What is credit card fraud? We examine the major categories of fraud and suggest ways you can prevent it from happening to you.
Physical Theft
Cards which are physically lost or stolen can be used until the cardholder notifies their financial institution. Cardholders typically aren't liable for any purchases made during this time, unless they contributed to the loss or theft or did not report the loss or theft in a timely manner.
The only physical security device on a lost or stolen card is the signature on the back panel, which can be easily forged. Some merchants request to see the cardholder's photo ID, but the customer can legally refuse. By even making the request, the merchant may be in violation of their agreement with the credit card company.
Card issuers use sophisticated algorithms to determine the probability of fraud before the transaction is approved. It takes into consideration factors such as the geographic location of the purchase (an overseas transaction may be deemed suspicious if the cardholder has not notified the bank of their intention to travel).
Compromised Data
Organisations often hold the credit card information of their customers, including the card number, expiry date, account name and card verification code. They may hold this information for the purposes of ongoing payments, such as subscriptions, or for direct debit arrangements.
Sometimes this data can be stolen from or lost by the organisation. In 2007, US company TJX was the victim of a hacker intrusion which resulted in the loss of credit card and personal information which affected over 45 million consumers.
Skimming
'Skimming' is the term used to describe the theft of credit card information during a legitimate transaction.
In Australia, a number of 'skimming devices' have recently been found on ATMs. These machines were placed over the ATM card slot and read information from the card when it was inserted. These devices are often used in conjunction with a tiny camera which records the user typing in their PIN.
Skimming can also occur on a low-tech scale - store employees may steal or photocopy receipts or even simply write down the card number while processing the transaction. For this reason, it is advisable to always keep your credit card in view.
In order to detect skimming, financial institutions correlate data from reported fraudulent transactions, then use data mining techniques to discover relationships between those cards (e.g. they were all used at the same restaurant or ATM).
Card Not Present
A card not present (CNP) transaction is where the card information is used over the telephone or Internet. The merchant never sees the card and has little opportunity to verify the identity of the cardholder.
As such, CNP transactions are considered particularly risky. Many online merchants will not accept credit card payments unless the customer has an established relationship with the business. Others will only ship goods to an address approved by the card holder - the card issuer (Visa, MasterCard etc) provides easy mechanisms for merchants to verify address data.
In a CNP transaction, the card verification or CVV code is commonly used to verify the card. The CVV code is a three-digit code found on the back of the card. As such, anyone in possession of the card has sufficient information to make an online transaction.
Identity Theft
Identity theft typically comes in two categories - application fraud and account takeover.
In application fraud, a criminal will apply for a credit card under the victim's name, using information or documents obtained illegally or fraudulently. Documents may be completely fabricated, or may be real documents such as utility bills or previous credit card statements which have been stolen from the victim. These documents can be often be obtained by going through the victim's rubbish or recycling (a process called 'dumpster diving').
In an account takeover, the criminal takes control of the victim's existing account by contacting the financial institution and purporting to be the genuine card holder. They may request a change of address and/or change the account password, then report the card lost or stolen and request a replacement card to be sent.
