Credit Card & Transaction Fraud Schemes

June 18, 2008

Mail/Internet Order Fraud

The mail and the Internet are major routes for fraud against merchants who sell and ship products, as well as Internet merchants who provide online services. The industry term for catalog order and similar transactions is “Card Not Present” (CNP), meaning that the card is not physically available for the merchant to inspect. The merchant must rely on the holder (or someone purporting to be the holder) to present the information on the card by indirect means, whether by mail, telephone or over the Internet when the cardholder is not present at the point of sale.

Account Takeover

There are two types of fraud within the identity theft category, application fraud and account takeover. Application fraud occurs when criminals use stolen or fake documents to open a business or bank account in someone else’s name.

Account takeover involves a criminal trying to take over another person’s account, first by gathering information about the intended victim, then contacting their bank or credit issuer — masquerading as the genuine cardholder — asking for mail to be redirected to a new address. The criminal then reports the card lost and asks for a replacement to be sent. The replacement card is then used fraudulently.

Some merchants added a new practice to protect consumers and self reputation, where they ask the buyer to send a copy of the physical card and statement to ensure the legitimate use.

Skimming

Skimming is the theft of credit card information used in an otherwise legitimate transaction. It is typically an “inside job” by a dishonest employee of a legitimate business, and can be as simple as photocopying of receipts. Common scenarios for skimming are restaurants or bars where the skimmer has possession of the victim’s credit card out of their immediate view. Instances of skimming have been reported where the perpetrator has put a device over the card slot of a public cash machine (automated teller machine), which reads the magnetic strip as the user unknowingly passes their card through it.

Carding

Carding is a term used for a process to verify the validity of stolen card data. The thief presents the card information on a Web site that has real-time transaction processing. If the card is processed successfully, the thief knows that the card is still good. In the past, carders used computer programs called “generators” to produce a sequence of credit card numbers, and then test them to see which were valid accounts. Another variation would be to take false card numbers to a location that does not immediately process card numbers, such as a trade show or special event. However, this process is no longer viable due to widespread requirement by Internet credit card processing systems for additional data such as the billing address, the 3 to 4 digit card security code and/or the card’s expiry date, as well as the more prevalent use of wireless card scanners that can process transactions right away.

The Payment Card Industry Data Security Standard is a comprehensive security standard that establishes common processes and precautions for handling, processing, storing and transmitting credit card data.

The PCI Data Security Standard requirements apply to all payment card network members, merchants and service providers that store, process or transmit cardholder data. The core requirements are organized in six categories:

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and applications.

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.

Maintain an Information Security Policy
12. Maintain a policy that addresses information security.

Bill is the editor emeritus of Security Magazine, and he can be reached at (773) 929-6859.

How can you advance your career in the security industry with the skills and competencies necessary to benefit your organization? What will the security executive and the security function of the future look like? Join us as we hear from veterans in the security industry about their experiences, their lessons learned, and best practices for advancing their careers.