This is part four of a planned six-part series on the credit card in- dustry. It will be helpful if you have read parts one through three, as I use a lot of terminology here that was introduced earlier. Enjoy. WARNING This installment describes various methods of perpetrating fraud against credit and charge card issuers, acquirers, and cardholders. Le- gal penalties for using these methods to commit fraud are severe. The reason for sharing this information is so that consumers will be aware of the importance of security and be aware of the procedures used by financial institutions to protect against fraud. Neither I nor my em- ployer advocate use of the fraudulent methods described herein. All the information here is publicly available from other sources. Un- necessary detail is purposely not included, particularly as it applies to detection and prevention of fraud. CARDHOLDER FRAUD ---------- ----- The most common type of fraud against credit cards is cardholders fal- sifying applications to get higher credit limits than they can afford to pay, or to get multiple cards that they cannot afford to pay off. Sometimes this is done with intent to defraud, but most often it is done out of desperation or sheer financial ineptitude. Those who in- tend to defraud generally use the multiple-card approach. They give false names and financial data on several (sometimes as many as hun- dreds) of applications. Often, the address of a vacant house that the crook has access to is given, making it difficult to track the crook's real identity. Once cards start showing up, the crook uses them for cash advances or charges merchandise that is easy to sell, like con- sumer electronics. The crook will run all the cards up to the limit immediately, and will generally move on by the time the bills start ar- riving. This type of fraud is not applicable to debit cards, since they require an available account balance equal to or greater than any purchases or withdrawals. Protecting against this type of fraud, either intentional or otherwise, is exactly the purpose of credit bureaus such as TRW. Issuers have be- come more aware of the need for careful screening of applications, and are using better techniques for detecting similar applications sent to multiple issuers. More sophisticated velocity file screening can also be used to detect possibly fraudulent usage patterns. Since this is a method of fraud that can be used to gain really large amounts of money, it is a high priority with issuers' security departments. A variant of this scheme is much like check kiting. Can you use your VISA to pay your MasterCard? Well, you might be able to manage it, but if you're doing it with intent to defraud, you can be prosecuted. Kit- ing schemes typically don't last long, have a low payoff, and are very easy to detect. Another type of cardholder fraud is simply contesting legitimate charges. Most often, retrieving the documents gives pretty convincing proof. Frequently, a family member will be found to have used the card without the cardholder's permission. Such cases are usually pretty easy to resolve. In the case of an ATM card, cameras are often placed at ATMs (sometimes hidden) to record users of the machine. The camera is usually tied to the ATM, so that a single retrieval stamp can be placed on the film and the ATM log. If a withdrawal is contested, the bank can then retrieve the picture of the person standing at the ma- chine, and conclusively tie that picture to the transaction. A type of cardholder fraud that is endemic only to ATMs is making false deposits. You could, theoretically, tell the ATM that you are deposit- ing a large amount of money, and put in an empty envelope. Most banks will not let you withdraw amounts deposited into an ATM until the de- posit has been verified, but some will allow part of the deposit to be withdrawn. Typically, you can't get away with much. If you have any money actually in your account, the bank has easy, legal recourse to seize those funds. Most banks have no sense of humor about such things, and will remove ATM card privileges after the first offense. THIRD-PARTY FRAUD ----------- ----- The simplest way for a third party to commit fraud is for them to get their hands on a legitimate card. There is a large black market for credit cards obtained from hold-ups, break-ins and muggings. Perhaps one of the cruelest methods of getting a card is a "Good Samaritan" scam. In such a scam, credit cards are stolen by pick-pockets, purse-snatchers, etc. That same day, someone looks up your number in the phone book and calls you up. "I just found your wallet. All the money is gone, but the credit cards and your driver's license are still here. It just happens that I'll be in your neighborhood next Wednesday and I'll drop it off then." Since the cards are found, you don't re- port them stolen, and the crooks get until next Wednesday before you're even suspicious. If such a thing happens to you, ask if you can come and pick the cards up immediately. A true good samaritan won't mind, but a crook will stall you. If you can't get your hands on the cards immediately, report them as stolen. Most issuers will be able to get you a new card by next Wednesday, anyway. Often stolen cards will be used for a time exactly as is. The best tool for preventing this is verification of the signature, but this is ineffective because most merchants don't consistently check signatures and some people don't even sign their cards. (I guess these people figure that all purse snatchers are accomplished forgers as well.) Many cards will eventually be modified as the various security schemes start catching up. It is a very easy matter, for example, to re-encode a different number on the magnetic stripe. Since the card still looks fine, a merchant will accept it and run it through the POS terminal, completely ignorant of the fact that the number read off the back is not the same as that on the front. Although the number on the front would fail a negative file check, the number on the back is one that hasn't been reported yet. A card can be re-encoded almost any number of times, as long as you can keep coming up with new valid PANs. To protect against this, some merchants purposely avoid using the magnetic stripe. Others have terminals that display the number read from the stripe, so the cashier can compare it to the number on the card. Some issuers are experiment- ing with special encoding schemes, to make re-encoding difficult, but most of these schemes would require replacing the entire embedded base of POS terminals. An interesting approach I've seen (it's probably patented) uses a laser to burn off the parts of the magnetic stripe where zeroes are encoded, leaving only the ones. This severely limits the changes you can make to the card number. Some issuers use the "discretionary data" field to encode data unique to the card, that a crook would not be able to guess, to combat this type of fraud. Since an ATM doesn't have a human looking at the card, it is especially susceptible to re-encoding fraud. A crook could get a number from a discarded receipt and encode it on a white card blank, which is easy to obtain legally. Many people use PINs that are easy to guess, and the crook has an easy job of it. Most ATMs will not give you your card back if you don't enter a correct PIN, and will only give you a few tries to get it right, to prevent this type of fraud. Velocity file checks are also important in detecting this. You should always take your ATM receipts with you, pick a non-obvious PIN, and make sure that nobody sees you enter it. One place that a crook can get valid PANs to encode on credit cards is from dumpsters outside of stores and restaurants. The credit slip typically is a multipart form, with one copy for you, one for the mer- chant, and one for the issuer (ultimately). If carbon paper is used, and the carbons are discarded intact, it's pretty easy to read the num- bers off of them. Carbonless paper and forms that either rip the car- bons in half or attach them to the cardholder copy automatically are used to prevent this. There are a lot of scams for getting people to tell their credit card numbers over the phone. Never give your card number to anyone unless you are buying something from them, and make sure that it is a le- gitimate business you are buying from. "Incredible deal!! Diamond jewelry at half price!! Call now with your VISA number, and we'll rush you your necklace!!" When you don't get the necklace for four weeks, you might start to wonder. When you get your credit card bill, you'll stop wondering. There are other, more sophisticated ways to modify a credit card. If you're skillful, you can change the embossing on the card and even the signature on the back. For most purposes, these techniques are more trouble than they're worth, since it's not difficult to come up with a new stolen card, or fake ID to match the existing card. MERCHANT FRAUD -------- ----- There are many urban rumors of merchants imprinting a card multiple times while the cardholder isn't looking, and then running through a bunch of charges after the cardholder leaves. I don't know of any case where this is an official policy of a merchant, but this is certainly one technique a dishonest cashier could use. The cashier can then take home a bunch of merchandise charged to your account. Although some people are afraid of this happening in a restaurant, where a waiter takes your card away for a while, it's actually less likely there, since there isn't anything the waiter can charge against your card and take home. A merchant could also make copies of charge slips, to sell the PANs to other crooks. (See above for use of PANs.) Most credit card investi- gation departments are sensitive to this possibility, and catch on real fast if it's happening just by looking at usage history of cards with fraudulent charges. A merchant is also in a position to create many false charges against bogus numbers, to attempt to defraud the acquirer or issuer. These schemes are usually not too effective, since acquirers generally re- spond very quickly to an unusual number of fraudulent transactions by tightening restrictions on the merchant. ACQUIRER AND ISSUER FRAUD -------- --- ------ ----- The place to make really big bucks in fraud is at the acquirer or is- suer, since this is where you can get access to large amounts of money. Fortunately, it's also fairly easy to control things here with audit procedures and dual control. People working in the back offices, pro- cessing credit slips, bills, etc. have a big opportunity to "lose" things, introduce false things, artificially delay things, and tempo- rarily divert things. Most of the control is standard banking stuff, and has been proven effective for decades, so this isn't a big problem. A bigger potential problem to the consumer is the possibility of an em- ployee at the issuer or acquirer selling PANs to crooks. This would be very hard to track down, and could compromise a large part of the card base. I know of no cases where this has happened. Programmers, in particular, are very dangerous because they know where the data is, how to get it, and what to do with it. In most shops, de- velopment is done on completely separate facilities from the production system. Certification and installation are done by non-developers, and developers are not allowed any access to the production facilities. Operations and maintenance staff are monitored very carefully as well, since they typically have access to the entire system as part of their jobs. Another type of fraud that is possible here is diversion of materials, such as printed, but not embossed or encoded, card blanks. Such mate- rials are typically controlled using processes similar to those used at U.S. mints. Since most of the cards issued in the United States are actually manufactured by only a handful of companies, it's not too hard to keep things under control. There are many types of fraud that can be perpetrated by tapping data communication lines, and using protocol analyzers or computers to in- tercept or introduce data. These types of fraud are not widespread, mainly because of the need for physical access and because sophisti- cated computer techniques are required. There are message authentica- tion, encryption, and key management techniques that are available to combat this type of fraud, but currently these techniques are far more costly than the minimal fraud they could prevent. About the only such security technique that is in widespread use is encryption of PINs. The next episode will be devoted to debit cards, and the final episode will talk about the networks that make all this magic happen. Joe Ziegler att!lznv!ziegler