This is part four of a planned six-part series on the credit card industry.
It will be helpful if you have read parts one through three,
as I use a lot of terminology here that was introduced earlier. Enjoy.

WARNING

This installment describes various methods of perpetrating fraud
against credit and charge card issuers, acquirers, and cardholders. Legal
penalties for using these methods to commit fraud are severe. The
reason for sharing this information is so that consumers will be aware
of the importance of security and be aware of the procedures used by
financial institutions to protect against fraud. Neither I nor my employer
advocate use of the fraudulent methods described herein.

All the information here is publicly available from other sources. Unnecessary
detail is purposely not included, particularly as it applies
to detection and prevention of fraud.

CARDHOLDER FRAUD
---------- -----
The most common type of fraud against credit cards is cardholders falsifying
applications to get higher credit limits than they can afford
to pay, or to get multiple cards that they cannot afford to pay off.
Sometimes this is done with intent to defraud, but most often it is
done out of desperation or sheer financial ineptitude. Those who intend
to defraud generally use the multiple-card approach. They give
false names and financial data on several (sometimes as many as hundreds)
of applications. Often, the address of a vacant house that the
crook has access to is given, making it difficult to track the crook's
real identity. Once cards start showing up, the crook uses them for
cash advances or charges merchandise that is easy to sell, like consumer
electronics. The crook will run all the cards up to the limit
immediately, and will generally move on by the time the bills start arriving.
This type of fraud is not applicable to debit cards, since
they require an available account balance equal to or greater than any
purchases or withdrawals.

Protecting against this type of fraud, either intentional or otherwise,
is exactly the purpose of credit bureaus such as TRW. Issuers have become
more aware of the need for careful screening of applications, and
are using better techniques for detecting similar applications sent to
multiple issuers. More sophisticated velocity file screening can also
be used to detect possibly fraudulent usage patterns. Since this is a
method of fraud that can be used to gain really large amounts of
money, it is a high priority with issuers' security departments.

A variant of this scheme is much like check kiting. Can you use your
VISA to pay your MasterCard? Well, you might be able to manage it, but
if you're doing it with intent to defraud, you can be prosecuted. Kiting
schemes typically don't last long, have a low payoff, and are very
easy to detect.

Another type of cardholder fraud is simply contesting legitimate
charges. Most often, retrieving the documents gives pretty convincing
proof. Frequently, a family member will be found to have used the card
without the cardholder's permission. Such cases are usually pretty
easy to resolve. In the case of an ATM card, cameras are often placed
at ATMs (sometimes hidden) to record users of the machine. The camera
is usually tied to the ATM, so that a single retrieval stamp can be
placed on the film and the ATM log. If a withdrawal is contested, the
bank can then retrieve the picture of the person standing at the machine,
and conclusively tie that picture to the transaction.

A type of cardholder fraud that is endemic only to ATMs is making false
deposits. You could, theoretically, tell the ATM that you are depositing
a large amount of money, and put in an empty envelope. Most banks
will not let you withdraw amounts deposited into an ATM until the deposit
has been verified, but some will allow part of the deposit to be
withdrawn. Typically, you can't get away with much. If you have any
money actually in your account, the bank has easy, legal recourse to
seize those funds. Most banks have no sense of humor about such
things, and will remove ATM card privileges after the first offense.

THIRD-PARTY FRAUD
----------- -----
The simplest way for a third party to commit fraud is for them to get
their hands on a legitimate card. There is a large black market for
credit cards obtained from hold-ups, break-ins and muggings. Perhaps
one of the cruelest methods of getting a card is a "Good Samaritan"
scam. In such a scam, credit cards are stolen by pick-pockets,
purse-snatchers, etc. That same day, someone looks up your number in
the phone book and calls you up. "I just found your wallet. All the
money is gone, but the credit cards and your driver's license are still
here. It just happens that I'll be in your neighborhood next Wednesday
and I'll drop it off then." Since the cards are found, you don't report
them stolen, and the crooks get until next Wednesday before you're
even suspicious. If such a thing happens to you, ask if you can come
and pick the cards up immediately. A true good samaritan won't mind,
but a crook will stall you. If you can't get your hands on the cards
immediately, report them as stolen. Most issuers will be able to get
you a new card by next Wednesday, anyway.

Often stolen cards will be used for a time exactly as is. The best
tool for preventing this is verification of the signature, but this is
ineffective because most merchants don't consistently check signatures
and some people don't even sign their cards. (I guess these people
figure that all purse snatchers are accomplished forgers as well.)
Many cards will eventually be modified as the various security schemes
start catching up.

It is a very easy matter, for example, to re-encode a different number
on the magnetic stripe. Since the card still looks fine, a merchant
will accept it and run it through the POS terminal, completely ignorant
of the fact that the number read off the back is not the same as that
on the front. Although the number on the front would fail a negative
file check, the number on the back is one that hasn't been reported
yet. A card can be re-encoded almost any number of times, as long as
you can keep coming up with new valid PANs. To protect against this,
some merchants purposely avoid using the magnetic stripe. Others have
terminals that display the number read from the stripe, so the cashier
can compare it to the number on the card. Some issuers are experimenting
with special encoding schemes, to make re-encoding difficult, but
most of these schemes would require replacing the entire embedded base
of POS terminals. An interesting approach I've seen (it's probably
patented) uses a laser to burn off the parts of the magnetic stripe
where zeroes are encoded, leaving only the ones. This severely limits
the changes you can make to the card number. Some issuers use the
"discretionary data" field to encode data unique to the card, that a
crook would not be able to guess, to combat this type of fraud.

Since an ATM doesn't have a human looking at the card, it is especially
susceptible to re-encoding fraud. A crook could get a number from a
discarded receipt and encode it on a white card blank, which is easy to
obtain legally. Many people use PINs that are easy to guess, and the
crook has an easy job of it. Most ATMs will not give you your card
back if you don't enter a correct PIN, and will only give you a few
tries to get it right, to prevent this type of fraud. Velocity file
checks are also important in detecting this. You should always take
your ATM receipts with you, pick a non-obvious PIN, and make sure that
nobody sees you enter it.
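
The countermeasures named in the two paragraphs above (comparing the
number read from the stripe with the number on the front, the negative
file check, and a velocity check), sketched as an added example that is
not part of the original article. The Screener class, the window and
limit values, and the PANs are constructed for illustration; the article
gives no figures.

```python
from collections import defaultdict, deque

# Assumed policy values; the article gives no figures.
VELOCITY_WINDOW_SECS = 3600   # look-back window per PAN
VELOCITY_MAX_TXNS = 3         # attempts allowed inside the window

class Screener:
    """Acquirer/issuer-side screening of one card-present transaction."""

    def __init__(self, negative_file):
        self.negative_file = set(negative_file)  # PANs reported lost or stolen
        self.history = defaultdict(deque)        # stripe PAN -> attempt times

    def screen(self, stripe_pan, embossed_pan, ts):
        """Return (decision, reasons). Pass embossed_pan=None for an ATM,
        where nobody reads the front of the card."""
        reasons = []
        if embossed_pan is not None and embossed_pan != stripe_pan:
            reasons.append("stripe/embossed mismatch")
        # Check both numbers: re-encoding hides a reported number on the
        # front behind an unreported one on the stripe.
        if {stripe_pan, embossed_pan} & self.negative_file:
            reasons.append("negative file hit")
        # Velocity: drop attempts older than the window, then count.
        recent = self.history[stripe_pan]
        while recent and ts - recent[0] >= VELOCITY_WINDOW_SECS:
            recent.popleft()
        if len(recent) >= VELOCITY_MAX_TXNS:
            reasons.append("velocity limit exceeded")
        recent.append(ts)  # declined attempts count toward velocity too
        return ("DECLINE" if reasons else "APPROVE", reasons)

def demo():
    # Constructed sample PANs, not real card numbers.
    s = Screener(negative_file={"9000000000000001"})
    out = [
        # Reported number on the front, different number on the stripe.
        s.screen("9000000000000002", "9000000000000001", ts=0),
        # Front and stripe agree, nothing reported.
        s.screen("9000000000000003", "9000000000000003", ts=10),
    ]
    # Repeated ATM use of one stripe number within the window.
    out += [s.screen("9000000000000004", None, ts=t) for t in (100, 200, 300, 400)]
    return out

if __name__ == "__main__":
    for decision, reasons in demo():
        print(decision, reasons)
```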

One place that a crook can get valid PANs to encode on credit cards is
from dumpsters outside of stores and restaurants. The credit slip
typically is a multipart form, with one copy for you, one for the merchant,
and one for the issuer (ultimately). If carbon paper is used,
and the carbons are discarded intact, it's pretty easy to read the numbers
off of them. Carbonless paper and forms that either rip the carbons
in half or attach them to the cardholder copy automatically are
used to prevent this.

There are a lot of scams for getting people to tell their credit card
numbers over the phone. Never give your card number to anyone unless
you are buying something from them, and make sure that it is a legitimate
business you are buying from. "Incredible deal!! Diamond
jewelry at half price!! Call now with your VISA number, and we'll rush
you your necklace!!" When you don't get the necklace for four weeks,
you might start to wonder. When you get your credit card bill, you'll
stop wondering.

There are other, more sophisticated ways to modify a credit card. If
you're skillful, you can change the embossing on the card and even the
signature on the back. For most purposes, these techniques are more
trouble than they're worth, since it's not difficult to come up with a
new stolen card, or fake ID to match the existing card.

MERCHANT FRAUD
-------- -----
There are many urban rumors of merchants imprinting a card multiple
times while the cardholder isn't looking, and then running through a
bunch of charges after the cardholder leaves. I don't know of any case
where this is an official policy of a merchant, but this is certainly
one technique a dishonest cashier could use. The cashier can then take
home a bunch of merchandise charged to your account. Although some
people are afraid of this happening in a restaurant, where a waiter
takes your card away for a while, it's actually less likely there,
since there isn't anything the waiter can charge against your card and
take home.

A merchant could also make copies of charge slips, to sell the PANs to
other crooks. (See above for use of PANs.) Most credit card investigation
departments are sensitive to this possibility, and catch on real
fast if it's happening just by looking at usage history of cards with
fraudulent charges.

A merchant is also in a position to create many false charges against
bogus numbers, to attempt to defraud the acquirer or issuer. These
schemes are usually not too effective, since acquirers generally respond
very quickly to an unusual number of fraudulent transactions by
tightening restrictions on the merchant.

ACQUIRER AND ISSUER FRAUD
-------- --- ------ -----
The place to make really big bucks in fraud is at the acquirer or issuer,
since this is where you can get access to large amounts of money.
Fortunately, it's also fairly easy to control things here with audit
procedures and dual control. People working in the back offices, processing
credit slips, bills, etc. have a big opportunity to "lose"
things, introduce false things, artificially delay things, and temporarily
divert things. Most of the control is standard banking stuff,
and has been proven effective for decades, so this isn't a big problem.

A bigger potential problem to the consumer is the possibility of an employee
at the issuer or acquirer selling PANs to crooks. This would be
very hard to track down, and could compromise a large part of the card
base. I know of no cases where this has happened.

Programmers, in particular, are very dangerous because they know where
the data is, how to get it, and what to do with it. In most shops, development
is done on completely separate facilities from the production
system. Certification and installation are done by non-developers, and
developers are not allowed any access to the production facilities.
Operations and maintenance staff are monitored very carefully as well,
since they typically have access to the entire system as part of their
jobs.

Another type of fraud that is possible here is diversion of materials,
such as printed, but not embossed or encoded, card blanks. Such materials
are typically controlled using processes similar to those used at
U.S. mints. Since most of the cards issued in the United States are
actually manufactured by only a handful of companies, it's not too hard
to keep things under control.

There are many types of fraud that can be perpetrated by tapping data
communication lines, and using protocol analyzers or computers to intercept
or introduce data. These types of fraud are not widespread,
mainly because of the need for physical access and because sophisticated
computer techniques are required. There are message authentication,
encryption, and key management techniques that are available to
combat this type of fraud, but currently these techniques are far more
costly than the minimal fraud they could prevent. About the only such
security technique that is in widespread use is encryption of PINs.

The next episode will be devoted to debit cards, and the final episode
will talk about the networks that make all this magic happen.

Joe Ziegler
att!lznv!ziegler