The problem of security of card payments
Card fraud refers to deliberate deceptive actions by some party, based on the use of Bank card technology and aimed at the unauthorized acquisition of funds held in the “card” accounts of Bank cardholders or due to a merchant for card transactions.
Card fraud is often simply called fraud (from the English “fraud”: deception).
Fraud is usually divided into two groups: fraud on the issuing side and fraud on the servicing side. The first group includes fraud related to unauthorized use of the Issuer’s cards (stolen/lost cards, counterfeit cards, non-received cards, cards obtained from the Bank dishonestly by using the stolen identification data or documents of a “reliable” person, etc.). The second group includes fraud initiated by a merchant (fake or altered slips, repeated entry of transactions, etc.).
As an indicator of the level of fraud, the ratio of the financial losses incurred as a result of card fraud to the total volume of sales made on plastic cards (F/S, or Fraud/Sales) is used. The unit of measurement of the F/S coefficient is the basis point. One basis point is a level of fraud equal to 0.01% of the total turnover on Bank cards. In other words, a fraud rate of one basis point (abbreviated bp) corresponds to a loss of 1 cent for every $100 of card turnover.
Acuteness of the problem of security of operations using plastic cards
Over the past 10 years, the average Bank losses from plastic card transactions have been 7-12 cents per $100 of card turnover (7-12 bp). This is significantly less than banks’ losses related to customer lending, which amount to $3-4 for every $100 of loans issued. Nevertheless, banks and payment systems pay increased attention to the security of plastic card transactions, because the nature of the risk is different in the two cases. In the case of card fraud, the customer suffers. Even if the losses caused by fraud are borne by the Issuer, the moral damage associated with the inconvenience to the cardholder is palpable. The possibility of fraud seriously undermines the confidence of Bank customers in card technology as a whole.
To illustrate this, let’s make a simple analysis. A typical cardholder in the West uses the card for non-cash payments about 40 times a year, i.e. with a card usage rate of roughly 0.1 per day. At the current level of fraud, about 10 bp, the probability that the next transaction on this cardholder’s card will turn out to be fraudulent is p = 0.001. In reality this probability is lower, because several fraudulent transactions are usually performed on a compromised card, and, in addition, the average fraudulent transaction is larger than a normal one. However, to illustrate the “scale of the disaster”, this estimate of the probability that a cardholder’s transaction is fraudulent is quite appropriate.
Then over 10 years of card use our cardholder makes N = 400 non-cash purchases, and the probability that he suffers from card fraud is $P_F = 1 - (1-p)^N$, which at the current level of fraud is close to 0.33. In other words, about one in three of those who have used cards for more than 10 years has, at the current level of fraud, suffered from card fraud over the past decade.
The cardholder we chose for the illustration does not live in a vacuum. He is surrounded by family, friends and colleagues. If we assume that the cardholder’s inner circle consists of 10 people, it follows that the probability that at least one person from this circle has suffered from card fraud over the past decade is greater than 0.98 (N = 4000).
In other words, most of us know about card fraud not only from books and magazines, but also from personal experience. Of course, such a close acquaintance with card fraud will not encourage you to use your plastic card more intensively.
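The probability argument above, written out as reusable functions so the figures can be reproduced and varied. This is an added example, not code from the original text; every input value (10 bp, 40 transactions a year, 10 years, an inner circle of 10 people, the $5.9 trillion turnover used later for the absolute size of fraud) is the article’s own illustrative assumption, not measured data. The `years_until_probability` function generalises the 10-year case to an arbitrary horizon.

```python
# Added example (not from the original article): the fraud-rate arithmetic
# used in the text, as functions. All input values are the article's own
# illustrative assumptions (10 bp, 40 payments a year, 10 years, circle of 10).

def bp_to_probability(basis_points: float) -> float:
    """Fraud level in basis points -> per-transaction fraud probability.
    1 bp = 0.01% of turnover, so 10 bp -> 0.001 (the article's p)."""
    return basis_points / 10_000.0


def cents_lost_per_100(basis_points: float) -> float:
    """Loss in cents for every $100 of turnover at a given F/S level.
    $100 * (bp / 10 000) dollars, expressed in cents: 1 bp -> 1 cent."""
    dollars_lost = 100.0 * bp_to_probability(basis_points)
    return dollars_lost * 100.0


def prob_at_least_one_fraud(p: float, n: int) -> float:
    """P_F = 1 - (1 - p)^N: probability that at least one of N transactions,
    each fraudulent independently with probability p, is fraudulent."""
    return 1.0 - (1.0 - p) ** n


def cardholder_fraud_probability(fraud_bp: float = 10.0, tx_per_year: int = 40,
                                 years: int = 10, circle_size: int = 1) -> float:
    """Probability that at least one of `circle_size` cardholders, each making
    `tx_per_year` card payments for `years` years at a fraud level of
    `fraud_bp`, is hit by card fraud at least once in that period."""
    n = tx_per_year * years * circle_size
    return prob_at_least_one_fraud(bp_to_probability(fraud_bp), n)


def years_until_probability(target: float, fraud_bp: float = 10.0,
                            tx_per_year: int = 40) -> int:
    """Smallest whole number of years of card use after which the cumulative
    probability of being hit by fraud reaches `target` (generalises the
    article's 10-year example to any horizon)."""
    years = 0
    while cardholder_fraud_probability(fraud_bp, tx_per_year, years) < target:
        years += 1
    return years


def absolute_fraud_usd(turnover_usd: float, fraud_bp: float) -> float:
    """Absolute fraud volume implied by a turnover and an F/S level:
    $5.9 trillion at 8-10 bp -> roughly $4.7-5.9 billion."""
    return turnover_usd * bp_to_probability(fraud_bp)


if __name__ == "__main__":
    print(f"P(fraud within 10 years, one cardholder) = {cardholder_fraud_probability():.3f}")
    print(f"P(fraud within 10 years, circle of 10)   = {cardholder_fraud_probability(circle_size=10):.3f}")
    print(f"Years of use until P >= 0.5              = {years_until_probability(0.5)}")
    print(f"Fraud at 8 bp on $5.9 trillion           = ${absolute_fraud_usd(5.9e12, 8):,.0f}")
```

The model treats transactions as independent with a constant per-transaction probability, which is exactly the simplification the text makes; as the text notes, real fraud clusters on compromised cards, so the per-cardholder figure is an upper bound rather than a measurement.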
Therefore, the security of plastic card transactions is a cornerstone of the development of the card industry, and this problem is given serious attention by payment systems and banks. Still, payment systems play the first fiddle here. They are the ones who have the necessary resources and authority to improve Bank card technology, making card transactions more and more secure. Banks, however, mainly follow the path of payment systems and struggle with their own financial and reputational losses.
The absolute size of card fraud can be estimated very roughly as follows. According to the 2007 Nilson Report, the turnover of transactions in the leading payment systems VISA, MasterCard, American Express, Diners Club and JCB in 2007 was approximately $5.9 trillion (VISA and MasterCard account for 85% of the total global turnover on Bank cards). Taking into account the level of fraud (8-10 bp), it is easy to see that the absolute size of card fraud in 2007 was about $5-6 billion.
According to the 2007 Nilson Report, banks’ losses from fraud totaled $5.5 billion, which indicates that our method of estimating the volume of card fraud is fairly accurate.
However, this is only the visible part of the iceberg called “card fraud”. As experience shows, a significant proportion of fraud does not get into the reports of payment systems, because banks, trying to protect their reputation, often do not report the fraud to the payment systems. According to estimates by Frost & Sullivan, losses from Bank card fraud in 2008 reached approximately $15.5 billion, which is more than twice the projected value ($6-7 billion).
In addition to direct financial losses from card fraud, banks incur indirect losses: customer departures and reduced inflows of funds due to a blow to the Bank’s reputation (loss of confidence in the Bank’s financial products / services), the cost of maintaining security personnel, equipment upgrades, and so on.
In the world, more than 20,000 banks issue cards. Almost all of them have a division that deals with card security. Even if we assume that the average budget of such a division is $50,000 a year, banks spend about a billion dollars annually on staff engaged in card security.
It is difficult to accurately estimate the cost of the information systems purchased for security (network protection systems, transaction monitoring, HSM modules, terminal security elements, equipment for card personalization zones and PC, etc.). In order of magnitude it is several billion dollars, if we assume that a Bank spends about $100 thousand on the purchase of such systems. Taking into account a depreciation period for information systems of about 10 years, the annual cost is several hundred million dollars. As a result, the total annual losses from the consequences of card fraud, together with the costs banks incur to reduce these losses, are significantly higher than the estimates given by payment systems.
The characteristic features of card fraud include:
in the new Millennium, the average level of card fraud in the world fluctuates in the range of 7-12 basis points. However, the level of fraud can vary significantly from country to country. This applies even to established markets such as Europe. For example, in France, the fraud rate for the past 15 years has not exceeded the bar of five basis points, and in the UK, even after the end of migration to the chip, it is around the mark of 14 basis points;
fraudsters use the most modern hardware and software because of its availability, in particular due to the natural fall in the cost of these tools. According to Moore’s law, the doubling of computer performance, memory capacity and communication channel bandwidth occurs every 18, 12 and 9 months respectively. Recently an amendment to Moore’s law regarding the rate of growth of computer performance was reported: today performance doubles in 24 months;
migration of banks to microprocessor technology: at the end of the first quarter of 2009, approximately every fifth card (22%) and every third POS terminal (37%) supported the EMV standard; in Europe, every second card (50%) and about 2/3 of POS terminals (68%) were hybrid (support magnetic stripe cards and microprocessor cards). In the world and Europe, respectively, 19% and 54% of ATMs are EMV-compliant;
high professional level of criminal structures (their ranks often include former employees of banks, processing centers and suppliers of card solutions, who are well aware of the technological processes, software and equipment used). The malicious software found installed on ATMs at the beginning of 2009, designed to steal magnetic stripe data and PIN codes, is an excellent confirmation of this thesis;
international character and good organization of criminal gangs in the field of card fraud — strict hierarchy, clear distribution of functions, control over the work of individual links, payment by result;
constant search for new opportunities to commit fraud, including “ringing” cards and constant “testing” of the strength of banks’ processing systems. Such testing includes checking whether the Bank has a transaction monitoring system, analysing the algorithms used to verify individual card details, probing how securely the database of card details is protected, etc.;
high flexibility and efficiency of criminal organizations: from the discovery of a weakness in a Bank’s protection to the launch of a mass attack takes only a few days;
fraud is concentrated on three main types: CNP transactions, fake cards, and stolen/lost cards. Other types of card fraud account for no more than 6-8% of losses (!);
migration of fraud (especially in EMV regions) from one type to another. There is an obvious migration away from such types of fraud as fake cards in POS terminals, stolen/lost cards and non-received cards towards CNP fraud (in the UK in 2007 it accounted for 54% of all fraud committed on cards of British banks), fraud with fake cards through ATMs (ATM Fraud), and fraud using cards obtained from stolen documents (ID Theft). All the types of fraud listed here are described below;
rapid growth of CNP fraud (about 20% per year) in EMV regions;
growth of cross-channel fraud, when data leaks from one customer service delivery channel are used to perform fraud using another channel;
the growth of fraud and skimming via ATMs (false ATMs, false keyboards / micro-cameras / dispensers, malware, the Lebanese loop, exploitation of technical problems on the side of the servicing Bank/ATM, information leakage from the PC, peeping over the shoulder, etc.). According to EAST (European ATM Security Team), the volume of skimming via ATMs in Europe in 2008 increased by 43% (!);
about 80% of all card fraud occurs in online transactions. This is due to the desire of fraudsters to quickly empty the cardholder’s account (for this purpose, transactions for large amounts are performed in real time) and means that the online nature of transaction processing is not an effective means of combating fraud when using magnetic stripe card technology;
credit cards (more precisely, Pay Later cards) are the main target of fraudsters. Special attention is paid to “gold”, “platinum” and other premium cards. The data in the table below shows that the level of fraud on credit cards is about four times higher than on debit cards:
Product        Fraud, %   Sales, %   F/S, %
Credit cards   85         58         0.12
Debit cards    15         42         0.03
Payment systems divide the area of their presence into geographical regions; the national markets within a region have common features, at least due to their geographical and cultural proximity. It turns out that the domestic level of fraud is the lowest, while the inter-regional level is the highest. The data below illustrates this. For EMV regions there is a migration of fraud towards inter-regional operations: in the UK, fraud originating from abroad increased by 250% over the three years from 2006 to 2008! The source of this fraud is the cloning of the magnetic stripe and PIN code of a British bank’s card and the use of a fake card made on “white” plastic, for example, in Malaysia or Thailand (countries with a very high level of fraud on the card servicing side).
Distribution of sales volume, fraud volume and F/S by traffic type (with an average fraud rate of 7-10 bp)
Traffic type             Intra-country (domestic)   Intra-regional   Inter-regional
Share of sales volume    96%                        3%               1%
Share of fraud volume    70%                        21%              9%
F/S                      5-7 bp                     50-70 bp         60-90 bp
Main types of fraud
Fraud is usually divided into two groups: fraud on the part of card issuance and fraud on the part of card servicing. The main types of fraud of the first group (on the part of the issue):
stolen/lost cards (Lost/Stolen Cards, L/S);
non-received cards (Not Received Items, NRI);
fake cards (Counterfeit);
Card Not Present-fraud (CNP-fraud);
cards obtained by fraudsters using stolen documents / personal data (ID Theft).
Stolen / lost cards
The oldest and most natural type of fraud: people have lost, are losing and will lose cards. Sometimes cards are stolen. In Russia, according to the National Agency for Financial Research (NAFI), about 19.8% of cardholders have lost a card at some point. Time passes before the card is found to be missing and blocked in the system, and this window is used by fraudsters who have the card in their hands.
Until the Bank is notified of the loss of the card, as a result of which the Issuer blocks the card, the cardholder is usually responsible for this type of fraud.
For a long time, this type of fraud was one of the most popular: in the mid-90s, it accounted for about 50% of fraud, and at the very beginning of this century — 25-30% of all fraud. In 2007, in Europe, according to leading payment systems, lost / stolen cards accounted for 14-16% of all card fraud, and this share continued to decrease with the expansion of migration to Chip&PIN technology. According to MasterCard data for the second quarter of 2009, lost / stolen cards accounted for 12.16% of all card fraud in Europe and 19.14% in the world.
In the UK, due to the almost universal implementation of the Chip&PIN program, the share of this type of fraud fell from 27.7% in 2001 (before the introduction of Chip&PIN) to 10.5% in 2007. At the same time, the level of Lost/Stolen Cards fraud fell by more than four times, from 5.07 bp to 1.24 bp (the level of fraud is calculated from the total turnover on plastic cards)!
Non-received cards
Cards stolen while being sent from the Bank to the customer. All responsibility for fraud in this case lies with the Issuer. According to leading payment systems, this type of fraud accounts for 1-3% of the total amount of fraud. In particular, according to MasterCard data for the second quarter of 2009, non-received cards accounted for 1.1% of all card fraud in Europe and 2.33% in the world.
In the UK, due to the introduction of the Chip&PIN program, the share of this type of fraud in the period from 2006 to 2008 did not exceed 2%.
Fake cards
Fraudsters make a fake card that is personalized based on previously stolen real card details (usually the contents of the card’s magnetic stripe are stolen) and perform operations with the fake card, passing it off as a real card.
Card forgery began with the technique of cutting out the embossed digits of the card number and rearranging them on the card panel. Later, reshuffling of the card number digits came into common practice. With the advent and spread of electronic terminals, the main method of card forgery became skimming, i.e. copying the magnetic stripe data of a real card. The copied data is later written to another card, which fraudsters produce using blank cards obtained in various ways (bonus cards from retail chains, real Bank cards with a re-encoded magnetic stripe, white plastic printed on a printer, blanks stolen from factories and banks).
Fraudsters get real card data using:
unscrupulous store staff who imperceptibly copy the contents of the card’s magnetic track using a special device (skimmer) that has a magnetic stripe reader and can store information about several dozen cards;
ATM skimming (using an overhead reader and an overhead keyboard / miniature video cameras, or malware installed in the ATM software that stores magnetic stripe data and PIN code values);
skimming in POS terminals;
theft of data from the database of processing centers and retail enterprises;
interception of data when it is transmitted over communication channels;
virus attacks aimed at stealing personal data (spyware, Trojans, worms);
phishing and vishing used by fraudsters to extract personal information from Bank customers.
As recently as 2004, fake cards were the most common type of fraud. In Europe, they accounted for 35-37% of the total amount of fraud. Due to migration to microprocessor cards, the level of this fraud fell, and it lost the lead to a fraud of the Card Not Present type. According to MasterCard data for the second quarter of 2009, counterfeit cards accounted for 33.14% of all card fraud in Europe and 36.3% in the world.
In the UK, according to 2008 data, fake cards accounted for about 27% of all fraud.
Due to the migration to the chip, there is a clearly faster growth in the use of counterfeit cards (especially European cards) in ATMs in comparison with POS-terminals. Given that many countries migrate using the Chip&PIN program, it has become easier to copy the magnetic stripe and PIN data and then use this data to issue cards on “white” plastic.
Card Not Present-fraud
There are three main types of CNP transactions: Mail Order/Telephone Order (MO/TO) transactions, e-Commerce (EC) transactions and recurring payments (the cardholder enters into a contract with the merchant for regular periodic direct debits from his account, without per-transaction consent, for services received from the merchant, using a plastic card).
EC operations account for approximately 60% of all CNP fraud, MO/TO transactions for 30%, and recurring payments for the remaining 10%.
The growth rate of EC volumes in the world at the beginning of the new Millennium is about 25% per year, in Europe — 40% per year. It is expected that by 2011, the volume of B2C in the world will reach 407 billion euros.
The EC market in Russia has been growing by an average of 30% annually since 2006. According to the National Association of e-Commerce Participants (NAUET), the market volume in 2007 was $7.9 billion. NAUET estimates that it exceeded $11 billion in 2008. The main market share in Russia traditionally falls on the B2C sector. The B2G (Business-to-Government) sector, which reflects transactions for fulfilling government orders, has been growing at a rate of only about 4% per year since 2006.
Experts associate the further development of the Russian EC market with the development of the B2B segment. According to NAUET, its volume in 2007 increased by 32% compared to 2006 and amounted to almost $2.3 billion.
The dynamics of EC growth in Russia (turnover expressed in millions of dollars) is shown in the table below.
In Europe, the rate of growth of fraud in EC is about 20% per year.
According to MasterCard data for the second quarter of 2009, CNP fraud accounted for 49.75% of all card fraud in Europe and 38.36% in the world.
In the UK, CNP fraud increased from 23.26% in 2001 to 54.28% in 2007. At the same time, the level of CNP fraud over the same period increased from 4.256 bp to 6.4 bp, i.e. by 1.5 times (the level of fraud is calculated from the total turnover on plastic cards).
The level of fraud in e-Commerce operations in Europe in 2008 was approximately 40 basis points (calculated from turnover only for e-Commerce operations).
To commit fraud in the case of a CNP transaction, it is enough to know the simplest card details — the card number, its expiration date, and possibly the CVC2/CVV2 value. Therefore, all CNP transactions are necessarily performed in real time, and payment systems assign responsibility for fraud on such transactions to the servicing banks. An exception is the case when serving banks and their online stores use the secure EC Protocol, known as 3D Secure and used in leading payment systems under the brands MasterCard SecureCode and Verified by VISA.
According to MasterCard, in 2008 in Europe, approximately 40% of all EC transactions were made from online stores that support the 3D Secure Protocol. In 60% of these operations, the cardholder was authenticated (Full Authentication).
Cards obtained from stolen documents or personal data (ID Theft)
To implement this type of fraud, two fraud schemes are mainly used: fraudulent applications and account interception.
Fraudulent Applications: a fraudster uses someone else’s identity card (found/stolen/forged) to apply for a credit card with an address where the card can be easily and safely obtained.
Account Takeover: the fraudster receives information about the card/account details, for example, from the Bank statements of the cardholder that were at his disposal, then calls the Bank and informs about the change of his address, and later requests a new card with delivery to the “new” address.
In 2007, ID Theft accounted for about 4% of all fraud. According to MasterCard data for the second quarter of 2009, ID Theft accounted for 3.74% of all card fraud in Europe and 3.77% in the world.
The growth rate of ID Theft in the UK in 2008 was 39% (47.4 million pounds, or 7.77% of the total fraud)!
ATM fraud
Transactions through ATMs have traditionally been characterized by increased security, since their authorization is carried out by the Issuer online with mandatory verification of the cardholder’s personal ID (PIN). The fact of increased security of operations through ATMs was also confirmed by statistics — the volume of fraud through ATMs was an order of magnitude less than the same indicator for trading.
However, since the beginning of the new Millennium, ATM fraud has started to grow rapidly. In 2004, the losses of UK banks alone from ATM fraud amounted to £75 million (about 15% of all card fraud in the country). According to the European ATM Security Team, in 2008 the amount of losses only from ATM skimming of European issuers amounted to 485 million euros!
ATM fraud is not an independent type of fraud and is considered separately here only because of the specifics of how it is carried out. The cases of ATM fraud described below usually fall under one of two types: counterfeit cards or stolen cards.
Most ATM fraud is related to the type of “fake cards”. Due to the migration to the chip, there is a clear increase in the use of fake cards (especially in EMV regions) in ATMs instead of POS terminals. This trend (migration of “fake cards” fraud from POS terminals to ATMs) is the main factor for the growth of ATM fraud.
Until recently, there were several known ways to use an ATM to commit fraud. Let’s briefly describe them.
Unfortunately, despite numerous explanations, many cardholders still record the values of their PIN code on the card. According to information published by the English Association APACS (Association for Payment Clearing Services) in 2006, 8% of English cardholders cannot remember the value of their PIN code and therefore write it down. According to a survey by NAFI, 11.6% of Russians keep their PIN code with their card. In Moscow, this figure is 13.8%. It is obvious that in case of theft/loss of the card, the thief has everything that is required to commit fraud — both the card and the PIN code.
This type of ATM fraud obviously belongs to the “stolen cards” type.
Another method of ATM fraud is the so-called “friendly” fraud. The essence of it is that once the card along with the PIN code was given to a family member or friend to perform an operation through an ATM. Later, the same card was used at an ATM without the authorization of its holder.
Obviously, this type of ATM fraud refers to the type of “stolen cards”.
“Look over your shoulder.” A person standing behind the cardholder can see the PIN code value they entered. After the fraudster receives the PIN-code value, the card can either be stolen from its holder, or when using the card, an unauthorized copy of its magnetic stripe can be made in order to produce a fake card in the future (it can be made on “white plastic”).
This type of ATM fraud is referred to as “fake cards”.
“The Lebanese loop”. An almost circus-like method of fraud, in which an unsuspecting cardholder inserts the card into an ATM that a fraudster has “prepared” in advance. The “preparation” of the ATM consisted in inserting a piece of photographic film into the slot of the ATM card reader, with its ends imperceptibly fixed on the outside of the ATM. After the operation, the film prevented the card from leaving the card reader. The fraudster was nearby and offered to help the cardholder. He recommended that the customer re-enter the PIN code, and when this did not work, entered it himself from the holder’s words, claiming that he had seen such cases before and that on re-entering the PIN code the card should come out of the ATM. The card, of course, was not returned, and the fraudster advised the cardholder to come to the Bank the next day (the fraud was carried out at hours when the Bank branch was already closed), when the card would be returned to him. After the cardholder left, the fraudster removed the film together with the card from the ATM and emptied the cardholder’s account.
This type of ATM fraud is referred to as “stolen cards”.
Fake ATMs. Fraudsters used specially made devices that emulate ATMs and are designed to read information about the magnetic stripe of the card and the PIN code of its holder.
This type of ATM fraud is referred to as “fake cards”.
ATM skimming. Recently, fraudsters are actively using additional equipment installed on ATMs to carry out fraud. This equipment includes an overhead card reader and a micro-camera. Sometimes an overhead keyboard is used instead of a micro-camera.
An overhead card reader is a device attached on top of the ATM’s card reader and used to read information from the card’s magnetic stripe. It goes unnoticed by a cardholder who is not familiar with the details of an ATM’s appearance, and it can either store the magnetic stripe data it reads or transmit it to the fraudsters over a radio channel (for example, a GSM channel).
A micro-camera is an optical camera installed next to an ATM and aimed at the ATM’s keyboard in order to record the sequence of digits entered by the customer when entering a PIN code.
An alternative to a micro-camera is a keyboard that is superimposed on top of the usual ATM keyboard and stores or transmits the values of the entered PIN codes over the radio channel.
Thus, with the help of additional equipment, fraudsters get all the information necessary for fraud: the magnetic stripe data and the PIN code value. With this data, the fraudster is able to personalize so-called “white plastic” (a blank card that does not carry any of the design elements of an ordinary card on its surface) and use it to withdraw cash from the account of an unsuspecting holder of the compromised card.
Recently, scammers have come up with an alternative to the overhead keyboard and reader. It was a malicious program (malware) that was installed by fraudsters in the ATM software without authorization. This malware copies and remembers the magnetic stripe data and in some cases (with the appropriate configuration of the ATM’s EPP keyboard) also saves the PIN-code values of cardholders.
This type of ATM fraud is referred to as “fake cards”.
There are other types of ATM fraud that use the specifics of ATM operation:
changing, in the processing center, the denomination assigned to cash cassettes and/or the currency exchange rate applied to client accounts;
installing an overlay on the currency issuance window in order to delay it and then extract it by fraudsters (Cash Trapping);
“pinching”, when the fraudster does not take the entire amount from the ATM tray, but the ATM, upon discovering this fact, returns the entire amount intended for issuing to the fraudster’s account, and so on.
Here are the main types of fraud in the second group (by a merchant):
re-entering operations (Multiple Impressions, Electronic Data Capture Fraud, including PAN Key Entry transactions);
altering the content of the slip (Altered Sales Drafts);
interception of the store’s account (Account Takeover);
using the reporting of a legally existing trading company (Laundering).
Repeat slips (Multiple Impressions) and / or change the content of the slips (Altered Sales Drafts)
Unscrupulous employees of a merchant make more than one card print on the imprinter, using them later to generate new payment documents, or change the value of the transaction size after the customer has signed the slip.
Electronic Data Capture Fraud
The electronic version of Multiple Impressions fraud, in which an electronic copy of a completed operation obtained using a POS terminal is used instead of card imprints. The PAN Key Entry method is particularly common, in which the card’s magnetic track information is not provided in the authorization request to the Issuer (only the card number, expiration date and possibly the CVV2/CVC2 value are provided).
Account interception
“Interception” of the store’s account (Merchant Account Takeover). Scammers obtain all the necessary store data (name, names of managers, Merchant ID, etc.) and possibly sales slips. They then send a letter or make a call to the Bank notifying it of a change to the merchant’s settlement account. As a result, reimbursements for transactions performed in a real trading company are credited to the fraudsters’ accounts. According to VISA, the average Bank losses from such fraud are approximately $100,000.
Using the reporting of a legally existing trading company (Laundering)
In this case, store A, which accepts cards of a certain payment system, allows store B, which does not have an agreement with any Bank to accept cards of this payment system, to accept them, usually for a certain percentage. If B turns out to be a fraudster, then after some time A is left alone with the chargebacks arising from transactions allegedly made in store B. According to VISA, the average loss of store A is about $500,000.
Protection methods against particular types of fraud
Countering card fraud is the subject of a separate conversation and another book. The purpose of this section is to show the reader that the technology of cards with a magnetic stripe has largely exhausted its capabilities in terms of protecting card transactions. Despite the variety of methods used by banks to protect transactions with magnetic stripe cards, there is no effective universal approach.
The system for protecting the Issuer of magnetic stripe cards from card fraud uses the following elements:
the card issue policy approved by the Bank’s management. The issue policy should define the card products offered by the Bank, their consumers and acceptable risks, procedures for processing customer applications, delivery and issuance of cards to the Bank’s customers, hardware and software tools and systems for protecting the Bank from fraud, the distribution of responsibility between the Bank’s divisions, and the actions of the Bank’s staff and managers in the event of an attack;
approved procedures for accepting and processing customer applications (Application Processing), delivering and issuing cards and PIN envelopes to Bank customers, reissuing cards, and destroying unclaimed cards;
secure card personalization;
installation of necessary checks of the card parameters, its holder and operations in the Bank’s transaction authorization systems;
blocking and reissuing compromised cards issued by the Bank;
use of modern technological solutions that improve the reliability of cardholder authentication: microprocessor cards, two-factor authentication of the cardholder (card and PIN), the 3D Secure protocol on the side of the cardholder and its Issuer;
transaction monitoring systems that help identify transactions that are suspicious from the point of view of card fraud;
SMS notification of the cardholder about operations performed on their account;
using the mobile banking functionality that allows you to unblock the card before performing a card transaction and re-block it after using the card. This mechanism is an extremely effective tool to combat card fraud and has not yet been properly evaluated by the banking community. At the same time, it should be recognized that the mass implementation of mobile banking is still far away and it will take a long time before this protection mechanism becomes popular;
reporting fraud on Bank cards to the payment system;
the training of Bank employees on the topic of payment card security;
work with clients of the Bank;
insurance of cardholders’ funds.
The work of servicing banks with commercial enterprises is also of great importance for the fight against fraud.
Let’s look at how the listed Bank security elements help to deal with card fraud.
Stolen / lost cards
To combat this type of fraud, the following security elements are used:
blocking a stolen / lost card in the Issuer’s system with the issuance of a response code to an authorization request to capture the card; this method is effective for debit cards, transactions on which occur in real time;
inclusion of the stolen / lost card in the stop lists of the payment system and the backup authorization system of the payment system; this method is only necessary if the stolen card is a credit card and it can be used for offline authorization;
placing the cardholder’s photo on the back of the Bank card; this element of protection relies on a psychological factor: the fraudster feels discomfort when handing such a card to a merchant, realizing that the cashier may, in the best case for the fraudster, ask why someone else’s photo is on the card;
use of transaction monitoring tools that detect changes in the “pattern” of transactions on the affected customer’s cards (in order to get ahead of the Issuer’s possible countermeasures against card theft, the fraudster tries to use the card quickly and withdraw the funds on it) and contact the customer to clarify the reasons for the changes;
SMS notification of the cardholder about operations performed on their account;
more intensive use of online authorizations (for example, using the appropriate service code for certain Bank card products);
using the mobile banking functionality that allows you to unblock the card before performing a card transaction and re-block it after performing the operation.
It is obvious that all these methods taken together do not provide a 100% guarantee that fraud will be avoided. This is due to the fact that some operations can be performed offline, as well as the fact that from the moment of detection of this type of fraud to the moment of “enabling” certain security elements (for example, including the card in stop lists), it takes several days, which is enough to empty the stolen/lost card.
Non-received cards
To combat this type of fraud, the following security elements are used:
issuing cards in a blocked state (with a “new card” status) and having customers unblock them either at branches and ATMs through a special unblocking operation that requires the customer to know the PIN, or by a phone call to the Bank using a code word (for example, the mother’s maiden name); if an attempt is made to use a card that is still blocked, the Issuer returns a response code indicating that the card must be captured;
issuing cards through the branches closest to the customer (reduces the probability of intercepting the card on the way to the customer);
using specialized courier services instead of regular mail;
inclusion of the non-received card in the stop lists; this method is needed only for credit cards, on which transactions can be authorized offline;
placing a photo of the card holder on the back of the card;
using transaction monitoring tools;
SMS notification of the cardholder about operations performed on their account;
using the mobile banking functionality that allows you to unblock the card before performing a card transaction and re-block it after performing the operation;
more intensive use of online authorizations.
Issuing cards in a blocked form and using the mobile Bank’s card blocking/unblocking functionality are the most effective methods of combating this type of fraud.
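The issuer-side measures described for stolen/lost cards and for non-received cards (a capture response code for lost/stolen and still-blocked cards, stop lists, PIN-protected unblocking, and monitoring for a change in the spending pattern) as one added illustrative model in Python; this is example code written for this page, not the book’s or any bank’s system, and the card statuses, response codes, PIN hashing, the simplified in-line stop-list check and the test PAN are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed issuer-side response codes (illustrative, not a real scheme's codes).
APPROVED, DECLINED, CAPTURE_CARD = "00", "05", "04"

@dataclass
class Card:
    pan: str                      # constructed test PAN, not a real account
    status: str                   # "new" (issued blocked), "active", "lost_stolen", "blocked"
    salt: bytes
    pin_hash: bytes
    history: list = field(default_factory=list)   # approved amounts, used for monitoring

def hash_pin(pin: str, salt: bytes) -> bytes:
    # Stand-in for the HSM-based PIN verification a real issuer uses.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)

def issue_blocked(pan: str, pin: str, salt: bytes) -> Card:
    # Countermeasure against non-received cards: the card leaves the Bank blocked.
    return Card(pan, "new", salt, hash_pin(pin, salt))

def unblock(card: Card, pin: str) -> bool:
    # Branch/ATM unblocking requires knowledge of the PIN; only "new" cards qualify.
    if card.status != "new":
        return False
    if not hmac.compare_digest(hash_pin(pin, card.salt), card.pin_hash):
        return False
    card.status = "active"
    return True

def report_lost_or_stolen(card: Card) -> None:
    card.status = "lost_stolen"

def pattern_change(card: Card, amount: float, window: int = 5, factor: float = 3.0) -> bool:
    # Transaction monitoring: an amount far above the recent spending pattern is flagged
    # so the Bank can contact the customer; the flag alone does not decline the request.
    recent = card.history[-window:]
    return len(recent) == window and amount > factor * sum(recent) / window

def authorize(card: Card, amount: float, stop_list: set) -> str:
    # Issuer decision for an online authorization request.
    if card.status in ("lost_stolen", "new") or card.pan in stop_list:
        return CAPTURE_CARD          # instruct the terminal/ATM to capture the card
    if card.status != "active":
        return DECLINED
    card.history.append(amount)
    return APPROVED
```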
Fake cards
There are two ways to fake cards. In the first, fraudsters pick a set of card details that matches the details of one of the cards issued by the Bank. Such a set may consist of the card number, its expiry date, and the CVC/CVV and CVC2/CVV2 values. In this case, the following security elements are effective:
generating card numbers randomly;
extended verification of the card’s expiry date;
verification of CVV/CVC, CVV2/CVC2 values in the Issuer’s system.