Credit card fraud is a form of white-collar crime in which forged or stolen credit card information is used to cause financial harm to the account holders and/or merchants involved. In addition to physical theft of the card, for example by pickpockets, credit card details are increasingly being stolen by electronic means. Perpetrators use various methods to do this, such as:
- Fraud through e-mails (phishing). Example: the perpetrator pretends to be an employee of a credit card company or a bank and asks for the card data.
- Fake Internet services and shops. The perpetrators lure victims with online shops offering very low prices and induce them to disclose their data.
- Access to e-mail correspondence
- Exploitation of data leaks or security vulnerabilities. Crackers use security vulnerabilities, and usually insider knowledge, to gain access to customer files, which often also contain credit card data.
- Hacker attacks on department store chains in which credit card data is stolen
- Reading out card data, including the PIN, by means of manipulated readers in shops (skimming).
- Occasionally, there are also reports of cases in which victims are given knockout drops so that their incapacitated state can be exploited to plunder their bank accounts.
- Exploiting delays in data analysis, for example by making coordinated cash withdrawals using all the stolen records in a very short period of time, in a different country from that of the bank that issued the original cards, on a day when the bank is closed.
The method of forgery takes advantage of the fact that most credit card issuers assign ascending credit card numbers. If the perpetrator comes into possession of a card with an expiry date, he can easily guess the next card numbers. The included check digit does not provide sufficient protection here, as its calculation using the Luhn algorithm (according to ISO/IEC 7812-1) is publicly known.
In addition, there are credit card number generators that create a valid virtual credit card by using the brute force method and matching parameters. These are modeled after the credit card number generators of the credit card companies.
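The point about ascending numbers and the public check digit, seen from the merchant's side, as an added example that is not part of the original page: the Luhn check accepts every attempt in the sample, so the signal has to come from spotting one source trying neighbouring account numbers. The session ids, the `min_run` threshold and the function names are assumptions made for this illustration.

```python
from collections import defaultdict

def luhn_valid(pan: str) -> bool:
    """Luhn check (ISO/IEC 7812-1): catches typing errors, says nothing about issuance."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:              # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def longest_run(numbers) -> int:
    """Length of the longest streak of consecutive integers in `numbers`."""
    best = run = 0
    prev = None
    for n in sorted(set(numbers)):
        run = run + 1 if prev is not None and n == prev + 1 else 1
        best = max(best, run)
        prev = n
    return best

def flag_enumeration(attempts, min_run=3):
    """Return {source: run length} for sources that tried `min_run` or more
    neighbouring account numbers (the check digit is dropped before comparing)."""
    by_source = defaultdict(list)
    for source, pan in attempts:
        by_source[source].append(int(pan[:-1]))
    runs = {s: longest_run(nums) for s, nums in by_source.items()}
    return {s: r for s, r in runs.items() if r >= min_run}

# Constructed sample: (session id, card number). The zero-prefixed numbers are
# made up for this example; the other two are widely published test numbers.
SAMPLE_ATTEMPTS = [
    ("session-A", "0000000000000018"),
    ("session-A", "0000000000000026"),
    ("session-A", "0000000000000034"),
    ("session-A", "0000000000000042"),
    ("session-B", "4111111111111111"),
    ("session-B", "5555555555554444"),
]

if __name__ == "__main__":
    print(all(luhn_valid(p) for _, p in SAMPLE_ATTEMPTS))  # every attempt passes Luhn
    print(flag_enumeration(SAMPLE_ATTEMPTS))
```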
Credit Card Fraud Protection
Customers must check the correctness of the delivered invoices within a set period (usually 30 days). Inconsistencies must be reported immediately to the credit card company in writing (even if different information is sometimes given by telephone). The amount will then be transferred back, as no binding signature on the part of the card owner can be proven.
Merchants, on the other hand, have so far borne the full risk of credit card fraud. Even though the prior authorization went through without any problems, the money was reclaimed from the merchant in case of fraud. This was because the authorization only checked whether the card number provided was valid and had sufficient cover, but not whether the identity matched the card owner. This is justified on data protection grounds.
The introduction of the new 3-D Secure security code deceives customers into believing that their security will be increased. In reality, however, the customer loses the security that has been available so far. Nevertheless, the 3-D Secure security code provides increased protection against credit card misuse. In contrast to relying solely on the supposedly secure CVC2 or CVV2 code, the new procedure makes it much more difficult to use an illegally obtained credit card for profit. If the perpetrator does not have the personal password, it is almost impossible for him to pay by credit card. However, if the perpetrator has the credit card holder’s account number and date of birth, the password can be reset, and a transaction is then possible.
Online payment service providers such as PayPal offer a so-called guest payment, which lets perpetrators pay immediately with a card data record. This is possible because PayPal does not verify identity before allowing a transaction. Although cent amounts are transferred to the credit card account to ensure that the rightful holder of the credit card is making the transaction, the perpetrator can make purchases unhindered, as PayPal grants a limit of 1500 dollars without the verification having been confirmed. PayPal also allows the card data to be used without knowing the 3-D Secure password.
Because the 3-D Secure password is not transmitted to the online retailer and stored there, perpetrators cannot obtain a complete data set by breaking into such a merchant's database. Merchants should therefore take note of the following advice:
- Additional CVC2 or CVV2 code verification.
- Address verification, if possible
- Increased caution if the customer orders with a different card number than the last time.
- Increased caution if the customer orders with a card number that someone else has already used.
- Setting up order value limits (especially for new customers)
- Goods must only be handed over against a signed delivery note. The customer’s signature on the credit card receipt does not replace the written confirmation that he has received the goods. After the purchase, the customer can complain that he did not receive the goods. Since the burden of proof lies with the retailer, he must refund the purchase price if he cannot provide proof of delivery.
- In addition, merchants are obliged to comply with the regulations of the PCI Data Security Standard when holding the data of credit card holders.
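Three items from the list above (a different card than last time, a card someone else has already used, and order value limits for new customers) written as checks over an order history, as an added example that is not part of the original page. The record layout, the limit of 100.0 and the use of a keyed hash in place of the stored card number are assumptions made for this illustration.

```python
import hashlib
import hmac

# Assumption: demo key only; a real deployment would load it from a key store.
FINGERPRINT_KEY = b"constructed-demo-key"

def fingerprint(pan: str) -> str:
    """Keyed hash of the card number, so order history can be compared
    without keeping the number itself."""
    return hmac.new(FINGERPRINT_KEY, pan.encode(), hashlib.sha256).hexdigest()

def review_reasons(order, history, new_customer_limit=100.0):
    """Return the reasons an order needs manual review before shipping.
    `order` and `history` entries are dicts: customer, card (fingerprint), amount."""
    reasons = []
    own = [h for h in history if h["customer"] == order["customer"]]
    if own and own[-1]["card"] != order["card"]:
        reasons.append("different card than last order")
    if any(h["card"] == order["card"] and h["customer"] != order["customer"]
           for h in history):
        reasons.append("card already used by another customer")
    if not own and order["amount"] > new_customer_limit:
        reasons.append("new customer above order value limit")
    return reasons

# Constructed history, oldest first (published test card numbers, not real cards).
CARD_1 = fingerprint("4111111111111111")
CARD_2 = fingerprint("5555555555554444")
HISTORY = [
    {"customer": "alice", "card": CARD_1, "amount": 40.0},
    {"customer": "bob", "card": CARD_2, "amount": 25.0},
]

if __name__ == "__main__":
    # A first-time customer placing a large order with alice's card: two reasons.
    print(review_reasons({"customer": "carol", "card": CARD_1, "amount": 900.0}, HISTORY))
```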