Credit Card Fraud Protection
Credit card fraud is a wide-ranging term for theft and fraud committed using a credit card or any similar payment mechanism as a fraudulent source of funds in a transaction. The purpose may be to obtain goods without paying, or to obtain unauthorized funds from an account.

CP (CARD PRESENT):

- Get a signature. Ask the customer to sign the imprinted sales draft.
- Check the signature. Be sure that the signature on the card matches the one on the sales draft.
- Do not accept an unsigned card.
- If you suspect fraud, immediately make a Code 10 call to your voice authorization center.

SIX WARNING SIGNS OF FRAUD: Certain customer behavior could point to card fraud, but it doesn't necessarily indicate criminal activity. You know your customers, so let your instincts steer you in the right direction. Watch out for customers who:

- Purchase a large amount of merchandise without regard to size, style, color, or price.
- Ask no questions on major purchases.
- Try to distract or rush you during the sale.
- Make purchases and leave the store, but then return to make more purchases.
- Make large purchases just after the store’s opening, or as the store is closing.
- Refuse free delivery for large items.

CNP (CARD NOT PRESENT): Take these steps to accept Visa CNP payments:

- Verify the card’s legitimacy: Ask the customer for the card expiration date, and include it in your authorization request. An invalid or missing expiration date might indicate that the customer does not have the actual card in hand.
- Use fraud prevention tools such as Visa’s Address Verification Service (AVS), Card Verification Value 2 (CVV2), and Verified by Visa.

If you receive an authorization, but still suspect fraud:

- Ask for additional information during the transaction (e.g., request the financial institution name on the front of the card).
- Contact the cardholder with any questions.
- Confirm the order separately by sending a note via the customer's billing address rather than the “ship to” address.

To report suspicious activity, contact your merchant financial institution.

POTENTIAL SIGNS OF CNP FRAUD: Keep your eyes open for the following fraud indicators. When more than one is true during a card-not-present transaction, fraud might be involved. Follow up, just in case.

- First-time shopper: Criminals are always looking for new victims.
- Larger-than-normal orders: Because stolen cards or account numbers have a limited life span, crooks need to maximize the size of their purchase.
- Orders that include several of the same item: Having multiples of the same item increases a criminal's profits.
- Orders made up of “big-ticket” items: These items have maximum resale value and therefore maximum profit potential.
- “Rush” or “overnight” shipping: Crooks want these fraudulently obtained items as soon as possible for the quickest possible resale, and aren’t concerned about extra delivery charges.
- Shipping to an international address: A significant number of fraudulent transactions are shipped to fraudulent cardholders outside of the U.S. Visa AVS can't validate non-U.S. addresses, except in Canada and the United Kingdom.
- Transactions with similar account numbers: Particularly useful if the account numbers used have been generated using software available on the Internet (e.g., CreditMaster).
- Shipping to a single address, but transactions placed on multiple cards: Could involve an account number generated using special software, or even a batch of stolen cards.
- Multiple transactions on one card over a very short period of time: Could be an attempt to "run a card" until the account is closed.
- Multiple transactions on one card or a similar card with a single billing address, but multiple shipping addresses: Could represent organized activity, rather than one individual at work.
- In online transactions, multiple cards used from a single IP (Internet Protocol) address: More than one or two cards could definitely indicate a fraud scheme.
- Orders from Internet addresses that make use of free e-mail services: These e-mail services involve no billing relationships, and often neither an audit trail nor verification that a legitimate cardholder has opened the account.

ADDRESS VERIFICATION SYSTEM (AVS): The Address Verification System (AVS) is a system used to verify the identity of the person claiming to own the credit card. The system checks the billing address provided by the user against the address on file at the credit card company. AVS verifies the numeric portions of a cardholder's billing address. For example, if your address is 101 Main Street, Highland, CA 92346, AVS will check 101 and 92346.
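The cross-order indicators in the list above (similar account numbers, one shipping address or one IP address with several cards, one card reused in a short period) can be checked mechanically over an order log. The sketch below is an added example, not code from the original article; it also covers the same card number resubmitted with different expiration dates, which the article describes under PATTERN DETECTION. The field names, limits and sample orders are constructed assumptions, and the card numbers are made-up digit strings.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations

def _o(oid, card, exp, ip, ship, ts):
    return {"id": oid, "card": card, "exp": exp, "ip": ip, "ship": ship,
            "ts": datetime.fromisoformat(ts)}

# Constructed sample orders; card numbers are made-up, not real accounts.
ORDERS = [
    _o(1, "4000001234567890", "05/27", "203.0.113.7", "12 OAK ST 92346", "2024-03-01T00:10"),
    _o(2, "4000001234567890", "06/27", "203.0.113.7", "12 OAK ST 92346", "2024-03-01T00:12"),
    _o(3, "4000001234567890", "07/27", "203.0.113.7", "12 OAK ST 92346", "2024-03-01T00:15"),
    _o(4, "4000001234567817", "01/26", "203.0.113.7", "12 OAK ST 92346", "2024-03-01T00:20"),
    _o(5, "4000001234567833", "09/26", "203.0.113.7", "12 OAK ST 92346", "2024-03-01T00:25"),
    _o(6, "5100009876543210", "11/25", "198.51.100.20", "88 ELM AVE 10001", "2024-03-01T14:00"),
]

def many_cards_per(orders, field, limit=2):
    """Values of `field` (ship address, IP) seen with more than `limit` distinct cards."""
    seen = defaultdict(set)
    for o in orders:
        seen[o[field]].add(o["card"])
    return {value for value, cards in seen.items() if len(cards) > limit}

def expiry_guessing(orders, limit=2):
    """Cards submitted with more than `limit` different expiration dates."""
    exps = defaultdict(set)
    for o in orders:
        exps[o["card"]].add(o["exp"])
    return {card for card, dates in exps.items() if len(dates) > limit}

def rapid_reuse(orders, count=3, window=timedelta(minutes=10)):
    """Cards with `count` or more orders inside one sliding time window."""
    times = defaultdict(list)
    for o in orders:
        times[o["card"]].append(o["ts"])
    hits = set()
    for card, stamps in times.items():
        stamps.sort()
        for i in range(len(stamps) - count + 1):
            if stamps[i + count - 1] - stamps[i] <= window:
                hits.add(card)
                break
    return hits

def near_duplicate_cards(orders, max_diff=2):
    """Distinct same-length card numbers that differ in at most `max_diff` digits."""
    cards = sorted({o["card"] for o in orders})
    hits = set()
    for a, b in combinations(cards, 2):
        if len(a) == len(b) and sum(x != y for x, y in zip(a, b)) <= max_diff:
            hits.update((a, b))
    return hits

def review_flags(orders):
    """Map order id -> sorted indicator names; orders with no hit are omitted."""
    checks = {
        "many_cards_one_ship_address": ("ship", many_cards_per(orders, "ship")),
        "many_cards_one_ip": ("ip", many_cards_per(orders, "ip")),
        "expiry_guessing": ("card", expiry_guessing(orders)),
        "rapid_reuse": ("card", rapid_reuse(orders)),
        "near_duplicate_card_numbers": ("card", near_duplicate_cards(orders)),
    }
    flags = defaultdict(list)
    for o in orders:
        for name, (field, bad_values) in checks.items():
            if o[field] in bad_values:
                flags[o["id"]].append(name)
    return {oid: sorted(names) for oid, names in flags.items()}

if __name__ == "__main__":
    for oid, names in sorted(review_flags(ORDERS).items()):
        print(oid, ", ".join(names))
```

A hit is a reason to hold the order for manual review, not proof of fraud: a household sharing one IP address and one shipping address trips the same rules.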
CARD VERIFICATION METHODS (CVM): Card Verification Methods (VISA = CVV2, MasterCard = CVC2, and American Express = CID) use a security code of 3 or 4 extra digits imprinted on the card, but not embedded or encrypted in the magnetic stripe. This verification code does not appear on credit card receipts. Since most fraudulent transactions result from stolen card numbers rather than the actual theft of the card, a customer that supplies this number is much more likely to be in possession of the credit card. VISA claims that the use of AVS with CVV2 validation for card-not-present transactions can reduce chargebacks by as much as 26%. Merchants that accept Internet, mail-order, and telephone orders must be prepared to request the verification code when the cardholder is not present to help validate a transaction. Even if a merchant cannot confirm the CVV2 number, they can still ask for it, or provide a space for the number on their web order form. If the crook does not have the number, they could look somewhere else to commit their fraud. The merchant is not allowed to store the CVM numbers. The merchant should never keep the customer's credit card "on file". Each transaction should be treated as a new order. We've all seen too many reports of computer files being compromised by hackers.

PAYER AUTHENTICATION PROGRAMS: SecureCode enables cardholders to create a PIN (or "secure code") and assign it to their credit card. During checkout, the customer is prompted to enter their PIN, and the cardholder's identity can then be confirmed by their card-issuing bank. The card issuer provides additional data elements to confirm the cardholder's identity.

REAL-TIME AUTHORIZATION: Credit card information is sent to the processor for immediate approval (usually 5 seconds or less). This method ensures that the credit card has not been reported as lost or stolen and that the number is valid. The customer is still in contact with the merchant, and incorrect information can be corrected.
There is an additional cost for real-time authorization. Authorization does not tell you if the person using the card is authorized to use the card.

BIN CHECK: The first 6 digits of the credit card are called the Bank Identification Number (BIN). You can determine if the credit card holder and the issuing bank for the credit card are located in the same country. Legitimate users sometimes use a credit card from another country. You can enter the BIN of a credit card number at http://all-nettools.com/toolbox,financial . The site provides the bank name, card type, and a 3-character code for the country.

CALLING THE CARD-ISSUING BANK: When you call the card-issuing bank, have your merchant number, your phone number, and the customer's full name, address, and phone number ready. You can ask the card-issuing bank to make a courtesy call to your customer to verify the charge.

DIFFERENT BILL AND SHIP TO ADDRESSES: Use Google to search for the numeric street address, street name, and zip code. The web site at http://www.anywho.com integrates telephone numbers, maps, and email addresses. Check for bogus billing addresses like 123 Main Street. Use resources like http://maps.yahoo.com to see if the address can be verified. If the billing and shipping addresses are different, request telephone numbers for both addresses. You can also establish a company policy of requiring a delivery signature (UPS, Federal Express, post office) and charge an extra fee to recover your costs.

NEGATIVE HISTORICAL FILE: Keep a database of prior fraud attempts, problem customers, chargeback records, and customers receiving refunds. This file should include the customer name, shipping/billing addresses, phone numbers, credit card numbers, IP addresses, email addresses, and merchant comments. Incoming orders can be searched for matches in this database. This method reduces the incidence of repeat offenders and has a relatively low cost, but does not stop new fraudsters.
SHARED NEGATIVE HISTORICAL FILE: Several merchants combine their negative historical databases. Since this database has fraud data from several merchants, using this file should reduce fraudulent hits. Pattern-specific fraud should be reduced. One drawback is that a bad customer for one merchant may not be a bad customer for other merchants.

POSITIVE DATABASE FILE: This file contains a list of good customers, for example, customers eligible for upgrade purchases. Customers who purchased successfully in the past are more than likely not committing fraud. This file can contain the same types of information as the negative file. You must limit who can access the information in this file. This file should also be encrypted.

CREDIT SERVICE DATABASE: A credit database service, such as Equifax ( www.equfax.com ), Experian ( www.experian.com ), or Trans Union (www.tuc.com), is most appropriate for high-dollar-value items. The customer would be asked to verify some very specific information such as the mother's maiden name or their social security number. This can be expensive and time consuming.

CUSTOMIZABLE MERCHANT RULES: Some e-commerce merchants feel this is the best method to catch fraud. The merchant sets up rules to stop or flag specific orders for review. For example, the merchant could set up rules to review all orders from a specific IP address or a specific country, orders that exceed a certain dollar amount, or orders shipping to a specific address. This method may flag valid customers for review, but it will reduce repeat or pattern-specific types of fraud.

FRAUD SCORING SYSTEMS: The merchant assigns points for different elements of a transaction (IP address, free email account, time of day, AVS results, amount of sale, type of products ordered, shipment method, different shipping/billing addresses, certain zip codes, etc.) to generate a fraud score that indicates the likelihood of fraud.
Points could also be added back for other factors such as previous orders, length of time as a customer, etc. The merchant decides what point levels should be used to approve, reject, or review the order. The merchant can adjust these values based on trends and time of the year. Large merchants have built their own scoring models based on their historical data of fraud and chargebacks. This very targeted model should catch more fraud, but requires additional time and/or money to implement the new software.

PATTERN DETECTION: Check if multiple orders are placed shipping to the same address, but different credit cards were used. Check orders for an unusually high quantity of a single item. If the credit card numbers vary by only a few digits, it is very likely these numbers were generated by software. Identify users who repeatedly submit the same credit card number with different expiration dates. Often the crooks have the credit card number, but not the expiration date, so they will just keep submitting that number with a different expiration date until they hit the right combination. Most fraudulent orders in the US are made between midnight and 2 a.m.

PREVENTATIVE MEASURES: Check the data fields to determine if the buyer is a real person. Check if the ZIP Code the customer listed really exists. Check if the customer's e-mail address is formatted properly. Check for incomplete names like Mr. Smith or bogus information such as Joe Smith or John Doe for the customer's name, or an address like 123 Main Street. Checking http://www.ussearch.com/consumer/index.jsp can give the merchant some idea of the customer's age. Your suspicions should be raised if the latest video game was ordered by an 80-year-old card holder.

FREE EMAIL ACCOUNTS: There is a much higher incidence of fraud from free email services. Many businesses refuse to accept orders from any free email accounts or any web-based, non-ISP email domains.
(I've seen numbers indicating there are over 3000 available free email accounts.) Virtually everyone who has a free, web-based, or email forwarding address also has a traceable ISP address. Many legitimate customers use free email addresses. Many fraudsters use free email addresses to remain anonymous. Most businesses purchasing a business product would not use a free email address. Depending on the value of the purchase, the merchant may want to request additional information from the customer either by phone or email. The merchant can ask the customer for their business or local email address (not a free email account such as Hotmail), the name and phone number of the bank that issued the credit card (located on the back of the card), the CVM code imprinted on the card, the exact name with middle initial on the credit card, the exact billing address (nine-digit zip code instead of five digits in the US), and the customer phone number. If you get a reply to your email request, you should be able to verify the additional information. A fraudster most likely will not reply to your request for more information. Your customer will not have a local ISP if they do not have a computer. This customer could be required to telephone the merchant or fax the order. The merchant should also have caller ID.

DOMAIN NAME RECORDS: Manually review the domain name of the email address on the order form. Look at the web site to determine if it is legitimate. Check if the web site offers free or low-cost email accounts. A web site that doesn't exist or is under construction should raise your suspicions. Check if the delivery address on your order form matches the contact information displayed on the web site. Use the Network Solutions database at http://www.networksolutions.com/cgi-bin/whois/whois to search for domain ownership information. The information may not match exactly (business versus a home address).
If the customer uses their own domain name, the city or state should at least match the information in the database. Unfortunately, Network Solutions has allowed fake contact names, telephone numbers of 000-000-0000, and contact addresses of 123 Main Street, Anytown, USA 00000. They also provide a service to 'hide' the owners from a search. Be suspicious if the whois information indicates registration in a country (such as Indonesia or Malaysia) with a high fraud rate.

REVERSE IP ADDRESS CHECKS: A unique IP (Internet Protocol) address is issued by an Internet Service Provider every time a user is logged on to the Internet. Your server logs can be analyzed to match information on order forms. On your order forms, add a tracking code with a hidden field called the Environment Report field. The syntax used by the different form handlers (FormMail, sendmail, blat.exe, etc.) varies. One example is . The IP information will be included when the order is submitted. Check if the IP address matches the email address and physical billing address of the customer. The IP address identifies the location of the server where the order was placed. Numerical IP addresses can be checked through programs such as WsPing32. The IP address database is constantly being updated, so it is sometimes incomplete and inaccurate. Matches may not occur if the card holder is traveling, or using a business card from a company branch located in a different city or country. The merchant should be concerned if a server address is located in one country, and the card holder's address is in another country. Check if the billing address, for example, findme@aol.com, matches the IP address from the block of IP numbers owned by AOL. If the fraudster is using an AOL address, the merchant can call the fraud department at AOL directly at 1-800-265-8003. The web site http://www.all-nettools.com/ can be used to check IP addresses.
SmartWhois finds information about an IP address or hostname, including country, state or province, city, name of the network provider, administrator, etc. Traceroute determines the path between your website and the person placing the order. It matches each machine along the path to a destination host and displays the corresponding name and IP address for that hop.
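The FRAUD SCORING SYSTEMS section above describes adding points per risk signal, adding points back for trust, and mapping the total to approve, review, or reject; the free-email and IP-location checks just described supply two of the inputs. The sketch below is an added example, not code from the original article. Every point value, threshold, field name and AVS label in it is a constructed assumption that a merchant would tune from its own fraud and chargeback history.

```python
# Added illustration: point values, thresholds, field names and AVS labels are
# constructed assumptions, not values from the article or a card network.
FREE_EMAIL_DOMAINS = {"hotmail.com", "yahoo.com"}  # illustrative subset only
REVIEW_AT, REJECT_AT = 40, 80

def _domain(order):
    return order["email"].rsplit("@", 1)[-1].lower()

# (signal name, points, predicate). Negative points are "added back" for trust.
RULES = [
    ("free_email", 15, lambda o: _domain(o) in FREE_EMAIL_DOMAINS),
    ("avs_no_match", 30, lambda o: o["avs"] == "none"),
    ("avs_partial", 10, lambda o: o["avs"] == "partial"),
    ("bill_ship_differ", 15, lambda o: o["bill_addr"] != o["ship_addr"]),
    ("ip_country_mismatch", 25, lambda o: o["ip_country"] != o["bill_country"]),
    ("bin_country_mismatch", 15, lambda o: o["bin_country"] != o["bill_country"]),
    ("rush_shipping", 10, lambda o: o["shipping"] == "overnight"),
    ("midnight_to_2am", 10, lambda o: 0 <= o["hour"] < 2),
    ("large_order", 20, lambda o: o["amount"] >= 500),
    ("repeat_good_customer", -30, lambda o: o["prior_good_orders"] >= 3),
]

def score_order(order):
    """Return (score, decision, names of the signals that fired) for one order."""
    fired = [(name, pts) for name, pts, test in RULES if test(order)]
    score = max(0, sum(pts for _, pts in fired))
    if score >= REJECT_AT:
        decision = "reject"
    elif score >= REVIEW_AT:
        decision = "review"
    else:
        decision = "approve"
    return score, decision, [name for name, _ in fired]

# Constructed sample orders.
BASE = {"email": "pat@example.com", "avs": "full",
        "bill_addr": "101 MAIN ST 92346", "ship_addr": "101 MAIN ST 92346",
        "bill_country": "US", "ip_country": "US", "bin_country": "US",
        "shipping": "ground", "hour": 15, "amount": 60, "prior_good_orders": 0}
# A legitimate cardholder ordering from abroad to a hotel: held for review.
TRAVELER = {**BASE, "ship_addr": "7 HOTEL RD 10001", "ip_country": "GB",
            "shipping": "overnight", "amount": 120}
# The same order from a customer with purchase history: points added back.
KNOWN_TRAVELER = {**TRAVELER, "prior_good_orders": 4}
# Many signals at once.
RISKY = {**BASE, "email": "x1@hotmail.com", "avs": "none",
         "ship_addr": "9 DROP LN 33101", "ip_country": "FR",
         "shipping": "overnight", "hour": 1, "amount": 900}

if __name__ == "__main__":
    for label, order in [("base", BASE), ("traveler", TRAVELER),
                         ("known traveler", KNOWN_TRAVELER), ("risky", RISKY)]:
        print(label, score_order(order))
```

Returning the list of fired signals alongside the score lets the reviewer see why an order was held, which matters because the traveler case shows a valid customer landing in the review band.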
ANONYMOUS AND OPEN PROXY IP ADDRESSES: Unfortunately, IP addresses can also be forged. These forged IP addresses hide the true location of the fraudster. Organized credit card fraud rings often use anonymous proxies. When a computer is infected by a virus, it can be used by spammers and credit card thieves to place fraudulent orders. A legitimate order could come from an infected computer. The IP address sent by the infected computer can be an open proxy IP address instead of their real IP address. The customer can visit the web site http://www.all-nettools.com or www.openrbl.org to check if the IP address their computer is sending to the Internet is an open proxy IP address.

CHECKING TELEPHONE NUMBERS: The web sites at http://www.freeality.com/finde.htm and http://www.theultimates.com/ provide plenty of tools to match the telephone area code to a postal zip code, reverse telephone directories, search for email addresses, maps, directions, etc. The web site at http://www.anywho.com integrates telephone numbers, maps, and email addresses. The web site http://nt.jcsm.com/ziproundacx.asp also provides zip code and telephone area code matching. Any telephone book is out of date as soon as it is sent to the printer. The Baby Bells update as many as 500,000 records every day. For under $10, the merchant can purchase a Rand McNally book each year titled the ZIP Code Finder, which includes telephone area code maps and ZIP codes for more than 120,000 places. You can also purchase a set of CD-ROMs which have addresses and telephone numbers. Use caller ID to match names and telephone numbers. The merchant can call directory assistance to determine if the number on the order form matches their number.

FAX ORDERS: When a credit card order is received by fax, require the customer to also fax copies of both sides of the credit card. This at least provides proof that the customer has possession of the credit card at the time of the order.
You could also require a copy of their state-issued ID or driver's license. It also provides additional proof the person authorized the purchase, preventing a chargeback.

INTERNATIONAL ORDERS: Some countries have very bad reputations for fraud. Your bank or credit card processor can provide a list of high-risk countries. Different sources will likely have different lists of high-risk countries. High-risk countries include developing nations like Indonesia, Malaysia, Benin, Nigeria, Pakistan, Israel, Egypt, and Eastern European countries. Placing an international phone call to the issuing bank may make sense for large orders. Another strategy to use with international orders is to ask the customer to contact you by phone or email for shipping costs. A fraudster may consider this too much contact, and decide to go elsewhere. Yellow and white page telephone directories for 30 countries can be located at http://www.anywho.com/international.html . Net2Phone allows anyone to call any phone in the world from their Internet connection at a fraction of the cost of a conventional long-distance phone call. Non-US businesses can use Net2Phone to verify US purchases. There are also many phone calling cards that offer extremely low rates for overseas calls. Contacting your foreign customers and the card-issuing banks is not that expensive, compared to the financial risks of delivering a fraudulent order. When contacting the card-issuing bank, keep a record of the name of the person you talked to.

CALLING THE CUSTOMER: Calling customers is not only an excellent way to detect fraud, but it can also be a valuable part of your customer service. The telephone call also gives the merchant the opportunity to welcome the customer, answer their questions, and build a solid relationship. Sometimes the fraudster will submit the actual phone number of the person whose card was stolen.
If the card holder did not authorize the charge, suggest that they call their credit card company to report their card as stolen.

WEB SITE INFORMATION: If your order form includes places to enter the CVV2 verification code imprinted on the credit card, the name of the card-issuing bank, the bank's toll-free telephone number printed on the card, and the customer's telephone number and email address, your additional verification can be quicker, and you may scare potential fraudsters away. Indicate that incomplete information will delay their order. State that you may need to contact the customer if there are any problems with their order. A fraudster will not reveal their telephone number, as he/she can be traced, and the number would most likely not match one of the on-line phone directories. Place prominent warnings on your site indicating that all orders are screened for fraud before processing. Indicate that you will report all fraud to the FBI Internet Fraud Complaint Center at http://www.ic3.gov/ . Even though federal investigators usually pursue larger fraud cases, knowledge of smaller frauds can reveal patterns to possibly break up larger fraud rings.
PROCESSING ORDERS: The merchant should have a policy of not shipping any order until the charge can be verified by their additional checks. The merchant can send an immediate email confirmation of the order, and explain that additional checks are being performed to reduce fraudulent orders. The additional checks may take 30 minutes, or can take days if telephone and email exchanges are necessary. The processing delay may cause the fraudster to go elsewhere. Many fraudsters want instant gratification, and wish to remain anonymous, so they will not reply to your emails requesting additional information. These checks create extra steps for the customer and merchant, so they can also lead to lost sales. Fraudsters need to have their transactions approved, and take delivery of the goods before the fraud is discovered. Be wary of orders with immediate or overnight delivery. Crooks don't care about the increased costs, since they aren't planning on paying for it anyway. If the order is being shipped overnight, require a delivery signature (UPS, Federal Express, post office). The fraudster may be using an innocent person's house as a drop-off point.

ANTI-FRAUD GROUPS: Educate yourself by attending a seminar offered by credit card companies and card processors.
Some merchants are joining fraud-screening organizations and beginning to use extra security software that determines the risk assessment. The merchant can decide to accept the card number or not based on that fraud rate value. Some organizations such as www.antifraud.com offer less expensive help ($10 per month). These groups also offer tips, databases of stolen credit cards, and web lookup tools. The cat-and-mouse game will never end.
The Indian Penal Code contains provisions to check economic crimes such as Bank Fraud, Insurance fraud, Credit card fraud, stock market manipulation, etc. The local police deal with the IPC crimes falling under the broad categories of ‘Cheating’ (Section 415-424), ‘Counterfeiting’ (Coins & Stamps Section 230-263A and Currency Section 489A-489E) and ‘Criminal Breach of Trust’ (Section 405-409).
ONLINE CREDIT CARD OFFENCE & INDIAN LAW: As far as the Indian legal position is concerned, any offence pertaining to online payment through credit cards will come within the purview of the Information Technology Act, 2000 read with the relevant provisions of the Indian Penal Code, 1860. Section 378 of the Code defines the term “theft”. Hacking has become an important tool in the hands of cyber criminals to take away confidential information relating to credit cards and use it illegally for their personal advantage, i.e. purchasing goods or online transaction of money etc. To deal with this menace, our Parliament enacted the Information Technology Act in the year 2000.

Section 66: This section provides the following penalties for hacking with computer systems: (1) Whoever with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hacking. (2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both. The offence under this Section is cognizable and non-bailable.

Section 43: Clauses (a), (b) and (g) of Section 43 state that if a person has unauthorized access or secures access to computer, computer system, computer network or downloads copies or extracts any data from such computer, computer system, computer network or even assists another person to facilitate access in the aforesaid manner
Thank U