Common Online Fraud Schemes
DID YOU KNOW
A 2010 RSA Security report found that the black market price for stolen credit card numbers with the CVV number was from $1.50 to $3, SSNs and dates of birth went for the same price, Zeus Trojan kits sold for $3,000 to $4,000, and login credentials for online bank accounts sold for anywhere from $50 to $1,000 depending on the type of account and balance.
With the low price and high availability of stolen credit card numbers and identities, fraudsters have seemingly infinite resources to run their schemes. There are many different ways scammers will try to defraud a merchant online, and in this section I discuss many of these common fraud schemes.
TYPES OF FRAUD SCHEMES
Card Generator Fraud
In this scheme a fraudster is working a block of card numbers to find one or more that will work on a purchase. They are typically working a specific issuing bank’s numbers. They will target smaller banks, and ones that are not up to date on card types and fraud solutions. For example, a bank may not be up to date on AVS systems or real-time authorizations, or it may have set up automatic authorizations for certain amounts. The fraudster will find the banks meeting these criteria, work out their weakness, and then attempt every number within the issuing bank’s assigned credit card number range. Once the fraudster successfully receives an authorization on one of the card numbers, they will make one or more purchases with it, from your business and from someone else’s business if they can.
You can spot someone hitting you with a card generator by looking at the velocity of use and velocity of change of the orders. They will have to try the card multiple times, so you will see the same card number with different expiration dates, and you will see the same address with a lot of different card numbers attempted against it.
The software for card generators is very widely available, so you will see this activity from seasoned fraudsters as well as from “kiddie” fraudsters trying it out. If you catch this activity occurring, look at the data being submitted and hot list any elements that were the same across all of the orders, such as the e-mail address, shipping address and phone number.
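The velocity checks described above, written out as an added example (this is not code from the original text or from any particular fraud-screening product). It runs over a constructed set of authorization attempts and flags a card presented with several expiration dates inside a time window, and an address that receives many distinct cards inside that window; it then lists the fields that were identical across every attempt to a flagged address, which are the hot-list candidates. The field names, thresholds and sample values are all assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample authorization attempts; none of these values are real.
# Card numbers are shown as tokens: hash or tokenize the PAN before it
# reaches a velocity store.
ATTEMPTS = [
    # one card tried with three different expiration dates in five minutes
    {"ts": "2024-03-01 10:00", "card": "tok_A", "exp": "01/26", "addr": "12 Main Ave", "email": "drop@example.com", "phone": "555-0100"},
    {"ts": "2024-03-01 10:02", "card": "tok_A", "exp": "02/26", "addr": "12 Main Ave", "email": "drop@example.com", "phone": "555-0100"},
    {"ts": "2024-03-01 10:05", "card": "tok_A", "exp": "03/26", "addr": "12 Main Ave", "email": "drop@example.com", "phone": "555-0100"},
    # three more cards from the same block, all against the same drop address
    {"ts": "2024-03-01 10:20", "card": "tok_B", "exp": "05/27", "addr": "12 Main Ave", "email": "drop@example.com", "phone": "555-0100"},
    {"ts": "2024-03-01 10:41", "card": "tok_C", "exp": "11/25", "addr": "12 Main Ave", "email": "drop@example.com", "phone": "555-0100"},
    {"ts": "2024-03-01 11:03", "card": "tok_D", "exp": "06/26", "addr": "12 Main Ave", "email": "drop@example.com", "phone": "555-0100"},
    # an ordinary customer: one card, one expiry, own address, repeat order a week later
    {"ts": "2024-03-01 12:30", "card": "tok_E", "exp": "09/26", "addr": "88 Oak St", "email": "jane@example.org", "phone": "555-0199"},
    {"ts": "2024-03-08 09:15", "card": "tok_E", "exp": "09/26", "addr": "88 Oak St", "email": "jane@example.org", "phone": "555-0199"},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def max_distinct_in_window(events, window):
    """events: list of (datetime, value). Return the largest number of distinct
    values that fall inside any sliding window of length `window`."""
    events = sorted(events)
    counts = Counter()
    best, left = 0, 0
    for ts, value in events:
        counts[value] += 1
        # drop events that fell out of the window
        while ts - events[left][0] > window:
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def card_generator_signals(attempts, window_hours=24, max_expiries_per_card=1, max_cards_per_address=2):
    """Velocity-of-change check (same card, changing expiry) and velocity-of-use
    check (same address, many cards). Thresholds are assumed values; tune them
    to your own order mix. Returns the offending cards and addresses."""
    window = timedelta(hours=window_hours)
    by_card = defaultdict(list)
    by_addr = defaultdict(list)
    for a in attempts:
        ts = _parse(a["ts"])
        by_card[a["card"]].append((ts, a["exp"]))
        by_addr[a["addr"]].append((ts, a["card"]))
    cards = {c for c, ev in by_card.items() if max_distinct_in_window(ev, window) > max_expiries_per_card}
    addrs = {ad for ad, ev in by_addr.items() if max_distinct_in_window(ev, window) > max_cards_per_address}
    return {"cards_with_many_expiries": cards, "addresses_with_many_cards": addrs}


def common_elements(attempts, address):
    """For every attempt shipped to `address`, return the fields whose value was
    identical across all of them: these are the hot-list candidates."""
    rows = [a for a in attempts if a["addr"] == address]
    common = {}
    for field in ("email", "phone", "addr"):
        values = {r[field] for r in rows}
        if len(values) == 1:
            common[field] = values.pop()
    return common


if __name__ == "__main__":
    signals = card_generator_signals(ATTEMPTS)
    print(signals)
    for addr in signals["addresses_with_many_cards"]:
        print("hot-list candidates for", addr, common_elements(ATTEMPTS, addr))
```

The sliding window matters: a generator run is concentrated in minutes or hours, while the ordinary customer who reorders a week later with the same card and expiry never exceeds the thresholds.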
Number of Purchases: 1 or more
Billing & Shipping Address: Typically different; the shipping address will typically be a drop point, abandoned point or temporary address
Phone: Bogus, or the real consumer’s number
Purchase Amount: Any
Fraud-Prevention Techniques: Velocity of use, velocity of change, fraud screening
Consumer Satisfaction Fraud
You can please some of the people some of the time, but you cannot please all of the people all of the time…
What do you do about that annoying customer who keeps charging back their orders, when you know you have done what they asked? They may say, “You didn’t send what I ordered,” “It didn’t arrive when you said it would,” or “I changed my mind.” The fact is charge-backs are expensive, and some customers, God bless them, you just can’t afford to have as customers.
We have all heard of, or experienced, the customer who purchased something, used it and then returned it saying they just aren’t happy with it. Merchants try to explain to consumers that they cannot take it back because it’s used, but the consumer simply complains to their issuer and the merchant is stuck with the bill.
I don’t have any magic answer for catching these consumers up front (if I did I would be a rich man), but there are things you can do to limit your exposure. First, if you are selling goods or services under $50, you should consider a no-hassle return policy. Just take it back; don’t mess with a charge-back unless you have an iron-clad case. In some cases the dollar value of a purchase makes fighting a charge-back a worthless proposition.
Second, implement a warm list, or use your hot list, and add this consumer to the list. I would recommend a two-strikes-you’re-out policy. One charge-back or return of goods or services and you are put on the warm list; two charge-backs or returns and you’re on the hot list. Make sure you review your warm list quarterly to see how many good purchases have occurred from these customers; if they have had a good purchase in that same time period, remove them from the list. However, if the consumer actually did process a charge-back, wait for two good purchases before you take them off of the warm list. Remember that the hot list automatically declines the order and the warm list automatically causes a review.
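The two-strikes policy above, as an added worked example (not code from the original text, and not any vendor’s list-management product). It tracks strikes per customer, moves a customer to the warm list on the first charge-back or return and to the hot list on the second, and at the quarterly review releases warm-listed customers who have since made one good purchase, or two if their strike was an actual charge-back. The same list is where the consumer-perpetrated fraud section later says to put a customer who claims they never placed an order. Customer identifiers and the event sequence are constructed; counting “good purchases since the last strike” rather than within the calendar quarter is a simplifying assumption.

```python
from dataclasses import dataclass


@dataclass
class CustomerRecord:
    strikes: int = 0            # charge-backs plus returns, cumulative
    chargebacks: int = 0        # how many of the strikes were charge-backs
    good_since_strike: int = 0  # good purchases since the most recent strike


class ListManager:
    """Warm list = order goes to manual review; hot list = order auto-declined."""

    def __init__(self):
        self.records = {}
        self.warm = set()
        self.hot = set()

    def record_strike(self, customer, kind):
        """kind is 'chargeback' or 'return'. First strike -> warm, second -> hot."""
        if kind not in ("chargeback", "return"):
            raise ValueError("kind must be 'chargeback' or 'return'")
        rec = self.records.setdefault(customer, CustomerRecord())
        rec.strikes += 1
        rec.good_since_strike = 0
        if kind == "chargeback":
            rec.chargebacks += 1
        if rec.strikes >= 2:
            self.warm.discard(customer)
            self.hot.add(customer)
        else:
            self.warm.add(customer)

    def record_good_purchase(self, customer):
        rec = self.records.setdefault(customer, CustomerRecord())
        rec.good_since_strike += 1

    def quarterly_review(self):
        """Release warm-listed customers who have earned their way off: one good
        purchase after a return, two after a charge-back. Strikes stay on the
        record, so a later strike still sends them to the hot list."""
        released = []
        for customer in sorted(self.warm):
            rec = self.records[customer]
            needed = 2 if rec.chargebacks > 0 else 1
            if rec.good_since_strike >= needed:
                self.warm.discard(customer)
                released.append(customer)
        return released

    def decision(self, customer):
        """What the order pipeline does with a new order from this customer."""
        if customer in self.hot:
            return "decline"
        if customer in self.warm:
            return "review"
        return "accept"


if __name__ == "__main__":
    lists = ListManager()
    lists.record_strike("cust_return", "return")          # one return -> warm
    lists.record_strike("cust_chargeback", "chargeback")  # one charge-back -> warm
    lists.record_strike("cust_repeat", "return")
    lists.record_strike("cust_repeat", "return")          # two strikes -> hot
    for c in ("cust_return", "cust_chargeback", "cust_repeat"):
        print(c, lists.decision(c))
    lists.record_good_purchase("cust_return")
    lists.record_good_purchase("cust_chargeback")
    print("released at review:", lists.quarterly_review())  # only cust_return
    lists.record_good_purchase("cust_chargeback")
    print("released at next review:", lists.quarterly_review())  # cust_chargeback
```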
Number of Purchases: 1 or more
Billing & Shipping Address: Typically the same
Phone: Real consumer’s number
Purchase Amount: Any
Fraud-Prevention Techniques: Hot lists, warm lists
Credit & Return Fraud
This scheme has slowed down dramatically in the USA, as most merchants have already implemented policies to avoid it, but it is still occurring in Europe and Asia.
The scheme happens in one of two forms. The first is where a fraudster working alone will come in and make purchases for goods and services and then will return the goods to have a credit given in cash.
The second form of this scheme is where the fraudster works with an accomplice. The fraudster makes purchases with the fraudulent credit cards and the accomplice returns them for cash.
In both forms there may be some time between the purchase and the credit. On return they may or may not have the receipt. They will commonly try to make returns without a receipt at times when that is common, such as during holiday shopping seasons.
What does the scheme have to do with e-commerce and MOTO? If your business has a direct retail presence you could see some of this type of fraud as cross-channel fraud. With the emergence of e-commerce and the buy online and return in-store capabilities, the fraudster can use this scheme to move goods and funds.
With this scheme you have to be very conscious of patterns of charge-backs on items not typically charged back. The fraudster can target safer purchases with this scheme because they intend to return them for cash or gift cards, and then use those to buy higher-end goods that they can sell on the street more easily.
Most merchants in the U.S. have adopted a policy of only giving credits to the same credit card that was used for the purchase, or in the case of gifts they will give a gift card. This has curbed the scheme pretty well, but most merchants are still susceptible to it because the fraudster can still make the fraudulent purchases, make the returns and then purchase another item.
Beyond adopting better return policies you can implement velocity of use and change checks on your credits and returns to catch people who are doing a lot of credits from a lot of different points. Be careful with this — make sure you know your customers. Some of your customers could very well have multiple people making purchases for them at the same store, and they could be looking to consolidate gifts and buy something different.
Number of Purchases: More than one
Billing & Shipping Address: Typically different; the shipping address will typically be a drop point or abandoned point
Phone: Bogus, or the real consumer’s number
Purchase Amount: Any
Fraud-Prevention Techniques: Better return policies, velocity of change and velocity of use
Collusive Fraud - Internal Fraud
Collusive fraud is when a member of the merchant’s staff is working with the fraudster. This person could be directly helping the fraudster commit the acts, or could be funneling goods to them.
The most common version of this type of fraud is where the inside person will work in a merchant’s call center to learn the fraud prevention policies and procedures. The inside person then feeds this information to the fraudster in a form in which they can get around your current fraud policies.
Other variations of this scheme are where the staff member is actually putting in orders or changing shipping information to have goods sent to other points. Or they are taking down credit card and personal information of consumers and then using this to make other purchases there or at other merchants.
Number of Purchases: More than one
Billing & Shipping Address: Same or different
Phone: Disposable mobile phone number or real consumer’s number (not the fraudster’s)
Purchase Amount: Any, but usually more on the upper end
Fraud-Prevention Techniques: Velocity of use, velocity of change, hot lists, fraud screening, rules engines, implementing tiered reviews with managers reviewing staff, and making sure you document the name of the staff member who works on each transaction
I have been working with merchants for years, and I am still amazed at the creativity fraudsters come up with to defraud merchants. These people aren’t stupid, uneducated thugs. They are educated, crafty and patient.
If there is one thing I have learned from my experiences, I know that even if you wanted to, it is not realistic to think you can stop all fraud. There are just too many ways to create a perfect one-use identity. The resources, time, money and people I would have to put into place to catch these fraudsters just don’t make sense.
But the good news is you don’t have to catch the perfect one-use criminal. The majority of fraudsters out there are still using the basic scams to defraud merchants because there are still too many businesses that aren’t doing anything to stop them. The purpose of this section is to give you an understanding of some of the general schemes that are out there. With this understanding you can look at your business and craft fraud-prevention strategies that most closely match the type of fraud scheme your site sees.
This section will also give you the insight to look at fraud patterns to spot fraud schemes as they are being perpetrated against you. Remember that to be effective at preventing fraud you have to be proactive in the design of your strategy. Don’t just model your fraud strategies off what you have been hit with in the past, but look at your vertical market and see what other common fraud schemes may be pointed at you.
Where do those Fraudsters get the Credit Card Numbers?
Have you ever wondered where the fraudster gets their credit card information from? The fact is, lists of valid credit card numbers are available on the black market, with different prices for valid credit cards and credit cards with the card security numbers provided. Where do all of these cards come from? From several places.
The major point is from a scheme called skimming, in which card numbers are being harvested in common places like restaurants, bars, hotels, ATMs and airports. The fraudster places fake devices in these locations where an accomplice, or the entire staff unknowingly, is swiping each credit card that comes in. These numbers are then collected, and sometimes sold, to be used for fraudulent activity.
Credit card numbers can also come from fake applications for credit, identity theft, account takeovers and from valid unused account numbers. Since credit card numbers are allotted to issuers in blocks, fraudsters can methodically check each credit card number in a sequence by using a credit card generator to test a bank’s credit card numbers. Of all of these methods, identity theft is the most worrisome. In cases of identity theft a fraudster can look and feel perfect to all but the most sophisticated fraud solutions.
One Hit - One Merchant & One Hit - Multiple Merchants
This is one of the more difficult types of fraud to detect and prevent. In this scheme a fraudster will acquire a credit card profile and will make a single purchase from your site. They will not use your site again, or if they do it will only be after a very long period, greater than three months. They are making more than one purchase on the credit card itself, but at different vendors rather than multiple purchases from the same vendor. The fraudster will also typically be drawn to very highly fence-able goods: electronics, jewelry, mobile phones, computer goods and gift cards.
Number of Purchases: 1
Billing & Shipping Address: Typically different; the shipping address will typically be a drop point or abandoned point
Shipping Method: Express Shipping
Phone: Bogus, or the real consumer’s number
Purchase Amount: High
Fraud-Prevention Techniques: High dollar amount rule with express shipping rule, reverse lookup address and phone, use of fraud screening that does cross-merchant velocity-of-use checking, card security schemes
Consumer-Perpetrated Fraud
This is a scheme in which the consumer or an accomplice of the consumer makes a purchase and then denies they made the purchase, or that they never received the goods or services. All of the data points will look good but the consumer will swear they did not make the purchase and did not receive the goods or services. They may also say they placed the order but never received the goods or services.
The consumer calls their issuing bank for the credit card and disputes the transaction for one of these reasons:
Claim they never made the charge
Claim their account was abused by someone else
Claim they never received the services
Claim that their spouse never made the transaction
If the consumer says they never placed an order, take a look at your past records to see if they have ever made a purchase from you before, and make sure you put them into at least a warm list to watch for them in the future.
Number of Purchases: 1 or more
Billing & Shipping Address: Typically the same; or if different, a real address with a real person
Phone: Real consumer’s number
Purchase Amount: Any
Fraud-Prevention Techniques: Signature required on delivery, use of consumer authentication techniques, Verified by Visa, MasterCard SecureCode and out-of-pocket checks, hot lists and warm lists, card security schemes
Morphing Fraud - Repeat Offenders
In short the morphing attack is where a fraudster is hitting a single merchant multiple times using slightly different data points each time. These attacks are typically of short duration with multiple purchases being made and sent to the same address or within a very close proximity. The fraudster may change every data point except one or two, so you have to be doing some good cross-reference checking to catch them.
This scheme has a couple of different variations. I call them the “bust-out,” the “slow morph” and the “multiple personality” morphing fraud attacks.
In the bust-out variation the fraudster will make multiple purchases from your site within a short timeframe with a number of different credit cards. All of the goods and/or services will be going to the same location, but all of the other data may change between purchases.
In the slow morph attack, the fraudster will make purchases over time with elapsed time between purchases to prevent raising any flags, and will change the credit card, address and phone slowly over time, just keeping in front of you.
In the multiple personality attack, the fraudster will set up several different personas with different cards and make periodic purchases over a 30 to 90-day timeframe. I have seen cases where the morphing attack was pulled off with 2 to 3 hits per month, all spread out over a 90-day period. The fraudster used three different credit cards and personas and made one purchase with each persona per month for a three-month period and then disappeared. The merchant in this case was using velocity of use and change, but was only counting usage and change over a 24-hour period in an attempt to catch bust-outs. They finally caught on when they started doing some research on past charge-backs and saw the fraudster was using variations of the same name, for example “Sara, Sarah, Sam, Samantha, Bill, Bob, William, Willard and Wilda.”
The morphing attack is a little easier to spot if you have good velocity of use and change checks in place. The problem is determining how many purchases or changes constitute actual morphing. As merchants we all pretty much assume, and want, that our customers will come back and buy from us. We never assume the fraudster knows this as well and will play us based on it. Making a purchase once a month for three months wouldn’t in itself set off any alarms, but what they are buying and how the data points they send us change does.
In looking at catching morphing attacks you will have to really think about how you can look at previous account activity, and how you can look at the products purchased as well. The velocity of change and use checks are the best mechanisms to catch someone morphing their identity in their attack.
Some of the things you can look for to catch these morphing fraudsters include:
Look at the typical buying patterns for your merchandise. Would someone typically buy the product sold more than once in a day, week, month or year? For example if you sell televisions online, how often would the same person buy another television on the same day, week or month? If you sell jewelry, how often does someone buy the exact same piece of jewelry in a day, week, month or year?
If you are already looking at velocity of change and use on a daily basis today to stop bust-outs, don’t change it. Add another combined look at velocity of use and change over a 6-month period in which you look at the number of purchases on a given credit card, e-mail, phone and address. Track the number of changes of a credit card number to an e-mail, phone and address over time.
Look at the name associated with a credit card number to see how many times it is changing. The name is typically not a good tool for doing fraud checks, but in the morphing attack the attacker can change the name with everything else staying the same. They don’t always do this, though; in the case I discussed earlier the fraudster used variations of the same name, which is how we caught him and stopped him from starting back up the following month with a fresh set of cards.
If you are doing e-commerce, track the IP address being used by the fraudster and check it against the IP addresses from past charge-backs to see if they are coming from the same points. It is very rare that they will have the same IP address (that typically means a real novice fraudster), but you can see trends toward certain proxies or regions.
Number of Purchases: More than one
Billing & Shipping Address: Typically different; the shipping address will typically be a drop point or abandoned point
Phone: Bogus, or the real consumer’s number
Purchase Amount: Any
Fraud-Prevention Techniques: Velocity of use, velocity of change, geolocation, and consumer authentication, hot lists, card security schemes
Fraud Rings
Nothing strikes fear in a merchant’s heart like the dreaded fraud ring. If you are lucky you have only read about them in the paper or seen a piece on them in the news. If you’re not lucky, you have experienced how devastating they can be.
Fraud rings are very good at finding the weak points in your fraud-prevention process and exploiting them quickly and efficiently. They are patient, taking a lot of time to learn about your policies and procedures. They typically perpetrate one or more of the other fraud schemes described in this section to find out how you react before they make a more massive attack.
They will target a merchant and see what channels and purchase instruments they will accept.
They will research the company via social engineering to see how the business operations work, how data is stored, how long before charge-backs occur.
They will look for vulnerabilities in the site, like dollar thresholds and rules that are applied.
They will attempt to hack the site.
What are fraud rings looking for? They want to find out where you really start looking at orders. Are there dollar thresholds below which you don’t do any fraud screening? Do you use any manual reviews, follow up with phone calls, or do reverse look-ups? Do you use hot lists, or fraud screening solutions? Each of these gives them a different angle of attack and tells them how to attack. These things also tell them what pace they can attack a merchant at. They will also look at how you change across time — do you have more lenient policies during slow times, or during peak holiday times?
One of the favorite times for a fraud ring to hit is during the Christmas season, because they know you can’t look at everything, and you probably have temporary help that is not as experienced. They also know you can’t take down your systems without affecting the rest of your business. Fraud rings aren’t typically greedy about their attacks and will patiently work your site during a holiday season to take you for a reasonable sum before the season is over. They will be long gone before you can really see what was happening.
In stopping fraud rings, you have to focus on the basics of preventing fraud. The most basic point for fraud rings is catching the similar or common data points that can help you isolate the ring and attempt to stop it. Using tools like geolocation, freight forwarder lists, delivery address verification, consumer authentication and velocity checks, you can isolate these common data points. The most common data points you should be looking for are the use of the same address, phone or e-mail accounts, or very close similarities between them (e.g., 12 Main Ave, 12a Main Ave, 12b Main Ave).
In cases where the fraud ring is hitting multiple sites in its attack, use of the freight forwarder check and fraud-screening techniques that do cross-merchant velocity checks will help in catching these fraudsters. A lot of fraud rings will use freight forwarders to move the goods out of the country to places such as Asia, Eastern Europe, Africa and South America.
The more dangerous fraud rings are typically well thought out, using true account takeovers with long active periods of good purchasing behavior in which everything will look OK, before performing a bust-out. You also have to assume they have plenty of valid credit card numbers to use, since most are associated with skimming or harvesting activities for valid credit card numbers. There are very well known fraud rings that operate out of Eastern Europe and Africa. If you check the United States government sites for the Secret Service and the Federal Trade Commission you can usually find advisories about these groups. The only catch with checking these sites is that once you see a group in print, you have probably already been defrauded.
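Both the morphing attack and the fraud ring are caught by the same habit: linking orders through any single data point they still share, over a window longer than 24 hours. The following is an added example, not code from the original text or from any fraud-screening vendor. It normalizes shipping addresses so that 12 Main Ave, 12a Main Ave and 12b Main Ave collapse to one key, then unions orders that share a card, e-mail, phone or normalized address inside a six-month lookback, and reports clusters in which the card or the name keeps changing. It generalizes the text’s examples slightly: the link can run through any one of those fields, not just the address. The order records, field names and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample orders spanning three months; none of these values are real.
# Orders 1-3 are one persona morphing across cards, names and address suffixes;
# orders 4-5 are an ordinary repeat customer.
ORDERS = [
    {"id": 1, "ts": "2024-01-05", "name": "Sara Miller", "card": "tok_1", "email": "sara@example.com", "phone": "555-0101", "ship": "12 Main Ave"},
    {"id": 2, "ts": "2024-02-06", "name": "Sarah Mills", "card": "tok_2", "email": "smills@example.net", "phone": "555-0101", "ship": "12a Main Ave"},
    {"id": 3, "ts": "2024-03-07", "name": "Sam Mills", "card": "tok_3", "email": "sam@example.org", "phone": "555-0177", "ship": "12b Main Ave"},
    {"id": 4, "ts": "2024-02-20", "name": "Jane Roe", "card": "tok_9", "email": "jane@example.org", "phone": "555-0199", "ship": "88 Oak St"},
    {"id": 5, "ts": "2024-03-15", "name": "Jane Roe", "card": "tok_9", "email": "jane@example.org", "phone": "555-0199", "ship": "88 Oak St"},
]


def normalize_address(addr):
    """Collapse near-identical addresses: lower-case, drop punctuation, strip a
    unit letter glued to the house number (12a -> 12) and apt/unit suffixes."""
    s = re.sub(r"[^\w\s]", " ", addr.lower())
    s = re.sub(r"^(\d+)[a-z]\b", r"\1", s)
    s = re.sub(r"\b(apt|unit|suite)\s*\w+", "", s)
    return " ".join(s.split())


def link_orders(orders):
    """Union-find over orders: two orders are linked if they share any one of
    card, e-mail, phone or normalized shipping address. Returns the clusters."""
    parent = list(range(len(orders)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen = {}
    for i, o in enumerate(orders):
        keys = [("card", o["card"]), ("email", o["email"].lower()),
                ("phone", o["phone"]), ("ship", normalize_address(o["ship"]))]
        for key in keys:
            if key in first_seen:
                union(first_seen[key], i)
            else:
                first_seen[key] = i
    clusters = defaultdict(list)
    for i, o in enumerate(orders):
        clusters[find(i)].append(o)
    return list(clusters.values())


def suspicious_clusters(orders, as_of, window_days=180, min_orders=2, min_distinct=2):
    """Within the lookback window, report linked groups whose card or name keeps
    changing: the morphing signature. Thresholds are assumed starting values."""
    cutoff = datetime.strptime(as_of, "%Y-%m-%d") - timedelta(days=window_days)
    recent = [o for o in orders if datetime.strptime(o["ts"], "%Y-%m-%d") >= cutoff]
    flagged = []
    for cluster in link_orders(recent):
        cards = {o["card"] for o in cluster}
        names = {o["name"].lower() for o in cluster}
        if len(cluster) >= min_orders and (len(cards) >= min_distinct or len(names) >= min_distinct):
            flagged.append({
                "orders": sorted(o["id"] for o in cluster),
                "distinct_cards": len(cards),
                "distinct_names": len(names),
                "addresses": sorted({normalize_address(o["ship"]) for o in cluster}),
            })
    return flagged


if __name__ == "__main__":
    for hit in suspicious_clusters(ORDERS, as_of="2024-03-31"):
        print(hit)
```

Run with a 24-hour window this finds nothing, which is exactly the gap the three-month morphing case above slipped through; the six-month lookback is what ties the three personas together.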
Number of Purchases: More than one
Billing & Shipping Address: Typically different; the shipping address will typically be a drop point or abandoned point
Phone: Bogus, or disposable mobile phone number
Purchase Amount: Any
Fraud-Prevention Techniques: Velocity of use, velocity of change, geolocation, consumer authentication, hot lists, fraud screening, freight forwarder, rules engines, card security schemes
Identity Theft
Identity theft continues to be a major issue in the marketplace, with a case of identity theft being reported every 79 seconds in 2001 according to the MasterCard Risk Symposium, and for 9 consecutive years the United States Federal Trade Commission (FTC) had more consumer complaints filed about identity theft than about any other single issue. The FTC also estimates about 700,000 cases of identity theft per year. The United States Postal Service puts the number around 500,000, and Security Management Magazine in August 2002 estimated 500,000 as well.
In the United States the FTC has been charged with tracking cases of identity theft through the Federal Trade Commission Identity Theft Clearinghouse. In Canada cases of identity theft are tracked through the credit bureaus.
The United States Postal Service reported it will typically take a victim 12 months before they find out their identity has been stolen, and it will take these victims an average of 175 hours to clear their name.
As you can see, identity theft is a major issue. The fact is a lot of merchants and consumers believe that the Internet is somehow to blame for the rise of identity theft, but in reality the Internet is not even in the top ten methods of acquiring identity takeover information. Database intrusion was the number one method for stealing data, followed by dumpster diving. Once a fraudster steals someone’s identity, what do they do with it? According to the FTC, 42% is used for credit card fraud, 20% for utility fraud and 13% for bank fraud.
Fraudsters can very easily take over and create new identities. The CDC puts out an annual book that can tell the layman how to obtain birth certificates on anyone. The birth certificate is bar none the best breeder document for identity theft. So where do they get the basic information on a person to start this process? From dumpster diving, database cracking and car rental agencies, to name a few. Anywhere you might have to fill out an application is a potential compromise point for identity theft.
As of 2002 all 50 states delineated identity theft as a crime, whereas before some states would have to use impersonation, check fraud, etc. to prosecute. California recently passed legislation, Penal Code section 530.8, stating that when someone reports this type of fraud, banks must allow the consumer or police to have access to all records, including the files on the application or changes to applications.
So what can you do about identity theft? First educate your customer service representatives on the tactics of fraudsters. Perform comprehensive customer validation, namely out-of-pocket checks. Also perform velocity of use and change checks and use third-party fraud screening that combines velocity across merchants.
If you have a case of fraud and a consumer calls you and says he or she is a victim of identity theft, be patient with the consumer. It may be true that he or she is a fraudster trying to social engineer you, but you should be polite and assume it really is a case of identity theft unless you have clear evidence to the contrary. Tell the victim they need to provide you with an affidavit and a police report, with the police report number and the officer’s phone number on it. The consumer can get a sample affidavit from the FTC website, or they can get an Identity Theft Reporting Kit from our website. One note on the affidavit: technically the affidavit does not have to be signed or notarized to be legal, but ask for this anyway; if nothing else it is forensic evidence and could be used as evidence of perjury.