Stolen Card Fraud
When a card holder loses or has their credit card
stolen, it is possible for the thief to make
unauthorized purchases on that card up until the
card is cancelled. Businesses that accept credit
cards are not permitted to request supplemental ID
from the cardholder, unless the credit card is not
signed. A thief can potentially purchase thousands
of dollars in merchandise or services before the
card holder or the bank realizes that the card is
in the wrong hands. Self-serve payment systems
such as gas stations are also highly prone to
accepting a stolen credit card, as there is no
verification of the card holder's identity.
However, many stations are trying to prevent this
by adding a check requiring the user to key in a
zip code. The zip code must match the code
registered to the credit card or the transfer will
fail.
Account Takeover Fraud
Fraud perpetrators call in and impersonate actual
cardholders using stolen personal information.
They have the address and other information of the
cardholder changed to an address they control.
Additional cards and possibly PIN mailers are
requested and issued to the new address and used
by the fraudsters to make purchases and/or obtain
cash advances.
Sometimes the fraudster will attempt to add
themselves or an alias that they control as an
authorized user to the account in order to make it
easier to commit the fraud.
Credit Card Mail Order Fraud
Using a stolen credit card number, or a
computer-generated card number, a thief will order
stolen goods.
Skimming
Skimming is the theft of credit card information
by a dishonest employee of a legitimate merchant,
manually copying down numbers, or using a magnetic
stripe reader on a pocket-sized electronic device.
Common scenarios for skimming are restaurants or
bars where the skimmer has possession of the
victim's credit card out of their immediate view.
The skimmer will typically use a small keypad to
unobtrusively transcribe the 3 or 4 digit Card
Security Code, which is not present on the
magnetic strip.
Many instances of skimming have been reported
where the perpetrator has put a device over the
card slot of a public cash machine (automated
teller machine), which reads the magnetic strip as
the user unknowingly passes their card through it.
These devices are often used in conjunction with a
pin-hole camera to read the user's PIN number at
the same time.
To prevent this, cards in countries such as the UK
are
issued featuring a smart chip with public key
encryption. The chip cannot be copied, but the
card number, expiry date and security code can be,
and this set of data is often sufficient to use
the victim's credit card account for fraudulent
purposes with so-called "card not present"
transactions, e.g., manual input, over the
telephone or internet.
Carding
Carding is a term used by fraudsters for a process
they use to verify that sets of
stolen credit card data are still valid. The
fraudster will present each set of credit card
details in turn on a website that has real-time
transaction processing, making a purchase for a
very small monetary amount so as not to use up the
card's credit limit, and so as not to attract the
attention of a human reviewer to the transaction.
Often, an online donation site for a charity is
used instead of an eCommerce merchant, since there
is no need to find an item of a suitable price to
put in the virtual shopping cart, nor to supply
shipping details. The carder may do this manually
with a web browser, or may write automated
software to interface to the website's checkout or
billing forms.
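A defender-side check for the pattern described above, added here as an example and not part of the original text: it flags a source that submits many different cards for very small amounts within a short window. The record layout, the thresholds and the decline-ratio condition are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are assumptions for illustration; tune them on real traffic.
WINDOW = timedelta(minutes=10)
MAX_SMALL_AMOUNT = 5.00   # upper bound for a "very small" payment
MIN_DISTINCT_CARDS = 4    # different cards from one source inside WINDOW
MIN_DECLINE_RATIO = 0.5   # assumption: stale card data is often declined

def ts(hhmmss):
    return datetime.fromisoformat("2024-01-01T" + hhmmss)

# Constructed sample log: (time, source, card token, amount, approved).
# Card tokens stand in for card numbers, which should never be logged.
SAMPLE = [
    (ts("09:00:05"), "203.0.113.7", "tok_a", 1.00, False),
    (ts("09:00:40"), "203.0.113.7", "tok_b", 1.00, False),
    (ts("09:01:10"), "203.0.113.7", "tok_c", 1.00, True),
    (ts("09:01:45"), "203.0.113.7", "tok_d", 1.00, False),
    (ts("09:02:30"), "203.0.113.7", "tok_e", 1.00, True),
    (ts("09:03:00"), "198.51.100.20", "tok_x", 25.00, True),   # normal donation
    (ts("09:04:00"), "198.51.100.20", "tok_x", 2.00, True),    # same card again
    (ts("09:00:00"), "192.0.2.55", "tok_p", 1.00, False),      # spread over hours
    (ts("09:40:00"), "192.0.2.55", "tok_q", 1.00, False),
    (ts("10:20:00"), "192.0.2.55", "tok_r", 1.00, False),
    (ts("11:00:00"), "192.0.2.55", "tok_s", 1.00, False),
]

def find_card_testing(events):
    """Return {source: peak distinct-card count} for sources matching the pattern."""
    recent = defaultdict(deque)   # per-source sliding window of small payments
    flagged = {}
    for when, source, card, amount, approved in sorted(events, key=lambda e: e[0]):
        if amount > MAX_SMALL_AMOUNT:
            continue              # only very small payments fit the pattern
        window = recent[source]
        window.append((when, card, approved))
        while when - window[0][0] > WINDOW:
            window.popleft()      # drop attempts older than WINDOW
        cards = {c for _, c, _ in window}
        declined = sum(1 for _, _, ok in window if not ok)
        if (len(cards) >= MIN_DISTINCT_CARDS
                and declined / len(window) >= MIN_DECLINE_RATIO):
            flagged[source] = max(flagged.get(source, 0), len(cards))
    return flagged

if __name__ == "__main__":
    for source, count in find_card_testing(SAMPLE).items():
        print(f"{source}: {count} distinct cards in small payments within {WINDOW}")
```

A flagged source is a candidate for step-up verification or rate limiting on the checkout or donation form, not proof of fraud on its own.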
In the past, carders used computer programs
called "generators" to produce a sequence of
credit card numbers, and then tested them to see
which were valid accounts. However, this process
is no longer viable due to the widespread
requirement by internet credit card processing
systems for additional data such as the billing
address, the 3 to 4 digit Card Security Code
and/or the card's expiry date. Nowadays, carding
is more typically used to verify credit card data
obtained directly from the victims by Skimming or
Phishing.
A set of credit card details that has been verified
in this way is known in fraud circles as a phish
(see Phishing).
A carder will typically sell data files of phish
to other individuals who will carry out the actual
fraud. Market price for a phish ranges from
US$1.00 to US$50.00 depending on the type of card,
freshness of the data and credit status of the
victim.