Fraud Trends 2010: Tips for Merchants

Friday, August 27, 2010

Fraud Trends 2010: Tips for Merchants

Nicholas Cucci of Network Merchants Inc, writes and excellent article about the latest trends in credit card fraud.  Even Google Inc has recently be a victim, so be sure to check out the entire article so you can protect your organization from fraud.

Financial fraud is a large business domestically and internationally. It accounts for more than $200 billion in losses each year in the United States alone, according to Symantec Corp., a provider of information security software and services.

The number of fraudsters has grown exponentially within the last five years, and they have become more sophisticated in how they steal and sell credit card information.

The buying and selling of credit card information has become so widespread that the British Broadcasting Corp. reported that U.K. credit card information is now for sale in India.

According to the BBC, a man named Saurabh Sachar told two undercover BBC reporters in Delhi that he could supply them with hundreds of credit and debit cards each week at $10 USD per card.

He claimed to have obtained the card data from call centers handling mobile phone sales and payments for phone bills and hotels. After receiving sample credit card numbers, the BBC reporters found they were valid.

Understanding fraud techniques

A powerful way for the payments industry to fight back is to understand how fraudsters work. One technique described by First Data Corp. is the use of fraud forums. These are highly popular web-based forums dedicated to individuals and groups that perpetrate fraud and provide a convenient way for them to exchange stolen information.

People looking for stolen data or interested in stealing and selling data themselves need only create a username and password on these websites to gain access to the goods. The sites provide how-to guides and even specialized venues for specific countries or regions. I was able to find within minutes people willing to sell malware to obtain information illegally for $35 to $500 USD.

No fraudulent act is complete until a “cash-out” on the stolen data occurs. This is when the “cashiers” and “money mules” come into play. They are available for hire to act as intermediaries in converting information into true currency. There’s even another business inside of this business; the fraudsters basically have their own fraud-support teams.

Intermediaries will transfer funds from stolen accounts into legitimate currency for a commission on the amount transferred and, for a nominal fee, will even help validate cardholder verification value code numbers against their corresponding credit card numbers and expiration dates. You can even request a cashier’s check for a specific location, nationality or gender to match the identity of the victim to minimize suspicion when withdrawing funds. The sophistication with which fraudsters conduct their business is unbelievable.

With technology advancing daily, it simply cannot be stressed enough that today’s criminals are more adept and organized than ever. We need to continuously evolve our methods to keep ahead of the fraudsters.

People from all walks of the payments industry need to understand that fraud is still a two-step process for the perpetrators. The first step is stealing the data; the second is converting the data into money through various means. Following are the current top five fraud trends, based on information I gathered from Symantec, the Internet Crime Complaint Center and First Data Corp.

Malware attacks

Malware is short for “malicious software” that is designed to gain access to, and potentially damage, the victim’s computer without the victim’s knowledge. In 2009 the number of attacks was 10 times greater than in 2008. Most malware attacks today are intended for financial gain.

Malware escapes detection while collecting and transmitting sensitive data such as users’ bank account information, passwords and card details.

Criminal hackers create new malware Trojans daily, exploiting new vulnerabilities before they can be detected and fixed. Keeping your anti-virus software up to date gives you the upper hand. Vulnerabilities are usually found in out-of-date virus detection systems.

Advanced phishing, SMSishing and whaling

Pretending to be a trustworthy entity such as a bank or credit card company, phishers send out emails and instant messages that prompt users to send sensitive information to confirm they are the actual owners of the accounts. Phishers even send out text messages now, too – a practice called SMSishing.

Whaling in the fraud world occurs when high-worth accounts are targeted. Usually this is through social networking sites such as LinkedIn and even Facebook. Whalers target profiles with certain descriptors, such as vice president, chief executive officer, chief financial officer and so forth.

Google was recently hacked via a PDF file sent to its executives that, when opened, caused a vulnerability on each user’s computer so hackers in China were able to grab information. Google believes the hack stemmed from, or was at least approved by, the Chinese government, but the company cannot prove with 100 percent certainty the Chinese government’s involvement.

Phishing can happen to anyone; according to Gizmodo.com, the key is to always stay on top of everything and delete, without opening, any file that you do not completely recognize.

ATM skimming

In this type of fraud, skimmer devices are placed directly over the slot where customers swipe their cards to get cash from an ATM. The skimmer reads and stores sensitive personal information kept on the bankcard’s magnetic stripe. The skimmers are so small that authorities have a hard time finding them. Skimming has been around since the early 90s.

SQL injections

SQL stands for structured query language, a language used for database programming. Hackers inject SQL into web forms containing login fields or browser addresses to access and manipulate the database being utilized by the site or system. These attacks allow criminals to access restricted data, such as credit card details and PIN data. This is becoming a more popular attack because of its versatility.

Counterfeiting in non-EMV countries

Many countries outside of the United States have adopted the Europay/MasterCard/Visa smart card standard. This allows for a more secure chip and PIN technology. This technology deployment has resulted in a higher level of security and caused the basis points on card transactions in the United Kingdom to drop from 18 in 2001 to 12 in 2008. I hope it is only a matter of time before this method is adopted in the United States.