
Fighting Credit Card Fraud



John Price

In August this year, an extraordinary case of identity theft and credit card fraud came to light in the United States, involving 130 million credit and debit card numbers stolen between 2006 and 2008. According to government investigators, the culprits, including 28-year-old master hacker Albert Gonzalez, infiltrated the computer networks of Heartland Payment Systems – a leading credit card payment processor – and several major retailers. The prominent case focused attention on the increasingly complex cyber war between criminals and the credit card industry, and will likely spur new firewalls, state-of-the-art software solutions, and well-trained IT security consultancies.

Although such a response is necessary – the fastest growing forms of card fraud are of the high-tech kind – mature-market banks and their IT security apparatus are winning this war. In percentage terms, credit card theft rates in the United States and Europe have steadily declined over the last decade. Banks in emerging markets, however, continue to lose their battle with credit card fraud, particularly of an old-fashioned, mundane, yet ultimately more costly type.

In 2007, card fraud globally took in an estimated $5.5 billion, a startling number, but just 0.05 percent of the total card transaction volume, two percent of what card companies charge for their services, and even less than what issuers earn in interest from customers.

While card fraud losses are a mere pinprick for United States card issuers, losses in emerging markets are far more substantial. In Brazil in 2008, according to Kroll’s analysis, this fraud reached an estimated $300 million, or 0.15 percent of the transaction volume – three times the global average. In Colombia, where banks are arguably less sophisticated than those in Brazil, losses approach 0.25 percent of total card volume or eight times the United States average.

In July, this year’s annual Latin American Tarjetas y Medios de Pago (Cards and Payments Systems) conference attracted leaders from the region’s burgeoning card industry. At a Kroll-led workshop, about 50 participants recounted their most recent fraud “war stories”.

One Brazilian bank’s outsourced ATM maintenance supplier had inserted data stripping devices to copy PIN numbers and other bank data from cards used in the machines. A retailer in Colombia recounted how corrupt employees had, in collaboration with criminal elements, installed devices at the register to copy data from cards swiped there and sell it for the production of cloned cards. One Caribbean bank – a leading issuer – explained how members of its own IT department had downloaded card holder identities from its own computers. A Mexican bank described how its ATMs were being ripped out of walls by forklifts, after which the computers inside the machines were hacked and the numbers stolen.

What these stories highlighted was that most of the fraud was committed by employees or vendors. Moreover, all the guilty parties had some criminal record that had not been discovered in the internal background checking process of hiring or contracting. In the case of the “smash and grab” forklift theft, the surveillance equipment and systems were not functioning, victims of budget cuts. The most galling conclusion reached by seminar participants was how preventable most of these episodes were.

While the “arms race” between hackers and IT security may involve strategies incomprehensible to most card industry decision makers, issuers and processors can prevent the majority of frauds by following disciplined protocols in areas such as third-party administered background checks, due diligence on key vendors, the handling of sensitive data, and third-party audited IT security. Furthermore, a regular, external vetting of operations for vulnerabilities will help root out the largely internal sources of fraud. High-tech defenses alone cannot beat low-tech crime.
