Monday, October 12, 2015

Latest Trends in Credit Card Fraud & How to Prevent It


Introduction

Every year corporations and cardholders lose billions of dollars to credit card fraud, and the tactics used to carry it out are evolving. Let's take a look at the statistics in the USA alone. In 2010, 8.6 million households experienced some form of identity theft. In 2012, a staggering 16.6 million households reported one or more identity theft cases. Why did the number double within just 2 years? This doesn't include the millions around the globe who are victims of an evolving unethical dilemma we find ourselves in with in-app purchases. Merchants want your money just as much as the criminals. The difference is that it is unethical for the merchants, but unlawful for the criminals. Let's take a look back in history.
History has shown that the criminal masterminds and merchants are evolving faster than the industry's security systems and government regulations. Just as legitimate workers go to work daily, criminals do the same, but they play by a different set of rules. Just as legitimate workers gain knowledge and skills, criminals do the same and become criminal masterminds. Not only have criminals evolved, but merchants have too, with in-app purchases that employ hidden fees and lure tactics.
Ladies and gentlemen, today I want to bring you up to speed on the latest criminal tactics targeting credit card fraud and my view on how to defeat it with Two-Factor Credit Card Authentication, Product Classification & Underlying Merchant Data, Recurring Payments Fraud Alerts, and In-app Encrypted Biometric Authentication. All of the aforementioned features are not in use today by any credit card issuer, and are the ideas of Brandon Lee to combat the latest trends in credit card fraud.
In addition, I will explain why services such as LifeLock are mere organizations looking to capitalize on Americans' concerns rather than offer real protection, and why they may not be a good long-term investment for investors.

The Trend

Previously, criminals and merchants were just interested in minimal credit card data, but they've educated themselves on banks' legacy systems and the chargeback process. From a criminal's point of view, they know that if the address doesn't match, this sets off alarms. If purchases are made outside your typical locations, this too sets off alarms. On the other hand, merchants know that their revenue increases when they can better hide fees and/or lure you into in-app purchases.
Therefore, instead of just collecting your credit card information, they're now collecting historical purchase data, demographics, billing info, IP addresses and social media content to aid in increasing revenue. Why? Criminals and merchants understand that they can profit more by profiling and understanding their victims rather than not.
Where does it start? For criminals, it all starts with a legitimate purchase you've made at a well-known merchant and your purchase information is obtained via big data breaches. In 2014 alone, some of the biggest organizations were all hit with big data breaches such as UPS, Home Depot, and JP Morgan Chase to mention a few out of over a dozen impacted.
Secondly, you may find that your stolen credit card was not only involved in one fraudulent transaction, but multiple transactions over time.
Third, when you find out about this fraud, you proceed to submit a dispute thinking it's going to be easy-breezy, and that's when things go from a mere inconvenience to a possible lifestyle change. Wait, that just happened. Oh no, how could that happen? I didn't make those purchases, I'm innocent, honestly this is identity theft.
Now, how did I lose my dispute? The facts always prevail, right? No, if the information submitted to the bank is accurate in its entirety, you lose. Remember, someone has to pay and it's going to be either you or the merchant. How did I not notice this on my credit card? You're the target of an evolving credit card fraud tactic I refer to as profile-based credit card fraud.

Profile-Based Credit Card Fraud: The Evolution.

In the early years of credit card fraud, charges were easily identifiable and easily rectified. For example, a $300 charge appearing on your credit card bill sets off alerts because your spending history doesn't support this type of charge--a deviation from the norm. Therefore, credit card fraud has evolved to profile-based credit card fraud. This is when the mastermind elects to charge amounts between $10 and $50 instead of $200, as your spending history shows your average credit card purchase is between $10 and $50 per transaction. This way, you don't see a big charge on your credit card that is easily identifiable by the human eye or the bank's fraud protection, thus making the transaction easier to overlook.
Also, criminals may elect to make purchases at places and locations your spending history suggests, allowing them to avoid today's security measures. But wait, it doesn't stop there; merchants want in on the action as well.

Merchant-Based Credit Card Fraud: The Evolution.

Merchant-based credit card fraud is evolving too. This is when shady merchants charge you for additional products and/or services you did not agree to purchase or were not made aware of. This is common with subscription-based services and in-app purchases that keep your credit card on file after you've made a legit purchase. For example, alarmmonitoringservices.com may sell you an alarm service, which is paid in full for the entire year. However, after a few months you may come to find they charged you upwards of $200 for services you did not order or were not made aware of. The BBB wrote, "BBB has received a pattern of complaints from consumers alleging consumers sign up for alarm monitoring service for a specified rate, and are later charged a higher rate without warning."
Additionally, with in-app purchases, you may be lured in with one price, but later come to find that to unlock certain features or to add credits you have to pay additional money.
How do merchants like this stay in business? As long as their chargeback rate is lower than their agreed threshold with their payment processor, they can continue to operate under the radar. What do I mean by under the radar? Payment processors allow merchants to continue to conduct business as long as their chargeback rates do not exceed an agreed percentage. Meaning, the larger the merchant volume, the more chargebacks will be allowed--it's a numbers game. When the number of chargebacks goes up, the merchant cuts back on its shady dealings, and when it goes down, they increase them.

How is Social Media Being used to Aid in Credit Card Fraud?

Every day millions of users are posting content, pictures and their whereabouts on social media sites such as Facebook, Twitter, Instagram and others. Criminals are now leveraging this data to determine typical areas a cardholder may be or things a cardholder may buy. This allows criminals to make purchases in places that don't set off the bank's security systems, or for things the cardholder might buy, bypassing the bank's security measures and the human eye.

What are credit card companies doing to combat this?

I particularly like one of the features American Express introduced that allows you to get real-time text messages of transactions based on predefined rules. This allows us to quickly review who's charging our cards and possibly prevent years of credit card fraud. However, criminal masterminds and merchants have already adapted in such a way that they can slip charges by the everyday consumer and this feature was just released in 2014--it's not enough.

How can technology solve these problems? The solution.

Two-Factor Credit Card Authentication
I would implement an optional feature that would allow card members to enable two-factor credit card authentication. The way this would work is when your credit card is charged, you would get an alert on your device (e.g. mobile phone, computer) that allows you to approve or reject the charge. Implementing such a feature would eliminate over 99% of credit card fraud in similar cases. This would also uncover those merchants that are billing customers based on that legendary hidden fine print, allowing for prompt resolution. I believe two-factor credit card authentication is the future.
Spending Pattern Behavior Algorithms
Next, I would introduce better spending pattern behavior algorithms to detect charges that deviate from the card holder's norm. This would work by categorizing/classifying merchants and product purchases while analyzing cardholder historical spending to flag possible fraudulent transactions. For example, if the cardholder has never purchased a porn subscription that would be a good indication that it could be fraud and the cardholder should be alerted.
Today that is not possible. Why? When a merchant submits a transaction for processing via payment processors such as FirstData they are not required to classify product purchases and in many cases they don't have insight into the underlying merchant.
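The contrast between an amount-only check and a category-aware check, as an added example that is not from the original article: the first catches the $300 charge but passes a profile-sized one, while the second flags a category the cardholder has never bought from. The category labels, the 3-sigma threshold and the history are constructed assumptions; a missing category stands in for the unclassified transactions described above.

```python
from statistics import mean, pstdev

# Constructed cardholder history: (merchant_category, amount in dollars).
# Category labels are hypothetical; processors do not supply them today.
HISTORY = [
    ("grocery", 32.10), ("fuel", 41.00), ("coffee", 12.50), ("grocery", 27.80),
    ("coffee", 10.25), ("fuel", 38.40), ("grocery", 45.60), ("coffee", 11.75),
]

def amount_outlier(history, amount, k=3.0):
    """Legacy-style check: is the amount more than k std-devs from the mean?"""
    amounts = [a for _, a in history]
    return abs(amount - mean(amounts)) > k * pstdev(amounts)

def category_never_seen(history, category):
    """Category-aware check: has the cardholder ever bought in this category?"""
    return category not in {c for c, _ in history}

def score(history, category, amount):
    """Return the list of reasons a charge should trigger a cardholder alert."""
    reasons = []
    if amount_outlier(history, amount):
        reasons.append("amount_outlier")
    if category is None:
        # The processor sent no classification, so the category rule
        # cannot run and the charge is only as visible as its amount.
        reasons.append("category_missing")
    elif category_never_seen(history, category):
        reasons.append("category_never_seen")
    return reasons

if __name__ == "__main__":
    for cat, amt in [("grocery", 300.00), ("adult_subscription", 25.00),
                     (None, 25.00), ("coffee", 12.00)]:
        print(cat, amt, score(HISTORY, cat, amt))
```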
Product Classification & Underlying Merchant Data
Criminals know that purchases made at places the cardholder is not familiar with may set off alarms. For example, you receive a text alert from American Express stating you made a purchase at an unfamiliar merchant.
Therefore, they may make purchases through merchants who employ payment processing vendors such as Epoch, who mask the underlying merchant. This undermines credit card issuing banks' fraud protection systems, as a charge from Epoch on the surface seems like a typical transaction. But that doesn't mean that Epoch has done a good job of screening their merchants. And the cardholder may have other charges from Epoch that they did in fact make. Combined with a complete cardholder profile, this makes for a persuasive way to pass the charge off as legit. In this case, I would require payment processors to expose the underlying merchant data, including product classifications, allowing better tracking of transactions--modernize payment processing.
Recurring Payments Fraud Alerts
Recurring payments add up, and they're easily overlooked as they appear normal once the initial payment is processed successfully. To combat this, I would deploy another feature that allows customers to set up recurring fraud alerts which will trap unauthorized recurring billing charges. One can then leverage certain cards for recurring transactions vs. one-time transactions. Think of this like a spam trap. The way this would work is that a cardholder would flag a credit card as non-recurring, and if the same merchant processes the same fee each month, it would alert the cardholder and require the cardholder to approve the charge--pro-active instead of re-active.
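One way the recurring-payment trap described above could be evaluated on the issuer side, as an added example that is not from the original article. The `Charge` fields, the 25 to 35 day window used for "each month", the decision labels and the sample charges are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Charge:
    card_id: str
    merchant: str
    amount_cents: int
    day: date

# Assumption: "each month" means 25 to 35 days after the previous identical charge.
MONTHLY_WINDOW = range(25, 36)

def screen_charges(charges, non_recurring_cards):
    """Approve or hold each charge; hold = ask the cardholder to approve it."""
    last_seen = {}  # (card, merchant, amount) -> date of most recent charge
    decisions = []
    for c in sorted(charges, key=lambda ch: ch.day):
        key = (c.card_id, c.merchant.strip().lower(), c.amount_cents)
        prev = last_seen.get(key)
        repeats_monthly = prev is not None and (c.day - prev).days in MONTHLY_WINDOW
        if repeats_monthly and c.card_id in non_recurring_cards:
            decisions.append((c, "hold_for_cardholder"))
        else:
            decisions.append((c, "approve"))
        # Record the charge even when held, so next month's attempt is caught too.
        last_seen[key] = c.day
    return decisions

def held(decisions):
    """Return (merchant, ISO date) for every charge that needs approval."""
    return [(c.merchant, c.day.isoformat())
            for c, d in decisions if d == "hold_for_cardholder"]

# Constructed sample: card-A is flagged non-recurring, card-B is not.
SAMPLE = [
    Charge("card-A", "Example Alarm Co", 1999, date(2015, 1, 5)),
    Charge("card-A", "Example Alarm Co", 1999, date(2015, 2, 5)),  # 31 days later
    Charge("card-A", "Example Alarm Co", 1999, date(2015, 3, 5)),  # 28 days later
    Charge("card-A", "Corner Cafe", 450, date(2015, 2, 2)),
    Charge("card-A", "Corner Cafe", 450, date(2015, 2, 5)),        # 3 days later
    Charge("card-B", "Example Alarm Co", 1999, date(2015, 1, 5)),
    Charge("card-B", "Example Alarm Co", 1999, date(2015, 2, 5)),  # recurring allowed
]

if __name__ == "__main__":
    for merchant, day in held(screen_charges(SAMPLE, {"card-A"})):
        print("needs cardholder approval:", merchant, day)
```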
In-app Encrypted Biometric Authentication
I believe that in-app fraud can be significantly reduced with the introduction of encrypted biometric in-app authentication. This would require a buyer to authenticate the purchase with a biometric signature that is encrypted and can only be decrypted by the bank. Additionally, I would require the merchant to display all possible charges (today and later) vividly on the screen with a tamperproof watermark. Upon confirmation of purchase, order details with watermark, encrypted biometric authentication, and product information would be submitted to the bank for approval. The importance of the tamperproof watermark is so that the bank can verify what was really shown to the buyer--no more hidden fees.
What problems does this resolve? The problem that this solves is that no merchant or criminal would be able to process an in-app purchase without the consent and presence of the cardholder. Whereas now, if you have access to the device and password (could be your child), you can authorize that transaction from anywhere in the world. Furthermore, this would eliminate those notorious hidden fees: if they are not visible on the watermarked fee schedule, the bank would simply ping the buyer for authentication prior to approval of payment--preventative fraud protection and no more hidden fees. The ping can simply be a popup on your device that can be authorized via a biometric endorsement at any time.

Why don't services such as LifeLock work, and why are they not a good long-term investment for investors?

LifeLock and similar services are re-active. Meaning, they monitor your credit report and accounts for charges that seem out of the ordinary. This means the damage is already done, and you still have to clean it up and prove your innocence. Even more, given the level of sophistication in your identity theft case, and the guarantee that LifeLock offers, it can still be a lengthy experience. The world needs preventative security, not re-active security, and preventative security must happen at the source, not the middle man--pro-active rather than re-active.
Why may LifeLock not be a good long-term investment for investors? Simply put, as banks and organizations modernize their security systems, the demand for services such as LifeLock will diminish--simple economics, supply and demand.

What would I say to cardholders given today's technology?

Together we must raise awareness and we must "not wait to strike till the iron is hot; but make it hot by striking," as stated by William Butler Yeats.
Issuing banks will listen to our concerns if we together press the issue. Please share this article with them and with government to raise awareness, and demand these features be put in place immediately. Get involved; don't wait till you or your loved ones are affected by this evolving unethical dilemma. Take action now. And remember, real change must happen at the source to be preventative protection, and not re-active.
Also, watch your bills and leverage all available features offered at your issuing bank. If you find yourself in a similar situation, the goal is to catch and stop it before it gets too costly.

About Brandon Lee

Brandon Lee is the CTO of Circuit ID (www.circuitid.com) and possesses over 15 years of active computer programming, network management, business administration, law enforcement and telecommunications knowledge. Formerly responsible for protecting NASA against all threats, foreign and domestic, Brandon Lee has extensive knowledge in the field of technological-anything.
