FRAUDCC.TXT COPYRIGHT American Society for Industrial Security 1989 ---------------------------------------------------------------------- Title-> Protecting the plastic. (credit card fraud; includes related article) Authors-> Goldstein, Jack ---------------------------------------------------------------------- Subjects-> Credit card fraud_prevention Fraud investigation_practice Article #-> 08326979 ---------------------------------------------------------------------- PROTECTING THE PLASTIC IN THE 20 YEARS SINCE THE BEGINNING of the credit card boom, plastic money has become a worldwide-accepted means of buying goods and services - and equally a worldwide means of fraud. In some cases, the frauds have been spectacular. Just over a year ago, for example, nearly $13 million was stolen in a simple operation involving gangs cooperating in Marseilles, France, and Madrid, Spain. The interleaving carbon papers from credit card payment slips were retrieved from trash bins outside restaurants (they'd been carelessly thrown away intact rather than ripped up). Containing, as they do, all the card information plus a specimen of the authorized user's signature, the carbons were sent to Madrid where many duplicate fake cards were made. In a military-style operation, the cards were then used simultaneously to gain goods and cash - and within a month $13 million had gone. The surprising thing about this is that payment slips containing carbons are still in use. And while many restaurants, shops, and hotels now instruct staff to tear up carbons in front of customers, there are still many outlets that remain ignorant of this type of fraud and take no actions to guard against it. The fairly casual granting of credit via credit cards in the late 1960s marked a surprising departure in banks' formally miserly ways of granting overdraft or credit rights. This was particularly marked in the United States at that time. Literally millions of unsolicited credit cards were mailed out to people, mainly from VISA and MasterCard, who were entering the field and vying with the established companies such as American Express and Diners Club. This move so alarmed the US Congress that legislation followed making it illegal to send an unsolicited credit card to anyone. To a degree, the proliferation of cards was curtailed as the majority of issuing companies placed annual user fees on them - now a norm in the United States. Cardholders who held many cards then cut back to those they used most. But the pattern of use had been established by then, and the frauds grew up with them. The major types of fraud are as follows: Stolen cards. These cards commonly have a useful life of about two weeks, after which time they begin to show up on warning lists distributed to merchants by credit card firms. Of course if the cardholder immediately reports the card missing or stolen, the card is blocked at once. Thus purchases above the floor limit requiring direct authorization and purchases in which transaction phones are used for all credit operations reveal the stolen cards. In stores with security personnel on the premises, an arrest can follow. More typically, however, delays in reporting the loss of a card commonly occur. In cases where cards are stolen from the mail, cardholders don't notice the thefts until the bills arrive a month or so later. Cards are also often stolen or lost at restaurants and gas stations; customers may not be aware until a later date that their card were not returned. There's a current fraud operation where a group goes into health clubs, athletic clubs, fitness centers, or the like, opens lockers, takes credit cards out of wallets, puts the wallets back, and relocks the lockers. Cardholders leave the premises with no idea their cards are missing. This scheme gives the culprits the same advantage as stealing a card from the mail - without the prospects of a postal theft criminal charge if caught. Counterfeit credit cards. There are several levels of counterfeiting, varying from exact replicas (which one group was able to make by virtue of having obtained the same machinery as that used by the legitimate embossing companies) down to rather crude replicas. It may seem unbelievable, but statistics show less sophisticated counterfeits are readily accepted by lackadaisical clerks. Schemes using counterfeit cards take time to detect as the charges are interspersed in a customer's bill with legitimate charges. In one case of an organized counterfeit credit card operation, an underworld figure stated his group made a rule of throwing away such cards after a three-week usage. White plastic schemes. These schemes require the cooperation of an authorized merchant. A card is made up of white plastic having embossed on it only what appears on the sales draft. The merchant thus has imprinted on the sales draft what would be on any credit card transaction. Though no service or merchandise is involved, the merchant submits the fraudulent sales draft to the bank for credit. Shave-and-paste schemes. The culprit in this scheme shaves legitimate numbers off the credit card and replaces them with other numbers by pasting them onto the card. Here the defrauders are playing the law of averages by hoping that the new number is a current, existing credit card number. This scam is also known as the altered card scheme. Fraudulent application. In this type of scheme, individuals file applications with several financial institutions with the hope that a few will issue them credit cards. Upon receipt of their cards they use them as fast as possible - usually using post office boxes or addresses of convenience - and almost all information, including their name, is false. The following are some less common schemes: * Merchants run through a second charge slip and submit it for credit. * Cardholders report lost or stolen cards and continue to use them. * Family members use credit cards without the knowledge of the cardholders. There are many solutions to counter the problems of credit card fraud, but there is a monetary limitation as to what financial institutions will spend to minimize fraud-related losses. Competition has also led to security laxness. For example, financial institutions signing up merchants should thoroughly investigate the credibility and legitimacy of each and every merchant - an action many institutions fail to carry out adequately. In the initial stages of VISA's and MasterCard's entrance to the credit card field, for instance, there was fierce competition to sign up new merchants throughout the United States and no concerted effort to investigate these merchants. The result was the signing up of many unscrupulous merchants and the inevitable large fraud losses by the credit card companies. When many of the card issuers began to establish separate fraud or security departments in their credit card operations, these merchants were closed out. This action, due almost entirely to the work of investigative personnel, resulted in the total losses due to fraud being drastically reduced for a considerable period. Later, however, when the number of issuing banks increased and they became able to issue more than one type of credit card, the surfacing of fraudulent merchants increased again. These merchants could obtain merchant credit card status from institutions outside the region where they were located, and they were sent the embossing machines on request! The only effective way to defeat this type of fraud is by a thorough investigation and an on-site inspection of every merchant who requests to be signed up. Unusually high fraud activity by a merchant should be monitored and scrutinized. When a merchant is signed up, it is agreed that either party may terminate the agreement when desired. If a merchant has a high incidence of fraud, it's advisable to close that business out. If it's possible to prove fraud on the business's part, criminal prosecution should be sought. There have been many cases of prosecution for merchant fraud, and these all entail determined and painstaking investigation on the part of a law enforcement agency and the credit card fraud investigators. Issuing card companies must have a department that thoroughly checks out every applicant for a credit card. Fraudulent applications can be kept to a minimum if the issuing institutions have competent staff reviewing each application. In the United States, as mentioned earlier, a 1970 federal law bans unsolicited issuance of credit cards. It also generally limits a cardholder's liability for unauthorized use to $50. There must, therefore, be an active advertising campaign to keep cardholders alert. They must be made aware of their responsibility to protect cards from being lost or stolen and, if a card should disappear, to report the loss immediately. One of the most effective means of preventing credit card fraud is the immediate blocking of a lost card by the issuing institution. Future cards may use modern, sophisticated technology, such as microchips, making the cards difficult to counterfeit. But what about now? On a simpler level, there's the mailing of credit cards using registered mail, but most institutions who use this service have terminated it on cost grounds. Innovations such as photographs and fingerprints on cards have been considered but abandoned, often without test runs, on the grounds they might meet with hostility from customers. Early attempts at using a photograph on the card were abandoned due to the difficulty of getting the customer to come in for a second photograph at re-issue time for the card. Fraud departments try to get store clerks to compare signatures on payments slips with signatures on cards. Fraud departments try to get them to check cards against the time-honored warning list. And those departments give clerks numerous other pointers on stolen and fake credit cards. The fraud department is the most important aspect and means of combating fraud. Every issuing organization should have a separate credit card fraud department. Fraud investigators need to be in contact with the various law enforcement officials who have jurisdiction in such matters - in the United States this means federal, state, and local law enforcement agencies (the individual case determines which agency). The credit card fraud investigator should have at least 10 years of investigative experience in either the private or public sector. Being a member of a law enforcement agency in a capacity not directly involved in investigations would not meet the qualifications. There cannot be millions of credit cards distributed throughout the world without a fraud investigate operation. Some financial institutions involved in the credit card business initially did not establish a fraud department, but they quickly - and realistically - learned the necessity for one. One can never really measure prevention, but one can readily realize what the total credit card fraud would be otherwise. The policy of criminal prosecution must be adhered to on the part of the fraud investigator. If the apprehended credit card fraudster or thief is allowed any avenue of restitution prior to going to criminal court, it would drastically reduce the cooperation of law enforcement officials. If the judge in the criminal court proceedings orders restitution as part of the sentence, that's all well and good, but not under any other circumstances. This part of the policy must be made known to the public in general and, in particular, to the participants in any type of credit card fraud. Spotting Fake Credit Cards SECURITY FEATURES ARE ADDED TO credit and bank guarantee cards at infrequent intervals, but users and merchants need to keep up to date with them - especially where they're likely to run into cards from overseas. In checking for fake cards, follow the five-point plan. 1. Physical appearance. When any credit card is presented to you, carefully examine it - take a good look at the card! Look for anything out of place such as embossed data (name, card, etc.) that is crooked or improperly spaced. Look at the colors of the card. Are the colors too light or too dull? Darker in some parts and lighter in others? Beware of any credit card that doesn't look right, as it may be counterfeit. 2. Check expiration date. Always check the credit card's expiration date to make sure the card has not expired. Also, carefully check the expiration date (embossed numbering) for any evidence of alteration or tampering. Beware - expiration dates are frequently altered to give new life to an expired card. 3. Feel the card. Carefully feel the credit card. Does the card feel too heavy or too light? Does the card feel too lumpy or rough on the surface or edge? Beware - any card possessing these abnormalities could be a counterfeit. 4. Examine name. Carefully examine the name to which the credit card is issued. Beware of any irregularities in the lettering or spacing of the name. Professional counterfeiters are able to shave off or iron down the names and numbers on credit cards and then emboss new ones. These newly embossed names and numbers are used by credit card criminals to make stolen cards appear valid. 5. Examine back of card. All cards contain a special magnetic strip on the back. They also contain a signature block on the back. Beware - any charge card without a magnetic strip and signature block may be counterfeit. And finally, triple check signatures. Always ask the customer to sign the credit card sales draft in your presence. Then carefully compare the signature on the sales draft to the signature on the back of the credit card. Then compare the signature on the ID. Triple check the signatures by comparing the ID signatures to the signature on the sales draft. Beware of any discrepancies in signatures. You should also obtain authorization. Know your company policy regarding credit card transaction authorization. Follow its procedure to the letter. Fully cooperate with the authorization center in any security measures or procedures it requests. About the Author . . . Jack Goldstein is special investigator in bank card security for State Street Bank in Boston, MA. He is a member of ASIS. edures it requests. About the Author . . . Jack Goldstein is special investigator in bank card security for State Street Bank in Boston, MA. He is a member of ASIS.