Credit card fraud
Encyclopedia
Credit card fraud is a wide-ranging term for theft
and fraud
committed using a credit card
or any similar payment mechanism as a fraudulent source of funds in a transaction. The purpose may be to obtain goods without paying, or to obtain unauthorized funds from an account. Credit card fraud is also an adjunct to identity theft
. According to the Federal Trade Commission, while identity theft had been holding steady for the last few years, it saw a 21 percent increase in 2008. However, credit card fraud, that crime which most people associate with ID theft, decreased as a percentage of all ID theft complaints for the sixth year in a row.
The cost of card fraud in 2006 were 7 cents per 100 dollars worth of transactions (7 basis point
s). Due to the high volume of transactions this translates to billions of dollars. In 2006, fraud in the United Kingdom alone was estimated at £535 million, or US$750–830 million at prevailing 2006 exchange rates.
Stolen cards can be reported quickly by cardholders, but a compromised account can be hoarded by a thief for weeks or months before any fraudulent use, making it difficult to identify the source of the compromise. The cardholder may not discover fraudulent use until receiving a billing statement, which may be delivered infrequently. That is why cardholders need to check their account daily to ensure constant awareness in case there is any suspicious, unknown transactions or activities.
The only common security measure on all cards is a signature panel, but signatures are relatively easy to forge. Some merchants will demand to see a picture ID, such as a driver's license, to verify the identity of the purchaser, and some credit cards include the holder's picture on the card itself. However, the card holder has a right to refuse to show additional verification, and asking for such verification is usually a violation of the merchant's agreement with the credit card companies. Self-serve payment systems (gas stations
, kiosks, etc.) are common targets for stolen cards, as there is no way to verify the card holder's identity.
A common countermeasure is to require the user to key in some identifying information, such as the user's ZIP or postal code. This method may deter casual theft of a card found alone, but if the card holder's wallet is stolen, it may be trivial for the thief to deduce the information by looking at other items in the wallet. For instance, a U.S. driver license commonly has the holder's home address and ZIP code printed on it. Visa Inc. offers merchants lower rates on transactions if the customer provides a zip code.
In Europe, most cards are equipped with an EMV
chip which requires a 4 digit PIN to be entered in to the merchants terminal before payment will be authorised. However, a PIN isn't required for online transactions.
Requiring a customer's ZIP code is illegal in California, where the state's 1971 law prohibits merchants from requesting or requiring a card-holder's "personal identification information" as a condition of accepting the card for payment. The California Supreme Court has ruled that the ZIP code qualifies as personal identification information because it is part of the cardholder's address. Companies face fines of $250–1000 for each violation. Requiring a "personal identification number" (PIN) may also be a violation.
Card issuers have several countermeasures, including sophisticated software that can, prior to an authorized transaction, estimate the probability of fraud. For example, a large transaction occurring a great distance from the cardholder's home might seem suspicious. The merchant may be instructed to call the card issuer for verification, or to decline the transaction, or even to hold the card and refuse to return it to the customer. The customer must contact the issuer and prove who they are to get their card back (if it is not fraud and they are actually buying a product).
It is difficult for a merchant to verify that the actual cardholder is indeed authorising the purchase. Shipping companies can guarantee delivery to a location, but they are not required to check identification and they are usually not involved in processing payments for the merchandise. A common recent preventive measure for merchants is to allow shipment only to an address approved by the cardholder, and merchant banking systems offer simple methods of verifying this information. Before this and similar countermeasures were introduced, mail order carding was rampant as early as 1992. A carder would obtain the credit card information for a local resident and then intercept delivery of the illegitimately purchased merchandise at the shipping address, often by staking out the porch of the residence.
Small transactions generally undergo less scrutiny, and are less likely to be investigated by either the card issuer or the merchant. CNP merchants must take extra precaution against fraud exposure and associated losses, and they pay higher rates for the privilege of accepting cards. Fraudsters bet on the fact that many fraud prevention features are not used for small transactions.
Merchant associations have developed some prevention measures, such as single use card numbers, but these have not met with much success. Customers expect to be able to use their credit card without any hassles, and have little incentive to pursue additional security due to laws limiting customer liability in the event of fraud. Merchants can implement these prevention measures but risk losing business if the customer chooses not to use the measures.
Some merchants added a new practice to protect their consumers and their own reputation, where they ask the buyer to send a photocopy of the physical card and statement to ensure the legitimate usage of a card.
which is not present on the magnetic strip. Call centers are another area where skimming can easily occur.
Instances of skimming have been reported where the perpetrator has put a device over the card slot of an ATM (automated teller machine
), which reads the magnetic strip as the user unknowingly passes their card through it. These devices are often used in conjunction with a miniature camera (inconspicuously attached to the ATM) to read the user's PIN
at the same time. This method is being used very frequently in many parts of the world, including South America, Argentina Europe, the Netherlands. Another technique used is a keypad overlay that matches up with the buttons of the legitimate keypad below it and presses them when operated, but records or transmits the keylog of the PIN entered by wireless. The device or group of devices illicitly installed on an ATM are also colloquially known as a "skimmer". Recently-made ATMs now often run a picture of what the slot and keypad are supposed to look like as a background, so that consumers can identify foreign devices attached.
Skimming is difficult for the typical cardholder to detect, but given a large enough sample, it is fairly easy for the card issuer to detect. The issuer collects a list of all the cardholders who have complained about fraudulent transactions, and then uses data mining
to discover relationships among them and the merchants they use. For example, if many of the cardholders use a particular merchant, that merchant can be directly investigated. Sophisticated algorithms can also search for patterns of fraud. Merchants must ensure the physical security of their terminals, and penalties for merchants can be severe if they are compromised, ranging from large fines by the issuer to complete exclusion from the system, which can be a death blow to businesses such as restaurants where credit card transactions are the norm.
In the past, carders used computer programs called "generators" to produce a sequence of credit card numbers, and then test them to see which were valid accounts. Another variation would be to take false card numbers to a location that does not immediately process card numbers, such as a trade show or special event. However, this process is no longer viable due to widespread requirement by internet credit card processing systems for additional data such as the billing address, the 3 to 4 digit Card Security Code
and/or the card's expiration date, as well as the more prevalent use of wireless card scanners that can process transactions right away. Nowadays, carding is more typically used to verify credit card data obtained directly from the victims by skimming or phishing
.
A set of credit card details that has been verified in this way is known in fraud circles as a phish
. A carder will typically sell data files of the phish to other individuals who will carry out the actual fraud. Market price for a phish ranges from US$1.00 to US$50.00 depending on the type of card, freshness of the data and credit status of the victim.
confirming that the charges are indeed fraudulent. If the physical card is not lost or stolen, but rather just the credit card account number itself is stolen, then Federal Law guarantees card holders have zero liability to the credit card issuer.
The liability for the fraud is determined by the details of the transaction. If the merchant retrieved all the necessary pieces of information and followed all of the rules and regulations the financial institution would bear the liability for the fraud. If the merchant did not get all of the necessary information they would be required to return the funds to the financial institution. This is all determined through the credit card processory.
High-risk industries such as online shops anticipate losses and spread them over the prices that are paid by honest buyers. The FBI's Financial Report to the Public in 2007 estimated such losses to be $52.6 billion that are borne by 9.91 million US consumers. Recently several attempts have been made to amend the legislation to protect cardholders and merchants from fraud, but credit card companies are heavily resistant to such initiatives.
(amended 2006). This provides a number of protections and requirements.
Any misuse of the card, unless deliberately criminal on the part of the cardholder, must be refunded by the merchant or card issuer.
Distance Selling Regulations require goods ordered by telephone, Internet or mail order to be delivered to the cardholder's address. There is also a 7-day "cooling off period" where they can be returned without charge. The aim is more to protect people from mis-selling, but it also helps protect against fraud.
. This requires consumers to add additional information to confirm a transaction.
Often enough online merchants do not take adequate measures to protect their websites from fraud attacks, for example by being blind to sequencing. In contrast to more automated product transactions, a clerk overseeing "card present" authorization requests must approve the customer's removal of the goods from the premise in real time.
Credit card merchant associations, like Visa and MasterCard
, receive profits from transaction fees, charging between 0% and 3.25% of the purchase price plus a per transaction fee of between 0.00 USD and 40.00 USD. Cash costs more to bank up, so it is worthwhile for merchants to take cards. Issuers are thus motivated to pursue policies which increase the money transferred by their systems. Many merchants believe this pursuit of revenue reduces the incentive for credit card issuers to adopt procedures to reduce crime, particularly because the cost of investigating a fraud is usually higher than the cost of just writing it off. But in the US and Australia credit card issuers do not take these costs; they are passed on to the merchants as "chargebacks". This can results in substantial additional costs: not only has the merchant been defrauded for the amount of the transaction, he is also obliged to pay the chargeback fee, and to add insult to injury the transaction fees still stand.
Merchants have started to request changes in state and federal laws to protect themselves and their consumers from fraud, but the credit card industry has opposed many of the requests. In many cases, merchants have little ability to fight fraud, and must simply accept a proportion of fraud as a cost of doing business.
Because all card-accepting merchants and card-carrying customers are bound by civil contract law there are few criminal laws covering the fraud. Payment transfer associations enact changes to regulations, and the three parties— the issuer, the consumer, and the merchant— are all generally bound to the conditions, by a self-acceptance term in the contract that it can be changed.
which allows the call center agent to collect the credit card number and other personally identifiable information
without ever seeing or hearing it. This greatly reduces the probability of chargebacks and increases the likelihood that fraudulent chargebacks will be successfully overturned.
exposed data from more than 45.6 million credit cards. Albert Gonzalez
is accused of being the ringleader of the group responsible for the thefts.
In August 2009 Gonzalez was also indicted for the biggest known credit card theft to date — information from more than 130 million credit and debit cards was stolen at Heartland Payment Systems
, retailers 7-Eleven
and Hannaford Brothers, and two unidentified companies.
By merchants:
By card issuers:
By Governmental and Regulatory Bodies:
By cardholders:
Additional technological features:
Theft
In common usage, theft is the illegal taking of another person's property without that person's permission or consent. The word is also used as an informal shorthand term for some crimes against property, such as burglary, embezzlement, larceny, looting, robbery, shoplifting and fraud...
and fraud
Fraud
In criminal law, a fraud is an intentional deception made for personal gain or to damage another individual; the related adjective is fraudulent. The specific legal definition varies by legal jurisdiction. Fraud is a crime, and also a civil law violation...
committed using a credit card
Credit card
A credit card is a small plastic card issued to users as a system of payment. It allows its holder to buy goods and services based on the holder's promise to pay for these goods and services...
or any similar payment mechanism as a fraudulent source of funds in a transaction. The purpose may be to obtain goods without paying, or to obtain unauthorized funds from an account. Credit card fraud is also an adjunct to identity theft
Identity theft
Identity theft is a form of stealing another person's identity in which someone pretends to be someone else by assuming that person's identity, typically in order to access resources or obtain credit and other benefits in that person's name...
. According to the Federal Trade Commission, while identity theft had been holding steady for the last few years, it saw a 21 percent increase in 2008. However, credit card fraud, that crime which most people associate with ID theft, decreased as a percentage of all ID theft complaints for the sixth year in a row.
The cost of card fraud in 2006 were 7 cents per 100 dollars worth of transactions (7 basis point
Basis point
A basis point is a unit equal to 1/100 of a percentage point or one part per ten thousand...
s). Due to the high volume of transactions this translates to billions of dollars. In 2006, fraud in the United Kingdom alone was estimated at £535 million, or US$750–830 million at prevailing 2006 exchange rates.
Origins
The fraud begins with either the theft of the physical card or the compromise of data associated with the account, including the card account number or other information that would routinely and necessarily be available to a merchant during a legitimate transaction. The compromise can occur by many common routes and can usually be conducted without tipping off the card holder, the merchant or the issuer, at least until the account is ultimately used for fraud. A simple example is that of a store clerk copying sales receipts for later use. The rapid growth of credit card use on the Internet has made database security lapses particularly costly; in some cases, millions of accounts have been compromised.Stolen cards can be reported quickly by cardholders, but a compromised account can be hoarded by a thief for weeks or months before any fraudulent use, making it difficult to identify the source of the compromise. The cardholder may not discover fraudulent use until receiving a billing statement, which may be delivered infrequently. That is why cardholders need to check their account daily to ensure constant awareness in case there is any suspicious, unknown transactions or activities.
Stolen cards
When a credit card is lost or stolen, it remains usable until the holder notifies the issuer that the card is lost. Most issuers have free 24-hour telephone numbers to encourage prompt reporting. Still, it is possible for a thief to make unauthorized purchases on a card until it is canceled. Without other security measures, a thief could potentially purchase thousands of dollars in merchandise or services before the cardholder or the card issuer realize that the card is in the wrong hands.The only common security measure on all cards is a signature panel, but signatures are relatively easy to forge. Some merchants will demand to see a picture ID, such as a driver's license, to verify the identity of the purchaser, and some credit cards include the holder's picture on the card itself. However, the card holder has a right to refuse to show additional verification, and asking for such verification is usually a violation of the merchant's agreement with the credit card companies. Self-serve payment systems (gas stations
Pay at the pump
Pay at the pump is a system used at some filling stations where customers can pay for their fuel by inserting a credit or debit card into a slot on the pump, bypassing the requirement to make the transaction with the station attendant or to walk away from one's vehicle.The system was introduced in...
, kiosks, etc.) are common targets for stolen cards, as there is no way to verify the card holder's identity.
A common countermeasure is to require the user to key in some identifying information, such as the user's ZIP or postal code. This method may deter casual theft of a card found alone, but if the card holder's wallet is stolen, it may be trivial for the thief to deduce the information by looking at other items in the wallet. For instance, a U.S. driver license commonly has the holder's home address and ZIP code printed on it. Visa Inc. offers merchants lower rates on transactions if the customer provides a zip code.
In Europe, most cards are equipped with an EMV
EMV
EMV stands for Europay, MasterCard and VISA, a global standard for inter-operation of integrated circuit cards and IC card capable point of sale terminals and automated teller machines , for authenticating credit and debit card transactions.It is a joint effort between Europay, MasterCard and...
chip which requires a 4 digit PIN to be entered in to the merchants terminal before payment will be authorised. However, a PIN isn't required for online transactions.
Requiring a customer's ZIP code is illegal in California, where the state's 1971 law prohibits merchants from requesting or requiring a card-holder's "personal identification information" as a condition of accepting the card for payment. The California Supreme Court has ruled that the ZIP code qualifies as personal identification information because it is part of the cardholder's address. Companies face fines of $250–1000 for each violation. Requiring a "personal identification number" (PIN) may also be a violation.
Card issuers have several countermeasures, including sophisticated software that can, prior to an authorized transaction, estimate the probability of fraud. For example, a large transaction occurring a great distance from the cardholder's home might seem suspicious. The merchant may be instructed to call the card issuer for verification, or to decline the transaction, or even to hold the card and refuse to return it to the customer. The customer must contact the issuer and prove who they are to get their card back (if it is not fraud and they are actually buying a product).
Compromised accounts
Card account information is stored in a number of formats. Account numbers – formally the Primary Account Number (PAN) – are often embossed or imprinted on the card, and a magnetic stripe on the back contains the data in machine readable format. Fields can vary, but the most common include:- Name of card holder
- Account number
- Expiration date
- Verification/CVV codeCard security codeThe card security code , sometimes called Card Verification Data , Card Verification Value , Card Verification Value Code , Card Verification Code , Verification Code , or Card Code Verification are different terms for security features for credit or debit card...
Card not present transaction
The mail and the Internet are major routes for fraud against merchants who sell and ship products, and affects legitimate mail-order and Internet merchants. If the card is not physically present (called CNP, card not present) the merchant must rely on the holder (or someone purporting to be so) presenting the information indirectly, whether by mail, telephone or over the Internet. While there are safeguards to this, it is still more risky than presenting in person, and indeed card issuers tend to charge a greater transaction rate for CNP, because of the greater risk.It is difficult for a merchant to verify that the actual cardholder is indeed authorising the purchase. Shipping companies can guarantee delivery to a location, but they are not required to check identification and they are usually not involved in processing payments for the merchandise. A common recent preventive measure for merchants is to allow shipment only to an address approved by the cardholder, and merchant banking systems offer simple methods of verifying this information. Before this and similar countermeasures were introduced, mail order carding was rampant as early as 1992. A carder would obtain the credit card information for a local resident and then intercept delivery of the illegitimately purchased merchandise at the shipping address, often by staking out the porch of the residence.
Small transactions generally undergo less scrutiny, and are less likely to be investigated by either the card issuer or the merchant. CNP merchants must take extra precaution against fraud exposure and associated losses, and they pay higher rates for the privilege of accepting cards. Fraudsters bet on the fact that many fraud prevention features are not used for small transactions.
Merchant associations have developed some prevention measures, such as single use card numbers, but these have not met with much success. Customers expect to be able to use their credit card without any hassles, and have little incentive to pursue additional security due to laws limiting customer liability in the event of fraud. Merchants can implement these prevention measures but risk losing business if the customer chooses not to use the measures.
Identity theft
Identity theft can be divided into two broad categories: Application fraud and account takeover.Application fraud
Application fraud happens when a criminal uses stolen or fake documents to open an account in someone else's name. Criminals may try to steal documents such as utility bills and bank statements to build up useful personal information. Or they may create counterfeit documents.Account takeover
Account takeover happens when a criminal tries to take over another person's account, first by gathering information about the intended victim, and then contacting their card issuer while impersonating the genuine cardholder, and asking for mail to be redirected to a new address. The criminal then reports the card lost and asks for a replacement to be sent.Some merchants added a new practice to protect their consumers and their own reputation, where they ask the buyer to send a photocopy of the physical card and statement to ensure the legitimate usage of a card.
Skimming
Skimming is the theft of credit card information used in an otherwise legitimate transaction. It is typically an "inside job" by a dishonest employee of a legitimate merchant. The thief can procure a victim's credit card number using basic methods such as photocopying receipts or more advanced methods such as using a small electronic device (skimmer) to swipe and store hundreds of victims’ credit card numbers. Common scenarios for skimming are restaurants or bars where the skimmer has possession of the victim's credit card out of their immediate view. The thief may also use a small keypad to unobtrusively transcribe the 3 or 4 digit Card Security CodeCard security code
The card security code , sometimes called Card Verification Data , Card Verification Value , Card Verification Value Code , Card Verification Code , Verification Code , or Card Code Verification are different terms for security features for credit or debit card...
which is not present on the magnetic strip. Call centers are another area where skimming can easily occur.
Instances of skimming have been reported where the perpetrator has put a device over the card slot of an ATM (automated teller machine
Automated teller machine
An automated teller machine or automatic teller machine, also known as a Cashpoint , cash machine or sometimes a hole in the wall in British English, is a computerised telecommunications device that provides the clients of a financial institution with access to financial transactions in a public...
), which reads the magnetic strip as the user unknowingly passes their card through it. These devices are often used in conjunction with a miniature camera (inconspicuously attached to the ATM) to read the user's PIN
Personal identification number
A personal identification number is a secret numeric password shared between a user and a system that can be used to authenticate the user to the system. Typically, the user is required to provide a non-confidential user identifier or token and a confidential PIN to gain access to the system...
at the same time. This method is being used very frequently in many parts of the world, including South America, Argentina Europe, the Netherlands. Another technique used is a keypad overlay that matches up with the buttons of the legitimate keypad below it and presses them when operated, but records or transmits the keylog of the PIN entered by wireless. The device or group of devices illicitly installed on an ATM are also colloquially known as a "skimmer". Recently-made ATMs now often run a picture of what the slot and keypad are supposed to look like as a background, so that consumers can identify foreign devices attached.
Skimming is difficult for the typical cardholder to detect, but given a large enough sample, it is fairly easy for the card issuer to detect. The issuer collects a list of all the cardholders who have complained about fraudulent transactions, and then uses data mining
Data mining
Data mining , a relatively young and interdisciplinary field of computer science is the process of discovering new patterns from large data sets involving methods at the intersection of artificial intelligence, machine learning, statistics and database systems...
to discover relationships among them and the merchants they use. For example, if many of the cardholders use a particular merchant, that merchant can be directly investigated. Sophisticated algorithms can also search for patterns of fraud. Merchants must ensure the physical security of their terminals, and penalties for merchants can be severe if they are compromised, ranging from large fines by the issuer to complete exclusion from the system, which can be a death blow to businesses such as restaurants where credit card transactions are the norm.
Carding
Carding is a term used for a process to verify the validity of stolen card data. The thief presents the card information on a website that has real-time transaction processing. If the card is processed successfully, the thief knows that the card is still good. The specific item purchased is immaterial, and the thief does not need to purchase an actual product; a web site subscription or charitable donation would be sufficient. The purchase is usually for a small monetary amount, both to avoid using the card's credit limit, and also to avoid attracting the card issuer's attention. A website known to be susceptible to carding is known as a cardable website.In the past, carders used computer programs called "generators" to produce a sequence of credit card numbers, and then test them to see which were valid accounts. Another variation would be to take false card numbers to a location that does not immediately process card numbers, such as a trade show or special event. However, this process is no longer viable due to widespread requirement by internet credit card processing systems for additional data such as the billing address, the 3 to 4 digit Card Security Code
Card security code
The card security code , sometimes called Card Verification Data , Card Verification Value , Card Verification Value Code , Card Verification Code , Verification Code , or Card Code Verification are different terms for security features for credit or debit card...
and/or the card's expiration date, as well as the more prevalent use of wireless card scanners that can process transactions right away. Nowadays, carding is more typically used to verify credit card data obtained directly from the victims by skimming or phishing
Phishing
Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT...
.
A set of credit card details that has been verified in this way is known in fraud circles as a phish
Phishing
Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT...
. A carder will typically sell data files of the phish to other individuals who will carry out the actual fraud. Market price for a phish ranges from US$1.00 to US$50.00 depending on the type of card, freshness of the data and credit status of the victim.
BIN attack
Credit cards are produced in BIN ranges. Where an issuer does not use random generation of the card number, it is possible for an attacker to obtain one good card number and generate valid card numbers by changing the last four numbers using a generator. The expiry date of these cards would most likely be the same as the good card.Fraudulent Charge-Back schemes
There is a class of email spam (usually sent to commercial / corporate email addresses) where the spammer makes an offer to purchase goods (usually not specifically identified) from a vendor. In the email, the spammer makes it clear that they intend to pay for the goods using a credit card. The spammer provides the shipping address for the goods, and requests a product and price-list from the vendor in the initial email. It has been speculated that this is some form of charge-back scheme, whereby the spammer is using a valid credit card but intends to request a charge-back to reverse the charge while at the same time retaining the goods that were shipped to them.Cardholder liability
In the US, federal law limits the liability of card holders to $50 in the event of theft of the actual credit card, regardless of the amount charged on the card, if reported within 60 days of receiving the statement. In practice many issuers will waive this small payment and simply remove the fraudulent charges from the customer's account if the customer signs an affidavitAffidavit
An affidavit is a written sworn statement of fact voluntarily made by an affiant or deponent under an oath or affirmation administered by a person authorized to do so by law. Such statement is witnessed as to the authenticity of the affiant's signature by a taker of oaths, such as a notary public...
confirming that the charges are indeed fraudulent. If the physical card is not lost or stolen, but rather just the credit card account number itself is stolen, then Federal Law guarantees card holders have zero liability to the credit card issuer.
Merchants
The merchants and the financial institutions bear the loss. The merchant loses the value of any goods or services sold, and any associated fees. If the financial institution does not have a chargeback right then the financial institution bears the loss and the merchant does not suffer at all. These losses incline merchants to be cautious and often they ban legitimate transactions and lose potential revenues. Online merchants can choose to apply for additional services that credit card companies offer, such as Verified by Visa and MasterCard SecureCode. However, these are fiddly for consumers so there is a trade-off of making a sale easy and making it secure.The liability for the fraud is determined by the details of the transaction. If the merchant retrieved all the necessary pieces of information and followed all of the rules and regulations the financial institution would bear the liability for the fraud. If the merchant did not get all of the necessary information they would be required to return the funds to the financial institution. This is all determined through the credit card processory.
High-risk industries such as online shops anticipate losses and spread them over the prices that are paid by honest buyers. The FBI's Financial Report to the Public in 2007 estimated such losses to be $52.6 billion that are borne by 9.91 million US consumers. Recently several attempts have been made to amend the legislation to protect cardholders and merchants from fraud, but credit card companies are heavily resistant to such initiatives.
United Kingdom
In the UK, credit cards are regulated by the Consumer Credit Act 1974Consumer Credit Act 1974
The Consumer Credit Act 1974 is an Act of the Parliament of the United Kingdom that significantly reformed the law relating to consumer credit within the United Kingdom....
(amended 2006). This provides a number of protections and requirements.
Any misuse of the card, unless deliberately criminal on the part of the cardholder, must be refunded by the merchant or card issuer.
Distance Selling Regulations require goods ordered by telephone, Internet or mail order to be delivered to the cardholder's address. There is also a 7-day "cooling off period" where they can be returned without charge. The aim is more to protect people from mis-selling, but it also helps protect against fraud.
Credit card companies
To prevent being "charged back" for fraud transactions merchants can sign up for services offered by Visa and MasterCard called Verified by Visa and MasterCard SecureCode, under the umbrella term 3-D Secure3-D Secure
3-D Secure is an XML-based protocol designed to be an added layer of security for online credit and debit card transactions. It was developed by Visa with the intention of improving the security of Internet payments and offered to customers as the Verified by Visa service...
. This requires consumers to add additional information to confirm a transaction.
Often enough online merchants do not take adequate measures to protect their websites from fraud attacks, for example by being blind to sequencing. In contrast to more automated product transactions, a clerk overseeing "card present" authorization requests must approve the customer's removal of the goods from the premise in real time.
Credit card merchant associations, like Visa and MasterCard
MasterCard
Mastercard Incorporated or MasterCard Worldwide is an American multinational financial services corporation with its headquarters in the MasterCard International Global Headquarters, Purchase, Harrison, New York, United States...
, receive profits from transaction fees, charging between 0% and 3.25% of the purchase price plus a per transaction fee of between 0.00 USD and 40.00 USD. Cash costs more to bank up, so it is worthwhile for merchants to take cards. Issuers are thus motivated to pursue policies which increase the money transferred by their systems. Many merchants believe this pursuit of revenue reduces the incentive for credit card issuers to adopt procedures to reduce crime, particularly because the cost of investigating a fraud is usually higher than the cost of just writing it off. But in the US and Australia credit card issuers do not take these costs; they are passed on to the merchants as "chargebacks". This can results in substantial additional costs: not only has the merchant been defrauded for the amount of the transaction, he is also obliged to pay the chargeback fee, and to add insult to injury the transaction fees still stand.
Merchants have started to request changes in state and federal laws to protect themselves and their consumers from fraud, but the credit card industry has opposed many of the requests. In many cases, merchants have little ability to fight fraud, and must simply accept a proportion of fraud as a cost of doing business.
Because all card-accepting merchants and card-carrying customers are bound by civil contract law there are few criminal laws covering the fraud. Payment transfer associations enact changes to regulations, and the three parties— the issuer, the consumer, and the merchant— are all generally bound to the conditions, by a self-acceptance term in the contract that it can be changed.
Merchants
The merchant loses the goods or services sold, the payment, the fees for processing the payment, any currency conversion commissions, and the amount of the chargeback penalty. For obvious reasons, many merchants take steps to avoid chargebacks—such as not accepting suspicious transactions. This may spawn collateral damage, where the merchant additionally loses legitimate sales by incorrectly blocking legitimate transactions. Mail Order/Telephone Order (MOTO) merchants are implementing Agent-assisted automationAgent-assisted automation
Agent-assisted automation is a type of call center technology that automates elements of 1) what the call center agent does with their desktop tools and/or 2) says to customers during the call...
which allows the call center agent to collect the credit card number and other personally identifiable information
Personally identifiable information
Personally Identifiable Information , as used in information security, is information that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual...
without ever seeing or hearing it. This greatly reduces the probability of chargebacks and increases the likelihood that fraudulent chargebacks will be successfully overturned.
Famous credit fraud attacks
Between July 2005 and mid-January 2007, a breach of systems at TJX CompaniesTJX Companies
The TJX Companies, Incorporated , is the largest international apparel and home fashions off-price department store chain in the United States. Based in Framingham, Massachusetts, the company originally evolved from the Zayre discount department store chain, founded in 1956, which opened its first...
exposed data from more than 45.6 million credit cards. Albert Gonzalez
Albert Gonzalez
Albert Gonzalez is a computer hacker and computer criminal who is accused of masterminding the combined credit card theft and subsequent reselling of more than 170 million card and ATM numbers from 2005 through 2007—the biggest such fraud in history.Gonzalez and his accomplices used SQL injection...
is accused of being the ringleader of the group responsible for the thefts.
In August 2009 Gonzalez was also indicted for the biggest known credit card theft to date — information from more than 130 million credit and debit cards was stolen at Heartland Payment Systems
Heartland Payment Systems
Heartland Payment Systems, Inc. provides debit, prepaid, and credit card processing, online payments, check processing, payroll services and a growing line of industry solutions for small to mid-sized merchants. Heartland Payment Systems is currently the fifth largest credit card processor in the...
, retailers 7-Eleven
7-Eleven
7-Eleven is part of an international chain of convenience stores, operating under Seven-Eleven Japan Co. Ltd, which in turn is owned by Seven & I Holdings Co...
and Hannaford Brothers, and two unidentified companies.
Countermeasures
Countermeasures to combat credit card fraud include the following.By merchants:
- PAN truncationPAN truncationPAN truncation is an anti-fraud measure available on some credit-card-processing POS terminals as part of a merchant account service."PAN" is an acronym for Primary Account Number, i.e., the "card number" on either a debit or a credit card...
– not displaying the full number on receipts - Tokenization (data security)Tokenization (data security)Tokenization is the process of replacing some piece of sensitive data with a value that is not considered sensitive in the context of the environment that consumes the token and the original sensitive data...
– not storing the full number in computer systems - Requesting additional information, such as a PIN, ZIP code, or Card Security CodeCard security codeThe card security code , sometimes called Card Verification Data , Card Verification Value , Card Verification Value Code , Card Verification Code , Verification Code , or Card Code Verification are different terms for security features for credit or debit card...
By card issuers:
- Fraud detection and prevention software that analyzes patterns of normal and unusual behavior as well as individual transactions in order to flag likely fraud. Profiles include such information as IP address
- Fraud detection and response business processes such as:
- Contacting the cardholder to request verification
- Placing preventative controls/holds on accounts which may have been victimized
- Blocking card until transactions are verified by cardholder
- Investigating fraudulent activity
- Strong Authentication measures such as:
- Multi-factor AuthenticationMulti-factor authenticationMulti-factor authentication, sometimes called strong authentication, is an extension of two-factor authentication. This is the Defense in depth approach of "Security In Layers" applied to authentication. While two-factor authentication only involves exactly two factors, multi-factor...
, verifying that the account is being accessed by the cardholder through requirement of additional information such as account number, PIN, ZIP, challenge questionsChallenge-response authenticationIn computer security, challenge-response authentication is a family of protocols in which one party presents a question and another party must provide a valid answer to be authenticated.... - Out-of-band Authentication, verifying that the transaction is being done by the cardholder through a "known" or "trusted" communication channel such as text message, phone call, or security token deviceSecurity tokenA security token may be a physical device that an authorized user of computer services is given to ease authentication...
- Industry collaboration and information sharing about known fraudsters and emerging threat vectors
By Governmental and Regulatory Bodies:
- Enacting consumer protection laws related to card fraud
- Performing regular examinations and risk assessments of credit card issuers
- Publishing standards, guidance, and guidelines for protecting cardholder information and monitoring for fraudulent activity
By cardholders:
- Reporting lost or stolen cards
- Reviewing charges regularly and reporting unauthorized transactions immediately
- Installing virus protection software on personal computers
- Using caution when using credit cards for online purchases, especially on non-trusted websites
- Keeping a record of account numbers, their expiration dates, and the phone number and address of each company in a secure place.
Additional technological features:
- EMVEMVEMV stands for Europay, MasterCard and VISA, a global standard for inter-operation of integrated circuit cards and IC card capable point of sale terminals and automated teller machines , for authenticating credit and debit card transactions.It is a joint effort between Europay, MasterCard and...
- 3-D Secure3-D Secure3-D Secure is an XML-based protocol designed to be an added layer of security for online credit and debit card transactions. It was developed by Visa with the intention of improving the security of Internet payments and offered to customers as the Verified by Visa service...
See also
- Chargeback insuranceChargeback insuranceChargeback insurance refers to insurance coverage protects merchants who accepts credit cards. The coverage protects the merchant against fraud in a transaction where the use of the credit card was unauthorized, and covers claims arising out of the merchant’s liability to the service bank.This...
- Credit card hijackingCredit card hijackingCredit card hijacking is a form of credit card fraud and the term is used when a person’s credit card is used by some unauthorized person to buy goods or services...
- Financial crimesFinancial crimesFinancial crimes are crime against property, involving the unlawful conversion of the ownership of property to one's own personal use and benefit...
- Friendly FraudFriendly FraudFriendly fraud, also known as friendly fraud chargeback, is a credit card industry term used to describe a consumer who makes an Internet purchase with his/her own credit card and then issues a chargeback through his/her card provider after receiving the goods or services...
- Identity theftIdentity theftIdentity theft is a form of stealing another person's identity in which someone pretends to be someone else by assuming that person's identity, typically in order to access resources or obtain credit and other benefits in that person's name...
- Internet fraudInternet fraudInternet fraud refers to the use of Internet services to present fraudulent solicitations to prospective victims, to conduct fraudulent transactions, or to transmit the proceeds of fraud to financial institutions or to others connected with the scheme....
- PhishingPhishingPhishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT...
- Predictive analyticsPredictive analyticsPredictive analytics encompasses a variety of statistical techniques from modeling, machine learning, data mining and game theory that analyze current and historical facts to make predictions about future events....
- ReimbursementReimbursementReimbursement is the act of compensating someone for an expense . Often, a person is reimbursed for out-of-pocket expenses when the person incurs those expenses through employment or in an account of carrying out the duties for another party or member....
- Traffic analysisTraffic analysisTraffic analysis is the process of intercepting and examining messages in order to deduce information from patterns in communication. It can be performed even when the messages are encrypted and cannot be decrypted. In general, the greater the number of messages observed, or even intercepted and...
- White-collar crimeWhite-collar crimeWithin the field of criminology, white-collar crime has been defined by Edwin Sutherland as "a crime committed by a person of respectability and high social status in the course of his occupation" . Sutherland was a proponent of Symbolic Interactionism, and believed that criminal behavior was...
- International credit card data theft
External links
- Federal Financial Institutions Examination Council (FFIEC) IT Booklets » Information Security » Appendix C: Laws, Regulations, and Guidance
- Visa's fraud control basics for merchants
- Mastercard's merchant training support
- The Internet Crime Complaint Center (IC3) is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime CenterNational White Collar Crime CenterThe National White Collar Crime Center also known as NW3C is a congressionally funded non-profit corporation that trains state and local law enforcement agencies in how to combat emerging economic and cyber crime problems. NW3C provides information and research to the general public in the...
(NW3C). - Security and your Credit Card at Simon Fraser UniversitySimon Fraser UniversitySimon Fraser University is a Canadian public research university in British Columbia with its main campus on Burnaby Mountain in Burnaby, and satellite campuses in Vancouver and Surrey. The main campus in Burnaby, located from downtown Vancouver, was established in 1965 and has more than 34,000...
- Internet Fraud, with a section "Avoiding Credit Card Fraud", at the Federal Bureau of InvestigationFederal Bureau of InvestigationThe Federal Bureau of Investigation is an agency of the United States Department of Justice that serves as both a federal criminal investigative body and an internal intelligence agency . The FBI has investigative jurisdiction over violations of more than 200 categories of federal crime...
website - Counterfeiting and Credit Card Fraud at the Royal Canadian Mounted PoliceRoyal Canadian Mounted PoliceThe Royal Canadian Mounted Police , literally ‘Royal Gendarmerie of Canada’; colloquially known as The Mounties, and internally as ‘The Force’) is the national police force of Canada, and one of the most recognized of its kind in the world. It is unique in the world as a national, federal,...
website - Avoiding Credit and Charge Card Fraud at U.S. Federal Trade CommissionFederal Trade CommissionThe Federal Trade Commission is an independent agency of the United States government, established in 1914 by the Federal Trade Commission Act...
- Credit Card Fraud: Prevention and Cures Idaho Office of Attorney General
- US Federal Trade Commission Consumer Sentinel Network Report
- Making Business a Little Less Risky - Fraud and Risk Blog