Payment Card Fraud – The Uses and Methods of Making Fraudulent Transactions
Monday, March 22, 2010
By Marlee Rosen
Payment card fraud is a problem that will not go away; it grows with the growth of the industry itself. Just as with computer viruses and home security systems, the solutions are only as good as the last break-in. And just as the growth of the high-end home market and of computer usage make those more attractive to thieves, so too does the increase in payment card dependency and pervasiveness make cards more attractive and worthwhile to fraudsters. Also, with the globalization of just about everything relevant, such as online shopping, international banking, IP address masking, etc., it is constantly easier for fraudsters to operate remotely, upgrade the sophistication of their activities and attract highly talented and educated software engineers, creating key challenges for all parties involved in fraud prevention. It is not uncommon for the security teams trying to design systems that prevent and control fraudulent theft to find themselves up against perpetrators who are just as educated and sophisticated as they are, just as in the home security and computer security industries. The criminal has long since ceased to be at any kind of educational or experience disadvantage.
There are several types of payment card fraud. Application fraud is a form of ID theft in which payment cards are obtained via a fraudulent application process using stolen or counterfeit documents. Account takeover, also a type of ID theft, involves deceiving a financial institution, convincing them to re-issue a payment card and direct it to a different address. The most obvious and simple type is the result of the cardholder losing or having their card stolen. Counterfeit cards or the alteration of existing cards involves the ability to encode them with illegally obtained payment card account data.
Then comes the fastest growing area of payment card fraud – card not present or CNP, reaching up to 50% of all payment card fraud in some countries. This fraud is committed when using payment card account data to undertake transactions where there is no face-to-face contact between the seller and purchaser. Typically, this type of fraud is committed via telephone, Internet or mail order.
Many European countries have migrated to “chip and PIN” technology, which replaces the magnetic stripe. The motive for this stemmed from two related scenarios. ATMs and Point of Sale (POS) readers were first stolen to be analyzed; alterations were then designed that could be implemented in machines with little or no security to read the magnetic stripes, a practice known as skimming, oftentimes transmitting the captured data to the perpetrators in a number of ways. Some countries reported upwards of 8% of machines being stolen, with higher percentages being altered. The chip addresses that issue, and requiring the customer to enter a PIN to use their card cut down on the use of physically stolen and/or counterfeit cards.
The US has not migrated to PIN requests, and during the European transition many honest but unsuspecting American tourists found themselves overseas without the ability to use their legitimate payment cards, since in the US PIN entry has only been required for cash advances. In fact, most customer service personnel of payment card vendors were not only unaware of this change overseas, but insisted that PINs were only required for cash advances, even abroad, leaving the customer without the use of their card while traveling in countries that had changed over. These huge inconveniences were yet another by-product of the entire fraud scenario.
Additionally, overseas, wireless card readers/transmitters make it possible for the card to be swiped in front of the customer, say at a restaurant table, so that the card never leaves the customer’s sight. Again, this appears to be more common outside the US.
It needs to be said that there are several different scenarios determining who is liable for a fraudulent transaction. There’s a move in the direction of holding the merchant liable by charging different fees according to the risk involved. For example, an online merchant who insists on collecting the 3 or 4 digit security code on the back of the card as proof of card possession may pay lower merchant fees than a merchant who does not require it. This, along with fluctuating merchant rates and fees, is a motivator for merchants to justify the cost of the new POS systems and card readers required to take advantage of the new technology, plus implementing the additional online technologies, such as the aforementioned security code collection for ecommerce sites. All these additional technology implementations and hardware purchases are, again, another by-product of the fraud itself, all going into the price of fraud, i.e. into the price of doing business. Although it’s always agreed that the preventive measures are less costly than the fraud itself, it’s no small expenditure, especially since there have been several iterations just in the last few years.
The participants, uses and methods of fraud have grown substantially. Paul Buelens, Product Manager, Anti Fraud Solutions at EastNets (www.eastnets.com), states that, “Obtained funds are re-invested into different forms of crime, loan sharking, and extortion, prostitution, traffic of arms and drugs, as well as financing terrorist organizations worldwide. Additionally, the focus of how to obtain track data or funds has changed. Instead of attacking or altering the payment card they have moved up to data hacking by SQL injection, installing malware or activating dormant sniffers installed over the years. This has become the biggest threat to the financial industry. Recent major cases have proven to have a big impact on both reputational risk and financial losses (Heartland, TJ Maxx, Worldpay, Lufthansa Air, etc.). Different initiatives have been taken to reduce theft of usable data but more radical measures are imminent. PCI DSS is definitely a step in the right direction but needs more compliance follow-up.”
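The quote above names SQL injection as the route by which track data is now taken from merchants and processors. The following is an added example, not code from the article or from EastNets, showing the defect and its fix side by side on a constructed merchant order table: an order lookup that splices caller input into SQL text, and the same lookup with the value bound as a parameter. The table, its rows and the function names are assumptions made for the example; the store deliberately holds only a masked PAN and no security code, so even the vulnerable lookup cannot leak full card data.

```python
import sqlite3

# Constructed sample data: a tiny merchant order table. Only the last four
# digits of each PAN are kept, and the security code is never stored at all.
SAMPLE_ORDERS = [
    ("ORD-1001", "alice@example.com", "************1111", 49.99),
    ("ORD-1002", "bob@example.com", "************4444", 120.00),
    ("ORD-1003", "carol@example.com", "************0005", 15.25),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database seeded with the constructed orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (order_id TEXT, customer TEXT, pan_masked TEXT, amount REAL)"
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", SAMPLE_ORDERS)
    conn.commit()
    return conn


def lookup_order_vulnerable(conn: sqlite3.Connection, order_id: str) -> list:
    """Deliberately unsafe: the caller-controlled order_id is pasted into the SQL
    text, so a crafted value changes the query's meaning instead of being data."""
    sql = (
        "SELECT order_id, customer, pan_masked, amount FROM orders "
        f"WHERE order_id = '{order_id}'"
    )
    return conn.execute(sql).fetchall()


def lookup_order_safe(conn: sqlite3.Connection, order_id: str) -> list:
    """Hardened form: the value is bound as a query parameter, so the database
    treats it as a literal string no matter which characters it contains."""
    sql = "SELECT order_id, customer, pan_masked, amount FROM orders WHERE order_id = ?"
    return conn.execute(sql, (order_id,)).fetchall()


def demo() -> dict:
    """Run both lookups with an honest id and with a tautology payload and
    report how many rows each returns."""
    conn = build_db()
    honest = "ORD-1001"
    # The textbook tautology input: in the vulnerable lookup the WHERE clause
    # becomes  order_id = '' OR '1'='1'  and matches every row.
    crafted = "' OR '1'='1"
    return {
        "vulnerable_honest": len(lookup_order_vulnerable(conn, honest)),
        "vulnerable_crafted": len(lookup_order_vulnerable(conn, crafted)),
        "safe_honest": len(lookup_order_safe(conn, honest)),
        "safe_crafted": len(lookup_order_safe(conn, crafted)),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s)")
```

The contrast is the whole lesson: the vulnerable lookup returns every order for the crafted input, the parameterized one returns none, and the only change is that the value travels as a bound parameter rather than as SQL text. The second, quieter defence shown is the schema itself: a store that holds only masked PANs and no security code limits what any query, injected or not, can disclose.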
Paul provides the following statistics as an example of the prevalence of this issue. He states, “Throughout Europe there are approximately 500,000 ATMs installed, of which only about 20% are secured in any way (anti-skimming devices, CCTV, ink staining, etc.). For example, the UK has around 55,000 ATMs installed, of which more than 4,000 were attacked in 2009, having an enormous impact on fraud losses. Compared to 2008 this is a 25% increase. Note that five European countries account for 90% of these fraud losses (UK, Germany, Holland, Italy and Spain). Skimming is the most used form of obtaining data; both external and internal devices are installed on the ATM, with or without transmitting capabilities.”
And the issues don’t stop there. Should a merchant buy a service contract on a particular POS machine when a new workaround may well be created, requiring new technology, perhaps from a different vendor, before that service contract expires? How does a merchant amortize hardware and software that keeps getting replaced as new forms of fraud and theft are created? How does the merchant balance these expenditures against the increase in fees if he does not implement the latest technology, and how does that compare with his overall exposure and insurance?
As you can see, the list of considerations and examples can go on and on. What is important to know is the most efficient way to stay abreast of the current state of fraud, because knowing all the facts is the initial step in knowing best how to address it, as it is one of business’s fastest moving targets.