"Credit card fraud" is a very scary term for anyone to hear. It brings to mind theft and fraud committed using a credit card for payments, with the aim of obtaining goods, services or funds. Identity theft can also be equated to credit card fraud. In the last few years, the percentage of identity theft has been steady while credit card fraud has increased by 21 percent, according to the Federal Trade Commission. People often associate credit card fraud with ID theft; however, percentages of all ID theft complaints have decreased for the sixth year in a row.
In the year 2006, for every $100 spent, $.07 was fraud. This comes to billions of dollars. In the United Kingdom, fraud was estimated at £535 million, which is equivalent to $703 million US.
It all begins
Card fraud begins with either the theft of the physical card or the theft of the data associated with the account (card number) or other information. Most thefts occur without the knowledge of the card holder, the merchant or the card issuer, until the account is used for fraud. For example: a store clerk copying sales receipts for later use. The rapid growth of credit card use on the Internet has made database security both more costly and more necessary.
A stolen card can be reported quickly by cardholders, but a stolen account can be held by a thief for weeks or months before any fraudulent use, making it difficult to identify the source of the theft. In this instance the cardholder may not discover fraudulent use until receiving a billing statement.
Once your credit card has been lost or stolen, it is still usable until you notify the credit card company. Most credit card companies have 24-hour toll-free phone numbers for reporting. It is still possible for the thief to make unauthorized purchases on your card until you have canceled it. Until then the thief could purchase thousands of dollars in merchandise or services before the cardholder or the card issuer realizes that it has been stolen.
The most common security measure on all cards is a sig pan (signature panel), but signatures can be forged or merchants don't check them. To protect themselves, merchants ask to see a picture ID to verify the identity of the purchaser. Some credit cards also include a picture of the card holder. Self-serve payment systems such as gas stations, ATMs, kiosks, etc. are common targets for stolen cards, as there is no way to verify the user's identity. A common countermeasure is to require the user to key in some identifying information, such as the user's ZIP or postal code. This method may deter casual theft of a card found alone, but if the card holder's wallet is stolen, it may be trivial for the thief to deduce the information by looking at other items in the wallet. For instance, a U.S. driver license commonly has the holder's home address and ZIP code printed on it.
Card issuers have several countermeasures, including sophisticated software that can, before a transaction is authorized, estimate the probability of fraud. For example, a large transaction occurring a great distance from the cardholder's home might seem suspicious. The merchant may be instructed to call the card issuer for verification, or to decline the transaction, or even to hold the card and refuse to return it to the customer. The customer must contact the issuer and prove who they are to get their card back (if it is not fraud and they are actually buying a product).
Card account information is stored in a number of formats. Account numbers are often embossed or imprinted on the card, and a magnetic stripe on the back contains the data in machine readable format. Fields can vary, but the most common include:
- Name of card holder
- Account number
- Expiration date
- Verification/CVV code
Card not Present
The mail and the Internet are major routes for fraud against merchants who sell and ship products, and this fraud affects legitimate mail-order and Internet merchants. If the card is not physically present (called CNP, Card Not Present), the merchant must rely on the holder (or someone purporting to be the holder) presenting the information indirectly, whether by mail, telephone or over the Internet. While there are safeguards for this, it is still riskier than presenting the card in person, and indeed card issuers tend to charge a greater transaction rate for CNP because of the greater risk. To many people's surprise, telephone ordering is the most risky, far more risky than the Internet.
It is difficult for a merchant to verify that the actual cardholder is indeed authorizing the purchase. Shipping companies can guarantee delivery to a location, but they are not required to check identification and they are usually not involved in processing payments for the merchandise. A common recent preventive measure for merchants is to allow shipment only to an address approved by the cardholder, and merchant banking systems offer simple methods of verifying this information. Before this and similar methods were introduced, mail order carding was rampant as early as 1992, using a method in which the carder obtains the credit card information for a local resident and intercepts expensive computer equipment he ordered using the stolen card and shipped to the address, often by staking out the porch of the residence.
Small transactions generally undergo less scrutiny, and are less likely to be investigated by either the card issuer or the merchant. CNP merchants must take extra precaution against fraud exposure and associated losses, and they pay higher rates for the privilege of accepting cards. Fraudsters bet on the fact that many fraud prevention features are not used for small transactions.
Merchant associations have developed some prevention measures, such as single use card numbers, but these have not met with much success. Customers expect to be able to use their credit card without any hassles, and have little incentive to pursue additional security due to laws limiting customer liability in the event of fraud. Merchants can implement these prevention measures but risk losing business if the customer chooses not to use the measures.
Identity theft can be divided into two broad categories: Application fraud and account takeover.
Application fraud happens when a criminal uses stolen or fake documents to open an account in someone else's name. Criminals may try to steal documents such as utility bills and bank statements to build up useful personal information. Or they may create counterfeit documents.
Account takeover happens when a criminal tries to take over another person's account, first by gathering information about the intended victim, then contacting their card issuer masquerading as the genuine cardholder, and asking for mail to be redirected to a new address. The criminal then reports the card lost and asks for a replacement to be sent.
Some merchants added a new practice to protect their consumers and their own reputation, where they ask the buyer to send a photocopy of the physical card and statement to ensure the legitimate usage of a card.
Electronic-type credit card skimming
Skimming is the theft of credit card information used in an otherwise legitimate transaction. It is typically an "inside job" by a dishonest employee of a legitimate merchant. The thief can procure a victim's credit card number using basic methods such as photocopying receipts or more advanced methods such as using a small electronic device (skimmer) to swipe and store hundreds of victims' credit card numbers. Common scenarios for skimming are restaurants or bars where the skimmer has possession of the victim's credit card out of their immediate view. The thief may also use a small keypad to unobtrusively transcribe the 3- or 4-digit Card Security Code, which is not present on the magnetic strip.
Instances of skimming have been reported where the perpetrator has put a device over the card slot of an ATM (automated teller machine), which reads the magnetic strip as the user unknowingly passes their card through it. These devices are often used in conjunction with a pinhole camera to read the user's PIN at the same time.
Skimming is difficult for the typical cardholder to detect, but given a large enough sample, it is fairly easy for the card issuer to detect. The issuer collects a list of all the cardholders who have complained about fraudulent transactions, and then uses data mining to discover relationships among them and the merchants they use. For example, if many of the cardholders use a particular merchant, that merchant can be directly investigated. Sophisticated algorithms can also search for patterns of fraud. Merchants must ensure the physical security of their terminals, and penalties for merchants can be severe if they are compromised, ranging from large fines by the issuer to complete exclusion from the system, which can be a death blow to businesses such as restaurants where credit card transactions are the norm.
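The issuer-side analysis described above is often called common-point-of-purchase analysis. The following sketch is an added example, not code from any issuer; the card tokens, merchant names and thresholds are constructed assumptions. It ranks merchants by how over-represented they are among cards with fraud complaints.

```python
from collections import defaultdict

# Constructed sample: card token -> merchants used during the look-back period.
HISTORY = {
    "c01": {"Bistro 9", "GasCo", "BookBarn"},
    "c02": {"Bistro 9", "GasCo", "Cafe Uno"},
    "c03": {"Bistro 9", "GasCo", "Cafe Uno"},
    "c04": {"Bistro 9", "GasCo"},
    "c05": {"Bistro 9", "GasCo"},
    "c06": {"GasCo", "BookBarn"},
    "c07": {"GasCo", "BookBarn"},
    "c08": {"GasCo", "Cafe Uno"},
    "c09": {"GasCo", "Cafe Uno"},
    "c10": {"GasCo", "Cafe Uno"},
}
# Constructed sample: cards whose holders complained about fraudulent charges.
COMPLAINTS = {"c01", "c02", "c03", "c04"}

def common_points_of_purchase(history, complaints, min_cards=3, min_lift=1.5):
    """Return (merchant, complaint cards, all cards, lift), highest lift first.

    Lift is the complaint rate among a merchant's cards divided by the
    complaint rate across the whole portfolio. A merchant everyone uses
    (GasCo here) has lift near 1 and is not flagged.
    """
    reported = complaints & history.keys()
    if not reported:
        return []
    cards_at = defaultdict(set)
    for card, merchants in history.items():
        for merchant in merchants:
            cards_at[merchant].add(card)
    findings = []
    for merchant, cards in cards_at.items():
        hits = len(cards & reported)
        if hits < min_cards:          # too few complaints to mean anything
            continue
        lift = (hits * len(history)) / (len(cards) * len(reported))
        if lift >= min_lift:
            findings.append((merchant, hits, len(cards), round(lift, 2)))
    return sorted(findings, key=lambda f: (-f[3], -f[1]))

if __name__ == "__main__":
    for row in common_points_of_purchase(HISTORY, COMPLAINTS):
        print(row)
```

A flagged merchant is a lead for investigation, not proof: the lift only shows that the complaining cardholders share that merchant more often than chance would suggest.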
Carding is a term used for a process to verify the validity of stolen card data. The thief presents the card information on a website that has real-time transaction processing. If the card is processed successfully, the thief knows that the card is still good. The specific item purchased is immaterial, and the thief does not need to purchase an actual product; a Web site subscription or charitable donation would be sufficient. The purchase is usually for a small monetary amount, both to avoid using the card's credit limit, and also to avoid attracting the card issuer's attention. A website known to be susceptible to carding is known as a cardable website.
In the past, carders used computer programs called "generators" to produce a sequence of credit card numbers, and then tested them to see which were valid accounts. Another variation would be to take false card numbers to a location that does not immediately process card numbers, such as a trade show or special event. However, this process is no longer viable due to the widespread requirement by internet credit card processing systems for additional data such as the billing address, the 3 to 4 digit Card Security Code and/or the card's expiration date, as well as the more prevalent use of wireless card scanners that can process transactions right away. Nowadays, carding is more typically used to verify credit card data obtained directly from the victims by skimming or phishing.
A set of credit card details that has been verified in this way is known in fraud circles as a phish. A carder will typically sell data files of the phish to other individuals who will carry out the actual fraud. Market price for a phish ranges from US$1.00 to US$50.00 depending on the type of card, freshness of the data and credit status of the victim.
Profits, losses and punishment
Who pays for credit card fraud? In the US the short answer is the merchant; in other countries it is the card issuer, and in others the cardholder.
But even if the cardholder does not lose money, the inconvenience can be quite costly and tiring. And credit card companies have to pay for preventing fraud while maintaining a good customer experience.
Credit card companies like Visa and MasterCard receive revenue from every transaction, typically 2% to 4% depending on the payment method. They are therefore motivated to increase the total volume of transactions, and consequently pursue policies that increase the number of transactions. This creates a conflict of interest for the credit card companies. On one hand they are obliged to fight credit card fraud, but on the other hand policies against credit fraud may impose certain restrictions that may negatively affect the number of transactions and the cumulative transaction volume. Besides, fraud investigation costs tend to be higher than the costs of a write-off.
In the US, federal law limits the liability of card holders to $50 in the event of theft of the actual credit card, regardless of the amount charged on the card. In practice many issuers will waive this small payment and simply remove the fraudulent charges from the customer's account if the customer signs an affidavit confirming that the charges are indeed fraudulent. If the physical card is not lost or stolen, but rather just the credit card account number itself is stolen, then Federal Law guarantees card holders have zero liability to the credit card issuer.
The merchant bears the loss. The merchant loses the value of any goods or services sold, and any associated fees. These losses incline merchants to be cautious, and often they ban legitimate transactions and lose potential revenues. Online merchants can choose to apply for additional services that credit card companies offer, such as Verified by Visa and MasterCard Secure Code. However, these are fiddly for consumers, so there is a trade-off between making a sale easy and making it secure.
The liability for fraud lies on the merchant, not the credit card company. The merchant must pay the full cost of the fraud plus a chargeback fee (unless the merchant's chargeback insurance covers it).
Current legislation is extremely hurtful to merchants, since in most cases they cannot protect themselves from credit fraud and have to accept losses as just part of doing business. High-risk industries such as online shops anticipate losses and spread them over the prices that are paid by honest buyers. The FBI's Financial Report to the Public in 2007 estimated such losses to be $52.6 billion that are borne by 9.91 million US consumers. Recently several attempts have been made to amend the legislation to protect cardholders and merchants from fraud, but credit card companies are heavily resistant to such initiatives.
Detection and Punishment
In the US, people that commit credit card crime largely go unpunished and repeatedly victimize consumers and businesses. The Secret Service handles crimes involving the U.S. money supply; they have a limit of $150,000 before investigating each crime. Most credit card criminals know this and keep purchases from any one business below $150,000. Credit card fraud can be reported to the Federal Trade Commission (FTC) and to local and regional authorities. It is the standing policy of the FTC not to investigate reports where the value of fraud does not exceed $2,000. Local law enforcement may or may not further investigate a credit card fraud, depending on the amount, type of fraud, and where the fraud originated from.
In the UK, credit cards are regulated by the Consumer Credit Act 1974 (amended 2006). This provides a number of protections and requirements.
Both the merchant and the credit company are jointly and severally liable for the sale. If there is any fault, the cardholder can go to either. In practice, this means that most card issuers automatically provide protection against faulty sales and will chase up merchants that sell faulty goods (indeed, will remove their facility if it is habitual).
In the UK, an offered price (either standard or discounted) is an invitation to treat. There is no obligation on either side to accept the offer, or indeed give or take it at that price. Disputes can arise where an advertised price is different from the actual price charged.
Any misuse of the card, unless deliberately criminal, must be refunded by the merchant or card issuer.
Distance Selling Regulations require goods ordered by 'phone, Internet or mail order to be delivered to the cardholder's address. There is also a 7-day "cooling off period" where they can be returned without charge. The aim is more to protect people from mis-selling, but it also helps protect against fraud.
Credit card companies
To prevent being "charged back" for fraudulent transactions, merchants can sign up for services offered by Visa and MasterCard called Verified by Visa and MasterCard Secure Code. These require consumers to supply additional information to confirm a transaction.
Often enough online merchants do not take adequate measures to protect their websites from fraud attacks, for example by being blind to sequencing. In contrast to more automated product transactions, a clerk overseeing "card present" authorization requests must approve the customer's removal of the goods from the premises in real time.
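A merchant-side check for the card-testing pattern described earlier (many small charges against different cards) and for the sequencing mentioned here can run over the authorization log. This is an added example, not any processor's code; it takes "sequencing" to mean runs of near-identical card numbers, and the log layout, thresholds and card numbers are constructed assumptions.

```python
from collections import defaultdict

SMALL_AMOUNT = 5.00    # assumed ceiling for a "test-sized" charge
WINDOW_SECONDS = 600   # assumed look-back window per client
MIN_CARDS = 4          # assumed distinct-card count that triggers review

# Constructed authorization log: (epoch seconds, client id, card number,
# amount, approved). Card numbers are made-up strings, not real accounts.
ATTEMPTS = [
    (1000, "client-A", "4000000000000101", 1.00, False),
    (1030, "client-A", "4000000000000102", 1.00, False),
    (1065, "client-A", "4000000000000103", 1.00, True),
    (1090, "client-A", "4000000000000104", 1.00, False),
    (1100, "client-B", "5100000000002222", 42.50, True),
    (5000, "client-B", "5100000000002222", 3.00, True),
    (1200, "client-C", "4000000000009001", 2.00, True),
    (9000, "client-C", "4000000000007002", 2.00, True),
]

def detect_card_testing(attempts):
    """Flag clients that try many distinct cards with small charges in one window."""
    small = defaultdict(list)
    for ts, client, card, amount, approved in sorted(attempts):
        if amount <= SMALL_AMOUNT:
            small[client].append((ts, card, approved))
    alerts = {}
    for client, rows in small.items():
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans <= WINDOW_SECONDS.
            while rows[end][0] - rows[start][0] > WINDOW_SECONDS:
                start += 1
            window = rows[start:end + 1]
            cards = {card for _, card, _ in window}
            if len(cards) < MIN_CARDS:
                continue
            if client in alerts and alerts[client]["cards"] >= len(cards):
                continue  # keep the densest window already recorded
            # Sequencing: distinct cards that differ only in their last 4 digits.
            groups = defaultdict(set)
            for card in cards:
                groups[card[:-4]].add(card)
            alerts[client] = {
                "cards": len(cards),
                "sequenced": max(len(g) for g in groups.values()),
                "declines": sum(1 for _, _, ok in window if not ok),
            }
    return alerts

if __name__ == "__main__":
    print(detect_card_testing(ATTEMPTS))
```

In production the grouping key would be a BIN plus a card token rather than the full card number, since merchants should not retain full numbers in logs.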
Credit card merchant associations, like Visa and MasterCard, receive profit from transaction fees, charging between 2% and 4% on each transaction. Cash costs more to bank up, so it is worthwhile for merchants to take cards. Issuers are thus motivated to pursue policies which increase the money transferred by their systems. Many merchants believe this pursuit of revenue reduces the incentive for credit card issuers to adopt procedures to reduce crime, particularly because the cost of investigating a fraud is usually higher than the cost of just writing it off. But in the US credit card issuers do not take these costs; they are passed on to the merchants as "chargebacks". This can result in substantial additional costs: not only has the merchant been defrauded of the amount of the transaction, he is also obliged to pay the chargeback fee, and to add insult to injury the transaction fees still stand.
Merchants have started to request changes in state and federal laws to protect themselves and their consumers from fraud, but the credit card industry has opposed many of the requests. In many cases, merchants have little ability to fight fraud, and must simply accept a proportion of fraud as a cost of doing business.
Because all card-accepting merchants and card-carrying customers are bound by civil contract law, there are few criminal laws covering the fraud. Payment transfer associations enact changes to regulations, and the three parties (the issuer, the consumer, and the merchant) are all generally bound to the conditions by a self-acceptance term in the contract stating that it can be changed.
The merchant loses the goods or services sold, the payment, the fees for processing the payment, any currency conversion commissions, and the chargeback penalty. For obvious reasons, many merchants take steps to avoid chargebacks, such as not accepting suspicious transactions. This may spawn collateral damage, where the merchant additionally loses legitimate sales by incorrectly blocking legitimate transactions.
Famous credit fraud attacks
Between July 2005 and mid-January 2007 a breach at stores owned by TJX Companies exposed data from more than 45.6 million credit cards. Albert Gonzalez is accused of being the ringleader responsible for the theft.
In August 2009 Albert Gonzalez was also indicted for the biggest credit card theft to date. Information from more than 130 million credit and debit cards was stolen at Heartland Payment Systems, retailers 7-Eleven and Hannaford Brothers, and two unidentified companies.