The New Fraudsters

  Despite a host of high-tech anti-fraud measures, the battle against fraud continues as crooks poke and prod for the card industry's weak spots. CCM reviews the latest fraud trends and what's being done to counter them.
  Credit card fraudsters are an ingenious bunch. Just ask any risk manager.
  Over the past 30 years, criminals have been able to sidestep nearly every fraud-prevention measure developed by the card industry. They poke and prod until they find another weakness in issuers', acquirers', or merchants' security systems.
  In the early days of the card industry, fraudsters generally worked alone. Card fraud was a crime of opportunity originating from a sales slip with an account number fished out of a Dumpster or a card found in a lost or stolen wallet or purse. And scams typically were limited to the region in which the criminals lived.
  But fraudsters have come a long way over the past 30 years. Today's crooks are nearly as technologically savvy as the card companies. As quickly as the card industry introduces high-tech fraud-prevention measures, criminals just as rapidly find ways to breach them. And fraud itself has evolved into a highly organized business that reaches around the world.
  About 10 years ago, "Dumpster diving used to be the number-one concern," says Catherine Black, director of fraud prevention and data security for American Express Co. Fraud prevention in that era consisted of tearing up carbon copies of sales slips. "These were very manual ways for people to collect information and perpetrate fraud," she says. "Now it's identity theft, 'phishing,' skimming."
  That's not to say that fraud is out of control. Both MasterCard International and Visa International say fraud losses represent only about six or seven basis points of total sales volume in the United States. Morgan Stanley's Discover card and American Express also report low fraud losses, although they won't give details.
  Still, that's little comfort to the issuers, acquirers and merchants that end up being victimized. Rising card charge volume is offsetting reduced fraud rates. CCM estimates U.S. bank credit card fraud losses were $820 million in 2003, up 6% from $770 million in 2002, and that doesn't count fraud on American Express, Discover, private-label or debit cards. London-based research firm and consultancy Datamonitor estimates total card fraud losses last year were $1.5 billion.
  The stakes can be high for consumers as well, even though the major card brands don't hold cardholders liable for fraudulent charges. Confidential information that finds its way into the hands of criminals can plunge cardholders into the murky world of identity theft, where they may spend months, if not years, reclaiming their financial identities.
  The Federal Trade Commission estimates that Americans last year spent 300 million hours resolving problems related to identity theft. Almost two-thirds of that time-194 hours-was spent by victims of new accounts and identity-related frauds.
  Perhaps one of the most alarming recent trends is that organized crime is playing an increasingly larger role in card fraud worldwide, experts say.
  "Anyplace you see credit card fraud that's very successful, it's almost always got some degree of organization behind it," says Ted Crooks, vice president of identity protective services at Minneapolis-based scoring and risk-control technology firm Fair Isaac Corp. "That organization is often linked to other issues. It may be ethnic, it may be political in some cases, but it generally involves people who know and trust one another."
  Adds Steve Cole, chief executive of Future Route, a Kent, England-based software company: "The credit card companies have a major problem on their hands because they're dealing not only with minor fraud but they're dealing with criminal elements that are very well organized and very clever. The more defenses you put up against these people, the cleverer they get." Future Route specializes in automatic rules generation systems for fraud detection.
  This sophistication can be seen in one of fastest-growing categories of card fraud-so-called phishing or spoofing-in which crooks use e-mail messages and replicas of legitimate Web pages to con consumers into revealing credit card account numbers and other confidential information. Phishing is closely tied to identity fraud.
  "Some of the statistics show that some 10 million Americans were victimized by ID theft last year alone, with possible losses of $50 billion," Dale Miskell, supervisory special agent for the Federal Bureau of Investigation, said in a recent conference call to discuss Internet crime. Austin, Texas-based ClearCommerce Corp., which specializes in software for risk management and scoring, sponsored the call.
  There are estimates that up to 5% of recipients of such fraudulent e-mails respond and divulge personal data such as credit card account numbers and passwords, says Oksana Selezneva, a retail analyst with Datamonitor.
  Fraudsters also are using computer viruses to take over computers that are connected 24 hours a day to the Internet and then using them to cloak their identity while they send out spam, Daniele Micci-Barreca, director of fraud solutions for ClearCommerce, said during the Internet crime conference call. "Some of that spam would be phishing-type spam, which is mostly used to collect account information on credit cards," Micci-Barreca says. Those account numbers are then used to make purchases from e-merchants.
  So-called Trojan viruses also can be used to capture keystrokes that reveal a cardholder's account number or give the fraudster access to a Web site storing the number, Micci-Barreca says.
  It is difficult to break these new types of technological fraud into categories, Selezneva says. But Datamonitor estimates they have been growing by 50% annually over the past five years. In 1999 losses from these types of fraud totaled $21 million, "a relatively small figure," she says. "By 2003, we're looking at $109 million.
  The information obtained using this new technology often ends up on Web sites that cater to crooks. "What we're seeing is the dark side of the Internet, especially chat rooms where a lot of fraudsters and hackers exchange information," Micci-Barreca says.
  And there's no shortage of stolen account numbers to be found, Micci-Barreca says. "You just go on the Internet and you can buy plenty of credit card numbers," he says.
  One disturbing trend showing up in Internet chat rooms is the sale of credit account numbers with card verification or validation codes, Micci-Barreca says. These three-digit codes-developed by Visa and MasterCard to prevent counterfeiting-are algorithms based on the cardholder's account number. The codes-printed on the signature panel above the magnetic stripe on the back of the card-also prevent stolen account numbers from being used in card-not-present transactions, such as mail-order, telephone-order or e-commerce transactions.
  Effectiveness Waning?
  American Express has a four-digit card identification code, known as the CID.
  "The (codes) are based on a very complex encryption of the credit card number, but they turn out to be three or four numbers that aren't very difficult to memorize," Micci-Barreca says.
  When first introduced in the 1990s, the codes cut chargebacks significantly and deterred fraudsters, he says. But in recent months, a merchant using the codes has experienced "a drastic increase, about six times, in the amount of fraud," he says. "These are not chargebacks. These are actual fraud attempts that were identified by other means."
  "We're seeing this throughout the industry and a lot of merchants who have implemented (verification codes) are starting to see a decrease in effectiveness of that tool," Micci-Barreca says.
  MasterCard, too, has found that fraudsters have found ways to decode the card-verification algorithms, Sergio Pinon, MasterCard International's senior vice president of security and risk management, said in an e-mail message. MasterCard is "migrating to Triple DES (for Triple Data Encryption Standard as opposed to the older single DES technology) algorithms, which will enhance security and make it almost impossible to break ... and further reducing the number of people who would be able to break the security of this highly protected algorithm," he says.
  American Express's card identification code uses "a number of different security codes embedded in the card's magnetic stripe," and on the front of the card, says Black. "All of these are separate security codes, so you can't get from one to the other like an algorithm," she says.
  Black also downplays the danger posed by chat rooms selling credit card account numbers and card verification numbers. "By the time you see it on the Web site, it's already a dead account, and usually it's been dead for some period of time," she says. She adds that AmEx on a daily basis sends out "crawlers" to seek out such sites.
  She also notes that equipment used to skim account numbers from magnetic stripes isn't capable of picking up a card verification code. That means the theft of such codes would have to be done manually, a slow process. "I'm more concerned with the high-volume perspective," she says.
  "Anybody can do anything (during the processing) of the transaction, and break down a great deal of information about a consumer," Black says. "But when they get into an environment where it's high volume, it becomes a little bit more concerning."
  Fraudsters' use of technology shows, too, in the resurgence of some older types of card fraud, including counterfeiting and skimming. In skimming, crooks use devices-originally designed for use by merchants-to capture magnetic-stripe data and then re-encode credit and debit cards. The cards are given to runners, who shop at malls, high-end jewelry stores, electronics stores, and other retailers.
  Much of this high-tech fraud is coming out of Eastern Europe, Pinon says. "The old Communist Bloc ... countries, such as Romania and Russia, have become havens for hackers and sophisticated criminals who use technology as their main weapon," he says.
  This technology has given new life to some familiar types of fraud. Identity fraud continues to grow, albeit at a slower pace, despite the best anti-fraud efforts of the industry and law enforcement.
  Fair Isaac's Crooks says identity thieves fall into two categories. The first includes those who commit "general bonehead fraud" by stealing "a little bit of somebody's information" and taking advantage of a weakness in an issuer's or merchant's security system. That "goes on a fair amount and that's been growing," he says.
  Credit-Abuse Fraud
  The second type is "more sophisticated, better organized and seems to be growing significantly and is probably the much longer-term threat," Crooks says. Identity theft by such crooks, fortunately, will be somewhat constrained "because it does require a certain degree of patience and organization to collect all that information about someone," he says.
  To be sure, not everyone in the card industry is seeing an increase in identity theft. At Visa USA, the dollar amount of fraud tied to ID theft has "actually gone down in the past 12 to 15 months," says John Shaughnessy, senior vice president of risk control.
  Card-not-present fraud, however, continues to grow as electronic commerce becomes more commonplace. "Internet transactions are anonymous venues and they are not as easily identified in some cases by the issuers," Shaughnessy says.
  But even as the card industry works to find ways to thwart long-familiar fraud schemes, new ones are emerging. One scam that's on the rise in the United Kingdom, and is likely headed towards the U.S., is so-called credit-abuse fraud, also known as first-party fraud, Crooks says.
  In this type of fraud, people take out credit with no intention of paying off the debt. "This has grown very rapidly in the U.K. and we think it may be growing in the U.S.," Crooks says, adding that the level of losses in the U.K. has "become substantial-it's among the top forms of fraud they're suffering."
  He notes that while there always have been people who run up charges and then walk away from the debt, these cases are experiencing a "tremendous growth in their frequency."
  It's difficult to detect credit-abuse fraud in its early stages because "it's not easy to differentiate from collections of ordinary bad debt," Crooks says. "It can grow into a fairly substantial problem before it's recognized."
  In addition, these schemes appear to be highly orchestrated. "The evidence is that these folks are generally managed and coached by somebody else who has experience and is doing this with multiple people," Crooks says. "That gives us the feeling that there's an organized crime connection. What kind of organized crime is hard to say."
  The pattern of the scheme is "pretty straightforward," Crooks adds. "These folks will be excellent customers for as much as a year or even a year-and-a-half. They pay everything on time, do everything exactly as you would like a customer to do."
  If a full-service bank issues the card, the fraudsters often have multiple products of the bank, including demand-deposit accounts and consumer loans.
  "At the end of the year or year-and-a-half, they'll run up all their balances and then they just won't pay a dime," Crooks says. "That's the way in which you recognize them as being different."
  Normally, when a customer with a high credit score and excellent payment behavior runs into problems, "they at least will tell you the story of what happened," he says. "They'll say 'I got divorced,' 'I got sick,' 'I lost my job,' or they will make some effort to pay something. But in these cases, if you do reach them by phone, they say, 'I'm not going to pay you' and hang up."
  One way to prevent credit-abuse fraud is to monitor account behavior across the multiple accounts held by the customer. "Typically, what we're seeing is activity that is almost too good, customers that are working very hard at being good customers," Crooks says.
  Once a probable credit-abuse case is detected, the issuer needs to carefully manage the customer's credit lines and avoid the extension of credit that would otherwise have occurred. "It's more of a preventative in advance of any crime happening, because once the crime's happened, it's too late," he says.
  The rise and fall of these various types of fraud can be attributed to the so-called water-balloon effect, in which fraudsters locked out of the card system by one anti-fraud measure seek new weaknesses to exploit.
  That's the case in the U.K., where credit-abuse fraud rose after the recent adoption of personal identification number-based smart cards "stopped a lot of the traditional forms of fraud or at least made them more difficult," Crooks says.
  The U.S. also is seeing more fraud activity that may be related to the U.K.'s chip-and-PIN rollout, especially a surge in counterfeit fraud, according to Datamonitor's Selezneva. PIN and chip also is known as EMV, for the Europay/MasterCard/Visa smart card standards developed by the bank card associations.
  Indeed, counterfeit card fraud in the U.S. rose 121% to $211 million in 2003, up from $95.6 million in 1999, according Datamonitor.
  Total card losses for the same five-year period increased 57% to $1.5 billion. Counterfeit card fraud grew 30% last year, and accounted for 14% of total losses in 2003.
  Criminals, no longer able to breach companies' defenses, also are "turning to consumers as the weakest link in the chain of fraud" through phishing and other frauds that target individuals, Selezneva says.
  Not only are smart cards' chips much more secure than mag stripes, but also PIN-based transactions are much more secure than signature-based ones. But one of the obstacles to the implementation of EMV in the U.S. is the high cost of converting the current magnetic stripe-based system to the chip and PIN, an estimated $13 billion, Selezneva says. That compares to annual fraud losses of $1.5 billion in 2003. With that imbalance, "it is difficult for card issuers to build a business case for investment in anti-fraud measures," she says.
  Selezneva predicts that in the U.S. losses associated with counterfeit cards will increase rapidly over the next five years. That's because EMV-compliant cards are being rolled out in Europe "on a large scale," she says.
  "To counterfeit a card with a chip is infinitely more difficult than a card without a chip," Selezneva says.
  "Obviously, criminals who are currently trying to counterfeit cards in Europe will move to the areas, like the U.S., where the protection is weakest," she adds.
  But others disagree. "You still have to have authorization (of a transaction) over here 100% of the time, so I don't know if that's a valid argument," Visa's Shaughnessy says.
  But no matter what anti-fraud measures are developed, the card industry must accept the fact that fraud will never be wiped out, says Cole of Future Route. He notes that while the introduction of chip and PIN in the U.K. will put an end to many types of card fraud, "the level of fraud isn't going to decrease. They'll just do it another way."
  A New Approach
  It's because card fraud comes in many guises that the industry might be better served by a new approach, Fair Isaac's Crooks says.
  "It really stems from an idea that a fraud solution should be enterprise-wide, that it should be more lasting instead of being a specific product for a specific type of fraud," he says. "You should have a system ... prepared to handle the next kind of fraud even though you're not sure what it's going to be, but that you can respond to quickly so we don't keep getting into situations where we're always six months behind the bad guys."
  In addition, there is the "feeling that the fraud specialty as a management specialty needs to be recognized and developed," he says. "There's no place you can go to school to become a fraud manager."
  Fraud patterns are usually the same, regardless of the division of a bank it falls into, Crooks says. "There really are some similar patterns, similar kinds of skills and knowledge needed."
  Another issue the industry must deal with is "recognizing what's fraud and what's not in the collections string," he says. "We are finding that there's real benefit to be had in looking closely at writeoffs and determining what proportion are due to fraud."
  "If you don't know how much of it there is, it's hard to make good judgments about how to stop it," Crooks says.