The credit card fraud

The credit card fraud is a generic term which refers to a multitude of criminal endeavors undertaken by criminals looking to exploit the use of credit cards as payment instruments in order to gain illicit access to funds or engage in illicit transactions. Due to the nature of the credit card fraud, it is often very hard to acquire enough physical proof to condemn a fraudster. Moreover, the majority of large-scale credit card fraud is perpetrated internationally, by multinational gangs of criminals with access to top-of-the-class technology and operating almost as veritable crime syndicates.

One aspect which is often closely associated with the credit card fraud is identity theft – in other words, a fraudster impersonating a credit cardholder in order to make illicit charges on the latter’s card. This can be done in a variety of ways. For instance, the fraudster can effectively take possession of the actual credit card and use as if it were his own in order to make purchases either in stores, online or via telephone order. However, most such instances of credit card frauds are opportunistic – in order to gain access to an actual credit card, a fraudster either has to steal it himself (or purchase it from someone who has stolen it) or else take advantage of the cardholder misplacing or losing the card. With penalties for credit card fraud on the rise and consumers aware of such tactics, lost or stolen card fraud levels have been dropping constantly over the past years. Moreover, even though a stolen credit card remains active until the holder has become aware of the theft or loss and has notified the issuer, most issuers have free 24-hour telephone lines in place whose purpose is precisely to stop the credit card fraud before it occurs. If affected cardholders report credit card fraud attempts in good time, the issuer can block the holder’s account until such time that a new credit card is issued.

One separate side of the credit card fraud is the so-called card not present (CNP) fraud, which mostly affects merchants who operate via mail order or via the internet. This type of fraud does not involve the fraudster stealing the actual card, but rather taking hold of the genuine card details, which are subsequently employed to make purchases via a remote channel such as the telephone, fax, mail order or the internet. Such channels do not require the actual, physical presence of the card or of the cardholder at the point of sale. Retailers are thus forced to rely on the data provided to them by the cardholder – or the person pretending to be the cardholder – in order to receive the necessary payment information and complete the sale. This may prove very difficult, and fraudsters have a large number of scenarios at their disposal to pose as the genuine cardholder and authorize a fraudulent purchase. Security details, such as the three-digit number on the back of a card, passwords (offered for online purchases by MasterCard’s SecureCode and Visa’s Verified by Visa schemes), as well as regular checking of credit reports can assist merchants and cardholders in fighting card not present fraud. However, due to the large risks (and liabilities) involved, most merchants will charge high rates for accepting remote credit card payments for telephone or mail orders.

One of the main advantages of owning a credit card is convenience – the convenience of being able to make quick purchases in-store or online. Consumers who wish to use their credit cards to pay online or via remote channels such as the telephone expect the transactions to occur quickly, and are often reluctant to employ additional security measures – such as single use card numbers, for instance. This is an aspect fraudsters gladly exploit, and often consumers realize something has gone wrong only when they receive their monthly credit card statements.

Another widespread type of credit card fraud is known as skimming – and it occurs when a fraudster gets a hold of credit card information employed in an otherwise legitimate transaction. This sometimes occurs with the complicity of one or more „inside men”, dishonest employees typically working in bars or restaurants, where it is customary for clients to hand over their cards to staff in order to pay for their meals, drinks, etc. Skimming requires the use of a small electronic device (skimming device) which records credit card numbers; some skimming devices can also clone the information stored on a card’s magnetic stripe. Another scenario that is favorable to skimming as a type of credit card fraud involves the so-called rigging of ATMs. The fraudster will install a device over the machine’s card slot to read and store the information on the card’s magnetic stripe as the card is inserted into the ATM. Since ATMs request cardholders to input their PINs, skimmers will also sometimes install miniature cameras to read users’ PINs. This type of ATM skimming fraud is usually perpetrated by larger gangs of cybercriminals and may be qualified as a form or organized crime. Once credit card information has been obtained via skimming, the criminals will clone the original cards and use them to make purchases either online or at actual merchant locations.

The credit card fraud

The credit card fraud can occur on a very large scale if the fraudsters are well organized and target not individual cardholders, but rather locations such as merchant premises where huge numbers of transactions occur every day. Two classic (by now) credit card fraud cases have affected discount retailer of apparel and home fashion TJX in 2007 and Heartland Payment Systems (HPS), one of the largest payment processors and payroll service bureaus in the US in 2008. In both cases, hackers used extremely advanced technology and strategies. In TJX’s case, hackers aimed a telescope-shaped antenna at the store and employed a laptop to intercept and steal credit card data transmitted between hand-held price-checking devices, cash registers and the store’s computers. To date, TJX has acknowledged that at least 45.7 million credit and debit cards were stolen over an 18-month interval, exposing millions of cardholders to identity fraud. The Heartland breach was even more daring, as fraudsters chose to target an actual credit card processor. Fraudsters installed malicious software inside the company’s computer system and stole huge amounts of data as it was processed by the company’s network. Up to 100 million cards from more than 650 financial services companies are estimated to have been compromised as a result of the breach, making this the largest-ever breach of card data. Albert Gonzalez was indicted in August 2009 and charged with credit card fraud after masterminding the Heartland attack.

A rather controversial aspect of credit card fraud has to do with fraud liability. In addition to the actual losses caused by the fraud itself, many other charges also occur when the credit card fraud has been perpetrated: banks must re-issue compromised cards, merchants must sometimes refund customers, or else deploy additional, costly fraud prevention systems. Overall, the credit card fraud is very bad for business, as it significantly impacts consumer confidence and damages customer experiences, sometimes irretrievably. So – who incurs the extra charges? Depending on legislation, sometimes it’s the merchant (this occurs in the US), sometimes the cardholder, and sometimes the card issuer (bank or other financial services provider).

As far as issuers are concerned, a conflict of interests may sometimes intervene involving consumer security, on the one hand, and credit card companies on the other hand. It often happens – as we mentioned above – that the credit card fraud policies may cause consumer inconvenience due to added security protocols that must be enforced in order to make a transaction more secure. However, consumers are rarely willing to relinquish convenience, even in favor of extra security. Additionally, extra security measures may drive down the number of transactions and cumulative transaction volumes registered by banks and credit card companies like Visa and MasterCard – who derive profit from such transactions. So, on the one hand issuers and credit card companies must enforce anti-credit card fraud mechanisms, while all the time making sure that transaction volumes stay up, which may prove to be quite a fine line to walk. In any case, credit card fraud protection remains an issue which is widely debated across the world, and it will be a while before a unanimous view on the matter is reached – both with regard to credit card fraud liability and with regard to the best tactics that are likely to stop fraud in its tracks.