The Green Sheet Online Edition
April 25, 2011 • Issue 11:04:02
Old fraud schemes resurfacing?
Are old fraud schemes a thing of the past? Actually, it looks like fraudsters have resumed old tactics in France and the United States, according to one U.S. credit union's report of suspicious low-dollar charges coming from European tollbooths. International Airline Employees Federal Credit Union of Briarwood, N.Y., reported the suspect transactions to the National Association of Federal Credit Unions.
Easy to create card numbers
These schemes rely on online applications commonly known as "credit master" or "credit wizard" programs. These applications are used to create a legitimate card number for a given bank identification number (BIN), and BINs are easy for fraudsters to find online. The card number created might be an active card number, but could also be a possible or potential card number. Fraudsters test the BIN by just running it through to help them create an algorithm.
The algorithm is then checked when a card is submitted at the point of sale (POS), before authorization measures (such as confirming the Card Verification Value or Card Verification Code and expiration date) occur.
An unattended payment terminal, a tollbooth for example, is the perfect place for fraudsters to test cards, especially since no card authorization is required. They use this as their loophole because it provides the perfect opportunity to use fake cards.
Recently, only small charges have been attempted using this method, but this old scheme could make a strong comeback.
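For issuers and processors, the pattern described above (many different card numbers on one BIN, each making a low-dollar charge at the same unattended terminal) can be looked for in transaction records. The following is an added example, not part of the original article; the record layout, terminal names, thresholds and placeholder BINs are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2011, 4, 1, 9, 0)

def txn(minute, terminal, pan, amount, unattended=True):
    """Build one constructed transaction record."""
    return (T0 + timedelta(minutes=minute), terminal, pan, amount, unattended)

# Constructed sample data. 999999 and 888888 are placeholder BINs, not real ones.
SAMPLE = (
    # Five different cards on one BIN, small charges, 12 minutes, one tollbooth.
    [txn(3 * i, "TOLL-17", f"999999000000{i:04d}", 1.20 + 0.10 * i) for i in range(5)]
    # Same BIN at another tollbooth, but one card every 80 minutes.
    + [txn(80 * i, "TOLL-22", f"999999000001{i:04d}", 1.50) for i in range(4)]
    # One commuter card used repeatedly: many charges, a single card.
    + [txn(5 * i, "TOLL-17", "8888880000000042", 2.00) for i in range(6)]
    # Attended store terminal: outside the scope of this check.
    + [txn(2 * i, "STORE-01", f"999999000002{i:04d}", 3.00, False) for i in range(5)]
)

def flag_card_testing(txns, window=timedelta(minutes=30), max_amount=5.00, min_cards=4):
    """Return sorted (terminal, BIN, peak distinct cards) for suspicious bursts."""
    buckets = defaultdict(list)
    for ts, terminal, pan, amount, unattended in txns:
        if unattended and amount <= max_amount:
            # The first six digits are taken as the BIN.
            buckets[(terminal, pan[:6])].append((ts, pan))
    alerts = []
    for (terminal, bin_), events in buckets.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({pan for _, pan in events[start:end + 1]}))
        if peak >= min_cards:
            alerts.append((terminal, bin_, peak))
    return sorted(alerts)

if __name__ == "__main__":
    for terminal, bin_, cards in flag_card_testing(SAMPLE):
        print(f"{terminal}: {cards} distinct cards on BIN {bin_} within 30 minutes")
```

Counting distinct cards rather than charges keeps a single commuter card used many times at one tollbooth from raising an alert.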
Skimming makes a comeback
In the United States, pay-at-the-pump skimming scams are also increasing. Warm weather and easy targets have made self-service gas pumps in Arizona and Florida attractive targets. Card fraud at gas stations is popping up more and more in tourist locations.
The challenge with pay-at-the-pump terminals is that compromised terminals are extremely difficult to detect. Unlike ATM skimming, which involves placing a skimming device over an ATM's external card reader, a skimming device at a pump terminal is placed inside the pump's enclosure, making it impossible to detect by sight.
With gas prices on the rise, this scheme will probably grow rapidly. As gas gets more expensive, it will force customers to make sure they are using a credit card with enough credit for the month or, better yet - in the eyes of a fraudster - a debit card.
Gas terminals are more vulnerable to attacks simply because they are easy for the criminal element to access. The use of universal keys, which open pump enclosures, remains a mainstay in the petroleum market. Anyone with a key to a pump can open up any pump of the same make and model.
ATMs are less vulnerable than gas pumps because ATMs are required to have unique access codes for enclosure access for service and maintenance.
Once gas pump skimming devices are installed on pumps, they collect card numbers and transmit card data wirelessly, usually via Bluetooth, to nearby fraudsters. Some instigators have even developed devices that scan for local Internet access via Wi-Fi and then, leeching off the current connection, forward the card information to a proxy server.
John Buzzard, who oversees client relations for the FICO Card Alert Service, which provides decision management and predictive analytics for card issuers, said increased PIN-debit usage at self-service gas pumps, as well as other unattended self-service terminals, also has fueled card fraud. "Debit usage is at an all-time high," Buzzard said. "More and more consumers are using PIN debit at the pumps, so this makes for a rich harvest for the criminals."
The economy and geography play a role
Two main factors in these fraud schemes are the location and economic conditions there. Typically Arizona and California are in the top five states for identity theft every year. This correlates with the demographics and high unemployment rates in those states; it is easier for the ringleaders to find mules to do the dirty work.
As long as merchants continue to believe that controlling access to pump stations is not their problem, they will not be proactive in protecting the pumps from intrusions. These pump attacks are at least a decade old, but hackers have just started cashing in on them within the past few years.
Economic conditions and the proliferation of fraud schemes demand that security measures be stepped up. Merchants and consumers need to feel confident that personal information is being taken care of by the policies currently in place.
ISOs should be proactive
It all starts with the ISOs. Selling secure solutions will help restore trust for merchants and consumers, strengthening the foundation of their relationships. Credit and debit card fraud is the number one fear of Americans in the midst of the global financial crisis. According to the Unisys Security Index, concern about fraud supersedes that of terrorism, computer viruses, health viruses and even personal safety.
To help clarify respective responsibilities in regard to fraud, I posed the following question to veteran law enforcement official Roy Derby, who is now the Director of Risk Management for ABA LLC: "What are some steps merchants and ISOs can take to cut back on fraud?"
In response, Derby stated, "The credit card processing industry is based on risk, and it's our duty and obligation to mitigate the risk for our merchants. One of the most overlooked and basic ways to help your merchants is prevention through education."
Remaining proactive is essential to reducing one's risk. One way to achieve this is through training. Most merchant sales staff receives entry-level instructions on how to use the credit card processing equipment and minimal education on how to identify and prevent fraud.
More specific, ongoing fraud training and established policies defining what to do when suspicious activity occurs will be central to minimizing data theft. The small price of keeping staff updated on the latest scams and trends can have a positive impact on your merchants' profit margins, as well as your own, while also enhancing your clients' reputations for zero tolerance.
Nicholas Cucci is the Director of Marketing for Network Merchants Inc., a graduate of Benedictine University and a licensed Certified Fraud Examiner. Cucci is also a member of the Advisory Board and Anti-Fraud Technology Committee for the Association of Certified Fraud Examiners. NMI builds e-commerce payment gateways for companies that want to process transactions online in real time anywhere in the world. Contact him at firstname.lastname@example.org.