Understanding Credit Card Frauds

Cards Business Review#2003–01Understanding CreditCard FraudsTej Paul Bhatla, Vikram Prabhu &Amit DuaJune 2003 Tata Consultancy Services 2002. All rights reserved.

CONTENTSOVERVIEW .1INTRODUCTION.1PURPOSE OF THIS PAPER.1CURRENT STATE OF THE INDUSTRY .2HOW FRAUD IS COMMITTED WORLDWIDE? .2FRAUD TECHNIQUES .3CARD RELATED FRAUDS .4APPLICATION FRAUD . 4LOST/ STOLEN CARDS . 4ACCOUNT TAKEOVER . 4FAKE AND COUNTERFEIT CARDS . 4MERCHANT RELATED FRAUDS .5MERCHANT COLLUSION. 5TRIANGULATION . 5INTERNET RELATED FRAUDS .5IMPACT OF CREDIT CARD FRAUDS .6IMPACT OF FRAUD ON CARDHOLDERS.6IMPACT OF FRAUD ON MERCHANTS .7IMPACT OF FRAUD ON BANKS (ISSUER/ACQUIRER) .7FRAUD PREVENTION AND MANAGEMENT.8FRAUD PREVENTION TECHNOLOGIES .8MANUAL REVIEW . 8ADDRESS VERIFICATION SYSTEM. 8CARD VERIFICATION METHODS . 9NEGATIVE AND POSITIVE LISTS . 9PAYER AUTHENTICATION . 9LOCKOUT MECHANISMS . 10FRAUDULENT MERCHANTS. 10RECENT DEVELOPMENTS IN FRAUD MANAGEMENT .10SIMPLE RULE SYSTEMS . 10RISK SCORING TECHNOLOGIES. 11NEURAL NETWORK TECHNOLOGIES . 11BIOMETRICS. 11SMART CARDS . 12MANAGING THE TOTAL COST OF FRAUD.13CONCLUSION.14REFERENCES .15

Understanding Credit Card FraudsOVERVIEWIntroductionCredit Card Fraud is one of the biggest threats to business establishments today.However, to combat the fraud effectively, it is important to first understand themechanisms of executing a fraud. Credit card fraudsters employ a large number ofmodus operandi to commit fraud. In simple terms, Credit Card Fraud is defined as:When an individual uses another individuals’ credit card for personal reasons while theowner of the card and the card issuer are not aware of the fact that the card is beingused. Further, the individual using the card has no connection with the cardholder orissuer, and has no intention of either contacting the owner of the card or makingrepayments for the purchases made.Credit card frauds are committed in the following ways: An act of criminal deception (mislead with intent) by use of unauthorized accountand/or personal informationIllegal or unauthorized use of account for personal gainMisrepresentation of account information to obtain goods and/or services.Contrary to popular belief, merchants are far more at risk from credit card fraud than thecardholders. While consumers may face trouble trying to get a fraudulent chargereversed, merchants lose the cost of the product sold, pay chargeback fees, and fearfrom the risk of having their merchant account closed.Increasingly, the card not present scenario, such as shopping on the internet poses agreater threat as the merchant (the web site) is no longer protected with advantages ofphysical verification such as signature check, photo identification, etc. In fact, it is almostimpossible to perform any of the ‘physical world’ checks necessary to detect who is at theother end of the transaction. This makes the internet extremely attractive to fraudperpetrators. According to a recent survey, the rate at which internet fraud occurs is 12to 15 times higher than ‘physical world’ fraud. However, recent technical developmentsare showing some promise to check fraud in the card not present scenario.Purpose of this PaperThe purpose of this white paper is to study:State of the credit card industry,Different types of frauds,How fraudsters attempt to take advantage of loopholes,Impact of credit card fraud on card holders, merchants, issuers,How a comprehensive fraud detection system could help maintain the cost ofdetecting fraud, and Losses due to fraud, i.e., the total cost of fraud, under manageable levels.While the focus of the document will be mostly on Visa and MasterCard type transactions,the concepts and ideas generally prove valid with other credit cards such as American Page 1 of 1

Understanding Credit Card FraudsExpress and Discover also.Current State of the IndustryWhile the exact amount of losses due to fraudulent activities on cards is unknown,various research analyst reports concur that the figure for year 2002 probably exceeds 2.5 billion. Further, as the overall e-commerce volumes continue to grow and fraudstersadopt more complex schemes, the projected figure for losses to internet merchants in theUS alone is expected to be in the range of 5–15 billion by the year 20051. This again isdependent on how rapidly fraud prevention technology will be adopted by the industry.The incidence of fraud for credit card transactions taking place over the internet isaccording to Garner G22, nearly 15 times higher than face-to-face transactions.The increased likelihood of fraud, in conjunction with the full economic liability for fraudlosses makes risk management one of the most important challenges for Internetmerchants worldwide.How Fraud is Committed Worldwide?While lost or stolen card is the most common type of fraud, others include identity theft,skimming, counterfeit card, mail intercept fraud and others. Table 1 summarises themodus operandi for credit card frauds and their percentage of occurrence.MethodPercentageLost or stolen card48%Identity theft15%Skimming (or cloning)14%Counterfeit card12%Mail intercept fraud6%Other5%Table 1: Methods of Credit Card Fraud and their percentage of occurrenceSource: Celent Communications, January 2003Amongst the high risk countries facing Credit Card Fraud menace, Ukraine tops the listwith staggering 19% fraud rate closely followed by Indonesia at 18.3% fraud rate. Also inthe list of high risk countries are Yugoslavia (17.8%), Turkey (9%) and Malaysia (5.9%).Surprisingly United States, with its high number Credit Card transactions, has a minimumfraud rate.Over the last few years, the credit card industry in UK was subjected to maximum threatfrom increasing fraud losses. Table 2 shows the worrying trend in volume of credit cardfrauds in UK over the last few years.1Source: Fighting Fraud on the Internet: An Advanced Approach, Meridian Research, September 19992Source: Online Transaction Fraud and Prevention Get More Sophisticated, Garner G2, January 2002Page 2 of 2

Understanding Credit Card FraudsFraud Category20002001% ChangeCounterfeit107.1160.3 50Card-not-present72.995.7 31Lost/stolen card101.9114.0 12Intercepted in post17.726.7 51Fraudulent application10.56.6 37Other6.98.0 15Totals317.0411.4 30Losses as % of turnover0.1620.183 13Table 2: Trend of fraud categories in UK for 2000–2001 (in Pound Sterling millions)Source: APACS, March 2002Stolen and counterfeit cards together contribute to more than 60% of fraud lossesaccording to figures published by both MasterCard and Visa in Figure 1.Figure 1: Visa & MasterCard accounts by fraud types for year 2001 (January to May)Source: APACS, March 2002FRAUD TECHNIQUESAs indicated above, there are many ways in which fraudsters execute a credit card fraud.As technology changes, so do the technology of fraudsters, and thus the way in whichthey go about carrying out fraudulent activities. Frauds can be broadly classified intothree categories, i.e., traditional card related frauds, merchant related frauds andinternet frauds. The different types of methods for committing credit card frauds aredescribed below:Page 3 of 3

Understanding Credit Card FraudsCard Related FraudsAPPLICATION FRAUDThis type of fraud occurs when a person falsifies an application to acquire a credit card.Application fraud can be committed in three ways: Assumed identity, where an individual illegally obtains personal information ofanother individual and opens accounts in his or her name, using partially legitimateinformation. Financial fraud, where an individual provides false information about his or herfinancial status to acquire credit. Not-received items (NRIs) also called postal intercepts occur when a card is stolenfrom the postal service before it reaches its owner’s destination.LOST/ STOLEN CARDSA card is lost/stolen when a legitimate account holder receives a card and loses it orsomeone steals the card for criminal purposes. This type of fraud is in essence the easiestway for a fraudster to get hold of other individual's credit cards without investment intechnology. It is also perhaps the hardest form of traditional credit card fraud to tackle.ACCOUNT TAKEOVERThis type of fraud occurs when a fraudster illegally obtains a valid customers’ personalinformation. The fraudster takes control of (takeover) a legitimate account by eitherproviding the customers account number or the card number. The fraudster then contactsthe card issuer, masquerading as the genuine cardholder, to ask that mail be redirectedto a new address. The fraudster reports card lost and asks for a replacement to be sent.FAKE AND COUNTERFEIT CARDSThe creation of counterfeit cards, together with lost / stolen cards pose highest threat incredit card frauds. Fraudsters are constantly finding new and more innovative ways tocreate counterfeit cards. Some of the techniques used for creating false and counterfeitcards are listed below:1. Erasing the magnetic strip: A fraudster can tamper an existing card that has beenacquired illegally by erasing the metallic strip with a powerful electro-magnet. Thefraudster then tampers with the details on the card so that they match the details of avalid card, which they may have attained, e.g., from a stolen till roll. When thefraudster begins to use the card, the cashier will swipe the card through the terminalseveral times, before realizing that the metallic strip does not work. The cashier willthen proceed to manually input the card details into the terminal.This form of fraud has high risk because the cashier will be looking at the card closelyto read the numbers. Doctored cards are, as with many of the traditional methods ofcredit card fraud, becoming an outdated method of illicit accumulation of either fundsor goods.2. Creating a fake card: A fraudster can create a fake card from scratch usingsophisticated machines. This is the most common type of fraud though fake cardsrequire a lot of effort and skill to produce. Modern cards have many security featuresall designed to make it difficult for fraudsters to make good quality forgeries.Holograms have been introduced in almost all credit cards and are very difficult toPage 4 of 4

2. Creating a fake card: A fraudster can create a fake card from scratch using sophisticated machines. This is the most common type of fraud though fake cards require a lot of effort and skill to produce. Modern cards have many security features all designed to make it