Credit card fraud
Credit card fraud is an inclusive term for fraud committed using a payment card, such as a credit card or debit card.[1] The purpose may be to obtain goods or services or to make payment to another account, which is controlled by a criminal. The Payment Card Industry Data Security Standard (PCI DSS) is the data security standard created to help financial institutions process card payments securely and reduce card fraud.[2]
This article is about all types of credit card fraud. For organised trade and laundering of credit card information, see Carding (fraud).
Credit card fraud can be authorised, where the genuine customer themselves processes payment to another account which is controlled by a criminal, or unauthorised, where the account holder does not provide authorisation for the payment to proceed and the transaction is carried out by a third party. In 2018, unauthorised financial fraud losses across payment cards and remote banking totalled £844.8 million in the United Kingdom. Whereas banks and card companies prevented £1.66 billion in unauthorised fraud in 2018. That is the equivalent to £2 in every £3 of attempted fraud being stopped.[3]
Credit card fraud can occur when unauthorized users gain access to an individual's credit card information in order to make purchases, other transactions, or open new accounts. A few examples of credit card fraud include account takeover fraud, new account fraud, cloned cards, and cards-not-present schemes. This unauthorized access occurs through phishing, skimming, and information sharing by a user, oftentimes unknowingly. However, this type of fraud can be detected through means of artificial intelligence and machine learning as well as prevented by issuers, institutions, and individual cardholders. According to a 2021 annual report, about 50% of all Americans have experienced a fraudulent charge on their credit or debit cards, and more than one in three credit or debit card holders have experienced fraud multiple times. This amounts to 127 million people in the US that have been victims of credit card theft at least once.
Regulators, card providers and banks take considerable time and effort to collaborate with investigators worldwide with the goal of ensuring fraudsters are not successful. Cardholders' money is usually protected from scammers with regulations that make the card provider and bank accountable. The technology and security measures behind credit cards are continuously advancing, adding barriers for fraudsters attempting to steal money.[4]
Means of payment card fraud[edit]
There are two kinds of card fraud: card-present fraud (not so common nowadays) and card-not-present fraud (more common). The compromise can occur in a number of ways and can usually occur without the knowledge of the cardholder. The internet has made database security lapses particularly costly, in some cases, millions of accounts have been compromised.[5]
Stolen cards can be reported quickly by cardholders, but a compromised account's details may be held by a fraudster for months before any theft, making it difficult to identify the source of the compromise. The cardholder may not discover fraudulent use until receiving a statement. Cardholders can mitigate this fraud risk by checking their account frequently to ensure there are not any suspicious or unknown transactions.[6]
When a credit card is lost or stolen, it may be used for illegal purchases until the holder notifies the issuing bank and the bank puts a block on the account. Most banks have free 24-hour telephone numbers to encourage prompt reporting. Still, it is possible for a thief to make unauthorized purchases on a card before the card is cancelled.
Prevention of payment card fraud[edit]
Card information is stored in a number of formats. Card numbers – formally the Primary Account Number (PAN) – are often embossed or imprinted on the card, and a magnetic stripe on the back contains the data in a machine-readable format. Fields can vary, but the most common include the Name of the cardholder; Card number; Expiration date; and Verification CVV code.
In Europe and Canada, most cards are equipped with an EMV chip which requires a 4 to 6 digit PIN to be entered into the merchant's terminal before payment will be authorized. However, a PIN is not required for online transactions. In some European countries, buyers using a card without a chip may be asked for photo ID at the point of sale.
In some countries, a credit card holder can make a contactless payment for goods or services by tapping their card against a RFID or NFC reader without the need for a PIN or signature if the cost falls under a pre-determined limit. However, a stolen credit or debit card could be used for a number of smaller transactions prior to the fraudulent activity being flagged.
Card issuers maintain several countermeasures, including software that can estimate the probability of fraud. For example, a large transaction occurring a great distance from the cardholder's home might seem suspicious. The merchant may be instructed to call the card issuer for verification or to decline the transaction, or even to hold the card and refuse to return it to the customer.[7]
Detecting credit card fraud using technology[edit]
Artificial and Computational intelligence[edit]
Given the immense difficulty of detecting credit card fraud, artificial and computational intelligence was developed in order to make machines attempt tasks in which humans are already doing well. Computation intelligence is simply a subset of AI enabling intelligence in a changing environment. Due to advances in both artificial and computational intelligence, the most commonly used and suggested ways to detect credit card fraud are rule induction techniques, decision trees, neural networks, Support Vector Machines, logistic regression, and meta heuristics. There are many different approaches that may be used to detect credit card fraud. For example, some "suggest a framework which can be applied real time where first an outlier analysis is made separately for each customer using self-organizing maps and then a predictive algorithm is utilized to classify the abnormal looking transactions." Some problems that arise when detecting credit card fraud through computational intelligence is the idea of misclassifications such as false negatives/positives, as well as detecting fraud on a credit card having a larger available limit is much more prominent than detecting a fraud with a smaller available limit. One algorithm that helps detect these sorts of issues is determined as the MBO Algorithm. This is a search technique that brings upon improvement by its "neighbor solutions". Another algorithm that assists with these issues is the GASS algorithm. In GASS, it is a hybrid of genetic algorithms and a scatter search.[8]
Machine learning[edit]
Touching a little more on the difficulties of credit card fraud detection, even with more advances in learning and technology every day, companies refuse to share their algorithms and techniques to outsiders. Additionally, fraud transactions are only about 0.01–0.05% of daily transactions, making it even more difficult to spot. Machine learning is similar to artificial intelligence where it is a sub field of AI where statistics is a subdivision of mathematics. With regards to machine learning, the goal is to find a model that yields that highest level without overfitting at the same time. Overfitting means that the computer system memorized the data and if a new transaction differs in the training set in any way, it will most likely be misclassified, leading to an irritated cardholder or a victim of fraud that was not detected. The most popular programming used in machine learning are Python, R, and MatLab. At the same time, SAS is becoming an increasing competitor as well. Through these programs, the easiest method used in this industry is the Support Vector Machine. R has a package with the SVM function already programmed into it. When Support Vector Machines are employed, it is an efficient way to extract data. SVM is considered active research and successfully solves classification issues as well. Playing a major role in machine learning, it has "excellent generalization performance in a wide range of learning problems, such as handwritten digit recognition, classification of web pages and face detection." SVM is also a successful method because it lowers the possibility of overfitting and dimensionality.[9]
Types of payment card fraud[edit]
Application fraud[edit]
Application fraud takes place when a person uses stolen or fake documents to open an account in another person's name. Criminals may steal or fake documents such as utility bills and bank statements to build up a personal profile. When an account is opened using fake or stolen documents, the fraudster could then withdraw cash or obtain credit in the victim's name.[10]
Application fraud can also occur using a synthetic identity which is similar to the fake documents mentioned above. A synthetic identity is personal information gathered from many different identities to create one fake identity.[11] Once the identity and the account is established, the fraudster has a few different options to take advantage of the bank. They can maximize their credit card spending by spending as much money as possible on their new credit card. Many fraudsters will use the new credit card to purchase items that have a high resale value so they can turn it into cash.[12]
Account takeover[edit]
An account takeover refers to the act by which fraudsters will attempt to assume control of a customer's account (i.e. credit cards, email, banks, SIM card and more). Control at the account level offers high returns for fraudsters. According to Forrester, risk-based authentication (RBA) plays a key role in risk mitigation.[13]
A fraudster uses parts of the victim's identity such as an email address to gain access to financial accounts. This individual then intercepts communication about the account to keep the victim blind to any threats. Victims are often the first to detect account takeover when they discover charges on monthly statements they did not authorize or multiple questionable withdrawals.[14] There has been an increase in the number of account takeovers since the adoption of EMV technology, which makes it more difficult for fraudsters to clone physical credit cards.[15]
Among some of the most common methods by which a fraudster will commit an account, takeover includes proxy-based "checker" one-click apps, brute-force botnet attacks, phishing,[16] and malware. Other methods include dumpster diving to find personal information in discarded mail, and outright buying lists of 'Fullz', a slang term for full packages of identifying information sold on the black market.[17]
Once logged in, fraudsters have access to the account and can make purchases and withdraw money from bank accounts.[18] They have access to any information that is tied to the account, they can steal credit card numbers along with social security numbers. They can change the passwords to prevent the victim from accessing their account. Cybercriminals have the opportunity to open other accounts, utilize rewards and benefits from the account, and sell this information to other hackers.[19]
Social engineering fraud[edit]
Social engineering fraud can occur when a criminal poses as someone else which results in a voluntary transfer of money or information to the fraudster.[20] Fraudsters are turning to more sophisticated methods of scamming people and businesses out of money. A common tactic is sending spoof emails impersonating a senior member of staff and trying to deceive employees into transferring money to a fraudulent bank account.[21]
Fraudsters may use a variety of techniques in order to solicit personal information by pretending to be a bank or payment processor. Telephone phishing is the most common social engineering technique to gain the trust of the victim.
Businesses can protect themselves with a dual authorisation process for the transfer of funds that requires authorisation from at least two persons, and a call-back procedure to a previously established contact number, rather than any contact information included with the payment request. The bank must refund any unauthorised payment; however, they can refuse a refund if they can prove the customer authorised the transaction, or it can prove the customer is at fault because they acted deliberately, or failed to protect details that allowed the transaction.[22]
Regulation and governance[edit]
Vendors vs merchants[edit]
To prevent vendors from being "charged back" for fraud transactions, merchants can sign up for services offered by Visa and MasterCard called Verified by Visa and MasterCard SecureCode, under the umbrella term 3-D Secure. This requires consumers to add additional information to confirm a transaction.
Often enough online merchants do not take adequate measures to protect their websites from fraud attacks, for example by being blind to sequencing. In contrast to more automated product transactions, a clerk overseeing "card present" authorization requests must approve the customer's removal of the goods from the premises in real time.
If the merchant loses the payment, the fees for processing the payment, any currency conversion commissions, and the amount of the chargeback penalty. For obvious reasons, many merchants take steps to avoid chargebacks – such as not accepting suspicious transactions. This may spawn collateral damage, where the merchant additionally loses legitimate sales by incorrectly blocking legitimate transactions. Mail Order/Telephone Order (MOTO) merchants are implementing agent-assisted automation which allows the call center agent to collect the credit card number and other personally identifiable information without ever seeing or hearing it. This greatly reduces the probability of chargebacks and increases the likelihood that fraudulent chargebacks will be overturned.[41]
Famous credit fraud attacks[edit]
Between July 2005 and mid-January 2007, a breach of systems at TJX Companies exposed data from more than 45.6 million credit cards. Albert Gonzalez is accused of being the ringleader of the group responsible for the thefts.[42] In August 2009 Gonzalez was also indicted for the biggest known credit card theft to date – information from more than 130 million credit and debit cards was stolen at Heartland Payment Systems, retailers 7-Eleven and Hannaford Brothers, and two unidentified companies.[43]
In 2012, about 40 million sets of payment card information were compromised by a hack of Adobe Systems.[44] The information compromised included customer names, encrypted payment card numbers, expiration dates, and information relating to orders, Chief Security Officer Brad Arkin said.[45]
In July 2013, press reports indicated four Russians and a Ukrainian were indicted in the U.S. state of New Jersey for what was called "the largest hacking and data breach scheme ever prosecuted in the United States."[46] Albert Gonzalez was also cited as a co-conspirator of the attack, which saw at least 160 million credit card losses and excess of $300 million in losses. The attack affected both American and European companies including Citigroup, Nasdaq OMX Group, PNC Financial Services Group, Visa licensee Visa Jordan, Carrefour, JCPenney and JetBlue Airways.[47]
Between 27 November 2013 and 15 December 2013, a breach of systems at Target Corporation exposed data from about 40 million credit cards. The information stolen included names, account numbers, expiry dates, and card security codes.[48]
From 16 July to 30 October 2013, a hacking attack compromised about a million sets of payment card data stored on computers at Neiman-Marcus.[44][49] A malware system, designed to hook into cash registers and monitor the credit card authorisation process (RAM-scraping malware), infiltrated Target's systems and exposed information from as many as 110 million customers.[50]
On 8 September 2014, The Home Depot confirmed that their payment systems were compromised. They later released a statement saying that the hackers obtained a total of 56 million credit card numbers as a result of the breach.[51]
On 15 May 2016, in a coordinated attack, a group of around 100 individuals used the data of 1600 South African credit cards to steal US$12.7 million from 1400 convenience stores in Tokyo within three hours. By acting on a Sunday and in another country than the bank which issued the cards, they are believed to have won enough time to leave Japan before the heist was discovered.[52]