6/12/08 ECONOMIC OFFENCES USING CREDIT CARDS Harshad S. Patil, B.Tech. (I.T.)(V.J.T.I.), PG.Dip. Cyber Crime Management

Economic offenses through Credit Card Frauds Dissected



Agenda

• Types of frauds
• Statistics
• Why is credit card fraud more disastrous and damaging than others?
• Glossary
• What credit card numbers signify
• Working
• What is Credit Card fraud (CCF)
• Modus Operandi and scope of fraud in it
• Common Types of CCF
• Tools for CCF
• Factors contributing to CCF
• Suggested Precautions to be taken by merchants for prevention of online CCF
• Credit Card Fraud (CCF) Detection Techniques
• Tools to control CCF
• Fraud Prevention Techniques
• Types of Credit Card frauds
• Cases related to Credit Card frauds
• Problems in fixing criminal which enhances this crime and new methods to overcome it
• Videos of credit card frauds
• Conclusion


Fraud Defined

• Fraud is the deliberate misrepresentation (or concealment) which causes another person to suffer damages, usually monetary losses. (Source: www.wisegeek.com/what-is-fraud.htm)

• Textbook Definition: All multifarious means which human ingenuity can devise, and which are resorted to by one individual to get an advantage over another by false suggestions or suppression of the truth. It includes all surprises, tricks, cunning or dissembling, and any unfair way which another is cheated. (Source: Black’s Law Dictionary, 5th ed., by Henry Campbell Black, West Publishing Co.)

Examples of Fraud

• Producing Fraudulent Financial Statements
• Larceny – unlawful taking and removing of property with intent of permanently depriving the owner
• Skimming – taking of property before it is recorded on the books
• Fraudulent Disbursements
• Kickbacks and bribes
• Unauthorized or illegal use of confidential or proprietary information


Types of Fraud

Pharmacy Fraud

Online Pharmacy Fraud incorporates numerous crimes and potentially dangerous health considerations.

Identity Fraud

In what many are calling America's fastest growing type of robbery, crooks use your name, social security number or that blank, pre-approved credit application you tossed out.

• Hacking
• Identity Theft
• Phishing/Spoofing
• Spam
• Spyware

Financial Fraud

Any non-violent offense committed by or against an individual or corporation and which results in a financial loss.

• Cross-Border Fraud
• Advanced Fee Scams
• Charities Fraud
• Investment Fraud
• Job Scams
• Debt Elimination
• Nigerian "4-1-9" Scams
• Ponzi Schemes

The most common cross-border frauds involve:

– Phony prize promotions
– Foreign lottery schemes
– Advance-fee loans
– Travel offer scams
– Unnecessary credit card loss "protection"

Sweepstakes Fraud

Thousands of American consumers receive sweepstakes promotions but if you have to pay to play or pay to receive your "winnings" the promotion is a scam.

• Foreign Lottery Fraud
• Sweepstakes/Prizes Scam

Counterfeit Payments Fraud

The latest scam to hit American consumers involves counterfeit financial instruments.

• Counterfeit Cashier's Checks
• Counterfeit Money Orders

Auction Fraud

Internet auction fraud occurs in several ways, but the most common is the failure to deliver the purchased item.

• International Auction Fraud
• Escrow Services Scam

Internet auction fraud involves non-delivery, misrepresentation, triangulation, fee stacking, black-market goods, multiple bidding, and shill bidding.

The victim signs up with the phony escrow service and sends payment to the service and receives nothing in return.


Causes of Fraud

• Rationalization
• Incentive
• Opportunity


The Fraud Triangle helps explain the human process for committing fraud.

Rationalization

Employees, vendors and others justify fraud: “They owe me” or “I earned it”; “I need it more than they do”; “It’s only fair”; “God will forgive me”.

• Rationalization is a form of denial. The person is not accepting reality.

• Rationalization is the hardest area for management to influence or control.

Incentive

Incentives and pressure can be real or imagined:

– Compulsive behaviors: gambling, alcohol, illegal drug use
– Financial debts: credit cards, health care
– Family problems: divorce, extramarital affairs, problems with children

These issues on employees can be reduced via Employee Assistance Plans (EAPs), counseling and work assignments. EAPs are management’s tool to help control fraud.

Opportunity

Opportunity is the perception by someone believing they can commit a fraud without getting caught. Management controls and influences “opportunity” more than any other factor in the Fraud Triangle. Management tools are employment checks, internal controls, internal and external audits and a host of other techniques.

90% of frauds are committed by “trusted” employees. Source: http://www.acfe.com

Fraud Indicators

• Accounting anomalies
• Internal control weaknesses
• Analytical anomalies
• Extravagant lifestyles
• Unusual behaviors
• Tips and complaints – whistleblower policy


Fraud statistics


Why does credit card fraud matter?

• The Federal Trade Commission estimates that 10 million people are victimized by credit card theft each year

• According to the US Department of Homeland Security, the cost of credit and charge card fraud may be as high as $500 million a year

• These costs ‘trickle down’ in higher interest rates and fees for all consumers

• Fraud victimisation in credit card frauds:
– 28 per cent of florists;
– 43 per cent of booksellers;
– 26 per cent of recorded music retailers;
– 33 per cent of toy and game retailers;
– 30 per cent of computer hardware retailers.
– Overall, one-third of all retailers who had ever sold products online have been the victim of online fraud at some stage.


Why is CCF more damaging and disastrous than most of the other types?


CCF break up as per types

http://www.popcenter.org/problems/credit_card_fraud/images/piechart.gif


Stats in Canada

Data source: Statistics Canada, Canadian Centre for Justice Statistics,


Stats in US

Source: http://www.stargatesemiconductor.com/9003460290/CreditCardFraud.bmp


Stats in UK

Fig. courtesy: KPMG


Glossary:

• Skimming: Describes the process in which a device is used to copy the magnetic stripe encoding off of a card - one reason card holders are cautioned against using ATM machines that look unusual.

• Charge off: A loan or credit card debt written off as uncollectible from the borrower. The debt, however, remains valid and subject to collection.

• SSL (Secure Socket Layer): This is a security protocol for data exchange on the Internet. Set up on a server, it mitigates the chance that information exchanged between the merchant’s server and the purchaser’s browser is intercepted by a third party.

• Gateway (secure payment gateway): It is an independent service acting as an intermediary between the merchant’s shopping cart and the different bank networks involved in the transaction (the purchaser’s bank card bank and the seller’s merchant account bank). It verifies the validity and encrypts the details of each transaction, ensures the correct destinations for the data, and decodes the responses sent back to the shopping cart.

• IMA (Internet Merchant Account): This is the virtual terminal linked to the bank account; it enables the merchant to accept payment by bank card from its customers and to receive money for sales.

• IPSP (Internet Payment Service Provider) or PSP (Payment Service Provider): A provider supplying an online payment solution. Cashtronics is an IPSP or PSP.

• Chargeback: A chargeback takes place when the cardholder informs his/her bank that they have not authorized a transaction or that the product ordered by him/her has not been delivered. In other words, it is an outstanding amount because the merchant is required to reimburse the cardholder. There are several levels of chargebacks, the most serious being for fraud, or if the card has been stolen.


For the merchants, it's terrifying!!

If online credit card fraud scares consumers, then it absolutely terrifies merchants! While consumers have some protection against fraud, fraudulent credit card transactions are costing ecommerce merchants many millions of dollars annually. 

Counting the cost of fraud.

There are a couple of winners when it comes to fraud... the people perpetrating the fraud of course, and the credit card issuing banks. The fees involved with chargebacks are horrendous - US$ 30 and upwards per transaction! Additionally, if you experience a high rate of fraud, you may wind up paying higher processing fees or have your merchant account terminated altogether. After being terminated, it's very difficult to gain processing services elsewhere. Proper fraud screening is critical in not only saving money, but it can also save your business.


Credit card (Front Side)

An ISO 7812 number contains a single-digit Major Industry Identifier (MII), a six-digit Issuer Identification Number (IIN), an account number, and a single digit check sum calculated using the Luhn algorithm. The MII is considered to be part of the IIN.

The term "Issuer Identification Number" (IIN) replaces the previously used "Bank Identification Number" (BIN)


CARD VERIFICATION VALUE (CVV)

A card verification value, or CVV, is a three- or four-digit number printed on a credit card (and encoded on the mag strip) for fraud protection. It provides a cryptographic check of the information embossed on the credit card. The use of the CVV in an online transaction is intended to signify the physical presence of the card at the transaction’s origin, e.g. in the hands of an online customer, thus reducing the occurrence of credit card fraud in card-not-present transactions. Unfortunately, as CVVs have been captured and stored in merchant databases that are subsequently compromised, the anti-fraud value of the CVV has recently diminished.

CVV2 CODE

These are the last three digits (or four digits for American Express) of the number found on the back of bank cards. Without this number it is often impossible to carry out a purchase in an online shop.

Card Security Code/Card Identification Number (CIN)

This is typically the last three digits printed on the signature strip on the back of the card. In the case of American Express cards, it can be a four-digit number printed (but not embossed) on the front of the card.

Credit card (Rear Side)



Meaning of CC digits:

• The first digit of your credit card number is the Major Industry Identifier (MII), which represents the category of entity which issued your credit card. Different MII digits represent the following issuer categories:

– 3 - travel/entertainment cards (such as American Express and Diners Club)
– 4 - Visa
– 5 - MasterCard
– 6 - Discover Card

• Issuer Identifier: The first 6 digits of your credit card number (including the initial MII digit) form the issuer identifier. This means that the total number of possible issuers is a million.

• Issuer, identifier and card number length:

– VISA: identifier 4xxxxx, card number length 13, 16
– MasterCard: identifier 51xxxx-55xxxx, card number length 16

• Account Number: Digits 7 to (n - 1) of your credit card number are your individual account identifier. The maximum length of a credit card number is 19 digits. The final digit is the check digit; this means that the maximum length of the account number field is 19 - 7, or 12 digits. Each issuer therefore has a trillion possible account numbers.

• The final digit of your credit card number is a check digit, akin to a checksum. E.g.: 4408 0412 3456 7890

• The first credit card offer showed a picture of a card with the number 4408 0412 3456 7890.

• The Major Industry Identifier (MII) is 4 (banking and financial), the issuer identifier is 440804 (a VISA partner), the account number is 123456789, and the check digit is 0.

• The magstripe can be "written" because the tiny bar magnets can be magnetized in either a north or south pole direction and is very similar to a piece of cassette tape.
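The field layout and Luhn (MOD 10) check described on this slide, as a merchant-side pre-check written for this edit (an added example, not code from the presentation). The function names are hypothetical, the issuer table holds only the two rows the slide lists, and the sample numbers are the slide's illustrative number plus constructed test values; a number that passes is only well-formed, so authorization still has to come from the payment gateway.

```python
import re

# Issuer prefix and length rules, limited to the two rows shown on the slide.
# A production system would use a maintained IIN table instead (assumption).
ISSUER_RULES = [
    ("VISA", re.compile(r"4"), {13, 16}),
    ("MasterCard", re.compile(r"5[1-5]"), {16}),
]

# MII categories as listed on the slide.
MII_CATEGORY = {
    "3": "travel/entertainment",
    "4": "Visa",
    "5": "MasterCard",
    "6": "Discover Card",
}


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    # Walk right to left, doubling every second digit, starting with the
    # digit immediately left of the check digit.
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9  # same as adding the two digits of the product
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep only the IIN and the last four digits for logs and receipts."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def parse_card_number(raw):
    """Split a card number into the fields the slide describes."""
    digits = re.sub(r"[ -]", "", raw)
    if not re.fullmatch(r"[0-9]{13,19}", digits):
        raise ValueError("expected 13 to 19 digits")
    issuer, length_ok = None, None
    for name, prefix, lengths in ISSUER_RULES:
        if prefix.match(digits):
            issuer, length_ok = name, len(digits) in lengths
            break
    return {
        "mii": digits[0],
        "mii_category": MII_CATEGORY.get(digits[0], "other"),
        "iin": digits[:6],
        "account": digits[6:-1],   # digits 7 to (n - 1)
        "check_digit": digits[-1],
        "issuer": issuer,
        "length_ok": length_ok,    # None when the issuer is not in the table
        "luhn_ok": luhn_ok(digits),
        "masked": mask(digits),
    }


def precheck(raw):
    """Reject malformed numbers before they are sent to the gateway."""
    try:
        card = parse_card_number(raw)
    except ValueError:
        return (False, "malformed")
    if card["length_ok"] is False:
        return (False, "length does not match issuer")
    if not card["luhn_ok"]:
        return (False, "check digit mismatch")
    return (True, "well-formed, not yet authorized")


# Constructed sample input: the slide's illustrative number, a widely
# published Visa test number, and the same number with one digit mistyped.
SAMPLES = ["4408 0412 3456 7890", "4111 1111 1111 1111", "4111 1111 1111 1112"]

if __name__ == "__main__":
    for sample in SAMPLES:
        card = parse_card_number(sample)
        print(card["masked"], card["issuer"], precheck(sample))
```

The slide's illustrative number splits into the fields the slide names but fails the Luhn check, which is typical of placeholder numbers printed in advertisements.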


Credit Card Skimming

• Credit Card Skimming is a method by which encoded information from the magnetic stripe of a credit card is gathered by an electronic credit card reader (skimmer). This information is used legitimately when processing a transaction. In the hands of a criminal the electronic credit card reader becomes a handy tool to gather information to use later in illegal transactions and purchases. Usually a criminal connects this "skimmer" to the credit card machine or a portable "skimmer" could be used to swipe your card when you are not looking. If you make a purchase, your information will automatically be stored in the "skimmer". At a later stage the criminal will use this information to make unauthorized purchases or encode this information on the magnetic stripe of a counterfeit card.

• Credit card skimming often occurs in businesses where credit cards are used regularly, such as restaurants and other entertainment venues. In restaurants you will normally lose sight of your card when the waiter takes it to pay your bill. Some skimmers are as small as your hand, which makes it extremely easy for waiters to keep in their pouches.

• During 2003 a crime syndicate was detected in New York, Connecticut and Massachusetts in the USA that smuggled Chinese immigrants into the US. The immigrants were forced to work as waiters in various Chinese restaurants to pay back money they owed to smugglers that assisted them to get into the country illegally. As waiters working in these restaurants they were forced by the crime ring to carry pocket-sized credit card skimmers and collect data from the cards of unsuspecting customers. The information they gathered was then handed over to the crime ring to pay off their debt.

• ‘Card skimming’ is the illegal copying of information from the magnetic strip of a credit or ATM card. It is a more direct version of a phishing scam.

• The scammers try to steal your details so they can access your accounts. Once scammers have skimmed your card, they can create a fake or ‘cloned’ card with your details on it. The scammer is then able to run up charges on your account.

• Card skimming is also a way for scammers to steal your identity (your personal details) and use it to commit identity fraud. By stealing your personal details and account numbers the scammer may be able to borrow money or take out loans in your name.


Working (Simple Version) & Intrusion points

1. Bank issues credit card to Customer.
2. Customer pays Merchant with credit card.
3. Merchant passes credit card to Payment Processor.
4. Payment Processor approves Customer and gives OK to Merchant to deliver.
5. Payment Processor bills Bank.
6. Bank bills Customer.

Flow: Customer Applies → Bank Issues Credit Card → Customer Uses Card → Merchant Receives Card → Payment Processor Receives Card → Payment Processor Bills Bank → Customer Pays

Intrusion points:

• Stolen, ill-gotten card, theft, or skimmed
• Issued by bank without demand from customer/supplied by dishonest courier
• Illegitimate users (criminal involvement at both ends)
• Forged request


From where do they get your information?

Credit cards or credit card information is usually fraudulently obtained through methods such as:

• Card swapping at ATMs

• Theft – often out of motor vehicles or houses

• Skimming

• Pick-pocketing 

• E-mails purporting to come from the credit card service provider (Phishing)

• Bogus Internet web sites

• Credit card numbers are bought and sold in underground "carder" forums, which bring together the people who have stolen the credit card numbers with those who want to use them. These charitable donations are typically made by the person buying the card numbers as a final check to ensure that the numbers will work,

• Thief goes through trash to find discarded receipts or carbon, and then uses your account number illegally

• A dishonest clerk makes extra imprint of your credit card and uses it to make personal charges

• You respond to a mailing asking you to call a long-distance number for a free trip or bargain-priced travel package. You are told you must join a travel club first and you are asked for your account number. From then on you receive charges on your bill which you didn't make, and you never get the trip.


What is Credit Card Fraud (CCF)

• CCF is theft and fraud carried out using a credit card or any similar payment mechanism as a fraudulent source of funds in a transaction.

• A credit card fraud is a transaction that is completed with your credit card by someone else. Often a fraudulent transaction is made hours after the credit card or card number is stolen or lost; often before the cardholder gets the chance to report the card as missing or stolen.


Techniques used to carry out ATM crime

• Card swapping – where a customer’s ATM card is swapped for another card without their knowledge whilst undertaking an ATM transaction.

• Card jamming – where an ATM machine card reader is deliberately tampered with so that a customer’s card will be held in the card reader and cannot be removed from the machine by the customer. The criminal removes the card once the customer has departed.

• Vandalism – where an ATM machine is deliberately damaged and/or the card reader is jammed preventing the customer’s card from being inserted.

• Physical attacks – where an ATM machine is physically attacked with the intention of removing the cash content.

• Mugging – where a client is physically attacked whilst in the process of conducting a transaction at an ATM machine.


Modus Operandi of CCF using Identity Theft

Sale of ID data. Goods available on underground servers:

1. Credit cards (22%): US$ 0.50 – 1
2. Bank accounts (21%): US$ 30-400
3. Email passwords (8%): US$ 1-350
4. Full identity (6%): US$ 10-150

(Symantec data for Jan – June 2007)

CREDIT CARD FRAUD USING IDENTITY THEFT

OBTAIN IDENTITY INFORMATION

1. Physical methods (skimmers, dumpster diving etc.)
2. Search engines
3. Insider attacks (e.g. video)
4. Attacks from the outside (illegal access, trojans, keyloggers, spyware and other malware)
5. Phishing and other social engineering techniques

FRAUD AND OTHER OFFENCES

Assume another person’s identity to:

– Exploit bank accounts, credit cards
– Create new accounts
– Take out loans and credit
– Order goods and services
– Disseminate malware


Common Types of CCF

Types of Credit Card Fraud

Credit fraud can fall into one of five categories:

• Counterfeit credit card
• Lost or Stolen Cards
• No-Card Fraud
• Non-Receipt Fraud
• Identity Theft Fraud
• CC mail order fraud
• Chargeback fraud
• Skimming

Statistics show that the misuse of lost or stolen credit cards is still the most popular type of credit card fraud in India.

Counterfeiting of credit cards is, however, increasing at an alarming rate. Fraudsters will typically use fraudulent credit cards to buy cigarettes, cellular phones and computers, jewelry and other electronic items.


Emerging Fraud: Online Credit Card Fraud

• Credit card fraud has become such an issue that no precise number can truly define the global losses. And while most financial institutions are rather sensitive about the subject, a report from the FBI indicated that credit cards were largely responsible for the $315 billion loss the U.S. endured from financial fraud in 2005. A recent study in Europe also revealed that well over 22 million consumers fell victim to credit card fraud in 2006.

• To truly understand the risk and likelihood of credit card fraud, you must first make yourself familiar with a brand new lingo. Terms such as "phishing", "pharming", "skimming" and "dumpster diving" may not sound malicious, but these are in fact just a few of many ways that money can be stolen from your credit card.

• Below you will find more details on these popular techniques and how they are used to commit credit card fraud:

Phishing - This technique refers to randomly distributed emails that attempt to trick recipients into disclosing account passwords, banking information or credit card information. This one scam has played a major factor in the crisis we face today. Since phishing emails typically appear to be legitimate, this type of crime has become very effective. Well designed, readily available software utilities make it nearly impossible to trace those guilty of phishing. Phishtank, an anti-phishing organization, recently revealed that nearly 75,000 attempts of this nature are made each month.

Pharming - This new technique is one of the most dangerous of them all. Pharming involves a malicious perpetrator tampering with the domain name resolution process on the internet. By corrupting a DNS (Domain Name System), a user can type in the URL for a legitimate financial institution and then be redirected to a compromised site without knowledge of the changes. Unaware of the background predators, the consumer types in their bank account details or credit card number, making them the latest victim of fraud.

Skimming - This device is usually secretly mounted to an ATM machine as a card reader.

Dumpster Diving - This shameless act refers to a process in which an individual vigorously sifts through someone else's trash in search of personal and financial information. With a mere credit card approval that contains a name and address, a criminal can easily open up a credit card in your name and accumulate substantial debt in no time.


Fake Security Message


A Fake Security Checkup


Tools used for CCF

CC number generator site on Internet

Merchant/ his dishonest agent (with or without employer consent) retaining CC numbers processed through retail outlet and using them unlawfully!

Discarded copies of CC vouchers via waste receptacles

Hacking computer where CC Numbers are stored

Stolen CC or some mobile top up cards

Some magnetic strips, Blank CC from grey markets, embossing device to emboss character on card and holograms, skimmers


CC generator

Command line python program using PHP script and JavaScript

It generates CC number (13-16 digits VISA, MasterCard, Amex) to use in e-commerce sites conforming to the Luhn formula (MOD 10 check).

In testing situations any expiry date within the next 3 years should work


www.darkcoding.net/credit-card-numbers/


CC generator Rocklegend


Creditwizard site:www.CreditCardgenerator.org


Sale of Credit Cards: What's the rate going on in US?

Forum.carderplanet.net offered credit cards.

USD $200.00 - 300 USA credit cards without cvv2 code (credit card number, exp. day, cardholder billing address, zip, state).

USD $200.00 - 50 USA credit cards with cvv2 code (credit card number, exp. day, cardholder billing address & CVV code from the back side of the card).

Also cards with SSN+DOB at $40 each.

Minimal deal $200


Hackershomepage.com 800b MSR206 MAGNETIC STRIPE CARD READER/WRITER

THIS IS THE DEVICE EVERYONE HAS BEEN ASKING FOR.

This device will allow you to change the information on magnetic stripe cards

It will also allow you to write to new cards.


From Hackershomepage.com: POS (Point Of Sale) Data Logger

701 COMPUTER KEYSTROKE GRABBER

Use this device to capture ALL keystrokes on a computer including user name and password.

Password will be in plain text and not echoed like "********". This device will grab email and system passwords.


801 POS DATA LOGGER 


Warning signs of Credit Card Fraud (CCF)

A shop assistant takes your card out of your sight in order to process your transaction.

You are asked to swipe your card through more than one machine.

You see a shop assistant swipe the card through a different machine to the one you used.

You notice something suspicious about the card slot on an ATM (e.g. an attached device).

You notice unusual or unauthorized transactions on your account or credit card statement.


Factors contributing to CCF

Microdot printing on checks, hidden markings on checks and cards that show up on color photocopiers, holograms, magnetic strips, and now embedded chips – all these and many more advances have raised the level of skill and equipment needed for fraudsters to counterfeit checks and cards.

Dedicated fraudsters quickly acquire the skills and equipment, so are soon able to produce checks and cards that are extremely difficult to identify as counterfeit. In fact,

International organized crime groups that specialize in counterfeit credit cards generally lie beyond the reach of local police, although their markets certainly lie within local neighborhoods.

These groups became very active in Southeast Asia toward the end of the 1990s, and in a short time, have managed to overcome every new security feature introduced into plastic-card manufacture.

Their distribution system employs Asians in large North American and European cities.

Many card issuers are eager to get customers. In recent years, the competition has become very intense.

The mail and Internet are loaded with tempting offers, and it is now very easy to get a credit card.

Many card issuers do not hold cardholders responsible for any loss incurred through fraudulent use by another.

Thus, cardholders have no real motivation to take security precautions. In fact, they may even collude with others.

Retailers may bear the loss in card-not-present sales, and card issuers in standard credit-card sales.

Although police face these and other obstacles when addressing check and card fraud, there is much that can be done.

Be aware that most card fraud is due to factors beyond police control:

• Security flaws in card design and production
• Police do not have access to the vulnerability points in the complex transactions that make up card processing.
• Inherent difficulty to verify a card user's identity
• Internet increased the opportunities for fraud, greatest impact through fraudulent card-not-present sales
• Information about counterfeiting, skimming, and hacking is now available on the Internet
• To some extent, the sheer volume of card use accounts for the increased amount of card fraud.

In the United Kingdom, the United States, and Australia, debit and credit card use has increased tremendously over the last 20 years, although in the U.S., checks remain the primary form of payment (besides cash).

In Japan, credit cards have been very slow to catch on, but debit cards have gained wider acceptance.

These differences are largely related to the structure of financial service markets in the various countries.

The amount of card fraud committed internationally has substantially increased in recent years. For example, the proportion of fraud committed abroad on U.K. cards has doubled in the past decade.

Although the rate of check fraud has decreased considerably in the past decade, the financial loss due to check fraud continues to increase, simply because of the increase in the volume of sales. There is a technological "arms race."

Each technological advance makes it harder and harder to counterfeit checks and cards.


Credit Card Fraud (CCF) Detection

Publish your mail server addresses (to thwart spoofing)

Educate customers (employees and merchants also)

Establish online communication protocols (SSL Credit card protocol)

Proactively monitor for phishers and fraudsters

General Characteristics of Those Who Commit Fraud

– They are intelligent.
– They are very egotistical.
– They are risk takers.
– They are rule breakers.
– They are hard workers.
– They are under stress.
– Many are married.
– Many are members of management.


Strategies

1. Prevention is the best course of action.
2. If fraud does occur, the strategy is to detect and stop fraud in its early stages.
3. Failing 1 and 2, we want to develop a strategy for what to do when a fraud does occur.

Prevention

• Be PROACTIVE not REACTIVE.
• Think like a crook. “If I were going to do something like this, how would I do it?”
• Trust, but verify.
• Screen your employees. This is an ongoing process, not just when they are hired.

Detection

• Establish a whistleblower policy and better yet, a hotline.
• Perform an Internal Audit.
• Conduct an External Audit or Review.


Fraud Prevention Techniques


Fraud prevention techniques

Tactical Guidelines

Enterprises selling online should:

• Assess their risk exposure to online credit card fraud based on their own experiences and on the types of goods and services they sell.

• Implement internal rules and procedures that can identify many potential frauds.

• Consider using fraud-prevention products and services to assess each transaction attempt if the risk of fraud is significant.


Latest means to prevent CCF

• SSL Certificate: SSL is a protocol developed by Netscape for transmitting private documents via the Internet. SSL works by using a private key to encrypt data that's transferred over the SSL connection. Both Netscape Navigator and Internet Explorer support SSL, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers. By convention, URLs that require an SSL connection start with https: instead of http:.

• 128-bit encryption - Cryptographers consider 128-bit encryption practically impossible to crack (it would take millions of years with the fastest computers to try all the combinations). With 128-bit encryption you can ensure that your international customer base will be able to exchange information with you using the strongest possible encryption.

• How does SSL Work?
– Client requests a secure resource.
– Web server presents its certificate.
– Client verifies the certificate.
– Client generates a Session Key (40, 56 or 128 bit).
– Client extracts the public key from the web server certificate and encrypts the session key.
– Client then sends the encrypted key back to the web server.
– Web server decrypts the session key and both now have a common key for that session.
– Both the web site and the client can now communicate securely.
– When the browser closes the window or the server drops the connection the session is terminated.
– Next time the browser comes back to the same page a new session key is generated.


Battery credit card to avoid fraud

MELBOURNE: An Australian technology firm has come up with a unique battery power super card, which they believe can fight online fraud. Company reckons that it can stop up to $1 billion a year in credit card fraud with its invention. The card, which includes an alpha-numeric display, built-in microprocessor, a keypad and three years of battery power, and will display a one-time number with which to authenticate each online credit card transaction, whenever the user will enter the pin number.

The technology was developed by a small Deloitte-backed technology firm based in Adelaide and Melbourne called EMUE Technologies. Each card costs around five times more than a regular credit card to produce and will be sold to bank customers for between $18 and $30 each. The technology could also be used for verifying your bank’s identity when it calls you over the phone. “When the card is created for the user it has a unique seed on it, and that unique seed is stored with the bank along with the pin the user chooses. If I enter the wrong pin [into the credit card] it will still generate a number for me, but when I put that into the browser [to buy something] it will reject that as a transaction.


Softwares for preventing Credit Card fraud

• MessageLabs (service provider) is able to offer a 100% virus detection service-level agreement. Outbound content inspection capabilities are above average and include dictionaries in multiple languages and credit card and SIN detection, but workflow is limited.

• Sophos (antivirus) Outbound filtering capabilities include content inspection dictionaries covering credit cards, SSNs but are limited to the Unix compliance module.


Credit Card Fraud Detection Techniques


AVS (Address Verification System)

• Address Verification System (AVS) codes are generated at the time the merchant requests credit card authorization.

• The code tells the merchant if the billing address provided on the order matches the billing address of record for the credit card number. Specific codes mean different levels of matching. For example, the credit card payment company Paymentech(c) (one of many such companies that offer AVS) uses the following AVS response codes (among others):

• I-1 means the billing address on the order is a complete match to the billing address of record for the credit card provided.

• I-5 means that only the Zip Code doesn't match; perhaps the customer has been issued a new one without updating the billing address of record.

• The codes to worry about are I-4 and I-8.

• AVS code I-4 means that the street address isn't a match, while the Zip Code does match. Blocking such orders may seem to be a given, but there's a slight problem. AVS logic looks for a number at the beginning of an address. Addresses that begin with a letter aren't recognized and result in an I-4 code. Too many customers use addresses that begin with a letter (P.O. Box 100, or One Rockefeller Plaza) to make this a suspect code.

• AVS code I-8 means that nothing matches - the street address and the Zip Code are both different. Perhaps the customer moved and forgot to change the address, but this is probably an NCE attack, which is sending randomly generated credit card numbers with the addresses of their forwarders in both the billing and ship to address fields. Beware.

Canceling I-8 orders

Many companies have begun canceling orders that are coming back from Paymentech(c) with an AVS code of I-8. The customer is notified that the billing address of record didn't match the billing address entered on the order. The customer can re-order using the proper address from his credit card statement. This simple step saved the previously mentioned company $4 million in credit card "charge backs" in addition to the handling time. A charge back is the process in which the true credit card holder refuses payment for a good or service that he didn't order. The merchant's account is debited for the money unless the merchant can prove that the card holder actually received the good or service.

• Internet credit card orders require the merchant to enter into a credit card transaction similar to a person coming into a store with a bag on their head and trying to make a credit card purchase without ID or bothering to sign the credit card slip. Who would allow such a thing? Internet merchants do it every day!
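The AVS codes above and the leading-number limitation can be reproduced with a small model. This is an added example, not Paymentech's logic or code from the original slides: the matching rule is a simplification built from the description above, the addresses are constructed, and splitting I-4 into "accept" and "manual-review" is an assumption added here.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Address:
    street: str
    zip_code: str


def leading_number(street):
    """Digits at the very start of the street line, or None if it starts with a letter."""
    match = re.match(r"\s*(\d+)", street)
    return match.group(1) if match else None


def zip5(zip_code):
    """First five digits of a ZIP code, ignoring a ZIP+4 suffix and punctuation."""
    return re.sub(r"\D", "", zip_code)[:5]


def avs_code(order, record):
    """Simplified AVS comparison returning one of the four codes discussed above."""
    order_no = leading_number(order.street)
    # With no leading number on the order there is nothing to compare, so the
    # street can never be confirmed, even when the text is identical.
    street_ok = order_no is not None and order_no == leading_number(record.street)
    zip_ok = zip5(order.zip_code) == zip5(record.zip_code)
    if street_ok and zip_ok:
        return "I-1"
    if street_ok:
        return "I-5"
    if zip_ok:
        return "I-4"
    return "I-8"


def triage(order, record):
    """Map an AVS code to a merchant action (the I-4 split is an added assumption)."""
    code = avs_code(order, record)
    if code == "I-8":
        return code, "cancel-and-notify"
    if code == "I-4" and leading_number(order.street) is not None:
        # A house number was supplied and it differs from the record.
        return code, "manual-review"
    # I-1, I-5, and I-4 caused only by an address that starts with a letter.
    return code, "accept"


# Constructed sample data: (label, address on the order, billing address of record).
SAMPLES = [
    ("exact match", Address("742 Elm St", "30301"),
     Address("742 Elm Street Apt 2", "30301-1234")),
    ("new zip code", Address("742 Elm St", "30309"),
     Address("742 Elm Street", "30301")),
    ("po box, identical text", Address("P.O. Box 100", "84101"),
     Address("P.O. Box 100", "84101")),
    ("named building", Address("One Rockefeller Plaza", "10020"),
     Address("One Rockefeller Plaza", "10020")),
    ("different house number", Address("12 Oak Ave", "30301"),
     Address("742 Elm Street", "30301")),
    ("nothing matches", Address("99 Depot Rd", "07001"),
     Address("742 Elm Street", "30301")),
]


def run_samples():
    return {label: triage(order, record) for label, order, record in SAMPLES}


if __name__ == "__main__":
    for label, (code, action) in run_samples().items():
        print(f"{label:26} {code}  {action}")
```

The two I-4 "accept" rows are genuine cardholders whose address simply has no leading number, which is why I-4 alone cannot be treated as a fraud signal.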


1. Pattern Detection

This technique identifies a person as a fraudster if:

Multiple orders are placed which are delivered to the same address, but using different credit cards

Multiple orders are being sent from the same IP address

The credit card number varies by only a few digits

User repeatedly submits same credit card number with different expiry dates
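The four pattern rules above can be run over an order log as follows. This is an added example, not code from the original slides: the `Order` fields, rule names and thresholds are assumptions, the card numbers are constructed test-style values and the IP addresses come from documentation ranges.

```python
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Order:
    order_id: str
    card: str       # constructed values, not real accounts
    expiry: str     # MM/YY as typed by the customer
    ship_to: str
    ip: str


def normalise_address(address):
    """Lower-case and collapse punctuation/spacing so trivial variations compare equal."""
    return " ".join(address.lower().replace(",", " ").split())


def digit_distance(a, b):
    """Number of positions at which two equal-length card numbers differ."""
    if len(a) != len(b):
        return None
    return sum(x != y for x, y in zip(a, b))


def detect_patterns(orders, min_cards_per_address=3, min_orders_per_ip=3,
                    max_digit_diff=2):
    """Return {rule name: sorted order ids} for the four rules listed above."""
    by_address, by_ip, by_card = defaultdict(list), defaultdict(list), defaultdict(list)
    for order in orders:
        by_address[normalise_address(order.ship_to)].append(order)
        by_ip[order.ip].append(order)
        by_card[order.card].append(order)

    findings = defaultdict(set)

    # Rule 1: one delivery address, several different cards.
    for group in by_address.values():
        if len({o.card for o in group}) >= min_cards_per_address:
            findings["same_address_different_cards"].update(o.order_id for o in group)

    # Rule 2: many orders from one IP address.
    for group in by_ip.values():
        if len(group) >= min_orders_per_ip:
            findings["many_orders_same_ip"].update(o.order_id for o in group)

    # Rule 3: card numbers that differ in only a few digits.
    for card_a, card_b in combinations(sorted(by_card), 2):
        distance = digit_distance(card_a, card_b)
        if distance is not None and distance <= max_digit_diff:
            for o in by_card[card_a] + by_card[card_b]:
                findings["near_identical_card_numbers"].add(o.order_id)

    # Rule 4: the same card number submitted with different expiry dates.
    for group in by_card.values():
        if len({o.expiry for o in group}) > 1:
            findings["same_card_different_expiry"].update(o.order_id for o in group)

    return {rule: sorted(ids) for rule, ids in findings.items()}


# Constructed order log.
SAMPLE_ORDERS = [
    Order("O1", "4111111111111111", "12/09", "12 Dock Rd, Unit 4", "203.0.113.7"),
    Order("O2", "4111111111111129", "12/09", "12 dock rd unit 4", "203.0.113.7"),
    Order("O3", "5500000000000004", "01/10", "12 Dock Rd, Unit 4", "203.0.113.7"),
    Order("O4", "340000000000009", "03/10", "8 Hill St", "198.51.100.20"),
    Order("O5", "340000000000009", "04/10", "8 Hill St", "198.51.100.20"),
    Order("O6", "6011000000000004", "06/10", "31 Lake View", "192.0.2.55"),
]

if __name__ == "__main__":
    for rule, ids in detect_patterns(SAMPLE_ORDERS).items():
        print(f"{rule:32} {', '.join(ids)}")
```

A hit on any rule is a reason to hold an order for review rather than proof of fraud: shared office or household IP addresses trigger rule 2 for legitimate customers.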


2. Fraud Screening

It provides risk prediction scores by assessing 150 order variables

These variables include

domestic and international address validation

domestic and international IP address verification

It controls fraud to as little as 0.5%

Automatically identifies in real time whether an order is valid or potentially fraudulent

Patented global identity morphing detection

Detailed, web based reports

Features Benefits

Detects more single event fraud as soon as it occurs

Detects fraud trends more quickly

Minimizes time, cost of manual review


Fraud screening: screenshot


3. Cardwatch site: www.cardwatch.org.uk

To raise awareness of card fraud prevention

It reduces fraud by:

fraud prevention training to staff

fraud prevention advice to customers

encouraging staff vigilance and awareness

advice and assistance on fraud prevention to other organizations, such as Crime Stoppers

running card security initiative to increase awareness among people

educating and supporting police and crime reducing officers


4. 3D secure

Its authentication requires cardholders to register their card to take advantage of the service

This is a one-time process that takes place on the card issuer's site and involves the cardholder answering security questions to which only the issuer and the cardholder have the answer

It is an online version of Chip and PIN technology, where the cardholder has a personalized password registered with the card that is entered during the checkout process

Limitations of 3D Secure

It should not be used as a complete fraud prevention tool, but in conjunction with existing fraud checks such as AVS and CVV2 to help minimize your risk

Chargebacks can still occur even when transactions have been fully authenticated by 3D Secure


Fraudlabs

XML based service validating online credit card transactions

web service screens and detects online credit card fraud

It is a proven solution to prevent chargebacks and reduce fraud for online merchants


Fraudlabs 1


Fraudlabs 2


Fraudlabs 3


CHIP AND PIN METHOD site: http://www.chipandpin.co.uk/

"Chip and PIN" is the name used for the new EMV Card Payments System designed to augment and eventually replace magnetic stripe payment cards in Europe.

It was designed by Europay, Mastercard and Visa.

Microchip technology

The ease with which credit cards with magnetic stripes are used in defrauding companies, financial institutions and individuals has necessitated banks and other card issuing companies to implement microchip card technology. This is due to the fact that cards with magnetic stripes can too easily be cloned. The cardholder’s information will be stored on a microchip, which will be much safer than the magnetic stripe. The new standard, to which all role players must adhere, will come into operation on the 1st January 2005. This new standard was dubbed EMV, which was taken from the first letter of the three companies that initiated it, namely Europay, Visa and MasterCard. This technology was introduced in France more than 10 years ago. According to the credit card industry in this country, card fraud dropped by 80% after the new technology was introduced.

This new prevention method does not come cheap and banks are spending millions changing from the old magnetic stripe cards to the new generation microchip cards. It is estimated that the conversion process in South Africa will entail issuing new cards to 16-million users, upgrading 9000 ATMs throughout the country, upgrading 130 000 point-of-sale terminals and upgrades on back-end processing systems to handle the new technology. This will come at a price tag of between R 1,5bn and R 2bn extended over a period of 10 years. Converting a top of the range ATM can cost as much as R 30 000.00. This technology will, however, require the customer to enter a PIN code every time they use the credit card. This is safer due to the fact that merchants or cashiers will no longer have to verify signatures.

Studies in Europe have shown that signature based products are more susceptible to fraud than those that are PIN based. One advantage of smart card technology is that a credit card will be able to hold a considerable amount of information. This will ensure that even merchants in rural areas will be able to accept payments without telephonic access to a bank. Some of the major banks have started issuing the new cards to their employees for internal trials and to certain clients.


Difference between normal and Chip n Pin Method


Limitations of CHIP and PIN

• Offline Counterfeiting: Chip and PIN counterfeit cards can still be used offline in terminals that are not connected to the bank's network or have been temporarily disconnected. The fraudster does not even need to know the PIN.
• Cross-Border Fraud: one easy fraud will be replaced by another when Chip and PIN fails to close off important avenues for fraud. The customer gets all the hassle and gains nothing.
• Fallback: The same old fraud can continue because magnetic stripe technology is not on the way out for a long time.

Devices for breaching CHIP and PIN

• Tamper resistance of Chip & PIN (EMV) terminals
• Chip & PIN (EMV) Interceptor: It does not copy the chip! It only gains enough information from overhearing the conversation to make a magnetic stripe counterfeit.
• Chip & PIN (EMV) relay attacks
– The terminal sends the card a random number, known as a challenge.
– The customer then enters their PIN into the terminal and it is sent to the card.
– The card computes a cryptographic response that incorporates the challenge, whether the PIN was entered correctly, and a secret known only to the card and the bank which issued it (the terminal does not know this secret).
– The purpose of including the challenge is so that the terminal can detect whether an old response is being replayed.
– The response is sent back to the terminal, which then goes on-line and sends the challenge and response to the bank, who will verify them.
• PIN Entry Device (PED) vulnerabilities
– By tapping these communications, fraudsters can obtain the PIN and create a magnetic strip version of the card to make ATM withdrawals in the UK and abroad.
– Two popular PEDs, the Ingenico i3300 and Dione Xtreme, fail to adequately protect card details
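The challenge, PIN result and card secret described in the steps above fit together as shown in this added example, which is not part of the original slides. HMAC-SHA256 stands in for the real EMV cryptogram, and the class names, card id and PIN are hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import NamedTuple


def cryptogram(secret, challenge, pin_ok):
    """Response over the challenge and the PIN result, keyed with the card secret.

    HMAC-SHA256 is a stand-in chosen for this sketch, not the EMV algorithm.
    """
    flag = b"\x01" if pin_ok else b"\x00"
    return hmac.new(secret, challenge + flag, hashlib.sha256).digest()


class Card:
    def __init__(self, card_id, secret, pin):
        self.card_id = card_id
        self._secret = secret      # known only to the card and the issuing bank
        self._pin = pin

    def respond(self, challenge, entered_pin):
        pin_ok = hmac.compare_digest(entered_pin.encode(), self._pin.encode())
        return pin_ok, cryptogram(self._secret, challenge, pin_ok)


class IssuerBank:
    def __init__(self):
        self._secrets = {}

    def enrol(self, card_id, secret):
        self._secrets[card_id] = secret

    def verify(self, card_id, challenge, pin_ok, response):
        secret = self._secrets.get(card_id)
        if secret is None:
            return "unknown-card"
        expected = cryptogram(secret, challenge, pin_ok)
        if not hmac.compare_digest(expected, response):
            return "bad-response"
        return "approved" if pin_ok else "pin-failed"


class Attempt(NamedTuple):
    challenge: bytes
    pin_ok: bool
    response: bytes
    verdict: str


class Terminal:
    """Holds no card secret: it only issues challenges and forwards results."""

    def __init__(self, bank):
        self._bank = bank

    def new_challenge(self):
        return secrets.token_bytes(8)

    def transact(self, card, entered_pin):
        challenge = self.new_challenge()
        pin_ok, response = card.respond(challenge, entered_pin)
        verdict = self._bank.verify(card.card_id, challenge, pin_ok, response)
        return Attempt(challenge, pin_ok, response, verdict)


def run_exchange():
    bank = IssuerBank()
    secret = secrets.token_bytes(32)
    card = Card("CARD-0001", secret, "4821")   # constructed id and PIN
    bank.enrol(card.card_id, secret)
    terminal = Terminal(bank)

    good = terminal.transact(card, "4821")
    bad_pin = terminal.transact(card, "0000")
    return {
        "correct_pin": good.verdict,
        "wrong_pin": bad_pin.verdict,
        # An earlier response presented against a fresh challenge no longer verifies.
        "old_response_new_challenge": bank.verify(
            card.card_id, terminal.new_challenge(), True, good.response),
        # Reporting "PIN ok" for a response computed with "PIN wrong" fails too.
        "altered_pin_result": bank.verify(
            card.card_id, bad_pin.challenge, True, bad_pin.response),
    }


if __name__ == "__main__":
    for case, verdict in run_exchange().items():
        print(f"{case:28} {verdict}")
```

Only the bank can check the response, so a terminal that is offline has nothing to verify it against, which is the gap the offline counterfeiting limitation describes.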


Credit Card Fraud Management

IAS (Internet Access System) supports the built-in fraud protection services provided by the processing network, including AVS (Address Verification Service) and Card Verification Value. In addition, IAS provides enhanced tools and services to help you maximize revenue and profit potential, actually helping you to convert more orders to sales and reduce chargebacks.

Key Features
• Supports Verified by Visa and MasterCard SecureCode services (3D Secure standard)
• Additional fraud screen available to control risk on non-Visa or MasterCard transactions
• Works with any payment system
• Single connection provides access (also available as a software component)

Key Benefits
• Minimize online credit card fraud and customer disputes
• Receive chargeback protection on qualifying transactions
• Implement easily via single Internet connection or single software component
• Obtain relief from fraud liability (pending compliance)


Deploy a Spam and Malware Catchers


1,333 Intruders Caught in one Week


The need?

A trusted environment with:

• Privacy Policy
• Member verification (for online transactions e.g.: ecommerce)
• Customer Support
• Profit and competitive advantage
• Record keeping and audit trail


Geolocation by IP address

Know the online buyer's geographic information to prevent fraud. Identify locations where the probability of fraud is the highest. This allows additional authentication measures or identification for those transactions which show a great difference of distance.

Legitimate customers welcome legitimate authentication measures, which also protect them from credit card fraud and keep the costs of doing business on the Internet down, especially if the customer is properly informed and advised by the merchant of these protection measures.

Comparison of the IP address country with the billing address country

An IP address is a unique network identifier issued by an Internet Service Provider to a user’s computer every time they are logged on to the Internet. Make sure the IP address country and the billing address country are the same.

Check whether the country is a “high risk” country

ClearCommerce® survey: The top 12 international sources for online fraud are Ukraine, Indonesia, Yugoslavia, Lithuania, Egypt, Romania, Bulgaria, Turkey, Russia, Pakistan, Malaysia, and Israel. The same survey also showed that the 12 countries with the lowest fraud rates are Austria, New Zealand, Taiwan, Norway, Spain, Japan, Switzerland, South Africa, Hong Kong, the UK, France, and Australia. Pay more attention if the card or the shipping address is in an area prone to credit card fraud. Since such countries are alien to us (Pakistan), they will never cooperate in an investigation, so it becomes a perfect crime that is impossible to detect, and the beneficiary of the fraud is guaranteed to go scot-free.

Check whether an anonymous proxy server was used to place the order

The main purpose of using a proxy server is to remain anonymous or to avoid being detected. While well known businesses use this to protect internal networks, fraudsters hide themselves behind anonymous proxy servers. It is not easy to detect anonymous proxy servers because they appear and disappear from time to time. FraudLabs™ provides a hassle free method to keep an always up-to-date anonymous proxy server list as a web service.

Suggested Precautions to be taken by merchants for prevention of online CCF


Tools to control CCF

• Public Key Encryption
• Secure Socket Layer and new layer for CCF prevention
• Biometrics/Smartcards
• Firewalls and upgrades (for online CCF)
• Digital Certification
• IP verification
• Cookies
• Pattern anomalies
• Collateral evidence

But, as cost increases, with increase in tools used, it is not economically feasible and therefore fraudsters are fortunate and get the opportunity to rob people by plastic money and go scot-free due to legal lacuna in the system. (Suggestion: There should be strict liability and burden of proof should be on accused like food adulteration laws and custom laws).

Protect yourself! From Skimming
• Keep your credit card and ATM cards safe.
• Do not share your personal identity number (PIN) with anyone.
• Do not keep any written copy of your PIN with the card.
• Check your bank account and credit card statements when you get them.
• If a transaction looks suspicious, report it to your credit union or bank.
• Choose passwords that would be difficult for anyone else to guess.


Credit Card Fraud Cases


1. Indian jailed for Britain's biggest credit card fraud

Oct 2008: An India-born computer specialist who was the mastermind behind Britain's biggest fake credit card racket has been jailed for six years.

• Anup Patel (30) and his accomplices had amassed nearly £2 million (over $3 million) by making counterfeit credit cards and using them in several countries in Asia and Europe. Police believe they would have cheated people of 16 million pounds by now had they not been caught.

• A computer sciences graduate from Kingston University, Patel stole original credit card numbers and PIN (Personal Identification Numbers) and engraved them on counterfeit cards.

• The fake cards were transported by one of his accomplices, Anthony Thomas (jailed for 2 years), to countries in Asia like Thailand and eastern Europe where the chip-and-PIN security system is not in use. Local members of the gang withdrew money using those cards by faking signatures of the original card holders.

• The police launched an investigation after motorists using the M25 petrol pumps started receiving credit card statements citing purchases and cash withdrawals in various countries.

• Patel managed to steal details of nearly 19,000 cards. Police suspect that Patel's gang collected the data from petrol pumps on the M25 motorway near London with the help of secret cameras and data card readers. They still do not have a clue as to how these gadgets were installed. Thousands use these pumps for fuel daily and payment is almost always through credit cards.

• The operation was busted in October, 2006 when the police, acting on an intelligence tip off, raided Patel's rented office premises at the Croydon House Business Centre in south London.

• They found a literal computer factory inside the premises: Thousands of magnetic strips and blank plastic cards, a library of 19,000 skimmed card and PIN details, holograms, card printers, corrupted payment terminals and £20,000 in cash.

• Patel gave himself up to the police after learning that his accomplices had been arrested in Thailand and at London's airports.

• When the case came to court, prosecutor David Povall told the jury at the Croydon Crown Court that both men had previous criminal records. Patel was jailed for two years for a credit card fraud in France 10 years ago, and Thomas had 65 previous convictions. During investigation, the police found they had links with criminal gangs in other countries, including Thailand and Turkey.

• Patel, who lived in Thornton Heath in South London, was born in India and came to Britain at the age of two. He obtained a degree in computer sciences from Kingston University in 2006, leading police to believe that he was trying to beat the chip-and-PIN system even as he was studying.


2. Busting of Fake Credit Card racket near Toronto makes this a good time to revisit Credit Card Fraud!

A fake credit card racket was busted in the last week of January this year in Markham near Ontario. Using specialized equipment, the fraudsters were converting ordinary plastic cards to credit cards, health cards, social insurance cards and whatever else you can imagine.

In the second week of this month, the State Attorney General of Oklahoma warned residents of the state that internet fraud was on the rise in the area. While the two incidents may not be related, it will do us good to heed these as a warning.

A resident of the state in fact, alerted the police after he received a phony credit card in his ordinary mail. The card came along with a letter requesting the recipient to confirm his bank details to enable activation of the card. The letter also directed the resident to a website where the relevant details could be submitted.

Having the advantage of being familiar to such scams, the alert resident’s suspicions were immediately aroused. Immediately, he reported the matter to the police.

What the scammers were aiming at, was to get hold of such critical information as bank account number and/or social security number and to misuse it for personal gain. In internet fraud parlance, this is commonly known as Phishing and identity theft.


3. 45.6 million cards hacked in biggest ever credit fraud

Eleven people have been indicted in Boston for stealing and selling 41 million credit and debit card numbers they obtained by hacking into the computers of nine major US retailers, the US Justice Department said.

In what the department believes is the largest hacking and identity theft case it has ever prosecuted, the stolen numbers were sold via the Internet to other criminals in the US and Eastern Europe and used to withdraw tens of thousands of dollars at a time from ATMs.

The eleven defendants include three US citizens, three from Ukraine, two from China, one from Belarus, one from Estonia and one whose place of origin is unknown, the department said in a statement. The indictment was returned Tuesday by federal grand juries in Boston, Massachusetts, and San Diego, California.

The indictment alleges that after they collected the data, the conspirators concealed the data in encrypted computer servers that the defendants controlled in Eastern Europe and the United States. From there, the stolen numbers were “cashed out” by encoding card numbers on the magnetic strips of blank cards, and then used to extract cash from ATMs, the Justice Department said.

The defendants were allegedly able to conceal and launder their fraud proceeds by using anonymous Internet-based currencies both within the United States and abroad, and by channeling funds through bank accounts in Eastern Europe, it added.

“So far as we know, this is the single largest and most complex identity theft case ever charged in this country,” said US Attorney General Michael Mukasey. “While technology has made our lives much easier it has also created new vulnerabilities,” said US Attorney for the District of Massachusetts Michael Sullivan.

The 11 people — including three Americans — allegedly targeted such retailers as TJX Companies, BJs Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW.

Prosecutors say the defendants hacked into the computer networks of nine major U.S. retailers, including TJX. The Framingham-based company disclosed a massive computer security breach in late 2006. The indictments were handed down by federal grand juries in Boston and San Diego.

U.S. Attorney General Michael Mukasey says the hackers were able to gather enormous amounts of personal financial data, which they allegedly sold to others or used themselves. Mukasey says it's "impossible to quantify" the total dollar amount of the theft, which caused widespread losses for banks, retailers and consumers.

Those named in the indictment allegedly sold the information to criminals abroad and in the U.S., or encrypt blank credit cards to withdraw money from ATMs, officials said.

Prosecutors say three of the defendants are U.S. citizens from Miami, while others are from China, Estonia, Ukraine and Belarus. The scheme is believed to be the largest identity theft case ever prosecuted by the federal government.


Delhi Police busts credit card racket- arrested five in Delhi and UK NRI is on the run

New Delhi, April 02, 2008
Santosh Kumar

Delhi Police Crime Branch arrested five people- Vivek Prasad, 27, Nafees Ahmed, 37, Raju Khan, 27, Brijesh Yadav, 27, Dildar Hussain, 32, in south Delhi and recovered 21 fake credit cards from them. The racket has exposed the negative side of the technology advancements.

Deputy Commissioner of Police, Crime Branch, Anil Shukla told media in New Delhi: More than 20 UK residents were cheated of Rs.3 million (30 lakh) with the help of cloned credit cards after the gang obtained information encoded on their credit cards issued by seven British banks such as Barclays Bank and Lloyds TSB Bank.....

The police intercepted a Maruti Wagon car at Netaji Subhash Place and arrested the persons.

A case of cheating (Sec 420) and fraud (Sec 25) has been lodged against them with Saraswati Vihar police station.

NRI Loknathan in UK used to swipe his victim credit card on a skimmer, a small portable device like a pager that records all the information encoded in the microchip of the card.

Loknathan has been operating the scam for the past three months.

In UK, the owner of credit card does not pay if any fraud involved. The loss was either borne by the bank or by the insurance company. Since the fraud occurred in India no one pursues the matter from UK.

According to the police, the group had at least eight such transactions in the past three months. They carefully used a credit card once and never visited the shopping area again. They used to swipe the cloned credit cards with the help of shopkeepers and owners of the swipe machines.

Mostly they bought jewelry, laptops and mobiles worth lakhs of rupees and collected cash return by paying 5-6% commission to the swipe machine owners

Vivek Prasad, a Bangalore University graduate who worked as a business development executive in a firm in Hyderabad, is the mastermind of the racket. He used to procure information on credit cards from one of his associates, Loknathan in UK. Loknathan used to visit India often for the past six months.

Vivek then collaborated with Ahmed, who used to run a call centre for the HDFC Bank. Ahmed and his recruits to run these cards on swipe machines in Delhi. With the help of swipe machines owners, they used the card depending on its credit limit. Ahmed and his friend were keeping 10-20% of the amount.

Vivek transferred 40% of the transaction to Loknathan in UK.


Case Synopsis:

Operation began in November, 2006 when Seattle, WA United States Secret Service (USSS) office requested Jacksonville USSS office to locate and interview suspects identified in credit card fraud scheme with Magic Online (an online gaming company).

Carreras located and initial interview conducted on 11/16/2006.

The investigation revealed that in January of 2006, Carreras had met a subject on-line through a spam email offering a job opportunity designing web pages. That subject then in turn started him in a scheme that used stolen credit card numbers to purchase "event tickets" for use in the Magic Online game, which were then sold on EBay and the profit split between the two.

Sometime during the summer of 2006 Carreras and his partner quit the Magic Online account scam and began engaging in direct credit card scams, by purchasing "packets" of credit card data from persons on underground chat rooms.

With the information obtained on the chat rooms, and online background checks bought through legitimate online companies, the two then began purchasing money transfers from Western Union online. Western Union requires that for any purchase made online the purchaser has to call Western Union and validate the transfer by answering several questions about themselves, which is why it was necessary to purchase the backgrounds on the people whose credit card information had been purchased.

Carreras eventually began operating on his own and ultimately ended up recruiting other local persons to assist him in his illegal enterprise, listed below.

Carreras initially cooperated with the authorities in their attempts to positively identify his source and initial partner. But, even while cooperating he was still conducting his fraudulent activities.

Carreras, and two other suspects Melissa Renee Caraballo and Michael Duane Widrig II, fled the northeast Florida area in January of 2007. Arrest warrants were obtained for him, and the other two suspects.

On May 7, 2007, Carreras, Caraballo, and Widrig were located by Secret Service Agents, and members of the Las Vegas Metropolitan Police SWAT team at a Las Vegas, Nevada Suzuki Motorcycle Dealership.

Agent Rohrer and Detective Brown traveled to Las Vegas and interviewed all three suspects, again.

On May 22, 2007, they were returned to Florida and booked into the Putnam County Jail. Carreras remains in jail without benefit of bond, Widrig is still in jail with a $75,000 bond, and Caraballo was released from jail on 5/30/2007 with a $10,000 bond.

There are, at this time, eight known unnamed co-conspirators in this northeast Florida organization. There has been in excess of $50,000 worth of illegal wire transfers attributed to this one group.

This northeast Florida organization is tied into a much larger nationwide organization, which is responsible for even more illegal wire transfers, totaling hundreds of thousands of dollars. The investigation continues, with more arrests anticipated.

Florida Police: Credit card racket case:


Simon Peter Carreras, 23 years of age, Charged with: Violation of Racketeer Influenced and Corrupt Organization Act (similar to MCOCA in Maharashtra) and Organized Scheme to Defraud in excess of $50,000

Melissa Caraballo, 18 years of age, Charged with Organized Scheme to Defraud in excess of $300.00

Michael Duane Widrig II, 21 years of age, Charged with Organized Scheme to Defraud in excess of $300.00

Amy Leigh Bishop, 21 years of age, Arrested on 5/31/2007, charged with Organized Scheme to Defraud in excess of $300.00, still in Putnam County Jail, bond $50,000

Randall Karry Ritchie Jr, 31 years of age, Arrested on 5/24/2007, charged with Organized Scheme to Defraud in excess of $300.00. Released from jail on 5/24/2007 on $75,000 bond.

Edward Bruce Dodd, 36 years of age, Arrested on 5/7/2007, charged with Organized Scheme to Defraud in excess of $300.00. Still in Putnam County Jail, bond set at None by 1st appearance judge.

Eddie Ramon Renta-Aler, 27 years of age. Arrested on 5/3/2007, Organized Scheme to Defraud in excess of $300.00. Released from jail on 5/4/2007 on $15,000 bond.

Amber Dawn Renta-Aler, 26 years of age, Arrested on 5/3/2007, Organized Scheme to Defraud in excess of $300.00. Released from jail on 5/4/2007 on $15,000 bond.

Florida Police: Credit card racket case: contd.. Arrested people


Distinct modus operandi of Identity Thieves

• Be warned when stuff you never bought arrives at your doorstep. As a new scam uncovered in Utah revealed, identity thieves have tweaked their modus operandi to have victims literally hand over to them goods purchased online with the victim's own card. In a new move, fraudsters are using card holders' addresses to receive goods purchased using their compromised credit card accounts.

• Such frauds are known to be mostly committed by fraudsters from overseas. Until now, the fraudsters were seen to be employing people as ‘money mules’ to do this service. They would hire people online to work as re-forwarding or re-packaging agents for them on commission basis, on every package they safely send across.

• If and when the scam gets busted, the real fraudsters would go scot-free while the local agents would have a hard time explaining how they came to be in possession of the stolen goods.

• Fraudsters are not only stealing from the card but also using the owner’s address for receiving the goods bought using it!

• Card owners would naturally be surprised when items they never purchased turn up at their doorstep. They would immediately mean to send them back. So they wouldn't be surprised when, the same day or the day after, somebody comes to pick up the package saying it was all a mistake. Folks who turn up to collect the goods claim they were hired by the seller to have the goods sent back. Card owners wouldn't realize that these collectors were really accomplices of the fraudsters, come to take away the stolen goods.

• The fraudsters are counting on card owners not discovering the scam early. Card owners would only come to know of the scam, if they check their credit card account statements and discover the suspicious transactions.

• This gives one more reason to keep a close watch on your account statement. Noticed early, it can become an opportunity to set a trap for the fraudsters and turn the tables on them.


What to do if you are victim of CCF

• When you use a credit card, you can be vulnerable to fraud, whether you pay online, over the phone, or even in person at your neighborhood grocery store

• If you think you have been the victim of fraud or a scam, immediately follow these steps:

– Close any affected accounts
– Change the password on all your online accounts
– Place a fraud alert on your credit reports
– Contact the proper authorities
– Record and save everything


How to make out counterfeit cards:

• Crime syndicates use the latest technology, including computers, embossing and lamination, to create more realistic looking credit cards. Today’s counterfeit credit card will often have a complete hologram and a fully encoded magnetic strip. Most of the tools used to create counterfeit cards are manufactured in the Far East and smuggled to developed and developing countries throughout the world. To the untrained eye these cards will appear to be completely legitimate.

• Holograms of different cards are unique: In most instances the hologram on a counterfeit card is fixed on top of the card, whereas the legitimate hologram is embedded in the plastic during the manufacturing process.

• The white strip that carries your signature on the card should never be plain white. It always has ‘Visa’ or ‘MasterCard’ printed across in small print, many times over.

• It is a clear sign of a fake card even if this print is unclear or smudged.

• When placed under UV light, a large image of a white dove shows up on a Visa card, and the letters MC show up on a MasterCard.

• Genuine cards also feature micro printing on them: what looks like a thin line to the naked eye turns out to be really fine printing when looked through a magnifying glass. This feature is especially important as it’s very hard to imitate using ordinary printing equipment.


Why people don’t report credit card frauds


Problems in fixing criminal which enhances this crime and new methods to overcome it

• The challenge with credit card fraud is that it is typically an interstate fraud, meaning it happens from one state to the next, so the cost and time to prosecute are typically beyond the crime itself: it would cost more to extradite a person even across the country than the amount involved, which is typically no more than a few thousand (for small scale Indian fraudsters) if not a few hundred dollars.

• The reality: Identity theft and online credit card fraud are reaching epidemic proportions and the local law enforcement, no matter how much they want to, just don’t have the resources to enforce interstate crimes.

• Online Credit Card Offence & Indian Law:

– Indian legal position: Any offence pertaining to online payment through credit cards will come within the purview of the Information Technology Act, 2000 read with relevant provisions of the Indian Penal Code, 1860. Section 378 of the Code defines the term “theft” as follows:

– “Whoever intends to take dishonestly, any property, out of the possession of any person without the consent of that person moves the property in order to such taking, is said to commit theft.”

• In order to commit theft, the following ingredients are required to be satisfied:
– (a) The intention must be dishonest.
– (b) Such property must be movable in nature.
– (c) Such property must be taken out of the possession of its owner.
– (d) Such property must be taken without the consent of the owner.
– (e) Such property must be removed from its original place to another.

• Now we have to examine whether online credit card theft satisfies the abovementioned requirements in order to bring the offender to justice. This definition, if interpreted in the strict sense, does not include the online theft of credit card information. But, if a merchant dishonestly obtains the blank purchase slip, forges the cardholder’s signature on it and thereafter obtains the payment from the bank, he can be booked under the offence of forgery (discussed later).

• Thus, if there is no intention (intention is difficult to prove) to deceive or secrecy, the act though dishonest is not fraudulent.

• Intent to defraud: not a bare intent to deceive but intent to cause a person to act or omit to act, as a result of deception played upon him, to his disadvantage.


IT Act 2000 for action against CCF:

• To deal with CCF, our Parliament enacted the Information Technology Act in the year 2000. The following penal provisions of this statute are relevant to mention here.

• Section 66- This section provides the following penalties for hacking with computer systems:

– Whoever with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hacking.

– Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

• The offence under this Section is cognizable and non-bailable.

• Section 43- Clauses (a), (b) and (g) of Section 43 state that if a person has unauthorized access or secures access to computer, computer system, computer network or downloads copies or extracts any data from such computer, computer system, computer network or even assists another person to facilitate access in the aforesaid manner respectively, he shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

• It is quite apparent from the above that besides legal protection it is necessary to carefully examine the technological and contractual protection existing within the system because law is not an alternative to other security measures required to be taken by the cardholder while making online payment.


Definitions in IPC

• This offense also attracts provisions of Maharashtra Control Of Organized Crime Act (MCOCA)

• Counterfeit (28)
– Ingredients:
  • Causing 1 thing to resemble another thing
  • Intending by means of that resemblance to practice deception
  • Knowing it to be likely that deception will thereby be practiced

• E-record (29A) - 2(1)(t) of IT Act 2000

• Criminal conspiracy ingredients
– There should be agreement between 2 or more persons who are alleged to conspire
– The agreement should be to do/caused to be done
  • An illegal act
  • An act which may not itself be illegal, by illegal means

• Injury (44)

• Property-movable (22)-credit card

• Dishonestly (24)
– Whoever does anything with intention of causing wrongful gain to one person or wrongful loss to another person is said to do that thing dishonestly
– Wrongful gain and wrongful loss (23) - person who acquires wrongfully is wrongful gainer and person deprived wrongfully is wrongful loser

• Fraudulently (25)
– As defined in Law of contract
– Three ways to do fraud:
  • Deprive man of his right, either by obtaining something by deception or taking something wrongfully without knowledge or consent of the owner
  • To withhold wrongfully from another what is due to him
  • To defeat or frustrate wrongfully another’s right of property


Definitions in IPC

• Dishonestly (Sec 24)
– Whoever does anything with intention of causing wrongful gain to one person or wrongful loss to another person is said to do that thing dishonestly
– Wrongful gain and wrongful loss (23) - person who acquires wrongfully is wrongful gainer and person deprived wrongfully is wrongful loser

• Fraudulently (Sec 25)
– As defined in Law of contract
– Three ways to do fraud:
  • Deprive man of his right, either by obtaining something by deception or taking something wrongfully without knowledge or consent of the owner
  • To withhold wrongfully from another what is due to him
  • To defeat or frustrate wrongfully another’s right of property

• Counterfeit (Sec 28)
– Forged
– Ingredients:
  • Causing 1 thing to resemble another thing
  • Intending by means of that resemblance to practice deception
  • Knowing it to be likely that deception will thereby be practiced

• E-record (29A) [2(1)(t) of IT Act 2000]
– Any record in electronic form

• CCF also attracts
– Provisions of Maharashtra Control Of Organized Crime Act (MCOCA)
– Criminal conspiracy, which has ingredients:
  • There should be agreement between 2 or more persons who are alleged to conspire
  • The agreement should be to do/caused to be done an illegal act
  • An act which may not itself be illegal, by illegal means
– Injury


Sections of IPC attracted for CC Fraudsters

• Sec 21 defines public servant, i.e. any employee of a public sector undertaking (under control of State/central govt.) (r.w. article 12 of Constitution of India), i.e. employees of all scheduled banks and co-operative banks are public servants

• Sec 34 (act done by several persons in furtherance of common intention)
– Each person is liable in same manner as if it were done by him alone

• Sec 201 (Causing disappearance of evidence of offence or giving false information to screen offender)
– If less than 10 years then 1/4th of longest term of imprisonment for offence and/or fine.

• Sec 407 (criminal breach of trust by carrier)
– Punishment- 7 years imprisonment and fine

• Sec 420 (cheating and dishonestly inducing delivery of property)
– Punishable up to 7 years imprisonment and fine

• Sec 466 (Forgery of public register- any data or electronic records (as defined in clause ‘r’ of section 2(1) of IT Act 2000) (cc number in e-form) to be kept by the public servant (banker))
– Punishable for 7 years RI and fine

• Sec 467 (Forgery of valuable security- bill etc)
– Punishment: life imprisonment or 10 years imprisonment and fine

• Sec 468
– Punishment 7 years RI and fine
– Cognizable, non Bailable offence, triable by Magistrate of 1st class, non compoundable

• Sec 470 defines forged document or e-record – wholly or partly

• Sec 471 (using as genuine a forged (document or e-record))
– Punishment same as if he has forged (467)

• Sec 474 (having possession of document described in sec 466 and 467, knowing it to be forged and intending to use it as genuine)
– Punishment
  • 7 years Imprisonment and fine or
  • life imprisonment

• Sec 475 (possessing counterfeit marked material (plastic card))
– Punishable for Life imprisonment or 7 years imprisonment and fine
– Non-cognizable

• Sec 476 counterfeiting device or mark used for authenticating documents other than described in sec 467
– NC, NB
– Possession of any such device counterfeited punishable for 7 years and fine

• Sec 477-A Falsification of accounts with intent to defraud (i.e. e-record etc) by clerk, officer, servant
– punishable for 7 years and fine

• Sec 409 (criminal breach of trust (defined in sec. 405 IPC) banker/agent/merchant)
– Punishment is prescribed (for misappropriation of funds) as:
  • Life imprisonment or
  • imprisonment of 10 years and fine


Problems in fixing criminal which enhances this crime and new methods to overcome it..contd (due to Criminal Jurisprudence)

• Any quantum of suspicion cannot be a substitute for evidence (SC ruling; a Supreme Court ruling is the law of the land under article 141 of the Constitution of India, and the judge is duty bound to decide the case based on law).

• Benefit of doubt must go to the accused in criminal proceedings. Therefore, the strategy of defense counsel is to shed doubt on the evidence and take his client out of the clutches of the law.

• Every link between crime and criminal must be established. The strength of the chain is just that of the weakest link in the chain. It must be proved beyond the shadow of reasonable doubt, which is a very difficult task for the prosecution. The burden of proof is totally on the prosecution.

• If there is circumstantial evidence only, then it must be of such a nature that it leads to one and only one inescapable inference about the criminality of the accused. (This is also very difficult to prove.)

• Accused should be treated innocent till proved guilty: this principle of criminal jurisprudence should be changed to the strict criminal liability principle, i.e. the burden of proving innocence should be on the accused, as in food adulteration cases.


Future!....If no proactive steps taken

Courtesy: (Niculae Asciu)


Videos of credit card frauds tools


Conclusion

• This crime is spreading like a jungle fire throughout the world, especially in developed countries. India is a developing country, and we should prevent this epidemic from harming the economy, timely and vigilantly.

• In India, credit card fraud is mostly limited to the physical space. Online con jobs make up just about 1% of the total numbers here, unlike 40% in the developed world.

• All parties to credit card transactions are at risk when it comes to the hacking of credit card numbers. It is incumbent on the credit card associations to implement and enforce stricter rules regarding security and data protection practices by card issuers, merchant acquirers, processors, merchants and any other entities that manage or store card numbers on their servers. The card associations should also implement and enforce new rules that protect consumers from identity theft and credit reporting misinformation that can result from credit card fraud. Otherwise, consumer groups will force protective legislation in a lengthier and costlier process.

• But, as consumers graduate to the shop-easy internet and pay with their cards, instances of fraud are bound to rise. As access to the web increases, reported cases of card fraud are estimated to rise at 20-30 % every year. In online transactions, contracts are one-sided and the customer is always held responsible in case of fraud.

• Phishing is a commonly-used defrauding mechanism. To top it, people are careless in offering their card details.

• Thus, we can conclude that with the help of the legal remedies available, as cited earlier in the paper, legal action can be brought against the offenders who are held liable for credit card frauds and misuse, and they can be brought to book.


Thanks!

