Fraud examiners can help tackle the problem by exposing credit card fraudsters' methods and by promoting training in the cards industry, government, and law enforcement. 

"Diamond jewelry worth $12,500 bought in Memphis!" exclaims the senior oil executive in Kuwait, after seeing his latest credit card statement from his bank. "I haven't bought any diamonds in my life! Where did these come from?"

" A large-screen TV bought in London!! I haven't been to London in the past 6 months," protests the CEO of a Hong Kong financial consultancy firm, after opening his billing statement.

"Jewelry purchases, restaurant charges, video CDs, laptop bought in Sydney!! I only used my card when I went on holiday with my family to Malaysia and Singapore last month! How did these appear on my bill?" screams a senior manager in a Bombay global bank.

These are typical responses of thousands of credit card holders across the world when they see their monthly bills. They are a part of the global credit/debit card theft in excess of USD $1 billion in 2001, according to Visa and MasterCard global fraud figures. Although fraudulent transactions on cards are less than 1 percent of the total general-purpose card billing volume, according to the card companies, consumers are still quite susceptible to thieves. Banks have to devote considerable time and resources in fighting card fraud.

Fraud examiners can help tackle the problem by exposing credit card fraudsters' methods, and by promoting training in the cards industry, government, and law enforcement.

Kid Brother to Identity Theft

The hot topic among security and law enforcement officials is identity theft - crooks stealing an individual's identity and using it to access bank accounts, obtain credit, and park the losses on the victim. (See "Invasion of the Identity Snatchers," July/ August and September/October 2002.) However, fraud examiners should know that credit card theft and misuse - a kid brother to identity theft - is a much larger menace because it is an easier crime to commit and affects many more. The growing global reliance on plastic in merchant transactions and especially on the Internet is leading to a natural growth in fraud.

Unauthorized credit card use has been prevalent for many years. Until the mid-1980s, when the magnetic stripe data was not being swiped at the point-of-sale terminals, thieves were busy using stolen cards. They took advantage of the banks' practice of merely sending paper warning bulletins to merchants at periodic intervals and bought furiously during the time lags. The manual credit card imprinters offered no security and the merchants were responsible for preventing fraud. Subsequently, when the online point-of-sale terminals were instituted, thieves devised counterfeit cards complete with magnetic stripe data that passed the security checks instituted by the credit card companies. Today, a conventional magnetic stripe card is vulnerable to high quality counterfeits by smart crooks using the latest technology.

Five Questions

Let us ask the traditional who, what, where, why, and when questions.

Who? Four parties are involved and affected in a fraudulent credit card transaction: a) the cardholder; b) the fraudster; c) the bank issuing the card; and d) the merchant's location where the card is used.

Professional criminals commit a majority of credit card crimes (hackers into business Web sites are some of the biggest culprits) but otherwise law-abiding citizens also see opportunities and succumb. They can be colleagues, friends, secretaries, neighbors, and store employees - anyone who has access to credit card information.
What? Crooks only need credit card numbers and expiration dates to make fraudulent "card not present" purchases through telephone orders, mail orders, and the Internet.

Where? Of course, crooks access card information from stolen wallets and handbags, and supposedly secure Web sites. Also, they scrounge through trash receptacles inside and outside stores and restaurants to find charge slips thrown away by cardholders and merchants.

They use illegal card readers to copy or "skim" the data on cards' magnetic stripes and make quality counterfeit cards. The data from the strips are often stolen in bulk and sold to organized racketeers who mass-produce the cards. (Skimming may be the greatest menace to the card industry because it leaves banks helpless to prevent fraudulent transactions.)

Why? Credit card misuse is growing in popularity because it is easy, often anonymous and leaves no trace. Victims usually are ordinary citizens, their loss is distributed among a large number, they have no connection with each other, and they seldom report the crimes to the police. Also, fraudsters now can commit the crimes from the faceless comfort of their homes.

Most countries do not have specific legislation to address credit card fraud, according to Visa and MasterCard fraud management. The greatest challenge of card issuers and banks is educating law enforcement on methods of investigation and apprehension of credit card fraudsters. According to card companies, less than 5 percent of the reported frauds result in convictions because of the small charge amounts, and the cost and effort involved in pursuing investigations.

When? Credit card theft and misuse is committed every second across the world. There are no special segments or geographic areas. Credit card misuse is rampant during the holiday season and is exacerbated by the global economic recession.

A Global Menace

The universal acceptability of credit cards allows card numbers stolen in country A to be counterfeited in country B, and used in country C.

Card industry data shows that the United States accounts for more than half the total worldwide credit card fraud. But countries such as Taiwan, Hong Kong, Malaysia, Italy, Spain, and Japan have a high card fraud rate.

Curbing the Menace

What can a fraud examiner at a credit card issuer/bank do to keep the entity's fraud losses at a minimum?
The fraud manager's fight against card fraud is engaged on the following fronts:

Technology: Tools such as cardholder verification value encryption on the card's magnetic strip, online real-time bank authorization of transactions by use of point-of-sale terminals, and security features - such as holograms - embedded on credit cards have curbed fraud. (Unfortunately, crooks have matching new technology with sophisticated card readers and electronic tools.)

Many banks use sophisticated "artificial intelligence" of neural networks, statistical models, and other predictive techniques to find unusual spending patterns and thereby preempt fraudulent transactions.

"Smart cards" use embedded computer chips instead of magnetic strips to secure information. France has used this technology successfully but the option has not succeeded globally yet. Biometrics - the identification of individuals using biological traits such as retinal or iris scanning, fingerprints, or face recognition - is touted as the future of the payments industry. However, the prohibitive costs of installing biometric equipment and the lack of a standard processing and verification system to operate leave this option unattractive in the short run.

Customer Education: Merchant and customer ignorance about cards' security features, safeguards, and guidelines frustrate card issuers.

Banks and card companies have realized that regular education of cardholders and merchants provide huge benefits. Banks across the world send out mailers to their customers stressing some simple dos and do nots:

• Always sign the back of the card. Keep the card in a prominent place in the wallet or purse to notice in case of theft or loss.
• Keep the bank's telephone number and the card number handy if the card is stolen.
• Inform the bank immediately if the card cannot be located or if it is stolen.
• Always memorize the PIN. Never keep the card and PIN in the same place.
• Do not let a waiter take a card out of sight at a restaurant.
• Always shred card receipts and vouchers.
• Keep track of expenses and confirm statements when received.

Fraud examiners can supply these guidelines to merchants:

• Maintain card data securely in computer systems and records.
• Keep a close tab on employees handling credit cards. They should be subject to the same level of safeguards as if they were handling money.
• Make sure vouchers and slips are not carelessly thrown away.
• Train counter staff on alertness and card features.
• Allow only authorized personnel to handle point-of-sale terminals.
• Maintain adequate security precautions such as store cameras and staff identification.
• Ensure that staff members handling cards are trained on card security features, hot-listed cards, suspicious behavior of cardholders, and key contact telephone numbers.

Fraud Control Units: A bank or credit card business' effectiveness in curbing fraud is only as good as the fraud control unit staff members.

Continuous training, the latest tools, and management support are musts for the fraud control unit.

Law enforcement: Most Asian and European countries do not have dedicated police divisions for economic crimes. Fraud examiners must maintain police and judicial contacts for timely coordination when fraud occurs.
Monitoring Portfolio: Managers of fraud examination efforts must have "watchdogs" who monitor spending and payment patterns 365 days a year in the entity's credit card portfolio.

The watchdogs must be particularly alert during the holiday season since fraudsters know that banks tend to have minimal working staff and merchants are overloaded with customers. Fraud examiners must have strong contingency plans for systems outage, telecommunications breakdowns, and disasters because that is when the fraudsters will hit. Crooks abound when disaster strikes.

Global credit card fraudsters are becoming more organized and sophisticated. Fraud examiners - working with the cards industry, government, and law enforcement - can help entities by exposing a problem that will not disappear.

Sriram S. Natarajan, CFE, CPA, MICM, AICWA, is manager of credit & collections in the Credit Cards Division of the National Bank of Kuwait in Safat. 

New Technology Could Curb Credit Card Fraud

Visa and MasterCard have devised programs for cardholders to authenticate themselves while shopping online at participating merchants. "Verified by Visa," and MasterCard's "SecureCode" (both generically 3-D Secure) provide an extra layer of protection during the online transaction by enabling card-issuing banks to validate a cardholder's identity.

A cardholder registers online with a card company and establishes a password that he or she will enter when purchasing at participating online stores. Merchants initiate the authentication process through software integrated with their transaction processing systems. The card company validates participation by the cardholder and the financial institution and then presents the cardholder with a window prompting the cardholder's password. Results of the authentication are then passed back to the merchant. If verified, the merchant processes the payment authorization - just as it is normally does - with routine order confirmation messages being returned to the cardholder. The merchants and financial institutions never see the cardholder's password.

3-D Secure, a globally interoperable payment solution, uses encryption to shield sensitive cardholder information from unauthorized viewers.