Compromised accounts

Posted on 09. Feb, 2009 by admin in Merchant Article

Card account information is stored in a number of formats. Account numbers are often embossed or imprinted on the card, and a magnetic stripe on the back contains the data in machine-readable format. Fields can vary, but the most common include:

  • Name of card holder
  • Account number
  • Expiration date
  • Verification/CVV code

There have been high-profile examples of companies being compromised, resulting in large-scale identity theft, the largest to date being TJX.

Mail/Internet order fraud

The mail and the Internet are major routes for fraud against merchants who sell and ship products, as well as Internet merchants who provide online services. The industry term for catalog order and similar transactions is “Card Not Present” (CNP), meaning that the card is not physically available for the merchant to inspect. The merchant must rely on the holder (or someone purporting to be the holder) to present the information on the card by indirect means, whether by mail, telephone or over the Internet, when the cardholder is not present at the point of sale.

It is difficult for a merchant to verify that the actual card holder is indeed authorizing the purchase. Shipping companies can guarantee delivery to a location, but they are not required to check identification and they are usually not involved in processing payments for the merchandise. A common preventive measure for merchants is to allow shipment only to an address approved by the cardholder, and merchant banking systems offer simple methods of verifying this information.

Additionally, smaller transactions generally undergo less scrutiny, and are less likely to be investigated by either the bank or the merchant. CNP merchants must take extra precaution against fraud exposure and associated losses, and they pay higher rates to merchant banks for the privilege of accepting cards. Anonymous scam artists bet on the fact that many fraud prevention features do not apply in this environment.

Merchant associations have developed some prevention measures, such as single-use card numbers, but these have not met with much success. Customers expect to be able to use their credit card without any hassles, and have little incentive to pursue additional security due to laws limiting customer liability in the event of fraud. Merchants can implement these prevention measures but risk losing business if the customer chooses not to use the measures.

Account takeover

There are two types of fraud within the identity theft category: application fraud and account takeover.

Application fraud occurs when criminals use stolen or fake documents to open an account in someone else’s name. Criminals may try to steal documents such as utility bills and bank statements to build up useful personal information. Alternatively, they may create counterfeit documents.

Account takeover involves a criminal trying to take over another person’s account, first by gathering information about the intended victim, then contacting their bank or credit issuer — masquerading as the genuine cardholder — asking for mail to be redirected to a new address. The criminal then reports the card lost and asks for a replacement to be sent. The replacement card is then used fraudulently.

Some merchants have added a new practice to protect consumers and their own reputation: they ask the buyer to send a copy of the physical card and statement to confirm legitimate use of the card.

Source: Wikipedia
