Professional Documents
Culture Documents
Credit Card Fraud
Credit Card Fraud
Credit Cards
- Frauds & Preventions
Ravi Mehra
01/15/16
This report is prepared for FAFP course, Batch 40, conducted by the Institute of Chartered Accountants
of India, in coordination with Bahrain Chapter of the Institute of Chartered Accountants of India.
Credit Cards - Frauds & Preventions
INDEX
o By card issuers 10
o By cardholders 11
I. INTRODUCTION
Credit Card Fraud is the fraudulent use of a payment card account, such as a credit card or debit
card, through the theft of the account holder's card number, card details and personal
information, through a wide variety of methods in order to perform unauthorized transactions
from the compromised account. The purpose may be to obtain goods without paying, or to obtain
unauthorized funds from an account.
Although incidence of credit card fraud is limited to about 0.1% of all card transactions, credit
card fraud is rife across the world, with criminals operating many different scams and techniques
to get hold of the victim’s details. This has resulted in huge financial losses as the fraudulent
transactions have been large value transactions.
Fraud losses incurred by banks and merchants on all credit, debit, and prepaid general purpose
and private label payment cards issued worldwide reached $16.31 billion last year when global
card volume totaled $28.844 trillion. This means that for every $100 in volume, 5.65¢ was
fraudulent. Fraud, which grew by 19%, outpaced volume, which grew by 15%. When measuring
only the global general purpose brands — UnionPay, Visa, MasterCard, JCB, Discover/Diners,
and American Express, total volume was $23.777 trillion, up 14.8%, and fraud losses were
$15.45 billion, up 18.5%. The U.S. accounted for 48.2% or $7.86 billion of gross card fraud
losses worldwide, while generating only 21.4% or $6.187 trillion of total volume. U.S. fraud
losses equaled 12.75¢ for every $100 in total volume last year. Fraud in all other regions
combined was only 3.73¢ per $100.
Of the total $16.31 billion lost to fraud last year, card issuers worldwide absorbed 62%.
Merchants accounted for the other 38%. In the U.S., card issuers lost $4.91 billion and
merchants lost $2.95 billion. Those losses do not include related costs issuers and merchants
incur.
For 2015 through 2020, card fraud worldwide is expected to total $183.29 billion. In 2020,
global card fraud is expected to exceed $35.54 billion. Losses in cents per every $100 in total
volume will rise to 5.74¢ in 2015 before falling to 5.26¢ in 2020.
Below pic summarizes the overall growth in Card fraud from 1993 to 2014.
Annual cost of Card Frauds to US Retailers and its classification by Fraud types is shown in the
next page.
12 Bank Muscat prepaid Travel Cards were compromised on February 20, 2013. The gross
value of transactions on these cards, which were compromised outside of Oman, was RO 15
million.
Between July 2005 and mid-January 2007, a breach of systems at TJX Companies exposed
data from more than 45.6 million credit cards. Albert Gonzalez is accused of being the
ringleader of the group responsible for the thefts.
In August 2009 Gonzalez was also indicted for the biggest known credit card theft to date —
information from more than 130 million credit and debit cards was stolen at Heartland
Payment Systems, retailers 7-Eleven and Hannaford Brothers, and two unidentified
companies.
In 2012, about 40 million sets of payment card information were compromised by a hack of
Adobe Systems.
In July 2013, press reports indicated four Russians and a Ukrainian were indicted in New
Jersey for what was called “the largest hacking and data breach scheme ever prosecuted in
the United States.”
Multiple factors contributed to Card Fraud. Fraud losses occurred from card counterfeiting, card
not present (CNP), fraudulent application, lost & stolen, card not received, and other much
smaller categories according to ‘The Nilson Report’, the top trade newsletter covering the card
and mobile payment industries.
‘Card not present’ (CNP) fraud occurs when neither the cardholder nor the card are present
during a transaction. The mail and the Internet are major routes for fraud against merchants who
sell and ship products, and affects legitimate mail-order and Internet merchants. If the card is not
physically present (called CNP, card not present) the merchant must rely on the holder (or
someone purporting to be so) presenting the information indirectly, whether by mail, telephone
or over the Internet. While there are safeguards to this, it is still more risky than presenting in
person. In the recent years, CNP has been the biggest areas of card fraud losses worldwide, and
card issuers tend to charge a greater transaction rate for CNP, because of the greater risk.
It is difficult for a merchant to verify that the actual cardholder is indeed authorizing the
purchase. Shipping companies can guarantee delivery to a location, but they are not required to
check identification and they are usually not involved in processing payments for the
merchandise. A common recent preventive measure for merchants is to allow shipment only to
an address approved by the cardholder, and merchant banking systems offer simple methods of
verifying this information.
Small transactions generally undergo less scrutiny, and are less likely to be investigated by either
the card issuer or the merchant. CNP merchants must take extra precaution against fraud
exposure and associated losses, and they pay higher rates for the privilege of accepting cards.
Fraudsters bet on the fact that many fraud prevention features are not used for small transactions.
Merchant associations have developed some prevention measures, such as single use card
numbers, but these have not met with much success. Customers expect to be able to use their
credit card without any hassles, and have little incentive to pursue additional security due to laws
limiting customer liability in the event of fraud. Merchants can implement these prevention
measures but risk losing business if the customer chooses not to use them.
The MasterCard SecureCode and ‘Verified by Visa’ schemes add security to any card by
allowing the holder to set up an additional password when paying for anything online. This
makes it much harder for anyone trying to pay with a card that isn’t theirs.
1. Save all your credit card receipts to check against monthly statements.
2. Contact your credit card company immediately about any unusual payments.
3. Once you have viewed your statement make sure you shred them.
4. Keep all bills and credit cards ina a safe place away from any 3rd party’s access.
Counterfeit credit cards are fakes that have real account information stolen from victims. Often,
the victims still have their real cards, so they don't know a crime has occurred. The cards appear
legitimate, with issuers' logos and encoded magnetic strips. Criminals use stolen account
information to create counterfeit cards or to charge items over the phone or the Internet.
Counterfeit cards often are used just a few times and abandoned before the victim becomes
aware and reports their misuse.
Credit card skimming refers to thieves making an illegal copy of a credit card or a bank card
using a device that reads and duplicates the information from the original card. Dishonest
business employees use small machines called "skimmers" to read numbers and other
information from credit cards and capture and resell it to criminals, who create counterfeit cards
or charge items over the phone or the Internet.
Skimming is the theft of payment card information used in an otherwise legitimate transaction.
The thief can procure a victim's card number using basic methods such as photocopying receipts
or more advanced methods such as using a small electronic device (skimmer) to swipe and store
hundreds of victims’ card numbers. Common scenarios for skimming are restaurants or bars
where the skimmer has possession of the victim's payment card out of their immediate view.
The thief may also use a small keypad to unobtrusively transcribe the 3 or 4 digit Card Security
Code, which is not present on the magnetic strip. Call centers are another area where skimming
can easily occur. Skimming can also occur at merchants such as gas stations when a third-party
card-reading device is installed either outside or inside a fuel dispenser or other card-swiping
terminal. This device allows a thief to capture a customer’s card information, including their
PIN, with each card swipe.
Instances of skimming have been reported where the perpetrator has put over the card slot of an
ATM (automated teller machine) a device that reads the magnetic strip as the user unknowingly
passes their card through it. These devices are often used in conjunction with a miniature camera
(inconspicuously attached to the ATM) to read the user's PIN at the same time. This method is
being used in many parts of the world, including South America, Argentina, and Europe.
Another technique used is a keypad overlay that matches up with the buttons of the legitimate
keypad below it and presses them when operated, but records or wirelessly transmits the keylog
of the PIN entered. The device or groups of devices illicitly installed on an ATM are also
colloquially known as a "skimmer". Recently made ATMs now often run a picture of what the
slot and keypad are supposed to look like as a background, so that consumers can identify
foreign devices attached.
Skimming is difficult for the typical cardholder to detect, but given a large enough sample, it is
fairly easy for the card issuer to detect. The issuer collects a list of all the cardholders who have
complained about fraudulent transactions, and then uses data mining to discover relationships
among them and the merchants they use. For example, if many of the cardholders use a particular
merchant, that merchant can be directly investigated. Sophisticated algorithms can also search
for patterns of fraud. Merchants must ensure the physical security of their terminals, and
penalties for merchants can be severe if they are compromised, ranging from large fines by the
issuer to complete exclusion from the system, which can be a death blow to businesses such as
restaurants where credit card transactions are the norm.
1. Whenever you pay for something with your card, make sure you can see it at all times.
2. Don’t be distracted when handing over or using your card.
3. Try to check for any fake attachments or cameras on ATMs and report anything suspicious.
4. Always check your statements and report any unusual payments.
3. Phishing
Phishing is an online technique used by scammers to acquire the credit card information.
Phishing is a crime that starts with deceptive e-mails being sent to consumers. These messages
are made to look as if they come from the person's bank, in an effort to get the intended victim to
reveal personal information, such as bank account numbers and online passwords. Phishing has
become a widespread practice of criminals, who have succeeded in stealing personal information
from many people. The crime succeeds because the e-mails look legitimate, with realistic bank
logos and web site addresses (URLs) that are very similar to the bank URLs.
Account holders who respond to such e-mail messages are directed to a fake web site where they
are asked to type in account numbers, passwords and other personal banking or credit card
information. Then, in a matter of hours, the criminals can drain your bank accounts, using your
passwords to authorize the electronic transfer of funds to accounts they control.
"Any unsolicited phone call, email, text or social media message could be a phishing attempt,"
says Erik Mueller, vice president of payment system integrity at MasterCard Worldwide. "Be
skeptical of these messages, especially if they request credit or debit card data or personal
information, or link to another website or Web page." With the right data, a phisher will quickly
find a way to commit credit card fraud.
If you think the message might be legitimate or you have concerns about fraud, contact your
issuer directly using the customer service phone number on the back of your debit or credit card.
When a credit card is lost or stolen, it may be used for illegal purchases until the holder notifies
the issuing bank and the bank puts a block on the account. Most banks have free 24-hour
telephone numbers to encourage prompt reporting. Still, it is possible for a thief to make
unauthorized purchases on a card before the card is cancelled. Without other security measures, a
thief could potentially purchase thousands of dollars in merchandise or services before the
cardholder or the card issuer realizes that the card has been compromised.
In Australia, there is a service called "Paypass" or more colloquially known as "tap and go". This
is where a person can purchase goods or services and can just tap the credit (or debit) card on the
card reader. If the transaction is less than Aud$100.00, no PIN or signature is required. A stolen
credit or debit card could be used for a significant amount of these transactions before the true
owner can have the account cancelled.
Immediately report Losses and Fraud. Call the card issuer as soon as you realize your card
has been lost or stolen. Many companies have toll-free numbers and 24 hour service to deal
with this. Once you report the loss or theft, the law says you have no additional responsibility
for charges you didn’t make; in any case, your liability for each card lost or stolen is $50. If
you suspect that the card was used fraudulently, you may have to sign a statement under oath
that you didn’t make the purchases in question
A common countermeasure is to require the user to key in some identifying information,
such as the user's ZIP or postal code. This method may deter casual theft of a card found
alone.
Card issuers have several countermeasures, including sophisticated software that can, prior to
an authorized transaction, estimate the probability of fraud. For example, a large transaction
occurring a great distance from the cardholder's home might seem suspicious. The merchant
may be instructed to call the card issuer for verification, or to decline the transaction, or even
to hold the card and refuse to return it to the customer. The customer must contact the issuer
and prove who they are to get their card back (if it is not fraud and they are actually buying a
product).
1. By merchants:
2. By card issuers:
Fraud detection and prevention softwares that analyzes patterns of normal and unusual
behavior as well as individual transactions in order to flag likely fraud. Profiles include
such information as IP address. Technologies have existed since the early 1990s to detect
potential fraud. Leading software solutions for card fraud include Actimize, SAS, BAE
Systems Detica, and IBM.
4. By cardholders:
EMV
3-D Secure
Strong authentication
BillGuard - a personal finance security app
True Link
Point to Point Encryption.
In conclusion, incorporating a few practices into your daily routine can help keep your cards and
account numbers safe. For example, keep a record of your account numbers, their expiration
dates and the phone number to report fraud for each company in a secure place. Don’t lend your
card to anyone, even your kids or roommates, and don’t leave your cards, receipts, or statements
around your home or office. When you no longer need them, shred them before throwing them
away.