Credit card fraud

This article is about all types of Credit card fraud. For ultimately used for fraud. A simple example is that of
organised trade and laundering of credit card informa- a store clerk copying sales receipts for later use. The
tion, see Carding (fraud).
rapid growth of credit card use on the Internet has made
database security lapses particularly costly; in some cases,
millions[6] of accounts have been compromised.
Credit card fraud is a wide-ranging term for theft and
fraud committed using or involving a payment card, such Stolen cards can be reported quickly by cardholders, but
as a credit card or debit card, as a fraudulent source of a compromised account can be hoarded by a thief for
funds in a transaction.[1] The purpose may be to obtain weeks or months before any fraudulent use, making it difgoods without paying, or to obtain unauthorized funds cult to identify the source of the compromise. The cardfrom an account. Credit card fraud is also an adjunct holder may not discover fraudulent use until receiving a
to identity theft. According to the United States Federal billing statement, which may be delivered infrequently.
Trade Commission, while the rate of identity theft had Cardholders can mitigate against this fraud risk by checkbeen holding steady during the mid 2000s, it increased ing their account frequently to ensure constant awareness
by 21 percent in 2008. However, credit card fraud, that in case there are any suspicious, unknown transactions or
crime which most people associate with ID theft, de- activities.
creased as a percentage of all ID theft complaints for the
sixth year in a row.[2]
Although incidence of credit card fraud is limited to
about 0.1% of all card transactions, this has resulted in
huge nancial losses as the fraudulent transactions have
been large value transactions. In 1999, out of 12 billion
transactions made annually, approximately 10 million
or one out of every 1200 transactionsturned out to
be fraudulent.[3] Also, 0.04% (4 out of every 10,000)
of all monthly active accounts were fraudulent. Even
with tremendous volume and value increase in credit card
transactions since then, these proportions have stayed the
same or have decreased due to sophisticated fraud detection and prevention systems. Todays fraud detection systems are designed to prevent one twelfth of one percent
of all transactions processed which still translates into billions of dollars in losses.[3]

2 Stolen cards
When a credit card is lost or stolen, it may be used for illegal purchases until the holder noties the issuing bank and
the bank puts a block on the account. Most banks have
free 24-hour telephone numbers to encourage prompt reporting. Still, it is possible for a thief to make unauthorized purchases on a card before the card is cancelled.
Without other security measures, a thief could potentially
purchase thousands of dollars in merchandise or services
before the cardholder or the card issuer realizes that the
card has been compromised.
The only common security measure on all cards is a signature panel, but, depending on its exact design, a signature may be relatively easy to forge. Some merchants will
demand to see a picture ID, such as a drivers license,
to verify the identity of the purchaser, and some credit
cards include the holders picture on the card itself. In
some jurisdictions, it is illegal for merchants to demand
card holder identication.[7] Self-serve payment systems
(gas stations, kiosks, etc.) are common targets for stolen
cards, as there is no way to verify the card holders identity. There is also a new law that has been implemented
that identication or a signature is only required for purchases above $50, unless stated in the policy of the merchant. This new law makes it easier for credit card theft to
take place as well because it is not making it necessary for
a form of identication to be presented, so as long as the
fraud is done at what is considered to be a small amount,
little to no action is taken by the merchant to prevent it.

In the decade to 2008, general credit card losses have

been 7 basis points or lower (i.e. losses of $0.07 or less
per $100 of transactions).[4] In 2007, fraud in the United
Kingdom was estimated at 535 million.[5]

Initiation of a card fraud

Card fraud begins either with the theft of the physical

card or with the compromise of data associated with the
account, including the card account number or other information that would routinely and necessarily be available to a merchant during a legitimate transaction. The
compromise can occur by many common routes and can
usually be conducted without tipping o the card holder,
the merchant or the issuer, at least until the account is A common countermeasure is to require the user to key
1

2
in some identifying information, such as the users ZIP
or postal code. This method may deter casual theft of a
card found alone, but if the card holders wallet is stolen,
it may be trivial for the thief to deduce the information by
looking at other items in the wallet. For instance, a U.S.
driver license commonly has the holders home address
and ZIP code printed on it. Visa Inc. oers merchants
lower rates on transactions if the customer provides a ZIP
code.[8]

COMPROMISED ACCOUNTS

3 Compromised accounts
Card information is stored in a number of formats. Card
numbers formally the Primary Account Number (PAN)
are often embossed or imprinted on the card, and a
magnetic stripe on the back contains the data in machine
readable format. Fields can vary, but the most common
include:

In Europe, most cards are equipped with an EMV chip

Name of card holder
which requires a 4 to 6 digit PIN to be entered into
Card number
the merchants terminal before payment will be authorised. However, a PIN isn't required for online trans Expiration date
actions, and is often not required for transactions using
the magnetic strip. However magnetic strip transactions
Verication/CVV code
are banned under the EMV system (which requires the
PIN). In many/most European countries, if you don't have
a card with a chip, you will usually be asked for photo3.1 Card not present transaction
ID - e.g. national ID card, passport, etc. at the point of
sale. Many self-service machines (e.g. ticket machines
Main article: Card not present transaction
at railway stations, and self-service check-in at airports)
require a PIN and chip in EMV-land (i.e. which is most
The mail and the Internet are major routes for fraud
of Europe, Asia, Middle East etc.).
against merchants who sell and ship products, and afRequiring a customers ZIP code is illegal in California,
fects legitimate mail-order and Internet merchants. If
where the states 1971 law prohibits merchants from rethe card is not physically present (called CNP, card not
questing or requiring a card-holders personal identipresent) the merchant must rely on the holder (or somecation information as a condition of accepting the card
one purporting to be so) presenting the information infor payment. The California Supreme Court has ruled
directly, whether by mail, telephone or over the Internet.
that the ZIP code qualies as personal identication inWhile there are safeguards to this,[9] it is still more risky
formation because it is part of the cardholders address.
than presenting in person, and indeed card issuers tend to
Companies face nes of $2501000 for each violation.[8]
charge a greater transaction rate for CNP, because of the
Requiring a personal identication number (PIN) may
greater risk.
also be a violation.
It is dicult for a merchant to verify that the actual cardCard issuers have several countermeasures, including soholder is indeed authorising the purchase. Shipping comphisticated software that can, prior to an authorized transpanies can guarantee delivery to a location, but they are
action, estimate the probability of fraud. For example, a
not required to check identication and they are usually
large transaction occurring a great distance from the cardnot involved in processing payments for the merchandise.
holders home might seem suspicious. The merchant may
A common recent preventive measure for merchants is to
be instructed to call the card issuer for verication, or to
allow shipment only to an address approved by the carddecline the transaction, or even to hold the card and refuse
holder, and merchant banking systems oer simple methto return it to the customer. The customer must contact
ods of verifying this information. Before this and similar
the issuer and prove who they are to get their card back
countermeasures were introduced, mail order carding was
(if it is not fraud and they are actually buying a product).
rampant as early as 1992.[10] A carder would obtain the
In Australia, there is a service called "Paypass" or more credit card information for a local resident and then intercolloquially known as tap and go. This is where a per- cept delivery of the illegitimately purchased merchandise
son can purchase goods or services and can just tap the at the shipping address, often by staking out the porch of
credit (or debit) card on the card reader. If the transaction the residence.
is less than Aud$100.00, no PIN or signature is required.
Small transactions generally undergo less scrutiny, and
A stolen credit or debit card could be used for a signiare less likely to be investigated by either the card issuer
cant amount of these transactions before the true owner
or the merchant. CNP merchants must take extra precan have the account cancelled.
caution against fraud exposure and associated losses, and
they pay higher rates for the privilege of accepting cards.
Fraudsters bet on the fact that many fraud prevention features are not used for small transactions.
Merchant associations have developed some prevention
measures, such as single use card numbers, but these have

3.4

Checker

not met with much success. Customers expect to be able

to use their credit card without any hassles, and have little
incentive to pursue additional security due to laws limiting customer liability in the event of fraud. Merchants
can implement these prevention measures but risk losing
business if the customer chooses not to use them.

3.2

Identity theft

Identity theft can be divided into two broad categories:

application fraud and account takeover.
3.2.1

Application fraud

Application fraud takes place when a person uses stolen

or fake documents to open an account in another persons
name. Criminals may steal documents such as utility bills
and bank statements to build up useful personal information. Alternatively, they may create fake documents.
With this information, they could open a credit card account or Ioan account in the victims name, and then fully
draw it.
3.2.2

Account takeover

An account takeover occurs when a criminal poses as a

genuine customer, gains control of an account and then
makes unauthorized transactions. According to Action
Fraud, Fraud is committed at the point money is lost.[11]
The most common method of account takeover is a
hacker gaining access to a list of user names and passwords. Other methods include dumpster diving to nd
personal information in discarded mail, and outright buying lists of 'Fullz,' a slang term for full packages of identifying information sold on the black market.[12]

3.3

3
Skimming can also occur at merchants such as gas stations when a third-party card-reading device is installed
either outside or inside a fuel dispenser or other cardswiping terminal. This device allows a thief to capture
a customers card information, including their PIN, with
each card swipe.[15]
Instances of skimming have been reported where the perpetrator has put over the card slot of an ATM (automated
teller machine) a device that reads the magnetic strip
as the user unknowingly passes their card through it.[16]
These devices are often used in conjunction with a miniature camera (inconspicuously attached to the ATM) to
read the users PIN at the same time.[17][18] This method
is being used in many parts of the world, including South
America, Argentina,[19] and Europe.[20] Another technique used is a keypad overlay that matches up with the
buttons of the legitimate keypad below it and presses
them when operated, but records or wirelessly transmits
the keylog of the PIN entered. The device or group of
devices illicitly installed on an ATM are also colloquially
known as a skimmer. Recently made ATMs now often
run a picture of what the slot and keypad are supposed to
look like as a background, so that consumers can identify
foreign devices attached.
Skimming is dicult for the typical cardholder to detect,
but given a large enough sample, it is fairly easy for the
card issuer to detect. The issuer collects a list of all the
cardholders who have complained about fraudulent transactions, and then uses data mining to discover relationships among them and the merchants they use. For example, if many of the cardholders use a particular merchant,
that merchant can be directly investigated. Sophisticated
algorithms can also search for patterns of fraud. Merchants must ensure the physical security of their terminals, and penalties for merchants can be severe if they
are compromised, ranging from large nes by the issuer
to complete exclusion from the system, which can be a
death blow to businesses such as restaurants where credit
card transactions are the norm.

Skimming

Skimmer (device)" redirects here. For other uses, see 3.4 Checker
Skimmer (disambiguation).
Checker is a term used for a process to verify the validity
[21]
Skimming is the crime of getting private information of stolen card data. The thief presents the card inforabout somebody elses credit card used in an otherwise mation on a website that has real-time transaction pronormal transaction. The thief can procure a victims card cessing. If the card is processed successfully, the thief
number using basic methods such as photocopying re- knows that the card is still good. The specic item purceipts or more advanced methods such as using a small chased is immaterial, and the thief does not need to purelectronic device (skimmer) to swipe and store hundreds chase an actual product; a web site subscription or chariof victims card numbers. Common scenarios for skim- table donation would be sucient. The purchase is usuming are restaurants or bars where the skimmer has pos- ally for a small monetary amount, both to avoid using the
session of the victims payment card out of their immedi- cards credit limit, and also to avoid attracting the card
ate view.[13] The thief may also use a small keypad to un- issuers attention. A website known to be susceptible to
obtrusively transcribe the 3 or 4 digit Card Security Code, carding is known as a cardable website.
which is not present on the magnetic strip. Call centers In the past, carders used computer programs called genare another area where skimming can easily occur.[14] erators to produce a sequence of credit card numbers,

and then test them to see which were valid accounts. Another variation would be to take false card numbers to a
location that does not immediately process card numbers,
such as a trade show or special event. However, this process is no longer viable due to widespread requirement
by internet credit card processing systems for additional
data such as the billing address, the 3 to 4 digit Card Security Code and/or the cards expiration date, as well as
the more prevalent use of wireless card scanners that can
process transactions right away.[22] Nowadays, carding is
more typically used to verify credit card data obtained
directly from the victims by skimming or phishing.
A set of credit card details that has been veried in this
way is known in fraud circles as a phish. A carder will
typically sell data les of the phish to other individuals
who will carry out the actual fraud. Market price for a
phish ranges from US$1.00 to US$50.00 depending on
the type of card, freshness of the data and credit status of
the victim.

3.5

BIN attack

Credit cards are produced in BIN ranges. Where an issuer

does not use random generation of the card number, it is
possible for an attacker to obtain one good card number
and generate valid card numbers by changing the last four
numbers using a generator. The expiry date of these card
IDs would most likely be the same as the good card.

3.6

Phishing

charge the card a small amount multiple times at infrequent intervals such as monthly or annually until the card
expires. The vendor may state in the ne print that the
customer is now a member and the membership will be
renewed periodically unless the card holder noties the
vendor in accordance with a cancellation procedure in the
membership agreement which the card holder agreed to
when they made the initial purchase. Because the periodic charges are unexpected, infrequent, and small, most
card holders will not notice the charges. If a card holder
complains to the bank that the charges were unauthorized,
the bank will notify the vendor of the disputed charges
and the vendor will respond that the card holder never
cancelled the membership which the card holder agreed
to. Since most card holders have no idea what the cancellation procedure is and the vendor will reveal it only
to new customers, the bank will not reverse the charges,
but instead will oer to cancel the credit card and reissue it with a dierent account number or expiration date.
Unexpected repeat billing is in a gray area of the law, depending on whether the customer legitimately agreed to
the charges.
Online bill paying or internet purchases utilizing a bank
account are a source for repeat billing known as recurring bank charges. These are standing orders or bankers
orders from a customer to honor and pay a certain amount
every month to the payee. With E-commerce, especially in the United States, a vendor or payee can receive
payment by direct debit through an Automated Clearing House (ACH). While many payments or purchases
are valid, and the customer has intentions to pay the
bill monthly, some are known as Rogue Automatic Payments.[23]

Scammers may use a variety of schemes to lure victims

into giving them their card information through tricks
such as websites pretending to be of a bank or payment 5
system. Telephone phishing can also be employed, in
which a call center is set up to pretend to be associated
5.1
with a banking organization.

3.7

Balance transfer checks

Some promotional oers include active balance transfer

checks which may be tied directly to a credit card account. These are often sent unsolicited, and may occur
as often as once per month by some nancial institutions.
In cases where checks are stolen from a victims mailbox
they can be used at point of sales locations thereby leaving the victim responsible for the losses. They are one
path at times used by fraudsters.

Unexpected repeat billing

PROFITS, LOSSES AND PUNISHMENT

Prots, losses and punishment

United States

The Department of Justice has announced in September

2014 that it will seek to impose a tougher law to combat overseas credit card tracking. Authorities say the
current statute is too weak because it allows people in
other countries to avoid prosecution if they stay outside
the United States when buying and selling the data and
don't pass their illicit business through the U.S. The Department of Justice asks Congress to amend the current
law that would make it illegal for an international criminal to possess, buy or sell a stolen credit card issued by a
U.S. bank independent of geographic location.[24]

5.1.1 Cardholder liability

In the US, federal law limits the liability of card holders

When a card holder buys something from a vendor and to $50 in the event of theft of the actual credit card, reexpects the card to be charged only once, a vendor may gardless of the amount charged on the card, if reported

5.4

Credit card companies

within 60 days of receiving the statement.[25] In practice

many issuers will waive this small payment and simply
remove the fraudulent charges from the customers account if the customer signs an adavit conrming that
the charges are indeed fraudulent. If the physical card is
not lost or stolen, but rather just the credit card account
number itself is stolen, then Federal Law guarantees card
holders have zero liability to the credit card issuer.[26]
5.1.2

Merchants

The merchants and the nancial institutions bear the loss.

The merchant loses the value of any goods or services
sold, and any associated fees. If the nancial institution
does not have a charge-back right then the nancial institution bears the loss and the merchant does not suer
at all. These losses incline merchants to be cautious and
often they ban legitimate transactions and lose potential
revenues. Online merchants can choose to apply for additional services that credit card companies oer, such as
Veried by Visa and MasterCard SecureCode. However,
these are complicated and awkward to do or use for consumers so there is a trade-o of making a sale easy and
making it secure.

5
Identity manipulation describes the alteration of
ones own identity
Identity theft describes the theft or assumption of
a pre-existing identity (or signicant part thereof),
with or without consent and whether, in the case of
an individual, the person is living or deceased
Identity crime is a generic term to describe
activities/oences in which a perpetrator uses a
fabricated identity, a manipulated identity, or a
stolen/assumed identity to facilitate the commission
of a crime(s).[27]
5.3.1 Losses
Estimates created by the Attorney-Generals Department
show that identity crime costs Australia upwards of $1.6
billion each year, with majority of about $900 million
being lost by individuals through credit card fraud, identity theft and scams.[27] In 2015, the Minister for Justice
and Minister Assisting the Prime Minister for CounterTerrorism, Michael Keenan, released the report Identity
Crime and Misuse in Australia 2013-14. This report estimated that the total direct and indirect cost of identity
crime was closer to $2 billion, which includes the direct
and indirect losses experienced by government agencies
and individuals, and the cost of identity crimes recorded
by police.[28]

The liability for the fraud is determined by the details of

the transaction. If the merchant retrieved all the necessary pieces of information and followed all of the rules
and regulations the nancial institution would bear the liability for the fraud. If the merchant did not get all of the
necessary information they would be required to return
the funds to the nancial institution. This is all deter- 5.3.2 Cardholder Liability
mined through the credit card processory.
The victim of credit card fraud in Australia, still in possession of the card, is not responsible for anything bought
5.2 United Kingdom
on it without their permission. However, this is subject
to the terms and conditions of the account. If the card
In the UK, credit cards are regulated by the Consumer has been reported physically stolen or lost the cardholder
Credit Act 1974 (amended 2006). This provides a num- is usually not responsible for any transactions not made
ber of protections and requirements.
by them, unless it can be shown that the cardholder acted
[27]
Any misuse of the card, unless deliberately criminal on dishonestly or without reasonable care.

the part of the cardholder, must be refunded by the mer- [[File:Number of victims and proportion of population or
chant or card issuer.
household, by oence type.png|thumb|A graph showing
the number of victims and proportion of population or
household aected by dierent oences]]

5.3

Australia

In Australia, credit card fraud is considered a form of

identity crime. The Australian Transaction Reports and
Analysis Centre has established standard denitions in
relation to identity crime for use by law enforcement
across Australia:

5.4 Credit card companies

To prevent being charged back for fraud transactions,

merchants can sign up for services oered by Visa and
MasterCard called Veried by Visa and MasterCard SecureCode, under the umbrella term 3-D Secure. This re The term identity encompasses the identity of nat- quires consumers to add additional information to conural persons (living or deceased) and the identity of rm a transaction.
bodies corporate
Often enough online merchants do not take adequate
Identity fabrication describes the creation of a c- measures to protect their websites from fraud attacks, for
titious identity
example by being blind to sequencing. In contrast to

6
more automated product transactions, a clerk overseeing
card present authorization requests must approve the
customers removal of the goods from the premises in real
time.
Credit card merchant associations, like Visa and
MasterCard, receive prots from transaction fees, charging between 0% and 3.25% of the purchase price plus
a per transaction fee of between 0.00 USD and 40.00
USD.[29][30] Cash costs more to bank up, so it is worthwhile for merchants to take cards. Issuers are thus motivated to pursue policies which increase the money transferred by their systems. Many merchants believe this pursuit of revenue reduces the incentive for credit card issuers to adopt procedures to reduce crime, particularly
because the cost of investigating a fraud is usually higher
than the cost of just writing it o. These costs are passed
on to the merchants as chargebacks. This can result
in substantial additional costs: not only has the merchant
been defrauded for the amount of the transaction, he is
also obliged to pay the chargeback fee, and to add insult to
injury the transaction fees still stand.. Additionally merchants may lose their merchant account if their percent
of chargeback to overall turnover exceeds some value related to their type of product or service sold.
Merchants have started to request changes in state and
federal laws to protect themselves and their consumers
from fraud, but the credit card industry has opposed many
of the requests. In many cases, merchants have little ability to ght fraud, and must simply accept a proportion of
fraud as a cost of doing business.
Because all card-accepting merchants and card-carrying
customers are bound by civil contract law there are few
criminal laws covering the fraud. Payment transfer associations enact changes to regulations, and the three
parties the issuer, the consumer, and the merchant
are all generally bound to the conditions, by a selfacceptance term in the contract that it can be changed.

FAMOUS CREDIT FRAUD ATTACKS

6 Famous credit fraud attacks

Between July 2005 and mid-January 2007, a breach of

systems at TJX Companies exposed data from more than
45.6 million credit cards. Albert Gonzalez is accused
of being the ringleader of the group responsible for the
thefts.[31] In August 2009 Gonzalez was also indicted
for the biggest known credit card theft to date information from more than 130 million credit and debit
cards was stolen at Heartland Payment Systems, retailers
7-Eleven and Hannaford Brothers, and two unidentied
companies.[32]
In 2012, about 40 million sets of payment card information were compromised by a hack of Adobe Systems.[33] The information compromised included customer names, encrypted payment card numbers, expiration dates and information relating to orders Chief Security Ocer Brad Arkin said.[34]
In July 2013, press reports indicated four Russians and
a Ukrainian were indicted in New Jersey for what was
called the largest hacking and data breach scheme ever
prosecuted in the United States. [35] Albert Gonzalez
was also cited as a co-conspirator of the attack, which
saw at least 160 million credit card losses and excess of
$300 million in losses. The attack aected both American and European companies including Citigroup, Nasdaq OMX Group, PNC Financial Services Group, Visa
licensee Visa Jordan, Carrefour, J. C. Penny and JetBlue
Airways.[36]
Between 27 November 2013 and 15 December 2013 a
breach of systems at Target Corporation exposed data
from about 40 million credit cards. The information
stolen included names, account number, expiry date and
Card security code.[37]

From 16 July to 30 October 2013, a hacking attack compromised about a million sets of payment card data stored
on computers at Neiman-Marcus.[33][38] A malware sys5.5 Merchants
tem, designed to hook into cash registers and monitor the
credit card authorisation process (RAM-scraping malThe merchant loses the payment, the fees for processing ware), inltrated Targets systems and exposed informathe payment, any currency conversion commissions, and tion from as many as 110 million customers.[39]
the amount of the chargeback penalty. For obvious reasons, many merchants take steps to avoid chargebacks On September 8, 2014, The Home Depot conrmed that
such as not accepting suspicious transactions. This their payment systems were compromised. They later remay spawn collateral damage, where the merchant ad- leased a statement saying that the hackers obtained a total
ditionally loses legitimate sales by incorrectly blocking of 56 million credit card numbers as a result of the breach.
legitimate transactions. Mail Order/Telephone Order On May 15, 2016, in a coordinated attack, a group of
(MOTO) merchants are implementing Agent-assisted au- around 100 individuals used the data of 1600 South
tomation which allows the call center agent to collect the African credit cards to steal 12.7 million USD from 1400
credit card number and other personally identiable in- convenience stores in Tokyo within three hours. Usformation without ever seeing or hearing it. This greatly ing a Sunday and acting in an other country than the
reduces the probability of chargebacks and increases the bank which issued the cards, they are believed to have
likelihood that fraudulent chargebacks will be success- won enough time to leave Japan before the heist was
fully overturned.[9]
discovered.[40]

Countermeasures

Countermeasures to combat credit card fraud include the

following.
By merchants:

Industry collaboration and information sharing

about known fraudsters and emerging threat
vectors[47][48]
By Governmental and Regulatory Bodies:

PAN truncation not displaying the full number on

receipts

Enacting consumer protection laws related to card

fraud

Tokenization (data security) not storing the full

number in computer systems

Performing regular examinations and risk assessments of credit card issuers[49]

Requesting additional information, such as a PIN,

ZIP code, or Card Security Code

Publishing standards, guidance, and guidelines for

protecting cardholder information and monitoring
for fraudulent activity[50]

Perform geolocation validation, such as IP address

Use of Reliance Authentication, indirectly via PayPal, or directly via iSignthis or miiCard.
By card issuers:
Fraud detection and prevention software[41][42][43]
that analyzes patterns of normal and unusual behavior as well as individual transactions in order to ag
likely fraud. Proles include such information as
IP address.[44] Technologies have existed since the
early 1990s to detect potential fraud. One early market entrant was Falcon;[41] other leading software solutions for card fraud include Actimize, SAS, BAE
Systems Detica, and IBM.
Fraud detection and response business processes
such as:

Regulation, such as that introduced in the SEPA and

EU28 by the European Central Banks 'SecuRe Pay'
requirements and the Payment Services Directive 2
legislation.
By cardholders:
Reporting lost or stolen cards
Reviewing charges regularly and reporting unauthorized transactions immediately
Installing virus protection software on personal
computers
Using caution when using credit cards for online
purchases, especially on non-trusted websites

Keeping a record of account numbers, their expi Contacting the cardholder to request vericaration dates, and the phone number and address of
tion
each company in a secure place.[51]
Placing preventative controls/holds on accounts which may have been victimized
Additional technological features:
Blocking card until transactions are veried by
cardholder
EMV
Investigating fraudulent activity
3-D Secure
Strong Authentication measures such as:
Strong authentication
Multi-factor Authentication, verifying that the
BillGuard - a personal nance security app
account is being accessed by the cardholder
through requirement of additional information
True Link
such as account number, PIN, ZIP, challenge
questions
Point to Point Encryption
Multi possession-factor authentication, verifying that the account is being accessed by the
cardholder through requirement of additional 8 See also
personal devices such as smart watch, smart
phone Challenge-response authentication [45]
Chargeback insurance
Out-of-band Authentication,[46] verifying that
Carding (fraud)
the transaction is being done by the cardholder
through a known or trusted communica Credit card hijacking
tion channel such as text message, phone call,
FBI
or security token device

9
Financial crimes

REFERENCES

Friendly Fraud

[12] What Hackers Want More Than Your Credit Card Number | Credit.com. Credit.com. 2015-09-01. Retrieved
2016-05-16.

Identity theft

[13] Inside Job/Restaurant card skimming. Journal Register.

Immigration and Customs Enforcement (ICE)

[14] Little, Allan (19 March 2009). Overseas credit card

scam exposed. bbc.co.uk.com.

Internet fraud
Phishing
Predictive analytics
Reimbursement
Trac analysis

[15] NACS Magazine Skimmming. nacsonline.com

[16] All About Skimmers Krebs on security
[17] ATM Camera Snopes.com
[18] Manipulated ATMs. The H. 2007. Archived from the
original on 26 July 2013.

White-collar crime

[19] Clarn

International credit card data theft

[20] A Dramatic Rise in ATM Skimming Attacks. Krebs on

Security. 2016.

United States Postal Inspection Service

United States Secret Service

References

[21] Krebs, Brian (4 June 2014). Peek Inside a Professional

Carding Shop. Retrieved 8 August 2015.
[22] Hacker shows how easy it is to steal credit card numbers
from thin air. Daily Mail Australia.
[23] Rogue automatic payments- Retrieved 2016-02-07

[1] Credit Card Fraud - Consumer Action (PDF).

Consumer Action. Retrieved 2009. Check date values
in: |access-date= (help)

[24] Tucker, Eric. Prosecutors target credit card thieves overseas. AP. Retrieved 13 September 2014.

[2] Consumer Sentinel Network Data Book: January - December 2008 (PDF). Federal Trade Commission. 26
February 2009. Retrieved 21 February 2010.

[25] Section 901 of title IX of the Act of May 29, 1968 (Pub.
L. No. 90-321), as added by title XX of the Act of
November 10, 1978 (Pub. L. No. 95-630; 92 Stat. 3728),
eective May 10, 1980

[3] Hassibi PhD, Khosrow (2000). Chapter 9 on Detecting

Payment Card Fraud with Neural Networks in book Business Applications of Neural Networks. Singapore-New
Jersey-London-Hong Kong: World Scientic. pp. 141
158. ISBN 978-9810240899.

[26] Lost or Stolen Credit, ATM, and Debit Cards. Ftc.gov.

Retrieved 2 August 2014.

[4] Paterson, Ken (December 2008). Credit Card Issuer

Fraud Management, Report Highlights (PDF). Mercator
Advisory Group. Archived from the original (PDF) on 29
December 2009.

[28] Identity crime in Australia. www.ag.gov.au. Commonwealth of Australia Attorney-Generals Department.

2015.

[27] Identity Crime. Australian Federal Police. Commonwealth of Australia. 2015.

[29] Mastercard Interchange Rates

[5] Plastic card fraud goes back up. BBC. 12 March 2008.
Retrieved 14 October 2013.

[30] Visa Interchange Rates

[6] Court lings double estimate of TJX breach. 2007.

[31] Zetter, Kim (2010-03-25). TJX Hacker Gets 20 Years

in Prison. WIRED. Wired Magazine.

[7] Can Stores Require an ID When I Pay by Credit Card?".

Privacy Rights Clearinghouse. Privacy Rights Clearinghouse. 2008-02-05.

[32] http://www.theregister.co.uk/2009/08/17/heartland_
payment_suspect/

[8] Zip Codes Draw Fire, Wall Street Journal, 22 February

2011, page C7

[33] Skimming O the Top; Why America has such a high rate
of payment-card fraud, 15 February 2014, The Economist

[9] Adsit, Dennis (21 February 2011). Error-proong strategies for managing call center fraud. isixsigma.com.

[34] Krebs, Brian (2014-10-04). Adobe hacked: customer

data, source code compromised. The Sydney Morning
Herald. The Sydney Morning Herald Newspaper.

[10]
[11] ActionFraud (2010-07-07). Account takeover. Action
Fraud. Retrieved 2016-05-09.

[35] Russian hackers charged in 'biggest' data breach case,

160mn credit card numbers stolen, 25 July 2013, Catherine Benson, Reuters

[36] Reuters (2013-07-25). Six charged in biggest credit card

hack on record. CNBC.
[37] The
Wall
Street
Journal
http:
//online.wsj.com/news/articles/
SB10001424052702304367204579267992268980478.
Missing or empty |title= (help)
[38] Neiman Marcus Data Breach FAQ: What to Do Now, by
Paul Wagenseil, 27 January 2014, Toms guide
[39] Perlroth, Elizabeth A.; Popper, Nathaniel; Perlroth,
Nicole (2014-01-23). Neiman Marcus Data Breach
Worse Than First Said. The New York Times. ISSN
0362-4331.
[40] McCurry, Justin (2016-05-23). 100 thieves steal $13m
in three hours from cash machines across Japan. The
Guardian. Retrieved 2016-05-23.
[41] Hassibi PhD, Khosrow. Detecting Payment Card Fraud
with Neural Networks in the book titled Business Applications of Neural Networks. World Scientic. Retrieved 10
April 2013.
[42] IBM RiskTech. Risk Smarter Risk Management for
Financial Services. Risk Smarter Risk Management for
Financial Services. Retrieved 14 July 2011.
[43] Richardson, Robert J. Monitoring Sale Transactions for
Illegal Activity (PDF). Monitoring Sale Transactions for
Illegal Activity. Retrieved 14 July 2011.
[44] FraudLabs. 10 Measures to Reduce Credit Card Fraud.
10 Measures to Reduce Credit Card Fraud for Internet Merchants. FraudLabs. Retrieved 14 July 2011.
[45] Alhothaily, Abdulrahman; Alrawais, Arwa; Cheng, Xiuzhen; Bie, Rongfang (2014). Towards More Secure
Cardholder Verication in Payment Systems. 8491:
356367. doi:10.1007/978-3-319-07782-6_33. ISSN
0302-9743.
[46] BankInfoSecurity. FFIEC: Out-of-Band Authentication. FFIEC: Out-of-Band Authentication. BankInfoSecurity. Retrieved 14 July 2011.
[47] Early Warning Systems. Early Warning Systems. Early
Warning Systems. Early Warning Systems. Retrieved 14
July 2011.
[48] Financial Services - Information Sharing and Analysis Center (FS-ISAC). Financial Services - Information
Sharing and Analysis Center. Financial Services - Information Sharing and Analysis Center. FS-ISAC. Retrieved
14 July 2011.
[49] FFIEC. IT Booklets Information Security Introduction Overview. FFIEC IT Examination Handbook Credit Cards. FFIEC. Retrieved 14 July 2011.
[50] FFIEC. IT Booklets Retail Payment Systems Retail
Payment Systems Risk Management Retail Payment Instrument Specic Risk Management Controls. FFIEC IT
Examination Handbook - Credit Cards. FFIEC. Retrieved
14 July 2011.
[51] Avoiding Credit and Charge Card Fraud

10 External links
Federal Financial Institutions Examination Council
(FFIEC) IT Booklets Information Security Appendix C: Laws, Regulations, and Guidance
Visas fraud control basics for merchants
Mastercards merchant training support
Stopping Card Fraud
The Internet Crime Complaint Center (IC3) is a
partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime
Center(NW3C).
Internet Fraud, with a section Avoiding Credit Card
Fraud, at the Federal Bureau of Investigation website
Counterfeiting and Credit Card Fraud at the Royal
Canadian Mounted Police website
Avoiding Credit and Charge Card Fraud at U.S.
Federal Trade Commission
Credit Card Fraud: Prevention and Cures Idaho Ofce of Attorney General
US Federal Trade Commission Consumer Sentinel
Network Report

10

11

11
11.1

TEXT AND IMAGE SOURCES, CONTRIBUTORS, AND LICENSES

Text and image sources, contributors, and licenses

Text

Credit card fraud Source: https://en.wikipedia.org/wiki/Credit_card_fraud?oldid=737059168 Contributors: AxelBoldt, Edward, CesarB,

EdH, PaulinSaudi, Jeq, Donarreiskoer, Jmabel, Zidane2k1, Miles, Mattaschen, David Gerard, Subsolar, Jason Quinn, OverlordQ,
WhiteDragon, The Inedible Bulk, Ablewisuk, CaribDigita, TonyW, Joyous!, Grstain, Freakofnurture, Monkeyman, RossPatterson, Discospinster, Rhobite, Bender235, Jantangring, Welshie, Sietse Snel, Jpgordon, Cmdrjameson, Toh, Pearle, Sanmartin, Alansohn, Hinotori, Apoc2400, Wtmitchell, ProhibitOnions, Wtshymanski, Danthemankhan, BDD, KTC, Richard Arthur Norton (1958- ), Mindmatrix,
TheArmadillo, Duncan.france, Tabletop, Dmol, Wikiklrsc, Mangojuice, Deltabeignet, BD2412, Canderson7, Rjwilmsi, Koavf, Syndicate,
RexNL, Riki, Simishag, YurikBot, Wavelength, Huw Powell, Dleonard, Me and, Janke, Arichnad, Mgcsinc, Emersoni, PyreneesJIM, Dekushrub, DeadEyeArrow, Barnabypage, Searchme, Zzuuzz, Peter, Je Silvers, Luk, DocendoDiscimus, Yvwv, Veinor, SmackBot, MattieTK,
Dweller, Prthealien, Pgk, Stie, CommodiCast, Gilliam, Algont, Ohnoitsjamie, Jushi, Mukukv, Chris the speller, Master Jay, Bluebot,
Emufarmers, Thumperward, Rossjohnson, Dlohcierekims sock, Nbarth, Colonies Chris, Celebraces, BoKu, Kstinch, BesselDekker, Kntrabssi, Dcrooke, Fitzhugh, Jestep, Kuru, Buchanan-Hermit, JohnI, Smartyllama, Minna Sora no Shita, Scoty6776, TastyPoutine, Alexa
Foster, Hu12, Courcelles, Tawkerbot2, Ebarcell, CmdrObot, Ron Barker, NessBird, Harej bot, Jesse Viviano, Stymiee, StayinAnon, Fredhopper, VashiDonsk, Gogo Dodo, Danorton, JFreeman, He01, Adolphus79, Pajz, Smarcus, LeeNapier, A3RO, PHaze, Nick Number,
AntiVandalBot, Gioto, Bundas, Barek, MER-C, Nthep, Fetchcomms, Greensburger, Ekpyrosis~enwiki, Guccipuppy1986, Mr. Holm,
VoABot II, Chevinki, Mbc362, Dulciana, Wrockca, Nposs, 28421u2232nfenfcenc, Marianna1407, Glen, DerHexer, Thajeer, Flowanda,
STBot, CliC, Storewanderer, Parenthetical guy, Poeloq, Kmh134, Keith D, Nyp, CommonsDelinker, Tgeairn, J.delanoy, Trusilver, Maurice Carbonaro, WarthogDemon, Hooksbooks, Thomas Larsen, Crocodile Punter, Wohlford, Sallen2006, NewEnglandYankee, Urzadek,
FJPB, Bahram.zahir, Pyrogenix, Gtg204y, S (usurped also), CardinalDan, Stevenrowe6, Hellno2, Jimnz111, Rjh1880, Don Megale, Philip
Trueman, Oshwah, Vipinhari, Kimmysharma, WillMorganSeattle, DennyColt, Bwv1004, Cf252, ChiefStrategist, Andy Dingley, Meters,
ASI2007, Brianga, Aleish, Joekucker, Demize, S.rvarr.S, Dprice99, RJaguar3, Grumnut, Mg1967cup2001, SimonTrew, Ducrecon, Kjtobo, Thatotherdude, Bobbybrown1, De728631, Elassint, ClueBot, Fyyer, Foxj, Jdelacastro, Enthusiast01, Ndenison, Grouf, Stefanbcn,
Ottawahitech, Trivialist, William Ortiz, IDTP, Wiki libs, Razorame, Chakreshsinghai, Aitias, Versus22, DumZiBoT, Otr500, Thunderthighs92, Against the current, XLinkBot, Roxy the dog, HeiseUK, Allioupe, Hobbema, Vaheterdu, Addbot, FrankAndProust, Geigerin,
Hilary Gage, Ronhjones, Jncraton, CanadianLinuxUser, Download, DoeRan, Buster7, TheWicker, Kingkong1392, Favonian, Tide rolls,
Lightbot, OlEnglish, Aadieu, Fiilott, Yobot, Alexpl, Securus, Orion11M87, AnomieBOT, Gtz, Piano non troppo, Brocli, Openinformation,
Kingpin13, Ulric1313, RandomAct, Marnyreddt, Kevin chen2003, Mononomic, Nobody657, Rharun, Nbdubya, A.amitkumar, MendleTown, FrescoBot, Ahaupteisch, Elliot Clark, LittleFatPinky, Civilizededucation, DrilBot, Bobmack89x, Arctic Night, Karinnika, LiamSP,
NoFlyingCars, Apollinaire2, Nmiracle, Crusoe8181, DGHunter, DARTH SIDIOUS 2, Mean as custard, RjwilmsiBot, MoodFreak, WinContro, Wohlstand, John of Reading, Outika, T3dkjn89q00vl02Cxp1kqs3x7, Mordgier, Tony4177, Dewritech, GoingBatty, RenamedUser01302013, Tommy2010, Jpengel3, Michael Essmeyer, Dung19phan86, Serhatoren, Alex.hager, Tolly4bolly, Thine Antique Pen,
Clarityn, Palosirkka, Pun, Orange Suede Sofa, ToastIsTasty, ClueBot NG, Jenlynlamont, Googoogaga307, Andrew Kurish, Muon, Widr,
MerlIwBot, BG19bot, Altar, Original1768, Mjae1, Judgyface, Justinburke, David.moreno72, ChrisGualtieri, Devinwhite717, Mogism,
Cerabot~enwiki, XXzoonamiXX, Aam Janta, Epicgenius, Apph, Hendrick 99, U81I82, Info-TMDSecurity, CobraBanker, Melpereira, Anarcham, Scottie.j.murray, Hlbgle, KubaSoup, Jetotheweb, Sam.gov, Monkbot, KH-1, Third party481, Serchan10, Johanna, AntiFraudCard, Mattster3517, JITR, JamesHenry00, LiquidNe2Xus, MarkG5214, Pencilsharper, Srilekha selva, Redolta, Mdfaisal424, Y2kkitten,
Lizgoldman, Mariastown, MisterRandomized, Jazminhatherley97, Ih8mayo and Anonymous: 465

11.2

Images

File:Ambox_important.svg Source: https://upload.wikimedia.org/wikipedia/commons/b/b4/Ambox_important.svg License: Public domain Contributors: Own work, based o of Image:Ambox scales.svg Original artist: Dsmurat (talk contribs)
File:Ambox_rewrite.svg Source: https://upload.wikimedia.org/wikipedia/commons/1/1c/Ambox_rewrite.svg License: Public domain
Contributors: self-made in Inkscape Original artist: penubag
File:Coin_of_Maximian.jpg Source: https://upload.wikimedia.org/wikipedia/commons/a/a0/Coin_of_Maximian.jpg License: CC BYSA 3.0 Contributors: Transferred from en.wikipedia
Original artist: Rasiel Suarez. Original uploader was Rasiel at en.wikipedia
File:Crystal_Clear_app_kedit.svg Source: https://upload.wikimedia.org/wikipedia/commons/e/e8/Crystal_Clear_app_kedit.svg License: LGPL Contributors: Sabine MINICONI Original artist: Sabine MINICONI
File:Edit-clear.svg Source: https://upload.wikimedia.org/wikipedia/en/f/f2/Edit-clear.svg License: Public domain Contributors: The
Tango! Desktop Project. Original artist:
The people from the Tango! project. And according to the meta-data in the le, specically: Andreas Nilsson, and Jakub Steiner (although
minimally).

11.3

Content license

Creative Commons Attribution-Share Alike 3.0