Credit card fraud

Credit card fraud


Credit card fraud is one of many forms of fraud involving credit cards, charge cards, debit cards, or prepaid cards.

Credit card fraud is a kind of fraud where a merchant (business, service provider, seller, etc.) is "tricked" into releasing merchandise or rendering services, believing that a credit card account will provide payment for goods/services. The merchant later learns that they will not be paid, or the payment they received will be reclaimed by the card's issuing bank.



Typically, the fraudster causes a credit card of another person to be charged for a purchase. Today, half of all credit card fraud is conducted online, meaning that the fraudsters make online purchases with the credit card details of other people.



Types of Fraud



Mail Non-Receipt Fraud



Mail non-receipt fraud occurs when a thief intercepts a replacement card sent to the legitimate cardholder and uses it. However, many banks increasingly send out inactive cards that cannot be used until the legitimate account holder confirms his or her identity to the bank using Social Security number, home address, mother's maiden name, and the number on the card.



Chargeback Fraud



Chargebacks occur when a cardholder's credit card details are used to purchase items without their authorization. This generally involves online companies, who often cannot verify that the person entering the details on their site is the actual cardholder (i.e. Card-Not-Present activity). When the cardholder becomes aware of the activity they usually notify their bank, who are likely to refund almost all of the costs. These costs are then passed back to the company involved as a "chargeback", effectively a penalty for accepting the transaction without proper verification of the purchasers identity.



Another type of chargeback occurs when a legitimate cardholder uses the card to purchase goods, or a service, and then when the statement comes, claims that they never authorised the transaction, or they never received goods or service ordered. This is also known as Cybershoplifting or first-party fraud.



Skimming



Skimming occurs when an unscrupulous employee at a legitimate merchant takes a second copy of the card details on the magnetic strip before processing the payment through the official EPOS terminal. This copy of card details is sold on the black market to fraudsters who clone the cards.




  • skimming of magnetic stripe details has become slightly less prevalent since the introduction of CVV or CVS codes, which are not encoded on the magnetic strip, but are printed on the card — normally on the reverse of the card.

  • skimming of magnetic stripe details together with recording of PIN numbers entered into ATMs has been seen, where a small skimmer device that reads the magnetic stripe is attached to the card slot of an ATM, together with various devices to monitor the keypad, either by attaching a fake keypad over the genuine one, or by remote-controlled spy camera.



Skimming is impossible with new EMV cards that have a small computer chip which is read by POS terminals. A new chip reader/writer has now appeared on the market for less than $1200. It captures the data and the writes it on another, known as a clone. Also PIN nember capturing pads are now available, so watch out where you use your pin with your card.



Fraud Prevention



Card-Present



Merchants should remember to obtain a signed sales docket, and confirm the signature matches the signature on the back of the customer's card. Asking to see the customers identification (ie... Drivers License, State, Government, or Military ID) should in most cases protect against fraud provided that the identification card is valid. Requesting additional identification, however, is forbidden by Visa, MasterCard, and American Express merchant agreements. This method's effectiveness is reduced due to the availability of false/fake identification cards which are readily available to criminals.



A common technique to prevent 'non-matching plastic' (credit cards which have been re-encoded with a different skimmed dump) which is employed by many companies, is to confirm that the last four digits embossed on the card match those on the magstripe (and therefore the sales receipt). This is called 'checking last four'.



Merchants should also obtain proof that the customer's card was present at the point of sale. They can obtain this proof either by electronically reading and submitting certain data present on the card's magnetic stripe, which is done automatically by most point-of-sale systems, by creating a manual imprint of the raised digits and symbols on the card with a manual card imprinter, or by reading the card's smart chip if it has one. See EMV.



In Europe, PIN verification is also used widely whereby the cardholder enters his or her PIN into a point-of-sale terminal and it is checked against the correct PIN over the usual phone or internet authorization systems.



In the United States of America, PIN verification is rarely used for credit cards, although it is used with some debit cards and is referred to as "Debit Card Verification" either with a local bank card or a card with the Visa logo.



Card-Not-Present



When a credit card order is received by phone, the merchant can require the customer to also fax copies of both sides of the credit card. This at least provides proof that the customer has possession of the credit card at the time of the order. Some merchants also require a copy of their state-issued ID, or driver's license. It also provides additional proof the person authorized the purchase, preventing a chargeback.



The problem with this method of fraud detection is that an amateur graphic artist can make a realistic 'scan' of a credit card and driver's licence to fool the unwary company. Many fraudsters have pre-made templates (Adobe Photoshop typically being the tool of choice) which simply require a quick 2 minute change to the credit card number, expiration date, name on card, etc.



The Card Security Code can also be requested. As this number is printed on the card's signature strip or front but stored nowhere on the card, it can be used to verify that the customer has the card in his or her possession and that the card was not stolen by a "skimming" process.



Call the Customer



Calling customers is not only an excellent way to detect fraud, but it can also be a valuable part of customer service.



Sometimes the fraudster will submit the actual phone number of the person whose card was stolen. If the card holder did not authorize the charge, suggest that they call their credit card company to report their card as stolen.



A merchant may call telephone numbers on the same day you receive approved orders, and be told that the telephone number has been disconnected, or the number has been changed. This should certainly send up some red flags for filling an order that was made without the card present.



This method of fraud detection is less than optimal because of anonymous pre-paid cell phone numbers or redirection service number such as Skype, and the lack of companies which readily check that the given telephone number matches the billing telephone number, often because they do not possess the ability to check such information. Indeed, in the European Union, there is no way provided to check the information without violating data privacy laws.



Telephone Authorization Service Based on VoIP



The main problem in combating credit card fraud is to verify whether card details entered by e-shop’s client are in fact client’s details. Implementing a simple script provided by company specializing in offering such services (e.g. Proveout.com) in shopping cart of almost any online shop, allows merchant to initiate a VoIP call to merchant’s client within payment routine.



Implemented script generates a random number and shows it to merchant’s client and instantly initiates VoIP call to client’s phone number that he or she entered while going through the payment routine. When connected, client prompted to enter number that he or she sees on display using telephone keypad. By entering correct number, client proves that phone number provided in payment routine is in fact his or her phone number.



This simple routine takes no more than one minute and allows merchant to make sure that details entered by his client are correct, therefore making it impossible for card fraudsters to use merchant’s payment routine. Here we can face a situation described above - fraudsters can get hold of anonymous phone (cell phone, Skype etc.) number and provide it in merchant’s payment routine. But we must remember that city code of this phone number must correspond with client’s address and with client’s IP geographical location. Also, client’s telephone number can be checked against special telephone database that identifies phone number type. Depending on merchant’s preferences such phone numbers can be declined or marked as potentially fraudulent.



Additional terminology used with credit card fraud are:




  • Chargeback

  • Arbitration

  • On-us transactions

  • Not On-us transactions

  • Retrieval Requests

  • Compliance

  • Pre-compliance

  • Pre-arbitration

  • Representment



Credit Card Crime Profits, Losses & Punishment



Losses



U.S. Federal Law can hold the cardholder victim responsible for up to $50, but the merchant victim is held responsible for 100% plus research and investigation fees levied by the banks. Merchants risk losing their merchandise or services, as well as the research and investigation fees charged by the banks. Merchants in high-risk industries, like unattended automated fuel pumps or Internet sales, anticipate a certain amount of credit card fraud, and set prices accordingly. These higher costs are passed onto the consumer.



Credit Card Companies



In 2003 the Wall Street Journal estimated that the credit card industry generated $500,000,000 in annual revenue in research and investigation fees paid by consumers and businesses. This additional revenue offsets some of the costs incurred by credit card issuing and processing companies' when investigating chargeback claims. Some merchants believe the high revenue generation by the banks from the crime victims, reduce the incentive for the credit card banks to implement procedures to reduce credit card crime. However, the companies which collect these fees are not capable of dictating fraud prevention policies to the rest of the world. Payment transfer associations, like Visa and Mastercard, receive profit from transaction fees calculated as a percentage of the amount of money they transfer. These associations are motivated to enact policies which increase the amount of money transferred by their systems. Credit card fraud has a chilling effect on merchant acceptance of credit cards, motivating merchants to not accept credit card payments to mitigate their risk of loss. These payment transfer associations are therefore motivated to enact policies and enforce regulations which reduce credit card fraud.



Merchants have begun to request changes in State and Federal Laws to protect consumers and merchants from fraud, but the credit card industry has opposed many of the requested laws.



Because all card-accepting merchants and card-carrying customers are bound by contract law, according to the agreements they sign with their processing / issuing banks, respectively, State and Federal law has a smaller role in preventing merchants from being tricked. Payment transfer associations enact regulatory changes, and issuing / acquiring banks, merchants, and cardholders are contractually bound to these new regulations.



The Criminals



Persons that commit credit card crime largely go unpunished and repeatedly victimize consumers and businesses. The Secret Service handles crimes involving the US money supply, they have a limit of $2,000 before investigating each crime. Most credit card criminals know this and keep purchases from any one business below $2,000. With credit card crime occurring across state lines, criminals often are never prosecuted because the dollar amounts are too low for local law enforcement to pay for extradition.




1 Comment:

i've always wondered, with all these advances in the abilities to process credit card transactions, why haven't there been the same technological advancements on protecting the card and the consumer? makes me curious...