This paper was presented at several conferences around the world. It is a few years old, but the concepts, trends and risks identified in the paper are still relevant today.
Fraud An International Perspective
Presented at the
2002 Australian Institute of Credit Management National Conference
Adelaide, South Australia
10 – 12 October 2002
Fraud – an International Game
Steve Mitchinson
B Digital Ltd
Level 3, Sheraton Court
207 Adelaide Terrace
Perth, Western Australia 6000
Phone: 08 94463 5800 Fax: 08 9463 5955
Email: steve.mitchinson@b-online.com.au
ABSTRACT
When we think of fraud, we typically think of con men and actions against
disadvantaged groups, or we think of frauds against the corporation – typically from
within. These are frauds, tried and true, but they pale into insignificance against the
backdrop of a new era of organised fraud; activities that know no boundary and
which are bringing together credit files, e-commerce and poor privacy and security
practices to perpetrate frauds on a scale never before experienced. These new age
frauds are often variants on old themes, but the most serious are those that now
affect the credit provider, and borrower alike. Whilst the Internet is fuelling the
growth in fraud, importantly, it is also emerging as our strongest line of defense.
INTRODUCTION
Fraud was once defined as, ‘inducing a course of action by deceit or other dishonest conduct, involving acts or
omissions or the making of false statements, orally or writing, with the object of obtaining money or other
benefit from, or of evading liability’. Fraud pervades every form of business and comes in many forms – internal
and external to the organisation. Fraud is increasingly a fact of life, but it is manageable if we display awareness,
and apply the right systems and attitude. But is fraud what it used to be?
Many organisations view being the victim of fraud as an embarrassment, or a demonstration of failure. This is not
necessarily the truth. We must avoid denial. Fraud is not always a sign of management or process failure; it is
more likely to be the result of attractive products or services (e.g. mobile phones) or new and somewhat
misunderstood business processes (e-commerce). Globally, the mobile phone market place has been a fraud
playground because the product is attractive, e-commerce is the emerging fulfilment medium, and both
hardware (the phone) and software (calls) can be on-sold to unsuspecting, or compliant associates.
“The development of electronic commerce and the technologies have also democratized transnational economic
crime. Forty years ago, transnational frauds and money laundering were relatively rare and the exclusive domain
of sophisticated gangs. Today, anyone with a computer can defraud people from all over the world and target
tens of thousands of victims simultaneously, immediately routing any proceeds to a jurisdiction which lacks the
legislative powers, political will or technical ability to either block the transaction or identify, confiscate and
return the funds….
Some believe that governments and law enforcement agencies, who must respect 19th Century rules for national
sovereignty and international judicial cooperation, are no match for offenders using 21st century technologies. A
much greater level of national commitment and international cooperation is needed simply to keep up with the
evolution of transnational crime, let alone to achieve any real reductions.”
From remarks to the International Fraud And Financial Crime Convention (IFEX), London, 28 May 2002 by
Antonio Maria Costa, Undersecretary General/Executive Director, UN Office for Drug Control and Crime
Prevention
Most organisations today have response plans for dealing with a range of potential risks – fire, bomb
attack, theft, insurance loss etc, but how many have an equally robust plan to deal with a major or systemic
fraud? As credit providers we are usually experts in our area of risk. As the first steps in dealing with any risk
are identifying the risk, how many of us have done our jobs in respect of the overall credit fraud risk to our
organisation?
The risks identified should not only include the obvious ones, to which your organisation may be particularly
vulnerable, (e.g. credit fraud, false insurance claims, employee theft etc), but also the frauds to which every
commercial enterprise is vulnerable. But equally, as individuals we need to guard against frauds against
ourselves. Is your organization still implementing the same fraud fighting techniques it has used for years? If it
is, it may be time to re-evaluate your approach... Fraudsters have.
We are probably all a bit bored with the cliched “we now work in global markets, not local markets”, but this
takes on real significance in fraud – there are no boundaries. The Serious Fraud Office in the UK reports that for
major frauds “Approximately 65% of our cases have an international dimension. National borders rarely prove to
be barriers to determined fraudsters. Money is channelled through overseas banks and offshore companies,
victims can reside anywhere in the world and suspects and evidence can hide behind the laws of different
jurisdictions.”
With the rapid growth in e-commerce we must not only deal with the increased ease of committing a fraud,
but also the limitations on dealing with it due to often outmoded legislative powers.
In their latest annual report, the New Zealand Serious Fraud Office made particular reference to the fact that,
like Australia, E-crime has been receiving considerable publicity lately. In their case, the Crimes Amendment
Bill (No 6) introduces a series of new offences dealing specifically with e-commerce and computer crimes e.g.
hacking. I quote from that report:
“Importantly the Bill will also update the laws covering fraud offences to ensure that existing offences when
committed using electronic means will not go unpunished as a result of technical arguments based on out dated
definitions in the Crimes Act. There is no doubt that computers are being used more often now in the
commission of crimes and that law enforcement agencies need to be able to understand how the offending
occurred, how to collect the electronic evidence and how to present it in Court. But for the most part the
offences themselves are not radically different. The use of computers in perpetrating fraud can be compared to
the introduction of the motor car. There were some new offences but a bank robbery using a car as the getaway
transport rather than a horse was nonetheless a bank robbery.”
So what are the fraud risks, and what can we be doing to identify and protect against them?
If you are involved in e-commerce, a starting point might be to take the preparedness test found at
http://www.merchantfraudsquad.com/pages/test.html
Given the current spotlight on fraud it is a little ironic that the Association of Certified Fraud Examiners recently
held their 13th Annual Conference in Hollywood. Nonetheless, in their publication “The Small Business Fraud
Prevention Manual”, they identify the principal forms of fraud facing business today as:
Internal Fraud Threats
• Dishonest Employees
• Cash Receipts Fraud
• Cash Disbursements Fraud
• Inventory & Merchandise Thefts
• Fraud involving other Assets
• Employee Fraud (Payroll & Resume fraud)
External Fraud Threats
• Cheque Fraud
• Credit Card Fraud
• Shoplifting
• Vendor Fraud
• Con Schemes and Scams (including Identity Fraud)
They affect everybody – either directly as a victim of a scam or indirectly by having to pay more for goods as
businesses recoup their losses.
Most of these have been around for years, and I would expect most of the audience has experienced or observed
more than one of these. Each of these is universal and capable of affecting any one of us.
Whilst some of us may sit back and take the often promoted view that only “the dumb and uneducated fall for
frauds and scams”, the truth is the level of sophistication in the area of frauds and scams is growing at a rate far
greater than the rate of detection. Frauds are no longer just the domain of individuals and small groups, fraud is
also operating both nationally and internationally on another level.
Here are some of the topics discussed at the NACM’s recent conference on Loss Prevention:
• Do Cloned Credit Cards Fund Terrorism and Organized Crime?
• Business Credit Fraud and Terrorism: Is There a Connection?
• Identity Theft: The Basis for a Business Credit Fraud
But what about Australia, are we immune? Certainly not. Recent media coverage has highlighted the emerging
magnitude for credit frauds in Australia. Those of us involved in e-commerce know just how well established it
has become, and I will outline some chilling facts later in this paper.
Each of the preceding fraud types is a topic in its own right, and I include them to demonstrate that the credit
frauds I will outline today can in fact be far more than the illegal behaviour of an individual, they are, in their
most sophisticated form capable of being another front for organised crime. That is why it is so important that
we all take preventative steps. If one of them (fraudsters) breaks your defenses, rest assured others will seek to
do likewise. There is a real parallel with credit granting – if your organisation becomes known as an easy touch,
the delinquent debtors in your industry sector start lining up at your door. Fraud is no different, but the
consequences can be more severe.
Scambusters.com top ten scams
But getting back to the list of common frauds. Website http://www.scambusters.com/ gives us an insight into the
latest in scams and frauds, and lists its current top ten as:
10. Herbal Viagra
This is really a whole category of scams, relating to the sale of medical or “alternative” medical treatments
online. Usually using spam to get to the “customer.” If you're lucky, these products will do nothing at all.
9. Internet Investigator
“Be the first kid on your block to know all the dirty secrets your neighbors are hiding! Find out what your
prospective mate has hidden in his past! Find the lost city of Atlantis! Find your lost remote control!”
This one is more an annoyance than a real problem. It serves as a great example of the pure hype that you should
watch out for in online advertising.
8. Pump and Dump
You've probably received your share of these. The subject line or first part of the email says that this is “Highly
confidential information.”
This scam is based on touting “advance information” on specific stocks in an attempt to drive up the price past
its true worth, so the promoters can sell at the higher price.
7. Credit Scams
There are all sorts of these that prey on the desires of people to repair or establish credit. The worst are the
alleged credit repair services. They promise to help you to remove accurate but negative information from your
credit record – but more on these later.
6. Auction Antics
You can get a lot of terrific deals through online auctions, but you need to be careful. Before buying anything
that seems too cheap, or that shouldn't be on an auction site at all, ask questions. A recent survey at
www.fraud.org indicated 87% of online frauds related to on-line “auction” sites.
5. Chain Letters
“Add your name to position X, move the name in position Y to position Z, send 200 copies of this letter to your
closest personal friends, and very soon you'll have no personal friends left!”
4. Viruses
Get a good anti-virus program, keep it updated, and keep it running. What are viruses doing in the ranks of
scams? They're actually among the cleverer of scams, if you think about it. Deceptive subject lines, hidden code
that causes you to spread them to your friends, and almost always appealing to the most common desires.
3. Nigerian Fee Scam
This is an oldie, and a real baddie. They usually begin with a line like “I represent some high mucky muck who
wants to get a lot of suspicious money out of my country, and we need help from you to do it. We'll pay
you stupid amounts of cash to be a front person.”
Australia Post has reportedly confiscated nearly 2 million mail items linked to these scams. It has caused so
much grief around the world, it now has its own website! Visit: http://www.home.rica.net/alphae/419coal
2. Identity Theft
This is a VERY serious problem - particularly for credit providers and those whose ID is stolen. We deal with
this in detail later.
1. WTC Scams
The spams relating to the World Trade Center disaster began within an hour of the attacks. They range from
appeals for aid to the victims, usually sent through the spammers' web sites, to fake news items concerning
reported attacks. There's nothing funny to be said about these. You think you are sending a credit card payment
to a worthy cause but in effect you are donating your hard-earned cash to a fraudster, and in addition you have
also passed your credit card details, perhaps your tax number (for tax deductible receipts) and your personal
details. You are probably about to become the victim of identity fraud.
So three out of the top ten are credit related frauds, and they are amongst the credit frauds I want to concentrate
on today.
Simply using the term “international fraud” in a web search engine will return over 3000 sites of interest, type in
“credit fraud” and you will get over 9000 web references that deal with identifying credit fraud, guarding against
credit fraud or even worse, perpetrating credit fraud. The principal methods of executing a credit fraud are:
• Debt Consolidation
• Credit File Cleansing
• Credit File Segregation
• Credit Card Fraud
• Identity Theft/Makeover
I have excluded Cheque Fraud as this was dealt with recently by John Tait in CMIA Vol 9 Number 5. I hope to
explain what they are and how they operate, outline some typical case studies, and suggest preventative
measures for not only our organisations, but also for us as individuals wanting to protect ourselves from fraud.
How easy is it to perpetrate credit fraud? Consider the following examples (all based on
factual cases):
Case 1
A husband and wife team run a small business and keep their credit card terminals under the counter. They are
later arrested for credit fraud. In their house, investigators find countless credit cards embossed with other
people’s names. The couple is charged with identity theft and accused of charging more than $50,000 worth of
merchandise to other people’s accounts. We have seen these sorts of examples reported in the media.
Questions to ask?
Whilst not wishing to defend the offenders, who really is to blame?
Is it the credit card providers and suppliers who eagerly opened the fraudulent accounts without properly
verifying the couple’s true identity?
Is it the consumers who failed to protect their vital information/privacy?
Is it the consumers who never questioned why the credit card machine was under the counter, or who never
ensured carbon copies were torn up?
Case 2
A computer enthusiast buys a couple of second hand PCs from a liquidation sale. On the first he finds years of
customer detail and payment records for a local law firm containing all the vital information. The second includes a
family’s financial records, employment application and diaries.
Things have not been too good for him of late – the temptation is too great….
Questions
Who really is to blame?
Is it the credit card providers and suppliers who eagerly opened the fraudulent accounts without properly
verifying the couple’s true identity?
Is it the auctioneer for not deleting all PC contents?
Is it the original owners who did not secure access to confidential information?
Is it the consumers who failed to protect their vital information/privacy?
Case 3
One of the above offenders applies on line or over the phone to purchase mobile phones from several providers.
They duly ask for details, despatch the handsets and then note the customers are immediately thousands of
dollars over their limits. They individually begin their follow up and what is the result – over $70,000 of fraud
committed within 72 hours – by one person, with 16 aliases.
Questions
Who really is to blame?
Is it the suppliers who eagerly opened the fraudulent accounts without:
• properly verifying the applicant’s true identity
• having effective validation and fraud detection systems in place.
How come 16 different people can order product for delivery to the same residential address?
Case 4
A telecommunications employee obtains enough knowledge of a customer in order to
impersonate him. He then uses the victim’s access codes and passwords to channel a considerable sum of
money from the victim’s bank account to their credit card and then uses those funds to buy goods over the
Internet
Whilst not wishing to defend the offenders, who really is to blame?
Questions to ask?
Is it the credit card providers and suppliers who eagerly opened the fraudulent accounts without properly
verifying the applicant’s true identity?
Is it the consumers who failed to protect their vital information/privacy?
Is it business owners who do not secure access to confidential information?
Is it the consumers who never questioned why the credit card machine was under the counter, or who never
ensured carbon copies were torn up?
Is it the auctioneer for not deleting all PC contents?
The telecommunications company for not having adequate controls over access to information?
The telecommunications company for not doing adequate employment checks?
The banks and credit providers for not conducting adequate checks?
The victim for failing to properly control his information?
With the explosion of e-commerce via both call centres and the Internet the opportunities for these forms of
deception are greatly increased. Prospective purchasers have three choices, in person, over the phone or over
the Internet. Each channel has its own, unique, risk profile. They may try all three with the one supplier!
Consumer expectations are such that the more “e-business” the delivery channel, the
quicker the response they expect. That is not unreasonable, but from the credit perspective the biggest challenge
is that the more “e-business” the solution, the less “sight” you get of
your customer and the greater the potential for fraud. That in itself is a challenge. Consider also that during the past
year, Internet usage increased to 50 per cent of the Australian population compared to 32 per cent two years ago.
As you all face the prospect (if you haven’t already) of becoming Internet commerce enabled, you must
consider what this will mean to your business and your risk prevention methods.
The provision of any commodity via marketing and branding campaigns built primarily around inbound call
centres or Internet fulfillment is no longer a unique concept. Typically the branding proposition requires these
enterprises to have as seamless a process as possible between the response to that marketing and the
confirmation to the customer that their application for credit has been approved. This need for expediency
provides the opportunity for the fraudster, unless we develop and implement effective detection systems.
“The Internet, especially e-commerce, has created spectacular opportunities for companies to transform the way
they operate. Unfortunately, it has also revolutionised the possibilities available to the IT literate fraudster. The
actual frauds are often the old tried and tested ones, but the Internet has made them easier to perpetrate (e.g.
using larger than life web sites) and harder to catch (e.g. due to jurisdictional problems). Are you comfortable
you have these new risks covered?”
Source: The Year of Living Dangerously, by Ian Trumper & Edwin Harland, Financial News 15-21 November
1999
Unfortunately, online payment remains a major area of Internet immaturity. Payment and data transfer security
are allied problems. When buyer and seller meet physically to exchange money for goods, trust is less of an issue
than when two entities deal blind online.
So let’s look at the principal forms of potential credit fraud outlined earlier.
FILE CLEANSING
Take this unsolicited e-mail I received after searching several websites offering to help me “clean up” my credit
files and get a loan.
People who cannot obtain credit because of bankruptcy or past problems with paying bills may be tempted by
claims such as “make bad credit extinct” and “credit repair for $100,” to use a “credit repair” company or “credit
clinic.” Fortunately, this is much harder to do in Australia than some overseas jurisdictions where the practice
flourishes. For a fee that can range from $15 to hundreds of dollars, credit repair companies claim to “clean up”
or “fix” your credit record even if you have been denied credit because it revealed problems in paying your bills.
They often advertise that negative information will be erased from your credit report (Fig 1).
Figure 1 – File Cleansing
Credit repair companies advise you of your right to dispute the accuracy of the credit bureau's file. The firms
either dispute the information for you or encourage you to challenge virtually everything in the file, accurate or
not. Through this process, the credit bureau soon becomes so overwhelmed with notices of disputed information
requiring reinvestigation on their part, that they may be unable to verify the information within the required
reasonable amount of time. Consequently, they must remove it from your file, at least until they can reinvestigate
it.
Take this unsolicited e-mail I received after searching several websites offering to help me “clean up” my credit
files and get a loan, which leads me into
BILL CONSOLIDATION
Figure 2 – Bill Consolidation
The other variation of file cleansing comes under the umbrella of “bill consolidation”. Whilst this approach is
often taken legitimately via financial advisers, financial counselors and others, and I hope supported by this
audience, there are also the shysters who work with those whose sole intent is to get away with paying less than
100 cents in the dollar, but without “marking” their credit file. They typically scan writ lists for defaulters and
then contact them offering to reduce their debts for a fee. They communicate with the creditors, purporting to be
trustees or similar in the hope creditors will compromise the debt or write it off altogether. Only the tenacious or
suspicious credit provider finishes up with anything. The perpetrators are getting braver; they now
advertise their services. There is a well-known operator in Perth who has operated under various guises for
years, others advertise their services on Melbourne breakfast radio, and overseas, now they even operate
websites (Fig 2) such as:
http://www.harfordshelter.com/free_bill_consolidation.html
Guarding against this form of fraud, as opposed to genuine needs based requests, is as easy as verifying the bona
fides of the requestor, obtaining detailed financial information and asking questions. But when I deliver courses
on collections, I am constantly surprised at the number of attendees who acknowledge being scammed by these
operators.
CREDIT FILE SEGREGATION
Figure 3 – Credit File Segregation
You can create an entirely new credit record by a method known as “file segregation.” This is so simple you can
do it yourself. There are literally hundreds of web pages offering to help you (Fig 3). The issue of “file
cleansing” or deliberate “file segregation” has been with us for some time, but fortunately the position in
Australia is nowhere near as bad as it is in the US, where it is a stand-alone industry, but it is the modus operandi of
many a fraudster.
In the US, for example, it is quite straightforward, and usually involves securing an Employer
Identification Number (EIN), a number normally used by businesses to report financial information to the
Internal Revenue Service. Sometimes the file segregation companies advise you to use a new mailing address
and phone number on credit applications as well. Thus your new identity will not be matched up with the old one
(the one with the bad credit record).
In Australia, we know there are a certain number of matches required to match information provided by an applicant
with the credit bureau file. If the correct number of matches is not achieved we either get a new file (often
referred to as a shallow file), or if we are really lucky, a ”possible match”.
Until the NEVDIS scheme is fully introduced it is possible to have a current motor drivers license in each state,
each with a different address, each with a different looking photo, and if you know what to do, perhaps with a
different date of birth.
We can also deliberately misspell (ever so slightly) our name, our street address or our suburb, and a mismatch
can occur. All the “poor credit history” is now safely locked away in one file, and the new one looks perfect,
and probably will be good enough to get me around many credit scoring models.
So what can a credit provider do to try and protect themselves against this risk?
They could:
• Introduce address matching software to only allow correct AMAS compliant addresses
• Have a policy of what additional information is required where a shallow file is returned. Do we celebrate an
account for an apparent perfect credit risk, or do we ask why the applicant, a 48 year old employed male has
a shallow or new file?
• Ask for a paid utility account showing current address and name
• Match details against an established fraud database
• Do next of kin or employment checks
Or you could simply go to http://www.platitudesinhell.com/Selfhelp/Identity/body_identity.html
for some truly absurd advice.
It is not that difficult to guard against file segregation in this country if you follow steps such as those I will
suggest, and train your staff in effective fraud detection. I will cover these topics later.
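The shared-address question from Case 3 and the slight-misspelling trick behind file segregation can both be screened for automatically. The sketch below is an added example, not part of the original paper: the field names, thresholds, file ids and sample records are constructed assumptions, and the street-type folding is a simplified stand-in for real AMAS address matching.

```python
import re
from collections import defaultdict
from difflib import SequenceMatcher

# Street-type folding is a simplified stand-in for real address-matching software.
STREET_TYPES = {"street": "st", "road": "rd", "avenue": "ave", "terrace": "tce",
                "drive": "dr", "court": "ct", "place": "pl"}


def normalise(text):
    """Lower-case, drop punctuation, fold street types, collapse whitespace."""
    words = re.sub(r"[^a-z0-9 ]", " ", text.lower()).split()
    return " ".join(STREET_TYPES.get(w, w) for w in words)


def similarity(a, b):
    """Similarity in [0, 1] between two normalised strings."""
    return SequenceMatcher(None, normalise(a), normalise(b)).ratio()


def shared_address_alerts(applications, max_names=2):
    """Case 3 check: delivery addresses used by more than max_names distinct names."""
    names_at = defaultdict(set)
    for app in applications:
        names_at[normalise(app["address"])].add(normalise(app["name"]))
    return {addr: sorted(names) for addr, names in names_at.items()
            if len(names) > max_names}


def segregation_suspects(application, known_files, threshold=0.8):
    """File-segregation check: existing files that nearly, but not exactly, match.

    An exact match on every field is an ordinary bureau hit and is not reported.
    A file is a suspect when at least two of name, address and date of birth
    agree strongly while at least one field differs.
    """
    suspects = []
    for rec in known_files:
        scores = (similarity(application["name"], rec["name"]),
                  similarity(application["address"], rec["address"]),
                  1.0 if application["dob"] == rec["dob"] else 0.0)
        strong = sum(s >= threshold for s in scores)
        if strong >= 2 and min(scores) < 1.0:
            suspects.append((rec["file_id"], [round(s, 2) for s in scores]))
    return suspects


# Constructed sample data: existing bureau files and one new application that
# would come back as a "shallow file" under exact matching.
KNOWN_FILES = [
    {"file_id": "F-1001", "name": "Jonathan Smith", "dob": "1954-03-12",
     "address": "14 Wattle Street, Morley"},
    {"file_id": "F-1002", "name": "Mary Nguyen", "dob": "1980-07-01",
     "address": "3 Banksia Road, Subiaco"},
]
NEW_APPLICATION = {"name": "Jonathon Smyth", "dob": "1954-03-12",
                   "address": "14 Watle St Morley"}

# Constructed orders: four names, one delivery address written four ways.
ORDERS = [
    {"name": "A. Brown", "address": "22 Example Street, Perth"},
    {"name": "Carl Jones", "address": "22 example st perth"},
    {"name": "D. Lee", "address": "22 Example St., Perth"},
    {"name": "E. White", "address": "22 EXAMPLE STREET PERTH"},
    {"name": "Mary Nguyen", "address": "3 Banksia Road, Subiaco"},
]

if __name__ == "__main__":
    print("Possible segregated files:", segregation_suspects(NEW_APPLICATION, KNOWN_FILES))
    print("Shared delivery addresses:", shared_address_alerts(ORDERS))
```

A hit from either check is a prompt for the manual steps listed above (utility account, employment check), not proof of fraud; an applicant who changes name, address and date of birth together will not be caught by field similarity alone.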
For credit providers the two most widespread and increasing fraud threats are Credit Card Fraud and Identity
Fraud:
• Both are often interwoven
• Both are being assisted by the emergence of e-commerce
• Both can be learnt or assisted via the Internet.
• Both are aided by the explosion of available information
• Both are promoted through poor privacy practices by both consumers and the corporate sector.
Whilst they are very much entwined, I will attempt to separate them as much as possible, as they don’t have to
steal your identity to commit credit card fraud (although it helps).
CREDIT CARD FRAUD
While both Visa and MasterCard quote overall card fraud at around 0.08 per cent of all transactions, online fraud
(for which no separate figures are released) is estimated by many online traders at somewhere between three and
five percent. The figures are most definitely higher than for mail order or telephone sales. The fact that neither
Visa nor MasterCard will provide such figures should give all potential online retailers food for thought.
While credit card companies have consistently maintained that credit card fraud is no more prevalent online than
in traditional forms of commerce, a number of experts are disputing the notion.
According to Alvin Cameron, Credit/Loss Prevention Manager for online fulfillment house Digital River, an
estimated 20 to 40 percent of online purchases are fraud attempts.
The fraudulent credit card activities of J K Publications are well chronicled, perhaps nowhere better than on the
website of one John G Faughnan (http://www.faughnan.com/ccfraud.html). Over forty million dollars and
somewhere around 900,000 victims were involved, across 22 countries. This is reported as the biggest credit card
fraud ever. Fraudulent credit card transactions were generated using adult web site merchant accounts, and
accounted for over 4% of all Visa chargebacks for the period involved!
Software to generate these well-formed numbers is available on hacker sites; the algorithms have
been a part of several shareware packages for years (see http://www.creditnet.com/ccs/ccn-shareware.html for
examples).
The NACM website currently features an overview of last month’s feature article in Business Credit (the
publication of the NACM). It says of Internet credit fraud:
“Despite the growing problem, many companies around the world that conduct e-commerce pay too little
attention to Internet credit fraud. In fact, only a small minority of companies have included fraud protection in
their e-business plans. When launching an e-commerce operation, companies need to address
numerous aspects of fraud protection, including using fraud detection programs in conjunction with properly
trained personnel, and preparing for personal and corporate identity theft.
Some companies foster a narrow view that Internet fraud is limited to a specific region or country in the world.
However, it is a worldwide problem. Until every e-commerce company positively identifies all of its online
consumers, Internet credit fraud will remain a challenging aspect of doing effective e-commerce. Law
enforcement agencies and articles about Internet fraud refer to those who steal goods, services or company
information from e-commerce companies as hackers, super hackers, thieves, Internet shoplifters and bad guys.
Thieves range in age from teenagers to the elderly, and some consider their actions harmless or an income
supplement. There are even a few organizations that hire people to attempt stealing as much as they can by
using stolen or falsified credit information.
Three-dimensional protection
The Internet industry, law enforcement and government officials give two-dimensional protection in the three-
dimensional online world where buyers wear gloves, ski masks, carry no identification and use any identity they
wish. For example, most companies have two dimensional theft prevention like credit personnel, loss prevention
personnel, fraud personnel, cameras and security personnel watching for thieves.
Three-dimensional protection is the ability to use new technology and personnel to make adjustments to the
ever-changing ways thieves attack an e-commerce operation. Three-dimensional protection must move swiftly,
rather than at the slow speed that most businesses have become accustomed to in the offline world.
The seller is now forced to be on the defensive, changing the adage of buyers beware to sellers beware.
The thieves have a head start by obtaining the best equipment and software products long before companies and
government agencies can buy them. Thieves network by using e-mail, chat rooms and other high-tech means to
inform other thieves about the sites that are easy targets for any particular day, week or month.
Unfortunately, most law enforcement agencies are understaffed and undertrained when handling not only
various types of Internet crimes, but also the large volume of crimes.
On any given day, the number of attempted fraudulent orders prevented by an e-commerce provider can exceed
5,000 attempts.
The fraudulent credit card activities of J K Publications are well chronicled, perhaps nowhere better than on the
website of one John G Faughnan (http://www.faughnan.com/ccfraud.html). Over forty million dollars and
around 900,000 victims were involved, across 22 countries. This is reported as the biggest credit card fraud ever.
Fraudulent credit card transactions were generated using adult web site merchant accounts, and accounted for
over 4% of all Visa chargebacks for the period involved!
Software to generate these well-formed numbers is available on hacker sites; the algorithms have been a part of
several shareware packages for years (see http://www.creditnet.com/ccs/ccn-shareware.html for examples).
If I could use our own example, prior to implementing world class application processing and fraud detection
processes, fraud through these made up over 60% of our bad debts incurred. And yet we were using credit-
checking methods that were tried and proven in the world of face to face business, and which are probably still
being used by many organisations represented here today.
Though buyers - rightly - distrust online credit card payments, merchants suffer more from credit fraud. This is
because most online payment is by credit or debit cards, and the payment protocols for these were originally
intended for face-to-face sales where the cardholder and card are both physically present. Secondly,
there can be a long delay between the initial fraud and the clawback from card providers. Some foreign cards
can take as long as 5 months to notify you of the clawback. In developing solutions it is critical that they are
capable of detecting fraud well before then.
Physical presence offers security based on a customer signature and card imprint. But the merchant is almost
always responsible for losses when sales are made on a 'Cardholder Not Present' basis even when the vendor has
obtained authorisation from the card issuer.
For those interested in transaction security, I recommend you visit
http://www.webdevelopersjournal.com/articles/card_fraud.html
and read the article “Reducing Online Credit Card Fraud” by Steve Patient.
But in Australia there still exists a great deal of “ignorance is bliss”, if a report in “The Australian” of 14th
February 2002 is correct. “Spokesmen for ANZ, Westpac and National Australia Bank told The Australian
yesterday they were not aware of any cases of fraud involving their online banking services.” Perhaps it is time
for a reality check.
So how do the fraudsters get hold of your credit card information?
They can:
• “Surf the web” for details
• Interception of mail and “dumpster diving”, which are perhaps the two most common, or “traditional”, ways
to collect card numbers. That is, stealing card statements, or gaining access to credit card receipts (carbon
copies), which provide both credit card information and expiration dates. Again see CMIA Vol 9 #5
• Locate a “credit card number generator” which will produce a list of valid card numbers, perhaps one
of which is yours?
• Use credit card skimmers. Today’s technology now makes it much easier for fraudsters to collect credit
card numbers in a much more effective manner – via devices known as credit card skimmers! (Fig 4)
Figure 4: A credit card skimming device mounted on a Palm Pilot
Card skimmers are small devices, about the size of a pack of cigarettes, and so easily concealed. They are
sometimes disguised as pagers or PDAs. They can be hidden in a pocket, or even behind a tie. The purpose of
the skimmer is to read the information on a card's magnetic stripe, and they are known to store up to
1,000 card numbers in their memory. Typically they are then connected to a PC to download the information
“skimmed”. Credit card skimmers are relatively easy to find and relatively inexpensive in relation to the returns
possible. The web provides plenty of underground “hacker supermarkets” advertising these devices, which can
be purchased for as little as $600 (US).
Skimming typically occurs in situations where a collusive employee temporarily takes control of the card at a
point-of-sale device located out of consumer sight. A typical scenario for operation is this. You provide a credit
card for payment at a restaurant. As the waiter walks to the terminal, they quickly swipe the card through the
skimmer, collecting card number and expiration date (some skimmers can also read what is called “Track 1”
data, which includes the cardholder name). This is much easier than breaking into a corporate database to access
credit card numbers online, or dumpster diving. It is extremely effective as you are unaware that the card has
been skimmed, and its security compromised. The fraudster(s) can then use it for up to a month or maybe two
before you notice the unauthorized charges on your statements and can take action. Obviously, the Internet is the
safest place for a criminal to use these compromised numbers as it provides anonymous worldwide access to
thousands of commerce-enabled sites. Even worse, it is reported that numbers are sometimes posted on
underground chat rooms and hackers’ web sites for rapid exchange and distribution. The more sophisticated
criminals are also able to make matters worse by copying the data on to the magnetic stripe of counterfeit cards,
allowing multiple cards, with your details, to be used concurrently for face-to-face transactions.
Is there anything merchants can do? Thankfully the answer is yes. You will notice a 3-digit card
validation code imprinted on the back of Visa, Master Card, and Diners cards and the 4-digit code imprinted on
the front of American Express cards. These can provide significant protection as the code is not readable from
the magnetic stripe and so it can’t be skimmed. If a purchaser is asked to provide these codes in card-not-
present transactions, online or by phone, a correct answer provides at least some assurance that a legitimate
cardholder is using the card.
IDENTITY MAKEOVERS
“We dance round in a ring and suppose
But the secret sits in the middle and knows.”
Robert Frost
Misuse of identity is at the core of a wide range of criminal and fraudulent activity – credit fraud is perhaps #1.
How would you feel if you were stopped for a traffic violation and suddenly found yourself being
questioned, or even worse, handcuffed and taken to jail for a crime you know
nothing about? Or if you got a nasty call from a collection agency for a car loan you never had? Or if your
application for a home mortgage was turned down because of information in your credit report about overdue
bills on accounts you never opened? These are situations you could face as a victim of identity theft. While ID
theft can take many complex forms, the essence of this crime is simple—someone steals personal information
about you to use for fraudulent purposes.
In the largest known case of identity fraud involving the Internet, the bank and credit card details of 200 of the
USA’s richest people were fraudulently used. The details were taken from a listing in Forbes magazine, and the
fraudster then cloned their identities and invaded their financial records, taking money from their stock
brokerage and credit card accounts.
Identity makeovers or stolen identities are exploding. The FBI suggests it affects over 750,000 people each year;
the Privacy Rights Clearing House claims it affects over 500,000 per annum. It does not matter which figures
you believe, the problem is significant!
Online or e-commerce capabilities make it far easier to disguise or misrepresent one’s true identity, or to assume
someone else’s identity. Fortunately, in Australia the tighter controls over the use of tax file numbers, and
information privacy generally, mean that the opportunities to commit identity fraud are considerably reduced in
comparison to other markets, such as the USA, where the use of social security numbers is fundamental to file
matching, and yet there are little or no controls over their disclosure, and apparently little in the way of number
authentication protocols applied. Nonetheless, our markets no longer have physical boundaries, so the potential
exists for Australia to be struck with the same issues over time.
Identity theft was overwhelmingly number one on the US Federal Trade Commission's Consumer Sentinel fraud
database top 10 list in 2001, representing 42 per cent of all complaints recorded.
Of the 86,168 documented reports of identity theft (involving credit fraud) from across the US,
stolen information was used to commit:
• Credit card fraud in 42 per cent of all instances
• Phone or utilities fraud in 20 per cent of all instances
• Bank fraud in 13 per cent of all instances
• Employment-related fraud in 9 per cent of all instances
• Government benefits fraud in 6 per cent of all instances
Victims reported out-of-pocket expenses of an average $A2302.
Earlier this year the FTC agreed to give Australian law enforcers greater access to Sentinel to improve
information sharing.
Source: “Thieves steal 86,000 identities”, Karen Dearne, www.australianitnews.com.au, FEBRUARY 04,
2002
In fact, so bad is the problem in the USA that the Federal Government proclaimed the “Identity Theft and
Assumption Deterrence Act 1998” in October 1998, with maximum penalties of up to 15 years in prison, and
up to US$250,000 fines. This is in addition to separate legislation in at least 47 states. It is argued that Australia
has, through various legislative reforms, avoided to this point the need for separate legislation to deal with this
issue.
In Australia there is much less information available as to the magnitude of the problem, but please consider the
following facts that have emerged over the past two years:
• Thieves have allegedly stolen the base stock to create over 20,000 drivers license cards, and the
equipment to manufacture what look to be authentic MDLs, from the offices of two eastern state
licensing departments
• The ATO reports that there are 5 million excess tax file numbers on their books
• Westpac found that in the past year, 13% of customers opened accounts with counterfeit birth
certificates.
• The Victorian Attorney General warned that 70% of false passport applications involved fake birth
certificates
What form of ID do we ask for to get a Motor Drivers License? Answer: A birth certificate. What document do
we use to create credit file matches, and as the basis for establishing identity in Australia? Answer: An MDL.
And yet the controls for seeking a duplicate Extract of Birth are, in the view of authorities, non-existent in most
Australian states.
Identity theft, however, is not restricted to individuals. We are seeing increasing incidence of fraudsters
registering business names that are very, very similar to existing established business names. Perhaps just a
letter or two different, or the name misspelt. They then open bank accounts, and credit accounts or have purchase
orders printed under those names and intercept cheques destined for the legitimate business and credit them to
their newly established account or alternatively buy goods (for resale) knowing they will be charged to the
legitimate business.
And yet so many credit providers still don’t consider we have a problem.
Locally, in the July edition of Vantage, Baycorp Advantage Ltd national consultant Richelle Grant
stated, “In the past year Baycorp Advantage’s experience indicates the evidence of such fraud (Identity fraud)
has risen around 50% in Australia”.
The claim that the Baycorp Advantage Fraud Database has saved corporate customers a massive $70 million
since it was established two years ago, underlines the serious cost of credit fraud in this country. That figure is a
small fraction of the cost – only a limited number of organizations have access to it, and there are of course
many, many organisations whose internal fraud checking identifies risks internally, and even more who have just
failed to report fraudulent events. So who knows what the true cost is? Maybe we will never know; all we can
do is attempt to minimise the impacts through prudent management of customer identification and applying
effective privacy policies to information held.
What information do the fraudsters need, and how do they get the information?
• Stealing identification from the person e.g. burglary. They don’t have to steal the documentation, just the
information that is on it. So is there more to a break in where nothing is apparently stolen?
• Stealing letters and documents from the letterbox
• Completing a “change of address form” to divert your mail to another location.
• Using a family member’s ID without their consent
• Finding ID in rubbish bins – “dumpster diving”
• Copying credit card details electronically at retail outlets, and matching it with customer details provided
from other sources
• From the internet
• From your staff (who have access to vital information)
• ASIC Searches
• Electoral Roll searches
• Your personal web page – does it have a photo, and other identifiers?
Or they can piece together the information required from any combination of these. Think about it. If you have
done a workshop on “skip tracing” you might have been asked, “How could someone find you if you have
skipped?” You are required to compile a list of readily available information sources for the trained operator.
Typically people will come up with a list of 12-16 sources.
Apply that principle in reverse and you can see just how easy it is for a fraudster.
HOW PREPARED ARE YOU?
Charles Darwin said, “It is not the strongest of the species that survive, nor the most intelligent, but the one most
responsive to change.” How responsive are you? How responsive is your business?
If you are involved in e-commerce, a starting point might be to take the preparedness test found at
http://www.merchantfraudsquad.com/pages/test.html
Or you could simply go to http://www.platitudesinhell.com/Selfhelp/Identity/body_identity.html
for some truly absurd advice.
To be successful in the fight against the threat of fraud we must have:
• Acceptance at all levels that the threat exists - it is not something many corporations wish to admit to –
just look at recent US experiences. No-one wants to be seen as a “soft touch”
• Executive management support and sponsorship
• A risk management plan
• Robust processes aimed at identifying risks and exceptions
• Comprehensive training programmes
• Adequate funding. Fraud defence is not cheap
Even if we employ effective prevention strategies it is almost inevitable that we are going to be caught by a
fraudster at some point. Do we simply write the debt off, along with other bad debts and put it down to
experience, or do we use the information positively?
When our organisation is the victim of a credit fraud, we should, as a minimum:
• Review the fraudulent order for clues to what we could do better in future
• We should document the fraudulent order so everyone in the business can learn from it
• We should create a database of negative information gleaned from fraudulent orders (or attempts) so we
can match future orders against those criteria. A match does not guarantee another fraud, it just
suggests proceed with caution
• Create a default record on credit reporting bureaus. Use your experience to help others
• Report it where appropriate
PROTECTING YOUR ENTERPRISE
So how do you guard against this risk?
Notable fraudsters often portray themselves to be:
• Security Officers
• Security Companies
• Government Officials or Agencies
• Media Personalities
• Sporting Personalities
• Emergency Services Officials; or
• Telecommunications Staff
They do so because inexperienced staff react differently – they are in awe or feel threatened or vulnerable.
Simple but effective preventative steps for all enterprises include:
• Introduce address matching software to only allow correct AMS compliant addresses
• Have a policy of what additional information is required where a shallow file is returned. Do we celebrate
an account for an apparent perfect credit risk, or do we ask why the applicant, a 48 year old employed male,
has a shallow or new file?
• Ask for a paid utility account showing current address and name
• Match details against an established fraud database?
• Do next of kin or employment checks?
• Consider alternate distribution methods
TEN ANTI-FRAUD TIPS FOR ON-LINE VENDORS
So how do you guard against this risk?
Whilst not an exhaustive list, I suggest the following ten as a start:
1. Even though it might be a hassle, insist on a mailing address, postcode and phone number of the buyer and
then check them out to ensure they aren't fake. Try a reverse look-up of phone numbers to retrieve
corresponding addresses – you might be surprised
2. Insist on a faxed customer signature and a faxed photocopy of the credit card (from a photocopy is fine).
3. If you can't contact the buyer by phone or the phone number is unreachable, then don't process the order.
Telephone sales have CLI (Caller Line Identification) information to add to address verification
4. Use Address Verification services such as QAS or Geocoder or similar, where they're available
5. Be extremely wary of shipping overseas - it can be hard to pursue claims abroad. Eastern Europe is seen by
many as a high-risk area. Ask yourself the question, “Why are we so popular with overseas purchasers?”
6. Check the email address against the name on the credit card. If the real name doesn't match the email name
then you definitely want more reassurance before processing the order.
7. Refuse to process orders from free email domains (such as hotmail.com or yahoo.com) unless you have
indisputable proof of the buyer's identity. Various research, including that by Forde & Armstrong (2002)
indicates a clear link between the level of e-mail anonymity and criminal or fraudulent activity.
8. Never ship products to postal box numbers. Always insist on a physical shipping address, or utilise Australia
Post proof of identity services. No-one lives in a mail box.
9. Check the DNS table of the remote IP of the customer. Find out the remote server's geographic area and check
it against the address of the customer. Few people connect to the Net using a long distance call. You also need to
check the mailing address, phone number and email address of the server, though thieves can also set up servers
too. This site will assist you:
http://shop.visualware.com/visualroute/
10. Be especially careful of those wanting higher priced fast delivery or otherwise being price insensitive.
Thieves don't care how much it costs as they don't plan to pay. A great example is high priced mobile phone
handsets.
11. Insist on getting the 3-digit card validation code (fig 5) imprinted on the back of Visa, Master Card, and
Diners cards and the 4-digit code imprinted on the front of American Express cards – they can provide
significant protection when run against authentication tables. Approval of the credit card transaction confirms
that the CCV is valid, and assists with confirming that the cardholder has the card in their possession
Figure 5: Card Validation Value
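The Python sketch below is an added example, not part of the original paper. It applies several of the tips above as screening rules and also matches an order against the kind of negative-information database recommended under HOW PREPARED ARE YOU?, where a match means proceed with caution rather than reject. The field names, the hold/review split, the value threshold and all sample orders are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# All data below is constructed for this example.
FREE_EMAIL_DOMAINS = {"hotmail.com", "yahoo.com"}   # the two domains named in tip 7
NEGATIVE_DB = {                                     # details kept from earlier fraudulent orders
    "email": {"quick.buyer@example.net"},
    "phone": {"0855500100"},
    "ship_address": {"12 sample st perth wa 6000"},
}
PO_BOX = re.compile(r"\b(p\.?\s*o\.?\s*box|gpo\s+box|locked\s+bag)\b", re.I)


@dataclass
class Order:
    card_name: str
    email: str
    phone: str
    ship_address: str
    ship_country: str
    ip_country: str        # result of a geolocation lookup made elsewhere (tip 9)
    phone_reached: bool    # tip 3: did a call to the buyer connect?
    cvv_supplied: bool     # tip 11
    express: bool          # buyer chose the dearest, fastest delivery (tip 10)
    value: float


def norm(field, value):
    """Normalise a detail so stored and newly entered values compare equal."""
    if field == "phone":
        return re.sub(r"\D", "", value)             # digits only
    return " ".join(re.sub(r"[^a-z0-9@.]+", " ", value.lower()).split())


def negative_hits(order):
    """Fields of this order that match a detail from an earlier fraudulent order."""
    return [f for f, known in NEGATIVE_DB.items()
            if norm(f, getattr(order, f)) in known]


def email_matches_name(card_name, email):
    """Tip 6: true if some part of the cardholder's name appears in the mailbox name."""
    mailbox = re.sub(r"[^a-z]", "", email.split("@")[0].lower())
    parts = [p for p in re.findall(r"[a-z]+", card_name.lower()) if len(p) >= 3]
    return any(p in mailbox for p in parts)


def screen(order, home_country="AU", high_value=500.0):
    """Return (decision, reasons); decision is 'hold', 'review' or 'accept'."""
    hold, review = [], []
    if not order.phone_reached:
        hold.append("tip 3: buyer could not be reached by phone")
    if PO_BOX.search(order.ship_address):
        hold.append("tip 8: delivery to a postal box")
    if not order.cvv_supplied:
        hold.append("tip 11: no card validation code supplied")
    if order.ship_country != home_country:
        review.append("tip 5: overseas delivery")
    if not email_matches_name(order.card_name, order.email):
        review.append("tip 6: e-mail name does not match cardholder name")
    if order.email.rsplit("@", 1)[-1].lower() in FREE_EMAIL_DOMAINS:
        review.append("tip 7: free e-mail domain, proof of identity needed")
    if order.ip_country != order.ship_country:
        review.append("tip 9: connection and delivery address are in different countries")
    if order.express and order.value >= high_value:
        review.append("tip 10: high-value order with premium delivery")
    for field in negative_hits(order):
        # A match does not prove fraud; it routes the order to a person.
        review.append("negative database: %s seen on an earlier fraudulent order" % field)
    if hold:
        return "hold", hold + review
    return ("review", review) if review else ("accept", [])


# Constructed sample orders.
GOOD = Order("Jane Citizen", "jane.citizen@example.com.au", "08 5550 0199",
             "4 Example Rd, Subiaco WA 6008", "AU", "AU", True, True, False, 120.0)
RISKY = Order("Jane Citizen", "Quick.Buyer@example.net", "08 5550 0100",
              "PO Box 99, Perth WA 6000", "AU", "US", True, True, True, 1400.0)
KNOWN_ADDRESS = Order("Sam Sample", "sam.sample@example.org", "08 5550 0123",
                      "12 Sample St, Perth WA 6000", "AU", "AU", True, True, False, 80.0)

if __name__ == "__main__":
    for name, order in (("GOOD", GOOD), ("RISKY", RISKY), ("KNOWN_ADDRESS", KNOWN_ADDRESS)):
        decision, reasons = screen(order)
        print(name, decision)
        for reason in reasons:
            print("   ", reason)
```

The reasons list is what a credit officer would see beside a held or reviewed order, so each entry names the tip that triggered it.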
CREDIT FRAUD AND YOU
“You've always had a spotless credit history. You pay your bills on time. And you live well within your financial
means. But, recently you've received a few calls from collection agencies requesting payment for items you didn't
buy. Before you dismiss these actions as a mistake, investigate.
You could be the victim of credit fraud. Each year individuals with good credit histories fall prey to criminals
who steal their identity and run up thousands of dollars in bad debt under their names. If it happens to you,
through no fault of your own, you could be faced with years of trying to clear your credit history of false
information.”
So goes the spiel at www.gearheadcafe.com/credit. It then goes on to offer some tips for avoiding the pitfalls.
In the US there are estimated to be over 900,000 new victims of identity fraud each year (source: Association of
Certified Fraud Examiners)
We discussed earlier how fraudsters get the information. So what are the fundamental steps you should take, and
encourage your customers to take to minimise this risk of credit card fraud, or others gaining enough information
to facilitate a stolen identity suitable for perpetrating credit fraud?
Jerome Jackson, a professor of criminology in the USA, may be the only researcher in the world to have actually
infiltrated one of these gangs and got inside their operation. I am guided by his suggestions in presenting the
following list.
• Don't print your Drivers License number on your cheques. Only give it out if absolutely necessary.
• Shield the ATM screen when using it in a public place.
• Tear up pre-approved credit card offers that arrive in the mail.
• Never leave a receipt with your credit card number on it in a public place. Take it home with you to a safe
place or tear it up.
• Keep current with the information that is on your credit file. Don't learn about negative information when
you go to apply for a loan. Be proactive about your credit history & help protect it by checking your files on
a regular basis.
If you suspect someone has used your name, driver’s license or other information to obtain credit, do
the following:
• Call the fraud units of the credit bureaus, in Australia that means Baycorp at this point in time.
• Report identity theft crimes to the local police or law enforcement agency in your area. Visit the AFP
website
• Put a “fraud alert” on your credit file.
• Report the possible theft to all credit card issuers. Cancel all your current cards.
• Notify your bank, credit union or building society and/or savings and loan of the theft.
• Request new account numbers and new ATM and Web Banking numbers and password.
• Consider changing your driver's license number if you suspect someone has been using it.
• Don't carry extra credit cards, your birth certificate, passport, Medicare or Social Security number
with you unless necessary. This will minimize the amount of information a thief can steal from you.
HOW DOES YOUR ENTERPRISE KEEP AHEAD?
Having assumed you have established a high profile of the risks of fraud across the organisation:
Firstly, train your staff.
Secondly, make your systems and processes secure. Appendix 1 to the paper will assist with this.
Throughout the world there are various systems and legislative regimes designed to detect fraud, but fraudsters
are smarter than that. Just like Australia, the Dutch have a detection system for detecting potential money
laundering transactions. It has been reported that of the automatically reported transactions only 17% needed
further investigation, whereas of the transactions reported by tellers who were trained in detecting behavior traits
such as body language etc, 83% of transactions warranted further investigation. So you might have what you
think is a great set of rules, but fraudsters don’t follow the rules.
Time prevents me covering some basic but effective training tips, but I have included them as an appendix to the
paper.
Thirdly, do your research. Whilst there are plenty of relevant texts available from bookshops, such is
the rapidly changing face of fraud that the web now provides our best resources. Whilst the Internet is fuelling
the growth in fraud, it is also emerging as our strongest line of defense.
I have attached a list of worthwhile sites in the acknowledgements to this paper, but perhaps none is better than:
http://www.merchantfraudsquad.com/
CONCLUSIONS
The potential for fraud pervades every aspect of commercial life. The role of credit managers and credit
departments in identifying potential risks, and building systems and processes to reduce or eliminate the risk is
perhaps now greater than ever before. E-commerce means the magnitude of any successful fraud can go way
beyond what we may have thought possible. Do everything you can to protect your enterprise, do everything
you can to protect yourselves.
REFERENCES
Rossett, S; Murad, U; Neumann, E; Idan, Y; Pinkas, G (2002) Discovery of Fraud Rules for
Telecommunications – Challenges and Solutions, amdocs.com, Amdocs (Israel) Ltd
Smith, Dr R, (2002) Examining the Legislative & Regulatory Controls on Identity Fraud in Australia.
Proceedings of Marcus Evans Conferences “Corporate Fraud Strategy: Assessing the Emergence of
Identity Fraud” Conference, Sydney New South Wales 25-26 July 2002
Hepworth, A (2002) What’s in a name?, Australian Financial Review, Australia October 2, 2001
Kaufman, D (2001) Stolen Identity. The Age Newspaper, Melbourne Victoria 24th July 2001.
Trumper, I. & Harland E. (1999) The year of living dangerously, Financial News, London, England, 15th
November 1999.
Martin, B, (2002), Fraud Training for Staff, B Digital Ltd Training Courses
International Fraud Symposium (2002) Web pages of International Fraud Symposium. Accessed August – Sept
2002
http://www.fraud-symposium.org
Better Business Bureau (2002) Web pages of Better Business Bureau. Accessed August – Sept 2002
http://www.bbb.org/alerts/index.asp
Internet Scambusters (2002) Web pages of Internet Scambusters. Accessed August – Sept 2002
http://www.scambusters.com/
National Fraud Information Centre (2002) Web pages of National Fraud Information Centre (USA). Accessed
August – Sept 2002
http://www.fraud.org
Serious Fraud Office (2002) The Web pages of serious Fraud Office (UK). Accessed August – Sept 2002
http://www.sfo.gov.uk/
National Association of Credit Management (2002). Web pages of National Association of Credit Management
http://www.nacm.org/
State of California, Department of Consumer Affairs (2002) Web pages of State of California, Department of
Consumer Affairs. Accessed August – Sept 2002
http://www.dca.ca.gov/legal/p-3.html
Identity Fraud Inc. (2002) Web pages of Identity Fraud Inc. Accessed August – Sept 2002
www.identityfraud.com
Consumer Info.com (2002) Web pages of Credit Matters.com. Accessed August – Sept 2002
www.stolen.identity.com
www.creditmatters.com
Triad Commerce Group LLC (2002) Web pages of E-commerce Times. Accessed August – Sept 2002
www.ecommercetimes.com
United Nations (2002). Web pages of UN Office of Drug Control and Crime Prevention. Accessed August –
Sept 2002
http://www.undcp.org
John G Faughnan (2002) Web links on credit card fraud from Web pages of John G Faughnan. Accessed August
– Sept 2002
http://www.faughnan.com/ccfraud.html
Australian Federal Police (2002). Webpages of Australian Federal Police – Fraud Topics. Accessed 9th
September 2002
http://www.afp.gov.au/page.asp?ref=/Crime/Fraud/
New York Times (1999). E-commerce library article. Accessed 9th September 2002.
http://www.nytimes.com/library/tech/99/09/cyber/commerce/20commerce.html
Merchant Fraud Squad.com (2002) Web pages of Merchant Fraud Squad.com. Accessed 25th August 2002.
http://www.merchantfraudsquad.com/
European Anti Fraud Office (2002). Web pages of European Anti Fraud Office. Accessed August – September
2002
http://europa.eu.int/comm/anti_fraud/index_en.html
WEB Developers Journal.com. Article “Reducing Online Credit Card Fraud” by Steve Patient. Accessed 12th
August 2002
http://www.webdevelopersjournal.com/articles/card_fraud.html
Federal Government (USA) Consumer Information site (2002). Credit Information page of Consumer.gov
affiliation. Accessed August – September 2002
http://www.consumer.gov/idtheft/
Visa International Service Association (2002). Web information for merchants. Accessed August – September
2002.
http://usa.visa.com/business/merchants/fraud_basics_cvv2.html
Credit –Bankruptcy.com (USA). Web page on Bill Consolidation. Accessed 14th August 2002
http://www.harfordshelter.com/free_bill_consolidation.html
APPENDIX 1
SECURITY & PRIVACY FOR ONLINE TRANSACTIONS
(Extract from “Reducing Online Credit Card Fraud” by Steve Patient)
There are two areas of concern: ensuring the privacy of data involved in the transaction to re-assure the buyer,
and ensuring the buyer is engaged in a valid transaction - for the benefit of the seller.
The first is most easily solved using SSL (Secure Socket Layer) an encryption protocol built into current
browsers and supported by most Web servers. Base Apache doesn't support it for patent reasons (RSA owns
certain algorithms in the US) but Apache SSL does.
Using SSL once it's enabled is straightforward - simply change Web page references to https:// instead of http://,
like so:
<form method="POST" action="https://www.a-domain.com/cgi-bin/ssl-form.cgi">
This posts the contents of a form back to you using SSL.
Digital Certificates
SSL is only half of the solution, though. Customers want to feel confidence in your company. This is achieved
using a 'trusted third party' which begs its own questions.
TTP's are simple in principle. The TTP is a public company which provides a vendor with a digital certificate.
This confirms to the customer that the company they think they're dealing with is who it claims to be. Digital
certificates can be bought from many companies including Verisign and Thawte. They require a fair amount of
company documentation.
Public Key Encryption
Both SSL and the digital certificates require encryption. This is provided using asymmetrical - a.k.a. public key -
encryption. This requires two keys: public and private. The public key is published and can be used by anyone to
encrypt anything but only the private key can decrypt it.
An SSL exchange is carried out using a public key given to your browser by the server. The digital certificate
provider confirms that the key belongs to a valid certificate used by the company at the domain where the
transaction is taking place. In effect, it's a three-way transaction, but each party can only access the information
it needs to do its job.
Trusting Customers
To accept online credit card payments with a minimum level of confidence you need two services: a merchant
account - either your own or access to one via a third party - and real time authorisation.
Taking credit card payments online for overnight processing is commercial insanity. Anyone can create credit
card details which will pass validation checks - including expiry dates - using one of dozens of freely available
programs on the Net.
In practice, real-time credit card transactions are pre-authorised to a set value provided the vendor checks card
numbers against a supplied hot list. Transactions over the limit must be authorised. This doesn't guarantee you'll
be paid but it eliminates the more incompetent criminals.
Authorisation is a two-part process. First the customer sends in the order by secure form (using SSL). The details
on the card and the amount are then sent from your server to the authorising company (only larger concerns deal
directly with banks). The authorising company runs the check with the card-issuing bank then authorises or
denies it immediately.
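The routing described in the extract above (validation checks, hot list, pre-authorised value, real-time authorisation), sketched as an added example that is not part of this paper or of Steve Patient's article. The names FLOOR_LIMIT, HOT_LIST and decide, the decision labels and the card numbers are assumptions constructed for illustration.

```python
from datetime import date

FLOOR_LIMIT = 50.00                 # assumed pre-authorised value agreed with the acquirer
HOT_LIST = {"4000000000000002"}     # constructed sample entry, not a real hot list


def luhn_ok(pan: str) -> bool:
    """Mod-10 checksum: catches typing errors, proves nothing about the account."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:              # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def expiry_ok(month: int, year: int, today: date) -> bool:
    """A card is usable through the end of its expiry month."""
    return 1 <= month <= 12 and (year, month) >= (today.year, today.month)


def decide(pan: str, month: int, year: int, amount: float, today: date) -> str:
    """Merchant-side routing for one order, following the steps in the extract."""
    pan = "".join(c for c in pan if c.isdigit())
    # Step 1: format checks only filter out typos and stale cards.
    if not (luhn_ok(pan) and expiry_ok(month, year, today)):
        return "REJECT_INVALID"
    # Step 2: the supplied hot list is the condition for any pre-authorisation.
    if pan in HOT_LIST:
        return "DECLINE_HOT_LISTED"
    # Step 3: anything over the set value goes to the authorising company.
    if amount > FLOOR_LIMIT:
        return "SEND_FOR_AUTHORISATION"
    # Under the limit and not hot-listed: accepted, but payment is not guaranteed.
    return "PRE_AUTHORISED"
```

A made-up but well-formed number passes steps 1 and 2, so only the real-time authorisation step involves the card-issuing bank; orders accepted under the set value carry the residual risk the extract describes.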
APPENDIX 2
TRAINING TO PREVENT FRAUD
What types of people commit fraud?
All types of people commit fraud. In order to commit fraud they must beat your systems or convince your
staff they are legitimate. They often seek to improve their legitimacy, and in turn cause staff to “drop their
guard”, by telling you that they are somebody they are not. Notable are claims to be: Security Officers, Security
Companies, Government Officials or Agencies, Media Personalities, Sporting Personalities, Emergency Services
Officials or Telecommunications Staff.
There are ‘5 senses’ we can apply to identify fraud, either face to face, or over the phone.
HEAR FRAUD
• ‘Stop hearing and start listening’. We were given two ears but only one mouth – this
is because our creator knew that listening was twice as hard as talking.
• One way to improve your listening skills is to ask questions.
• Develop the habit of asking questions - Use questions to encourage people to talk
• Open your mind and ears – be receptive to the messages the customer is giving out
• Listen from the first word and give your undivided attention
• Stay cool! Don’t overreact to highly charged words and tones.
• Hear the person out, then respond. Most people will calm down once their anger is vented.
• Avoid figuring out what the customer is going to say; you may miss what he or she actually says
• Never interrupt! It cuts off the flow of dialog and is rude and offensive, and does not give them a chance to
slip up
Putting this into practice in identifying fraud over the telephone:
• Does the customer sound nervous?
• Does the customer hesitate when giving personal details? i.e. address, date of birth
• Does the customer sound like the age given?
• Does the customer constantly refer your questions to a third party in the background?
• Does the customer place you on hold constantly?
• Does the customer request delivery of the goods to an address different to home or work?
• Does the person sound like they are in a hurry or impatient?
• When requested, does the person state that they have no ID, driver’s license etc?
• Is it obvious that the customer is fabricating his personal details, i.e. driver’s license number?
• Does the customer hang up when asked to reconfirm details or send ID?
FEEL FRAUD
Give it a feel – is it a genuine MDL or Credit Card? Frauds can look like the real thing, but often they don’t feel
like the real thing. Try being one of the first to use the see thru Amex card.
TASTE & SMELL FRAUD
Do you smell something cooking – first impressions are often the best – or just call it intuition?
If I could use our own example, we have developed some of the most sophisticated fraud detection mechanisms
of anyone in our industry sector, and have received approaches from some of the largest players in our region for
access to our intellectual property. As good as it is, a significant portion of the detected fraud comes from
alert sales and assessment staff who detect something in the voice or response of the applicant, or in the content
of the internet application. Trained by our Loss Prevention Manager, these sales staff, in conjunction with our
systems, have saved us over $2 million in handset fraud in just over 15 months!
SEE FRAUD
Observation Skills Test 1 – Mr. Smith
What do we see?
Observation Test 2 – ID checking – the fine detail
• Check photograph on ID matches age (and sex)
• Check obvious alterations to name and address
• Is the ID signed?
• Is the ID expired?
• Check credit card numbers are correct and security characters are present
When examining credit cards, check to see if the card:
• Is damaged
• Does not have a valid expiry date
• Has embossing that appears altered
• Has a hologram that appears suspicious
When checking the signature:
• Is there a signature present?
• Has the signature panel been altered?
• Does the customer’s signature match the card?