Credit Card Fraud: Your Card in Their Hands

© May/June 2004
Association of Certified Fraud Examiners
By Michael Linnitt, CFE
Credit card fraud continues to be a menace, especially in developing countries. But credit card companies and issuing banks
are working to stay one step ahead of large global syndicates.
During a recent investigation into a crime syndicate that was dealing in a large volume of counterfeit credit cards, I was
surprised to find that the Kingpin’s lair in Jakarta, Indonesia, was a dingy apartment crammed full of computers. Here his
faithful staff gambled online 24 hours a day working their way through hundreds of credit cards and lists of credit card details
until the cards finally were blocked and no longer accepted. They wired their winnings to banks in offshore jurisdictions as
laundered funds through legitimate accounts. An avid gambler, the Kingpin enjoyed his work.
Being without the use of the plastic cards, for even a short time, can be extremely inconvenient. There was a time when the
customer, if astute enough, could take the credit card carbon paper copy from the shop assistant and rest easy. No longer.
Credit card fraud – a professional, international business run by resourceful syndicates with industry insiders on their payrolls
– was estimated by The Nilson Report as costing USD$3.8 billion globally in 2002.
For a fraud examiner, understanding the extent and types of this fraud, as with any other fraud, increases professional
knowledge. But for those investigating fraud in financial institutions, it’s essential.
Credit Card System Rudiments
A credit card bears the brand name and logo of a company that controls and regulates the cards. A bank, which is required to
meet the standards set by the credit card company, actually issues the card. The credit card company raises funds from
charges to the bank. These charges include fines for malpractice. When a customer incurs a loss due to fraud, the credit card
company underwrites it, but it reclaims the money from the issuing bank.
This relationship is important because although the customer takes solace from seeing the credit card company symbol on
their card, the responsibility of “caring” for them actually befalls the issuing bank.
Furthermore, when a customer makes a purchase at a retailer, the issuing bank may not have a credit card terminal in the
retail outlet. Of course, banks share facilities and so any card reader will be able to process the transaction. However, this
means that the transaction is entrusted to the processes of yet another bank.
In any country the security of card information relies on the bank’s protocols, systems, and general security levels. While
investigating fraud in Asia, I’ve seen that many banks have woefully poor security measures because of lack of funds or
understanding of the risks.
Increasingly, the onus is on the card issuer rather than the card user to prevent fraud. One of the banks’ main tools is fraud
detection software that looks for unusual patterns and anomalies. Another is robust security measures over the control of the
card readers. However, the banking sector outside of the United States and Europe seldom uses these detection methods.
Counterfeit Card Fraud
A counterfeit card is one that’s been either printed, embossed, or encoded without permission from the issuer, or one that has
been validly issued and then altered or re-coded. Cards can be reprogrammed with the details of any card with a small and
cheap magnetic strip reader and writer apparatus available at computer and electronic shops. (Small businesses use the
machines to make ID cards, access cards, gym membership cards, etc.)
Most counterfeit fraud cases involve skimming – the fraudster electronically copies the genuine data on a card’s magnetic
stripe onto another without the legitimate cardholder’s knowledge.
Skimming normally occurs at retail outlets – particularly bars and restaurants – where a corrupt employee swipes a customer’s
card through a small card reader concealed on their clothing or sometimes “double swipes” through the legitimate terminal
before handing it back to the customer. They then sell the recorded information to a contact higher up the criminal ladder
where the card is cloned. The details obtained by skimming can also be used to carry out fraudulent “card-not-present”
transactions. (See page 29.) Often the cardholder is unaware of the fraud until a statement arrives showing purchases they
didn’t make.
More worryingly, card details can also be obtained by “chipping” a card reader at a legitimate point of sale. Card readers need
to be serviced and repaired on occasion. A bogus engineer arrives saying he has to service the reader but instead inserts a
chip that records card transaction information. A month later, the “service engineer” returns and removes the chip, which now
contains hundreds of card details including the Card Verification Value (CVV). A three- or four-digit CVV number is embossed
on each card and can be used by a cardholder to verify the account over the telephone or Internet. Another CVV is encoded on
the magnetic stripe and can only be read electronically. With these numbers, a fraudster can use the card details freely. Newer
versions of the card security codes include the CVV2 (Card Verification Value), the CVC2 (Card Validation Code) and CID (Card
Identification number).
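One way an issuer's fraud team can trace cloned cards back to a skimming point or a chipped reader is common-point-of-purchase analysis: finding the outlet where the affected cards were all genuinely used before the fraud began. The sketch below is an added example, not part of the original article; the card ids, merchant names, dates and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import date

def _tx(merchant, day, cards):
    # Helper for the constructed sample: one purchase per card id at this merchant.
    return [(card, merchant, date(2004, 3, day)) for card in cards]

# Constructed sample data; card ids A-H and merchant names are placeholders.
TRANSACTIONS = (
    _tx("Harbour Bar", 2, "ABCDE")
    + _tx("City Supermarket", 4, "ABCEFGH")
    + _tx("Airport Kiosk", 6, "A")
    + _tx("Luxury Goods Store", 20, "ABCD")  # the counterfeit-card spending itself
)
# Cards later confirmed as cloned, mapped to the date of their first fraudulent use.
FRAUD_CARDS = {card: date(2004, 3, 20) for card in "ABCD"}

def common_points_of_purchase(transactions, fraud_cards, lookback_days=60, min_cards=3):
    """Rank merchants by how many cloned cards were used there before the fraud began."""
    compromised_seen = defaultdict(set)  # merchant -> cloned cards seen in the window
    all_seen = defaultdict(set)          # merchant -> every card seen
    for card, merchant, when in transactions:
        all_seen[merchant].add(card)
        first_fraud = fraud_cards.get(card)
        if first_fraud is None:
            continue
        days_before = (first_fraud - when).days
        if 0 < days_before <= lookback_days:  # only genuine use before the fraud
            compromised_seen[merchant].add(card)
    ranked = []
    for merchant, cards in compromised_seen.items():
        if len(cards) < min_cards:
            continue  # too few cards to separate a pattern from coincidence
        share = round(len(cards) / len(all_seen[merchant]), 2)
        ranked.append((merchant, len(cards), share))
    # Most cloned cards first; ties broken by the share of the merchant's cards affected.
    return sorted(ranked, key=lambda row: (-row[1], -row[2]))

if __name__ == "__main__":
    for row in common_points_of_purchase(TRANSACTIONS, FRAUD_CARDS):
        print(row)
```

The share column separates an outlet that most cardholders visit anyway from one where nearly every card handled was later cloned.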
The counterfeit card syndicate normally has three levels. The skimmers sell the collected numbers to middle men who test the
accounts to confirm they are usable. These usable numbers are then sold to the card counterfeiters for about $150 per card
details (for Gold and Platinum cards). The counterfeiters then emboss or create physical cards that their team of shoppers uses
to purchase luxury goods.
These syndicates are very sophisticated. They cross borders to reduce their overall exposure to being caught and layer the
syndicate to detach themselves from the street-level individuals who are more easily detected.
In a recent case, card details obtained in Singapore were tested in Malaysia, the cards were embossed in Hong Kong, and the
shopping was done in Japan, Korea, Russia, and Italy.
This table illustrates a typical snapshot of one country’s increasing fraud rate.
United Kingdom Card Fraud Losses, 2000 - 2001 (Sterling Millions) by Category
Category                  2000     2001     % Change
Counterfeit               107.1    160.3    +50
Card-not-present          72.9     95.7     +31
Lost/stolen card          101.9    114.0    +12
Intercepted in post       17.7     26.7     +51
Fraudulent application    10.5     6.6      +37
Other                     6.9      8.0      +15
Totals                    317.0    411.4    +30
Source: APACS (Association for Payment Clearing Services), March 2002
Point-of-sale Fraud and Ghost Terminals
A retail outlet qualifies for card-reader installation by meeting certain criteria and passing basic security checks. But the criteria
and checks are often basic and conducted during just one site visit. So a fraudster can easily set up a fake or ghost operation
by leasing a shop for a short time with cash, installing a reader that gives false details, and quickly gathering scores of false
transactions with compromised data and counterfeit cards in a short time. A fraudster also can do this by buying out a failing
business that already has a legitimate reader installed and thus avoid any security checks.
With a little banking knowledge, a fraudster can create a ghost terminal by obtaining a reader from a failed business and
initiate it using completely false details via an automated telephone system. When the credit card company discovers the high
volume of fraudulent transactions the trail will lead nowhere.
Countries with less sophisticated banking sectors, such as those in Asia and Africa, that don’t employ fraud monitoring
software to monitor ongoing transactions, are particularly susceptible to this scheme. The target often is the unsuspecting
tourist or business traveler. (See page 48.)
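The ghost-terminal pattern described above, a newly initiated reader that quickly gathers scores of transactions, is the kind of anomaly transaction-monitoring software can check for. The rule below is an added example, not from the original article; the terminal records, field names and thresholds are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta

START = datetime(2004, 3, 1, 9, 0)

def _burst(terminal, count, issuers, amount):
    # Helper for the constructed sample: `count` sales, 90 minutes apart, from START.
    return [{"terminal": terminal, "issuer_country": issuers[i % len(issuers)],
             "amount": amount, "time": START + timedelta(minutes=90 * i)}
            for i in range(count)]

# Constructed sample data; terminal ids, countries and amounts are placeholders.
TERMINALS = {
    "T-NEWSHOP": {"country": "ID", "activated": START},
    "T-CAFE": {"country": "ID", "activated": START},
    "T-HOTEL": {"country": "ID", "activated": datetime(2001, 1, 1)},
}
TRANSACTIONS = (
    _burst("T-NEWSHOP", 30, ["GB", "US", "AU", "JP", "GB", "ID"], 900.0)
    + _burst("T-CAFE", 40, ["ID", "ID", "ID", "SG"], 12.5)
    + _burst("T-HOTEL", 30, ["GB", "US"], 800.0)
)

def flag_new_terminals(terminals, transactions, window_days=7, min_tx=20,
                       min_foreign_share=0.8, min_avg_amount=500.0):
    """Flag terminals whose first days show many high-value foreign-card sales."""
    flagged = []
    for terminal_id, info in terminals.items():
        cutoff = info["activated"] + timedelta(days=window_days)
        early = [t for t in transactions if t["terminal"] == terminal_id
                 and info["activated"] <= t["time"] < cutoff]
        if len(early) < min_tx:
            continue  # not enough early activity to judge
        foreign = sum(t["issuer_country"] != info["country"] for t in early)
        foreign_share = foreign / len(early)
        avg_amount = sum(t["amount"] for t in early) / len(early)
        if foreign_share >= min_foreign_share and avg_amount >= min_avg_amount:
            flagged.append((terminal_id, len(early),
                            round(foreign_share, 2), round(avg_amount, 2)))
    return flagged

if __name__ == "__main__":
    print(flag_new_terminals(TERMINALS, TRANSACTIONS))
```

A reader taken over from a failing business keeps its old activation date, so this rule would not see it; that case needs a companion check for a sudden change in an established terminal's pattern.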
Card-not-present Fraud
This crime doesn’t require an actual card but just stolen card details to make a purchase usually over the telephone or on the
Internet. Again, the legitimate cardholder may not be aware of the fraud until he or she receives a statement.
Investigators have caught criminals who had information that they apparently collected from bank data. One such fraudster,
detained at a retail outlet in a popular Asian tourist spot, had a list of several thousand card numbers, some of which were
printed from a computer. This information can be obtained by hacking into an insecure bank database or by paying off bank
staff. Again, this happens in less mature jurisdictions.
While reviewing a bank’s card center operations in one Asian country, I found that the computer used to handle all card and
cardholder details was in an insecure open office area and connected to the Internet. Hackers could easily have invaded the
database or unscrupulous employees could have emailed data offsite.
Fraudsters can gather not only credit card details from Internet chat rooms but also programs that generate the details,
including the CVV numbers, based on number-generating algorithms banks use to generate genuine cards.
Some mail-order retailers reject orders from certain countries such as Indonesia because the addresses given are false or the
individual can’t be traced. However, fraudsters have realized that they can give an address of “Jakarta, Australia,” and the
reliable Australian postal service will deliver it to the fraudsters in neighboring Indonesia.
Internet Fraud
Most Internet fraudsters use card details illegally obtained in the real world to make card-not-present transactions in the
virtual world. Card companies report relatively low incidence of Internet fraud but as indicated in the following table of
projected figures, fraud is likely to balloon as online e-commerce increases.
Estimated US Online Credit Card Fraud, 2002 - 2007
Year    USD billion
2002    1.8
2003    2.3
2004    2.6
2005    2.7
2006    3.0
2007    3.2
Source: Celent Communications January 2003
Though retail Web site security is effective, savvy fraudsters undoubtedly are working to crack the codes. However, most
perpetrators are still gathering the low-hanging fruit of traditional sources.
Lost or Stolen Cards
Most fraud due to lost or stolen cards takes place at retail outlets before the cardholder has reported the loss. Otherwise,
fraudsters use card details from these cards to make card-not-present transactions.
Though this is still a small category of fraud, there has been a significant increase in the last two years, at least in countries
that have reliable statistics. This shows that criminals constantly look for new areas to exploit as fraud prevention initiatives
drive them away from their usual methods.
Identity Theft
Although evidence of identity theft on card accounts is currently minimal, there is the possibility it may increase as new
security measures such as microchip cards are introduced, which could drive criminals to look for different ways to perpetrate
fraud. The main motive for committing identity theft is to facilitate credit card fraud. The U.S. Federal Trade Commission
recorded 214,905 cases of identity theft in 2003.
Fraudsters will steal documents from the trash and mail to obtain enough details about people to apply for new credit cards in
those individuals’ names. Another common method is to gather résumés via bogus job ads in newspapers or compromised or
false recruitment agencies. Criminals also take over individuals’ accounts by gathering victims’ information and then
contacting the card issuers, masquerading as the genuine cardholders, to ask that mail be redirected to new addresses. They
simply report the lost cards and ask for replacements.
ATM Fraud
Most ATM fraud cases occur when a legitimate cardholder has written down his or her Personal Identification Number (PIN) and
kept it with the card in a purse or wallet that’s stolen. An increasingly common problem is shoulder surfing: criminals peer over
a cash machine user’s shoulder to watch them enter their PIN, and then steal the card using distraction techniques or
pickpocketing.
Fraudsters in Western countries are using ATM card-trapping devices. A simple plastic sleeve, inserted by the fraudster in the
ATM slot, holds the user’s card in the machine as they are trying to make a transaction. The criminal approaches the victim
pretending to help and tricks him into re-entering the PIN several times. After the cardholder gives up and leaves, the criminal
removes the device containing the card and withdraws cash.
Expatriates and Tourists Targeted
Expatriates’ and tourists’ credit cards are rich pickings for fraudsters in Asia and Africa. Our friend in the opening case, the
Kingpin from Indonesia, gathered details from cards owned by people from wealthier countries who used them in Indonesia.
The first four digits of the card number identify the overseas bank origin. These cards generally have higher daily and overall
spending limits than locally issued cards and more diverse spending patterns that make fraud more difficult to detect.
Syndicates will send cards created with these details to countries where they can be most efficiently used. Currently, Taiwan
and Japan are the favorites in Asia for the purchase of luxury goods. The syndicates also seek local Gold and Platinum cards
for the same reasons.
This chart helps illustrate how Asian countries are still dominated by counterfeit card fraud.
Credit Card Fraud in Japan, 2000 - Q2, 2002
Category                              2000     2001     Q2 2002
Total Fraud (¥ billion)               30.87    27.57    13.62
Fraud as a % of purchases             0.142    n/a      n/a
Counterfeiting/Forgery (¥ billion)    14.02    14.64    8.14
Counterfeiting as % of total fraud    45.4%    53.1%    59.8%
Source: Japan Credit Card Industry Association.
Thing of the Past
To combat plastic card crime, two facts need to be established at the time of a transaction – that the card is the genuine item
and that the person using it is the true owner. The technology to do this already exists.
The introduction of highly secure chip cards in countries such as the United Kingdom (which began in May 2003) meets the
first of these objectives by confirming that a card is not a counterfeit. The UK is the first country to meet the global standard
known as EMV (Europay/Mastercard/Visa) which aims to tackle the global problem of credit card fraud in the coming years.
Chip cards also open up new possibilities for tackling the second objective for fraud prevention – identifying the cardholder.
To fulfill this second part, all face-to-face credit and debit card transactions will eventually be authorized by the customer
keying in their PIN rather than by signing a receipt. This method has been used successfully in France for the past 10 years,
but due to the extensive investment needed in the card system infrastructure, it will take some time to be used in the rest of
the world.
Kingpins Abound
As long as we continue to use little plastic cards embedded with valuable information, there will be Kingpins holed up in dingy
apartments with their minions exploiting cracks in credit card companies’ defenses. But fraud examiners of all stripes, who
continually add to their knowledge of credit card fraud, will help limit this intricate global menace.
Michael Linnitt, CFE, is the commercial enquiries division manager, Hong Kong, with the Asia-based Hill and Associates Security Consultants. His
email address is: michael.linnitt@hill-assoc.com.
The Association of Certified Fraud Examiners assumes sole copyright of any article published in Fraud Magazine. Fraud
Magazine follows a policy of exclusive publication. Permission of the publisher is required before an article can be copied or
reproduced. Requests for reprinting an article in any form must be e-mailed to: FraudMagazine@ACFE.com.