Security
Solutions by Market | Current Issue | Blogs
  Home
  Magazine
  Subscribe
  Subscription Customer Service
  Archives
  The Security 500
  Top Guarding Companies
  Online
  SEC Newswire
  eNewsletter
  Product of the Month
  Multimedia
  Webinars
  eCards
  Showrooms
  Video Archives
  Resources
  Jobs
  Classified
  Industry Events Calendar
  Annual Buyers Guide
  White Paper
  Events
  iSecurity Virtual Show
  Security 500
  Securing New Ground
  SEC Info
  Contact Us
  List Rental
  Advertise
  Security Media Group
  SmartHome Magazine
  SDM Magazine
Search in: EditorialProductsCompanies
Credit Card & Transaction Fraud Schemes
by Bill Zalud
June 18, 2008

ARTICLE TOOLS
EmailEmailPrintPrintReprintsReprintsshareShare



Mail/Internet Order Fraud

The mail and the Internet are major routes for fraud against merchants who sell and ship products, as well as Internet merchants who provide online services. The industry term for catalog order and similar transactions is “Card Not Present” (CNP), meaning that the card is not physically available for the merchant to inspect. The merchant must rely on the holder (or someone purporting to be the holder) to present the information on the card by indirect means, whether by mail, telephone or over the Internet when the cardholder is not present at the point of sale.


Account Takeover

There are two types of fraud within the identity theft category, application fraud and account takeover. Application fraud occurs when criminals use stolen or fake documents to open a business or bank account in someone else’s name.

Account takeover involves a criminal trying to take over another person’s account, first by gathering information about the intended victim, then contacting their bank or credit issuer — masquerading as the genuine cardholder — asking for mail to be redirected to a new address. The criminal then reports the card lost and asks for a replacement to be sent. The replacement card is then used fraudulently.

Some merchants added a new practice to protect consumers and self reputation, where they ask the buyer to send a copy of the physical card and statement to ensure the legitimate use.


Skimming

Skimming is the theft of credit card information used in an otherwise legitimate transaction. It is typically an “inside job” by a dishonest employee of a legitimate business, and can be as simple as photocopying of receipts. Common scenarios for skimming are restaurants or bars where the skimmer has possession of the victim’s credit card out of their immediate view. Instances of skimming have been reported where the perpetrator has put a device over the card slot of a public cash machine (automated teller machine), which reads the magnetic strip as the user unknowingly passes their card through it.


Carding

Carding is a term used for a process to verify the validity of stolen card data. The thief presents the card information on a Web site that has real-time transaction processing. If the card is processed successfully, the thief knows that the card is still good. In the past, carders used computer programs called “generators” to produce a sequence of credit card numbers, and then test them to see which were valid accounts. Another variation would be to take false card numbers to a location that does not immediately process card numbers, such as a trade show or special event. However, this process is no longer viable due to widespread requirement by Internet credit card processing systems for additional data such as the billing address, the 3 to 4 digit card security code and/or the card’s expiry date, as well as the more prevalent use of wireless card scanners that can process transactions right away.

The Payment Card Industry Data Security Standard is a comprehensive security standard that establishes common processes and precautions for handling, processing, storing and transmitting credit card data.

The PCI Data Security Standard requirements apply to all payment card network members, merchants and service providers that store, process or transmit cardholder data. The core requirements are organized in six categories:

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and applications.

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.

Maintain an Information Security Policy
12. Maintain a policy that addresses information security.

Bill Zalud
zaludb@bnpmedia.com
Bill is the Editor Emeritus of Security Magazine, and he can be reached at (773) 929-6859.

|PrintEmail

Did you enjoy this article? Click here to subscribe to the magazine.
Sponsors 

Home Security Systems

Resources + Guides

Buyers GuideBuyers Guide
Your Complete Industry Resource.

Click for digital Buyers Guide
eNewsletterseNews Signups
Subscribe to our free eNewsletters.

Security 500 RankingSecurity 500 Ranking
See Security’s biggest and best.








© 2010 BNP Media. All rights reserved. | Privacy Policy