may never patronize these sites again.

So how do you exploit a rich and growing potential market while mitigating your risk for fraud? The answer might surprise you. While nearly everyone preaches the importance of a fraud protection strategy for ecommerce, and suggestions abound in areas that range from credit card verification to IP geolocation, the head of ecommerce at industry giant LexisNexis points to one area above all: address verification.

In a recent interview with Multichannel Merchant, LexisNexis ecommerce chief Aaron Press points out that the biggest problem with international addresses is a lack of addressing standards between countries. “Postal codes have different formats, where you put the number, how the street is formatted. Normalizing all of that down to a set of parameters that can be published on an API is a huge challenge.”

This means that you need robust capabilities in any third-party solution that you choose to help verify international addresses. Some of the key things to look for include:

• How many countries does the vendor support address formats for, and does this list include all of the countries where you do business?
• Can the application handle multiple or nested municipality formats? For example, a customer may list the same location in Brazil correctly as Rio, Rio de Janeiro, Município do Rio de Janeiro – or even the sub-municipality of Guanabara Bay.
• Will the application handle different spellings or translations for common areas? In the address above, for example, the country may be spelled as Brazil or Brasil. Likewise, the United Kingdom may also be referred to as England, British Isles, Karalyste, Birtaniya, United Kingdom of Great Britain and Northern Ireland, or even 英国 (Chinese for the United Kingdom, literally “England Kingdom”).
• Can these capabilities can be implemented as an API within your ordering application? Or can it process addresses externally through batch processing?

In general, cross-border fraud prevention requires a multi-pronged effort involving all of the potential stress points in an international transaction, including international address verification, email validation, credit card BIN validation, IP address verification – even name validation, so you can flag orders addressed to Vladimir Putin or Homer Simpson. These are clearly capabilities that you outsource to a vendor, unless you happen to be sitting on hundreds of millions of global addresses and their country-specific formats. The good news is that in an era of inexpensive cloud-based applications, strong fraud protection is easily implemented nowadays as part of your normal order processing strategy.

In a world where millions of customer and contact records are commonly stolen, how do you keep your data safe?  First, lock the door to your office.  Now you’re good, right?  Oh wait, you are still connected to the internet. Disconnect from the internet.  Now you’re good, right?  What if someone sneaks into the office and accesses your computer?  Unplug your computer completely.  You know what, while you are at it, pack your computer into some plain boxes to disguise it.   Oh wait, this is crazy, not very practical and only somewhat secure.

The point is, as we try to determine what kind of security we need, we also have to find a balance between functionality and security.  A lot of this depends on the type of data we are trying to protect.  Is it financial, healthcare, government related, or is it personal, like pictures from the last family camping trip.  All of these will have different requirements and many of them are our clients’ requirements. As a company dealing with such diverse clientele, Service Objects needs to be ready to handle data and keep it as secure as possible, in all the different states that digital data can exist.

So what are the states that digital data can exist in?  There are a number of states and understanding them should be considered when determining a data security strategy.  For the most part, the data exists in three states; Data in Motion/transit, Data at Rest/Endpoint and Data in Use and are defined as:

Data in Motion/transit

“…meaning it moves through the network to the outside world via email, instant messaging, peer-to-peer (P2P), FTP, or other communication mechanisms.” – http://csrc.nist.gov/groups/SNS/rbac/documents/data-loss.pdf

Data at Rest/Endpoint

“data at rest, meaning it resides in files systems, distributed desktops and large centralized data stores, databases, or other storage centers” – http://csrc.nist.gov/groups/SNS/rbac/documents/data-loss.pdf

“data at the endpoint, meaning it resides at network endpoints such as laptops, USB devices, external drives, CD/DVDs, archived tapes, MP3 players, iPhones, or other highly mobile devices” – http://csrc.nist.gov/groups/SNS/rbac/documents/data-loss.pdf

Data in Use

“Data in use is an information technology term referring to active data which is stored in a non-persistent digital state typically in computer random access memory (RAM), CPU caches, or CPU registers. Data in use is used as a complement to the terms data in transit and data at rest which together define the three states of digital data.” – https://en.wikipedia.org/wiki/Data_in_use

How Service Objects balances functionality and security with respect to our clients’ data, which is at rest in our automated batch processing, is the focus of this discussion.  Our automated batch process consists of this basic flow:

• Our client transfers a file to a file structure in our systems using our secure ftp. [This is an example of Data in Motion/Transit]
• The file waits momentarily before an automated process picks it up. [This is an example of Data at Rest]
• Once our system detects a new file; [The data is now in the state of Data in Use]
  • It opens and processes the file.
  • The results are written into an output file and saved to our secure ftp location.
• Input and output files remain in the secure ftp location until client retrieves them. [Data at Rest]
• Client retrieves the output file. [Data in Motion/Transit]
  • Client can immediately choose to delete all, some or no files as per their needs.
• Five days after processing, if any files exist, the automated system encrypts (minimum 256 bit encryption) the files and moves them off of the secure ftp to another secure location. Any non-encrypted version is no longer present.  [Data at Rest and Data in Motion/Transit]
  • This delay gives clients time to retrieve the results.
• 30 days after processing, the encrypted version is completely purged.
  • This provides a last chance, in the event of an error or emergency, to retrieve the data.

We encrypt files five days after processing but what is the strategy for keeping the files secure prior to the five day expiration?  First off, we determined that the five and 30 day rules were the best balance between functionality and security. But we also added flexibility to this.

If clients always picked up their files right when they were completed, we really wouldn’t need to think too much about security as the files sat on the secure ftp.  But this is real life, people get busy, they have long weekends, go on vacation, simply forget, whatever the reason, Service Objects couldn’t immediately encrypt and move the data.  If we did, clients would become frustrated trying to coordinate the retrieval of their data.  So we built in the five and 30 day rule but we also added the ability to change these grace periods and customize them to our clients’ needs.  This doesn’t prevent anyone from purging their data sooner than any predefined thresholds and in fact, we encourage it.

When we are setting up the automated batch process for a client, we look at the type of data coming in, and if appropriate, we suggest to the client that they may want to send the file to us encrypted. For many companies this is standard practice.  Whenever we see any data that could be deemed sensitive, we let our client know.

When it is established that files need to be encrypted at rest, we use industry standard encryption/decryption methods.  When a file comes in and processing begins, the data is now in use, so the file is decrypted.  After processing, any decrypted file is purged and what remains is the encrypted version of the input and output files.

Not all clients are concerned or require this level of security but Service Objects treats all data the same, with the utmost care and the highest levels of security reasonable.  We simply take no chances and always encourage strong data security.

Online commerce is huge nowadays – to the tune of over $400 billion dollars a year in the United States alone in 2017, at a growth rate up to three times that of retail in general. Barriers to entry are lower than ever, ecommerce platforms have become simpler to use and less expensive than ever, and the convenience of e-commerce has grown to encompass businesses of every size. Above all, purchasing goods online has become ubiquitous among today’s consumers.

Whether you are looking to launch a simple shopping cart using platforms like WordPress’ WooCommerce, Shopify or Magento, or an enterprise solution like Microsoft’s Commerce Server or IBM’s WebSphere Commerce, it can still be a minefield for the uninitiated. Here are some of the risks that every online seller takes every day:

Fraud. Filling orders from fraudulent sources costs you both revenue and time – and according to Javelin Research, identity fraud alone totals over $18 billion per year in the US. And the bad guys particularly love to target novice sellers.

Fulfillment. Every online order starts a chain of activities – from billing to shipment – that depend on the quality of your contact data. Credit card processing often requires accurate address data, and one misdirected shipment can wipe out the profit margin of many other sales – not to mention the reputational damage it can do.

Marketing. According to the Harvard Business Review, the cost of acquiring a new customer ranges from 5 to 25 times the cost of selling to an existing customer. This means that your contact database is the key to follow-on sales, brand awareness and long-term profitability. Which also means that bad contact data – and the rate at which this contact data decays– cuts straight to your bottom line.

Tax issues. Did you know that tax rates can vary from one side of a street to the other? Or that some states have passed or are considering an “internet tax” out-of-state sellers? Tax compliance, and avoiding the penalties that come with incorrect sales tax rates, is a fact of life for any online business.

The common denominator between each of these issues? Data quality. And thankfully, these problems can all be mitigated inexpensively nowadays, with tools that fit right in with your current contact management strategy. Some of the solutions available today from Service Objects include:

• A suite of tools for fraud prevention, including address, email and telephone verification, lead validation that scores prospects on a scale of 0-100, credit card validation, and IP address validation – so you know when an order for a customer in Utah is placed from Uzbekistan.
• Shipping address validation tools that verify addresses against up-to-date real-time data from the USPS and Canada Post, to make sure your products go to the right place every time.
• Email verification capabilities that perform over 50 tests, including auto-correcting common domain errors and yielding an overall quality score – improving your marketing effectiveness AND preventing your mail servers from being blacklisted.
• Real-time tax rate assessment that validates your addresses, and then provides accurate sales and use tax rates at any jurisdictional level.

Each of these capabilities are available in several convenient formats, ranging from APIs for your applications to batch processing of contact lists. Whichever form you choose, automated data tools can quickly make the most common problems of online commerce a thing of the past.

“In the era of big data and software as a service, we are witnessing a major industry transformation. In order to stay competitive, businesses have reduced the time it takes to deploy a new application from months to minutes.” – Geoff Grow, Founder and CEO, Service Objects

The big data revolution has ushered in a major change in the way we develop software, with applications webified and big data tools woven in. Until recently data quality tools that ensure data is genuine have not kept pace. As a result, developers have had little choice but to leave out data validation in their applications.

In this video, Geoff will show you why data validation is critical to reducing waste, identifying fraud, and maximizing operation efficiency – and how on-demand tools are the best way to ensure that this data is genuine, accurate, and up-to-date. If you develop applications with IP connectivity, watch this video and discover what 2,400 other organizations have learned about building data quality right into their software.

Using a blacklist to block malicious users and bots that would cause you aggravation and harm is one of the most common and oldest methods around (according to Wikipedia the first DNS based blacklist was introduced in 1997).

There are various types of blacklists available. Blacklists exist for IP addresses, domains, email addresses and user names. The majority of the time these lists will concentrate on identifying known spammers. Other lists will serve a more specific purpose, such as IP lists that help identify known proxies, TORs and VPNs or email lists of known honey pots or lists of disposable domains.

There are many different types of malicious activity that occur on the internet and there are various types of lists out there to help identify and prevent it; however, there are also various problems with lists.

The problem with Lists:

In order to first identify a malicious activity with a list, the malicious activity must first occur and then be reported and propagated. It is not uncommon for the malicious activity to stop by the time it has been reported and propagated. Not all malicious activities are reported. If you encounter the malicious activity before it is reported then you won’t be able to preemptively act on it.

IPs, Domains, Email Addresses and Usernames are dynamic and disposable. If a malicious user/bot gets blocked then they can easily switch to a different IP, domain etc.

Some lists offer warnings that blocking an IP address could affect thousands of users who depend on it in order to obtain crucial information that they would otherwise not have access to. So block responsibly.

Aggregating data to more effectively identify malicious activity:

Instead of looking at one list to perform a simple straightforward lookup, we can take advantage of multiple datasets to uncover patterns and relationships between seemingly disparate values. A simple example would be, relating user names to email addresses, email addresses to domains and domains to IP addresses, which allows us to view the activity of one value and compare it to behavior of other values. Using complex algorithms with machine learning to process large samples of data we can intelligently discern if a value is directly or indirectly related to a malicious activity.

How Service Objects keeps it simple for the user:

The DOTS IP Address Validation service currently has two flags to help its user deal with malicious IPs, ‘MaliciousIP’ and ‘PotentiallyMaliciousIP’. The ‘MaliciousIP’ flag indicates that the IP address recently displayed malicious activity and should be treated as such. The ‘PotentiallyMaliciousIP’’ flag indicates that the IP address recently displayed one or more strong relationships to a malicious activity and that it has a high likelihood of being malicious. Both flags should be treated as warnings with the ‘MalciousIP’ flag being scrutinized more severely.

The warning signs of online fraud are out there, but you need a means of discovering them. Our IP Validation service encompasses many of the identification strategies necessary to make split second decisions on would be attackers before any harm is done.

Fraud comes in many forms whether through misrepresentation, concealment or intent to deceive. Traditional methods of identifying and fighting fraud have relied on data analysis to detect anomalies which signal a fraud event has taken place. Detecting anomalies falls into two categories; known and unknown.

Known Fraud Schemes

Known fraud schemes can be easy to identify. They have been committed in the past and thus recognizably fit a pattern. Common known fraud schemes over the web include purchase fraud, internet marketing, and retail fraud. Methods to identify patterns for these types of fraud include tracking user activity, location, and behavior. One example for tracking location might be through IP, determining whether a user is concealing their identity, or is executing a transaction from a high-risk international location. A correlation can be made based on location if it is determined to be High Risk. Another case for location tracking is a physical address. In the past, fraudsters have used unoccupied addresses to accept delivered goods purchased through online and retail stores. Identifying an unoccupied address through DOTS Address Validation DPV notes provides real-time notification of vacant addresses which can be considered a red flag.

Identifying the Unknown

Unknown fraud schemes, on the other hand, are much more difficult to identify. They do not fall into known patterns making detection more challenging. This is starting to change with the paradigm shift from reactive to proactive fraud detection made possible through Big Data technologies. With Big Data, the viewpoint becomes much larger, analyzing each individual event vs sampling random events to attempt to identify an anomaly.

So What is Big Data?

Big Data is generally defined as datasets which are larger or more complex than traditional data processing applications ability to handle them. Big Data can be described by the following characteristics: Volume, Variety, Velocity, Variability, and Veracity.

Volume: The quantity of generated and stored data.

Variety: The type and nature of the data.

Velocity: The speed at which data is generated and processed.

Variability: Inconsistency of the data set.

Veracity: The quality of captured data varies.

Tackling Big Data

With the advent of distributed computing tools such as Hadoop, wrangling these datasets into manageable workloads has become a reality. Spreading the workload across a cluster of nodes provides the throughput and storage space necessary to process such large datasets within an acceptable timeframe. Cloud hosting providers such as Amazon provide an affordable means to provision an already configured cluster; perform data processing tasks, and immediately shut down, reducing infrastructure costs and leveraging the vast hardware resources available through Amazon’s network.

Service Objects Joins the Fight

More recently, Service Objects has been employing Big Data techniques to mine through datasets in the hundreds of terabytes range, collecting information and analyzing results to improve fraud detection in our various services. This ambitious project will provide an industry leading advantage in the sheer amount of data collected, validating identity, location and a host of attributes for businesses. Stay tuned for more updates about this exciting project.

Cyber Monday shattered previous online sales records and set a new all-time high, with consumers opening their wallets and spending $3.45 billion, marking a 12.1% jump over last year’s figure and earning its place in retail history.

The data, compiled by Adobe Digital Insights, surpassed initial estimates and dismissed fears that consumer shopping during the Thanksgiving weekend would hurt sales on Cyber Monday, which is historically the busiest day of the year for internet shopping. Adobe’s data measured 80 percent of all online transactions from the top 100 U.S. retailers.

The record-breaking online shopping put retailers’ data quality at the top of their priority list. Many smart retailers turned to Service Objects to help them make informed decisions about their customers, relying on Service Objects to validate over 1 million of their online transactions on Cyber Monday.

An increase in order volume impacts everything from a store’s inventory levels to brand reputation. By implementing data quality solutions like the ones Service Objects offers allows retailers to:

• Greatly reduce the number of fraudulent orders by validating that a consumer is really who they say they are;
• Ensure customers’ orders are delivered to the correct location, heading off customer service nightmares and stopping harmful customer horror stories from going viral on social media;
• Save significant money by eliminating bad or incorrect address data and increase the percentage of successful package deliveries;
• Eliminate the headache of dealing with credit card chargebacks caused by missed shipments; and
• Gain a competitive advantage over the competition and increase customer loyalty.

Using a data quality solution is fundamental to turning your customer data into a strategic asset. Read more about the different business challenges that data quality can solve.

Good news – someone wants to place a large online order for one of your company’s products, shipped to their business in the United States. But in reality, this person is a scammer from some boiler room halfway around the world. They are using a spoofed phone number, an address for an anonymous drop shipment point, and a stolen credit card number that will eventually get charged back to you.

Fraudsters can leverage the anonymity of the web to do everything from transferring money to purchasing valuable goods for resale on the black market. And the growth of online commerce and card-not-present (CNP) transactions has fueled online fraud as a lucrative industry. According to an annual report from CyberSource, as of 2016 companies lose nearly one percent (0.8%) of their revenues to fraud. It occurs almost equally across companies of all sizes, and 83% of them conduct manual reviews of orders to try and combat this fraud.

It is this latter area – manual verification – that often becomes a tough choice for businesses. Do you tighten up your screening process, and risk rejecting valid orders and losing customers? Or do you become more of an easy target for criminals? Either way, this manual verification, which can take several minutes per transaction checked, represents a substantial cost on top of any losses or chargebacks you endure because of fraud.

One of the key criteria for fraudulent transactions is the location of the purchaser. Common red flags for problem transactions can include.

• A purchaser whose IP address is far from their delivery address – for example, someone in Asia orders something to be shipped to a business in Indiana
• Anonymous or so-called “dark web” IP addresses designed to mask the user’s location, including proxy servers and virtual private networks (VPNs)
• Orders from multiple locations over a short period of time

On the other hand, simple screening criteria such as rejecting orders from VPNs, proxy servers and distant locations are blunt instruments that can exclude legitimate customers, such as people traveling on business. Moreover, manual verification of these orders represents a substantial transactional cost that affects your organization’s margins.

This is where automated geolocation tools can make a real difference in fraud prevention. Using continually updated databases, and often working as an API directly from your web processes, these tools can automatically validate and cross-reference criteria such as mailing addresses, phone numbers and IP addresses for legitimacy. They can also validate the credit card itself, by using BIN number validation. More important, bundled tools for lead or order generation can perform multi-function verifications using composite criteria, returning a 0-100 quality score on the overall validity and authenticity of the customer.

Held up against the financial, merchandise and time losses associated with fraud, not to mention the potential loss of goodwill and market share among existing customers, automated geolocation tools can be an extremely cost-effective solution for a universal problem among businesses. Unfortunately fraud will always be with us, thanks to human nature, and these tools help you and your business stay one step ahead of the problem.

With the holiday season upon us, online sales surge with customers seeking to place orders with retailers. But not all orders, form submissions, and lead generation efforts are legitimate. Building fraud identification systems which can properly identify cases that are illegitimate can range from simple to complex, with the latter using such methods as tracking user behavior and performing complex authentication methods. Most, if not all, fraud identification strategies incorporate a fundamental step in identifying fraud which is through IP Validation.

IP Validation identifies the origin of an IP which is crucial for assessing whether an IP is legitimate or is considered High Risk. An IP is categorized as High Risk based on multiple factors including whether the IP origin is from a TOR Network exit node, behind an Anonymous/Elite proxy, has been blacklisted for suspicious/spam activity, or whether the IP origin is in a country that is considered High Risk for fraudulent activity.

Anonymous Proxies

A typical http request includes necessary header information which describes the origin of the request to return information to. Requests which emanate from an anonymous proxy hide the origin IP and only include the proxy IP. Anonymous proxies are available through either SOCKS or HTTP protocol. HTTP protocol is used for general HTTP/HTTPS requests as well as FTP in some cases, while SOCKS proxy provides support for any type of network protocol.

TOR Network

While detecting whether an http request was issued from behind a proxy may be detectable based on header information, this is not the case with a request emanating from a TOR client. TOR networks route requests through a series of participating nodes anonymizing where the origin of the request came from.

VPN Service

VPN or Virtual Private Network offers another method for fraudsters to conceal their identity. A VPN service provides a secure tunnel for users to connect to another host machine and execute requests appearing as though the requests are emanating from the VPN host machine.   VPN adds the additional security of encrypting traffic between the user and VPN host.

IP Blacklist

IP Reputation services and DNS-based blacklists track and monitor suspicious and spamming activities. Users which violate website /domain owner’s terms of service can have their IP blacklisted which terminates future activity from that IP. Website owners will check their own provided IP to ensure their website has not been used in spamming attacks or suspicious activities which could restrict their ability to operate. Accepting messages from an IP which has been blacklisted should be considered high risk.

BotNet

A Botnet is another method fraudsters can use to conceal identity. A botnet is a network of machines that are under control by the attacker. Hackers frequently use botnets for large scale attacks where a high number of concurrent requests are issued to take down a system. Botnets can originate from any network connected device. This was evidenced by a recent attack on a major DNS system provider which was executed by a network of connected home devices.

How to Protect Yourself

With all of the different methods of concealing identity available to fraudsters, the picture becomes much larger of the task to thwart would-be thieves from disrupting your systems. Thankfully DOTS IP Validation encompasses many of the identification strategies necessary to make split second decisions on would be attackers before any harm is done. From IP origin to Proxy/ TOR node detection, DOTS IP Validation has you covered.

Have you ever been to gamil.com? Or gmial.com? Or gmali.com? Well, many of your prospects and customers have, without even knowing it. These are just a few of the misspellings of “Gmail” alone that pop up regularly when people enter their email addresses on your squeeze pages and signup forms – in fact, according to one direct marketer, Lucidchart.com, roughly three percent of their leads provided addresses that bounced. (Believe it or not, many people don’t even spell “.com” correctly!)

Unfortunately, losses like these can be just the tip of the iceberg. When you follow your human nature and ask potential leads to try and validate their own addresses by re-typing them – or worse, ask them to respond to a validation email – many people will simply throw up their hands and not bother, with no way of tracking these losses. According to Lucidchart’s Derrick Isaacson, the more bandwidth you add to your signup process, the less likely someone is to complete it. And the one lead you can never sell to is the one who doesn’t respond in the first place.

Then there are people who intentionally try to game the system. For example, you are offering a free gift to potential qualified prospects, and someone wants to get the goodie without receiving the sales pitch. So they enter a bogus address directed to nowhere, or perhaps to Spongebob Squarepants. Or worse, your next customer transaction is a scam artist trying to defraud your company.

Is there any way around this lose-lose scenario? Yes. And it is simpler and less expensive than you might think – particularly when held up against the cost of lost leads, data errors and fraud. The answer is real-time email validation. By using an API that plugs right into your email data entry process on the Web, you create a smoother experience for customers and prospects while gaining several built-in benefits:

Accurate address verification: A real-time email verification service can leverage numerous criteria to ensure the validity of a specific address. For example, Service Objects’ email validation API performs over 50 specific verification tests to determine email address authenticity, accuracy, and deliverability.

Auto-correction: The right interface not only catches typical spelling and syntax errors but can also suggest a corrected address.

Improved lead quality: The very best tools not only check email address validity but can calculate a composite quality score based on its assessment criteria, which in turn lets you accept or reject a specific address.

Less human intervention: The cost of processing an incorrect or fraudulent email address goes far beyond lost sales or revenue. The time you spend pursuing unattainable leads and processing bad data in your sales process add up to a real, tangible human cost that affects your profit margin.

Blacklist protection: Automated email validation protects your mail servers from being blacklisted by verifying authentic email addresses while filtering out spammers, vulgar or bogus email addresses, and erroneous data.

Real-world numbers bear out the value of using automated email validation. For example, Lucidchart.com’s Isaacson noted that an A-B test showed a 34% increase in product re-use and a 44% increase in paid customers among the automated validation group. On top of sales results like these, you can also add in the cost savings from reduced database maintenance, manual processing, and fraud when you deploy these tools across each of your prospect and customer touch points.

We now live in an e-commerce world that competes on making the prospect and customer’s experience as easy as possible. Automated email validation helps you compete better by reducing their bandwidth and your costs at the same time. It is a win-win situation for everyone, as well as your bottom line.