CrossCheck Blog

Check Processing & Payments Information

Payment Systems Fraud and Data Breaches: Risks and Consequences

Posted by Brandes Elitch | Wed, Jan 06, 2016 @ 07:00 AM

If you’ve been reading the CrossCheck blog for a while, you know that as a payment guarantee company, our role is to assist at the point of sale and guarantee a payment, or a stream of payments to be made in the future. In other words, we make a sale happen that would otherwise not happen.

People always ask, “How do you know the money will be there?” The answer is that we don’t. Nobody can “sneak a peek” at a consumer’s checking account, confirm that the funds exist, and put a hold on them for transactions that will happen in the future. We do see fraudulent transactions, such as people writing checks on a closed account, but we generally catch them because we subscribe to a variety of services that provide current information on account status, and we use that data as part of our real-time authorization process.

It doesn’t make sense for us to guarantee a small-dollar payment (e.g., less than the typical credit card purchase of about $75) because the collection process alone can cost us that much. However, it is quite realistic for auto dealerships (one of our key markets) to accept four $500 checks as a down payment, to be deposited over 30 days. Dealers are happy to pay an $80 fee to make a $1,300 gross profit on a new car sale, or perhaps $2,000 on a used car sale.

Friendly Fraud

Our real “fraud” risk is the common occurrence of consumers making large payments while knowing all along that they don’t have sufficient funds. This is another example of what payment professionals call “friendly fraud,” a big problem today, particularly in the online sector.

“Friendly fraud” is something of a misnomer, but the term is used to distinguish the opportunistic individual from the much larger problem of professional cybercrime. It has many variations, but it basically means the consumer is trying to avoid paying for goods or services he or she actually received, typically for low-dollar payments (less than a few hundred dollars), by making fraudulent claims: the product never arrived, it was not what was promised, or it was never ordered in the first place.

Some retailers will actually absorb fraud of less than $5 because investigating it would cost more than that. This is a huge problem. A study by the Nilson Report showed that in 2012 the US accounted for less than a quarter of the world’s payment card volume but incurred almost half of the fraud losses!

The Hidden Data Economy

A recent study by Intel Security called The Hidden Data Economy shows that the underground marketplace for stolen data has evolved to include every type of cybercrime product, for sale or for rent. Data breaches involving the theft of financial data (especially payment card information) are almost daily news.

McAfee Labs studied what it costs to buy stolen credit card data in the US. For a payment card number with the CVV2 code from the back of the card and full details about the owner (name, billing address, expiration date, PIN, Social Security number, date of birth, mother’s maiden name, etc.), the going rate is around $30. With this information you can not only buy something but also change the shipping or billing address or add a new one. However, if you wanted to withdraw money from a consumer’s checking account at an ATM, you would need what is called a “Dump Track with High Balance”: the card’s Track 1 and Track 2 magnetic-stripe data plus the PIN, which sells for up to $110 in the US. As with all products, legitimate ones included, prices vary with supply, account balance and validity. Data for an online payment service account with a balance of $5,000 might sell for $200 to $300. As the McAfee study shows, everything is available, including bank-to-bank transfers and bank log-in credentials.
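To make concrete what “Track 1 and Track 2” data in such a dump actually contains, here is an added example (it is not from the original post, nor from the McAfee or Intel reports) that parses both magnetic-stripe tracks in their standard ISO/IEC 7813 layout, Luhn-checks the account number, masks it, and decodes the three-digit service code. The sample tracks are constructed: the PAN 4111111111111111 is a well-known test number, and the cardholder name, expiry, service code and discretionary data are fictitious.

```python
import re

# Constructed sample track data for illustration only. 4111111111111111 is a
# standard test PAN; the name, expiry (YYMM), service code and discretionary
# data are made up.
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JANE^25122011234567890?"
SAMPLE_TRACK2 = ";4111111111111111=25122011234567890?"

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{12,19})\^(?P<name>[^^]{2,26})\^"
    r"(?P<exp>\d{4})(?P<sc>\d{3})(?P<disc>[^?]*)\?$"
)
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?  (no cardholder name)
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<sc>\d{3})(?P<disc>[^?]*)\?$"
)

PIN_RULES = {
    "0": "PIN required",
    "1": "no PIN restriction",
    "2": "goods and services only, no PIN required",
    "3": "ATM only, PIN required",
    "4": "cash only",
    "5": "goods and services only, PIN required",
    "6": "no restriction, PIN if PIN pad present",
    "7": "goods and services only, PIN if PIN pad present",
}


def luhn_ok(pan: str) -> bool:
    """Return True if the PAN passes the Luhn mod-10 check digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six (BIN) and last four digits, mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def service_code_info(sc: str) -> dict:
    """Decode the service code: first digit 2 or 6 means an EMV chip is
    present; third digit states the PIN requirement."""
    return {
        "chip": sc[0] in "26",
        "pin_rule": PIN_RULES.get(sc[2], "unknown"),
    }


def parse_track(raw: str):
    """Parse a Track 1 or Track 2 string. Returns a dict, or None if the
    string matches neither layout."""
    if raw.startswith("%B"):
        m, track = TRACK1_RE.match(raw), 1
    elif raw.startswith(";"):
        m, track = TRACK2_RE.match(raw), 2
    else:
        return None
    if not m:
        return None
    g = m.groupdict()
    info = {
        "track": track,
        "pan_masked": mask_pan(g["pan"]),
        "luhn_ok": luhn_ok(g["pan"]),
        "expiry": "20" + g["exp"][:2] + "-" + g["exp"][2:],
        "discretionary_len": len(g["disc"]),
    }
    info.update(service_code_info(g["sc"]))
    if track == 1:
        info["name"] = g["name"]
    return info


if __name__ == "__main__":
    for raw in (SAMPLE_TRACK1, SAMPLE_TRACK2):
        print(parse_track(raw))
```

Note what is and is not in the parsed output: the account number, name, expiry and service code are all on the stripe in the clear, but the PIN is not. The discretionary data may carry a PIN verification value used by the issuer, but the PIN itself has to be captured separately (for example with a PIN-pad overlay or camera), which is why a “dump” that comes with a working PIN is a different product from the track data alone.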

As if this weren’t enough, other types of data are also for sale, including access to systems inside an enterprise’s trusted network, and enterprise data such as records stolen from a medical center or university.

In the current Intel research report, The Hidden Data Economy, the authors warn:

“When a stolen online account becomes compromised, the legitimate owner can be impacted in a variety of ways.  The account can be held or closed due to malicious activity by the buyer – sometimes causing weeks of support calls.  A victim could also suffer financial losses from the purchase of items with stored card information, or lose access to free perks, such as loyalty points collected during the lifetime of the account. Worse, there are circumstances in which the impact is quite disturbing.

“The sale of a victim’s identity is the most frightening category because it is so personal. When a person’s digital identity is stolen, the buyer can take control of this person’s digital life – social media, email and more.”

Fraud Rates

But wait, there’s more. A recent study by ACI Worldwide shows that fraud rates by volume have increased: this year, one out of every 86 transactions is a fraud attempt. Fraud attempt rates by volume are up 30% as consumers shop online from more devices, and fraud attempt rates by value are up 33% over last year. The average fraudulent ticket is $273. Some newer paths to fraud, with their fraud attempt rates, include the following:

  • Digital downloads (virtual gift cards or eGifting): the highest fraud rate, at 9.55%
  • Next-day/overnight shipping (6.57%)
  • International orders (2.38%)
  • Buy online/pick up in store (2.15%): retailers do not require consumers to re-present their card when they pick up in the store.

By now you’ve heard of the new EMV “chip card” and may even have one already. The technology is old news: it was developed in 1994 and much of the world has been using it for years. The US version is chip and signature rather than chip and PIN, and most observers consider the signature virtually worthless as a fraud management tool. EMV doesn’t eliminate card fraud; it makes counterfeiting cards harder at the terminal but does nothing for card-not-present transactions. Some criminals in the UK have found ways to skim chip cards and capture the PIN, for example, and researchers at the University of Cambridge have shown that a man-in-the-middle device placed between the card and the terminal can make the terminal accept any PIN.

What Can Be Done?

At this point, you are probably asking yourself, “What can be done?” The reality is that consumers download many apps onto their mobile devices. Android gives phone manufacturers and carriers a free license to use and modify the core OS, but in many cases there is little or no protection against app-level attacks. As Gartner VP Joseph Feiman said recently, “There are too many apps, testing skills are scarce, and tools are too complex and inaccurate. The problem is that apps are not capable of security self-testing, self-diagnostics and self-protection.”

What Are the Risks?

One big risk is that consumers assume a secure solution exists when it really doesn’t. Some people think that a fingerprint coupled with an alphanumeric password is a foolproof solution; however, there is no central registry of fingerprints the way there is for bank account data. EMV looks more secure, but early usage shows that consumers often leave their card in the terminal. Device fingerprinting looks like a solution, but a colossal number of phones are lost or stolen every year. IDs without a form factor look promising, but they do not reach across different banks and merchants.

The Vulnerabilities

You can probably guess at this point that the major vulnerability is consumer behavior. Aside from losing their phones, consumers are forever clicking links in SMS text messages and emails and downloading third-party apps without any scrutiny. The app providers themselves often have little or no security in place. Finally, unsecured wireless networks let fraudsters intercept a mobile device’s traffic and potentially take control of the device and the account information on it.

How Can You Spot Fraud?

Here are some obvious points. First, fraud is higher for card-not-present transactions and for calls from prepaid phones. Second, it helps to determine whether a mobile device is being used, what type of device it is, and whether the phone number is being forwarded from somewhere else.

Finally, and to state the obvious, car dealerships, auto aftermarket merchants, veterinarians, funeral homes or building suppliers that take a series of payments running into thousands of dollars can take a good old paper check and have it guaranteed by CrossCheck. Let’s face it: we are better at scrubbing checks up front, or collecting on bad ones, than a merchant ever will be, because that’s our business!


Written by Brandes Elitch

Brandes Elitch is Director of Partner Acquisition for CrossCheck Inc. A certified cash manager and accredited ACH professional, he garnered a Master of Business Administration from New York University and a Juris Doctor from Santa Clara University.