Online Credit Card Fraud
Fraud is the intentional representation of a falsehood as being a fact. The purpose of fraud, including e-commerce or online fraud is to deceive another party through misrepresentation and involves an illegal and dishonest transaction in order to obtain a profit.
The most important difference between traditional person to person fraud and e-commerce, mail-order/telephone order (MOTO) or online payment fraud is that the credit or debit card is not physically presented to the merchant for a transaction to take place. The fraudster simply needs the correct card information to progress the purchase. Criminal networks, often functioning in the Dark-net, steal and sell this information to other criminals and can also provide the physical credit card itself. The work, techniques, knowledge, methods and intention of using credit card information to facilitate a fraudulent transaction is known to criminals as ‘carding’.
There is a large amount of card information available to dishonest persons and transactions using this stolen information has been become relatively easy to acquire.
New measures are adopted by financial institutions and merchants that are largely protective and make fraud more difficult but these measures can be circumvented. The more protective measures in place the better the security but there are still many avenues for criminals to be deceitful. Constant cross-check methods including BIN number validations should be part of an online merchant’s risk-mitigation techniques.
Banking systems and checks
Most banks currently have several measures incorporated into their security systems that greatly reduce the risk to customers from credit card fraud:
- Chip and PIN: Many countries mandate the use of “micro computer chips and PIN” technology that are the practicable elements of the EMV (Europay, MasterCard, and Visa) technical standard. The imbedded chip replaced the need to swipe the magnetic strip on credit cards and is considered to be more secure. They are regulated through the standards based on ISO/IEC 7816 for contact cards, and standards based on ISO/IEC 14443 for contactless cards;
- Two-factor authentication: Many banks use text messages or tokens that generate a unique, time-limited code to help verify the legitimacy of transactions;
- Monitoring of customer habits: some banks have complex sets of algorithms that monitor the spending habits and transactions of their customers. They frequently have the ability to identify a suspicious (often fraudulent) transaction and either request extra validation or block it entirely.
Indicators to consider
Hackers and fraudsters take precautions that aim to make themselves unnoticed and anonymous. There are several methods recommended to help stop fraud, including the following guidance for detecting fraud. One of these indications by itself may not be an indication of fraud, but it is worth giving the transaction special or closer attention if one or more of these indicators occurs for a particular transaction.
- Multiple addresses may be used for the same credit card to help disguise an association;
- Customers who are making a purchase from you for the first time - although some tactics involve a small initial purchase to build trust and then a larger order that is dishonoured;
- Orders from Internet addresses using free email addresses;
- The destination of the products is unusual - although some credit card frauds use accomplices to collect the stolen goods in the same country as their stolen credit card is registered;
- Unusually large quantities of the high value products, which may be easier for the criminal to on-sell such as:
Shipping address and billing address that are not the same;
A significantly large number of transactions using the same or similar details in a short amount of time;
Payments made with many credit cards of similar or sequential numbers;
Orders for multiple quantities of the same item;
Customers who place a number of orders within a short space of time;
Orders placed where the first card ordered is declined, and a second card is immediately used to reorder;
Orders shipped to a country where the goods could easily be purchased locally. The question must be asked why the purchaser is prepared to pay the shipping expense, and wait longer for the goods to arrive;
Orders requesting the goods to be shipped to a third party;
Selecting expensive shipping options that seek quick and rushed delivery;
Orders where the only contact number provided is a mobile phone;
Several cards used from the same IP address - although IP disguising software is sometimes used by criminals;
Orders for goods not normally supplied by your business.
- Electrical goods;
- Household appliances;
- Goods which are easily disposed of for cash.
Exercise particular caution in relation to overseas orders. Large orders should in all cases be held back for shipping while further enquiries are made into the legitimacy of the purchaser. Merchants should not ship goods until satisfied that the purchase is legitimate. While all orders from overseas countries represent an increased fraud risk, transactions originating from the following countries have been identified as generating a disproportionate level of credit card fraud:
- South East Asia;
- West Africa;
- Eastern Europe;
- Or where the order is from a country from which you don’t usually receive orders.
It should be noted that some fraudsters have accomplices in the country where the supplier originates and therefore orders delivered within the country of origin can still be the work of dishonest buyers.
Fraudulent purchases can often lead to chargebacks. A chargeback is a sum that must be returned by the merchant to the cardholder after a fraudulent transaction. Processing a chargeback can include operational costs such as transaction fees, legal fees and currency conversions etc. These amounts become the total lose in money to the deceived merchant in addition to the time and inconvenience of processing the correspondence and payments to deal with the chargeback.
If the merchant incurs a large number of chargebacks the result can, at worst, be that he can’t find an acquirer to process his payments, as he is considered a high-risk customer.
Another loss for the deceived merchant is the product sold to the fraudster - the merchant will not get the “sold” (stolen) product returned.
Merchants can reduce the risk of fraudulent purchases and chargebacks from online and
MOTO transactions by implementing the following measures:
- Request the purchaser to provide the CVV2 (Visa) or CVC2 (Mastercard) three digit number located on the signature panel of the credit card. If the purchaser is not in possession of the card, it is unlikely they will know this number;
- Validate the card issuer country of origin with the delivery address using BIN number check (BINLists.com);
- Request the purchaser to provide a fax copy of their driver’s licence;
- Call up the customer to confirm the details of the order;
- Ensure the customer’s billing address and delivery address is consistent;
- Check the telephone book to verify address and phone numbers provided;
- Obtain a signed receipt from the cardholder when the goods are delivered;
- In the case of orders for a large number of different goods, telephone the cardholder after the order is placed to confirm the order. Also, have the purchaser read back all details of the order. Frequently, where an order is fraudulent, the purchaser will be unable to confirm these details, as they were ordering at random, with no record of what they ordered;
- Don’t continue to attempt authorisation after receiving a decline;
- Keep up to date with latest scams.
If you're unsure a transaction is legitimate you can take some extra steps to validate the order and reject any order that still appears to be suspicious.