At a time when credit card executives thought they had fraud under control, two types of troublesome scams have started to proliferate.
In one scam, the cardholder pays off a balance with a bad check, uses up the new credit line before the check clears, then disappears, leaving the bank unable to collect the funds. Security experts call this crime "bust- out."
The other type is perpetrated by merchants or their dishonest employees. A customer presents a card at a retail outlet-typically a restaurant or gas station-and the thief copies information from the magnetic stripe and creates a new card with the same account data. This is known as "skimming."
Experts say bust-out and skimming are spreading through word-of-mouth and because devices are available that people with bad intentions can use to replicate card data.
The problems are cropping up just as the MasterCard and Visa associations have been boasting of success at beating back other types of fraud through neural networks, address verification services, and other methods.
Though the number of dollars lost to fraud has been significant for some time, losses as a percentage of sales fell to record lows in 1997, the most recent year for which statistics are available.
MasterCard said its 1997 fraud rate was 7.7 cents out of every $100 of volume, 14% lower than the previous record, in 1996. Visa's number was 8 cents per $100 and it had been falling four consecutive years.
But fraud is a moving target, according to risk management experts. Con artists are creative and efforts to thwart them amount to a cat-and-mouse game.
"A few years ago we would have been talking about cards stolen out of the mail," said Joel S. Lisker, senior vice president of security and risk management for MasterCard in Purchase, N.Y.
Bust-out episodes are hard to detect and even more difficult to prevent. Usually, the customer who maxes out a card and then disappears used to have a good track record with the bank. Therefore, lenders do not immediately suspect wrongdoing and simply send the cases to collection departments.
When failing to track down the deadbeat, a bank must charge off the debt, typically between $10,000 and $20,000.
Bust-out fraud can be costly but it is less common than skimming.
This variation on counterfeiting is particularly galling to security experts because it can occur even when a consumer uses a card at a legitimate merchant. A dishonest waiter, for example, might scan a customer's card through a personal card reader that would capture the data, later to be copied onto another card. Or the waiter could swipe the customer's card twice through the restaurant's terminal-once to authorize the transaction and once to record the account information.
Skimming is a global problem that started in Asia and migrated around the world, Mr. Lisker said. He said lenders were winning the battle against counterfeiters until skimming emerged.
Counterfeit fraud was on the decline until 1998, when it began creeping back up. Skimming was largely to blame for a 20% increase in counterfeit fraud last year, according to MasterCard's preliminary figures.
Card association officials say they have been successful in stemming another type of counterfeiting, in which criminals erased data from magnetic stripes and recoded them with information from a lost or stolen card. MasterCard and Visa developed new techniques to protect the information in magnetic stripes, and they stumped thieves at least temporarily.
MasterCard and HNC Software Inc. have collaborated on Risk Finder, a tool that ferrets out merchants who have a pattern of suspicious activity.
Skimming is growing popular because devices that read cards are easy to obtain, experts said. Terminals are sold over the Internet, for example. There is even an aerosol spray called Magnaflux that reveals the encoded information on a card, they said. Magnaflux is sold through mail order catalogs as a product for splicing video tapes.
Battery-operated card readers make it easy for criminals to skim at their leisure and avoid detection by employers.
"Every time the industry makes things better for the customer, it makes things easier for the fraudsters," said Wesley K. Wilhelm, principal consultant for HNC, a San Diego company that sells fraud detection software.
"It is possible to simply capture data through a reader and transfer the information via e-mail to your buddy in another city," Mr. Wilhelm said.
Sophisticated criminals can gain access to account information by tapping merchants' telephone lines and reading the digital tones. Signals from the satellite dishes some merchants use to authorize card transactions can be picked up by criminals who retrofit police scanners, Mr. Wilhelm said.
"None of this information is encrypted-that is part of the problem," he said.
Australian banks are bracing for a heavy dose of skimming at the Olympics in 2000. They anticipate crooks will set up storefronts for the sole purpose of committing card fraud, said David J. Johnson, executive director of fraud control solutions for HNC.
The Olympics are fertile ground for con artists because of the number of tourists and high transaction volumes. The event "gives the criminal the opportunity to mask his behavior," Mr. Johnson said.
Credit card fraud is a $1.5 billion problem worldwide, according to the Nilson Report. The card associations, which track six categories of it: counterfeit; false applications; lost or stolen cards; fraudulent mail or telephone orders; cards that are never received in the mail; and identity theft. The last category was added to the list two years ago.
Bust-out does not fit any of these categories.
Nearly 60% of fraudulent transactions involve lost or stolen cards, but only 25% of losses come from this type of fraud, said Don McNelley, marketing manager for fraud solutions at Fair, Isaac & Co., San Rafael, Calif.
By contrast, false applications account for about 3% of bad transactions but 21% of losses, Mr. McNelley said. He said he expects bust-out fraud to begin claiming a higher portion of losses.
Companies that develop fraud detection software say lenders' best defense is to monitor patterns of customer behavior.
"The pattern for fraud is greed," said Jill Richardson, product marketing manager at Fair, Isaac. "Crooks charge more frequently and (buy) higher-end items. They will squeeze the card for all it is worth before it is shut off."
Thieves typically test a new card at a gas station, running it through a self-service terminal to make sure it works.
The next stop is a shopping mall, where jewelry and electronic gadgets- which can easily be turned into cash-are the main purchases.
Banks must be careful not to confuse miscreants with honest customers.
"Your very best customers are going to look like fraudulent customers, because they charge a lot and have high balances," Ms. Richardson said. "You don't want to flag them as potential frauds."
