Tag Archives: credit card fraud

Fraud Targets Charities and Small Businesses – Here’s Why

When cyber criminals steal credit cards or buy stolen credit cards, they are buying somewhat of an unknown.

Small time crooks test small numbers of cards by trying to use them at self service gas pumps in the middle of the night, but that doesn’t scale up and you run the risk of getting caught.

In addition, what if all the data isn’t there.  Maybe an address is missing.  Or a zip code.  Maybe the crook didn’t get the CVV code.

So what is a better way to do that?

You run a small dollar transaction on a small business or small charity web site.  These businesses don’t have the fancy anti-fraud measures that Amazon or The Home Depot have.

Sometimes new businesses haven’t learned their lessons yet either.

Let’s assume that the crook make a $5 contribution to a small charity.  The web site asks for a zip code that you don’t have so you start guessing.  The web site isn’t smart enough to stop you after 5 tries.  Or a hundred tries or any number of tries.  It turns out that the merchant’s credit card front end doesn’t stop you either.  Eventually you get the right zip code and the person who’s card was stolen gets hit with a $5 charge.

However because this is online and no one is watching, the crooks automate the process.  A “bot” can test all 99,999 zipcodes in a few seconds – as fast as the web site can respond.  There are only 999 possible CVV numbers for a Mastercard or Visa card, so that goes even quicker.

Now here is the rub.

When the person who’s card was stolen disputes the charge, the bank charges the merchant or the charity back for the $5.  BUT, they also charge the merchant or charity a chargeback fee of maybe $100.

For a small business, if they get hit with a dozen $5 charges and those get reversed, they lose $60.  But, they might also get hit with a thousand dollars (or more) in charge-back fees.

If instead of a dozen cards, it is a hundred cards, then the charge-back fees can be in the many thousands.

Some things that merchants can do –

Limit the number of attempts to complete a charge – after say 3 or 4 tries the entire transaction gets wiped and the crook has to start over.  A limited number of failed transactions from a single IP address in a period of time also helps.  Anything to slow the crooks down.

If there are multiple transactions (more than say, 2 or 3) from the same computer from different people in a short period of time, that is another red flag.

I have even seen web sites that don’t even ask for the card verification number.

Another possibility is to outsource the fraud detection process to experts.

This is a rapidly evolving world and small businesses are a target just because they think they are not a target.  What works to protect you today may not protect you tomorrow.

Information for this post came from Small Biz Daily.

Facebooktwitterredditlinkedinmailby feather

Expect Dramatic Fraud IncreaseThis Year in Virtual World

If the US is anything like Europe, you can expect that “Card Not Present” or CNP fraud will increase significantly in 2016.

We will have to wait and see, but some things are likely.

  1. Chip and signature – the alternative to chip and PIN that most US banks and almost no international banks chose – will do nothing to protect against stolen credit cards.  Of course, you cannot steal a credit card from half way around the world, so this type of attack only works if you are near the victim.  AND, the victim is much more likely to notice that their wallet has been stolen and cancel the card, so my guess is that this is not going to be a significant source of fraud in 2016.
  2. Service providers (anything from Uber to Etsy to Amazon) who match buyers and sellers are likely to see a significant rise in fraud.  Online marketplaces such as Uber never see the customer and the representative (like the Uber driver) never see the credit card.  Even service providers like AirBnB, where someone may talk to you, doesn’t have any information about the credit card used and likely does not ask you for ID.  Even if they do, that ID could easily be fake.
  3. Even online product providers like Amazon are likely to see increases in attempted fraud.  The fraudsters hire mules to provide their addresses and then get the products from the mules some other way, including via reshipping.  If the mule gets caught, they don’t know very much about the fraudsters operation.

Merchants not only lose the amount of the fraudulent transaction, but also the cost of dealing with the fraud.  According to Lexis-Nexis, merchants spend over $3.00 for every $1.00 in fraudulent transactions.

According to Lexis-Nexis, fraud as a percentage of revenue for all merchants, increased from 0.51% to 0.68% between 2013 and 2014.  For merchants accepting payments via mobile (phones) the fraud rate went up from 0.8% to 1.36% – more than a 50% increase.  I guess we know one place where fraudsters are going.

A couple more interesting stats from Lexis-Nexis.  Merchants say that the number of prevented fraudulent transactions is up by more than 60% – meaning that the card services are doing a good job of detecting fraud, but the number of successful fraudulent transactions is also up – by around 45%.  Merchants say that the dollar value of fraudulent transactions that are caught is equal to fraudulent transactions that are successful.  Said a different way, by dollar value, only 50% of the credit card fraud is caught.

What is clear to me is that trying to get solid data is very hard.  For example, in the Lexis-Nexis report, it says that merchants say that credit card fraud is down, but Lexis-Nexis says this is because merchants are accepting more payment types and that this is not a real decline – the fraud is spread across more channels.

This means that merchants need to continue to up their game in fraud detection.  The Dark Reading article has several suggestions of things that merchants can do.  The goal, of course,  is to do as much as you can without scaring off the consumer.  Jumio uses the camera in your phone to compare ID documents against a live image of the buyer to reduce fraud.  While this is NOT an example of something that happens behind the scenes, companies like AirBnB are using it with minimal customer pushback.  This is likely true because the average AirBnB customer only does a couple of transactions a year.   But, I am sure, the crooks will also learn to improve their techniques.  For example, if you compare a buyer’s actual face to a drivers license, how do you know that the picture on the drivers license is real.  Still, you do have a picture of the fraudster and that can’t be all bad.

Businesses that accept credit cards will be fighting a cat and mouse game with fraudsters for the foreseeable future – they just need to make sure they don’t let their guard down.

Information for this post came from Dark Reading and Lexis-Nexis.

Facebooktwitterredditlinkedinmailby feather

Apple Pay – A Credit Card Thief’s Dream

When I wrote a couple of weeks ago about the issues with Apple Pay security problems (see post), I didn’t really understand the scope of what I was writing about.  Thanks to Brian Krebs (see his post), I now  understand the problem is bigger than I thought.

Let’s assume that you are a crook and you bought a bunch of credit card numbers on the dark web.  How do you monetize this.  One way is to go to some web site and buy some stuff with the stolen credit card numbers that you have.  Now you need someone stupid enough to be your mule to accept the delivery and give you the merchandise.  And that assumes that the merchant does not verify that the delivery address is one that is set up for that card.  That also gives the merchant and credit card company a starting point to track you down.

Alternatively, you could go into a store and use the credit card.  No one asks for ID, and you don’t have to give a name and address, so that should be safe.  Oh, wait, you don’t have a card – just numbers.  You could get the equipment – credit card printer and embosser, mag stripe writer.  The big guys do that, but it is expensive and you have to know how do that.  Also, the price for the information needed to burn a fake card is way more than just the numbers.

You think for a minute.  POOF – APPLE TO THE RESCUE.

You take the stolen credit card numbers and your handy iphone that you bought earlier with another stolen credit card.  You either create a bogus itunes account or buy a hacked one for $8 retail.  You now tie your stolen credit card data to your hot iphone and voila, you have a virtual credit card.  No fuss, no muss, no bother. You can now go into any store that accepts Apple Pay (like the Apple Store) and buy stuff just like you had the real credit card.  You then turn around and sell the stuff for cash.

All of this only works because, as I wrote about in the earlier post, banks don’t do a very good job of validating people prior to linking their account to a phone.   They are so worried about offending a customer and missing out on the Apple Pay hysteria, that they wind up with a very high level of fraud – right now about 6%, which is, as I said in my earlier post, a great way to go broke since the bank’s fees are no where near 6% (more like 2%).

And the bad news is that you don’t even need to be an Apple user to be a victim of this kind of fraud.  If your credit card bank supports Apple Pay, there currently is no way to say that I do not want my cards to be linked to an Apple Pay.

Apple and the banks will eventually figure this out, but in the mean time, the crooks are making a LOT of money.

Mitch

Facebooktwitterredditlinkedinmailby feather

Reduce Your Credit Card Fraud Exposure

Here is a really, really simple tip for you to reduce (not eliminate) your exposure to credit card fraud.

This is for you as a credit card user  – not as a business accepting credit cards.

I use it and I can tell you from personal experience, it works.

Most banks offer the option to send you a text message EVERY SINGLE TIME your credit or debit card is used.  If yours doesn’t, whine at them till they do or change banks.  It happens in real time.  Here is how I use it.

If I go to a restaurant, for example, and pay by credit card, the server takes the card and runs it through the restaurant’s POS terminal.  Literally, before the server gets back to the table with the receipt for me to sign, I have gotten a text message that tells me the name of the establishment running the charge and the amount.

If I am somewhere and I get a text from my bank, and I don’t recognize the merchant, it has my interest.  In my case, since some of my cards are shared with my wife, I call or text her and ask if this was her.  If she says no, I am on the phone with my bank.  Not later.  Not tomorrow.  Now!  Shut down the card, get a new one.  The new one is free.  For most banks, if you press them, they will Overnight Express the new card to you.  For many banks, even that is free.

I had a charge pop up a few months ago from Babies R Us in Philadelphia for about $300.  Since I have not been in Philly in ten years and we don’t have any little kids, I called my wife to see if, maybe, she bought a gift for someone.  Nope.  Not the case.  On the phone with Wells (in this case) and poof that card was toast.  In a day or two we had new cards.

I am sure the crook was disappointed, but I don’t care and the bank is actually happy that you did it.

If you have cards with a spouse or kid and the cards have different numbers on them, you can have the text messages go to each family member.  If the cards all have the same number, then there is no way to split them out.  In my family, I watch the charges, so I get all the text messages.

To me, it seems simple.  You reduce your pain and anguish.  You don’t have to review the bank statements which would give the crook 30 days of play time.  You don’t have to keep logging on to your bank’s web site or app to check for charges.

And, it reduces your exposure to one charge.  Which the bank will eat anyway.

Free and simple.  Which I like.

Mitch

 

Facebooktwitterredditlinkedinmailby feather