The Retail Quagmire Of Virtual Goods Fraud

How should retailers deal with virtual goods when it comes to fraud? When the product is music, video, gift cards, news stories (such as the one you're now reading), applications or anything else lacking a box that can be signed for, the issue of proving the item's delivery becomes much more treacherous. And that's a vulnerability some fraudsters are not shy about trying to exploit.

Case in point: Apple's customers love Apple. They love iTunes. And Apple would love to make iTunes something more than just a way to sell music, movies, apps and gift cards. In fact, Apple wants to be a major M-Commerce payment player, especially for other retailers selling virtual goods.

But Apple has a problem: recurring complaints from customers who say someone has fraudulently made purchases through their iTunes accounts. And when it comes to fraud, Apple treats its virtual-goods business exactly as if it were shipping physical hardware. Its approach has generated ill will toward Apple that is probably much greater than the actual fraud problem. And that customer unhappiness could easily spill over to any other E-tailer handing off payments (and the handling of payment fraud) to iTunes.

On its face, Apple's official statement on iTunes fraud is conventional enough: "If your credit card or iTunes password is stolen and used on iTunes, we recommend that you contact your financial institution and inquire about canceling the card and issuing a chargeback for any unauthorized transactions. We also recommend that you change your iTunes account password immediately."

There's an irony here. Apple's customers expect simplicity and elegance. They believe Apple's products will "just work." When an iTunes customer's account is used fraudulently, that customer see it as an iTunes failure. Security didn't "just work."

And then when the customer faces the traditional process of challenging the credit-card charge, that makes him feel like he is being required to do the work for what he sees as a security failure on Apple's part. There's also a valid question: Does it make any sense at all for Apple to treat virtual-goods fraud the old-fashioned way? After all, when a customer claims fraud, a standard question in the card-issuer's investigation is whether the merchant can prove the goods were delivered to the customer.

With virtual goods, that's practically impossible. "Merchants always eat it," said Gartner security analyst Avivah Litan. "There's no method to prove delivery that the banks will accept. Digital merchants are screwed."

But if Apple and other E-tailers of virtual goods are always bound to lose, why make customers jump through conventional charge-challenging hoops? That question gets more pointed when it's paired with another question: Why do thieves go after virtual goods in the first place? Most virtual goods--movies, TV shows, music and e-books--are secured with DRM. They are impractical to resell. Why go through the substantial trouble to steal them in the first place?But apparently someone does. When customers complain publicly about fraudulent iTunes charges, a frequent feature is that movies and full seasons of TV shows have been purchased. Those clearly aren't likely candidates for resale, because the TV shows will be delivered to a particular computer. Maybe thieves just want to be entertained. Or perhaps some enterprising thieves are selling iTunes movies or full-season TV shows at a discount price, then using hacked credentials to provide a way to download them.

There is a notable exception among all-digital goods sold by Apple and other E-tailers: gift cards, which are easy to convert to cash by selling them online. But if a gift card is purchased using fraudulent credentials, an E-tailer can easily identify it when it is used. When a full season of a TV show is fraudulently purchased through a hijacked customer account, the E-tailer could identify and block delivery of the virtual goods.

That can only happen, however, if the E-tailer launches a fraud investigation quickly. In the weeks or months it takes for the card-issuing bank to bill for the fraudulent charge, for the customer to challenge the charge and for the bank to complete its own investigation, the likelihood of stopping virtual-goods delivery evaporates.

So why would Apple throw away its opportunity to fight fraud and at the same time irritate its customers by telling them to deal with the problem themselves? Why doesn't Apple handle this problem differently? Because Apple is going to eat the charge at the end of the card company's investigation, why doesn't it just resolve the claim out front and get a jump on stopping the fraud? Maybe Apple hopes some customers will just give up on the process and eat the loss themselves. That's certainly the conclusion of some irritated customers.

It's also possible that Apple views iTunes fraud as negligible and figures angering a very small number of customers is worth the trouble of avoiding a different kind of fraud. If it's easy for a customer to get a fraud claim resolved, the number of phony fraud claims might skyrocket. Or it might be that Apple wants the card-issuing banks to handle fraud investigation because that way Apple won't have to give customers bad news.

Still another possibility: Apple isn't actually eating the cost of virtual goods. Depending on its contracts with music, movie and TV production companies, Apple may be charging back fraudulent sales to them. Because the incremental unit cost of digital goods is zero, the downside for producers is a sale not made--not a manufactured product stolen.

That also makes sense if producers are concerned the theft of virtual goods might be impossible to prosecute as a crime. Is this theft, or is it unauthorized copying? In that case, copyright law kicks in. In the U.S., that could mean a music or movie producer might collect anywhere from $750 to $150,000 per case of copyright infringement.

Which of these possibilities motivates Apple's straight-out-of-the-physical-goods-world approach to dealing with payment fraud? Apple won't say. The company refused to comment beyond its official policy. But those are all things that E-tailers of virtual goods need to consider. And they are especially important before an E-tailer hands off its payment systems to iTunes--or anyone else.

When it comes to fraud and virtual goods, Apple isn't the only E-tailer that may have to "think different."