November 4, 2016

What are credit card frauds?

TL;DR: Credit card fraud happens when credit card information becomes available to unauthorized people, such as hackers, family members, or coworkers. In the last two cases, the fraud is called friendly fraud. Credit card information may leak after a merchant or an issuing bank becomes a hacking victim or after a credit card holder becomes a phishing or social engineering victim.

In this article, we’ll discuss:

  1. Payment processing principles;
  2. Payment failure reasons; and
  3. The credit card fraud process.

1. Payment processing principles

Payments are high-trust communications where the purpose is to exchange money between two people. Sometimes the money exchange occurs directly between a payer and a payee, and they conclude a sale by agreeing on a price and a currency. However, physically exchanging the money is not always possible, such as when the payer and the payee do not know each other, are in different locations, use different currencies, or speak different languages. That’s why credit cards and payment intermediaries exist.

Issuing banks (private banks) [1] print credit cards for their customers, and acquiring banks (commercial banks) [2] help merchants accept payments from customers. However, because acquirers and issuers can only make limited numbers of bilateral partnerships, e.g., within their respective countries, additional intermediaries are necessary to allow payments worldwide and to facilitate acquisitions via multiple payment methods. Hence, for international payments, settling banks [3] help issuers and acquirers conclude payments. In addition, payment service providers help merchants provide a range of payment methods, including Visa, MasterCard, American Express, Diners Club, PayPal, SOFORT, and iDEAL.

2. Payment failure reasons

Most of the time, payments are successful, but in some cases, they are not. There are various reasons for failed payments. The first set of reasons is legitimate, and the second set relates to illegitimate credit card use.

  1. Legitimate reasons: the products may be damaged during delivery, they may never arrive, they may be out of stock, or the customer may simply change his mind. In each case, the terms of the sale, the merchant’s policy, and the legal regulations define whether the payment will be reimbursed totally or partially.
  2. Illegitimate reasons: these involve fraudulent scenarios. In these cases, the conditions of the payments, e.g., whether the payment is 3DSecure [4] enabled, determine each party's liability. Most of the time, either the issuing bank or the e-merchant is liable for the loss.

3. The credit card fraud process

Credit card fraud may occur after the card details have been shared and the card has been used without the card holder’s authorization. This may be the case if the card is shared or accessible within a family or at the card holder’s work. However, this may also be the case if hackers intercept the card information, e.g., via a data leak, phishing, or social engineering.

  • Data leaks occur when hackers penetrate the IT systems of companies that process payments. Once the hackers get into the IT systems, they can intercept information such as credit card numbers. In 2014, a massive data leak of private and business clients occurred at JP Morgan Chase; clients’ details were accessed, but their credit card information was not [5]. Earlier, in 2013, Target was hacked; in that case, credit card information was leaked [6].
  • Phishing [7] is another technique to intercept credit card information. It involves sending emails or building websites that look like they are from real companies but are not. Victims follow links from emails, enter their credit card information, and in some cases, are even redirected to the spoofed company so the phishing looks innocuous.
  • Social engineering [8] involves the practice of impersonating other people to obtain confidential information such as credit card details. Those who commit social engineering collect data on their victims, e.g., date of birth, home address, or email address. They find answers to security questions and obtain the information they are looking for.

Once the card details leak, the real card holder and issuer may learn about the data leak or they may not.

  • If they learn about the leak, the primary option is to cancel the card and reprint it. However, if details leak for too many cards, this may not be economically or logistically feasible because it would take too much time to reprint, ship, and activate all the new cards. In that case, the issuing bank may temporarily or permanently take additional security measures to protect its card holders.
  • If neither the issuer nor the card holder learns about the leak, the card holder will be vulnerable to credit card fraud. Fraud may occur when the hacker who obtained the credit card details uses them to buy online services or products or, more likely, after fraudsters buy the credit card information on the black market and then purchase services or products online. Finally, so-called mules [9] are sometimes used to pick up goods that are bought online.

Fabrice | book


[1] Issuing bank - Wikipedia

[2] Acquiring bank - Wikipedia

[3] Settlement Bank

[4] 3-D Secure - Wikipedia

[5] 2014 JPMorgan Chase data breach - Wikipedia

[6] Target settles for $39 million over data breach

[7] Phishing - Wikipedia

[8] Social engineering (security) - Wikipedia

[9] Money mule - Wikipedia