Credit card fraud: awareness and prevention
Katherine J. Barker, Jackie D’Amato, Paul Sheridon. Journal of Financial Crime. London: 2008. Vol. 15, Iss. 4; pg. 398

Abstract (Summary)

To make readers aware of the pervasiveness of credit card fraud and how it affects credit card companies, merchants and consumers.
A range of recent publications in journals and information from internet web sites provide corroboration and details of how fraudsters are using credit cards to steal billions of dollars each year. Numerous schemes and techniques are described in addition to recommendations as to how to help control this growing type of fraud. Credit card fraud is a healthy and growing means of stealing billions of dollars from credit card companies, merchants and consumers. This paper offers current information to help understand the techniques used by fraudsters and how to avoid falling prey to them.
This fraud relies on technology currently available and the easy ability to obtain machinery to steal individual identities and account information, and to produce fraudulent credit cards. Information cited is current but could change radically as technological breakthroughs occur. The changing nature of technology also affects the recommendations made to control this fraud.

Full Text (6328 words)
Copyright Emerald Group Publishing Limited 2008

Skimming equipment: $300
Counterfeit card equipment: $5,000
Using a fake credit card: Priceless

Credit card fraud has been a world-wide problem for years. The effect of this fraud hits not only the victims, but also the credit card companies and merchants. Perpetrators of this type of fraud are successful by implementing various schemes, but only three will be discussed in great detail: skimming, counterfeit cards and phishing. To deter credit card fraud, credit card companies and merchants have put into place various programs. Physical features of the cards have become more elaborate to eliminate counterfeit cards.
Prevention programs such as the card verification code (CVC), advanced authorization, and card activation procedures have helped to decrease the effects of fraud. Merchants are also implementing programs to help deter credit card fraud. However, more steps need to be taken to prevent credit card fraud. This paper concludes with four recommendations for credit card companies, merchants and victims. If implemented, these recommendations will help to further reduce the losses caused by credit card fraud.

Identifying credit card fraud

There are alarming statistics relating to credit card fraud within the USA.
The number of victims and extent of losses continue to grow, and it has become a major concern for all consumers who are fair game for these fraudsters. Certain industries are more susceptible to fraud than others, and we discuss those industries below. The individual who falls prey to credit card fraud has a lot to lose. In many cases, it takes years to restore the damage done to an individual’s credit ruined through fraud, not to mention the unwelcome amounts of time spent to regain a good credit standing. Unsuspecting merchants become victims of fraud and suffer monetary losses as well. Fraud can occur in many ways, either through the loss of a credit card or through other fraudulent applications by the perpetrator. We also describe the perpetrators along with some characteristics common to fraudsters. The hope in this paper is to build the reader’s awareness of this growing problem and to offer insight that will help individuals and merchants avoid becoming victims of credit card fraud.

Statistics from the Association of Certified Fraud Examiners (ACFE) show that credit card fraud has reached the $1 billion mark and is growing.
By the end of 2007, it is expected to reach the $3 billion mark in the US alone (ACFE, 2007, p. 1.104). The availability of shopping over the internet has raised new concerns. Internet shopping continues to grow and there has been a 22 percent increase in spending in 2005 as compared to spending in 2004 (ACFE, 2007, p. 1.104). Total internet spending has reached $143.2 billion in 2005 and surveys have shown that about 90 percent of all internet purchases are paid online with a credit card. Fraud occurs on approximately 5 percent of all internet purchases.
What makes the internet so susceptible to fraud is the lack of face-to-face interaction with the fraudster, which allows for more anonymity and makes prevention and detection more difficult. During 2006, there were 207,492 complaints filed online with the Internet Crime Complaint Center – IC3 (2006, p. 3). During 2006, internet auction fraud was by far the most reported offense, comprising 44.9 percent of referred crime complaints. However, credit card fraud, which also includes debit card fraud, represented about 9.8 percent of the complaints received by the IC3. The median loss associated with credit and debit card fraud was $427. 0.

There are many different types of credit card schemes and applications, but one of the more simple methods involves the unauthorized use of a lost or stolen card. According to MasterCard International, while credit card fraud through the use of stolen cards comprises 22.4 percent, fraud through the use of lost cards comprises 16.4 percent. Together, they comprise 38.8 percent of all credit card fraud. Fraudulent activity normally occurs within hours of a card being lost or stolen. At times, the discovery does not even become evident until the victim receives the monthly statement and then realizes the fraudulent use or occurrence.
It is extremely important that the victim report the loss or theft of the credit card within three days of its disappearance. During this three-day period, the victim is not held responsible for any charges incurred through fraudulent activity. It is imperative that credit card users know the location of their cards at all times.

Another form of credit card fraud is commonly known as non-receipt fraud. This occurs when the credit card is stolen while in transit between the credit issuer and the authorized account holder. There was a time that this was a big problem.
In fact, cartels infiltrated the postal system and paid letter sorters and carriers “big bucks” to steal the cards before they even arrived at the mailbox. It was estimated that several groups alone in southern California were responsible for two-thirds of credit card fraud occurring in the USA (Arend, 1993, p. 91). The decline in this type of fraud can be attributed to the use of “card activation” programs whereby the cardholder must activate the card by calling the financial institution and confirming their identity and receipt of the card. Never received credit card fraud comprises 13. percent of all credit card fraud.

One other type of credit card fraud involves counterfeit credit cards, which has become one of the fastest growing types of fraud. Commonly known as “white plastic” cards, this scheme utilizes credit card-sized plastic with account numbers and names embossed on the cards. In many instances, a counterfeit crime ring will recruit waiters and waitresses from restaurants to get the necessary information from customers through the use of skimming and apply the information from the magnetic strip to the counterfeit card.
Counterfeiters have grown into large international crime rings. These counterfeiters specialize in producing the real thing through the use of counterfeit holograms, numbers, logos and magnetic strips that appear on most cards in use today. These rings base their operations out of Asia and distribute their cards throughout the USA and Canada. Producing these types of cards involves the use of embossers and laminators. The hardest part of the process involves the reproduction of the hologram. True holograms use a “lenticular refraction” (ACFE, 2007, p. 1.018) process that is fixed into the plastic of the card, while counterfeit cards use only foil with an image stamped on it. Legitimate holograms change in color when viewed from various angles, but counterfeit holograms will not change in color. Despite holograms and other physical deterrents, counterfeit credit cards have become one of the most damaging types of credit card fraud.

International boundaries are irrelevant to internet criminals. The representations described herein include the demographics of fraud perpetrators in relation to internet fraud as a whole.
The statistics may seem vague and incomplete, but they highlight the anonymous nature of the internet and the reason for concern. About 75.2 percent of perpetrators were male and over half resided in one of the following states: California, New York, Florida, Texas, Illinois, Pennsylvania, and Tennessee (IC3, 2006, p. 9). Perpetrators have also been identified as residing in the UK, Nigeria, Canada, Romania, and Italy. What is important to remember here is that a particular sketch describing perpetrators cannot be drawn, but certain characteristics or red flags that accompany a particular kind of fraud can be seen.
It is imperative that merchants become familiar with the characteristics present during fraudulent transactions since they are in contact with the perpetrator at the point-of-sale (POS). A merchant should be aware of certain details including customers who, for example, take a card from their pocket instead of a wallet or purse; sign the sales draft slowly and awkwardly; rush the merchant; or are argumentative with the merchant while waiting for the transaction to be completed. These are only a few examples, but identification of characteristics serves to aid in the prevention of credit card fraud.

Skimming
Skimming involves stealing information off a credit card during a legitimate transaction. This type of scheme usually occurs in businesses where the patron’s credit card is taken out of sight while the transaction is processed. The fraudster will swipe the card through an electronic device known as a “wedge” or skimming device, which records all information contained on the magnetic strip (ACFE, 2007, p. 1.104). The device stores the name, number, and expiration date along with an encrypted verification code. This encrypted code is used to confirm that a card is valid during a POS transaction (Shannon, 2000).
The fraudster will then sell the credit card information and a counterfeit card will be made, or he will make his own fake cards (ACFE, 2007, p. 1.104). This type of scheme is widespread in Europe, Asia and Latin America and is becoming a growing problem in the USA (Lazarony, 2002). Skimming is typically an “inside” job performed by a dishonest employee (Wikipedia, 2007). One scheme involved waiters at 40 different restaurants and involved up to $3 million of illegal purchases. The scheme was organized by leaders who recruited and managed people working as waiters in New York, Florida, New Hampshire, New Jersey and Connecticut.
The waiters were given skimming devices to record the credit card information of innocent customers. The leaders collected each of the devices and paid the waiters $35-$50 for the information from each credit card (Associated Press, 2007). The stolen information was used to make counterfeit credit cards, which were then used to make fraudulent purchases.

Wedges or skimming devices are either circuit boards or hand-held wireless units (Pereira, 2007) that are about the size of a Palm Pilot. The original skimmers were approximately the size of a book and required AC power.
A separate computer or laptop was needed to store the information. Skimmers were first discovered under gas station counters, where the fraudster could easily hide the equipment. Beginning in 1999, there was a surge of skimming schemes due to the emergence of small, hand-held devices with a memory chip that can store the information of up to 300 credit cards (Shannon, 2000). The stolen data can then be easily downloaded to a computer and e-mailed anywhere in the world (Lazarony, 2002). What is so disturbing about skimming is how easily the devices can be purchased.
There are several web sites where criminals can view side-by-side features of different types of skimmers. Some web sites are: www.tyner.com; www.incodenet.com; www.hackershomepage.com; http://bcdata.com; and www.mag-stripe.com. The prices range from $200 to $599, depending on the many features each has including storage space, size, weight, etc. At hackershomepage.com, anyone can purchase a skimmer that can also create counterfeit cards. The information on a stolen card can be decoded and new information re-coded on the same card (HackersHomePage.com, 2007). Another web site, http://camelspit.org/handyswipe/, describes how to make a skimmer for as little as $20.

Skimming devices can also be installed on certain POS terminals, which are computerized cash registers. They can easily be installed at night when the stores are closed (Pereira, 2007) by using a master key to unlock the dispenser service door and inserting a cigarette-sized device that captures the data (Reid, 2006). One example of this fraud occurred at a gas station in San Mateo, California in 2002.
One of the clerks, who was a distant relative to the owner, installed skimmers on the POS terminals. A few days after one customer used her card at the gas station, approximately $1,800 was withdrawn from her account. A total of 80 customers in all were scammed, without the knowledge of the owner. It was estimated that $200,000 in total was stolen from the victims (CBS News, 2002).

As of 2007, it is estimated that $1 billion is lost to skimming in the USA on an annual basis. The growing losses are due to the fact that it is hard to track, detect or prevent (Casey, 2004).
Skimming is hard to catch since the fraud goes unnoticed until the victim receives his credit card statement 30 or 60 days after the fraud has occurred (Shannon, 2000).

Counterfeit cards

As the fastest growing type of credit card fraud, this scheme makes up 37 percent of funds lost through credit card fraud (Spam Laws, 2005). This type of fraud occurs when the criminal steals legitimate credit card information, through skimming or other methods, and makes a fake card. The production of counterfeit cards has become easier with advances in technology.
The processes used to produce the card, along with the production of holograms, have allowed counterfeit cards to look more accurate and legitimate (ACFE, 2007, p. 1.104). The victim rarely knows they are being taken advantage of because they still have the real card in their possession. A fraudster can purchase the equipment to make counterfeit cards for about $5,000-$10,000. However, a factory in the Far East can easily and willingly make as many as 5,000 cards a night, which can then be shipped wherever the fraudster wishes (Lazarony, 2002).
A few attributes like holograms, fine-line printing and ultra-violet ink are being added to credit cards to make them more difficult to counterfeit and alter. Unfortunately, holograms are becoming easier to reproduce, making them less of a challenge for the fraudster. Fine-line printing is a repeated pattern of the card company name set as the background for the company’s logo. Ultra-violet ink is visible only under ultra-violet light and will show the credit card company’s logo (Federal Reserve Bank of San Francisco, 2007).
A crime ring in Miami performed an elaborate and lucrative scam that compromised the credit card information of about 45 million people (Washkuch, 2007). The credit card information was stolen from retailer TJX, which operates T.J. Maxx, Marshalls, HomeGoods, A.J. Wright and HomeSense in Canada and T.K. Maxx in Britain (CBS News, 2007). The stolen information was used to make counterfeit cards, which were then used to purchase Wal-Mart gift cards. Hackers broke into the system that handles credit and debit card transactions for customers in the USA and Puerto Rico during 2003 and 2006 (CBS News, 2007).
The scheme was carried out by using a “telephone-shaped antenna” and laptop. These two pieces of equipment were used to decode data moving among Marshalls store scanning devices, cash registers and PCs that were using wireless LAN connectivity. As of January 2007 almost 60 banks had been contacted by credit and debit card companies about the compromised card information (CBS News, 2007). The counterfeit cards were used to purchase many gift cards, which were then used to buy big-ticket items from Sam’s Club (Acohido and Swartz, 2007).
The amount spent on the gift cards and goods added to approximately $3 million (Washkuch, 2007) and losses from Wal-Mart and the banks issuing the credit cards totaled more than $8 million (Hines, 2007). This massive scheme caused TJX large financial losses. TJX reported a large decrease in its second quarter income from $138 million in 2006 to $59 million in the same period in 2007 (Washkuch, 2007).

In many cases, skimming and counterfeit cards go hand-in-hand.
Criminals work together, one skimming the card information and the other making the counterfeit cards with the stolen information. All it takes is a small investment and a need to beat the system, and counterfeit cards can easily be made. Because the required equipment is so inexpensive and so easy to get, counterfeit cards are going to continue to be a growing problem. Only a few states make it illegal to possess the equipment and there have not been any laws or legislation put in place against the skimming and counterfeit card devices (Merchant Account Blog, 2006).
Phishing

Phishing occurs when a web page is designed to look like a legitimate site where victims enter in personal information such as user names, passwords, and credit card details (Kenney, 2007). The fraudsters (fishermen) send out a large number of e-mails (the “bait”) directing the victims to their phony web sites. The e-mails appear to be from organizations like banks, eBay, AOL and PayPal asking the victim to enter their personal information to clear up a “problem” (MillerSmiles, 2004).
These sites are easy to set up and even if a small number of victims fall for the scheme, the fraudster can profit by stealing the victims’ identities and then stealing their money (Tonsing, 2006). Not only do these scams hurt the victims, they also hurt internet businesses by causing customers to lose trust in online transactions, thinking they may become a victim of fraud (Drake et al., 2007). Some phishing e-mails look very real and professional (MillerSmiles, 2004). For these e-mails to trick the victims, fraudsters spend time to ensure they appear legitimate.
They target a reputable company that the victim is comfortable with and will use the legitimate company’s branding image, using their logos, fonts and color schemes (Drake et al., 2007). The most common phishing e-mail will tell the victim there is a problem with his account, which needs verification so that the account will stay open (MillerSmiles, 2004). The e-mails could also claim that there has been fraudulent activity with the account, which needs to be confirmed. This is just one way that the fraudster uses the victim’s fear of fraud to defraud them (Drake et al., 2007). The victim is asked to either enter in their information or click on a link to the web site. The web site is also a phony, but will look professional (MillerSmiles, 2004). Since phony sites have a short life span, the fraudsters need quick responses to carry out the desired fraud activity. Sites stay online for an average of 3.8 days and no more than 30 days (Hilley, 2007).

Technology has helped the fraudsters carry out phishing schemes. A new “plug-and-play” phishing kit is available that speeds up the process of making phishing sites.
Before the phishing kits were available, fraudulent sites required installation of various files on the server where the attack is hosted. Individual files included the bank logo, HTML pages, etc. The files would each be loaded on the server individually. Although the entire process was simple and took a short amount of time, the fraudster would need to access the server multiple times to upload each file (Hilley, 2007). The phishing kit requires only one file and one upload to create the entire site, which takes approximately two seconds.
With only one upload to the server, the fraudster needs to access the server once, which leaves network security systems less time to determine the identity of the fraudster. The simplified process allows the fraudster to create more of these sites (Hilley, 2007).

Banks are victim to 70 percent of all phishing activities. A total of 205 financial institutions were attacked in December 2006 (Hilley, 2007), and as of September 2007, Regions Bank had 318 phishing sites, National City had 282 and Bank of America had 195 (“PC Magazine”, 2007).
In May 2007, there were 438 unique phishing sites recorded (Hilley, 2007). Approximately 3.5 million Americans fell into phishers’ traps in 2006, an 84 percent increase from 2005. Losses in 2006 amounted to $2.8 billion (McMillan, 2007).

Antifraud measures

Credit and debit cards are rapidly replacing cash and check transactions for many businesses. According to a study sponsored by the American Bankers Association, between 2004 and 2006, 45 percent of US consumers reported using less cash (Smith, 2007).
With the change in financial flexibility and control, a new opportunity is presented for exploitation. This section describes what financial institutions are doing in response to credit card fraud and unique card features common to MasterCard, Visa, and American Express, which are used to mitigate the risks of fraud. Financial institutions and merchants are also doing their part to protect their customers from fraud by educating them about safeguarding their identity. Educating consumers will aid toward prevention and could save consumers the hassles and burden of destroyed credit.
Features unique to Visa include the following: the first four digits of the account number are preprinted above the embossed number; the account number always begins with a 4 and contains 13 or 16 digits; micro-printing appears around the Visa logo; a large dove is visible under ultraviolet light. Features unique to MasterCard include: the account number always begins with a 5 and contains 16 digits; a unique security feature character “MC” appears next to the expiration date; the account number is indent-printed in reverse italics on the signature panel; a large “MC” is visible under ultraviolet light.
American Express has a few features that are unique as well. Under ultraviolet light, the letters “AMEX” can be detected. The account number usually begins with 37 and contains 15 digits (ACFE, 2007, p. 1.1027).

Over the last two decades, efforts have been under way by financial institutions and technology vendors to reduce the problems associated with credit card fraud. Visa and MasterCard launched programs geared toward verifying card ownership at the point when the cards are used. In 1993, Visa launched its card verification value (CVV) program. Within the magnetic strip of the card, an encrypted numeric value is encoded.
When the cardholder uses the card to make a purchase at the POS, the terminal reads the CVV code and transmits it to the issuing bank, where the code is verified. Within the first two months of instituting this program, Visa estimated that it prevented $3.4 million in fraudulent transactions. MasterCard instituted the same technology but also included a CVC on the signature panel following the account number (Day, 1993, p. 30). The downside of CVV is that it can only protect transactions attributable to fake magnetic stripes. It does not protect against skimming.
What is important with the CVV code is that it gives the merchant the opportunity to halt the transaction for further exploration and so to avoid allowing a fraudulent transaction.

Visa recently developed a technology for analyzing card transactions both individually and collectively for possible fraud across its transaction process network. The technology, “Advanced authorization,” is estimated to prevent $164 million in fraud losses over the next five years (Marlin, 2005, p. 32). The technology instantly rates a credit card transaction’s fraud potential for the card-issuing financial institution.
To combat non-receipt fraud, financial institutions are now using credit card activation programs to thwart fraud by perpetrators using the postal system. The institutions do not activate the cards until the customer contacts the credit card company, which asks the customer for personal information known only to the cardholder. Once the information has been provided, the card is activated for use. Card activation programs are relatively inexpensive to implement and can dramatically reduce the risk of the card being used by unauthorized persons (Arend, 1993, p. 91).
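
The account-number features listed above for Visa, MasterCard and American Express (leading digits and number of digits) can be checked by a merchant's software before a transaction is sent for authorization. The following is an added example, not part of the original article: the function names are hypothetical, the sample numbers are constructed test values rather than real accounts, and the Luhn check-digit test goes beyond the rules the article lists.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Brand rules as listed in the article: (leading digits, allowed lengths).
BRAND_RULES = {
    "Visa": ("4", {13, 16}),
    "MasterCard": ("5", {16}),
    "American Express": ("37", {15}),  # the article says "usually begins with 37"
}


@dataclass
class Screening:
    brand: Optional[str]      # brand matched by leading digits, or None
    ok: bool                  # True only if every check passed
    masked: str               # last four digits only, safe to log
    reasons: List[str] = field(default_factory=list)


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test (an addition; the article does not mention it)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so logs never hold a full number."""
    return "*" * max(len(digits) - 4, 0) + digits[-4:]


def screen_card_number(raw: str) -> Screening:
    """Apply the article's brand rules plus the Luhn test to one card number."""
    digits = raw.replace(" ", "").replace("-", "")
    if not (digits.isascii() and digits.isdigit()):
        return Screening(None, False, "", ["contains non-digit characters"])

    brand = next((name for name, (prefix, _) in BRAND_RULES.items()
                  if digits.startswith(prefix)), None)
    reasons = []
    if brand is None:
        reasons.append("leading digits match no brand rule")
    elif len(digits) not in BRAND_RULES[brand][1]:
        reasons.append(f"{len(digits)} digits is not a valid length for {brand}")
    if not luhn_valid(digits):
        reasons.append("check digit fails")
    return Screening(brand, not reasons, mask(digits), reasons)


if __name__ == "__main__":
    # Constructed sample inputs (test values, not real accounts).
    for sample in ["4111 1111 1111 1111", "5555-5555-5555-4444",
                   "378282246310005", "4111111111111112", "411111111111111"]:
        result = screen_card_number(sample)
        print(result.masked, result.brand, result.ok, result.reasons)
```

A number that passes these checks is only well-formed; as the article notes for CVV, such checks do not protect against skimmed data, which carries a genuine account number.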