Credit Card Fraud
Credit card fraud is one of the major threats to all businesses nowadays. To fight fraud efficiently, you need to understand the mechanisms used to commit it. Credit card swindlers use a large number of techniques to commit fraud.
By definition, credit card fraud is the act of a person using someone else's credit card for personal use while the card owner and the bank are not aware that the card information has been used.
Credit card frauds are usually treated as:
- A criminal deception (intentional harm) by use of the unauthorized account and personal information.
- Misuse of account information to get goods and services.
Although it is widely accepted that customers are the primary victims, businesses are far more exposed to credit card fraud than cardholders. Cardholders can have trouble getting their money back, but businesses can lose their basic income, pay payback fees, and may face the risk of closure of their sales account.
The exact amount of losses due to card fraud is unknown, but according to Business Wire analyst reports, for the year 2015 the amount probably exceeds $16.3 billion.
Although a lost (or stolen) card is the most frequent type of fraud, other types of credit card fraud include identity theft, skimming, counterfeit cards, mail intercept fraud and others.
1. Card-related Frauds
Lost/ Stolen Cards
A card is lost or stolen when the genuine account holder loses it, or when it is stolen for criminal purposes. This type of fraud is the easiest way for a swindler to get hold of other individuals' credit cards without using sophisticated technology. It is also perhaps the toughest form of traditional credit card fraud to undertake.
Application Fraud
Application fraud can be done in 3 ways:
- Not-received card, also known as postal intercept, when the postal service steals a card before it arrives at the owner's address.
- Fake identity, when a person illegally obtains someone else's personal information and opens accounts in that person's name, using partially legal information.
- Financial fraud, when a person provides false information about their financial status to ask for credit.
Account Takeover
This type of fraud occurs when a swindler illegally obtains a valid customer's personal information. The fraudster takes control of (takes over) a regular account by providing either the customer's account number or the card number. The fraudster then contacts the card issuer, posing as the genuine cardholder, and asks for mail to be redirected to a new address. The fraudster then reports the card lost and asks for a replacement to be sent to the new address.
Fake and Copied Cards
The making of copied (false) cards is, aside from stolen (lost) cards, the largest threat in credit card fraud. Swindlers always find new and more creative ways to create false cards. Some of the techniques used for creating false (duplicate) cards are:
1. Creating a fake card: A swindler can create a fake card from scratch using modern machines. This is a very frequent type of fraud, although false cards need a lot of effort and skill to produce. Modern cards have many security features designed to make it difficult for swindlers to produce a good-quality falsification. Today, many card issuers include holograms in their design, which are difficult to falsify.
2. Changing card details: A swindler can change cards either by re-creating them, applying heat and pressure to the information originally embedded on the card by an official card issuer, or by re-encoding them using computer software that encodes the magnetic stripe data on the card.
3. Removing the magnetic strip: A swindler can alter an illegally obtained card by erasing the magnetic strip with a powerful electromagnet. The swindler then changes the details on the card so that they match those of a valid card, which they may have obtained, e.g., from a stolen box roll. When the swindler uses the card, the cashier will swipe it through the terminal several times before recognizing that the magnetic strip does not work, and will then enter the card details into the terminal manually.
4. Skimming: Many cases of falsification fraud involve skimming, a process where the original data on a card's magnetic strip is electronically copied onto another card. Today, skimming is accepted as the most popular form of credit card fraud. Shop employees have been found carrying pocket skimming devices, battery-operated electronic magnetic stripe readers through which they swipe customers' cards to get hold of the card details. Skimming takes place without the cardholder's knowledge and is thus very difficult, if not impossible, to trace.
5. White plastic: A white plastic is a card-size piece of plastic that a swindler uses to create and encode genuine magnetic stripe data for illegal transactions. This card looks like a regular door key but contains genuine magnetic stripe data that fraudsters can use at POS terminals that do not require card validation or verification (for example, petrol pumps and ATMs).
2. Merchant-initiated Frauds
Merchant-initiated frauds originate either from owners of the merchant shop, or from their employees. These types of frauds are usually as follows:
Merchant Deceit
This type of deceit occurs when merchant owners and/or their employees collude to commit fraud using their customers’ (cardholder) accounts and/or personal information. Merchant owners and/or their employees pass on the information about cardholders to swindlers.
Triangulation
In this type of fraud, the swindler operates from a website. The fake site looks like a regular auction or traditional sales site. When placing orders online, the buyer provides information such as name, address and valid credit card details to the site. Once the swindler has this information, he uses the credit card details to order the items from a regular website and have them sent to the client. The swindler then continues to purchase other items using the customer's credit card details.
3. Internet-related Frauds
The Internet is an ideal environment for fraudsters to commit credit card deceit in a straightforward manner. The most commonly used techniques in internet deceit are:
1. Credit card generators: Credit card number generators are computer programs that generate valid credit card numbers and expiry dates. These generators work by creating lists of credit card account numbers from a single account number. The software applies the mathematical algorithm that card issuers use to create other valid card number combinations.
2. Website cloning: Site cloning means that swindlers duplicate an entire site, or just the subpages from which the client places an order. Customers believe they are purchasing from a trustworthy company, because the pages they are viewing are identical to those of the real site. The cloned or duplicate site receives the order details and sends the client a confirmation of the transaction via email, just as the real company would.
3. False online stores: These sites often offer the clients very cheap deals. The website asks for complete client credit card details, such as name and address in return for access to the content of the site. The sites themselves never charge individuals for the services they provide. These sites are usually part of a large criminal network that either uses the details it collects to raise earnings, or sells valid credit card details to small swindlers.
4. Fraud Prevention Techniques
Fraud prevention methods enable companies and banks to run broad automated scans of initiated transactions and to flag suspicious ones. These tools and technologies are not enough to eliminate fraud, but each method provides separate value in terms of detection ability. The various fraud prevention techniques are as follows.
False Businesses and Cards lists
Both MasterCard and Visa publish a list of companies that have been involved in deceitful transactions in the past. These lists (NMAS from Visa and MATCH from MasterCard) can provide useful information to claimants right at the time of merchant recruitment, preventing potential fraudulent transactions. Card numbers that have been used fraudulently in the past are also stored in a blacklist to avoid further deceit. Companies can keep blacklists based on billing names, street addresses, emails and Internet Protocol (IP) addresses that have resulted in fraud or attempted fraud, effectively blocking any further attempts.
Website and Transport Security
All e-commerce sites should implement application and transport layer security (SSL, SSH, TLS protocols). Before their launch, they must pass PCI (Payment Card Industry) vulnerability scans. Customers can check that a website is secure by confirming that its URL starts with 'https'. Another sign that helps customers identify a secure page is the padlock, a small padlock or key icon shown in the browser's address bar (see figure). It indicates that the page's data is encrypted and therefore protected. The site's certificate is a third way to confirm that a website is safe.
Manual Scans
In this approach, an operator manually scans every transaction for signs of fraudulent activity, which requires intensive human involvement. This makes it an expensive and time-consuming method. Manual scanning is also unable to detect some of the most frequent patterns of deceit, such as the use of a single credit card multiple times at multiple locations (physical or web sites) in a short interval.
Address Verification System
This method is applicable in card-not-present scenarios. The Address Verification System (AVS) matches the first few digits of the street address and the ZIP code given for delivery of or payment for the order against the corresponding information on record with the card issuer. A code that represents the level of match between these addresses is returned to the merchant. AVS is not very useful for international transactions.
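The comparison described above can be modelled as follows. This is an added example, not code from the original article or from any card network; the function names and the match-level labels (FULL, ADDRESS_ONLY, ZIP_ONLY, NONE, UNAVAILABLE) are hypothetical, and the sample orders are constructed.

```python
import re

def leading_digits(text):
    """Leading run of digits in a street line or postal code ('' if there is none)."""
    m = re.match(r"\s*(\d+)", text or "")
    return m.group(1) if m else ""

def avs_match(entered_street, entered_zip, record_street, record_zip):
    """Compare the numeric parts of the entered address with the issuer's record.

    Returns a hypothetical match level: FULL, ADDRESS_ONLY, ZIP_ONLY, NONE,
    or UNAVAILABLE when the record holds no leading digits to compare.
    """
    rec_street = leading_digits(record_street)
    rec_zip = leading_digits(record_zip)[:5]      # ignore a ZIP+4 suffix
    if not rec_street and not rec_zip:
        return "UNAVAILABLE"
    street_ok = bool(rec_street) and leading_digits(entered_street) == rec_street
    zip_ok = bool(rec_zip) and leading_digits(entered_zip)[:5] == rec_zip
    if street_ok and zip_ok:
        return "FULL"
    if street_ok:
        return "ADDRESS_ONLY"
    if zip_ok:
        return "ZIP_ONLY"
    return "NONE"

# Constructed orders: (entered street, entered ZIP, street on record, ZIP on record)
SAMPLE_ORDERS = [
    ("123 Main St Apt 4", "94105-1234", "123 MAIN STREET", "94105"),
    ("125 Main St", "94105", "123 Main St", "94105"),
    ("123 Main St", "10001", "123 Main St", "94105"),
    ("9 Elm Rd", "10001", "123 Main St", "94105"),
    # Postal formats that do not start with digits give AVS nothing to compare
    ("Flat 3, Rose Court", "SW1A 1AA", "Flat 3, Rose Court", "SW1A 1AA"),
]

def check_samples():
    """Match level for each constructed order, in order."""
    return [avs_match(*order) for order in SAMPLE_ORDERS]
```

The last sample shows why the numeric comparison gives little signal for addresses and postal codes that are not in the digits-first format.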
Payer Authentication
Payer authentication is an emerging technology that aims to add a new level of security to business-to-consumer Internet transactions. This method is based on a Personal Identification Number (PIN) associated with the card, similar to those used with ATM cards, and a secure direct authentication channel between the customer and the bank. The PIN is issued by the bank when the cardholder enrolls the card with the program and is used only to authorize online transactions. When the password is verified, the online store can complete the transaction.
Card Verification Methods
The Card Verification Method (CVM) consists of a 3- or 4-digit numeric code that is printed on the card but is not embossed on it and is not available in the magnetic stripe. The merchant can ask the cardholder to provide this numeric code in a card-not-present transaction and submit it with the authorization. The purpose of CVM is to ensure that the person submitting the transaction is in possession of the actual card.
Lockout Mechanisms
Automatic card number generators are one of the new advanced tools frequently used by swindlers. These programs, easily downloadable from the Web, are able to generate thousands of 'valid' credit card numbers. The traits of these frauds are a large number of declines and multiple transactions with similar card numbers (e.g. the same Bank Identification Number (BIN)). Affiliated banks and online stores can activate prevention mechanisms in order to detect number generator attacks.
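A lockout check built on the two traits named above (many declines, many similar card numbers under one BIN) might look like this. It is an added example, not code from the original article; the window, thresholds, 6-digit BIN length and function name are assumptions, and the authorization log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed look-back window
MIN_DISTINCT_CARDS = 5           # assumed: distinct card numbers per BIN before judging
DECLINE_RATIO = 0.75             # assumed: share of declines that triggers a lockout

def detect_generator_attack(events):
    """events: (iso_timestamp, card_number, approved) tuples sorted by time.

    Returns {bin: timestamp at which that BIN should be locked out}. A BIN is
    flagged when, within WINDOW, enough distinct card numbers sharing it were
    tried and most of the attempts were declined.
    """
    recent = defaultdict(deque)          # bin -> deque of (time, card, approved)
    locked = {}
    for ts, card, approved in events:
        now = datetime.fromisoformat(ts)
        bin_ = card[:6]
        q = recent[bin_]
        q.append((now, card, approved))
        while now - q[0][0] > WINDOW:    # drop attempts older than the window
            q.popleft()
        distinct = {c for _, c, _ in q}
        declines = sum(1 for _, _, ok in q if not ok)
        if (bin_ not in locked and len(distinct) >= MIN_DISTINCT_CARDS
                and declines / len(q) >= DECLINE_RATIO):
            locked[bin_] = ts
    return locked

# Constructed authorization log (card numbers are made up for the example).
# BIN 400000: six different numbers in six minutes, only one approved.
SAMPLE = [(f"2024-01-01T10:0{i}:00", f"40000000000001{i:02d}", i == 3)
          for i in range(6)]
# BIN 510000: one cardholder retrying the same declined card six times.
SAMPLE += [(f"2024-01-01T10:0{i}:30", "5100000000000007", False)
           for i in range(6)]
SAMPLE.sort()

if __name__ == "__main__":
    print(detect_generator_attack(SAMPLE))
```

Counting distinct card numbers rather than raw declines keeps a single cardholder's repeated retries from locking out a whole BIN.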