Security issue of card transactions

Tomcat

Card fraud is understood as deliberate fraudulent actions by a party based on the use of bank card technology and aimed at unauthorized seizure of funds deposited in the "card" accounts of bank card holders or due to a merchant for card transactions.

Card fraud is often simply called fraud (from the English word fraud: deception, swindle).

It is customary to divide fraud into two groups: fraud on the part of card issuance and fraud on the part of card servicing. The first group includes frauds related to unauthorized use of the issuer's cards (stolen / lost cards, counterfeit cards, unreceived cards, cards obtained from the bank dishonestly by using stolen identification data / documents of a "reliable" person, etc.). The second group includes fraud initiated by a merchant (fake / altered slips, re-entry of transactions, etc.).

The ratio of the volume of financial losses incurred as a result of card fraud to the total volume of sales made with plastic cards (F / S, or Fraud / Sales) is used as an indicator of the level of fraud. The unit of measurement for the F / S ratio is the basis point. One basis point corresponds to a level of fraud equal to 0.01% of the total turnover on bank cards. In other words, a fraud rate of one basis point (abbreviated as bp) corresponds to a loss of 1 cent for every $ 100 of card turnover.

1.5.1. The severity of the problem of security of transactions using plastic cards

Over the past 10 years, the average losses of a bank from operations with plastic cards have been 7-12 cents per $ 100 of card turnover (7-12 bp). This is significantly less than the losses of banks associated with customer lending, which amount to $ 3-4 for every $ 100 of loans issued. Nevertheless, banks and payment systems pay special attention to the problem of security of transactions with plastic cards. This is because the nature of the risks in the two cases is different. In the case of card fraud, the client suffers. Even if the issuer bears the losses caused by fraud, the moral damage associated with the inconvenience caused to the cardholder is still felt. The possibility of fraud seriously undermines the confidence of bank customers in card technology in general.

To illustrate what has been said, let us carry out a simple analysis. The average person in the West uses his card for non-cash payments about 40 times a year, i.e. with a typical card usage rate of 0.1 per day. With the current level of fraud, equal to approximately 10 bp, the probability that the next operation on the card of our chosen cardholder will turn out to be fraudulent is p ≈ 0.001. In reality, this probability is lower, since several fraudulent transactions are usually carried out on a card compromised in one way or another, and, in addition, the average size of a fraudulent transaction is higher than usual. However, to illustrate the "magnitude of the disaster", such an estimate of the likelihood that a cardholder's transaction is fraudulent is appropriate.

Then, over 10 years of using cards, our cardholder will make N = 400 non-cash purchases, and the probability that he will suffer from card fraud is P_F = 1 - (1 - p)^N, which at the current level of fraud is close to 0.33. In other words, about one in three of those who have been using cards for more than 10 years, at the level of fraud of the past decade, has suffered from card fraud.

The cardholder we have chosen for illustration does not live in a vacuum. He is surrounded by family, friends and colleagues. If we assume that the inner circle of the cardholder consists of 10 people, it follows that the probability that at least one person from this circle has suffered from card fraud over the last decade is greater than 0.98 (N = 4000).

In other words, most of us know about card fraud not only from books and magazines, but also from personal experience. Of course, such close acquaintance with card fraud will not encourage you to use your plastic card more intensively.

Therefore, the security of transactions with plastic cards is the cornerstone of the development of the card industry, and this problem receives serious attention from payment systems and banks. Payment systems play first fiddle here: it is they who have the necessary resources and powers to improve bank card technology, making card transactions more and more secure. Banks, mainly following in the wake of payment systems, fight their own financial and reputational losses.

The absolute size of card fraud can be roughly estimated as follows. Based on the 2007 Nilson Report, the 2007 turnover on transactions in the leading payment systems VISA, MasterCard, American Express, Diners Club and JCB amounted to approximately $ 5.9 trillion (VISA and MasterCard account for 85% of the total world turnover on bank cards). Taking into account the level of fraud (8-10 bp), it is easy to find that the absolute size of card fraud in 2007 was about $ 5-6 billion.

According to the 2007 Nilson Report, banks' losses from fraud amounted to $ 5.5 billion, which indicates a fairly high accuracy of our method for estimating the volume of card fraud.

However, this is only the visible part of the iceberg called "card fraud". Experience shows that a significant proportion of frauds do not fall into the reports of payment systems, since banks, trying to protect their reputation, often do not report the occurrence of fraud in payment systems. According to the Frost & Sullivan agency, losses from fraud with bank cards in 2008 reached about $ 15.5 billion, that is, more than 2 times higher than the forecasted value ($ 6-7 billion).

In addition to direct financial losses from card fraud, banks incur indirect losses: customer abandonment and a decrease in the inflow of funds due to a blow to the bank's reputation (loss of confidence in the bank's financial products / services), the cost of maintaining personnel dealing with security issues, the cost of upgrading equipment, etc.

More than 20,000 banks worldwide issue cards. Almost all of them have a card security division. Even if we assume that the average budget for such a division is $ 50,000 per year, banks spend about a billion dollars annually on personnel involved in card security.

It is difficult to accurately estimate the cost of information systems purchased to ensure security (network protection systems, transaction monitoring, HSM modules, terminal security elements, equipment for card personalization zones and PCs, etc.). In order of magnitude it amounts to several billion dollars, assuming that a bank spends about 100 thousand dollars on the acquisition of such systems. Taking into account an amortization period for information systems of approximately 10 years, the annual costs amount to several hundred million dollars.

As a result, the total annual losses from the consequences of card fraud, together with the costs of banks to mitigate these losses, turn out to be significantly higher than the estimates given by payment systems.

The characteristic features of card fraud include:
  • In the new millennium, the average level of card fraud in the world ranges from 7-12 basis points. However, the level of fraud can vary significantly from country to country. This even applies to already established markets such as Europe. For example, in France, the level of fraud over the past 15 years has not exceeded the level of five basis points, and in the UK, even after the migration to the chip is completed, it is near the mark of 14 basis points;
  • the use of the most modern hardware and software by fraudsters due to its availability, in particular due to the natural drop in the cost of these tools. In accordance with Moore's law, the doubling of computing performance, memory size and communication channel bandwidth occurs every 18, 12 and 9 months, respectively. Recently an amendment to Moore's law regarding the growth rate of computer performance was reported: a doubling of performance now occurs in 24 months;
  • migration of banks to microprocessor technology: at the end of the first quarter of 2009, approximately every fifth card (22%) and every third POS-terminal (37%) in the world supported the EMV standard; in Europe, every second card (50%) and about 2/3 of POS-terminals (68%) were hybrid (they support magnetic stripe cards and microprocessor cards). In the world and in Europe, respectively, 19% and 54% of ATMs are EMV-compliant;
  • high professional level of criminal structures (their ranks often include former employees of banks, processing centers, suppliers of card solutions, who are well aware of technological processes, software and equipment used). An example of the installation of malicious software designed to steal magnetic stripe and PIN-code data on ATMs recorded at the beginning of 2009 is an excellent confirmation of this thesis;
  • international character and good organization of criminal gangs in the field of card fraud - a rigid hierarchy, a clear distribution of functions, control over the work of individual links, payment based on the result;
  • constant search for new opportunities for committing fraud, including "ringing" cards and constant "testing" of the strength of banks' processing systems. Such testing includes checking whether the bank has a transaction monitoring system, analysis of how the algorithms for checking individual card details operate, assessment of the reliability of the card-details database, etc.;
  • high flexibility and efficiency of criminal structures: only a few days pass from the moment a weakness in the bank's defense is discovered until a massive attack is carried out;
  • concentration of fraud on three main types: CNP transactions, fake cards, stolen / lost cards. Other types of card fraud account for no more than 6-8% of losses (!);
  • migration of fraud (especially in EMV regions) from one type to another. There is an obvious migration towards CNP fraud (in the UK in 2007 it accounted for 54% of all fraud committed on the cards of British banks), fraud through ATMs (ATM Fraud) and fraud using cards obtained with stolen documents (ID Theft), away from such types of fraud as fake cards at POS terminals, stolen / lost cards and unreceived cards. All types of fraud listed here will be discussed below;
  • rapid growth of CNP fraud (about 20% per year) in EMV regions;
  • an increase in cross-channel fraud, where data leaked from one customer service channel is used to commit fraud through another channel;
  • an increase in the volume of fraud and skimming through ATMs (fake ATMs, overlay keyboards / micro cameras / dispensers, malware, the Lebanese loop, exploitation of technical problems on the side of the servicing bank / ATM, information leakage from the PC, shoulder surfing, etc.). According to EAST (European ATM Security Team), the amount of skimming via ATMs in Europe in 2008 increased by 43% (!);
  • about 80% of all card fraud consists of online transactions. This is due to the desire of fraudsters to quickly empty the cardholder's account (for this they use large-value transactions performed in real time), and it means that the online nature of transaction processing is not an effective means of combating fraud when magnetic stripe card technology is used;
  • credit cards (more precisely, Pay Later cards) are the main target of fraudsters. Special attention is paid to "gold", "platinum" and other privileged cards. The data in the table below shows that the rate of fraud on credit cards is about four times higher than on debit cards;

Product      | Fraud, % | Sales, % | F / S, %
Credit cards | 85       | 58       | 0.12
Debit cards  | 15       | 42       | 0.03

• payment systems divide the area of their presence into geographic regions, national markets within which have common features, if only because of their geographic and cultural proximity. It turns out that the domestic level of fraud is the lowest, and the interregional one is the highest. The data below illustrates what has been said. For EMV regions, there is a migration of fraud towards interregional operations: in the UK, over the three years from 2006 to 2008, foreign fraud grew by 250%! The source of the fraud is the cloning of a magnetic stripe and PIN-code of an English bank card and the use of a counterfeit card made on "white" plastic, for example, in Malaysia or Thailand (countries with a very high level of fraud on the part of card servicing).

Distribution of sales volumes by traffic type

Domestic operations | Intra-regional operations | Inter-regional operations
96%                 | 3%                        | 1%

Distribution of fraud volumes by traffic type

Domestic operations | Intra-regional operations | Inter-regional operations
70%                 | 21%                       | 9%

Distribution of F / S by type of traffic with an average level of fraud of 7-10 bp

Domestic operations | Intra-regional operations | Inter-regional operations
5-7 bp              | 50-70 bp                  | 60-90 bp
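The two calculations behind the figures above, the cardholder exposure P_F = 1 - (1 - p)^N from Section 1.5.1 and the F / S of a segment derived from its shares of fraud and sales (which is how the per-product and per-traffic-type F / S values in the tables relate to the average level), carried through as an added worked example; this is not code from the original post, and the function and class names are this example's own.

```python
"""Fraud-exposure arithmetic from Section 1.5.1 (added worked example,
not code from the original post). It reproduces two calculations the
text states only as results:

  * P_F = 1 - (1 - p)^N, the probability that a cardholder, or anyone
    in a circle of cardholders, is hit by at least one fraudulent
    transaction over N card payments;
  * the F/S rate of a segment (card product or traffic type) derived
    from its share of fraud and share of sales at a given average F/S.

Input figures are the ones quoted in the text; function and class
names are this example's own.
"""
from dataclasses import dataclass


def bp_to_probability(fraud_level_bp):
    """One basis point is 0.01% of turnover, so 10 bp -> p = 0.001."""
    return fraud_level_bp / 10_000.0


def prob_at_least_one_fraud(p, n):
    """P_F = 1 - (1 - p)^N for N independent transactions, each
    fraudulent with probability p. Like the text, this treats every
    transaction as an independent trial, which overstates the risk
    (one compromised card usually yields several fraudulent
    transactions), so it is an upper-bound illustration."""
    if not 0.0 <= p <= 1.0 or n < 0:
        raise ValueError("p must lie in [0, 1] and n must be >= 0")
    return 1.0 - (1.0 - p) ** n


def circle_exposure(fraud_level_bp, tx_per_year, years, circle_size=1):
    """Probability that at least one of `circle_size` cardholders, each
    making `tx_per_year` card payments for `years` years, suffers fraud."""
    n = tx_per_year * years * circle_size
    return prob_at_least_one_fraud(bp_to_probability(fraud_level_bp), n)


@dataclass(frozen=True)
class Segment:
    """A slice of the portfolio with its share of fraud and of sales (%)."""
    name: str
    fraud_share: float
    sales_share: float

    def fs_bp(self, average_fs_bp):
        """F_seg / S_seg = (F * fraud_share) / (S * sales_share)
        = average F/S * fraud_share / sales_share."""
        if self.sales_share <= 0:
            raise ValueError(f"{self.name}: sales share must be positive")
        return average_fs_bp * self.fraud_share / self.sales_share


def check_shares(segments):
    """The shares of a partition must each add up to 100%."""
    fraud = sum(s.fraud_share for s in segments)
    sales = sum(s.sales_share for s in segments)
    if abs(fraud - 100) > 1e-9 or abs(sales - 100) > 1e-9:
        raise ValueError(f"shares sum to {fraud}% fraud / {sales}% sales")


def fs_range(segments, low_bp, high_bp):
    """F/S of every segment, in bp, for a band of average fraud levels."""
    check_shares(segments)
    return {s.name: (round(s.fs_bp(low_bp), 1), round(s.fs_bp(high_bp), 1))
            for s in segments}


# Figures from the two tables in the text.
CARD_PRODUCTS = [Segment("Credit cards", 85, 58), Segment("Debit cards", 15, 42)]
TRAFFIC_TYPES = [Segment("Domestic", 70, 96),
                 Segment("Intra-regional", 21, 3),
                 Segment("Inter-regional", 9, 1)]


if __name__ == "__main__":
    # 40 payments a year for 10 years at 10 bp: alone, then a circle of 10
    print(round(circle_exposure(10, 40, 10), 2))        # 0.33
    print(round(circle_exposure(10, 40, 10, 10), 3))    # 0.982
    print(fs_range(TRAFFIC_TYPES, 7, 10))  # 5.1-7.3 / 49-70 / 63-90 bp
    print(fs_range(CARD_PRODUCTS, 8.5, 8.5))  # 12.5 bp vs 3.0 bp, i.e. ~0.12% vs 0.03%
```

The credit/debit ratio comes out at about 4.1 regardless of the average level, which is the "four times higher" the text quotes.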


1.5.2. The main types of fraud
As noted at the beginning of Section 1.5, it is customary to divide fraud into two groups: fraud on the part of card issuance and fraud on the part of card servicing. The main types of fraud of the first group (on the issue side):
  • stolen / lost cards (Lost / Stolen Cards or L / S);
  • not received cards (Not Received Items, NRI);
  • counterfeit cards (Counterfeit);
  • Card Not Present fraud (CNP fraud);
  • cards obtained by fraudsters using stolen documents / personal data (ID Theft).

Stolen / Lost Cards

The oldest and most natural type of fraud: people have lost, are losing and will continue to lose cards. Sometimes cards are stolen. In Russia, according to the National Agency for Financial Research (NAFI), about 19.8% of cardholders have lost a card at some point. Time passes between the loss and the detection of the loss and blocking of the card in the system, and this window is used by the fraudsters who have the card in their hands.

Until the bank is informed about the loss of the card, as a result of which the issuer blocks the card, the cardholder is usually responsible for this type of fraud.

For a long time, this type of fraud was one of the most popular: in the mid-90s it accounted for about 50% of fraud, and at the very beginning of this century - 25-30% of all fraud. In 2007 in Europe, according to the leading payment systems, lost / stolen cards accounted for 14-16% of all card fraud, and this share continued to decline with the expansion of migration to Chip & PIN technology. According to MasterCard data for the second quarter of 2009, lost / stolen cards accounted for 12.16% of all card fraud in Europe and 19.14% globally.

In the UK, due to the almost universal introduction of the Chip & PIN program, the share of this type of fraud fell from 27.7% in 2001 (before the introduction of Chip & PIN) to 10.5% in 2007. At the same time, the level of Lost / Stolen Cards fraud fell by more than four times, from 5.07 bp to 1.24 bp (the level of fraud is calculated from the total turnover of plastic cards)!

Unreceived cards

Cards stolen during their transfer from the bank to the client. All responsibility for fraud in this case lies with the issuer. According to leading payment systems, this type of fraud accounts for 1-3% of all fraud. In particular, according to MasterCard data for the second quarter of 2009, unreceived cards accounted for 1.1% of all card fraud in Europe and 2.33% in the world.

In the UK, due to the introduction of the Chip & PIN program, the share of this type of fraud in the period from 2006 to 2008 did not exceed 2%.

Fake cards

Fraudsters make a fake card, personalized on the basis of previously stolen details of a real card (usually the contents of a magnetic strip of a card are stolen) and perform transactions with a counterfeit card, passing it off as a real card.

Card counterfeiting began with the technique of cutting out the embossed digits of the card number and rearranging them on the card panel. Later, re-embossing of the card number came into practice. With the advent and spread of electronic terminals, skimming, i.e. copying the magnetic stripe data of a real card, has become the main method of forging cards. The copied data is later written onto another card, which fraudsters make from blank cards obtained in various ways (bonus cards of various retail chains, real bank cards with a re-encoded magnetic stripe, white plastic printed on a printer, blanks stolen from factories and banks).

Scammers get real card data using:
  • unscrupulous store staff who, unnoticed by the cardholder, copy the contents of the card's magnetic track using a special device (skimmer) equipped with a magnetic stripe reader and capable of storing the data of several dozen cards;
  • ATM skimming (a patch reader and patch keyboard / miniature video cameras are used, or a malicious program installed in the ATM software that stores magnetic stripe data and PIN-code values);
  • skimming at POS-terminals;
  • theft of data from the database of processing centers and trade enterprises;
  • interception of data during its transmission via communication channels;
  • virus attacks to steal personal data (spyware, Trojans, worms);
  • phishing and vishing, used by fraudsters to extract personal information from bank customers.

Until recently (as of 2004), counterfeit cards were the most widespread type of fraud. In Europe, they accounted for 35-37% of all fraud. Due to the migration to microprocessor cards, the level of this fraud dropped and it ceded leadership to Card Not Present fraud. According to MasterCard data for the second quarter of 2009, counterfeit cards accounted for 33.14% of all card fraud in Europe and 36.3% globally.

In the UK, according to 2008 data, counterfeit cards accounted for about 27% of all fraud.

In connection with the migration to the chip, the use of counterfeit cards (especially European cards) is clearly growing faster at ATMs than at POS terminals. Since many countries are migrating under the Chip & PIN program, it has become easier to copy the magnetic stripe data together with the PIN code and then use this data to issue cards on "white" plastic.

Card Not Present Fraud

There are three main types of CNP transactions: Mail Order / Telephone Order (MO / TO) transactions, e-commerce (EC) transactions and recurring payments (the cardholder enters into an agreement with the merchant for regular periodic direct debit of funds from his account, using a plastic card, for goods or services received from the merchant).

EC transactions account for about 60% of the total CNP fraud, MO / TO transactions - 30%, recurrent payments - the remaining 10%.

The growth rate of EC volumes in the world at the beginning of the new millennium is about 25% per year, in Europe - 40% per year. It is expected that by 2011 the volume of B2C in the world will reach 407 billion euros.

Since 2006, the EC market in Russia has been increasing annually by an average of 30%. According to the National Association of Electronic Commerce Participants (NAUET), the market volume in 2007 was $ 7.9 billion. According to NAUET estimates, in 2008 it exceeded $ 11 billion. The main market share in Russia is traditionally in the B2C sector. The B2G (Business-to-Government) sector, which reflects transactions for the fulfillment of government orders, has been growing since 2006 at a rate of only about 4% per year.

Experts associate further development of the Russian EC market with the development of the B2B segment. According to NAUET, its volume in 2007 increased by 32% compared to 2006 and amounted to almost $ 2.3 billion.

The dynamics of EC growth in Russia (turnover expressed in millions of dollars) is shown in the table below.

Sectors / years | 2003  | 2004 | 2005 | 2006 | 2007
B2C             | 480.4 | 662  | 1020 | 2085 | 3250
B2B             | 316.2 | 442  | 1300 | 1723 | 2288
B2G             | 141   | 2130 | 2174 | 2270 | 2368
Total           | 937.6 | 3234 | 4494 | 6078 | 7906

In Europe, the growth rate of fraud in EC is about 20% per year.

According to MasterCard data for the second quarter of 2009, CNP fraud accounted for 49.75% of all card fraud in Europe and 38.36% globally.

In Great Britain, CNP fraud increased from 23.26% of all fraud in 2001 to 54.28% in 2007. At the same time, the level of CNP fraud over the same period increased from 4.256 bp to 6.4 bp, i.e. by a factor of 1.5 (the level of fraud is calculated from the total turnover of plastic cards).

The European e-commerce fraud rate in 2008 was approximately 40 basis points (calculated from e-commerce turnover only).

To commit fraud in the case of a CNP transaction, it is enough to know the simplest card details: the card number, its expiration date and, possibly, the CVC2 / CVV2 value. Therefore, all CNP transactions are necessarily carried out in real time, and the payment systems place the responsibility for fraudulent transactions of this kind on the servicing banks. The exception is the case when servicing banks and their online stores use the secure EC protocol known as 3D Secure, used in the leading payment systems under the MasterCard SecureCode and Verified by VISA brands.


According to MasterCard, in 2008 in Europe approximately 40% of all EC transactions were made at online stores supporting the 3D Secure protocol. In 60% of these operations the cardholder was actually authenticated (Full Authentication).

Cards obtained from stolen documents or personal data (ID Theft)

To implement this type of fraud, two schemes are mainly used: fraudulent applications and account takeover.

Fraudulent Applications: A fraudster uses someone else's ID (found / stolen / forged) to apply for a credit bank card with an address where the card can be easily and safely received.

Account Takeover: the fraudster obtains the card / account details, for example from the cardholder's bank statements that have come into his possession, then calls the bank and reports a change of address, and a little later requests a new card to be delivered to the "new" address.

In 2007, ID Theft accounted for about 4% of all fraud. According to MasterCard for the second quarter of 2009, ID Theft accounted for 3.74% of all card fraud in Europe and 3.77% globally.

The growth rate of ID Theft in the UK in 2008 was 39% (47.4 million pounds, or 7.77% of all fraud)!

ATM fraud

Transactions through ATMs have traditionally been characterized by increased security, since their authorization is carried out by the issuer online with the obligatory verification of the personal identifier (PIN) of the cardholder. The fact of increased security of transactions through ATMs was also confirmed by statistics - the volume of fraud through ATMs was an order of magnitude less than the same indicator for trade.

However, since the turn of the millennium, ATM fraud has grown rapidly. In 2004, the losses of UK banks alone from ATM fraud amounted to £75 million (about 15% of all card fraud in the country). According to the European ATM Security Team, in 2008 the losses of European issuers from ATM skimming alone amounted to 485 million euros!

ATM fraud is not an independent type of fraud and is considered separately here due to the specifics of its implementation. The ATM fraud cases discussed below usually fall into one of two types - fake cards or stolen cards.

Most of the ATM fraud is of the “counterfeit card” type. In connection with the migration to a chip, there is a clear increase in the use of counterfeit cards (especially in EMV regions) at ATMs instead of POS terminals. This trend (migration of “fake card” fraud from POS terminals to ATMs) is a major driver of the rise in ATM fraud.

Until recently, several ways of using an ATM to commit fraud have been known. Let us briefly describe them.

1. Unfortunately, despite numerous warnings, many cardholders still write their PIN on the card. According to information published by the British Association for Payment Clearing Services (APACS) in 2006, 8% of UK cardholders cannot remember their PIN and therefore write it down. According to a sociological survey by NAFI, 11.6% of Russians keep their PIN code together with their card. In Moscow, this figure is 13.8%. Obviously, in the event of theft / loss of the card, the thief has everything required to commit fraud: both the card and the PIN code.

This type of ATM fraud is obviously a “stolen card” type.

2. Another type of ATM fraud is so-called "friendly" fraud. Its essence is that the card, together with its PIN code, was once given to a family member or friend to perform an operation at an ATM. Later, the same card was used at an ATM without the authorization of its holder.

Obviously, this type of ATM fraud is a “stolen card” type.

3. "Looking over the shoulder." A person standing behind the cardholder can spy on the PIN-code value entered by him. After the fraudster receives the PIN-code value, the card can either be stolen from its holder, or when using the card, an unauthorized copy of its magnetic stripe can be made in order to produce a fake card later (it can be made on "white plastic").

This type of ATM fraud is referred to as “counterfeit cards”.

4. The Lebanese Loop. An almost circus-like method of fraud, in which an unsuspecting cardholder inserts his card into an ATM previously "prepared" by a fraudster. The "preparation" of the ATM consisted of inserting a strip of photographic film into the slot of the ATM card reader, with its ends imperceptibly fixed on the outside of the ATM. After the operation, the film did not allow the card to exit the card reader. The fraudster was nearby and offered his help to the cardholder. He recommended re-entering the PIN code, and when this did not work, entered it himself from the holder's words, claiming that he had seen such cases before and that the card would leave the ATM when the PIN code was re-entered. The card, of course, did not return, and the fraudster advised its holder to come to the bank the next day (the fraud was carried out at hours when the bank branch was no longer open), when the card would certainly be returned to him. After the cardholder left, the fraudster removed the film together with the card from the ATM and emptied the cardholder's account.

This type of ATM fraud is referred to as “stolen cards”.

5. Counterfeit ATMs. Fraudsters used specially made devices that emulate ATMs and are designed to read information about the magnetic stripe of the card and the PIN-code of its holder.

This type of ATM fraud is referred to as “counterfeit cards”.

6. ATM skimming. Recently, fraudsters have been actively using additional equipment installed on ATMs to carry out fraud. Such equipment includes a patch card reader and a microcamera. Sometimes an overhead keyboard is used instead of a micro camera.

A patch card reader is a device that is attached on top of the ATM card reader and is used to read information from the magnetic stripe of the card. It is invisible to a cardholder who is not familiar with the details of how ATMs look, and is able either to store the magnetic stripe information it reads or to transmit it to fraudsters via a radio channel (for example, via a GSM channel).

A microcamera is an optical camera installed next to the ATM and directed at the ATM keyboard in order to record the sequence of numbers entered by the customer when dialing the PIN-code.

An alternative to a microcamera is a keyboard overlaid on top of a conventional ATM keyboard and memorizing or transmitting via a radio channel the values of the entered PIN codes.

Thus, with the help of additional equipment, fraudsters receive all the information they need to carry out fraud: magnetic stripe data and the value of the PIN code. With this data, the fraudster is able to personalize the so-called “white plastic” (a card blank that does not contain any design elements of a regular card on its surface) and use it to withdraw cash from the account of an unsuspecting holder of a compromised card.

Recently, scammers have come up with an alternative to the overlay keyboard and reader: malware installed by fraudsters, without authorization, in the ATM software. This malicious program copies and stores the magnetic stripe data and in some cases (with the appropriate configuration of the ATM EPP keyboard) also saves the PIN codes of cardholders.

This type of ATM fraud is referred to as “counterfeit cards”.

There are other types of ATM fraud that use the specifics of ATM operation:
  • changing, in the processing center, the denomination assigned to the cassettes and / or the currency exchange rate for client accounts;
  • installation of an overlay on the window for issuing currency in order to delay it with subsequent extraction by fraudsters (Cash Trapping);
  • "pinching", when a fraudster does not take the entire amount from the ATM tray, and the ATM, having discovered this fact, returns the entire amount intended for issuance to the fraudster's account, etc.

Let us now give the main types of fraud of the second group (on the part of a merchant):
  • re-entry of the operation (Multiple Imprints, Electronic Data Capture Fraud, including PAN Key Entry transactions);
  • changing the contents of the slip (Altered Sales Drafts);
  • interception of the store account (Account Takeover);
  • use of reports of a legally existing commercial enterprise (Laundering).

Repeating Slips (Multiple Imprints) and / or changing the content of the slips (Altered Sales Drafts)

Unscrupulous employees of a trade enterprise make more than one card imprint on the imprinter, using them later to generate new payment documents, or change the value of the transaction size after the client has signed the slip.

Electronic Data Capture Fraud

The electronic version of the Multiple Imprints fraud, in which an electronic copy of the transaction obtained using a POS terminal is used instead of card imprints. The PAN Key Entry method is especially widespread: in it, the magnetic track information of the card is not provided in the authorization request to the issuer (only the card number, its expiration date and, possibly, the CVV2 / CVC2 value are presented).

Account interception

Merchant Account Takeover. Fraudsters have all the necessary details of the store (name, names of managers, Merchant ID, etc.) and, possibly, sales slips. They then send a letter or make a call to the bank notifying it of a change in the store's current account. As a result, reimbursements for transactions performed at a real merchant go to the accounts of the fraudsters. According to VISA, the average bank losses from such fraud are approximately $ 100,000.

Using the reporting of a legally existing commercial enterprise (Laundering)

In this case, store A, which accepts cards of a certain payment system, gives store B, which has no agreement with any bank to accept cards of this payment system, the opportunity to accept them, usually for a certain percentage. If B is a fraudster, then after some time A is left alone with the chargebacks (refused payments) for operations allegedly made in store B. According to VISA, the losses of store A are on average about $ 500,000.

1.5.3. Protection methods in terms of certain types of fraud

Countering card fraud is the subject of a separate discussion and another book. The purpose of this section is to show the reader that magnetic stripe card technology has largely exhausted its potential in terms of protecting card transactions. Despite the variety of methods used by banks to protect transactions with magnetic stripe cards, there is no effective universal approach.

The system for protecting the issuer of magnetic stripe cards from card fraud uses the following elements:
  • the card issuance policy approved by the bank's management. The issuance policy should define the card products offered by the bank, their consumers and acceptable risks, the procedures for processing customer applications, delivering and issuing cards to the bank's customers, the hardware, software and systems for protecting the bank from fraud, the distribution of responsibility between the bank's divisions, and the actions of the bank's personnel and managers if an attack is detected;
  • approved procedures for receiving / processing customer applications (Application Processing), delivery and issuance of cards and PIN-envelopes to bank customers, card re-issue, destruction of unclaimed cards;
  • secure personalization of cards;
  • installation of the necessary checks of the parameters of the card, its holder and operations in the bank's transaction authorization systems;
  • blocking and re-issuance of compromised bank cards;
  • use of modern technological solutions to improve the reliability of the cardholder authentication procedure: microprocessor cards, two-factor cardholder authentication (card and PIN code), the 3D Secure protocol on the side of the cardholder and its issuer;
  • transaction monitoring systems, which allow to identify transactions suspicious from the point of view of card fraud;
  • SMS-notification of the cardholder about transactions performed on his account;
  • using the functionality of the mobile bank, which allows unblocking the card before performing a card transaction and re-blocking it after using the card. This mechanism is an extremely effective means of combating card fraud and has not yet been adequately appreciated by the banking community. At the same time, it should be recognized that the mass introduction of a mobile bank is still far away and it will take a long time before this protection mechanism becomes popular;
  • providing the payment system with reports on cases of fraud with bank cards;
  • training of bank employees on the topic of card security;
  • work with bank clients;
  • insurance of funds of cardholders.
The work of servicing banks with merchants is also of great importance in the fight against fraud.

Let's consider how the listed elements of bank protection help to cope with card fraud.

Stolen / Lost Cards

To combat this type of fraud, the following security elements are used:
  • blocking of a stolen / lost card in the issuer's system with the issuance of a response code to an authorization request for the need to seize the card; this method is effective for debit cards, transactions on which take place in real time;
  • inclusion of a stolen / lost card in the stop lists of the payment system and the system of backup authorization of the payment system; this method is only needed if the stolen card is a credit card and it can be used for offline authorization;
  • placing a photograph of its holder on the reverse side of the bank's cards; this element of protection is based on the use of a psychological factor - a fraudster experiences discomfort when handling such a card in a trading enterprise, realizing that the cashier, in the most favorable case for the fraudster, may ask why someone else's photo is placed on the card;
  • the use of transaction monitoring tools that allow you to determine the change in the "pattern" of transactions on the cards of the affected client (in order to bypass the possible means of the issuer's fight against the theft of the card, the fraudster tries to use the card as soon as possible and withdraw the funds on it) and contact the client for clarification about the reasons for the changes that have occurred;
  • SMS-notification of the cardholder about transactions performed on his account;
  • more intensive use of online authorizations (for example, using the corresponding service code for some of the bank's card products);
  • using the functionality of the mobile bank, which allows you to unblock the card before performing a card transaction and re-block it after the transaction.
Obviously, all of the above methods, even taken together, do not provide a 100% guarantee that fraud will be avoided. This is because some operations can be performed offline, and because several days pass from the moment this type of fraud is detected until the moment some protection elements are "turned on" (for example, the card is included in the stop lists), which is often enough to empty a stolen / lost card.

Unreceived cards

To combat this type of fraud, the following security elements are used:

  • issue of cards in a blocked state with the status of a new card (New Card) and their unblocking by clients either at branches and ATMs using a special unblocking operation that requires the client to know the PIN code, or by a phone call to the bank using a code word (for example, the mother's maiden name). If an attempt is made to use a blocked card, the card issuer returns a response code requiring the card to be captured;
  • issuing cards through the branches closest to the client (reduces the likelihood of intercepting the card on the way to the client);
  • use of specialized courier services instead of regular mail;
  • inclusion of the unreceived card in the stop-lists; this method is used only for credit cards, which can be used for offline authorization of the transaction;
  • placing a photograph of its holder on the reverse side of the card;
  • use of transaction monitoring tools;
  • SMS-notification of the cardholder about transactions performed on his account;
  • using the functionality of the mobile bank, which allows you to unblock the card before performing a card transaction and re-block it after the transaction is completed;
  • more intensive use of online authorizations.
Issuing cards in a blocked form and using the functionality of a mobile bank to block / unblock a card are the most effective methods of combating this type of fraud.

Fake cards

There are two ways to counterfeit cards. The first is for fraudsters to select a set of card details that matches the details of one of the cards issued by the bank. Such a set can consist of the card number, its validity period and the CVC / CVV and CVC2 / CVV2 values. In this case, the following protection elements are effective:
  • generation of card numbers according to a random law;
  • extended check of the card validity period;
  • checking the CVV / CVC and CVV2 / CVC2 values in the issuer's system.
Let us explain the meaning of these elements of protection. The usual card validity check compares the expiration date recorded on the magnetic stripe or embossed on the front of the card with the current date. In the extended check, in addition to the usual comparison with the current date, the expiration date value is checked for equality with the card's expiration date in the database of the bank's processing center. Thus, the fraudster needs to guess the exact value of the card expiration date. Since a card is usually issued for a period of two years, the probability of choosing the exact value of its validity period is 1/24.

Generation of random card numbers allows you to protect the issuer from the selection of the correct card number by a fraudster. Usually the card number consists of 16 digits, of which the first 6-8 are the card prefix used to identify the bank and its branch. The last digit of the card number is a function of the first 15 digits (calculated according to the Luhn Check Parity rule). Therefore, at least seven independent digits of the card number remain, the use of which allows the bank to issue up to 10 million cards.

This range of cards can be filled with any predetermined maximum filling density X <1. The filling density is the ratio of the number of issued cards to the entire range of possible values of card numbers (10 million cards). If, in this case, the card numbers are generated according to a random law, then the probability that a fraudster, choosing at random some card number, will guess it, does not exceed the maximum filling density of the range of card numbers. Obviously, this increases the overhead of implementing fraud, thereby reducing the attractiveness of this type of fraud.

Indeed, in order to guess a correct card number with probability $P_0$, the fraudster needs to go through $m$ values of the card number, where $m$ is determined by the equality:

$$m = \frac{\ln(1 - P_0)}{\ln(1 - X)}.$$

In the last equality, $\ln z$ denotes the natural logarithm of a positive number $z$. Since $\ln(1 - X) \approx -X$ holds for values $X < 0.1$, at $P_0 = 0.9$ we have the approximate equality:

$$m \approx \frac{4.605}{X}.$$


To determine whether the selected card number is correct, the fraudster additionally needs to enumerate, for that number, all possible values of the card expiration date and of the CVV / CVC or CVV2 / CVC2 values (depending on how the fake card is planned to be used: for purchases in regular stores or for performing CNP transactions).

It is easy to show that the combination of generating random card numbers, checking the CVV / CVC and CVV2 / CVC2 values, and the extended verification of the card's expiration date requires a fraudster who does not know the details of the issuer's cards to enumerate on average about n = 24 · 1000 / X different combinations of card details in order to succeed, i.e. to hit on the details of a card issued by the bank. With X = 1, 24,000 different values must be enumerated, and with X = 1/10, on average 240,000.

This makes attempts to select correct card details practically uninteresting for a fraudster: the cost of the selection turns out to be higher than the average potential gain.
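The issuer-side part of this argument, as an added example that is not from the book: random assignment of the seven free PAN digits behind an 8-digit prefix (a constructed placeholder prefix), the Luhn check digit, the filling density X, and the guess counts m = ln(1 - P0) / ln(1 - X) and n = 24 · 1000 / X from the text. Note that 4.605 = -ln 0.01, so the approximation 4.605 / X corresponds to P0 = 0.99; the function takes P0 as a parameter so both cases can be compared.

```python
import math
import secrets

# Constructed values for this example (not from the page): an 8-digit issuer
# prefix leaves 16 - 8 - 1 = 7 free digits, i.e. a range of 10 million PANs.
PREFIX = "40000012"   # placeholder bank/branch prefix
PAN_LENGTH = 16
FREE_DIGITS = PAN_LENGTH - len(PREFIX) - 1
RANGE_SIZE = 10 ** FREE_DIGITS


def luhn_check_digit(partial: str) -> str:
    """Luhn check digit for the digits that precede it."""
    total = 0
    # Walk from the right: the digit next to the check digit is doubled.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True if the last digit of `pan` is the Luhn digit of the rest."""
    return pan.isdigit() and len(pan) > 1 and luhn_check_digit(pan[:-1]) == pan[-1]


def issue_pans(count: int) -> set[str]:
    """Issue `count` distinct PANs whose free digits are drawn uniformly at random.

    Random (rather than sequential) assignment is what keeps a guesser's
    per-attempt success probability down at the filling density X.
    """
    if count > RANGE_SIZE:
        raise ValueError("PAN range exhausted")
    issued: set[str] = set()
    while len(issued) < count:
        body = PREFIX + str(secrets.randbelow(RANGE_SIZE)).zfill(FREE_DIGITS)
        issued.add(body + luhn_check_digit(body))
    return issued


def filling_density(issued: set[str]) -> float:
    """X = number of issued cards / size of the PAN range."""
    return len(issued) / RANGE_SIZE


def guesses_for_success(p0: float, density: float) -> float:
    """m such that 1 - (1 - X)^m = P0, i.e. m = ln(1 - P0) / ln(1 - X)."""
    return math.log(1 - p0) / math.log(1 - density)


def guesses_approx(p0: float, density: float) -> float:
    """Same quantity with ln(1 - X) ~ -X, valid for small X."""
    return -math.log(1 - p0) / density


def detail_combinations(density: float, expiry_months: int = 24,
                        cvv_values: int = 1000) -> float:
    """Average number of (PAN, expiry, CVV) combinations to try when the issuer
    also applies the extended expiry check and the CVV check: n = 24 * 1000 / X."""
    return expiry_months * cvv_values / density


def simulated_hit_rate(issued: set[str], trials: int) -> float:
    """Empirical check that uniformly random guesses hit issued PANs at rate ~X."""
    hits = 0
    for _ in range(trials):
        body = PREFIX + str(secrets.randbelow(RANGE_SIZE)).zfill(FREE_DIGITS)
        if body + luhn_check_digit(body) in issued:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    cards = issue_pans(1000)
    x = filling_density(cards)
    print(f"X = {x:g}, m(P0=0.9) = {guesses_for_success(0.9, x):.0f}, "
          f"n = {detail_combinations(x):.0f}")
```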

Now the most widespread other approach to creating counterfeit cards is based on skimming - fraudsters steal the magnetic stripe data of a real card during an operation using this card. In this case, the security elements of the issuer include:
  • checking the correspondence of the bank name and the card prefix (for example, using the VISA Interchange Directory for VISA cards). Fraudsters use the information about the card available to them and the blank cards at their disposal, so such verification can be effective;
  • support for stop lists of names of “holders” of fake cards. Experience shows that fraudsters use a very limited set of such names, so an additional comparison is advisable for the coincidence of the holder's name on the card with the names from the stop list;
  • means of monitoring transactions;
  • SMS-notification of the cardholder about transactions performed on his account;
  • using the functionality of the mobile bank, which allows you to unblock the card before performing a card transaction and re-block it after the transaction is completed;
  • training of the personnel of the trade enterprise on the issues of security when accepting cards;
  • training of cardholders: any information about a card is valuable for fraudsters, therefore it is necessary to ensure the confidentiality of card details as much as possible; in particular, the card must not be left without personal control;
  • at the level of payment systems, determination of the points of compromise of card details (Common Purchase Point) and of the merchants using the stolen details (Collusive Merchants).
Let us dwell briefly on the training of the personnel of trade enterprises. From the point of view of security, the bank should conduct training of the personnel of the trading enterprise on the following issues:
  • how to determine if the merchant accepts the card presented for payment;
  • how to visually check the authenticity of the card;
  • how to verify the cardholder;
  • how to store and handle slips;
  • how to use the "Response Code 10" (a special response code used by the merchant to contact the card issuer in the event that the seller found the buyer suspicious);
  • how to react to the response "Capture the card" and what to do with the captured card.
Visual verification of the card's authenticity is very important for the security of the transaction. The analysis shows that in most cases of fraud associated with forgery of cards of the largest payment systems VISA and MasterCard, it would be possible to avoid if the merchant performed the following visual checks on the card:
  • presence on the card of four printed digits under / above the embossed card number, which coincide with the first digits of the card number;
  • presence of micro-printing "VISA" along the perimeter of the VISA card logo;
  • the presence of a dove on VISA cards and of the letters M and C on MasterCard cards that appear when the card is illuminated with ultraviolet light; this security element is no longer used on MasterCard cards;
  • when the hologram of a VISA card is tilted, a flying dove should appear, and on the hologram of a MasterCard card, the inscription "MasterCard";
  • comparison of the card number with the number printed on the terminal's receipt; in accordance with the recently adopted rules of payment systems, only the last digits of the card number should be printed on the check, therefore, the comparison of the card number values on the check and the card is reduced to comparing the last digits of the number;
  • the presence of embossed secret symbols on the card (flying letters V and M in the case of VISA and MasterCard, respectively). Today, the use of secret symbols is optional.
Unfortunately, skimming is an extremely effective way of counterfeiting cards, and magnetic stripe card technology cannot offer effective universal methods of dealing with it. The search for such methods has been undertaken by both leading payment systems. For example, under the supervision of MasterCard, MagnePrint technology was developed, the essence of which is as follows. The magnetic stripe of a card is made up of billions of tiny particles of a specific size and position, which create a unique natural noise when the magnetic stripe is read. This noise cannot be forged and is used by MagnePrint to authenticate the card. The noise is encoded into a 54-byte data element and stored in the issuer's system. MagTek has made card readers capable of "reading" the noise.

The weakness of MagnePrint technology is that the data element encoding the noise is static and does not depend on the specific operation. Therefore, it can be captured once and later used as a means of card authentication, for example, at retail outlets set up for fraudulent activity. In addition, the technology works only in the case of online authorization of the transaction.

Another possibility of using the magnetic stripe to combat counterfeit cards is the terminal recording on the third track of the magnetic stripe some control sequence, which depends on the dynamic card details and is formed using the issuer's key. Since the control sequence is changed by the terminal after each card operation, the theft of the current value of this sequence may give nothing to the fraudster, since at the moment the fraudster contacts the merchant with a fake card, the latter will form a control sequence for the already outdated card details.

To illustrate what has been said, we describe the following scheme. After the operation is completed, the terminal, which stores the issuer's symmetric key in its cryptographic module, calculates the card key using an algorithm known to it and with its help decrypts the current control sequence recorded on the third track of the card.

This sequence represents the number of the previous operation encrypted on the card key, and the card key is calculated from the issuer's key and the card number (when the card is issued, the issuer encrypts the zero transaction number). The current transaction number for this card is also stored in the issuer's system. After each transaction of non-cash settlements in a trade enterprise, this number is increased by one in the issuer's system.
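The track-3 scheme just described, simulated as an added example (not code from the book): the issuer keeps each card's transaction number, the on-us terminal derives the card key from the issuer key and the PAN, checks the control sequence on the card, authorizes online and rewrites track 3 with the next value. The issuer key and PAN are constructed placeholders, and, since the standard library has no block cipher, the control sequence is a keyed MAC over the counter (stored alongside it) rather than the counter encrypted under the card key; the replay and forgery outcomes are the same.

```python
import hashlib
import hmac

# Constructed demo values (not from the page): issuer master key and one PAN.
ISSUER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # placeholder
PAN = "4000001234567899"  # constructed card number


def derive_card_key(issuer_key: bytes, pan: str) -> bytes:
    """Card key as a function of the issuer key and the card number."""
    return hmac.new(issuer_key, pan.encode(), hashlib.sha256).digest()


def control_value(card_key: bytes, counter: int) -> bytes:
    """Control sequence for a transaction counter under the card key.

    Keyed-MAC stand-in for 'counter encrypted under the card key': without
    the card key nobody can produce a valid value for a counter they have not
    already seen on a genuine card.
    """
    return hmac.new(card_key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]


class Issuer:
    """Keeps the current transaction number of every card it issued."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.counters: dict[str, int] = {}

    def personalize(self, pan: str) -> dict:
        """Initial track-3 record: transaction number 0 and its control value."""
        self.counters[pan] = 0
        return {"counter": 0, "ctl": control_value(derive_card_key(self.key, pan), 0)}

    def authorize(self, pan: str, counter: int) -> bool:
        """Approve only if the counter read from the card matches, then advance it."""
        if self.counters.get(pan) != counter:
            return False
        self.counters[pan] = counter + 1
        return True


class Terminal:
    """On-us terminal: holds the issuer key in its cryptographic module."""

    def __init__(self, issuer_key: bytes, issuer: Issuer) -> None:
        self.issuer_key = issuer_key
        self.issuer = issuer

    def transact(self, pan: str, track3: dict) -> tuple[bool, dict]:
        """Verify the card's control value, authorize online, rewrite track 3.

        Returns (approved, track3_after); a declined card keeps its old record.
        """
        card_key = derive_card_key(self.issuer_key, pan)
        if not hmac.compare_digest(track3["ctl"], control_value(card_key, track3["counter"])):
            return False, track3  # record was not produced with the card key
        if not self.issuer.authorize(pan, track3["counter"]):
            return False, track3  # stale counter: a replayed (skimmed) record
        nxt = track3["counter"] + 1
        return True, {"counter": nxt, "ctl": control_value(card_key, nxt)}


def replay_after_genuine_use() -> tuple[bool, bool, bool]:
    """Track 3 is copied, the genuine card is used twice, then the copy is presented."""
    issuer = Issuer(ISSUER_KEY)
    term = Terminal(ISSUER_KEY, issuer)
    track3 = issuer.personalize(PAN)
    skimmed = dict(track3)  # exact copy of the record at skimming time
    ok1, track3 = term.transact(PAN, track3)
    ok2, track3 = term.transact(PAN, track3)
    ok_clone, _ = term.transact(PAN, skimmed)
    return ok1, ok2, ok_clone


def clone_used_first() -> tuple[bool, bool]:
    """The page's caveat: a copy used before the genuine card's next operation
    passes, and the genuine card is then declined, which is the issuer's signal
    that a copy exists."""
    issuer = Issuer(ISSUER_KEY)
    term = Terminal(ISSUER_KEY, issuer)
    track3 = issuer.personalize(PAN)
    skimmed = dict(track3)
    ok_clone, _ = term.transact(PAN, skimmed)
    ok_genuine, _ = term.transact(PAN, track3)
    return ok_clone, ok_genuine


def forged_record() -> bool:
    """A record with a guessed counter but no card key is rejected at the terminal."""
    issuer = Issuer(ISSUER_KEY)
    term = Terminal(ISSUER_KEY, issuer)
    issuer.personalize(PAN)
    ok, _ = term.transact(PAN, {"counter": 5, "ctl": bytes(8)})
    return ok
```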

When using symmetric encryption, the issuer key used to generate the control sequence must be stored both in the issuer's system and on the terminals that accept the issuer's cards. This circumstance narrows the field of application of the proposed approach to on-us transactions (those in which the servicing bank and the issuer coincide). To generalize the method to the case of using the card in the devices of another bank, asymmetric algorithms would have to be used. However, in this case the signature of the transaction number under the terminal's private key would have to be transferred to the issuer. Taking into account the size of reliable asymmetric keys (not less than 128 bytes), the proposed approach will increase the volume of data transmitted to the issuer, as well as the size of the control sequence,

The ability to write data to the magnetic stripe of the card is not a requirement for POS terminals. Therefore, the overwhelming majority of POS terminals cannot write data to the third track of the card's magnetic stripe. Accordingly, most POS vendors use cheaper swipe readers (the card is drawn through the reader by hand), which cannot write to a magnetic stripe.

Electronic Commerce (CNP)

Today the leading payment systems support only one secure e-commerce protocol - 3D Secure (in the VISA payment system this protocol is promoted under the Verified by VISA brand, and in the MasterCard system - under the MasterCard SecureCode brand). According to experts, the use of this protocol by merchants, servicing banks and card issuers will reduce fraud in e-commerce by about 80%, i.e. five times.

According to MasterCard, the level of fraud for EC transactions in 2008 performed in accordance with the 3D Secure protocol and with full cardholder authentication is 20 basis points, which is only half the average e-commerce fraud rate. The main reason for the unsuccessful launch of the 3D Secure protocol is the poorly organized procedure by which issuers register cardholders to use this protocol in CNP transactions. Weak client authentication during registration led to fraudsters being able to obtain the right (the secret password) to use the 3D Secure protocol.

Another reason for fraud in EC transactions using the 3D Secure protocol is the use of static passwords. Some methods of stealing static passwords will be described below (see section 6.1.3).

The maximum requirements of international payment systems for the security of EC transactions are formulated as follows:
  • mutual authentication of e-purchase participants (buyer, merchant and its servicing bank);
  • details of the payment card (card number, expiration date, CVC2 / CVV2, etc.) used in the EC transaction must be confidential with respect to the merchant;
  • impossibility of canceling the transaction for all participants in the e-commerce transaction.
Unfortunately, the first secure e-commerce protocol Secure Electronic Transaction (SET), which meets all of the above requirements, is no longer supported by payment systems today. This is due to the high cost and complexity of the SET protocol implementation.

To stimulate banks to implement the 3D Secure protocol, payment systems have introduced a liability shift, called the Merchant Only Liability Shift, according to which, if the merchant supports the 3D Secure protocol, responsibility for fraud in an EC transaction related to the cardholder's repudiation of a completed transaction is assigned to the issuer ... In the VISA payment system, the Merchant Only Liability Shift is global. In MasterCard, the Merchant Only Liability Shift applies to all regions and interregional operations except for the US market, where responsibility for the result of the operation returns to the issuer only if 3D Secure is supported by all participants in the EC transaction: the online store, the servicing bank and the issuing bank (so-called Full Authentication).

Recall that for CNP transactions without using a secure protocol, the service bank is liable for fraud. Thus, in the case of 3D Secure support by a merchant, the normal distribution of responsibility is restored, which is typical for all other types of payment transactions.

The 3D Secure protocol is inferior to the SET protocol in terms of the EC transaction protection it provides. In the general case, it provides neither authentication of the merchant to the cardholder nor confidentiality of the card details with respect to the merchant. At the same time, this protocol is much easier to implement, and the hardware and software solutions that implement 3D Secure are significantly cheaper than similar solutions for the SET protocol.

Most importantly, the 3D Secure protocol, if properly implemented, provides the required level of security for EC operations. It is expected that payment systems in the short term will take a number of steps to increase the impact of the use of this protocol. These steps include:
  • the introduction of a rule that an issuer wishing to service EC transactions must support 3D Secure and force its cardholders to use this protocol when making online purchases. This rule will make the 3D Secure protocol truly massive;
  • mandatory replacement of static passwords of cardholders with one-time dynamic passwords;
  • training banks in the procedures for implementing the 3D Secure protocol on their side.
Many servicing banks apply additional checks in their processing systems when processing EC transactions. These checks include:
  • verification of the cardholder's address (Address Verification System);
  • verification by the issuer of the CVV2 / CVC2 value printed on the back of the card;
  • verification of the age of the cardholder (Age Verification);
  • control of the number of transactions performed from a certain IP address (IP Address Frequency Check);
  • control of the number of transactions performed on the card within a certain period of time (Card Number Frequency Check);
  • checking for the coincidence of the country of the delivery address of the goods with the country of residence of the card issuer (Country Match). The country of which the bank is a resident is determined by the value of the bank identification number (Bank Identification Number, or BIN);
  • checking the IP address (or address range) from which the transaction was initiated for its presence in the black list (Block IP Address);
  • checking the location of the cardholder (by the IP address of his Internet provider) against the delivery geography of the goods (Geolocation);
  • screening out operations for some bank BINs (Block Bank BINs);
  • screening out transactions from anonymous proxy servers (Block Proxy);
  • screening out transactions that included email addresses from specific domains, such as domains that offer free email services;
  • checking the card number for its presence in the black list (Negative Database);
  • use of open resources that store blacklists of fraudulent card details (CyberSource Negative Database and Scoring System, SharedGlobal (First Data Merchant Services, USA) Negative Database and Scoring System), as well as authentication of the cardholder by his phone number (MyVirtualCard).
The first two checks in the above list are recommended to banks by the payment systems. VISA estimates that using the CVV2 check reduces the likelihood of CNP fraud by more than 60%. Payment systems have obliged issuers to check the CVC2 / CVV2 value if it is presented in an authorization request, and high-risk merchants (for example, online casinos) to include these cryptographic values in authorization requests.

Research by ClearCommerce (USA) on the effectiveness of the AVS system shows that only 40% of transactions pass this check, while the share of fraudulent transactions among them is less than one percent. At the same time, when AVS is used, 35% of fraudulent transactions successfully get past this protection.

In addition to the checks listed above, online stores sometimes pay attention to the following facts, which statistically increase the likelihood of fraud:
  • the customer is served in the store for the first time;
  • the size of the transaction is higher than the usual value for the store;
  • the order consists of a large number of identical items;
  • transactions are performed using cards with similar numbers;
  • the delivery address of the order is the same for purchases made with different cards;
  • several transactions on one card within a short period of time;
  • a transaction that the customer wants to pay for with more than one card.
The MO/TO (mail order / telephone order) store may have other reasons for doubt: the cardholder's hesitation in providing personal data, a demand that the order be urgent, a strange delivery address, the client's disinterest in the properties of the product (for example, its color), etc.

Another important aspect of the fraud problem for CNP transactions is the theft of card details from the servers of mainly online stores and the processing systems of banks and processors.

To ensure the protection of information on plastic cards in the systems of retail outlets, banks and processors, the leading payment systems require their banks to participate in the VISA Account Information Security (VISA AIS) and MasterCard Site Data Protection (SDP) programs. These programs are based on the PCI DSS standard (Payment Card Industry Data Security Standard), adopted in 2005. The standard defines the security requirements for the systems of a bank, processor, merchant, providing storage, transmission and processing of card information, including requirements for:
  1) building and maintaining the security of the network of the bank, processor or merchant (using specialized hardware and software for protecting network access (firewall));
  2) protection of cardholder data during storage and transmission over public networks;
  3) support in the bank, merchant or processing center of a vulnerability management program for application and system software (use and regular updates of anti-virus software, detection and elimination of vulnerabilities in the software used);
  4) implementation of measures to control physical and logical access to the hardware and software used for storing, processing and transmitting cardholder data;
  5) scanning and performing penetration tests of information systems that store and process cardholder data;
  6) the company's security policy, which should cover all PCI DSS requirements, contain a list of daily operating procedures aimed at improving system security, clearly assign responsibility for security issues between company employees, contain an emergency plan, etc.
Payment systems within the framework of their programs VISA AIS and MasterCard SDP also determine the requirements for the audit of information systems, as well as for conducting quarterly scanning of vulnerabilities in the networks of banks, processing companies and retail outlets.

In conclusion, it should be said that the problem of card fraud is urgent and threatens the existence of plastic cards as a business. The anti-fraud capabilities of magnetic stripe card technology are limited and have been largely depleted by now. A magnetic stripe card is only a carrier of a small amount of static information. Therefore, only the issuer and the servicing bank, which do not have their full-fledged representatives at the point of making a non-cash purchase, can counter fraud.

Even if there is an online authorization mode for all card transactions, the ability of the issuer and the servicing bank to maintain a high level of security is limited. In most cases, the issuer can only check the correctness of the static card data obtained during the processing of the transaction, and analyze how typical this operation is for a given client using the transaction monitoring program. The servicing bank is represented at the point of sale by the cashier of the merchant and cannot reliably control the correctness of the latter's actions when accepting cards.

Left outside these considerations is the cardholder, who, thanks to such rapidly developing service delivery channels as Internet banking and mobile banking, is also able to increase the security of transactions (blocking / unblocking an account or card, setting personal limits for card use, closer interaction with the issuer when traveling abroad, etc.). However, taking into account the low level of cardholders' knowledge of card technologies, as well as the carelessness inherent in human nature, it hardly makes sense to hope for a radical improvement in the situation due to efforts on their part.

Microprocessor cards, which will be discussed below, can radically increase the level of security of card transactions.

How to protect your card business?

Modern tools to prevent card fraud

BPC "Banking Technologies"

Preventive and drastic measures to protect against fraud

Despite all the measures taken by the participants in the global card market to combat fraud, today it still poses a serious threat to the stability of the electronic payments industry. The plastic card market in Russia has grown several times in recent years. As the volume of card issuance increases, so does the number of fraudulent transactions. At the same time, criminals are using increasingly sophisticated methods of stealing money: phishing and telephone fraud (vishing), interception of cards in the mail and skimming, Internet fraud and fake mail orders (card-not-present fraud). These and other methods of committing crimes are continuously refined alongside the improvement of methods for protecting cards and their holders.

In such conditions, the static (offline) models of combating fraud on the market have long lost their relevance: they detect illegal transactions after the fact and are not able to prevent theft of money. In this regard, market participants are increasingly interested in solutions that provide the ability to monitor transactions in real time. Such systems are certainly more efficient, as they provide banks with the necessary tools to detect and prevent fraudulent transactions during the authorization process, but at the same time, they are much more complex in terms of implementation and use.

Today, the most widespread are two types of online solutions - static and dynamic systems. The logic of the first type of solutions is based on the mechanism of filters, or templates, which allow you to track suspicious transactions according to certain criteria and block them. Despite the obvious advantages associated with ease of setup and high speed of operation, static systems do not allow you to quickly respond to changing trends in a criminal environment and timely implement filters to combat new types of fraud. Solutions of this type also require operator participation to analyze statistics on completed transactions, which is necessary for the development and implementation of new fraud prevention schemes.

Dynamic, or intelligent, systems allow building individual models of cardholder behavior based on the history of transactions for a specific card, group of cards or card product. These systems are self-learning and require a certain amount of time to accumulate statistics, at the same time they are the most effective in combating card fraud, as they allow for subtle analysis based on the individual behavior of the cardholder. Moreover, as statistics are replenished, the built models are constantly updated, which makes it possible to take into account both the peculiarities of the client's behavior and the changing situation on the market as a whole.

SmartVista Fraud Prevention & Monitoring - a comprehensive solution to the fraud problem

With the growth of the electronic payments industry and the volume of card issuance, banks' losses from fraud have become more tangible. Responding to these changes in time, BPC offered the market a specialised module for preventing fraudulent transactions, SmartVista Fraud Prevention & Monitoring, which combines the advantages of the two main approaches to building online anti-fraud systems. The solution is part of the SmartVista product line, a unified technology platform for plastic card processing, electronic payment processing and support for retail banking operations.

SmartVista Fraud Prevention & Monitoring provides the tools needed to monitor transactions online and prevent fraudulent ones, both on the basis of predefined rules and with an intelligent self-learning model. This gives both high performance and flexibility in a solution that can be deployed to match the needs of the business and the wishes of a wide variety of customers. SmartVista Fraud Prevention & Monitoring is tightly integrated with SmartVista Front-End, a high-performance transaction management solution, which lets both issuing and acquiring banks monitor transactions.

The models for detecting and blocking suspicious transactions that can be built with the SmartVista Fraud Prevention & Monitoring module are mechanisms of varying complexity, providing a range of functions from simple blocking of suspicious transactions by fixed parameters, through monitoring against specified rules, to fine-grained scoring with a behavioural model based on artificial neural network technology.


Mechanism for blocking fraudulent attacks

The mechanism for repelling fraudulent attacks implemented in the SmartVista Fraud Prevention & Monitoring module lets the issuing bank set transaction restrictions for individual cards, groups of cards or card products, and automatically blocks suspicious transactions during the authorization process. The system also has an "acquiring" component, which performs a preliminary analysis of the transaction and, if necessary, blocks it before the authorization request is sent to the issuer, which significantly reduces the number of chargebacks.

Restrictions on transactions are checked using transactional schemes, which can be flexibly linked to groups of cards united by some criterion. A transactional scheme is a set of positive and negative patterns, each containing a specific rule according to which a transaction is either rejected or accepted.

During the authorization process, the transactional scheme for the card and the type of verification are determined; the parameters of the authorization message are then matched against the scheme's patterns and a decision is made on whether the transaction may continue.

There are four main types of transactional scheme defining the verification mechanism: positive, negative, positive-negative and negative-positive, the latter two checking both negative and positive patterns in sequence. For some cards or card products verification may be skipped altogether, which is indicated by a special value in the transactional scheme.

Thus the transaction-limit mechanism lets issuing banks automatically verify and block transactions online according to defined rules, which significantly reduces the risk of losses from fraud. This scheme is especially effective in repelling mass fraudulent attacks originating from specific locations.
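The scheme types described above, as an added illustration in Python; this is not BPC's code or the SmartVista implementation. The pattern predicates, the binding of schemes to card products, the "no verification" value (`None`), the country codes and the rule that in a combined scheme the first match decides and the last list consulted sets the default when nothing matches are all assumptions made for the example.

```python
"""Transactional-scheme check during authorization (added illustration, not
BPC's code). Positive patterns accept, negative patterns reject; the scheme
type fixes which lists are consulted and in what order."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# A pattern is a named predicate over the fields of the authorization message.
Pattern = Callable[[dict], bool]


@dataclass
class TransactionalScheme:
    # scheme_type: "positive", "negative", "positive-negative",
    # "negative-positive", or None for "no verification" (the special value
    # the text mentions; representing it as None is an assumption).
    scheme_type: Optional[str]
    positive: Dict[str, Pattern] = field(default_factory=dict)
    negative: Dict[str, Pattern] = field(default_factory=dict)


def _first_match(patterns: Dict[str, Pattern], msg: dict) -> Optional[str]:
    """Name of the first pattern whose predicate holds for msg, else None."""
    for name, pred in patterns.items():
        if pred(msg):
            return name
    return None


def evaluate(scheme: TransactionalScheme, msg: dict) -> Tuple[str, str]:
    """Return ("accept"|"reject", reason) for one authorization message.

    Assumed semantics: combined schemes consult the lists in the order given
    by the name, the first match decides, and when nothing matches the last
    list consulted sets the default (a final positive list acts as a
    whitelist and rejects; a final negative list acts as a blacklist and
    accepts)."""
    if scheme.scheme_type is None:
        return "accept", "no verification configured"
    order = {
        "positive": ["positive"],
        "negative": ["negative"],
        "positive-negative": ["positive", "negative"],
        "negative-positive": ["negative", "positive"],
    }[scheme.scheme_type]
    for kind in order:
        hit = _first_match(getattr(scheme, kind), msg)
        if hit:
            return ("accept" if kind == "positive" else "reject", f"{kind}:{hit}")
    # Nothing matched: the default follows the last list consulted.
    if order[-1] == "positive":
        return "reject", "no positive match"
    return "accept", "no negative match"


# --- constructed sample configuration (assumptions) ------------------------
HOME_COUNTRY = "RU"               # issuer's domestic market
ATTACK_COUNTRIES = {"XX", "YY"}   # placeholder codes for a current attack wave

POSITIVE = {
    "domestic_pos": lambda m: m["country"] == HOME_COUNTRY and m["channel"] == "POS",
}
NEGATIVE = {
    # block ATM cash-outs from locations where a mass attack is under way
    "atm_from_attack_location": lambda m: m["country"] in ATTACK_COUNTRIES and m["channel"] == "ATM",
    "large_foreign_amount": lambda m: m["country"] != HOME_COUNTRY and m["amount"] > 1000,
}

# one scheme per card product (binding by product is an assumption)
SCHEMES_BY_PRODUCT = {
    "classic": TransactionalScheme("negative-positive", POSITIVE, NEGATIVE),
    "gold": TransactionalScheme("negative", negative=NEGATIVE),
    "corporate": TransactionalScheme(None),   # verification skipped
}


def decide(product: str, msg: dict) -> Tuple[str, str]:
    """Look up the scheme bound to the card's product and evaluate the message."""
    return evaluate(SCHEMES_BY_PRODUCT[product], msg)


# constructed authorization messages
DOMESTIC_POS = {"country": "RU", "channel": "POS", "amount": 50.0}
ATTACK_ATM = {"country": "XX", "channel": "ATM", "amount": 200.0}
FOREIGN_POS = {"country": "US", "channel": "POS", "amount": 30.0}

if __name__ == "__main__":
    for product, msg in [("classic", DOMESTIC_POS), ("classic", ATTACK_ATM),
                         ("classic", FOREIGN_POS), ("gold", FOREIGN_POS),
                         ("corporate", ATTACK_ATM)]:
        print(product, msg, "->", decide(product, msg))
```

Note how the same foreign POS purchase is rejected under the "classic" negative-positive scheme (no positive pattern covers it) but accepted under the "gold" negative-only scheme: the choice of scheme type, not just the pattern list, decides the default for unmatched traffic.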

Business rule model

The business-rule model allows online monitoring of transactions during authorization. The rules used for the check can be simple (for example, a Single Alert) or based on evaluating changes in transaction parameters against previous transactions on the same card, data about which the system collects as it operates. The length of the transaction history used for verification can be configured for each organisation.

Transactions are verified against groups of rules set by the security officer, each group characterising a type of fraud that threatens the bank. Rule groups are bound to cards, to groups of cards united by some criterion, or to card products, so that transaction-processing conditions can be configured flexibly and each transaction checked against several groups. Rules are entered through a web user interface that includes a number of dedicated forms.

The probability of a fraud attempt is determined by summing the weighting coefficients assigned to each rule in the group. Each verification group has a fixed threshold for the permissible value. If the sum of the weighting coefficients exceeds that threshold, the transaction is recognised as fraudulent and verification against the remaining groups is not performed. The system's algorithm also allows exceptions to be set for verification groups, under which individual cards or groups of cards are not assessed.

When a transaction is processed online, the list of rule groups used to verify it is determined, and from the group information the list of rules themselves is selected. Risk is assessed under each selected rule by comparing the transaction's parameters with information about previous operations on the card and assigning the corresponding weighting factor. Based on the resulting total for the group, the transaction is either allowed or not allowed to proceed to authorization.
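The weighted-group evaluation just described, as an added Python illustration; it is not BPC's code and does not reproduce SmartVista's rule engine. The rule set, the weights and thresholds, the five-transaction history window, the velocity window, the exclusion of a card product from a group and the sample history are all assumptions constructed for the example. The history-based rules (amount spike, new country, velocity) show the comparison with previous transactions on the same card that the text mentions.

```python
"""Weighted rule groups with per-group thresholds (added illustration, not
BPC's code). Each group models one fraud type; rules that fire add their
weight, the group total is compared with its threshold, evaluation stops at
the first group that exceeds it, and excluded cards or products skip a group."""
from dataclasses import dataclass, field
from statistics import mean
from typing import Callable, List, Set, Tuple

HISTORY_LEN = 5          # per-organisation history length (assumed value)
VELOCITY_WINDOW_S = 600  # assumed window for the velocity rule

Transaction = dict  # keys: pan, product, amount, country, hour, ts (unix seconds)


@dataclass
class Rule:
    name: str
    weight: int
    fires: Callable[[Transaction, List[Transaction]], bool]


@dataclass
class RuleGroup:
    name: str
    threshold: int
    rules: List[Rule]
    exclusions: Set[str] = field(default_factory=set)  # pans or products not assessed


# A simple single-condition rule and rules that compare the transaction
# with the card's recent history.
def night_time(txn, hist):
    return 1 <= txn["hour"] <= 5

def amount_spike(txn, hist):
    return bool(hist) and txn["amount"] > 3 * mean([t["amount"] for t in hist])

def new_country(txn, hist):
    return bool(hist) and txn["country"] not in {t["country"] for t in hist}

def velocity(txn, hist):
    recent = [t for t in hist if txn["ts"] - t["ts"] <= VELOCITY_WINDOW_S]
    return len(recent) >= 3


GROUPS = [
    RuleGroup("unusual_spending", threshold=50,
              rules=[Rule("night_time", 15, night_time),
                     Rule("amount_spike", 40, amount_spike),
                     Rule("new_country", 40, new_country)],
              exclusions={"corporate"}),
    RuleGroup("velocity_attack", threshold=20,
              rules=[Rule("velocity", 30, velocity)]),
]


def score_group(group: RuleGroup, txn, hist) -> Tuple[int, List[str]]:
    """Sum the weights of the rules in the group that fire for txn."""
    total, fired = 0, []
    for r in group.rules:
        if r.fires(txn, hist):
            total += r.weight
            fired.append(r.name)
    return total, fired


def assess(groups, txn, history):
    """Return ("allow"|"deny", group_name, total, fired_rules).

    Only the last HISTORY_LEN transactions are consulted; the first group whose
    total exceeds its threshold denies the transaction and ends the check."""
    hist = history[-HISTORY_LEN:]
    for g in groups:
        if txn["product"] in g.exclusions or txn["pan"] in g.exclusions:
            continue  # exception: this card/product is not assessed by the group
        total, fired = score_group(g, txn, hist)
        if total > g.threshold:
            return "deny", g.name, total, fired
    return "allow", None, 0, []


# constructed history: five domestic purchases one day apart, mean amount 50
T0 = 1_700_000_000
HISTORY = [
    {"pan": "P1", "product": "classic", "amount": a, "country": "RU", "hour": 12, "ts": T0 + i * 86400}
    for i, a in enumerate([40, 55, 60, 45, 50])
]
LAST = HISTORY[-1]["ts"]

TXN_SPIKE = {"pan": "P1", "product": "classic", "amount": 900, "country": "BR", "hour": 14, "ts": LAST + 60}
TXN_NORMAL = {"pan": "P1", "product": "classic", "amount": 52, "country": "RU", "hour": 14, "ts": LAST + 60}
TXN_EXCLUDED = dict(TXN_SPIKE, product="corporate")

# constructed burst: three small attempts within the last few minutes
BURST_HISTORY = HISTORY + [dict(TXN_NORMAL, ts=LAST + d) for d in (100, 160, 220)]
TXN_BURST = dict(TXN_NORMAL, ts=LAST + 250)

if __name__ == "__main__":
    print(assess(GROUPS, TXN_SPIKE, HISTORY))
    print(assess(GROUPS, TXN_NORMAL, HISTORY))
    print(assess(GROUPS, TXN_EXCLUDED, HISTORY))
    print(assess(GROUPS, TXN_BURST, BURST_HISTORY))
```

The spike transaction is denied by the first group (two rules fire, 80 > 50) and the velocity group is never consulted; the same transaction on an excluded "corporate" product passes the first group untouched and is only scored for velocity. A practitioner would watch the short-circuit: a group ordered first with a low threshold hides what later groups would have reported.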

Depending on system settings, the decision to allow or block authorization is made automatically or with operator participation. When an operator performs this function, a notification is sent to them whenever a suspicious transaction is detected; SmartVista Fraud Prevention & Monitoring can alert the operator by e-mail and SMS.

Statistical model

The statistical model of SmartVista Fraud Prevention & Monitoring consists of two components: the first collects and analyses information about the transaction parameters of each card, and the second classifies transactions online against previously built patterns of cardholder behaviour. The model requires a positive (genuine) transaction history for the card, which is the basis for building the behavioural models used in subsequent risk assessment.

The analytic, or offline, component regularly collects statistics on the values of transaction parameters for each card served by the SmartVista processing system. These statistics are used to build cluster centres for the parameter values most characteristic of a given card and to determine the permissible deviations from them. By comparing the parameters of a transaction under verification with these values, the online component detects suspicious transactions whose parameters are "not typical" of previous transactions on the card.

Each transaction is assessed for how "typical" its parameters are of a "normal" (non-fraudulent) transaction on the same card. The assessment uses weights assigned to each transaction parameter. If the parameter values are recognised as characteristic of a normal transaction, it is allowed to proceed to authorization; otherwise the transaction is recognised as fraudulent.
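The two-component statistical model, as an added Python illustration; this is not BPC's code. In place of the cluster centres the text describes, the offline component here uses a simpler profile (mean and standard deviation for the amount, value frequencies for categorical parameters); the parameter weights, the 3-sigma scale, the decision threshold and the sample history are all assumptions constructed for the example. The online component scores a new transaction against that profile exactly as the paragraph above describes: a weighted measure of how untypical each parameter is, with a cut-off deciding whether the transaction proceeds.

```python
"""Statistical (behavioural) model in two components (added illustration, not
BPC's code). The offline part builds a per-card profile: a centre and a
permissible deviation for numeric parameters, value frequencies for
categorical ones. The online part scores how untypical a new transaction is,
weighting each parameter, and flags it when the score exceeds a threshold."""
from collections import Counter
from statistics import mean, pstdev

NUMERIC = ("amount",)
CATEGORICAL = ("country", "mcc", "channel")
WEIGHTS = {"amount": 0.4, "country": 0.3, "mcc": 0.2, "channel": 0.1}  # assumed
THRESHOLD = 0.5     # assumed cut-off on the 0..1 atypicality score
SIGMAS_FULL = 3.0   # assumed: a 3-sigma deviation counts as fully atypical


def build_profile(history):
    """Offline component: summarise the card's genuine transaction history."""
    profile = {}
    for p in NUMERIC:
        vals = [t[p] for t in history]
        sd = pstdev(vals) or 1.0      # guard against a zero permissible deviation
        profile[p] = ("numeric", mean(vals), sd)
    for p in CATEGORICAL:
        counts = Counter(t[p] for t in history)
        profile[p] = ("categorical", {k: v / len(history) for k, v in counts.items()})
    return profile


def atypicality(profile, txn):
    """Online component: weighted score in [0, 1]; 0 means fully typical."""
    score = 0.0
    for p, w in WEIGHTS.items():
        entry = profile[p]
        if entry[0] == "numeric":
            _, centre, sd = entry
            z = abs(txn[p] - centre) / sd
            contrib = min(z / SIGMAS_FULL, 1.0)
        else:
            contrib = 1.0 - entry[1].get(txn[p], 0.0)   # never-seen value -> 1.0
        score += w * contrib
    return score


def classify(profile, txn):
    """Decision the online component hands to authorization."""
    return "fraudulent" if atypicality(profile, txn) > THRESHOLD else "normal"


# constructed positive history: ten domestic grocery/restaurant POS purchases
HISTORY = [
    {"amount": a, "country": "RU", "mcc": m, "channel": "POS"}
    for a, m in zip([40, 55, 60, 45, 50, 52, 48, 58, 42, 50],
                    ["5411"] * 7 + ["5812"] * 3)
]
PROFILE = build_profile(HISTORY)

TXN_TYPICAL = {"amount": 55, "country": "RU", "mcc": "5411", "channel": "POS"}
TXN_ATYPICAL = {"amount": 900, "country": "XX", "mcc": "6011", "channel": "ATM"}

if __name__ == "__main__":
    for t in (TXN_TYPICAL, TXN_ATYPICAL):
        print(t, round(atypicality(PROFILE, t), 3), classify(PROFILE, t))
```

The profile is rebuilt from history, so the text's caveat applies directly: with only a handful of genuine transactions the deviation estimate is unstable, and a card whose first transactions were already fraudulent would have that behaviour baked into its "normal" profile.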

The offline component of the statistical model is a self-learning system that works automatically. The online component can operate either fully automatically or with an operator who decides whether to block transactions. The method of blocking cards can be configured individually for particular cards, groups of cards or card products.

Flexibility + versatility

The fraud prevention models implemented in SmartVista Fraud Prevention & Monitoring can be deployed and operated separately or as part of an integrated solution. As card issuance grows, the product portfolio diversifies and the geography of operations expands, a bank can move from the simplest schemes for blocking fraudulent attacks to complex models for fine-grained analysis of cardholder behaviour, all on a single technology platform.

The SmartVista Fraud Prevention & Monitoring module is a full-featured solution for combating card fraud, giving card-market participants a complete toolkit for promptly detecting and blocking suspicious transactions, responding quickly to new types of fraud, and analysing statistics to build various risk-assessment models. Thanks to an easy-to-use web interface, bank staff can create and modify transaction verification rules without involving technical specialists.

Thus the combination of business and functional advantages of SmartVista Fraud Prevention & Monitoring allows banks to significantly reduce financial and reputational losses from fraud, and to solve related tasks such as streamlining the work of the security service through partly or fully automated transaction monitoring.

According to Alfa-Bank, one of the users of the SmartVista Fraud Prevention & Monitoring solution, "if we evaluate the effectiveness of the SmartVista Fraud Prevention & Monitoring module as part of the processing center of Alfa-Bank, then, given that today the number of active cards issued by the bank is about 5 million, in some months the amount of funds saved through the use of the SmartVista fraud monitoring system reaches one million US dollars. At the same time, even at moments of peak load, the processing center based on the SmartVista system does not reach the limit of its capacity, therefore the possibilities for round-the-clock operation of the SmartVista Fraud Prevention & Monitoring module working within it are also practically unlimited." (Fraud monitoring system through the eyes of a bank. Real experience in the implementation and operation of the SmartVista Fraud Prevention & Monitoring module in Alfa-Bank. PLUS. 2009. No. 8.)

About BPC "Banking Technologies"

BPC "Banking Technologies" is an international company specialising in the development and supply of technology solutions for automating retail financial operations.

BPC's main product, the SmartVista family of software, is a unified technology platform for plastic card processing, electronic payment processing and support for retail banking operations.

SmartVista-based solutions offer broad functionality in card management, risk management, fraud prevention, support for complex loyalty schemes and co-branding programmes, payments in e-commerce and mobile commerce, integration of various service delivery channels, and the organisation of self-service systems.

BPC's customers are the largest and most dynamically developing banks and non-bank institutions in Russia, the CIS, Latin America and Southeast Asia. The company currently has representative offices in the Netherlands, Great Britain, Singapore, the UAE, the USA, Ukraine and Russia.

www.bpcsv.com
 