Prevention of Card Fraud: Trends and Industry Action

Card fraud is one of the most widespread problems in the banking industry today. This type of crime causes more than direct losses to the market participants, it also undermines cardholder trust in banks’ services, spoils the image of the financial sector and payment card ‘brand’ altogether. Moreover, card fraud causes other social and economic problems that appear as a chain reaction, e.g. financing of other criminal activities.

The losses that industry faces due to card fraud are estimated at millions of euros annually. These losses are mostly covered by acquirers and issuers; however the cardholders are also forced to handle significant troubles – the waste of time and energy while fraud case is being investigated. Figure 1 demonstrates the card fraud losses increase in UK over the last decade.

Figure 1: Plastic Card Fraud Losses on UK-issued Cards: 1997 – 2007

Source: cardwatch.org.uk

Card Fraud Types

One of the reasons that fighting fraud in the payment card industry is difficult is the fact that new fraud types appear quickly and constantly, while existing fraud types are still difficult to classify as they are diverse and adaptive. The most common fraud types are:

1. Card-not-present fraud – fraud performed over the Internet, by telephone, fax and mail order, etc. First card data is stolen in the real world and then criminals use it for the purchases.
2. Counterfeit card fraud – this type of fraud occurs when a fake card is made using compromised card details. Skimming often takes place at merchant site, where an employee uses a special device to electronically copy the data from magnetic stripe.
3. Lost and stolen card fraud – when a card is physically stolen or lost and later used by a criminal.
4. Mail non-receipt card fraud – this type of fraud occurs when a card is stolen in transit after it has been mailed to the cardholder from their bank.
5. Identity theft on cards – this type of fraud occurs when a criminal uses fraudulently-obtained personal information to open or access card accounts held in someone else’s name.

Notwithstanding the constant improvements in fraud fight and regular upgrades of fraud detection systems, the stolen money volumes are still rising. The share of different fraud types doesn’t stay the same. The figures below demonstrate the shifts in fraud types in the UK within the past decade.

Figure 2: Plastic Card Fraud Losses in £ Millions (1997)

Source: cardwatch.org.uk

Figure 3: Plastic Card Fraud Losses in £ Millions (2002)

Source: cardwatch.org.uk

The fraud landscape is changing and the transformation is not limited to the targets and methods, but it also shows advance in the way fraudsters are structured, i.e. the crime is not organised, the crime is well-organised these days. Fraudsters work on a global scale thus making local prevention measures less effective. Despite the fact that many countries have governmental measures in place, fraud is not eliminated – it simply migrates to other countries.

The fraud schemes and fraud landscape are becoming more complicated, and accordingly, fraud prevention, detection and fight measures should also evolve.

Industry Measures to Prevent Card Fraud

Since the very early years of the payment card business, the industry has tried to protect itself and fight fraud. Today a number of different approaches are implemented:

1. Black lists of ‘hot files’ – these lists contain the information on cards that have been reported lost or stolen. When a merchant accepts a card payment it is automatically checked against the files and the retailer is alerted if the card’s details match the list.
2. Systems to reduce phone, Internet and mail order fraud, such as Visa and MasterCard secure payment systems. According to industry data, 3-D Secure scheme, branded as MasterCard SecureCode and Verified by Visa, is now used for about 10% of all e-commerce card transactions in UK. Unfortunately 3D Secure is not a convenient solution and on its own is not enough to prevent fraud from happening.
3. Chip and PIN – this measure alone has provided a dramatic change in fraud patterns and volumes. Due to the fact that chip and PIN is often very expensive and time consuming, criminals focus their attention on mag-stipe and card-not-present fraud. The potential next stage in making remote channel transactions safer is using chip and PIN in non face-to-face situations, such as online or phone shopping. One solution – hand-held card readers – builds upon chip and PIN technology. However, this is a rather expensive approach as a bank’s clients must be provided with the necessary devices.
4. The payment associations are continuing to push the PCI DSS forward. These regulations require retailers to build and maintain a secure network, protect cardholder data, maintain a vulnerability management programme, implement strong access control measures, regularly monitor and test networks and maintain an information security policy. However, many businesses are unwilling to comply with requirements, as it often requests drastic changes in workflow.
5. Number of lines of defence against fraud used by banks – e.g. they fight ATM fraud with physical barriers on the ATM, devices to jam or scramble transmission of card data by skimmers and by installing cameras.
6. Education, trainings and governmental aid – various industry players pay significant attention to this method, i.e. education of customers and retailer’s staff to stop fraud and increase people awareness. The services provided by the government and other organisations, such as dedicated police departments play an important role in fighting card fraud. Although such an approach is implemented in only a few countries, card fraud is mostly classified as money stealing, and no special units are organised.
7. Last, but not least, is the effort of banks and third party processors (TPPs) to use intelligent fraud prevention and detection systems – this approach to fraud management is rather innovative and probably the one that will be seen as essential in the future. Nevertheless, the market players do not want to invest money in preventing fraud until it is really happening. The implementation of fraud or risk management systems is one of the newest trends in the payment card business, and the amounts of money that can be saved by banks using such systems significantly surpass the investments in the software. So this is not a matter of a price or technology anymore – it is about banks’ business reputation and profits.

The main advantage of this last approach is the possibility to check for unusual spending patterns and spot fraud before it is reported by the cardholder and, in many cases, even before the fraud actually happened. In most cases, the requirement is for fraud prevention where authorisations are evaluated during the transaction time. It’s not post-factum checking, it’s moving to real time. These systems could use technologies such as fuzzy logic, neural networks and rules to analyse transactions and pick up likely frauds. Taking into account changing patterns of fraud, anti-fraud systems must be adaptive and dynamic. Shared databases for cross sector trends are becoming vital to detect changing trends in fraud. Collaborative fraud management is basically a way of saying that businesses can share data and experiences to reduce fraud. The problem with this approach is the fact that it is rather difficult to gather enough information, which on the one hand allows companies to work together and on the other hand doesn’t compromise customer data.

The fraud prevention and detection success largely depends on a software solution implemented in the bank or TPP. Hence the acquirers, as well as other market players – issuers or third party processors, while choosing the fraud prevention system, should closely evaluate the solution offered.

Rule-based Approach to Fraud Management

A rule-based approach is one recommended way to set up a fraud management system. In this case there’s a possibility by the setting of a standard functionality to create and describe the necessary business terms, subsequently creating monitoring rules becomes easier. Such an option ensures maximum effectiveness and convenience for system users. The implementation of these systems is fast and thus cheap enough, as it doesn’t require enormous amounts of time to set things up, as for example, in a neural system. Moreover, it allows analysis of the fraud cases and its details, which is not supported in neural-network systems.

The other vital advantage of a rule-based system is the possibility to choose the desired strategy of fraud prevention behaviour – i.e., a bank can set high fraud tolerance and maximise client comfort, increase risk level, or vice versa, increase the security level boosting the rejection number.

It is important that system users do not have more than just a possibility to define rules. In some advanced systems the user is also able to define precisely which statistics are to be accumulated and for what period of time. There should exist a possibility to describe scenarios of the fraud, which means that not only the single checking rule is used during the authorisation, but the system also ‘remembers’ previous card activity and checks whether any fraud scenario might be in process. The warning message for risk analysts, notifying them about a possible fraud scenario in progress, might be generated, even if it is not the final stage of such a scenario yet.

The other recommendation is to have dispute and fraud management systems integrated, which can give a serious overall performance improvement, as charge-backs often mean missed fraud events; consequently mutual analyses shows where rules need to be updated.

It is also considered important that a fraud monitoring system has a possibility to check the authorisations and transactions against lists based on internal or external data (such as ‘hot’ or ‘black’ lists mentioned above). The mentioned functionality could be enriched by the support of the usage of information which is not directly available within the authorisation message, such as information about compromised cards, individual/group limits, information about cardholder or merchant, etc. There is a wide range of rules and parameters by which fraud can be detected, e.g. for the acquirer the set of rules might be based on some of following warning signs:

• Evidence that credit card purchases have been intentionally structured by a merchant to keep individual amounts below the ‘floor limit’ to avoid approval requirements.
• Merchant account activity that reflects a substantial increase in the number and/or size of charge-backs.
• Merchant that has a sudden or unexplained increase in the level of authorisation requests from a particular merchant location.

For any fraud management system, it is vital to provide a user friendly graphical interface – workspace for risk officer, so he can reassign cases to other officers, make notes on the cases, check the authorisation and transaction history, etc. The system should provide features that allow a risk officer to analyse card authorisations and transactions quickly and initiate precise fraud control activities to meet new fraud challenges as they happen.

Online fraud prevention systems should be designed in the way that makes them capable of stopping the identified fraud at a very early stage. To be most effective, it should be built as a part of authorisation processing, therefore granting a possibility to prevent even the first authorisation for identified fraud schemes and not requiring intervention of the risk analyst.

It is essential for offline fraud detection systems to operate in near real time, delivering fraud alerts within minutes or even seconds after transaction, so bank/processing centres can contact the client and clarify the issue.

The whole fraud management solution must be able to react and prevent new fraud schemes as soon as they appear in the given region, because one of the biggest problems is the speed with which fraudsters can adapt to any new fraud prevention instrument.

Conclusion

There are three key points to remember when talking about card fraud:

1. Current global market trends demonstrate the constant increase in digital payment means, consequently pumping up fraud volumes.
2. Fraudsters never stand still – new schemes, methods, patterns of fraud appear daily.
3. In order to fight fraud successfully, a multilayered approach is required.

Looking back at the evolution of fraud, its victims and approaches, we must emphasise the fact that the targets of fraudsters become bigger and without the appropriate scheme of general protection, a fraud detection and prevention system, all the parties involved – cardholder, bank, processing centre – are exposed to fraud.