The Evolution of Fraud
Fraud, the F word in the payments world, has long been a source of frustration, financial failures and foible. For as long as commercial credit has been available, enterprising people have looked at payment card systems and tried to take advantage of them using every scheme imaginable. Today, these fraudsters utilize sophisticated techniques to bypass risk engines and to exploit systems designed to provide convenience to consumers. This week, Dicorm will delve into the dark and shady underworld of fraud and show how, while the methods have changed, the end goal has always been the same: to steal as much money from as many people as quickly and as often as possible.
1899 had a few notable events: the patent for aspirin, the founding of the Victoria and Albert Museum, and the first recorded instance of credit card fraud. In this case, a customer received a credit card from a carriage company (like Grab or Uber). The cardholder did not apply for this card and did not want it, so he threw it away. The card was found by someone else, who promptly used it freely, racking up around $850 USD (adjusted for inflation) in charges. The cardholder had no choice but to pay this bill. Fraudsters have changed their methodologies and become more sophisticated over the 120 years since this occurrence. When credit cards in their current form were first issued in 1959, the fraudsters were not far behind.
The 70s and 80s
Much like our taxi-thief above, early fraud was very opportunistic in nature, meaning that when a cardholder had a lapse in judgment or attention, the fraudster would swoop in and steal the card. More often than not, these were corporate cards given to sales representatives to cover entertainment and traveling expenses when on company business. It was also common for fraudsters to intercept posted credit cards and steal them from cardholders' mailboxes. To combat this and the problem of a lack of funds in an account, IBM created cards with a magnetic strip. These strips contained information about the cardholder and allowed the merchant to swipe a card at their terminal and get an approval or rejection message in a matter of seconds, a process that prior to this took days.
In the 1990s, businesses realized the potential of using the internet to grow their business and to make sales online, and in 1994, e-commerce exploded onto the scene. Almost immediately, the fraudsters went to work. They knew that the names on transactions were not being checked during checkout and that if they were to utilize a famous person’s name, merchants would be so excited about the sale that they would forgo any logical checks. As a result, many merchants fell victim to scams involving 'Brooke Shields', 'Bill Clinton' and the ever-popular 'Scrooge McDuck'. Once merchants caught on to what was going on, the fraudsters became much more technologically sophisticated.
The late 1990s saw fraudsters team up to create simple card generators. This software would generate card numbers that fraudsters would then be able to enter into a merchant's online store. Initially, fraudsters tended to use the generated card number to make multiple purchases on the same merchant's website. However, they quickly realized that these generated card numbers were more valuable when they attacked multiple merchants for smaller values less frequently, as this would make their activity less noticeable. They were right, as merchants who were dependent on printouts and 'eyeballing' to prevent fraud were unable to identify these attacks until they were informed of them by card associations, weeks if not months later. While these methods were effective, they relied heavily on trial and error, as not all the numbers generated were valid. Thus, once again, the fraudsters changed their tactics and got even more technical and creative.
In a bid to increase the amount of money a card could be exploited for, fraudsters developed an ingenious solution: become merchants. Fraudsters created websites for existing brick-and-mortar stores and waited for customers to make a purchase. The credit card information received was accurate and true, and the fraudster now had all the information they needed to make purchases on other websites or to charge the card multiple times. These fraudsters often shared these credit card numbers with other fraudsters online, creating an interconnected web of deceit. This masked their activity, as it looked like the cardholder was going on a shopping spree rather than like fraud. This also gave local crime rings a foot in the door, as seen in the HBO show 'The Sopranos', where credit card information is stolen using skimmers and sold on to these fraud rings.
At this point in time, a few ideas were implemented to combat this fraud, such as enticing buyers to create accounts that needed to be verified or placing physical locks on terminals to prevent skimmers from being used. However, fraudsters always found a way to bypass these security measures, such as taking over accounts created by customers and changing the password and shipping address, or placing the skimmer on the phone line instead of on the terminal.
Yet with the introduction of 3D-secure, the credit card companies began fighting back. By requiring the buyer to enter a secure code, phrase or one-time PIN that was sent to the cardholder's phone or dongle, 3D-secure had the potential to reduce fraud rates exponentially. Yet government regulations, plus financial institutions' unwillingness to change and a resistance to adding an impediment to a sale, meant that this program was not universally implemented.
As card payments became more frequently used, fraudsters started organizing themselves better and adopted a significantly more methodical approach to fraud. Sharing card information within their network, the name of the game was to make multiple purchases from one website using stolen cards, only to resell those items and use the card details they received to make the next batch of purchases. Surprisingly, this self-sustaining sequence succeeded in swindling society so smoothly that suspicions seldom surfaced. Furthermore, fraudsters began playing a long game, setting up websites and merchant accounts up to a year in advance to build a good reputation via reviews on websites like Trustpilot. At the end of the year, when sales volumes picked up across the board, these fraudsters would charge every card that had been used on their website to get away with millions of dollars.
It was not until 2018 that Visa made it mandatory for CVV numbers to be passed when the physical card was not present during a transaction, such as during online shopping. This made it more difficult for fraudsters to use stolen credit cards, but by then they had moved on again, this time to advanced techniques like synthetic fraud or collaborative fraud.
Contact Dicorm now to find out how you can stay aware of and ahead of fraudsters in this high stakes game of cat and mouse.