© March/April 2005
Association of Certified Fraud Examiners
Foiling Internet Fraudsters
Preventing Internet credit card fraud
By Joel Bartow, CFE, CBM, LPI, CPP
From the March/April 2005 issue of Fraud Magazine
Batman once said, "If only they would use their genius for good instead
of evil!" While Internet fraudsters will never stop finding new ways to
use cyberspace to victimize, fraud examiners now have methods to prevent their
crimes rather than just trying to investigate after the fact.
A Nigerian Criminal Enterprise (NCE) has been
using computers in Lagos, Nigeria, to perpetrate a version of the forwarder
scam - placing thousands of Internet orders using randomly generated credit
card numbers and expiration dates on the Web sites of hundreds of U.S. businesses.
Members of this NCE recruit U.S. citizens to receive merchandise and forward
the goods back to Nigeria where they sell them on the black market. Christian
Internet chat rooms are their favorite recruiting grounds. Preying on the willingness
of their recruits to help out those in need, the NCE operative poses as a young
woman trying to get needed computer equipment or clothing ostensibly without
paying oppressive Nigerian import taxes. The good-deed doer begins receiving
stolen property and sends it to Nigeria using a stolen account number for an
overnight delivery company supplied by the NCE operative. By the time authorities
ring the doorbell of the unsuspecting accomplice, the NCE has recruited a new
forwarder to take that person's place. One company received more than $4 million
in fraudulent orders in one year from an NCE using 23 different forwarders.
With no realistic prospect of arresting or prosecuting the perpetrators, fraud examiners
have to protect their companies from such attacks without interrupting the flow of
legitimate customer orders. That means concentrating on foiling Internet fraudsters
rather than investigating after the fact.
Not all companies are fully aware of the tools used to protect Web sites from
this menace. While almost all companies use a credit card verification system
of some kind, not all such systems are equally effective.
The simplest verification system for Internet credit card numbers confirms only that
a specific number has in fact been issued and that the expiration date supplied matches
that number. This will stop an order that uses an unassigned number, but it doesn't
tell the merchant to whom the number was issued, only that it was issued. Since the NCE
can predict the expiration dates that go with its generated card numbers (using a
computer program), such systems are insufficient to stop an NCE attack.
Address verification system codes
Address Verification System (AVS) codes are generated at the time the merchant
requests credit card authorization. The code tells the merchant whether the billing
address provided on the order matches the billing address of record for the
credit card number. Specific codes indicate different levels of matching. For example,
the payment processor Paymentech (one of many companies that offer AVS) uses the
following AVS response codes, among others:
I-1 means the billing address on the order is a complete match to the billing
address of record for the credit card provided.
I-5 means that only the Zip Code doesn't match; perhaps the customer has been
issued a new one without updating the billing address of record.
The codes to worry about are I-4 and I-8.
AVS code I-4 means that the street address isn't a match while the Zip Code does
match. Blocking such orders may seem an obvious step, but there's a catch. AVS
compares only the number at the beginning of the street address. An address that
begins with a letter has no number to compare and comes back as I-4. Too many
customers use addresses that begin with a letter (P.O. Box 100, or One Rockefeller
Plaza) for this code on its own to be a reliable indicator of fraud.
AVS code I-8 means that nothing matches: the street address and the Zip Code
are both different. Perhaps the customer moved and forgot to change the address,
but this is more likely an NCE attack, which sends randomly generated credit
card numbers with the forwarders' addresses in both the billing and
ship-to address fields. Beware.
Canceling I-8 orders
Many companies have begun canceling orders that come back from Paymentech
with an AVS code of I-8. The customer is notified that the billing address of
record didn't match the billing address entered on the order and can re-order
using the address from his credit card statement. This simple step saved the
previously mentioned company $4 million in credit card chargebacks, in addition
to the handling time. A chargeback is the process in which the true cardholder
refuses payment for a good or service he didn't order; the merchant's account is
debited for the amount unless the merchant can prove that the cardholder actually
received the good or service.
Internet credit card orders require the merchant to enter into a credit card
transaction similar to a person coming into a store with a bag on their head
and trying to make a credit card purchase without ID or bothering to sign the
credit card slip. Who would allow such a thing? Internet merchants do it every
day!
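As an added illustration (example code written for this page, not from the article or from any payment processor), here is how a merchant's order pipeline might turn the AVS codes above into accept, review or cancel decisions: I-8 orders are canceled, I-4 is excused when the street address has no leading house number for AVS to compare, and high-dollar orders that ship somewhere other than the billing address are held for the phone call the article recommends in its closing advice. The sample orders, the $500 high-dollar threshold and the "review" queue are assumptions; the codes are the Paymentech ones the article lists, and other processors use different code sets.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# AVS response codes as the article lists them for Paymentech. Other processors
# use their own code sets, so this mapping is processor-specific.
AVS_FULL_MATCH = "I-1"
AVS_ZIP_MISMATCH_ONLY = "I-5"
AVS_STREET_MISMATCH = "I-4"
AVS_NO_MATCH = "I-8"


@dataclass
class Order:
    order_id: str
    billing_street: str
    billing_zip: str
    ship_zip: str
    avs_code: str   # code returned by the processor with the authorization
    amount: float


def numeric_prefix(street: str) -> str:
    """The part of a street address AVS actually compares: the leading house number."""
    digits = ""
    for ch in street.strip():
        if ch.isdigit():
            digits += ch
        else:
            break
    return digits


def screen_order(order: Order, high_dollar: float = 500.0) -> Tuple[str, str]:
    """Return (decision, reason); decision is 'accept', 'review' or 'cancel'.

    The high-dollar threshold and the existence of a manual 'review' queue are
    assumptions made for this example.
    """
    code = order.avs_code.strip().upper()
    if code == AVS_NO_MATCH:
        return ("cancel", "I-8: neither street nor Zip matches; notify customer to "
                          "re-order with the billing address shown on the statement")
    if code == AVS_STREET_MISMATCH and not numeric_prefix(order.billing_street):
        # 'P.O. Box 100' or 'One Rockefeller Plaza' gives AVS no house number to
        # compare, so I-4 here says nothing about fraud; the Zip still matched.
        decision, reason = "accept", "I-4 from a street with no leading number; Zip matches"
    elif code == AVS_STREET_MISMATCH:
        decision, reason = "review", "I-4: house number differs from the address of record"
    elif code == AVS_ZIP_MISMATCH_ONLY:
        decision, reason = "accept", "I-5: Zip mismatch only (possibly a new Zip Code)"
    elif code == AVS_FULL_MATCH:
        decision, reason = "accept", "I-1: full match"
    else:
        decision, reason = "review", "unrecognised AVS code %r" % code
    # Manual step from the article's closing advice: a high-dollar order shipping
    # somewhere other than the billing address gets a call to the billing phone number.
    if decision == "accept" and order.amount >= high_dollar and order.ship_zip != order.billing_zip:
        decision = "review"
        reason += "; high-dollar order with ship-to differing from billing: call billing phone"
    return decision, reason


# Constructed sample orders (not real data).
SAMPLE_ORDERS: List[Order] = [
    Order("1001", "123 Main St", "37201", "37201", "I-1", 80.00),
    Order("1002", "One Rockefeller Plaza", "10020", "10020", "I-4", 250.00),
    Order("1003", "55 Elm St", "37201", "37201", "I-4", 120.00),
    Order("1004", "987 Oak Ave", "30301", "77001", "I-8", 1999.00),
    Order("1005", "44 Pine Rd", "60601", "60601", "I-5", 60.00),
    Order("1006", "9 Lake Dr", "98101", "33101", "I-1", 2400.00),
]


def screen_all(orders: List[Order] = SAMPLE_ORDERS) -> Dict[str, str]:
    """Map each order id to its decision."""
    return {o.order_id: screen_order(o)[0] for o in orders}


if __name__ == "__main__":
    for o in SAMPLE_ORDERS:
        decision, reason = screen_order(o)
        print("%s: %-7s %s" % (o.order_id, decision, reason))
```

Note that the AVS result alone never causes an outright acceptance of a large order shipping elsewhere; the code is a first filter, and the "V" code and the phone check described later still apply on top of it.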
Card Security Value
To the rescue comes the "V" code, or Card Security Value (CSV) system (the card
brands' own names for it are CVV2 for Visa, CVC2 for MasterCard and CID for American
Express). You've probably seen or used the extra three digits on the back of your
Visa or MasterCard, or the extra four digits on the front of your American Express
card, to place an order online. The extra digits are entered as a separate field in
Internet orders and phone orders where the card isn't present, and the "V" code is
verified at the same time the card company verifies the card.
An extra assurance that the customer actually has the card in hand, the "V" code
isn't used in the traditional "card present" transaction, doesn't appear on the
credit card bill, and, under the card brands' rules, may not be stored by the merchant
after authorization. Therefore, a fraudster who obtains a credit card receipt or a
bill from the trash can't place a "card not present" order using the credit card
number and expiration date, even with the cardholder's true billing address of record.
The fraudster has 1,000 possible "V" codes (000-999) to try before he can place a
successful order (10,000 for the four-digit American Express code). There are greener
pastures for organized fraudsters unless they can rely on a computer program
to rapidly attempt credit card orders using a numeric progression of "V"
codes until the right one is found. There are actually such enterprising fraudsters
out there! As Batman once said, "If only they would use their genius for
good instead of evil!"
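The numeric-progression attack can also be blunted on the merchant's side by counting how often the same card number comes back from the processor with a wrong "V" code and refusing further attempts after a handful of them, so that a 1,000-code search dies after three tries. The following is an added example written for this page, not code from the article or from any processor; the thresholds, the M/N response codes and the test card numbers are assumptions. The card number is kept only as a hash and the "V" code itself is never stored, in keeping with the card brands' rule that it may not be retained after authorization.

```python
import hashlib
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional, Tuple

# Processor responses for the "V" code check, assumed here for illustration
# (real processors use their own code sets; the article gives none).
CVV_MATCH = "M"
CVV_NO_MATCH = "N"


class CvvEnumerationGuard:
    """Velocity check against numeric-progression attacks on the "V" code.

    The merchant calls allow_attempt() before sending an order to the processor
    and record_response() with the processor's "V" code result afterwards.
    Thresholds are assumptions, not figures from the article.
    """

    def __init__(self, max_mismatches: int = 3, window_seconds: int = 3600,
                 block_seconds: int = 24 * 3600):
        self.max_mismatches = max_mismatches
        self.window = window_seconds
        self.block_for = block_seconds
        self._mismatches: Dict[str, Deque[float]] = defaultdict(deque)  # token -> mismatch times
        self._blocked_until: Dict[str, float] = {}

    @staticmethod
    def token(pan: str) -> str:
        # Only a digest of the card number is kept; the "V" code is never stored.
        # (Production code would use a keyed hash with a secret; plain SHA-256 is a
        # simplification for this example.)
        return hashlib.sha256(pan.encode()).hexdigest()

    def allow_attempt(self, pan: str, now: Optional[float] = None) -> bool:
        """True if an authorization for this card number may be sent right now."""
        now = time.time() if now is None else now
        tok = self.token(pan)
        until = self._blocked_until.get(tok)
        if until is None:
            return True
        if now >= until:                      # block has expired; start fresh
            del self._blocked_until[tok]
            self._mismatches.pop(tok, None)
            return True
        return False

    def record_response(self, pan: str, cvv_result: str, now: Optional[float] = None) -> str:
        """Feed back the processor's result; returns 'ok', 'mismatch' or 'blocked'."""
        now = time.time() if now is None else now
        tok = self.token(pan)
        dq = self._mismatches[tok]
        while dq and now - dq[0] > self.window:  # forget mismatches outside the window
            dq.popleft()
        if cvv_result == CVV_MATCH:
            dq.clear()                        # a customer who mistyped once is forgiven on success
            return "ok"
        dq.append(now)
        if len(dq) >= self.max_mismatches:
            self._blocked_until[tok] = now + self.block_for
            return "blocked"
        return "mismatch"


def simulate_progression_attack(guard: CvvEnumerationGuard, pan: str, true_code: str,
                                start: float = 0.0) -> Tuple[int, bool]:
    """Constructed attacker: tries 000..999 one second apart against the guard.

    Returns (attempts that reached the processor, whether the true code was found).
    """
    sent = 0
    for i in range(1000):
        now = start + i
        if not guard.allow_attempt(pan, now):
            return sent, False
        sent += 1
        guess = "%03d" % i
        result = CVV_MATCH if guess == true_code else CVV_NO_MATCH
        if guard.record_response(pan, result, now) == "ok":
            return sent, True
    return sent, False


if __name__ == "__main__":
    # "4111111111111111" is a constructed test number, not a live card.
    print("guarded:  ", simulate_progression_attack(CvvEnumerationGuard(), "4111111111111111", "417"))
    print("unguarded:", simulate_progression_attack(CvvEnumerationGuard(max_mismatches=10 ** 6),
                                                    "4111111111111111", "417"))
```

The same counter should be kept per card number across all of a merchant's order channels, since an attacker who is throttled on the Web site will simply move the remaining guesses to the phone order line. CAPTCHA, discussed next, complements this by stopping the automated submission in the first place.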
CAPTCHA
The latest tool for Internet fraud prevention can even stop the fraudsters'
computerized attacks on the "V" code. CAPTCHA is starting to be seen
on some Internet order sites. A CAPTCHA (an acronym for "Completely Automated
Public Turing test to tell Computers and Humans Apart") is a type of challenge-response
test used in computing to determine whether the user is human. The term was coined
in 2000 by Luis von Ahn, Manuel Blum, and Nick Hopper of Carnegie Mellon University,
and John Langford of IBM. (For more information on CAPTCHA see http://en.wikipedia.org/wiki/Captcha.)
A common type of CAPTCHA requires the user to type a distorted or partly obscured
sequence of letters or digits that appears on the screen. The CAPTCHA image shows a
random string, which the user has to type to submit the form. This is a simple task
for (sighted) humans, but a computer, which has to rely on character recognition, has
a hard time decoding the distorted string. Following are some examples of CAPTCHAs
that appear on order screens to ensure the ordering entity is a person and not a
computer:

[CAPTCHA sample images not reproduced here]
Images used with permission of Luis von Ahn, Carnegie Mellon University
Using the "V" code in conjunction with CAPTCHA and the blocking of orders that
come back with AVS codes like Paymentech's I-8 will save your company from the
headaches of most organized credit card fraud attacks today. No automated system,
however, can prevent a single fraudster from using one stolen credit card, so the
traditional manual checks still have their place. For example, it's always good
policy to call the billing phone number on all high-dollar orders when the ship-to
address differs from the billing address, and to confirm that the area code of that
phone number belongs to the billing address and not to the ship-to address. The
newer automated systems blended with these traditional methods form a complete
and sound program of fraud prevention.
Scam artists hit U.S. residents with counterfeit postal money orders
A fraud scheme making the rounds through Internet chat rooms and auction
sites, in e-mail messages, and over the telephone is costing U.S. victims
time, money, and unpleasant chats with bank and law enforcement officials
about passing counterfeit postal money orders, according to the U.S. Postal
Inspection Service.
The counterfeit money order scam begins when a victim is contacted by
someone through an Internet chat room or on-line auction site claiming
to have financial problems or needing help to cash domestic and/or international
postal money orders. The person in need often claims to be living in a
foreign country (usually Nigeria), but the scam artist can cook up the
scheme from any location. The scam artist is simply looking to recruit
someone in the United States to cash the money orders and return the funds
via wire transfer.
A U.S. resident is lured into the scam when he is told he can keep some
of the money as a gift or payment for his help. The unsuspecting victim
provides his home mailing address to the fraudster who tells him he will
receive a check or postal money order that he should deposit into his
own bank account. The fraudster tells the victim to immediately send the
money via Western Union or conventional bank wire transfer to a bank or
person located outside the United States.
The victim learns the postal money order is counterfeit only when he attempts
to cash it, or when his bank account takes a hit for the full amount when
the bank refuses payment on the bogus deposit. For more information about
postal money order security features, visit the U.S. Postal Service Web
site at www.usps.com/missingmoneyorders/security.htm.
To report a fraud complaint, call the Fraud Complaint Hotline at 1-800-372-8347
or visit the U.S. Postal Inspection Service Web site at www.usps.com/postalinspectors/fraud/MailFraudComplaint.htm.
Joel Bartow, CFE, is the director of fraud prevention for ClientLogic, based
in Nashville, Tenn., with more than 40 locations globally. His e-mail address
is: JoelBar@clientlogic.com.
The Association of Certified Fraud Examiners assumes sole copyright of any article published on ACFE.com. ACFE follows a policy of exclusive publication. Permission of the publisher is required before an article can be copied or reproduced. Requests for reprinting an article in any form must be e-mailed to: FraudMagazine@ACFE.com.