As per ABC Analysis of management principle, it needs to be focussed Gain effort
Have you ever eaten at a restaurant, paid with a credit card, and forgotten to get your copy of the credit card receipt? Did you know that many of these receipts have your credit card number printed right there for anyone to see (and use)? And, if you've signed them, your signature is also right there for someone to carefully copy. This can lead to the simplest form of identity theft. With this bit of information, some unscrupulous person can be well on his way to making purchases either by phone or on the Internet using your credit card number. All they need, in most cases, is your mailing address, which can be looked up in a phone book or easily found on the Internet.
It can happen when your pre-approved credit card offers fall into the wrong hands. All a person has to do is get these out of your mailbox (or trash can) and mail them in with a change of address request and start spending. Someone can even apply for a credit card in your name if they have the right information. You won't know a thing about it until the credit card company tracks you down and demands payment for the purchases "you" have racked up.
Now, think about the types of information you have to provide in order to get a credit card or a loan or lease a car. There is very little additional information that is needed in order to get that loan. It would not have been that difficult to "create" loan documents using someone else's bank account numbers and other personal information. That's a scary thought! Imagine finding out that someone had gotten a mortgage in your name. Clearing that up with the bank and getting it off of your credit history would be quite a battle. You are left with the time-consuming task of repairing your credit and getting your finances back on track.
The percentage that each type of credit card fraud represents is described below:
· Counterfeit credit card: Makes up 37% of all funds lost through credit card frauds. To make fake cards criminals use the newest technology to “skim” information contained on magnetic stripes of cards and to pass security features such as holograms.
· Lost or Stolen Cards: Cards stolen from their cardholders or lost by them account for 23% of all card frauds. Often, cards are stolen from the workplace, gym, and unattended vehicles.
· No-Card Fraud: Comprises 10% of all the losses and is completed without the physical card in hand. This can happen by giving your credit card information on the phone to shady telemarketers and deceptive Internet sites that are promoting the sales of their non-existent goods and services.
· Non-Receipt Fraud: Is responsible for 7% of all losses. It occurs when new or replaced cards mailed by your card company are stolen during the process of being mailed. However, this type of fraud is on the decline with the card-activation process that most companies use. In 1992, non-receipt fraud represented 16% of the losses.
· Identity-Theft Fraud: Accounts for 4% of all losses, and occurs when criminals apply for a card using someone else's identity and information.
For example: PriceWaterhouseCoopers has set up a Cybercrime Prevention and Response Practice Team.
BIN (Bank Identification Number): The first 6 digits of a credit card number are known as the Bank Identification Number (BIN). These identify the institution that issued the card to the card holder.
20 (Airlines)
34 (American Express)
36 (Diners Club International)
37 (American Express)
40-9: VISA
51-55: MasterCard
65 (Discover Card)
Cognizable: PI is duty bound to take action, failing which he is criminally liable under PCA 1988 sec 13-D i.e. criminal misconduct of Public servant punishable for 7 yrs RI
ECONOMIC OFFENCES USING CREDIT CARDS Harshad S. Patil, B.Tech. (I.T.)(V.J.T.I.), PG.Dip. Cyber Crime Management 6/12/08
Fraud is the deliberate misrepresentation (or concealment) which causes another person to suffer damages, usually monetary losses. (Source: www.wisegeek.com/what-is-fraud.htm)
All multifarious means which human ingenuity can devise, and which are resorted to by one individual to get an advantage over another by false suggestions or suppression of the truth. It includes all surprises, tricks, cunning or dissembling, and any unfair way which another is cheated. (Source: Black’s Law Dictionary, 5th ed., by Henry Campbell Black, West Publishing Co.)
Examples of Fraud
Producing Fraudulent Financial Statements
Larceny – unlawful taking and removing of property with intent of permanently depriving the owner
Skimming – taking of property before it is recorded on the books
Kickbacks and bribes
Unauthorized or illegal use of confidential or proprietary information
Glossary:
Skimming: Describes the process in which a device is used to copy the magnetic stripe encoding off of a card - one reason card holders are cautioned against using ATM machines that look unusual.
Charge off: A loan or credit card debt written off as uncollectible from the borrower. The debt, however, remains valid and subject to collection.
Secure Socket Layer
This is a security protocol for data exchange on the Internet. Set up on a server, it reduces the chance that information exchanged between the merchant’s server and the purchaser’s browser is intercepted by a third party.
Secure payment gateway
It is an independent service acting as an intermediary between the merchant’s shopping cart and the different bank networks involved in the transaction (the purchaser’s bank card bank and the seller’s merchant account bank).
It verifies the validity and encrypts the details of each transaction, ensures the correct destinations for the data, and decodes the responses sent back to the shopping cart.
Internet Merchant Account (IMA)
This is the virtual terminal linked to the bank account; it enables the merchant to accept payment by bank card from its customers and to receive money for sales.
Internet Payment Service Provider (IPSP) or Payment Service Provider (PSP): a provider supplying an online payment solution. Cashtronics is an IPSP or PSP.
A chargeback takes place when the cardholder informs his/her bank that they have not authorized a transaction or that the product ordered by him/her has not been delivered. In other words, it is an outstanding amount because the merchant is required to reimburse the cardholder.
There are several levels of chargebacks, the most serious being for fraud, or if the card has been stolen.
If online credit card fraud scares consumers, then it absolutely terrifies merchants! While consumers have some protection against fraud, fraudulent credit card transactions are costing ecommerce merchants many millions of dollars annually.
Counting the cost of fraud.
There are a couple of winners when it comes to fraud... the people perpetrating the fraud of course, and the credit card issuing banks. The fees involved with chargebacks are horrendous - US$ 30 and upwards per transaction! Additionally, if you experience a high rate of fraud, you may wind up paying higher processing fees or have your merchant account terminated altogether. After being terminated, it's very difficult to gain processing services elsewhere. Proper fraud screening is critical in not only saving money, but it can also save your business.
An ISO 7812 number contains a single-digit Major Industry Identifier (MII), a six-digit Issuer Identification Number (IIN), an account number, and a single digit check sum calculated using the Luhn algorithm. The MII is considered to be part of the IIN.
The term "Issuer Identification Number" (IIN) replaces the previously used "Bank Identification Number" (BIN)
A card verification value, or CVV, is a three- or four-digit number printed on a credit card (and encoded on the mag strip) for fraud protection. It provides a cryptographic check of the information embossed on the credit card. The use of the CVV in an online transaction is intended to signify the physical presence of the card at the transaction’s origin, e.g. in the hands of an online customer, thus reducing the occurrence of credit card fraud in card-not-present transactions. Unfortunately, as CVVs have been captured and stored in merchant databases that are subsequently compromised, the anti-fraud value of the CVV has recently diminished.
These are the last three digits (or four digits for American express) of the number found on the back of bank cards. Without this number it is often impossible to carry out a purchase in an online shop.
Card Security Code / Card Identification Number (CIN): typically the last three digits printed on the signature strip on the back of the card. In the case of American Express cards, it can be a four-digit number printed (but not embossed) on the front of the card.
The first digit of your credit card number is the Major Industry Identifier (MII), which represents the category of entity which issued your credit card. Different MII digits represent the following issuer categories:
3 - travel/entertainment cards (such as American Express and Diners Club)
4 - Visa
5 - MasterCard
6 - Discover Card
The first 6 digits of your credit card number (including the initial MII digit) form the issuer identifier. This means that the total number of possible issuers is a million.
Issuer | Identifier | Card Number Length
VISA | 4xxxxx | 13, 16
MasterCard | 51xxxx-55xxxx | 16
Digits 7 to (n - 1) of your credit card number are your individual account identifier. The maximum length of a credit card number is 19 digits.
Because the final digit is the check digit, the maximum length of the account number field is 19 - 7, or 12 digits. Each issuer therefore has a trillion possible account numbers.
The final digit of your credit card number is a check digit, akin to a checksum.
Eg: 4408 0412 3456 7890
The first credit card offer showed a picture of a card with the number 4408 0412 3456 7890.
The Major Industry Identifier (MII) is 4 (banking and financial), the issuer identifier is 440804 (a VISA partner), the account number is 123456789, and the check digit is 0.
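The field layout and check digit described above can be checked on the merchant side before a number is ever sent for authorization. The following is an added example, not part of the original slides: it splits a number into MII, issuer identifier, account number and check digit using the issuer table from this page, and verifies the check digit with the Luhn algorithm. The function names are assumptions chosen for the example.

```python
# Added example: ISO 7812 field layout and Luhn check for form validation.

# Issuer table copied from the page: (name, lowest prefix, highest prefix, allowed lengths).
ISSUER_TABLE = [
    ("VISA", "4", "4", (13, 16)),
    ("MasterCard", "51", "55", (16,)),
]

MAX_LENGTH = 19  # maximum card number length stated on the page
IIN_LENGTH = 6   # issuer identifier, including the leading MII digit


def luhn_valid(digits: str) -> bool:
    """Return True when the final digit is the correct Luhn check digit."""
    total = 0
    # Walk right to left; every second digit, starting left of the check
    # digit, is doubled and reduced to a single digit.
    for position, char in enumerate(reversed(digits)):
        value = int(char)
        if position % 2 == 1:
            value *= 2
            if value > 9:
                value -= 9  # same as adding the two digits of the product
        total += value
    return total % 10 == 0


def identify_issuer(digits: str):
    """Match the leading digits against the page's issuer table."""
    for name, low, high, lengths in ISSUER_TABLE:
        prefix = digits[: len(low)]
        if low <= prefix <= high:
            return name, len(digits) in lengths
    return None, None  # issuer not covered by the table


def parse_card_number(raw: str) -> dict:
    """Split a card number into its fields and report the validation results."""
    digits = raw.replace(" ", "").replace("-", "")
    if not (digits.isascii() and digits.isdigit()):
        raise ValueError("card number must contain only digits, spaces or hyphens")
    # At least the 6-digit identifier, one account digit and the check digit.
    if not IIN_LENGTH + 2 <= len(digits) <= MAX_LENGTH:
        raise ValueError("card number length out of range")
    issuer, length_ok = identify_issuer(digits)
    return {
        "mii": digits[0],
        "iin": digits[:IIN_LENGTH],
        "account": digits[IIN_LENGTH:-1],
        "check_digit": digits[-1],
        "issuer": issuer,
        "length_ok": length_ok,
        "luhn_ok": luhn_valid(digits),
    }


if __name__ == "__main__":
    # The advert number quoted on the page.
    for field, value in parse_card_number("4408 0412 3456 7890").items():
        print(f"{field}: {value}")
```

The advert number from the page splits into exactly the fields listed above, but it fails the Luhn check, so a form applying this validation would reject it as mistyped.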
The magstripe can be "written" because its tiny bar magnets can be magnetized in either a north or south pole direction; it is very similar to a piece of cassette tape.
Credit Card Skimming is a method by which encoded information from the magnetic stripe of a credit card is gathered by an electronic credit card reader (skimmer). This information is used legitimately when processing a transaction. In the hands of a criminal the electronic credit card reader becomes a handy tool to gather information to use later in illegal transactions and purchases. Usually a criminal connects this "skimmer" to the credit card machine or a portable "skimmer" could be used to swipe your card when you are not looking. If you make a purchase, your information will automatically be stored in the "skimmer". At a later stage the criminal will use this information to make unauthorized purchases or encode this information on the magnetic stripe of a counterfeit card.
Credit card skimming often occurs in businesses where credit cards are used regularly, such as restaurants and other entertainment venues. In restaurants you will normally lose sight of your card when the waiter takes it to pay your bill. Some skimmers are as small as your hand, which makes it extremely easy for waiters to keep in their pouches.
During 2003 a crime syndicate was detected in New York, Connecticut and Massachusetts in the USA that smuggled Chinese immigrants into the US. The immigrants were forced to work as waiters in various Chinese restaurants to pay back money they owed to smugglers that assisted them to get into the country illegally. As waiters working in these restaurants they were forced by the crime ring to carry pocket-sized credit card skimmers and collect data from the cards of unsuspecting customers. The information they gathered was then handed over to the crime ring to pay off their debt.
‘Card skimming’ is the illegal copying of information from the magnetic strip of a credit or ATM card. It is a more direct version of a phishing scam.
The scammers try to steal your details so they can access your accounts. Once scammers have skimmed your card, they can create a fake or ‘cloned’ card with your details on it. The scammer is then able to run up charges on your account.
Card skimming is also a way for scammers to steal your identity (your personal details) and use it to commit identity fraud. By stealing your personal details and account numbers the scammer may be able to borrow money or take out loans in your name.
Merchant passes credit card to Payment Processor.
Payment Processor approves Customer and gives OK to Merchant to deliver.
Payment Processor bills Bank.
Bank bills Customer.
[Diagram: credit card transaction flow and the fraud that can enter it. Flow: Customer Applies, Bank Issues Credit Card, Customer Uses Card, Merchant Receives Card, Payment Processor Receives Card, Payment Processor Bills Bank, Customer Pays. Fraud annotations: Forged request; Issued by bank without demand from customer/supplied by dishonest courier; Stolen, ill-gotten card, theft, or skimmed; Illegitimate users (criminal involvement at both ends).]
Credit Cards or credit card information is usually fraudulently obtained through methods such as:
Card swapping at ATMs
Theft – often out of motor vehicles or houses
E-mails purporting to come from the credit card service provider (Phishing)
Bogus Internet web sites
Credit card numbers are bought and sold in underground "carder" forums, which bring together the people who have stolen the credit card numbers with those who want to use them. These charitable donations are typically made by the person buying the card numbers as a final check to ensure that the numbers will work,
A thief goes through trash to find discarded receipts or carbons, and then uses your account number illegally.
A dishonest clerk makes an extra imprint of your credit card and uses it to make personal charges.
You respond to a mailing asking you to call a long distance number for a free trip or bargain-priced travel package. You are told you must join a travel club first, and you are asked for your account number. From then on you receive charges on your bill which you didn't make, and you never get the trip.
CCF is theft and fraud carried out using a credit card or any similar payment mechanism as a fake source for a fund transaction.
A credit card fraud is a transaction that is completed with your credit card by someone else. Often a fraudulent transaction is made hours after the credit card or card number is stolen or lost; often before the cardholder gets the chance to report the card as missing or stolen.
Card swapping – where a customer’s ATM card is swapped for another card without their knowledge whilst undertaking an ATM transaction.
Card jamming – where an ATM machine card reader is deliberately tampered with so that a customer’s card will be held in the card reader and cannot be removed from the machine by the customer. The criminal removes the card once the customer has departed.
Vandalism – where an ATM machine is deliberately damaged and/or the card reader is jammed preventing the customer’s card from being inserted.
Physical attacks – where an ATM machine is physically attacked with the intention of removing the cash content.
Mugging – where a client is physically attacked whilst in the process of conducting a transaction at an ATM machine.
Modus Operandi of CCF using Identity Theft
Sale of ID data. Goods available on underground servers (Symantec data for Jan – June 2007):
1. Credit cards (22%): US$ 0.50 – 1
2. Bank accounts (21%): US$ 30-400
3. Email passwords (8%): US$ 1-350
4. Full identity (6%): US$ 10-150
OBTAIN IDENTITY INFORMATION; FRAUD AND OTHER OFFENCES
Credit fraud can fall into one of five categories:
Counterfeit credit card
Lost or Stolen Cards
Identity Theft Fraud
CC mail order fraud
Statistics show that the misuse of lost or stolen credit cards is still the most popular type of credit card fraud in India. Counterfeit credit cards are, however, increasing at an alarming rate. Fraudsters will typically use fraudulent credit cards to buy cigarettes, cellular phones and computers, jewelry, and other electronic items.
Credit card fraud has become such an issue that no precise number can truly define the global losses. And while most financial institutions are rather sensitive about the subject, a report from the FBI indicated that credit cards were largely responsible for the $315 billion loss the U.S. endured from financial fraud in 2005. A recent study in Europe also revealed that well over 22 million consumers fell victim to credit card fraud in 2006.
To truly understand the risk and likelihood of credit card fraud, you must first make yourself familiar with a brand new lingo. Terms such as "phishing", "pharming", "skimming" and "dumpster diving" may not sound malicious, but these are in fact just a few of many ways that money can be thieved from your credit card.
Below you will find more details on these popular techniques and how they are used to commit credit card fraud:
Phishing - This technique refers to randomly distributed emails that attempt to trick recipients into disclosing account passwords, banking information or credit card information. This one scam has played a major factor in the crisis we face today. Since phishing emails typically appear to be legitimate, this type of crime has become very effective. Well designed, readily available software utilities make it nearly impossible to trace those guilty of phishing. Phishtank, an anti-phishing organization, recently revealed that nearly 75,000 attempts of this nature are made each month.
Skimming - This device is usually secretly mounted to an ATM machine as a card reader.
Dumpster diving - This shameless act refers to a process in which an individual vigorously sifts through someone else's trash in search of personal and financial information. With a mere credit card approval that contains a name and address, a criminal can easily open up a credit card in your name and accumulate substantial debt in no time.
Pharming - This new technique is one of the most dangerous of them all. Pharming involves a malicious perpetrator tampering with the domain name resolution process on the Internet. By corrupting a DNS (Domain Name System), a user can type in the URL for a legitimate financial institution and then be redirected to a compromised site without knowledge of the changes. Unaware of the background predators, the consumer types in their bank account details or credit card number, making them the latest victim of fraud.
Microdot printing on checks, hidden markings on checks and cards that show up on color photocopiers, holograms, magnetic strips, and now embedded chips–all these and many more advances have raised the level of skill and equipment needed for fraudsters to counterfeit checks and cards.
Dedicated fraudsters quickly acquire the skills and equipment, so are soon able to produce checks and cards that are extremely difficult to identify as counterfeit. In fact,
International organized crime groups that specialize in counterfeit credit cards generally lie beyond the reach of local police, although their markets certainly lie within local neighborhoods.
These groups became very active in Southeast Asia toward the end of the 1990s, and in a short time, have managed to overcome every new security feature introduced into plastic-card manufacture.
Their distribution system employs Asians in large North American and European cities.
Many card issuers are eager to get customers. In recent years, the competition has become very intense.
The mail and Internet are loaded with tempting offers, and it is now very easy to get a credit card.
Many card issuers do not hold cardholders responsible for any loss incurred through fraudulent use by another.
Thus, cardholders have no real motivation to take security precautions. In fact, they may even collude with others.
Retailers may bear the loss in card-not-present sales, and card issuers in standard credit-card sales.
Although police face these and other obstacles when addressing check and card fraud, there is much that can be done.
Be aware that most card fraud is due to factors beyond police control
Security flaws in card design and production
Police do not have access to the vulnerability points in the complex transactions that make up card processing.
Inherent difficulty to verify a card user's identity
Internet increased the opportunities for fraud, greatest impact through fraudulent card-not-present sales
Information about counterfeiting, skimming, and hacking is now available on the Internet
To some extent, the sheer volume of card use accounts for the increased amount of card fraud.
In the United Kingdom, the United States, and Australia, debit and credit card use has increased tremendously over the last 20 years, although in the U.S., checks remain the primary form of payment (besides cash).
In Japan, credit cards have been very slow to catch on, but debit cards have gained wider acceptance.
These differences are largely related to the structure of financial service markets in the various countries.
The amount of card fraud committed internationally has substantially increased in recent years. For example, the proportion of fraud committed abroad on U.K. cards has doubled in the past decade.
Although the rate of check fraud has decreased considerably in the past decade, the financial loss due to check fraud continues to increase, simply because of the increase in the volume of sales. There is a technological "arms race."
Each technological advance makes it harder and harder to counterfeit checks and cards.
Fraud prevention techniques
Tactical Guidelines
Enterprises selling online should:
• Assess their risk exposure to online credit card fraud based on their own experiences and on the types of goods and services they sell.
• Implement internal rules and procedures that can identify many potential frauds.
• Consider using fraud-prevention products and services to assess each transaction attempt if the risk of fraud is significant.
SSL is a protocol developed by Netscape for transmitting private documents via the Internet. SSL works by using a private key to encrypt data that's transferred over the SSL connection. Both Netscape Navigator and Internet Explorer support SSL, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers. By convention, URLs that require an SSL connection start with https: instead of http:.
128-bit encryption - Cryptographers consider 128-bit encryption practically impossible to crack (it would take millions of years with the fastest computers to try all the combinations). With 128-bit encryption you can ensure that your international customer base will be able to exchange information with you using the strongest possible encryption.
How does SSL Work?
Client requests a secure resource.
Web-server presents its certificate.
Client verifies the certificate.
Client generates a Session Key (40, 56 or 128bit).
Client extracts the public key from the web server certificate and encrypts the session key.
Client then sends encrypted key back to the Web-server.
Web-server decrypts the session key and both now have a common key for that session.
Both the web-site and the client can now communicate securely.
When the browser closes the window or server drops the connection the session is terminated.
Next time browser comes back to the same page a new session key is generated.
MELBOURNE: An Australian technology firm has come up with a unique battery power super card, which they believe can fight online fraud.
The company reckons that it can stop up to $1 billion a year in credit card fraud with its invention.
The card includes an alpha-numeric display, a built-in microprocessor, a keypad and three years of battery power, and will display a one-time number with which to authenticate each online credit card transaction whenever the user enters the PIN.
The technology was developed by a small Deloitte-backed technology firm based in Adelaide and Melbourne called EMUE Technologies.
Each card costs around five times more than a regular credit card to produce and will be sold to bank customers for between $18 and $30 each.
The technology could also be used for verifying your bank’s identity when it calls you over the phone. “When the card is created for the user it has a unique seed on it, and that unique seed is stored with the bank along with the pin the user chooses.
If I enter the wrong pin [into the credit card] it will still generate a number for me, but when I put that into the browser [to buy something] it will reject that as a transaction.
MessageLabs (service provider) is able to offer a 100% virus detection service-level agreement. Outbound content inspection capabilities are above average and include dictionaries in multiple languages and credit card and SIN detection, but workflow is limited.
Sophos (antivirus) Outbound filtering capabilities include content inspection dictionaries covering credit cards, SSNs but are limited to the Unix compliance module.
Address Verification System (AVS) codes are generated at the time the merchant requests credit card authorization.
The code tells the merchant if the billing address provided on the order matches the billing address of record for the credit card number. Specific codes mean different levels of matching. For example, the credit card payment company Paymentech(c) (one of many such companies that offer AVS) uses the following AVS response codes (among others):
I-1 means the billing address on the order is a complete match to the billing address of record for the credit card provided.
I-5 means that only the Zip Code doesn't match; perhaps the customer has been issued a new one without updating the billing address of record.
The codes to worry about are I-4 and I-8.
AVS code I-4 means that the street address isn't a match, while the Zip Code does match. Blocking such orders may seem to be a given, but there's a slight problem. AVS logic looks for a number at the beginning of an address. Addresses that begin with a letter aren't recognized and result in an I-4 code. Too many customers use addresses that begin with a letter (P.O. Box 100, or One Rockefeller Plaza) to make this a suspect code.
AVS code I-8 means that nothing matches - the street address and the Zip Code are both different. Perhaps the customer moved and forgot to change the address, but this is probably an NCE attack, which is sending randomly generated credit card numbers with the addresses of their forwarders in both the billing and ship-to address fields. Beware.
Canceling I-8 orders
Many companies have begun canceling orders that are coming back from Paymentech(c) with an AVS code of I-8. The customer is notified that the billing address of record didn't match the billing address entered on the order. The customer can re-order using the proper address from his credit card statement. This simple step saved the previously mentioned company $4 million in credit card "charge backs" in addition to the handling time. A charge back is the process in which the true credit card holder refuses payment for a good or service that he didn't order. The merchant's account is debited for the money unless the merchant can prove that the card holder actually received the good or service.
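The AVS handling described above can be written down as an order-screening rule. The following is an added example, not code from Paymentech or from the original slides: it covers only the four codes quoted on this page, and sending an I-4 order to manual review when the address does begin with a number is an assumption of the example (the page only says I-4 cannot be blocked outright). The sample orders are constructed.

```python
# Added example: merchant-side policy for the AVS codes quoted on this page.
import re

ACCEPT, REVIEW, CANCEL = "accept", "review", "cancel"


def address_has_leading_number(address: str) -> bool:
    """AVS compares the number at the start of the street address."""
    return re.match(r"\s*\d", address) is not None


def avs_decision(code: str, billing_address: str):
    """Return (action, reason) for one order."""
    code = code.strip().upper()
    if code == "I-1":
        return ACCEPT, "billing address fully matches the address of record"
    if code == "I-5":
        return ACCEPT, "only the Zip Code differs"
    if code == "I-4":
        # Addresses such as 'P.O. Box 100' or 'One Rockefeller Plaza' always
        # come back as I-4, so the code says nothing about those orders.
        if address_has_leading_number(billing_address):
            # Assumption of this example: a readable street number that did
            # not match is worth a manual look rather than a block.
            return REVIEW, "street number was readable and did not match"
        return ACCEPT, "address starts with a letter, AVS could not compare it"
    if code == "I-8":
        return CANCEL, ("neither street address nor Zip Code matches; "
                        "ask the customer to re-order with the statement address")
    return REVIEW, "AVS code not covered by this policy"


def screen_orders(orders):
    """Map each order id to the action chosen for it."""
    return {o["id"]: avs_decision(o["avs"], o["billing_address"])[0] for o in orders}


# Constructed sample orders (not real data).
SAMPLE_ORDERS = [
    {"id": "A1", "avs": "I-1", "billing_address": "12 Main Street"},
    {"id": "A2", "avs": "I-5", "billing_address": "12 Main Street"},
    {"id": "A3", "avs": "I-4", "billing_address": "P.O. Box 100"},
    {"id": "A4", "avs": "I-4", "billing_address": "One Rockefeller Plaza"},
    {"id": "A5", "avs": "I-4", "billing_address": "450 Elm Avenue"},
    {"id": "A6", "avs": " i-8", "billing_address": "77 Harbour Road"},
    {"id": "A7", "avs": "ZZ", "billing_address": "9 Mill Lane"},
]

if __name__ == "__main__":
    for order_id, action in screen_orders(SAMPLE_ORDERS).items():
        print(order_id, action)
```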
Internet credit card orders require the merchant to enter into a credit card transaction similar to a person coming into a store with a bag on their head and trying to make a credit card purchase without ID or bothering to sign the credit card slip. Who would allow such a thing? Internet merchants do it every day!
CHIP AND PIN METHOD site: http://www.chipandpin.co.uk/
"Chip and PIN" is the name used for the new EMV Card Payments System, designed by Europay, Mastercard and Visa to augment and eventually replace magnetic stripe payment cards in Europe.
Microchip technology
The ease with which credit cards with magnetic stripes are used to defraud companies, financial institutions and individuals has made it necessary for banks and other card issuing companies to implement microchip card technology, because cards with magnetic stripes can too easily be cloned. The cardholder’s information will be stored on a microchip, which will be much safer than the magnetic stripe. The new standard, to which all role players must adhere, will come into operation on 1 January 2005. This new standard was dubbed EMV, taken from the first letters of the three companies that initiated it, namely Europay, Visa and MasterCard. This technology was introduced in France more than 10 years ago. According to the credit card industry in this country, card fraud dropped by 80% after the new technology was introduced.
This new prevention method does not come cheap, and banks are spending millions changing from the old magnetic stripe cards to the new generation microchip cards. It is estimated that the conversion process in South Africa will entail issuing new cards to 16-million users, upgrading 9000 ATMs throughout the country, upgrading 130 000 point-of-sale terminals and upgrading back-end processing systems to handle the new technology. This will come at a price tag of between R 1,5bn and R 2bn extended over a period of 10 years. Converting a top of the range ATM can cost as much as R 30 000.00.
This technology will, however, require the customer to enter a PIN code every time they use the credit card. This is safer due to the fact that merchants or cashiers will no longer have to verify signatures. Studies in Europe have shown that signature based products are more susceptible to fraud than those that are PIN based. One advantage of smart card technology is that a credit card will be able to hold a considerable amount of information.
This will ensure that even merchants in rural areas will be able to accept payments without telephonic access to a bank. Some of the major banks have started issuing the new cards to their employees for internal trials and to certain clients.
Difference between normal and Chip n Pin Method
Offline Counterfeiting: Chip and PIN counterfeit cards can still be used offline in terminals that are not connected to the bank's network or have been temporarily disconnected. The fraudster does not even need to know the PIN.
Cross-Border Fraud: One easy fraud will be replaced by another when Chip and PIN fails to close off important avenues of fraud. The customer gets all the hassle and gains nothing.
Fallback: The same old fraud can continue because magnetic stripe technology is not on the way out for a long time.
Devices for breaching CHIP and PIN
Tamper resistance of Chip & PIN (EMV) terminals
Chip & PIN (EMV) Interceptor : It does not copy the chip! It only gains enough information from overhearing the conversation to make a magnetic stripe counterfeit.
Chip & PIN (EMV) relay attacks
The terminal sends the card a random number, known as a challenge.
The customer then enters their PIN into the terminal and it is sent to the card.
The card computes a cryptographic response that incorporates the challenge, whether the PIN was entered correctly, and a secret known only to the card and the bank which issued it (the terminal does not know this secret).
The purpose of including the challenge is so that the terminal can detect whether an old response is being replayed.
The response is sent back to the terminal, which then goes on-line and sends the challenge and response to the bank, which will verify them.
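The exchange described in the steps above, as an added example that is not part of the original slides and is not EMV's actual cryptogram format: HMAC-SHA256 stands in for the card's cryptographic response, and the class names, card id and PIN are constructed for the model. It shows why a fresh challenge and a response keyed with the card secret let the bank reject an old response and a changed PIN verdict.

```python
# Added example: simplified model of the challenge/response exchange.
# HMAC-SHA256 is a stand-in; real cards use the scheme defined by EMV.
import hashlib
import hmac
import secrets


def cryptogram(secret: bytes, challenge: bytes, pin_ok: bool) -> bytes:
    """Response over the terminal's challenge and the card's PIN verdict."""
    verdict = b"\x01" if pin_ok else b"\x00"
    return hmac.new(secret, challenge + verdict, hashlib.sha256).digest()


class Card:
    def __init__(self, card_id: str, secret: bytes, pin: str):
        self.card_id = card_id
        self._secret = secret  # known only to the card and the issuing bank
        self._pin = pin

    def respond(self, challenge: bytes, entered_pin: str):
        pin_ok = hmac.compare_digest(entered_pin.encode(), self._pin.encode())
        return pin_ok, cryptogram(self._secret, challenge, pin_ok)


class Bank:
    def __init__(self):
        self._secrets = {}

    def issue(self, card_id: str, pin: str) -> Card:
        secret = secrets.token_bytes(32)
        self._secrets[card_id] = secret
        return Card(card_id, secret, pin)

    def verify(self, card_id, challenge, pin_ok, response) -> bool:
        secret = self._secrets.get(card_id)
        if secret is None:
            return False
        expected = cryptogram(secret, challenge, pin_ok)
        return pin_ok and hmac.compare_digest(expected, response)


class Terminal:
    def __init__(self, bank: Bank):
        self.bank = bank

    def pay(self, card: Card, entered_pin: str, respond=None) -> bool:
        challenge = secrets.token_bytes(8)  # fresh random number per transaction
        pin_ok, response = (respond or card.respond)(challenge, entered_pin)
        # The terminal forwards its own challenge, never one supplied to it.
        return self.bank.verify(card.card_id, challenge, pin_ok, response)


def demo() -> dict:
    bank = Bank()
    card = bank.issue("card-001", pin="4921")  # constructed values
    terminal = Terminal(bank)
    captured = {}

    def recording(challenge, pin):
        captured["reply"] = card.respond(challenge, pin)
        return captured["reply"]

    def replaying(challenge, pin):
        return captured["reply"]  # old response, made for an earlier challenge

    def altered_verdict(challenge, pin):
        _, mac = card.respond(challenge, pin)
        return True, mac  # verdict changed in transit, response unchanged

    return {
        "correct_pin": terminal.pay(card, "4921", recording),
        "wrong_pin": terminal.pay(card, "0000"),
        "replayed_response": terminal.pay(card, "4921", replaying),
        "altered_pin_verdict": terminal.pay(card, "0000", altered_verdict),
    }


if __name__ == "__main__":
    print(demo())
```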
PIN Entry Device (PED) vulnerabilities
By tapping these communications, fraudsters can obtain the PIN and create a magnetic strip version of the card to make ATM withdrawals in the UK and abroad.
Two popular PEDs, the Ingenico i3300 and Dione Xtreme, fail to adequately protect card details.
IAS (Internet Access System) supports the built-in fraud protection services provided by the processing network, including AVS (Address Verification Service) and Card Verification Value. In addition, IAS provides enhanced tools and services to help you maximize revenue and profit potential—actually helping you to convert more orders to sales and reduce chargebacks.
Supports Verified by Visa and MasterCard SecureCode services (3D Secure standard)
Additional fraud screen available to control risk on non-Visa or MasterCard transactions
Works with any payment system
Single connection provides access (also available as a software component)
Minimize online credit card fraud and customer disputes
Receive chargeback protection on qualifying transactions
Implement easily via single Internet connection or single software component
Obtain relief from fraud liability (pending compliance)
Member verification (for online transactions e.g.: ecommerce)
Profit and competitive advantage
Record keeping and audit trail
Suggested Precautions to be taken by merchants for prevention of online CCF
Geolocation by IP address
Know the online buyer's geographic information to prevent fraud. Identify locations where the probability of fraud is the highest. This allows additional authentication measures or identification for those transactions which show a great difference of distance. Legitimate customers welcome legitimate authentication measures, which also protect them from credit card fraud and keep the costs of doing business on the Internet down, especially if the customer is properly informed and advised by the merchant of these protection measures.
Comparison of the IP address country with the billing address country
An IP address is a unique network identifier issued by an Internet Service Provider to a user’s computer every time they are logged on to the Internet. Make sure the IP address country and the billing address country are the same.
Check whether the country is a “high risk” country
ClearCommerce® survey: The top 12 international sources for online fraud are Ukraine, Indonesia, Yugoslavia, Lithuania, Egypt, Romania, Bulgaria, Turkey, Russia, Pakistan, Malaysia, and Israel.
The same survey also showed that the 12 countries with the lowest fraud rates are Austria, New Zealand, Taiwan, Norway, Spain, Japan, Switzerland, South Africa, Hong Kong, the UK, France, and Australia. Pay more attention if the card or the shipping address is in an area prone to credit card fraud.
Since these countries are alien to us (Pakistan), they will never cooperate in an investigation, and so it becomes a perfect crime: impossible to detect, and the beneficiary of the fraud is guaranteed to go scot-free.
Check whether an anonymous proxy server was used to place the order
The main purpose of using a proxy server is to remain anonymous or to avoid being detected. While well-known businesses use this to protect internal networks, fraudsters hide themselves behind anonymous proxy servers. It is not easy to detect anonymous proxy servers because they appear and disappear from time to time.
FraudLabs™ provides a hassle-free method of keeping an always up-to-date anonymous proxy server list, offered as a web service.
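The three merchant-side checks above (IP country against billing country, high-risk country, anonymous proxy) can be combined into a single order screen. This is an added example, not code from the original page or from any vendor named on it: the GeoIP table, the proxy list, the sample orders, the flag names and the escalation rule are all constructed assumptions, and only the high-risk country names come from the survey quoted above.

```python
import ipaddress
from dataclasses import dataclass

# Constructed GeoIP table over documentation-only ranges (RFC 5737); a real
# deployment would query a maintained geolocation database instead.
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "UK"),
    (ipaddress.ip_network("198.51.100.0/24"), "Ukraine"),
    (ipaddress.ip_network("203.0.113.0/24"), "Japan"),
]
# Constructed stand-in for a regularly refreshed anonymous-proxy list.
ANONYMOUS_PROXIES = {ipaddress.ip_address("203.0.113.77")}
# The twelve "high risk" sources named in the survey quoted on this page.
HIGH_RISK = frozenset(c.casefold() for c in (
    "Ukraine", "Indonesia", "Yugoslavia", "Lithuania", "Egypt", "Romania",
    "Bulgaria", "Turkey", "Russia", "Pakistan", "Malaysia", "Israel"))


@dataclass
class Order:
    order_id: str
    ip: str
    billing_country: str
    shipping_country: str


def _parse_ip(text):
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def ip_country(text):
    """Country for an IP string, or None if it is malformed or not in the table."""
    addr = _parse_ip(text)
    if addr is None:
        return None
    for network, country in GEO_TABLE:
        if addr.version == network.version and addr in network:
            return country
    return None


def screen(order):
    """Return (flags, action) for one order."""
    flags = []
    billing = order.billing_country.strip().casefold()
    shipping = order.shipping_country.strip().casefold()
    country = ip_country(order.ip)
    if country is None:
        # An IP that cannot be located is itself worth a second look.
        flags.append("ip_unresolved")
    else:
        if country.casefold() != billing:
            flags.append("ip_billing_mismatch")
        if country.casefold() in HIGH_RISK:
            flags.append("high_risk_ip_country")
    if billing in HIGH_RISK or shipping in HIGH_RISK:
        flags.append("high_risk_address")
    if _parse_ip(order.ip) in ANONYMOUS_PROXIES:
        # Behind a proxy, the located country describes the proxy, not the buyer.
        flags.append("anonymous_proxy")
    if not flags:
        action = "accept"
    elif "anonymous_proxy" in flags or len(flags) >= 2:
        action = "manual_review"
    else:
        action = "step_up_authentication"
    return flags, action


# Constructed sample orders.
SAMPLE_ORDERS = [
    Order("A", "192.0.2.10", "UK", "UK"),
    Order("B", "198.51.100.5", "UK", "UK"),
    Order("C", "203.0.113.77", "Japan", "Japan"),
    Order("D", "not-an-ip", "UK", "UK"),
    Order("E", "203.0.113.9", "japan", "Romania"),
]


def screen_all():
    return {o.order_id: screen(o) for o in SAMPLE_ORDERS}


if __name__ == "__main__":
    for order_id, (flags, action) in screen_all().items():
        print(order_id, action, flags)
```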
Secure Socket Layer and new layer for CCF prevention
Firewalls and upgrades (for online CCF)
But because cost increases with the number of tools used, this is not economically feasible, and therefore fraudsters are fortunate and get the opportunity to rob people through plastic money and go scot-free due to a legal lacuna in the system. (Suggestion: There should be strict liability, and the burden of proof should be on the accused, as in food adulteration laws and customs laws.)
Protect yourself!
Keep your credit card and ATM cards safe. Do not share your personal identification number (PIN) with anyone. Do not keep any written copy of your PIN with the card.
Check your bank account and credit card statements when you get them. If a transaction looks suspicious, report it to your credit union or bank.
Choose passwords that would be difficult for anyone else to guess.
1. Indian jailed for Britain's biggest credit card fraud
Oct 2008: An India-born computer specialist who was the mastermind behind Britain's biggest fake credit card racket has been jailed for six years.
Anup Patel (30) and his accomplices had amassed nearly £2 million (over $3 million) by making counterfeit credit cards and using them in several countries in Asia and Europe. Police believe they would have cheated people of 16 million pounds by now had they not been caught.
A computer sciences graduate from Kingston University, Patel stole original credit card numbers and PIN (Personal Identification Numbers) and engraved them on counterfeit cards.
The fake cards were transported by one of his accomplices, Anthony Thomas (jailed for 2 years), to countries in Asia like Thailand and eastern Europe where the chip-and-PIN security system is not in use. Local members of the gang withdrew money using those cards by faking signatures of the original card holders.
The police launched an investigation after motorists using the M25 petrol pumps started receiving credit card statements citing purchases and cash withdrawals in various countries.
Patel managed to steal details of nearly 19,000 cards. Police suspect that Patel's gang collected the data from petrol pumps on the M25 motorway near London with the help of secret cameras and data card readers. They still do not have a clue as to how these gadgets were installed. Thousands use these pumps for fuel daily and payment is almost always through credit cards.
The operation was busted in October, 2006 when the police, acting on an intelligence tip off, raided Patel's rented office premises at the Croydon House Business Centre in south London.
They found a literal computer factory inside the premises: Thousands of magnetic strips and blank plastic cards, a library of 19,000 skimmed card and PIN details, holograms, card printers, corrupted payment terminals and £20,000 in cash.
Patel gave himself up to the police after learning that his accomplices had been arrested in Thailand and at London's airports.
When the case came to court, prosecutor David Povall told the jury at the Croydon Crown Court that both men had previous criminal records. Patel was jailed for two years for a credit card fraud in France 10 years ago, and Thomas had 65 previous convictions. During the investigation, the police found they had links with criminal gangs in other countries, including Thailand and Turkey.
Patel, who lived in Thornton Heath in South London, was born in India and came to Britain at the age of two. He obtained a degree in computer sciences from Kingston University in 2006, leading police to believe that he was trying to beat the chip-and-PIN system even as he was studying.
2. Busting of Fake Credit Card racket near Toronto makes this a good time to revisit Credit Card Fraud!
A fake credit card racket was busted in the last week of January this year in Markham near Ontario. Using specialized equipment, the fraudsters were converting ordinary plastic cards to credit cards, health cards, social insurance cards and whatever else you can imagine.
In the second week of this month, the State Attorney General of Oklahoma warned residents of the state that internet fraud was on the rise in the area. While the two incidents may not be related, it will do us good to heed these as a warning.
A resident of the state in fact, alerted the police after he received a phony credit card in his ordinary mail. The card came along with a letter requesting the recipient to confirm his bank details to enable activation of the card. The letter also directed the resident to a website where the relevant details could be submitted.
Having the advantage of being familiar with such scams, the alert resident's suspicions were immediately aroused, and he reported the matter to the police.
What the scammers were aiming at was to get hold of such critical information as bank account numbers and/or social security numbers and to misuse it for personal gain. In internet fraud parlance, this is commonly known as phishing and identity theft.
3. 45.6 million cards hacked in biggest ever credit fraud
Eleven people have been indicted in Boston for stealing and selling 41 million credit and debit card numbers they obtained by hacking into the computers of nine major US retailers, the US Justice Department said.
In what the department believes is the largest hacking and identity theft case it has ever prosecuted, the stolen numbers were sold via the Internet to other criminals in the US and Eastern Europe and used to withdraw tens of thousands of dollars at a time from ATMs.
The eleven defendants include three US citizens, three from Ukraine, two from China, one from Belarus, one from Estonia and one whose place of origin is unknown, the department said in a statement. The indictment was returned Tuesday by federal grand juries in Boston, Massachusetts, and San Diego, California.
The indictment alleges that after they collected the data, the conspirators concealed the data in encrypted computer servers that the defendants controlled in Eastern Europe and the United States. From there, the stolen numbers were “cashed out” by encoding card numbers on the magnetic strips of blank cards, and then used to extract cash from ATMs, the Justice Department said.
The defendants were allegedly able to conceal and launder their fraud proceeds by using anonymous Internet-based currencies both within the United States and abroad, and by channeling funds through bank accounts in Eastern Europe, it added.
“So far as we know, this is the single largest and most complex identity theft case ever charged in this country,” said US Attorney General Michael Mukasey. “While technology has made our lives much easier it has also created new vulnerabilities,” said US Attorney for the District of Massachusetts Michael Sullivan.
The 11 people — including three Americans — allegedly targeted such retailers as TJX Companies, BJs Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW.
Prosecutors say the defendants hacked into the computer networks of nine major U.S. retailers, including TJX. The Framingham-based company disclosed a massive computer security breach in late 2006. The indictments were handed down by federal grand juries in Boston and San Diego.
U.S. Attorney General Michael Mukasey says the hackers were able to gather enormous amounts of personal financial data, which they allegedly sold to others or used themselves. Mukasey says it's "impossible to quantify" the total dollar amount of the theft, which caused widespread losses for banks, retailers and consumers.
Those named in the indictment allegedly sold the information to criminals abroad and in the U.S., or encrypted blank credit cards to withdraw money from ATMs, officials said.
Prosecutors say three of the defendants are U.S. citizens from Miami, while others are from China, Estonia, Ukraine and Belarus. The scheme is believed to be the largest identity theft case ever prosecuted by the federal government.
Delhi Police busts credit card racket- arrested five in Delhi and UK NRI is on the run
New Delhi, April 02, 2008 Santosh Kumar
Delhi Police Crime Branch arrested five people- Vivek Prasad, 27, Nafees Ahmed, 37, Raju Khan, 27, Brijesh Yadav, 27, Dildar Hussain, 32, in south Delhi and recovered 21 fake credit cards from them. The racket has exposed the negative side of the technology advancements.
Deputy Commissioner of Police, Crime Branch, Anil Shukla told media in New Delhi:
More than 20 UK residents were cheated of Rs.3 million (30 lakh with the help of cloned credit cards) after the gang obtained information encoded on their credit cards issued by seven British banks such as Barclays Bank and Lloyds TSB Bank.....
The police intercepted a Maruti Wagon car at Netaji Subhash Place and arrested the persons. A case of cheating (Sec 420) and fraud (Sec 25) has been lodged against them with Saraswati Vihar police station.
The NRI Loknathan, in the UK, used to swipe his victims' credit cards on a skimmer, a small portable device like a pager that records all the information encoded in the microchip of the card. Loknathan has been operating the scam for the past three months.
In the UK, the owner of a credit card does not pay if any fraud is involved. The loss was borne either by the bank or by the insurance company. Since the fraud occurred in India, no one pursues the matter from the UK.
According to the police, the group had at least eight such transactions in the past three months. They carefully used a credit card once and never visited the shopping area again. They used to swipe the cloned credit cards with the help of shopkeepers and owners of the swipe machines.
Mostly they bought jewelry, laptops and mobiles worth lakhs of rupees and collected cash return by paying 5-6% commission to the swipe machine owners
Vivek Prasad, a Bangalore University graduate who worked as a business development executive in a firm in Hyderabad, is the mastermind of the racket. He used to procure information on credit cards from one of his associates, Loknathan, in the UK. Loknathan used to visit India often for the past six months.
Vivek then collaborated with Ahmed, who used to run a call centre for the HDFC Bank. Ahmed and his recruits used to run these cards on swipe machines in Delhi. With the help of swipe machine owners, they used each card depending on its credit limit. Ahmed and his friend were keeping 10-20% of the amount.
Vivek transferred 40% of the transaction to Loknathan in UK.
Operation began in November, 2006 when Seattle, WA United States Secret Service (USSS) office requested Jacksonville USSS office to locate and interview suspects identified in credit card fraud scheme with Magic Online (an online gaming company).
Carreras located and initial interview conducted on 11/16/2006.
The investigation revealed that in January of 2006, Carreras had met a subject on-line through a spam email offering a job opportunity designing web pages. That subject then in turn started him in a scheme that used stolen credit card numbers to purchase "event tickets" for use in the Magic Online game, which were then sold on EBay and the profit split between the two.
Sometime during the summer of 2006 Carreras and his partner quit the Magic Online account scam and began engaging in direct credit card scams, by purchasing "packets" of credit card data from persons on underground chat rooms.
With the information obtained on the chat rooms, and online background checks bought through legitimate online companies, the two then began purchasing money transfers from Western Union online. Western Union requires that for any purchase made online the purchaser has to call Western Union and validate the transfer by answering several questions about themselves, which is why it was necessary to purchase the backgrounds on the people whose credit card information had been purchased.
Carreras eventually began operating on his own and ultimately ended up recruiting other local persons to assist him in his illegal enterprise, listed below.
Carreras initially cooperated with the authorities in their attempts to positively identify his source and initial partner. But, even while cooperating he was still conducting his fraudulent activities.
Carreras, and two other suspects Melissa Renee Caraballo and Michael Duane Widrig II, fled the northeast Florida area in January of 2007. Arrest warrants were obtained for him, and the other two suspects.
On May 7, 2007, Carreras, Caraballo, and Widrig were located by Secret Service Agents, and members of the Las Vegas Metropolitan Police SWAT team at a Las Vegas, Nevada Suzuki Motorcycle Dealership.
Agent Rohrer and Detective Brown traveled to Las Vegas and interviewed all three suspects, again.
On May 22, 2007, they were returned to Florida and booked into the Putnam County Jail. Carreras remains in jail without benefit of bond, Widrig is still in jail with a $75,000 bond, and Caraballo was released from jail on 5/30/2007 with a $10,000 bond.
There are, at this time, eight known unnamed co-conspirators in this northeast Florida organization. There has been in excess of $50,000 worth of illegal wire transfers attributed to this one group.
This northeast Florida organization is tied into a much larger nationwide organization, which is responsible for even more illegal wire transfers, totaling hundreds of thousands of dollars. The investigation continues, with more arrests anticipated.
Florida Police: Credit card racket case: contd.. Arrested people
Simon Peter Carreras, 23 years of age, Charged with: Violation of Racketeer Influenced and Corrupt Organization Act (similar to MCOCA in Maharashtra) and Organized Scheme to Defraud in excess of $50,000
Melissa Caraballo, 18 years of age, Charged with Organized Scheme to Defraud in excess of $300.00
Michael Duane Widrig II, 21 years of age, Charged with Organized Scheme to Defraud in excess of $300.00
Amy Leigh Bishop, 21 years of age, Arrested on 5/31/2007, charged with Organized Scheme to Defraud in excess of $300.00, still in Putnam County Jail, bond $50,000
Randall Karry Ritchie Jr, 31 years of age, Arrested on 5/24/2007, charged with Organized Scheme to Defraud in excess of $300.00. Released from jail on 5/24/2007 on $75,000 bond.
Edward Bruce Dodd, 36 years of age, Arrested on 5/7/2007, charged with Organized Scheme to Defraud in excess of $300.00. Still in Putnam County Jail, bond set at None by 1st appearance judge.
Eddie Ramon Renta-Aler, 27 years of age. Arrested on 5/3/2007, Organized Scheme to Defraud in excess of $300.00. Released from jail on 5/4/2007 on $15,000 bond.
Amber Dawn Renta-Aler, 26 years of age, Arrested on 5/3/2007, Organized Scheme to Defraud in excess of $300.00. Released from jail on 5/4/2007 on $15,000 bond.
Be warned when stuff you never bought arrives at your doorstep. As a new scam uncovered in Utah revealed, identity thieves have tweaked their modus operandi to literally have victims hand over to them goods purchased online with the victims' own card money. In a new move, fraudsters are using card holders' addresses to receive goods purchased using their compromised credit card accounts.
Such frauds are known to be mostly committed by fraudsters from overseas. Until now, the fraudsters were seen to be employing people as ‘money mules’ to do this service. They would hire people online to work as re-forwarding or re-packaging agents for them on a commission basis, paid on every package they safely send across.
If and when the scam gets busted, the real fraudsters would go scot-free while the local agents would have a hard time explaining how they came to be in possession of the stolen goods.
Fraudsters are not only stealing from the card but also using the owner’s address for receiving the goods bought using it!
Card owners would naturally be surprised when items they never purchased turn up at their doorstep. They would immediately mean to send it back. So, they wouldn’t be surprised when the same day or the day after, somebody comes to pick the package saying it was all a mistake. Folks who turn up to collect the goods claim they were hired by the seller to have the goods sent back. Card owners wouldn’t realize they were really accomplices of fraudsters come to take away stolen goods.
The fraudsters are counting on card owners not discovering the scam early. Card owners would only come to know of the scam, if they check their credit card account statements and discover the suspicious transactions.
This gives one more reason to keep a close watch on your account statement. Noticed early, it can become an opportunity to set a trap for the fraudsters and turn the tables on them.
Crime syndicates use the latest technology, including computers, embossing and lamination to create more realistic looking credit cards. Today’s counterfeit credit card will often have a complete hologram and a fully encoded magnetic strip. Most of the tools used to create counterfeit cards are manufactured in the Far East and smuggled to developed and developing countries throughout the world. To the untrained eye these cards will appear to be completely legitimate.
Holograms of different cards are unique: In most instances the hologram on a counterfeit card is fixed on top of the card, whereas the legitimate hologram is embedded in the plastic during the manufacturing process.
The white strip that carries your signature on the card should never be plain white. It always has ‘Visa’ or ‘MasterCard’ printed across in small print, many times over.
It is a clear sign of a fake card even if this print is unclear or smudged.
When placed under UV light, a large image of a white dove or the letters MC show up respectively on the card, according to it being a Visa or MasterCard.
Genuine cards also feature micro printing on them: what looks like a thin line to the naked eye turns out to be really fine printing when looked through a magnifying glass. This feature is especially important as it’s very hard to imitate using ordinary printing equipment.
Problems in fixing criminal which enhances this crime and new methods to overcome it
The challenge with credit card fraud is that it is typically an interstate fraud, meaning it happens from one state to the next, so the cost and time to prosecute are typically beyond the crime itself: it would cost more to extradite a person, even across the country, than the crime is worth, which is typically no more than a few thousand dollars (for small-scale Indian fraudsters), if not a few hundred.
The reality: Identity theft and online credit card fraud are reaching epidemic proportions and the local law enforcement, no matter how much they want to, just don’t have the resources to enforce interstate crimes.
Online Credit Card Offence & Indian Law :
Indian legal position: Any offence pertaining to online payment through credit cards will come within the purview of the Information Technology Act, 2000 read with the relevant provisions of the Indian Penal Code, 1860. Section 378 of the Code defines the term “theft” as follows:
“Whoever intends to take dishonestly, any property, out of the possession of any person without the consent of that person moves the property in order to such taking, is said to commit theft.”
In order to commit theft, the following ingredients are required to be satisfied:
(a) The intention must be dishonest.
(b) Such property must be movable in nature.
(c) Such property must be taken out of the possession of its owner.
(d) Such property must be taken without the consent of the owner.
(e) Such property must be removed from its original place to another.
Now we have to examine whether online credit card theft satisfies the abovementioned requirements in order to bring the offender to justice. This definition, if interpreted in the strict sense, does not include the online theft of credit card information. But if a merchant dishonestly obtains the blank purchase slip, forges the cardholder’s signature on it and thereafter obtains the payment from the bank, he can be booked under the offence of forgery (discussed later).
Thus, if there is no intention to deceive (intention is difficult to prove) or secrecy, the act, though dishonest, is not fraudulent.
Intent to defraud: not a bare intent to deceive, but an intent to cause a person to act or omit to act, as a result of the deception played upon him, to his disadvantage.
To deal with CCF, our Parliament enacted the Information Technology Act in the year 2000. The following penal provisions of this statute are relevant here.
Section 66- This section provides the following penalties for hacking with computer systems:
Whoever with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hacking.
Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.
The offence under this Section is cognizable and non-bailable.
Section 43- Clauses (a), (b) and (g) of Section 43 state that if a person has unauthorized access or secures access to computer, computer system, computer network or downloads copies or extracts any data from such computer, computer system, computer network or even assists another person to facilitate access in the aforesaid manner respectively, he shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.
It is quite apparent from the above that besides legal protection it is necessary to carefully examine the technological and contractual protection existing within the system because law is not an alternative to other security measures required to be taken by the cardholder while making online payment.
Sec 21 defines public servant, i.e. any employee of a public sector undertaking (under control of State/central govt.) (r.w. Article 12 of the Constitution of India), i.e. employees of all scheduled banks and co-operative banks are public servants
Sec 34 (act done by several persons in furtherance of common intention)
Each person is liable in same manner as if it were done by him alone
Sec 201 (Causing disappearance of evidence of offence or giving false information to screen offender)
If less than 10 years then 1/4th of longest term of imprisonment for offence and/or fine.
Sec 407 (criminal breach of trust by carrier)
Punishment- 7 years imprisonment and fine
Sec 420 (cheating and dishonestly inducing delivery of property)
Punishable up to 7 years imprisonment and fine
Sec 466 (Forgery of public register- any data or electronic records (as defined in clause ‘r’ of section 2(1) of IT Act 2000)(cc number in e-form) to be kept by the public servant (banker))
Punishable for 7 years RI and fine
Sec 467 (Forgery of valuable security- bill etc)
Punishment: life imprisonment or 10 years imprisonment and fine
Punishment 7 years RI and fine
Cognizable, non-bailable offence, triable by Magistrate of 1st class, non-compoundable
Sec 470 defines forged document or e-record – wholly or partly
Sec 471 (using as genuine a forged (document or e-record))
Punishment same as if he has forged (467)
Sec 474 (having possession of document described in sec 466 and 467, knowing it to be forged and intending to use it as genuine)
7 years Imprisonment and fine or
Sec 475 (possessing counterfeit marked material (plastic card) )
Punishable for Life imprisonment or 7 years imprisonment and fine
Sec 476 counterfeiting device or mark used for authenticating documents other than described in sec 467
Possession of any such counterfeited device is punishable for 7 years and fine
Sec 477-A Falsification of accounts with intent to defraud (i.e. e-record etc) by clerk, officer, servant
punishable for 7 years and fine
Sec 409 (criminal breach of trust (defined in sec. 405 IPC) banker/agent/merchant)
Punishment is prescribed (for misappropriation of funds) as:
Life imprisonment or
imprisonment of 10 years and fine
Problems in fixing criminal which enhances this crime and new methods to overcome it..contd (due to Criminal Jurisprudence)
Any quantum of suspicion cannot be a substitute for evidence (SC ruling; a Supreme Court ruling is the law of the land under Article 141 of the Constitution of India, and a judge is duty bound to decide the case based on law).
Benefit of doubt must go to the accused in criminal proceedings. Therefore, the strategy of defense counsel is to shed doubt on the evidence and take his client out of the clutches of the law.
Every link between crime and criminal must be established. The strength of the chain is only that of its weakest link.
It must be proved beyond the shadow of a reasonable doubt, which is a very difficult task for the prosecution. The burden of proof is totally on the prosecution.
If there is circumstantial evidence only, then it must be of such a nature that it should lead to one and only one inescapable inference about the criminality of the accused. (This is also very difficult to prove.)
Accused should be treated innocent till proved guilty- principle of criminal jurisprudence should be changed to strict criminal liability principle i.e. burden of proving innocence should be on the accused like food adulteration cases
Future!....If no proactive steps taken Courtesy: (Niculae Asciu)
As this crime is spreading like a jungle fire throughout the world, especially in developed countries, and India is a developing country, we should prevent this epidemic in the economy in a timely and vigilant manner.
In India, credit card fraud is mostly limited to the physical space. Online con jobs make up just about 1% of the total numbers here, unlike 40% in the developed world.
All parties to credit card transactions are at risk when it comes to the hacking of credit card numbers. It is incumbent on the credit card associations to implement and enforce stricter rules regarding security and data protection practices by card issuers, merchant acquirers, processors, merchants and any other entities that manage or store card numbers on their servers. The card associations should also implement and enforce new rules that protect consumers from identity theft and credit reporting misinformation that can result from credit card fraud. Otherwise, consumer groups will force protective legislation in a lengthier and costlier process.
But, as consumers graduate to the shop-easy internet and pay with their cards, instances of fraud are bound to rise. As access to the web increases, reported cases of card fraud are estimated to rise at 20-30% every year. In online transactions, contracts are one-sided and the customer is always held responsible in case of fraud.
Phishing is a commonly-used defrauding mechanism. To top it, people are careless in offering their card details.
Thus, we can conclude that with the help of the legal remedies available, as cited earlier in the paper, legal action can be brought against the offenders who are held liable for credit card frauds and misuse, and they can be brought to book.