New York: To understand the world of credit card fraud, you must first learn an entirely new language. Words like “skimming,” “shoulder surfing” and “phishing” may sound less criminal than “stealing,” but they are, in fact, ways in which money can be stolen off your credit card.
And though there are no definitive global figures on losses from credit card fraud (most financial institutions are tight-lipped on the subject), an FBI report from 2005 indicated that credit cards represented the majority of the total $315 billion (Rs1,283,310 crore) U.S. financial fraud loss for that year, while a recent European study found that more than 22 million adults fell victim to credit card scams in 2006. Figures from the Banque de France, the country’s central bank, showed a credit card fraud loss of 236 million euros, or $319 million, for 2005.
Equally disturbing are crimes affecting online banking, which until recently, because of security concerns, was the fastest growing activity on the Internet, with three-quarters of Europeans banking online and 38% of U.S. adults.
“There were zero online banking fraud losses in 2003 in the U.K.,” Smith said. In 2006, 33.5 million pounds, or $66.4 million, was lost. A U.S. survey by the market research group Gartner in 2004, the latest figures available, reported that nearly two million Americans had their checking accounts raided with an average loss of $1,200 per incident, or total losses of more than $2 billion for the year. Most incidents were attributed to online banking.
“The numbers are, quite frankly, staggering,” said Francis Ravez, secretary general of the European Security Transport Association, a nonprofit organization that represents cash-industry logistics businesses, which conducted the credit card study in Europe. “The cost of fraud is enormous, and it is only going to get worse if proper security is not put in place.”
The latest figures from Apacs, the British trade body that represents payment institutions like banks and card issuers, reveal exactly how deceptive crooks have become in executing “card-not-present,” or CNP fraud — purchases by phone, the Internet or via mail order.
Although overall credit card fraud in Britain fell by 3% from 2005 to 2006, to 428 million pounds, CNP fraud increased by 16% in 2006 to 212.6 million pounds — almost half of all plastic losses due to fraud. The decrease in overall fraud is entirely due to the introduction of a security measure in 2006 called “Chip and Pin,” which requires cardholders to identify themselves at the point of sale through a personal identification number, or PIN.
“The increase in Internet fraud could be expected when you look at how many more businesses are accepting online transactions,” said Jemma Smith, a spokeswoman for Apacs. Twenty-five million people in Britain alone now shop online, she said. “The problem is that the criminals are targeting the customers more than the technology. It is not about hacking into computers as much as it is about tricking users into revealing their card or account details.
“That is why opening an unsolicited e-mail is like opening the front door of your home to a stranger,” Smith said.
As far as banks and credit card companies are concerned, online theft is the same as its equivalent in the physical world: If someone steals your card information, the bank or card issuer will normally cover most or all of unauthorized charges. That is why many card issuers are putting new security measures in place. “Verified by Visa” is a free service where your purchases are protected with participating online merchants by a password, as is MasterCard’s new SecureCode service.
Card companies are hoping the extra layer of security will reduce some of the more popular types of identity theft, both online and off, that fraudsters are now employing:
Skimming describes the process in which a device is used to copy the magnetic stripe encoding off of a card — one reason card holders are cautioned against using ATM machines that look unusual.
Shoulder surfing refers to the method in which a fraudster obtains a PIN number by standing near a cardholder at an ATM machine. In some cases, the scam will occur after the PIN has been entered, with the thief distracting the person withdrawing money with a free newspaper. When the cardholder turns away, an accomplice quickly withdraws money.
Phishing refers to e-mail messages randomly sent out to trick customers into disclosing credit card numbers, account passwords or banking information. It is this type of theft that is causing the most problems. These fraudulent e-mail messages pretend to be from well-known companies. A recent study by Gartner of 5,000 adults in the United States estimated that 24.4 million Americans were tricked by phishing e-mail messages in 2006. Statistics from Phishtank, an antiphishing network, found that last month alone some 77,709 phishes were sent out, with 19% originating in the United States, 15% in France, 14% in Turkey and 10% from South Korea.
“This is a global problem,” said David Ulevitch, the founder of Phishtank, whose data is now being used by Yahoo to help make the Internet safer.
One of the companies most targeted for phishing is PayPal, the Internet-based money transfer business. PayPal has put advice on its Web site about how to spot fraudulent e-mail messages and is putting other measures in place to prevent them from reaching its 142 million clients in the first place.
“We are digitally signing our e-mails now and letting the ISPs know that if we have not signed it, they should drop it,” said Michael Barrett, PayPal’s chief information security officer, referring to Internet service providers.
PayPal’s fraud rate is very low — less than a third of 1% of the value of transactions. Barrett attributes that to the company’s security vigilance, which encompasses measures like supporting safer Web browsers. Both Firefox 2 and Internet Explorer 7 have antiphishing filters that alert users to suspect sites, while OpenDNS, the parent company of Phishtank, offers a free downloadable service that blocks phishing sites. In addition, PayPal is testing the use of security tokens: for $5, customers can buy access to randomly generated six-digit codes that are then used as part of the login process on the PayPal Web site.
“We are treating e-crime on as broad a spectrum as we can, hitting it at all life cycles like an antibiotic,” he said.
At the same time, Barrett and others in the industry are hoping to dial down the alarm among consumers that online fraud is rampant. “There is a public perception that e-commerce is much less secure than it is,” Barrett said, adding that PayPal’s low fraud rate demonstrates that safety can be ensured.
But he acknowledged that some jurisdictions are more secure than others. “Generally the problem is worse in jurisdictions that are less effective when it comes to law enforcement,” he said, mentioning Eastern Europe and China, in particular.
To combat online banking fraud, Barclays Bank will introduce the PINsentry device, an industry-developed handheld Chip and Pin card reader that will allow online banking customers to authenticate their identity at home before making certain third-party payments. The Royal Bank of Scotland Group plans to introduce its own branded version of the same device to its customers this summer. “We believe it will be difficult to break into this system,” said Emma Austin, a spokeswoman for Barclays.
But in a complex global system, nothing is 100% foolproof. “Criminals may exploit one component of the payment system,” said a spokesman for Visa Europe who did not give his name, citing company policy. The challenge, he added, is “to remain one step ahead.”