
Thursday, July 26, 2012

Security problems of the credit card and its solutions


Credit card fraud is a wide-ranging term for theft and fraud committed using a credit card or any similar payment mechanism as a fraudulent source of funds in a transaction. The purpose may be to obtain goods without paying, or to obtain unauthorized funds from an account. Credit card fraud is also an adjunct to identity theft. According to the Federal Trade Commission, while identity theft had been holding steady for the last few years, it saw a 21 percent increase in 2008. However, credit card fraud, that crime which most people associate with ID theft, decreased as a percentage of all ID theft complaints for the sixth year in a row.

The cost of card fraud in 2006 was 7 cents per 100 dollars' worth of transactions. Due to the high volume of transactions, this translates to billions of dollars. In 2006, fraud in the United Kingdom alone was estimated at £535 million, or US$750–830 million at prevailing 2006 exchange rates.

The fraud begins with either the theft of the physical card or the compromise of data associated with the account, including the card account number or other information that would routinely and necessarily be available to a merchant during a legitimate transaction. The compromise can occur by many common routes and can usually be conducted without tipping off the card holder, the merchant or the issuer, at least until the account is ultimately used for fraud. A simple example is that of a store clerk copying sales receipts for later use. The rapid growth of credit card use on the Internet has made database security lapses particularly costly; in some cases, millions of accounts have been compromised.

Stolen cards can be reported quickly by cardholders, but a compromised account can be hoarded by a thief for weeks or months before any fraudulent use, making it difficult to identify the source of the compromise. The cardholder may not discover fraudulent use until receiving a billing statement, which may be delivered infrequently. Cardholders can mitigate this fraud risk by checking their account frequently so that any suspicious or unknown transactions are noticed early.

Credit card security relies on the physical security of the plastic card as well as the privacy of the credit card number. Therefore, whenever a person other than the card owner has access to the card or its number, security is potentially compromised. Once, merchants would often accept credit card numbers without additional verification for mail order purchases. It's now common practice to only ship to confirmed addresses as a security measure to minimise fraudulent purchases. Some merchants will accept a credit card number for in-store purchases, in which case knowledge of the number alone allows easy fraud, but many require the card itself to be present and require a signature. A lost or stolen card can be cancelled, and if this is done quickly, will greatly limit the fraud that can take place in this way. European banks can require a cardholder's security PIN to be entered for in-person purchases with the card.

The PCI DSS is the security standard issued by The PCI SSC (Payment Card Industry Security Standards Council). This data security standard is used by acquiring banks to impose cardholder data security measures upon their merchants.

Figure: A smart card combining credit card and debit card properties. The 3 by 5 mm security chip embedded in the card is shown enlarged in the inset. The contact pads on the card enable electronic access to the chip.

The goal of the credit card companies is not to eliminate fraud, but to "reduce it to manageable levels". This implies that high-cost low-return fraud prevention measures will not be used if their cost exceeds the potential gains from fraud reduction - as would be expected from organizations whose goal is profit maximization.

Internet fraud may be committed by claiming a chargeback which is not justified ("friendly fraud"), or by the use of credit card information which can be stolen in many ways, the simplest being copying information from retailers, either online or offline. Despite efforts to improve security for remote purchases using credit cards, security breaches are usually the result of poor practice by merchants. For example, a website that safely uses SSL to encrypt card data from a client may then email the data, unencrypted, from the webserver to the merchant; or the merchant may store unencrypted details in a way that allows them to be accessed over the Internet or by a rogue employee; unencrypted card details are always a security risk. Even encrypted data may be cracked.

Controlled Payment Numbers, which are used by various banks such as Citibank (Virtual Account Numbers), Discover (Secure Online Account Numbers), Bank of America (Shop Safe), 5 banks using eCarte Bleue and CMB's Virtualis in France, and Swedbank of Sweden's eKort product, are another option for protecting against credit card fraud. These are generally one-time use numbers that front one's actual account (debit/credit) number, and are generated as one shops on-line. They can be valid for a relatively short time, for the actual amount of the purchase, or for a price limit set by the user. Their use can be limited to one merchant. If the number given to the merchant is compromised, it will be rejected if an attempt is made to use it again.

A similar system of controls can be used on physical cards. Technology provides the option for banks to support many other controls too that can be turned on and off and varied by the credit card owner in real time as circumstances change (i.e., they can change temporal, numerical, geographical and many other parameters on their primary and subsidiary cards). Apart from the obvious benefits of such controls, from a security perspective this means that a customer can have a Chip and PIN card secured for the real world and limited for use in the home country. In this eventuality a thief stealing the details will be prevented from using them overseas in countries that do not use Chip and PIN (EMV). Similarly, the real card can be restricted from use on-line so that stolen details will be declined if this is tried. Then when card users shop online they can use virtual account numbers. In both circumstances an alert system can be built in notifying a user that a fraudulent attempt has been made which breaches their parameters, and can provide data on this in real time. This is the optimal method of security for credit cards, as it provides very high levels of security, control and awareness in the real and virtual world.
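The two preceding paragraphs describe how a controlled payment number and owner-set card controls are enforced at authorization time. The following is an added illustration, not code from the original post or from any of the banks named; the data model, the virtual number value and the merchant name are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class VirtualNumber:          # constructed model of a controlled payment number
    number: str               # number given to the merchant, fronting the real PAN
    merchant: str             # use limited to this one merchant
    limit_cents: int          # price limit set by the user
    expires_at: datetime      # valid only for a relatively short time
    used: bool = False        # one-time use: any second attempt is rejected

@dataclass
class CardControls:           # constructed model of owner-set controls on the real card
    online_allowed: bool      # real card can be blocked for online use
    home_country: str         # chip-and-PIN card limited to the home country
    alerts: list = field(default_factory=list)   # real-time breach notifications

def authorize_virtual(vn, merchant, amount_cents, now):
    """Authorize a card-not-present purchase presented with a virtual number."""
    if vn.used:
        return False, "virtual number already used"
    if now > vn.expires_at:
        return False, "virtual number expired"
    if merchant != vn.merchant:
        return False, "merchant not authorized for this number"
    if amount_cents > vn.limit_cents:
        return False, "amount exceeds user-set limit"
    vn.used = True            # burn the number so a compromised copy is useless
    return True, "approved"

def authorize_real(ctrl, online, country, now):
    """Authorize a purchase on the real card against the owner's controls."""
    if online and not ctrl.online_allowed:
        reason = "online use disabled by cardholder"
    elif country != ctrl.home_country:
        reason = "use outside home country"
    else:
        return True, "approved"
    ctrl.alerts.append(f"{now.isoformat()} declined: {reason}")  # notify the owner
    return False, reason

def demo():
    # Constructed scenario: one legitimate use, then replays of stolen details.
    t0 = datetime(2012, 7, 26, 12, 0)
    vn = VirtualNumber("VN-0001-CONSTRUCTED", "shop.example", 5000, t0 + timedelta(hours=1))
    first = authorize_virtual(vn, "shop.example", 4999, t0)
    replay = authorize_virtual(vn, "shop.example", 4999, t0 + timedelta(minutes=5))
    ctrl = CardControls(online_allowed=False, home_country="GB")
    abroad = authorize_real(ctrl, online=False, country="US", now=t0)
    online = authorize_real(ctrl, online=True, country="GB", now=t0)
    return {"first": first, "replay": replay, "abroad": abroad, "online": online, "alerts": ctrl.alerts}
```

The replay is declined even though the number, merchant and amount are all correct, which is the property that makes a leaked virtual number worthless to whoever copied it.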

Additionally, there are security features present on the physical card itself in order to prevent counterfeiting. For example, most modern credit cards have a watermark that will fluoresce under ultraviolet light. A Visa card has a letter V superimposed over the regular Visa logo and a MasterCard has the letters MC across the front of the card. Older Visa cards have a bald eagle or dove across the front. In the aforementioned cases, the security features are only visible under ultraviolet light and are invisible in normal light.

The Federal Bureau of Investigation and U.S. Postal Inspection Service are responsible for prosecuting criminals who engage in credit card fraud in the United States, but they do not have the resources to pursue all criminals. In general, federal officials only prosecute cases exceeding US$5,000. Three improvements to card security have been introduced to the more common credit card networks, but none has proven to help reduce credit card fraud so far. First, the on-line verification system used by merchants is being enhanced to require a 4-digit Personal Identification Number (PIN) known only to the card holder. Second, the cards themselves are being replaced with similar-looking tamper-resistant smart cards which are intended to make forgery more difficult. The majority of smart card (IC card) based credit cards comply with the EMV (Europay MasterCard Visa) standard. Third, an additional 3- or 4-digit Card Security Code (CSC) is now present on the back of most cards, for use in card-not-present transactions. Stakeholders at all levels in electronic payment have recognized the need to develop consistent global standards for security that account for and integrate both current and emerging security technologies. They have begun to address these needs through organizations such as the PCI SSC (which maintains PCI DSS) and the Secure POS Vendor Alliance.


Copyright © 2013 Credit card World