Showing posts with label Credit card fraud. Show all posts

Wednesday, 10 June 2009

First-party fraud largely goes unreported

Losses from first-party credit card fraud are bigger than those from third-party fraud, and although it represents 10% to 20% of bad debt, first-party fraud often goes unreported.

First-party fraud is a new threat to the banking industry and is more difficult to detect than third-party fraud as banks often write it off as bad debt, when in fact fraudsters have given inaccurate financial and personal details in order to obtain a credit card or loan without ever intending to pay it off.

At a recent webinar held by analyst firm Lafferty Group, Martin Warwick, principal consultant, solutions management, at decision-management software vendor, FICO, said first-party fraud is different from third-party fraud in that the account for a loan or credit card is set up using a "synthetic" or false identity. The application also contains false or "misrepresented" financial information. Banks continue to write it off as bad debt, he says, because of challenges around proving intent.

Warwick says first-party card fraud can be detected during the application process and the "transactional life" of the account. Things to look out for are:

  • First payment defaults on cards
  • Cases where the customer is massively over their credit limit
  • Customer ends up as a no trace
  • Or if less than 5% of the loan is repaid.

Stand-alone scorecards and customer profiling applications can be used at the time of applying for a card or loan to detect whether an individual is likely to commit first-party fraud. However, Warwick says a holistic approach needs to be taken as first-party fraud can start with current accounts and quickly spread to other banking accounts and channels such as loans, mortgages and insurance. Both qualitative and quantitative measures need to be used to distinguish first-party fraud from bad debt.

Thursday, 28 May 2009

A new form of credit card fraud

CHIP and PIN, Visa and MasterCard SecureCode and PCI-DSS for the safe storage of customer credit card data, are just some of the tactics deployed in the ongoing battle against credit card fraud.

All of these measures have had mixed success, and while they may have helped reduce card-present fraud, card-not-present fraud is on the increase, particularly in online shopping and cross-border transactions.

A new form of credit card fraud called "first-party fraud" is also emerging and experts say it could cost banks and other card issuers up to $21 billion in losses this year. Instead of fraudsters stealing customer credit card details or trading credit card numbers in underground communities, "first-party fraud" involves people using false income and financial declarations to apply for a credit card, which they intend to use and never repay.

Banks typically treat these applications as bad debts and only discover much further down the line that instead they may be dealing with fraud. Lafferty Group estimates that "first-party fraud" losses this year were $15 billion for the US, $2.5 billion for Asia-Pacific, and $2.2 billion for Western Europe.

Friday, 27 March 2009

Chip and PIN no 'panacea'

Chip and PIN has forced fraudsters away from the high street, Shopsafe.co.uk director Simon Crisp was quoted as saying recently. While that may be true, what it has done is result in higher levels of card-not-present fraud and cross-border card fraud.

Crisp is quoted as saying stopping card fraud is about staying "one step ahead" of the fraudsters and that Chip and PIN is helping deter criminals. Well, most so-called fraud experts would argue that Chip and PIN is not the 'panacea' some thought it would be and that it has merely forced fraudsters to become more sophisticated in their efforts to use cards for criminal purposes.

While it may have helped reduce the amount of card present fraud committed on the high street, online shopping presents numerous opportunities for fraudsters as the card is not presented. Malicious software and phishing attacks can also be used to capture personal banking as well as PIN and password details. I don't think Chip and PIN can really be classed as staying one step ahead of the fraudsters, as they have already jumped that 'hurdle'.

Friday, 20 March 2009

Detecting suspicious activity sooner rather than later

This is what Michelle Weatherhead, manager, EMEA, Risk Solutions for payments software provider, ACI Worldwide, had to say recently about the rise in UK card fraud in 2008.

The APACS annual statistics finding that UK card fraud in 2008 increased by 14% is, unfortunately, relatively unsurprising. The one statistic that was immediately notable was the increase in card ID theft, which was up 39%.

Card ID theft, which is when someone gets hold of your card details and PIN and starts to use them on an ongoing basis, is a real problem. There is the issue of consumer education - encouraging members of the public to shred card statements when they dispose of them, change PINs regularly and carefully check statements to make sure they are accurate, is a first step. However, there are techniques that the bank can use to help prevent this type of fraud.

One step that many banks are turning to is monitoring all activity on an account, both financial and non-financial transactions, as well as combining intelligence about how a customer uses all their cards and accounts, not just an individual one.

This helps the banks build up a complete profile of that individual - how often they travel, where they tend to shop, how much they usually spend - so that as soon as a transaction occurs that is outside that customer's usual spending patterns, alarm bells start to ring and that transaction can be flagged as suspicious. What is important is that the banks detect suspicious activity as soon as the account is taken over, otherwise the fraudster will build up their own 'profile' so activity may appear genuine.

This leads to tools such as SMS alerting, which banks are starting to implement to help them stop fraud early. SMS alerting means that if suspicious activity occurs, such as a transaction that is overseas, over a certain value, or in a type of outlet the customer hasn't used before, the bank can send a text message to the customer immediately, informing them of the transaction and asking them to respond if it isn't genuine.

This can also be used to confirm with customers that they have changed their address or requested a new PIN, for example, which can be a first sign of account takeover. This combination of activity can enable the banks to block compromised cards quickly, protecting themselves from losses, and also building confidence with members of the public that they are protected too.

Fraud is always changing and moving - the APACS statistics for 2009, when they come out in 12 months, will show similar trends to those we have seen in this announcement - but as banks embrace the latest technology, just maybe some of these numbers will start to come down.
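
The profiling and SMS-alert flow described in the post above, sketched as an added example (not code from the original post, ACI Worldwide or any bank). The names, the 3x-median value threshold and the sample transactions are assumptions constructed for illustration. Flagged transactions are kept out of the profile until the customer confirms them, so a fraudster's activity cannot become the account's "usual" pattern.

```python
import statistics
from collections import namedtuple
from dataclasses import dataclass, field

Txn = namedtuple("Txn", "amount country outlet_type")
VALUE_FACTOR = 3.0  # assumption: "over a certain value" = 3x median past spend

@dataclass
class Account:
    home_country: str
    countries: set = field(default_factory=set)
    outlet_types: set = field(default_factory=set)
    amounts: list = field(default_factory=list)
    blocked: bool = False

    def learn(self, t):
        # Fold a transaction into the customer's usual-spending profile.
        self.countries.add(t.country)
        self.outlet_types.add(t.outlet_type)
        self.amounts.append(t.amount)

def alert_reasons(acct, t):
    """Return the SMS-alert triggers a transaction hits (empty = in profile)."""
    reasons = []
    if t.country != acct.home_country and t.country not in acct.countries:
        reasons.append("overseas")
    if acct.amounts and t.amount > VALUE_FACTOR * statistics.median(acct.amounts):
        reasons.append("over_value")
    if t.outlet_type not in acct.outlet_types:
        reasons.append("new_outlet_type")
    return reasons

def process(acct, t):
    """Score one transaction; flagged activity never updates the profile."""
    if acct.blocked:
        return "declined", []
    reasons = alert_reasons(acct, t)
    if reasons:
        return "sms_alert", reasons  # held out of the profile until confirmed
    acct.learn(t)
    return "ok", []

def customer_reply(acct, t, genuine):
    """Apply the SMS answer: learn the transaction if genuine, else block."""
    if genuine:
        acct.learn(t)
    acct.blocked = not genuine

def constructed_account():
    """Constructed sample data: a GB customer with five past transactions."""
    acct = Account("GB")
    for amount, outlet in [(20, "grocery"), (35, "fuel"), (50, "grocery"),
                           (15, "fuel"), (40, "restaurant")]:
        acct.learn(Txn(amount, "GB", outlet))
    return acct
```

Calling `process` twice with similar out-of-profile transactions returns an alert both times, because the first one was never learned.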

Tuesday, 14 October 2008

Chip and PIN is failing banking customers

Posted by Anita Hawser

With banks around the world distracted by the global credit crunch, plunging share prices and government bail-outs, this can be a time when fraudsters up the ante hoping that banks will be too distracted to notice the rising incidence of fraud.

According to risk management software provider Actimize, the number of mass data breaches, particularly those involving ATM and debit fraud, has accelerated, and at a time when banks' balance sheets look compromised, the reputational and direct cost of replacing lost or compromised cards is an unwelcome additional cost for any bank to have to deal with.

Just as banks need to restore confidence in one another so interbank lending can resume, so too do they need to restore customers' confidence in debit and credit cards. But in a heightened threat landscape where the threat level is becoming increasingly sophisticated and insidious, banks appear to be on the back foot.

Fighting card fraud is not just about compromised ATMs or phishing emails anymore, as recent incidents have borne out. For example, according to Actimize, in Ireland recently fraudsters posing as bank workers, replaced credit card readers in a number of retail stores with fake readers that captured the data on 10,000 credit and debit cards.

In Calgary, Canada, local businesses were defrauded of approximately CAN $2 million by fraudsters that broke into company databases and inflated the value of pre-paid debit cards. They then withdrew money at ATMs with "cloned" cards.

Authentication specialists GrIDsure highlight a recent incident where MasterCard users were the victims of sophisticated Chip and PIN fraud involving up to 40 stores across Britain including Asda, Tesco and Sainsbury’s. It has called for affirmative action to avoid "further embarrassment" for the UK banking industry.

"While Chip and PIN scams are becoming more and more frequent, it seems that nobody is willing to address the issue head on," says Jonathan Craymer, chairman of GrIDsure. "It is blatantly obvious that Chip and PIN’s reliance on a fixed PIN number is leaving the system vulnerable to attack through sophisticated scams such as this recent one involving MasterCard customers. I wonder how many more people will fall victim to scams like this before the industry stands up and takes action."

Recent incidents highlight the vulnerabilities of Chip and PIN, which was introduced to try and prevent fraud, but Craymer seems to be saying that the industry needs to improve the security of the Chip and PIN system with the introduction of one-time PINs.

UK banks have sent smart card readers that generate one-time PINs to online banking customers; however, Craymer says it is time to find a solution that effectively addresses transaction authentication, not just on the UK high street, but also online and abroad. “Chip and PIN was introduced to put a stop to high street fraud, but as fraudsters begin to find their way around the system we have seen total card fraud losses increase by 14% in the first half of this year alone.”


Tuesday, 2 September 2008

The UK’s credit card crisis


Posted by Nick Kochan

In the week that the Royal Bank of Scotland and NatWest have accepted that a computer sold on eBay has exposed the data of one million customers to possible abuse, a spokesman for the Government’s new National Strategic Fraud Authority, set to be launched on 1 October, says credit card and banking fraud will be a prime target.

Spokesman Adam Morris says the Agency is in discussions with representatives of UK banks and payment companies about the UK’s deteriorating position as a haven for credit card fraud. Morris says, ‘There are many agencies targeting fraud, but the Fraud Review found they were not always working together. We are targeting the symptoms of fraud and aim to bring banks and other stakeholders together.’

UK credit card fraud is at record levels due to abuse of the internet, says the banking industry body, APACS. Annual plastic card losses in 2007 amounted to £535.2m. This compares with £428m in 2006.

The majority of this -- £290.5m -- was incurred by those buying goods on the internet. ‘Card-not-present’ fraud increased by almost £80m on the previous year. As money has been poured into chip-and-pin to deal with lost and stolen cards -- down from £68.5m in 2006 to £56.2m in 2007 -- counterfeit theft and internet abuse of cards has risen sharply.

Metropolitan and City Police forces, fighting card fraud through the Dedicated Cheque and Plastic Crime Unit (a joint public/public sector agency), face an uphill struggle, say industry observers.

Thieves keep several steps ahead of the industry and the police, says Amir Orad, executive vice president of Actimize, the banking consultancy. "Credit card fraud is growing and changing its form to respond to the growing efforts of those who seek to curb it. The crooks are a long way ahead of the institutions cracking down on it."

Leaky credit card systems in retailers presented thieves with their latest juicy target. A group of 11 worked together to break into the systems of US retailer TJX Companies. TJX owns the popular cut-price UK retailer TJ Maxx and the company has admitted that some of the 41 million credit card numbers hacked from retailers belonged to UK and Irish customers.

The 11 were allegedly engaged in ‘war-driving’, the concept of data-theft via wireless networks. The thieves had apparently gone cruising through different areas with a laptop looking for accessible wireless signals. They then installed ‘sniffer’ programs that captured credit and debit card numbers as they moved through the retailers’ processing networks. The information was stored on the thieves’ processors in Latvia and Ukraine.

The US Attorney General, Michael Mukasey, said, "They used sophisticated computer hacking techniques that would allow them to breach security systems and install programs that gathered enormous quantities of personal financial data, which they then allegedly either sold to others or used themselves."

Organised gangs perpetrate credit card fraud, says Paul Ravenscroft, a spokesman for Visa. "Law enforcement tells us that some of the perpetrators of large scale payment card fraud are gangs that utilise the skills of technically sophisticated individuals. As we introduce new fraud countermeasures such criminals will migrate their attacks to other parts of the system."

The godfather in a credit card gang is the guy who understands the technology, says Kevin O’Leary, the chief executive officer at Norkom, a Dublin-based consultancy. "At the top is a group of technicians who provide the intellectual property of how to get at the data that you are going to need to perpetrate a fraud. They must understand how the point of sale server computer architecture works.

"People who commit the technical aspect of the crime need to be several degrees removed from the people who perpetrate the crime at the end of the chain. They do not think of themselves as criminals in the true sense." Smart con men occupy the gang’s second tier. O’Leary says that they go into the grocery store to install the rogue equipment and need to be brazen. "They risk criminal prosecution, if they are found and apprehended."

Street level functionaries "exchange data with other gangs and recruit hundreds of people to use fake cards to walk up to cash machines and make withdrawals. These are people at the bottom of the food chain." O’Leary warns companies to beware of insiders who obtain techniques from their employers to defraud them.

Banks do not sufficiently understand this threat, says David Porter, head of security and risk at Detica, the security consultancy. "Insider fraud has been under-addressed by the bank security community.

"Not all credit card fraud is perpetrated by external bogeymen. There are some highly effective technologies for spotting the unusual outlier in a community of employees who may be embezzling money or confidential data. Organisations need to tackle this problem area rather than sweep it under the carpet."

Banks and retailers need to completely review anti-fraud policies in the light of the burgeoning credit card fraud, says David Hobson, the managing director of Global Secure Systems. "Methods to counter data leakage are slowly coming together. Many banks still do this piecemeal. They are considering a single part of the issue rather than the whole issue."

O’Leary says banks have been slow to act. "Fixed-point solutions like credit card scoring and credit card detection technology on credit card transactions only work up to a point. They give you a fairly limited intelligence to understand what’s going on. Banks need to join all these things up and look at them in a unified fashion."

Fraudsters leave tracks across an organisation, says Orad. "Patterns of banking activity, like cheques, ATM machines and online banking are used to catch credit card fraud in particular and enterprise fraud in general."

Credit card payment companies like Visa and MasterCard have brought in new technology to attack credit card fraud. Customers tap in extra pieces of secure data, in addition to the PIN, when making a credit card purchase at a retailer.

APACS spokesman Mark Bowerman attacks retailers for failing to install the system to allow the customer to make the check. "Take-up has been slow but is now increasing. The vast majority of people need to use it and the vast majority of merchants need to use it. It is a competitive issue. It is up to them whether they decide to implement it in their business."

Merchants are the weak point in the credit card chain, says Hobson. "Credit card details are lost at merchants where there is not the same understanding of risk. They are actually custodians of the customer’s data. If a merchant processing millions or billions of pounds says it doesn’t want to bring in the new secure systems, will any credit card company really refuse their business? Unlikely, as they take a business decision to take a risk!"

Anti-fraud technology based on Chip and PIN is lagging criminal techniques, says Porter. "There's been a lot of focus on Chip-and-PIN, but this is only half the solution since it's a preventative measure. We also need advances in the way we detect criminals who inevitably overcome these preventative measures.

"Banks and credit card processors have invested in automated detection systems based on behavioural modeling: learn how a fraudster does his tricks and then go looking for similar patterns. Fraudsters are getting wise to this method of detection. These legacy detection systems are unable to identify fragmented schemes where each entity or activity alone is too small to appear 'on the radar'."

Fraudsters are pouring resources into attacking credit card data. They have set their sights on opening up and benefiting from leaky systems and security glitches. Banks are in the firing line, but customers need to demand tighter controls at every link in the credit card chain if fraud is to be reduced, and costs to the user of the credit card on the high street reduced.