The problem of security of card transactions
Card fraud is understood as deliberate deceptive actions of some party based on the use of plastic card technology and aimed at unauthorized acquisition of financial resources placed on the “card” accounts of clients of banks that issue plastic cards or owed to a merchant for card transactions.
Card fraud is often simply called fraud (from the English word fraud: deception).
Fraud is usually divided into two groups: fraud from the point of view of issuing cards and fraud from the point of view of servicing (acquiring) cards. The first group includes fraud related to unauthorized use of an issuer's cards (stolen card, counterfeit card, theft of cardholder identity data, etc.). The second group includes fraud initiated by a merchant (fake or altered slips, re-entry of transactions, etc.).
The indicator used for the level of fraud is the ratio of financial losses incurred to the total volume of sales made on plastic cards (F/S, or Fraud/Sales). Thus the level of fraud is estimated only for transactions at merchants. The unit of measurement of the F/S ratio is the basis point: one basis point corresponds to a level of fraud equal to 0.01% of the total card trading turnover. In other words, a fraud level of one basis point (abbreviated BP) corresponds to a loss of 1 cent for every 100 dollars of card turnover.
Over the last 10 years, banks' losses from plastic card transactions have amounted to 7-11 cents per 100 dollars of card turnover (7-11 BP). This is significantly less than the banks' losses associated with client lending, which are $3-4 for every $100 of loans issued. Nevertheless, banks and payment systems pay special attention to the security of plastic card transactions, because the nature of the risk in the two cases is different. In the case of card fraud, the customer suffers. Even if the losses caused by the fraud are borne by the issuer, which is not always the case, the moral damage from the inconvenience caused to the cardholder is palpable. The possibility of fraud undermines the confidence of bank customers in card technology in general.
To illustrate this, let us perform a simple analysis. The average person in the West uses a card for non-cash payments about 40 times a year, with a typical value of the card usage ratio equal to one per day. At today's fraud level of approximately 10 BP, the probability that the next transaction on our chosen cardholder's card ends in fraud is p = 0.001. In fact this probability is lower, since several operations are usually performed on a compromised card one way or another, and in addition the average size of a fraudulent transaction is higher than that of an ordinary one. For the purposes of illustration, however, this estimate of the probability that a given operation turns out to be fraudulent is quite appropriate.
Then over 10 years of card use the cardholder makes N = 400 non-cash purchases, and the probability that this person suffers from card fraud at the current fraud level is P_F = 1 - (1 - p)^N, close to 0.33. In other words, at the current fraud level about one in three people who have used cards for 10 years will suffer from card fraud.
The cardholder we chose to study does not live in a vacuum; he is surrounded by family, friends and colleagues. If we assume that the cardholder's inner circle consists of 10 people, it follows that the probability that at least one person in that circle suffers is greater than 0.98 (N = 4000).
In other words, most of us know about card fraud not from books and magazines but from our own lives. Naturally, such close acquaintance with card fraud does not encourage you to use your plastic card more intensively.
Therefore, the security of plastic card transactions is a cornerstone of the development of the card industry, and this problem is given considerable attention by payment systems and banks.
The absolute size of card fraud can be estimated very roughly as follows. In 2003, the turnover of trade operations in the VISA and MasterCard payment systems was 2.5 and 1.3 trillion dollars, respectively. Since these two leading payment systems account for 85% of the total global trade on plastic cards, the global turnover is approximately $4 trillion. Applying the fraud level (7-11 BP), it follows that the absolute size of card fraud is about 3-4 billion dollars a year.
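The arithmetic of the preceding paragraphs, carried through with the text's own symbols, as an added worked example (not from the original text). It assumes the figures given above: a fraud level of 10 BP, 40 purchases a year over 10 years, an inner circle of 10 people, and the 2003 turnover figures; the function and variable names are ours.

```python
"""Fraud-level arithmetic of the chapter (added example, not the author's code).

Assumptions taken from the text: 1 BP = 0.01% of card turnover; fraud level
10 BP; 40 card purchases a year for 10 years; an inner circle of 10 people;
2003 VISA + MasterCard turnover of 2.5 + 1.3 trillion USD making up 85% of the
global card turnover; a fraud level of 7-11 BP for the absolute estimate.
"""


def fraud_level_bp(losses, sales):
    """F/S ratio expressed in basis points (1 BP = 0.01% of sales)."""
    return losses / sales * 10_000


def bp_to_probability(bp):
    """Per-transaction fraud probability p implied by a fraud level in BP.

    This is the text's simplification (10 BP -> p = 0.001); it ignores that a
    compromised card usually carries several fraudulent operations and that
    fraudulent transactions are larger than average, so p is an upper bound.
    """
    return bp / 10_000


def fraud_probability(p, n):
    """P_F = 1 - (1 - p)^N: probability that at least one of N transactions
    on the card is fraudulent."""
    return 1 - (1 - p) ** n


def cardholder_risk(bp=10, purchases_per_year=40, years=10, circle=10):
    """Risk for one cardholder (N = 400) and for an inner circle (N = 4000)."""
    p = bp_to_probability(bp)
    n = purchases_per_year * years
    return {
        "p": p,
        "N": n,
        "P_F_self": fraud_probability(p, n),
        "P_F_circle": fraud_probability(p, n * circle),
    }


def global_turnover_usd(system_turnovers, share):
    """Scale the leading systems' turnover up to the whole market."""
    return sum(system_turnovers) / share


def absolute_fraud_usd(total_turnover, bp_low, bp_high):
    """Visible annual fraud implied by a fraud-level range in BP."""
    return total_turnover * bp_low / 10_000, total_turnover * bp_high / 10_000


if __name__ == "__main__":
    r = cardholder_risk()
    print(f"p = {r['p']}, N = {r['N']}, P_F = {r['P_F_self']:.2f}, "
          f"inner circle: {r['P_F_circle']:.3f}")
    turnover = global_turnover_usd([2.5e12, 1.3e12], 0.85)  # about 4 trillion
    low, high = absolute_fraud_usd(4e12, 7, 11)
    print(f"global turnover ~{turnover / 1e12:.1f} trillion USD; "
          f"visible fraud {low / 1e9:.1f}-{high / 1e9:.1f} billion USD a year")
```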
However, this is only the visible part of the fraud. As experience shows, a significant proportion of fraud does not get into the reports of payment systems, because banks, trying to protect their reputation, often do not report the fraud to payment systems.
In addition to direct financial losses, banks incur indirect losses (customers leaving, reduced turnover, and reduced inflows because the blow to the bank's reputation makes its financial products lose credibility). More than 20 thousand banks issue cards worldwide, and each of them has a department that deals with card security. Even if the average budget of one such department is only $60,000 a year, banks spend more than a billion dollars annually on maintaining them.
This does not even count the banks' costs for special software, cryptographic modules, communications (in the absence of fraud, all transactions could be performed offline), and so on.
As a result, the total annual losses from the consequences of card fraud, together with the costs of reducing those losses, are significantly higher for banks than the estimate above.
The characteristic features of card fraud include:
- fraudsters use the most modern hardware and software, owing to its availability and the natural fall in the cost of such means. According to Moore's law, computer performance, memory and communication channel bandwidth double every 18, 12 and 9 months, respectively. Recently an amendment to Moore's law was reported regarding the rate of growth of computer performance: performance doubles every 24 months;
- the high professional level of criminal structures (they often include former employees of banks and processing centers);
- the international character of criminal gangs in the field of card fraud: gangs have their offices in many countries of the world;
- a constant search for new opportunities to commit fraud, including constant "testing" of the strength of banks' processing systems. Such testing includes checking whether the bank has a transaction monitoring system, analyzing the algorithm for checking individual card details, evaluating how well the card details database is protected, and so on;
- the high flexibility and efficiency of criminal structures: a quick response to the discovery of a hole in a bank's security system. Only a few days pass from the moment a vulnerability is discovered to the moment an attack is carried out, and attacks concentrate on a small number of issuers whose composition is constantly changing. In everyday language, an "attack on a bank" means that large groups of the bank's customers become the target of fraud; the attack exploits a discovered vulnerability in the bank's transaction processing system. For fraudsters an attack is the most effective means of achieving their goal, since in the time between the detection of the attack and its elimination, by using the bank's customer base en masse, they can obtain a good result for themselves;
- the distribution of fraud among a few main categories (the four most common types of fraud, discussed below, account for about 96% of all fraud);
- the migration of fraud types from one market to another. Once an effective countermeasure against a particular type of fraud is found in one market, fraudsters start using that type of fraud in other markets;
- about 80% of all fraud occurs in online transactions. This is due to the fraudsters' desire to "empty" the cardholder's account as quickly as possible (for this purpose, operations for large amounts are processed in real time), and it means that the online nature of an operation is not by itself an effective means of combating fraud;
- an increase in the number of cases of fraud through ATMs;
- credit cards are the main target of fraudsters. Special attention is paid to "gold", "platinum" and other premium cards. The data in the table show that the level of fraud on credit cards is about 4 times higher than on debit cards.
- payment systems divide their area of presence into geographical regions whose national markets have common features, if only because of their geographical proximity. It turns out that the intra-country (domestic) level of fraud is the lowest, and the interregional level is the highest. The data below illustrate this.
As noted at the beginning, fraud is usually divided into two groups: fraud from the point of view of issuing cards and fraud from the point of view of servicing cards. The main types of fraud in the first group (from the point of view of issuing) are:
- stolen or lost cards (Lost/Stolen Cards);
- cards not received (Not Received Items, NRI);
- counterfeit cards (Counterfeit);
- Card Not Present (CNP) fraud;
- theft of the cardholder's personal data (ID Theft).
Lost/Stolen Cards. The oldest and most natural type of fraud: the cardholder loses the card or it is stolen. Between the moment the loss is discovered and the moment the card is blocked in the system, time passes, and this time is used by the fraudsters who have the card in their hands.
For a long time, this type of fraud was the most popular. Now in Europe, according to the largest payment systems, it accounts for 27-30% of the total volume of fraud.
Not Received Items. Cards stolen during their delivery from the bank to the customer. All responsibility for fraud in this case lies with the issuer. According to the largest payment systems, this type of fraud accounts for 3-5.5% of the total volume of fraud.
Counterfeit cards. This type of fraud consists in the fraudster managing to produce a card whose details match those of a real card (a card issued by an authorized issuer), so that operations can be performed on the counterfeit card by passing it off as the real one.
Card forgery began with the technique of cutting out the embossed card numbers and rearranging them. Then re-embossing of the card number came into practice. With the advent and spread of electronic terminals, the main way of faking cards became skimming: transferring data from the magnetic stripe of a real card to another card, which the fraudsters either make themselves or obtain by stealing card blanks from a bank or from a company that produces card blanks.
Fraudsters obtain real card data with the help of unscrupulous store staff, who imperceptibly copy the contents of the customer's card magnetic track using a special device that has a magnetic stripe reader and can store information about several dozen cards.
Today, in Europe, counterfeit card fraud is the most common type of fraud; according to the largest payment systems, it accounts for 34-37% of the total volume of fraud.
Card Not Present (CNP) fraud. There are two main types of CNP transactions: MO/TO (mail order / telephone order) and e-Commerce (EC) transactions. In Europe, e-Commerce transactions account for 40% of all CNP transactions.
The level of fraud in CNP transactions is 25-35 BP, which is several times higher than the average for the card business.
To commit fraud in a CNP transaction, it is enough to know the simplest card details: the card number, its expiry date, and possibly the CVC2/CVV2 value. Therefore all CNP transactions must be performed in real time, and payment systems assign responsibility for fraud on such transactions to the servicing banks, except when the servicing banks and their online stores use secure EC protocols.
EC fraud has a very high level of latency (unreported fraud): according to the World Bank, up to 80% of all such fraud is never declared. EC accounts for 6-8% of all card purchase transactions, and EC turnover is growing by 30-35% per year.
Currently, this type of fraud accounts for about 25-27% of all card fraud in Europe, according to the largest payment systems.
ID Theft. Theft of cardholders' personal data for use in card fraud (ID Theft) takes the following forms: fraudulent applications, account takeover, phishing, information leakage from processing centers, and interception of data during transmission over networks. In other words, with this type of fraud the theft of data sufficient to carry out card fraud is performed without direct use of the card (the data is not read from the card, as in the case of skimming).
Fraudulent Applications: a fraudster uses someone else’s identity card (found/stolen/ forged) to submit an application for a credit card with an address where the card can be easily and safely obtained.
Account takeover: the fraudster obtains information about the card or account details, for example from the cardholder's bank statements that have fallen into his hands, then calls the bank and reports a change of address, and later requests a new card with delivery to the "new" address.
Phishing and virus attacks (aimed at obtaining customers' personal data): attackers send e-mail requests to credit card holders, allegedly from banks, asking them to confirm or update personal information related to their cards.
Data theft on online shopping sites on the Internet.
Information leakage through unscrupulous employees of processing centers and banks. According to statistics, the source of 20% of all Bank financial losses is dishonest employees, 10% – offended employees, 55% – staff negligence, and only 9% — external attacks.
Interception of data during transmission (wireless connections, fraudsters tapping into dedicated communication lines). This method of stealing personal data is quite rare today, because its effectiveness is low (the cost of stealing the data of a single client is high). Another method of "electronic" theft of personal data is the use of spyware. Such programs are able to read, write and delete files on the client's personal computer and change computer settings, including those responsible for network access to the computer, thereby opening hackers' access to the information it contains. Spyware can reformat a disk, scan for changes in files, and monitor the data typed on the keyboard in order to steal passwords. During network sessions, these programs transmit the information they collect to the interested party.
Forms of existence of spyware are diverse. These are small additional programs (adware) used by vendors in their software for marketing purposes (for this purpose, entire adware networks are created), Trojan horses, Internet cookies, etc.
The main types of fraud in the second group (initiated by a merchant) are:
- re-entering operations (Multiple Impressions, Electronic Data Capture Fraud, including PAN Key Entry transactions);
- changing the content of slips (Altered Sales Drafts);
- interception of the store's account (Merchant Account Takeover);
- using the accounts of a legally existing merchant (Laundering).
Repeating slips (Multiple impressions) and / or changing the contents of slips (Altered Sales Drafts)
Unscrupulous employees of a merchant make more than one card print on the imprinter, using them later to generate new payment documents, or change the transaction size values after the client has signed the slip.
Electronic Data Capture Fraud
The same as Multiple Impressions, but using electronic POS terminals. The PAN Key Entry method is particularly common: the card's magnetic track information is not provided in the authorization request to the issuer (only the card number, its expiry date, and possibly the CVV2/CVC2 value are presented).
"Interception" of the store's account (Merchant Account Takeover)
The fraudsters have all the necessary store data (name, names of the management, Merchant ID, etc.) and possibly sales slips. Next comes a letter or call to the bank notifying it of a change in the store's current account. As a result, the reimbursements for operations performed at a real merchant are transferred to the fraudsters' accounts. According to VISA, the average loss of a bank from such fraud is approximately 100 thousand dollars.
Using the accounts of a legally existing merchant (Laundering)
In this case, store A, which accepts cards of a certain payment system, gives store B, which has no agreement with any bank to accept cards of that payment system, the opportunity to accept such cards, usually for a commission. If B is a fraudster, then after some time A is left one-on-one with the chargebacks arising from operations allegedly performed by store B. According to VISA, the losses of store A average about 500 thousand dollars.
Fraud through ATMs. Until now we have been talking about fraud at merchants. Recently there have been more and more reports of fraud using ATMs. Transactions through ATMs are characterized by increased security, since the issuer authorizes them online with mandatory verification of the cardholder's personal identification number (PIN). The increased security of ATM transactions is also confirmed by statistics: the volume of fraud through ATMs is several orders of magnitude lower than the same indicator for merchant transactions.
Still, the latest reports from payment systems suggest that fraudsters are gradually getting closer to ATMs. In 2004, the losses of UK banks alone from ATM fraud amounted to 75 million pounds (about 15% of all card fraud in the country).
Until recently, there were several typical ways of using an ATM to commit fraud. We describe them briefly.
Unfortunately, despite numerous explanations, many cardholders still write the values of their PIN code on the card. It is obvious that in case of theft/loss of the card, the thief has everything necessary to commit fraud — both the card and the PIN code.
Another method of ATM fraud is the so-called “friendly” fraud. The essence of it is that once the card along with the PIN code was given to a family member or friend to perform an operation through an ATM. Then the same card was used in an ATM without the authorization of its holder.
“Looking over your shoulder.” The person behind the card holder can see the entered PIN code value.
"The Lebanese loop". An almost circus-like method of fraud, in which an unsuspecting cardholder inserts the card into an ATM that the fraudster has prepared in advance. The "preparation" of the ATM consisted in inserting a strip of photographic film into the slot of the card reader, with its ends imperceptibly fixed on the outside of the ATM. After the operation, the film prevented the card from leaving the card reader. The fraudster stood nearby and offered to help the cardholder. He recommended re-entering the PIN code, and when this did not work, he entered it himself from the holder's words, claiming that he had seen such cases before and that on re-entering the PIN the card would come out of the ATM. The card, of course, was not returned, and the fraudster advised the holder to come to the bank the next day (the fraud was carried out at hours when the bank branch was already closed), when the card would be returned. After the cardholder left, the fraudster removed the film together with the card from the ATM and emptied the cardholder's account.
Fake ATMs. The fraudsters used specially manufactured devices that emulate an ATM and are designed to read the card's magnetic stripe data and PIN code. It should be noted that with more active use of PIN codes for some cards in POS terminals (including microprocessor cards with static authentication), the task of obtaining the information needed for fraud is made significantly easier.
Information about PIN codes leaked from processing centers of servicing banks.
Recently, fraudsters have been actively using additional equipment installed on ATMs to carry out fraud. This equipment includes an overlay card reader and a micro-camera; sometimes an overlay keyboard is used instead of a micro-camera.
An overlay card reader is a device attached on top of the ATM's card reader and used to read information from the card's magnetic stripe. It goes unnoticed by a cardholder who is not familiar with ATMs, and it can transmit the data read from the magnetic stripe over a radio channel for a distance of several tens of meters.
A micro-camera is an optical camera that is installed next to an ATM and is aimed at the ATM’s keyboard in order to record the sequence of digits entered by the customer when entering a PIN code.
An alternative to a micro-camera is a keyboard that is superimposed on top of a regular ATM keyboard and stores or transmits the values of the entered PIN codes over the radio channel.
Thus, with the help of additional equipment, fraudsters obtain all the information needed for fraud: the magnetic stripe data and the PIN code value. With this data, the fraudster is able to personalize so-called "white plastic" (a blank card with none of the design elements of a regular card on its surface) and use it to withdraw cash from the account of the unsuspecting holder of the compromised card.