The Green Sheet Online Edition
July 24, 2016 • Issue 16:07:02
Fraud in the payment system: What - me worry?
CrossCheck is located in Sonoma County or, as we call it, "Wine Country." You would think people would just drink the wine and enjoy it, but no. They all have opinions. Four popular words bandied about are "biodynamic," "organic," "natural" and "sustainable." Sometimes winemakers put these words on their labels; sometimes they don't accurately reflect what's actually in the bottle.
Biodynamic wine relies on nature; no chemical fertilizers or other non-natural agents are used to control weeds and molds. In this case, the vineyard should be a self-sustaining farm organism, and it should be treated with only herb and mineral-based preparations. Planting and picking should be timed to specific Earth and Moon celestial "forces." France, Germany, and Australia all have different rules to certify a biodynamic vineyard, but not the United States.
Organic wine is produced from organically farmed grapes and processed in accordance with certified organic standards. Sustainable practices apply to all aspects of grape farming, winery operation and even distribution and sales, as well as the use of water and electricity in making wine. There is no certification for this.
Unlike "industrial" wine, natural wine is made without chemicals, contains little or no sulfur, and uses native yeasts. Now, when winemakers use these terms here, there is no real way to verify the terms are accurately applied to product labels. You might call this "friendly fraud."
Contrast this with famous cases of outright fraud in California winemaking involving Fred Franzia (the founder of Two Buck Chuck) and Delicato Vineyards. In the late 1980s, Delicato was the largest maker of bulk white Zinfandel wine, producing it for many other wineries.
Delicato bought grapes from the Bavaro brothers, who harvested Carignane and Valdepena grapes and passed them off as white Zinfandel grapes. Over time, they produced almost 1 million gallons of adulterated wine. Another crook was Fred Franzia, the nephew of Ernest Gallo, who passed off Carignane and Grenache grapes (worth about $196 a ton in 1992) as Cabernet grapes (worth about $387 then).
In the early 1990s, more than 20 civil and criminal lawsuits were brought against Delicato, Franzia and others. All those charged either pleaded guilty or were convicted.
In the payments industry, fraud has exploded. Every day you read about a new data breach, wire fraud scheme, ATM skimming or POS fraud. This is in addition to the always present chargebacks and friendly fraud in the card-not-present space.
Any card-not-present scenario, which would involve MO/TO and Internet purchases, is fraught with fraud potential in cases where the merchant does not know the buyer, and criminals could be using stolen or invented payment credentials.
A June 2016 Juniper Research LLC report predicted worldwide online fraud will reach $25.6 billion by 2020, up from $10.7 billion in 2015. A recent report from Aite Group LLC forecasted online fraud in the United States alone would grow from $2.8 billion in 2014 to $7.2 billion in 2020. Of particular concern is the use of mobile devices to initiate payments. The RSA Anti-Fraud Command Center reported that about 42 percent of all U.S. e-commerce transactions in 2015 started on mobile devices.
Besides exploiting the mobile channel, fraudsters take advantage of the popularity of gift cards, and store "buy online, pick up in-store" programs. The most prevalent way fraudsters obtain gift cards is to purchase them with stolen credit cards. Digital gift cards have immediate delivery, no physical address requirements and high consumer adoption – a perfect storm. For example, between Black Friday and Christmas 2015, 9.5 percent of all online fraud attempts were on downloadable e-gift cards, according to ACI Worldwide.
CNP.com estimated $950 million was lost to e-gift fraud in 2015. LexisNexis found that for every dollar lost to fraud, it costs merchants about $2.27 in e-commerce and $2.89 in mobile channels. Fraud management techniques can combat this; however, that is beyond this article's scope.
Unlike credit card fraud, it is impossible to accurately measure check fraud. There are approximately 5,260 commercial banks in the United States and about 7,270 credit unions. All of these offer checking accounts. However, just as money center banks are loath to report wire transfer fraud, no banks want to advertise check fraud by their customers, and they are not required to report it.
The FBI estimates losses from check fraud total about $18.7 billion annually. Previous estimates by payments experts suggested total check fraud of around $10 billion, of which roughly 10 percent is borne by the financial institutions (FIs) and the rest by merchants. But, of course, no merchants want to advertise or report check fraud at their stores.
The average fraud scheme lasts 18 months before it is detected. Check fraud is a crime, but local prosecutors only pursue thefts involving large transaction volumes or amounts. The FBI estimated 75 percent of these cases are never prosecuted.
The 2013 American Bankers Association study on deposit account fraud estimated demand deposit account fraud at $1.744 billion, with 54 percent coming from debit card fraud and 37 percent coming from check fraud.
The 2015 Association of Financial Professionals Payment Fraud Survey found the most common types of check fraud are:
- Alteration (chemical washes to change check amount or payee, stolen account information printed on different check paper, etc.)
- Forged endorsement
- Counterfeit checks
- Forged signatures
- Fraudulent use of third-party bill payment services
- Writing checks on closed accounts
Credit card losses
LexisNexis Risk Solutions published a paper called Issuers Confront Application Fraud and Account Takeover in a Post-EMV US. It includes data from a report by Javelin Strategy & Research titled Data Breach Impact Report 2015. Here are some key findings from the report.
- Issuers lose $10.9 billion to card fraud annually. Credit cards account for 71 percent ($7.6 billion) of the losses, and debit accounted for 25 percent ($2.7 billion). Prepaid cards had $0.5 billion in fraud loss.
- The loss per card for credit is three times that of debit ($9 versus $2.80).
A survey of large card issuing banks showed bank executives believe that EMV (Europay, MasterCard and Visa) will cause a migration from card-present fraud to card-not-present fraud.
- Detecting synthetic identities is even more troublesome for FIs than stolen identities. Unlike stolen identities, which will eventually be found out by the victim, there is no one to detect the fraud besides the affected FI.
- Coordinating with affiliates complicates fraud mitigation (co-brand partner or private-label partner).
- Mobile wallets are a unique area of concern around the growth of account takeovers.
Customer-service oriented call centers are serious contributors to the problem of account takeovers because this is the weakest link in the account access process.
- Banks have a hard time distinguishing between first-party fraud, third-party fraud and credit risk.
- Application fraud and account takeover each represent 20 percent of total fraud losses. Counterfeit cards are responsible for 16 percent of losses.
- The misuse of lost or stolen payment cards comprises 28 percent of total fraud losses. Non-receipt fraud is 15 percent of fraud loss.
- Data breaches have given fraudsters access to a vast array of personal information. In 2014 alone, over 60 million people said they had been notified of a data breach. Because of this, 41 percent of fraudulent applications are composed entirely of stolen identifiers, and 27 percent are only partially composed of stolen identifiers (manipulated identities).
Payment concerns by large enterprises
A May 2016 study by Visa Inc.'s CyberSource subsidiary on behalf of the Merchant Risk Council (which has 450 firms in 20 countries) showed managing fraud is the top payment concern of e-commerce merchants. Compounding the issue, MRC merchants support an average of 14.5 payment types, almost twice as many as the 7.6 supported by non-members. These include digital wallets, bank transfers and invoices, gift cards or vouchers, and carrier billing.
In addition to data breaches, large enterprises' payment concerns fall into the following categories:
- Phishing attacks
- Spoofed websites
- Card skimmers
- Fraudulent ATM withdrawals
- Computer malware
- Infiltrated retail POS systems
- Weak payments security
This overview has highlighted the pervasiveness of fraud in the payments system. As a merchant or processor or ISO, you can no longer assume the "What ‒ me worry?" stance or think this is someone else's problem.
Brandes Elitch, Director of Partner Acquisition for CrossCheck Inc., has been a cash management practitioner for several Fortune 500 companies, sold cash management services for major banks and served as a consultant to bankcard acquirers. A Certified Cash Manager and Accredited ACH Professional, Brandes has a Master's in Business Administration from New York University and a Juris Doctor from Santa Clara University. He can be reached at firstname.lastname@example.org.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.