Beruflich Dokumente
Kultur Dokumente
As the existence of remote credit and debit card payment terminals become
increasingly ubiquitous, so too does the risk of fraud. In attempts to further reduce expenses and increase the bottom line, business owners and corporations continue to place these terminals and self-serve kiosks where employees once stood- where they also once served as the first line of defense against such criminal acts. Gone are the days of face-face theft, and in its place came along technology which offered speed, convenience and above all else- anonymity. According to Secret Service figures, in 2010 skimmers netted an average of $30,000 per incident while in 2011, their take rose to $50,000. By comparison, the average bank robbery might be around $3,000 to $4,000 says Doug Johnson, vice president of risk management policy at the American Bankers Association. 1 Consequently, customers, businesses and financial institutions find themselves falling victim to these schemes which are often quite sophisticated and complex operations. Not to be outdone, however, even amateur criminals are cashing in. With just a few hundred dollars, a little ambition and some ingenuity, practically anyone can purchase the hardware necessary to carry out their own scams, with surprisingly profitable results. No longer are criminals relegated to using physical skimming devices alone, either. In recent years, card issuers are increasingly using radio frequency identification tag devices inside their cards, which make data interception and breaches even easier than before. The question arising is no longer if the schemes will pay off, but where can these schemes be perpetrated to be most effective. As a result, criminal syndicates have plenty of devices and destinations at which they can exploit unsuspecting victims. While ATM terminals and Internet merchants are typically regarded by consumers as the usual suspects for the theft of financial data, thats not always the case. Routine, unsuspecting transactions at places like the grocery store, neighborhood coffee shop and local gas station are also hotbeds for fraud. This paper examines the emerging predicament of credit and debit card skimming at gas stations and its effects. This paper also discusses practical solutions that financial institutions can implement in an effort to monitor for, and combat such acts to minimize potential losses.
Debit cards are immensely popular and allow consumers the ability to make purchases without writing cumbersome checks. Debit cards also level the playing field between businesses and consumers located in different countries and jurisdictions that typically buy and sell goods in different currencies. And as time progresses, banks are offering more than just traditional credit and debit cards to their suite of product offerings by introducing more forms of pre-paid and stored value cards. The chart to the left illustrates the size and yearover-year growth of debit and credit card penetration for select card types.
2011 Global Debit and Credit Card Penetration Source: The Nilson Report, April 20122
Needless to say, this data illustrates the future of commerce with an enthusiastic consumer base following in its wake. Traditional Card Readers In the past, most crude forms of card skimming took place at ATMs, where thieves concealed the real card slot with their own device, which was designed to look like the real thing. Similarly, perpetrators would install a small device either in front of, of behind the actual card reader slot. The devices read all of the personal information off of the card's magnetic strip, while a secret camera simultaneously filmed the victims entering their PIN numbers. Some of the newer, more sophisticated card readers are making it nearly impossible to even detect such devices. According to recent reports from the European ATM Security Team (EAST)3, a non-profit international network dedicated to fighting cross-border international crime, newer card skimmers are physically inserted into point of sale terminals and ATMs to steal card and PIN data. Some of these devices are wafer-thin, and do not present some of the more obvious characteristics such as bulkier hardware modifications or changes to physical appearance of the terminals. RFID and Contactless Payment According to the Smart Card Association4, contactless payment changes the way debit or credit payments are handled when making a purchase. Contactless payment transactions require little to no physical connection between the card and the checkout device. Rather than physically swiping or inserting a card into a card reading terminal or device, the contactless card is tapped on or held within centimeters of a machine that reads a smart card chip embedded in the card instead, and the payment information is sent to the merchant wirelessly. Copyright 2012 George M. Martin All Rights Reserved.
4 Visa calls its technology payWave; MasterCard calls its PayPass; Discover Card named its RFID card Zip; and American Express calls it ExpressPay. Regardless of the marketing push behind each of these products, the underlying technological RFID concept is the same. The stolen information is then copied onto a removable storage device such as a SD card, or can even be transmitted wirelessly to the perpetrators. Once they have the data, they can use it for fraudulent purchases or, as is the case with debit cards, for the manufacture of clone cards so they can be used at ATMs and other points of sale to drain cash or make purchases from victims' accounts. Unlike traditional card readers, some RFID readers even capture a one-time CVV number used by contactless cards to authenticate payments. According to industry experts, those codes can only be used for one transaction, and in the order they are generated. If a payment processor detects multiple transactions with the same code or even codes being used to make transactions in the wrong order, it will disable the card. Consequently, a contactless card scammer will likely only be able to use each stolen number once. 5
People dont expect that when they swipe their credit card at a gas station, they are handing over their credit card information to crooks.
6 In December 2008, law enforcement officers executed search warrants at two locations in Alpharetta, GA where Toumasian was known to have lived. They found over 44 gift cards fraudulently encoded with credit and debit card information, over $50,000 in cash, multiple skimming devices used to collect card data, a laptop computer with stolen account information, false fronts for ATMs and gas station pumps, a device used to encode cards with account information, and a pinhole camera used to video customers entering their PINs. (Source: US Department of Justice, August 24, 2012) Inside Job, Part Deux July 2012- Santa Ana, CA Some criminals have the moral gumption to just allow the criminal activity, not necessarily carry it out on their own. Take the example of a Santa Ana, CA Shell gas station employee, Bhavesh Vithalbhai Lakhani, who ultimately confessed to have taken over $50,000 to allow other criminals to plant ATM card skimming devices inside gas pumps. According to the United States Attorney, Lakhani allowed his conspirators to insert the skimming devices inside the gas pumps at his station on at least 10 occasions. The devices allowed the criminals to gain access to credit card numbers and ATM PINs. In an ironic twist showing that Lakhani was not such a hard core criminal after all, he had also been asked to let other criminals place a hidden camera in the gas station office ceiling so that they could steal ATM access codes, but he reportedly refused that request. (Source: OC Weekly) Dont Mess with Texas July 2012- Fort Worth, TX A California man, Aleksandr Goukasian, was convicted in July 2012 of participating in a nationwide theft ring that "skimmed" consumers' account information from automated gas pumps. According to prosecutors, Goukasian and his conspirators placed high-tech skimming devices inside gas pumps and then used them to obtain credit and debit card information and PIN numbers when consumers used the pumps. They then used the information to create new cards, which they used to withdraw cash from accounts and to purchase items. A total of 13 skimmers were found in North Texas, while others were found in Houston, TX, California and Nevada. Investigators suspect the ring collected 38,000 card numbers and stole more than $100,000. (Source: Fort Worth Star-Telegram)
7 However, these forms of electronic payment offer speed and convenience to both consumers and business, and as evidenced by the emergence of self serve payment kiosks, have become the preferred payment method in the industry. Consequently, it has become the responsibility of the financial institution- the creator of such payments- to solve these problems. In addition to whatever measures fueling stations and their owners undertake to protect their customers, financial institutions need to ensure an effective transaction monitoring system is in place to not only identify and stop debit and credit card fraud, but to also limit future security breaches. When designing and implementing an effective monitoring system, the following areas of detection should be considered: 1. Common Point(s) of Compromise/Purchase- This is determined by identifying a set of accounts with legitimate debit or credit card holder usage, that possess a) a single common merchant identifier prior to any fraudulent activity and b) is not associated with a previously observed data compromise event. Geographical Correlation- Often times, subsequent card fraud will occur within close geographical proximity to the original point of compromise. This is more difficult to discover when the fraud is perpetrated by more sophisticated groups or organizations, where the extent of fraud conducted could be inter-state, or in some cases international. Geographical Segmentation- In an effort to properly ascertain the extent of the potential fraud, and mitigate any future losses, examine where the fraudulent activity occurs. Does the fraud occur in a certain metropolitan area? Is the activity relegated to a geographical region with common business or economic characteristics (e.g., trucking/shipping lanes, agricultural regions, business parks). Also determine if the activity was specific to a certain county or state, depending where your financial institution does business. Common Customer Characteristics- Examine if any of the affected customers exhibit any occupational correlation such as employer, occupation, or transaction location such as financial institution, common branch location of activity, etc. This helps establish the potential source of a data breach, but not necessarily the actual point of card compromise. In one such real life instance, this author was able to identify a bank employee selling customer information to conspirators, who then used ATMs throughout the state to perpetrate fraud on those customer accounts. Compromise Time Frame- Pin point whether the card compromises occurred within a certain time period. Typically in such fraud cases, time is of the essence. Criminals know that once the customer card information has been obtained, time works against them. In order to maximize their bounty, they will strike fast and furious. If your automated systems allow, attempt to work in as real time if possible. Also work as closely as possible with decision makers within your institutions operations department. Typically a few tweaks of your institutions core processing system allow for immediate data extracts
2.
3.
4.
5.
8 that will prove helpful in any immediate investigation or risk mitigation effort. 6. Unsuspecting Fraud Amount- Todays sophisticated criminal enterprises are very knowledgeable about the amounts and frequency of fraud to perpetrate without causing alarm. Suspicious Activity Report (SAR) and Monetary Instrument Log (MIL) filing thresholds are public knowledge and criminals pay close attention. If your automated surveillance system allows you to establish monetary thresholds, look for transactions and trends below the SAR filing and MIL reporting thresholds. Criminals are greedy indeed, but they wont sacrifice a good thing all at once. They will often times conduct multiple, low-dollar fraudulent transactions referred to as micro-payment fraud, if they think they can extract more money without detection over longer periods of time.
Future Threats
While this paper focuses on gas pump fraud and associated risk mitigation efforts, there are budding trends likely to compete with this type of activity. For example, the emergence of other mobile, low cost payment systems such as Square and GoPago, also present new challenges to the fraud prevention landscape. As has been seen with remote payment kiosks such as gas pumps, industry practitioners can be assured criminals will be working hard to also take advantage of these mobile payment systems.
Conclusion
As the financial services industry continues to innovate and make transactions more convenient for the customer and cost-effective for business, it is a foregone conclusion that criminal enterprises will work diligently to exploit any perceived weaknesses in the system. As has been demonstrated, gas pumps present criminals with the means (simplicity), motive (high volume of transactions) and opportunity (anonymity) to steal card information and commit identity theft to perpetrate fraud. The advent of technology through advanced hardware, software and data transmission only make this type of fraud more attractive to the aspiring criminal or sophisticated criminal enterprise. While businesses such as gas stations may undertake efforts to combat this type of fraud at the point of sale through employee and consumer education and awareness, its apparent that it has become increasingly incumbent upon financial institutions to do their part to combat such activity themselves. Through several initiatives, including those outlined in this paper, banks and industry practitioners can implement sound, effective monitoring programs tailored to identify and mitigate respective fraud risks. Advanced monitoring software systems, coupled with sensible, practical approaches in surveillance design, will certainly cause effective results.
About
George M. Martin, MBA, CAMS, is an expert in AML surveillance, Fraud detection and compliance risk mitigation. He has been involved in AML, Fraud and regulatory compliance for over ten years. His risk management experience spans several areas of the financial services industry including securities, insurance, banking and money service businesses. He is a member of the Association of Certified Anti-Money Laundering Specialists (ACAMS) and Association of Certified Fraud Examiners (ACFE). For more information, visit www.georgemmartin.com, or e-mail george@georgemmartin.com.
End Notes
1
Gallagher, Shawn. Automated robbery: how card skimmers (still) steal millions from banks. June 24, 2012. Retrieved from: http://arstechnica.com/security/2012/06/automated-robbery-how-cardskimmers-still-steal-millions-from-banks/ 2 The Nilson Report. Worldwide Purchase Transactions on General Purpose Cards with Global Brands. April 2012. Retrieved from: http://nilsonreport.com/issues/2012/992.htm 3 EAST. EAST Research Results. June 2012. Retrieved from: https://www.european-atmsecurity.eu/ATM%20Research/ 4 Smart Card Alliance. Retrieved from: http://www.smartcardalliance.org/pages/smart-cards-faq#whatis-contactless-payment 5 Greenberg, Andy. Hacker's Demo Shows How Easily Credit Cards Can Be Read Through Clothes And Wallets. Forbes Magazine. January 30, 2012. Retrieved from: http://www.forbes.com/sites/andygreenberg/2012/01/30/hackers-demo-shows-how-easily-creditcards-can-be-read-through-clothes-and-wallets/