Fraud Newsletter

September 2007

September 28, 2007

Today's Headlines:
Credit Card Thieves Donate To Charity While Avoiding Suspicion
Vishing for Civic-Minded Fraud Victims
Magstripe Fraud: Old Technology Still Valued by ID Thieves
Recent Data Breach Reinforces the Need for Robust Fraud Strategies
High-Tech Success: Anti-Fraud Software Proves Itself
Credit Card Processing and Employee Fraud - The Threat Within
Real-Time Falcon Statistics
Improperly Secured Wireless Networks
Getting Merchants to Comply with PCI: Major Incentives
Credit Card Fraud Trends: The Good News & the Bad

Credit Card Thieves Donate To Charity To Test Card Verification While Avoiding Suspicion

According to Symantec, the prominent Internet security firm, there has been an increase in the use of stolen credit cards to make charitable contributions as a way to test whether card numbers are valid and active before the thieves attempt to sell them or make large purchases with them.

If the cards prove usable, the criminals can use them without worrying whether they will be declined or attract law enforcement attention.

Key: The thieves donate small amounts to the charities to avoid raising suspicion among credit card fraud teams that monitor transactions that fall outside normal patterns for individual card holders.

Because legitimate charitable transactions are not everyday occurrences for individuals, they likely wouldn't raise any flags, especially if they are for relatively modest amounts.

According to Symantec, testing to determine if a card is active is so important that thieves have set up a specific Internet relay chat command to handle it. A thief types in a card number and the script automatically makes a small transaction.

Thieves also have scripts that use the credit card numbers to tap into the user's name, Social Security number and credit limit.

Bank investigators will surely become attuned to the charity donation scheme and try to react to it. However, according to Symantec, this is tricky because issuers don't want to overreact and start blocking or verifying legitimate donations, which would create separate issues of its own.


Vishing for Civic-Minded Fraud Victims

In the relatively new "Jury Duty Scam," a fraudster telephones prospective victims, posing as a local court official and states that the victim has failed to report for jury duty. The perpetrator then explains that the victim's failure to report has resulted in a warrant being issued for their arrest.

Response: Most people will legitimately claim they never received any jury duty notifications.

To "clear things up," the fraudster then asks for either personal identifying information such as SSN and DOB for "verification" purposes, or payment information such as credit card number, bank account details, etc. for collecting alleged "fines".

Background: The "jury duty" scheme is a variation of phishing—the practice of using social engineering or manipulation techniques to trick victims into divulging sensitive information that is later used to commit credit card fraud and other crimes. While phishing is usually perpetrated via E-mail scams, similar fraud schemes, including the "jury duty" version, can take place over the telephone. This is referred to as "vishing" or voice phishing.

Though not a new concept, this scam is a classic example of a vishing scheme with a new twist—exploiting civic-minded individuals.


Visa, the FBI and all advise consumers to never give out confidential or personal information in response to unsolicited phone calls or E-mails.

With specific regard to the "jury duty" scheme, consumers should be informed that legitimate court personnel will never ask for private information over the phone and typically only communicate via traditional mail.

Additional Precautions:

  • Always verify the legitimacy of the caller by asking for official company or agency contact information, and then using directory assistance to verify and cross-reference the information given.

  • Never rely solely on the phone number the caller provides as a means of verifying the authenticity of the call. "Vishers" will often have an accomplice answer the phone and pose as a representative of the legitimate organization in the event of a return call.





Magstripe Fraud: Old Technology Still Valued by ID Thieves
Source: USA Today

Consisting of magnetized particles embedded on a thin band, the black stripe on the back of all credit and debit cards is the decades-old technology that makes the billions of daily credit, debit and gift card transactions possible.

In addition, magstripe technology is still widely used on employee access cards, public transit passes, phone calling cards, even hotel card keys.

Unfortunately, the magstripe continues to be a favorite tool of identity thieves. The only difference now compared to several years ago is the greater inventiveness of card fraudsters.

Example: The recent arrest of a suspected identity thief in Edmonton, Canada has shed light on one such inventive scam. Acting on a tip, Edmonton police arrested a 26-year-old man sitting in a restaurant typing on his laptop, and in possession of flash drives and computer printouts of credit card account data stolen from hundreds of U.S. and Canadian bank customers.

According to news reports, the arresting officer, Edmonton Detective Bob Gauthier, stated that the suspect also had several prepaid bank gift cards issued by Visa and MasterCard, and a device for embedding data on a magstripe, called a "magstripe reader-writer".


By altering the magstripes of authentic bank gift cards, the Canadian suspect bypassed a cumbersome step many other magstripe scammers take—manufacturing counterfeit credit cards.

The cards could then be used as any other legitimate bank gift cards to purchase goods and services at millions of retail outlets.

While the Canadian case makes this form of card fraud sound simple, Visa USA says that the fraudsters must defeat a security code on the magstripe as well as automated systems that watch for and alert the credit-issuing bank to suspicious transactions.


Yet crooks clearly are not being deterred. Gift cards issued by Visa, MasterCard and American Express have become especially attractive fraud targets because they are much more widely available and can be used at more places than merchant gift cards.

Additional problem for fraud fighters: Acquiring a bank gift card is as easy as buying a pack of gum at the grocery store or ordering a CD on-line. Thousands of banks, credit unions, supermarkets, drugstores and convenience stores offer them. They can be picked up at a grocery checkout line or ordered from online banking websites or sites such as

And they work at millions of restaurants and shops, using exactly the same magstripe payment system used for regular credit and debit card transactions.


Like merchant gift cards, bank gift cards are flat, with no embossed numerals and no cardholder name anywhere on the card. No proof of identity is required to use them.

Altering the magstripe to convert a bank gift card into a credit card "is a way to convert small-value cards into big-value plastic," says John Pironti, information risk strategist at tech consulting company Getronics.

Pironti notes that it takes several thousand dollars worth of equipment to produce counterfeit credit cards from scratch. "But if I whip out a generic Visa gift card, with an altered magstripe, with no name on it and no way to trace it, as long as I display confidence while making the purchase, no sales clerk in the world is going to stop me," he says.

Visa, MasterCard and American Express have begun rolling out "contactless" payment cards that use a computer chip to speed transactions and are said to be significantly more difficult to compromise than a magstripe. But magstripe payment cards are expected to continue in wide use for decades.


Recent Data Breach Reinforces the Need for Robust Fraud Strategies

Card-issuing institutions attempting to combat fraud received another jolt when Visa USA announced the TJX data breach. The result was the compromise of a large number of accounts, causing anguish throughout the industry. The angst rang especially true for small issuers where internal resources are often limited to the extent that only one or two people must spearhead the crisis management. It is instances such as the TJX crisis that emphasize the importance of a comprehensive approach to the credit and debit card fraud problem.

  • Fraud prevention—the first line of defense— The true first line is the authorization system. There are critical strategies that can be applied within the authorization system such as AVS (Address Verification Service), CVV/CVC, CVV2/CVC2, and exact expiration date matching. In all cases, authorizations should be declined when mismatches occur. Other less-common controls should be considered, such as name matching, daily limits and parameters to block suspicious transactions. These may include merchant category codes (MCC), country codes and dollar amounts.

By now, most institutions understand the importance of a 24/7 fraud detection system. These neural networks should include rules-based processing, predictive fraud scoring and the ability to block authorizations in real time. The ability to decline transactions at the point of purchase is paramount, because fraudsters typically stop using stolen cards when they receive the first declined transaction.

  • Investigation, challenge and recovery— Every issuer should pursue all avenues of recovery by reviewing fraudulent transactions to ensure they were authorized if above the floor limit, requesting copies of the draft, and obtaining affidavits of fraud from the cardholder. Procedures should also be implemented to challenge incidents of friendly fraud and negligence, such as disclosure of a PIN.

In large scale compromise events, issuers should be cognizant of Visa's Account Data Compromise Recovery Process (ADCR), which can help issuers offset compromise-related costs and recover losses associated with the re-issuance of cards. Issuers should also pressure merchants to be responsible with data storage and to comply with industry standards.

  • Analytics on confirmed fraud— It is important that issuers have the ability to analyze broad ranges of data in an effort to spot flash fraud patterns and possible points of compromise. This data can consist of neural network scores, authorization level information, monetary and non-monetary data, and fraud trend information. The database can then be queried to more effectively write rules for processing and proactively react to large compromise events. Because time is of the essence, a solid analytics strategy can provide an early warning system, allowing mitigation strategies to be developed ahead of the curve.

While the largest institutions have spent millions to develop advanced fraud mitigation strategies, smaller issuers need the ability to take advantage of similar tools. Many processors are responding by developing multi-pronged solutions, such as FIS Secured from Fidelity National Information Services. FIS goes a step further by guaranteeing their services so the institution can receive reimbursement for fraudulent transactions. For information, call 877-482-8786.


High-Tech Success: Anti-Fraud Software Proves Itself

Four Eastern European crooks who stole bank card numbers in Rhode Island pleaded guilty to multiple counts of conspiracy to traffic in unauthorized access devices and aggravated identity theft, thanks to fraud detection software from an Omaha, NE company combined with fast work by bank and law enforcement authorities.

The case, which resulted in $130,000 in bank losses, demonstrates how technology is beginning to gain ground against the increasingly sophisticated thieves who quickly turn stolen card information into cash.

Details: According to court documents, during overnight hours at 24-hour Stop & Shop grocery stores in New England, the crooks, who had traveled from California, replaced PIN-pad terminals with nearly identical devices that had been electronically altered to capture customers' account numbers and PINs.

As they entered a store, one of the defendants would distract a clerk while others swapped terminals, which they achieved in as little as 12 seconds. Several days later, they returned to the store, replaced the original terminal, and made off with the altered one containing numerous customers' account information.

According to legal documents, Secret Service agents confirmed that unidentified individuals in California and Arizona fraudulently used at least 238 compromised account numbers that had been captured at two of the New England grocery stores.

The cost: Investigators have confirmed that, as a result of the scheme, $132,018 in fraudulent charges were made against accounts at several financial institutions.

The bust: An investigator at one of the institutions, Citizens Bank, detected a common point in a rash of unauthorized ATM withdrawals: all of the compromised accounts had been used by their legitimate owners at specific Stop & Shop stores in Coventry and Cranston, RI.

The pattern was detected through use of software from ACI Worldwide Inc. of Omaha, NE, called Proactive Risk Manager.

Stop & Shop security personnel subsequently reviewed store surveillance tapes and saw the defendants switching the PIN-pad terminals.

Police later arrested three of the men inside the Coventry store, after employees recognized them from surveillance photos. As one of the perpetrators was being arrested, a PIN-pad terminal fell out of his jacket. One of his co-conspirators was arrested in a car parked outside the store.

A search of hotel rooms in Manchester, CT, where the men were staying, produced materials used in skimming credit and debit card information, including credit card readers. A laptop computer seized during the search contained thousands of credit and debit card account numbers and PINs, stored in folders labeled "Stop & Shop."

It is believed that the men who stole the card numbers probably sold them to another group of criminals who specialize in imprinting cards with stolen numbers. The cards and accompanying access cards may have been sold to a third group of "specialists" who carried out the actual transactions.
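A defender's version of the common-point analysis described in this case and in the "analytics on confirmed fraud" point of the previous article, as an added example that is not the newsletter's, Citizens Bank's or ACI Worldwide's code: it assumes a plain list of authorizations and a confirmed-fraud list (both constructed here) and ranks merchants by how far their fraud rate exceeds the card base's overall rate, so a busy but honest merchant is not flagged merely because many cards pass through it.

```python
"""Common-point-of-purchase (CPP) analysis over authorization history.

Added example: not code from the newsletter, Citizens Bank or ACI Worldwide.
Given the accounts confirmed as fraud and the authorization history of all
accounts, find merchants the compromised cards share in the period before
their fraud began, and compare each merchant's fraud rate with the base rate
across the whole card base, so busy but innocent merchants are not flagged
just for being popular.  All data below is constructed for illustration.
"""
from collections import defaultdict
from datetime import date as D

# Constructed history: (account id, merchant descriptor, authorization date).
HISTORY = [
    ("A1", "GROCERY-1", D(2007, 8, 2)), ("A2", "GROCERY-1", D(2007, 8, 3)),
    ("A3", "GROCERY-1", D(2007, 8, 3)), ("A4", "GROCERY-1", D(2007, 8, 5)),
    ("A7", "GROCERY-1", D(2007, 8, 6)),
    ("A5", "GROCERY-2", D(2007, 8, 9)), ("A6", "GROCERY-2", D(2007, 8, 9)),
    ("A8", "GROCERY-2", D(2007, 8, 10)),
    ("A1", "GROCERY-3", D(2007, 8, 12)), ("A2", "GROCERY-3", D(2007, 8, 12)),
    ("A7", "GROCERY-3", D(2007, 8, 13)), ("A8", "GROCERY-3", D(2007, 8, 13)),
    ("A9", "GROCERY-3", D(2007, 8, 14)), ("A10", "GROCERY-3", D(2007, 8, 14)),
    ("A1", "COFFEE-4", D(2007, 8, 15)), ("A3", "COFFEE-4", D(2007, 8, 15)),
    ("A5", "COFFEE-4", D(2007, 8, 16)), ("A7", "COFFEE-4", D(2007, 8, 16)),
    ("A8", "COFFEE-4", D(2007, 8, 17)), ("A9", "COFFEE-4", D(2007, 8, 17)),
    ("A10", "COFFEE-4", D(2007, 8, 18)),
    ("A1", "FUEL-5", D(2007, 9, 20)),  # after A1's fraud began: not a candidate
]

# Constructed confirmed-fraud list: account id -> date the first fraud posted.
CONFIRMED_FRAUD = {
    "A1": D(2007, 9, 10), "A2": D(2007, 9, 11), "A3": D(2007, 9, 11),
    "A4": D(2007, 9, 12), "A5": D(2007, 9, 12), "A6": D(2007, 9, 13),
}


def merchant_exposure(history, confirmed_fraud, lookback_days=60):
    """Return {merchant: (accounts seen there before their fraud began,
    all accounts seen there)}.  Only visits inside the look-back window
    before an account's first fraud count as potential compromise points."""
    before_fraud = defaultdict(set)
    everyone = defaultdict(set)
    for acct, merchant, when in history:
        everyone[merchant].add(acct)
        first_fraud = confirmed_fraud.get(acct)
        if first_fraud is not None and 0 < (first_fraud - when).days <= lookback_days:
            before_fraud[merchant].add(acct)
    return {m: (before_fraud[m], everyone[m]) for m in everyone}


def rank_points_of_compromise(history, confirmed_fraud, min_fraud_accounts=2,
                              lookback_days=60):
    """Score every merchant visited by at least min_fraud_accounts compromised
    cards.  coverage = share of all confirmed-fraud accounts seen at the
    merchant; lift = the merchant's fraud rate divided by the base fraud rate
    of the whole card base.  Returns (merchant, fraud_accounts, coverage, lift)
    sorted by lift, then coverage, descending."""
    exposure = merchant_exposure(history, confirmed_fraud, lookback_days)
    all_accounts = {acct for acct, _, _ in history}
    base_rate = len(confirmed_fraud) / len(all_accounts)
    ranked = []
    for merchant, (fraud_accts, all_accts) in exposure.items():
        if len(fraud_accts) < min_fraud_accounts:
            continue
        coverage = len(fraud_accts) / len(confirmed_fraud)
        lift = (len(fraud_accts) / len(all_accts)) / base_rate
        ranked.append((merchant, len(fraud_accts), round(coverage, 2), round(lift, 2)))
    ranked.sort(key=lambda r: (r[3], r[2]), reverse=True)
    return ranked


def flag_points_of_compromise(history, confirmed_fraud, min_lift=1.0, **kw):
    """Merchants whose fraud rate exceeds the base rate: candidates for a
    terminal-tampering or skimming investigation, not proof of one."""
    return [m for m, _, _, lift in rank_points_of_compromise(history, confirmed_fraud, **kw)
            if lift > min_lift]


if __name__ == "__main__":
    for row in rank_points_of_compromise(HISTORY, CONFIRMED_FRAUD):
        print("%-10s fraud_accounts=%d coverage=%.2f lift=%.2f" % row)
    print("flagged:", flag_points_of_compromise(HISTORY, CONFIRMED_FRAUD))
```

In the constructed data COFFEE-4 is visited by half the fraud cards yet ranks below the base rate, which is why the ranking uses lift rather than raw coverage.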



Credit Card Processing and Employee Fraud - The Threat Within

Employee theft of customer information is a growing challenge for businesses and merchant service providers. Advances in technology have made it easy for dishonest merchant employees to steal customer credit information. Lax security procedures are also providing opportunities for employees to pilfer or misuse personal identifying information (PII).

Common schemes:

  • Fraudulently crediting card transactions to their own accounts. Here, employees issue credits to their own credit card accounts or to an accomplice's card from the merchant's credit card processing terminal using funds meant for the merchant's direct deposit account.

  • Recording card numbers. POS employees steal sales receipts left behind by cardholders or copy card numbers onto a separate piece of paper.

    Helpful: Credit card processing terminals that truncate the card number on the customer's receipt can help your business avoid this type of fraud.

  • Using a card skimmer. This all-too-common and costly crime occurs when dishonest employees steal electronic data right off a customer's card through use of a small, battery-operated "card skimmer."

    These easily concealed hand-held devices "read" a card's magnetic stripe and record the cardholder data for later download to a computer. From there, the data can be used to make fraudulent purchases or produce counterfeit cards.

Prevention tips:

  • Monitor credit card processing activity daily.

  • Password-protect the credit function on the credit card processing terminal.

  • Secure the credit card processing terminal during non-business hours.

  • Ensure that all credits have accompanying internal documentation of customer information (name, and contact information) and reason for the return or dispute.

  • Match credits to returned or disputed goods or services, verify with customers that they did actually return / dispute goods or services.

  • Have more than one person review monthly merchant service provider and bank statements.

  • Thoroughly review credit card processing batches with negative dollar amounts (more credits than sales).

  • Track credits by card number, terminal number, employee, frequency, and dollar amount.

  • Use exception-based reporting to identify volume spikes in credit/return/dispute activity.

  • Protect all passwords and verify internal access controls for on-line account reporting, and checking account change requests.

Source: NTC Texas, a Dallas, TX-based merchant service provider.
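An exception report that applies several of the controls above (net-negative batches, credits without a return record, credits concentrated on one card or one employee, credit-to-sale volume spikes) to a constructed day of terminal activity. This is an added example, not NTC Texas's or the newsletter's code; the record fields and sample values are assumptions.

```python
"""Exception report for merchant credit (refund) activity.

Added example, not code from the newsletter or NTC Texas.  It runs the review
items listed above over one constructed day of terminal activity.  Field
names and values are assumptions made for the example.
"""
from collections import defaultdict, namedtuple

Txn = namedtuple("Txn", "batch terminal employee kind card amount return_ref")

# Constructed terminal activity for one day.  kind is SALE or CREDIT; return_ref
# is the internal return/dispute document number every credit should carry
# (None = the credit has no supporting documentation).
ACTIVITY = [
    Txn("B1", "T01", "E1", "SALE",   "****1001",  45.00, None),
    Txn("B1", "T01", "E1", "SALE",   "****1002", 120.50, None),
    Txn("B1", "T01", "E1", "CREDIT", "****1002", 120.50, "R-1001"),
    Txn("B1", "T01", "E1", "SALE",   "****1003",  15.00, None),
    Txn("B2", "T02", "E2", "SALE",   "****1004",  30.00, None),
    Txn("B2", "T02", "E2", "CREDIT", "****4411",  75.00, None),
    Txn("B2", "T02", "E2", "CREDIT", "****4411",  80.00, None),
    Txn("B2", "T02", "E2", "CREDIT", "****4411",  60.00, None),
]


def batch_net(activity):
    """Net settled amount (sales minus credits) per batch."""
    net = defaultdict(float)
    for t in activity:
        net[t.batch] += t.amount if t.kind == "SALE" else -t.amount
    return dict(net)


def negative_batches(activity):
    """Batches where credits exceed sales: the 'negative dollar amount' item."""
    return sorted(b for b, n in batch_net(activity).items() if n < 0)


def undocumented_credits(activity):
    """Credits with no return/dispute document behind them."""
    return [t for t in activity if t.kind == "CREDIT" and not t.return_ref]


def credit_concentration(activity, key, min_count=2):
    """Count and total of credits per key ('card', 'employee' or 'terminal');
    only keys with at least min_count credits are reported."""
    count, total = defaultdict(int), defaultdict(float)
    for t in activity:
        if t.kind == "CREDIT":
            count[getattr(t, key)] += 1
            total[getattr(t, key)] += t.amount
    return {k: (count[k], round(total[k], 2)) for k in count if count[k] >= min_count}


def credit_to_sale_ratio(activity):
    """Credits issued per sale rung up, per employee; a spike here is the
    volume anomaly that exception-based reporting is meant to surface."""
    sales, credits = defaultdict(int), defaultdict(int)
    for t in activity:
        (sales if t.kind == "SALE" else credits)[t.employee] += 1
    return {e: (round(credits[e] / sales[e], 2) if sales[e] else float("inf"))
            for e in set(sales) | set(credits)}


def exception_report(activity):
    """Everything a second reviewer should look at before the batch settles."""
    return {
        "negative_batches": negative_batches(activity),
        "undocumented_credits": len(undocumented_credits(activity)),
        "repeat_credit_cards": credit_concentration(activity, "card"),
        "credits_by_employee": credit_concentration(activity, "employee"),
        "credit_to_sale_ratio": credit_to_sale_ratio(activity),
    }


if __name__ == "__main__":
    for item, value in exception_report(ACTIVITY).items():
        print("%-22s %s" % (item, value))
```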


Real-Time Falcon Statistics

Statistics reported: # of Actual Fraud Cases; # of Actual Fraud Accounts; Fraud $'s Saved*

* Potential loss if entire credit line had been compromised

For more information on Falcon statistics and ways that you can protect your bank from fraud attacks, contact Alan Nevels, Senior Vice President of ICBA Bancard at 1-800-242-4770 or visit ICBA Bancard's Online Risk Management & Prevention Center.


Improperly Secured Wireless Networks

The backbone of the modern payment processing system is the network, where sensitive data travels over networks connecting the many entities involved in the payment process. Proper installation, configuration, management and monitoring are essential to preventing possible data compromises. To minimize the threat of compromise, it is critical for all payment system participants to ensure their respective networks are properly managed and not susceptible to known vulnerabilities.

The availability of always-on high-speed connectivity brings a new level of efficiency to payments processing, but unfortunately, this connectivity also introduces vulnerabilities if not properly secured. For example, if an intruder breaches the outside perimeter of a network, the systems within this network can be compromised and lead to a loss of Visa account data. It is important to ensure adherence to the Payment Card Industry Data Security Standard ("PCI DSS") anywhere cardholder data is stored, processed or transmitted, including the point-of-sale ("POS") and processing environments.

The adoption of wireless technology is on the rise among participants in the payment industry – particularly retailers, many of whom use wireless technology for inventory control systems or checkout efficiency. Because wireless technologies have unique vulnerabilities, all users must carefully evaluate the need for the technology and understand the risks, as well as the security requirements, before deploying wireless systems.

Wireless networks should always be considered "untrusted," and it is highly recommended that security controls be implemented on all such networks, regardless of their purpose. In particular, if wireless technology is used to transmit cardholder data or if a wireless LAN is connected to any part of the cardholder environment, wireless security features must be implemented.


Payment system participants should be aware of the methods often used to attack wireless networks. All of the following exploits are widely documented on the internet and are easily learned by fraudsters.

Eavesdropping occurs when an attacker gains access to a wireless network just by "listening" to traffic. Radio transmissions can be freely and easily intercepted by nearby devices or laptops without the sender or intended recipient knowing whether the transmission has been intercepted.

If a wireless LAN is part of an enterprise network, a compromise of that LAN may result in rogue access (compromise of the enterprise network). An attacker with a rogue access point can fool a mobile station into authenticating with the rogue access point, thereby gaining access to the mobile station. This is known as a "trust problem," and the only protection against it is an efficient access-authentication control.

Additionally, due to the nature of radio transmission, wireless LANs are vulnerable to denial-of-service ("DoS") attacks and radio interference. Such attacks can be used to disrupt business operations or to gather additional information for use in initiating another type of attack.


To safeguard wireless networks, there are several strategies that payment system participants are encouraged to adopt.

To begin, the payment-processing environment must be segmented from public networks, including wireless networks, so that in the event of a network problem the issue is isolated to the affected subnet. Furthermore, strong Access Control List ("ACL") router rules should be implemented. ACLs will help to block traffic on known ports that should not be present on the protected network.

Wireless transmissions must be encrypted using Wi-Fi Protected Access (WPA or WPA2) technology, IPsec VPN, or SSL/TLS per PCI DSS requirements. Never rely exclusively on Wired Equivalent Privacy ("WEP") to protect confidentiality and access to a wireless LAN.

Additionally, vendor-supplied default passwords for wireless devices should be changed, as they are well known to hackers and are often available on the Internet. The default Service Set Identifier ("SSID") on the wireless Access Point ("AP") should also be changed, as the SSID can be sniffed in plain text from a packet and does not supply any security. When changing the character string, the SSID should not reflect a name or company identifier.

Finally, solutions should be implemented that centrally manage wireless networks, including logging, monitoring and periodic wireless scanning to identify rogue or insecure wireless devices. These mitigation strategies should ensure that improperly secured wireless networks are managed within the network and provide strong and secure access controls.
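A small audit of periodic wireless scan results against the controls above, as an added example that is not Visa's or the newsletter's code: given constructed survey records and an assumed authorized access-point inventory, it reports rogue devices, WEP or open networks, vendor-default SSIDs and SSIDs that reveal the company name ("acmebank" is an assumed name for the example).

```python
"""Audit of periodic wireless scan results against the controls above.

Added example, not code from the newsletter or Visa.  Input is a list of
constructed survey records (SSID, BSSID, strongest advertised security) plus
an assumed inventory of authorized access points; output is a list of findings
covering rogue devices, WEP/open networks, vendor-default SSIDs and SSIDs that
reveal the company name.  "acmebank" is an assumed company name.
"""
import re

# Constructed scan results, as a site-survey tool might export them.
SCAN = [
    ("acmebank-pos",   "00:11:22:33:44:01", "WPA2"),
    ("whse-inventory", "00:11:22:33:44:02", "WEP"),
    ("linksys",        "00:11:22:33:44:03", "OPEN"),
    ("corp-guest",     "00:11:22:33:44:04", "WPA2"),
    ("ACMEBANK-mgmt",  "00:11:22:33:44:05", "WPA2"),
]

# Assumed authorized inventory: BSSID -> the SSID that AP is supposed to carry.
INVENTORY = {
    "00:11:22:33:44:01": "acmebank-pos",
    "00:11:22:33:44:02": "whse-inventory",
    "00:11:22:33:44:05": "ACMEBANK-mgmt",
}

COMPANY_NAMES = ("acmebank",)   # assumed; strings an SSID must not reveal
ACCEPTABLE = {"WPA", "WPA2"}    # WEP and open networks never qualify
# Common vendor-default SSID prefixes; extend with the vendors actually deployed.
DEFAULT_SSID_RE = re.compile(r"^(linksys|default|netgear|dlink|wireless)\b", re.I)


def audit_scan(scan, inventory, company_names=COMPANY_NAMES):
    """Return (bssid, finding, detail) tuples; one device can have several."""
    findings = []
    for ssid, bssid, security in scan:
        if bssid not in inventory:
            findings.append((bssid, "ROGUE", "BSSID not in the authorized inventory"))
        elif inventory[bssid] != ssid:
            findings.append((bssid, "SSID_MISMATCH",
                             "inventory says %r, beacon says %r" % (inventory[bssid], ssid)))
        if security not in ACCEPTABLE:
            findings.append((bssid, "WEAK_ENCRYPTION",
                             "%s in use; PCI DSS calls for WPA/WPA2, IPsec VPN or SSL/TLS"
                             % security))
        if DEFAULT_SSID_RE.match(ssid):
            findings.append((bssid, "DEFAULT_SSID", "vendor default SSID %r" % ssid))
        if any(name in ssid.lower() for name in company_names):
            findings.append((bssid, "IDENTIFYING_SSID", "SSID %r names the company" % ssid))
    return findings


def findings_for(findings, bssid):
    """Sorted finding codes for one device (handy for tickets and tests)."""
    return sorted(code for b, code, _ in findings if b == bssid)


if __name__ == "__main__":
    for bssid, code, detail in audit_scan(SCAN, INVENTORY):
        print(bssid, code, detail)
```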



Getting Merchants to Comply with PCI: Major Incentives

Failure by merchants to comply with the 12 requirements of PCI DSS is potentially catastrophic. At the very least, a fine of $500,000 will be assessed by the credit card companies. Potentially boosting that financial hit could be the costs associated with civil liability, not to mention the substantially higher costs of the audit process for compliance verification and other outlays.

The good news is that there are significant benefits to PCI compliance, including:

  • "Safe harbor" status in the event of a compromise of customer data. If a merchant's protected data is stolen, but the company is in full PCI compliance, it will receive no fines.

  • Exemption from the stipulation in Visa's PCI Compliance Acceleration Program (CAP) allowing acquirers to pass on to non-compliant merchants the higher interchange rates that Visa will start charging as of October 1 for non-validation of PCI compliance on the part of their merchant clients.

  • Peace of mind that the company's IT infrastructure and business processes are essentially as secure as possible. There is even a secondary benefit in being able to market the fact that the company is in compliance, thereby giving customers confidence that their sensitive data will not be compromised.

Source: PCI Compliance. Implementing Effective PCI Data Security Standards, edited by Tony Bradley, Guide for the Internet/Network Security site at


Credit Card Fraud Trends: The Good News and the Bad

Credit and debit card fraud losses totaled $4.84 billion in 2006, according to the respected card industry newsletter, Nilson Report. That equaled 4.8 cents per $100.

The good news: According to the latest Nilson Report, substantial progress has been made in cutting "opportunity" fraud losses resulting from lost or stolen cards, as well from cards stolen from the mail and fraudulent card applications.

Thanks to the use of neural networks, chip cards and PIN verification systems, fraud from lost or stolen cards has plummeted to approximately 2.3 cents per $100 from nearly twice that amount ten years ago.

The bad news: Fraud losses continue to increase in the card-not-present (CNP) area. According to the latest Nilson data, CNP accounted for 34% of total fraud losses in 2006. The loss rate on CNP transactions has nearly tripled over the last 10 years, measuring approximately 3.5 cents per $100 in 2006. The boom in on-line retailing has no doubt played a significant role in exacerbating the CNP fraud problem.

On the positive side, according to Nilson, Verified by Visa and MasterCard's SecureCode, along with the widespread use of address verification services in the US and Canada and 3-digit security code verification, have helped to keep CNP fraud from "running out of control".




Calendar & Events:

Fraud Training Calendar (FIS Clients Only):

Oct. 11: Risk Management Tools & Services
Oct. 25: Lost, Stolen, Fraud & Disputes (Online Course)
November 6: Lost, Stolen, Fraud & Disputes (Online Course)
December 11: Computer-Based Fraud (Online Course)
December 18: Lost, Stolen, Fraud & Disputes (Online Course)

Register for ICBA Bancard's Card Conference and Expo

Mark your calendars, because ICBA Bancard's Card Conference and Expo is coming to St. Petersburg, FL from November 11-13, 2007...and you're invited!

The annual event will once again bring community banks and card issuing experts together in one venue so that you can learn about the newest card trends and what strategies other community banks are adopting. On-site portfolio analysis and consultation with ICBA Bancard's specialists make this a can't-miss event for any community bank looking to optimize card operations.


Product Highlights:

Visa Security ToolKit

Visa USA's Marketing, Corporate Relations and Risk team has created a security breach response toolkit entitled: "Understanding a Data Compromise and How to Respond." Effective communications can in fact make the difference between a data-breach incident that is contained and managed and one that could threaten your organization's core relationship with your customers.


Real-Time Processing for eNFACT is Generally Available (FISERV EFT Clients Only)

The Fiserv EFT neural network transaction fraud detection system, eNFACT, utilizes Falcon software technology to detect the likelihood of a transaction being fraudulent. eNFACT fraud case management has previously been available in a near real-time environment.

eNFACT Real-Time is an add-on product offering that can be added to a client's existing Case Management or Near-Time program. eNFACT Real-Time allows clients to set filters at the card base that determine which transactions will be scored in real-time and potentially denied during authorization processing based on the score. These filter options are:

  • ATM Amount – Any ATM debit transaction equal/greater than this amount will score in real-time.
  • POS Amount – Any POS debit transaction equal/greater than this amount will score in real-time.
  • International – Transactions that originate from a country other than the issuer's domestic country will score in real-time.
  • TranBlocker Denote & Continue – Transactions that "bump up" against a TranBlocker rule but are not denied will be scored in real-time.
  • CardTracker Compromised Card – Transactions for card numbers that are flagged as compromised via CardTracker will score in real-time.

No additional support on your business unit's part is required beyond what is required for Case Management or Near-Time product support.

(FIS Clients Only)
This newly developed website will allow for better communication between clients, company partners, and the processor regarding recent fraud trends as well as the latest products and services FIS is using to combat fraud and maximize recovery. (Available NOW!)

Merchant Statement Program
(FIS Client Only)

Merchants who accept credit cards are required to be compliant with PCI Data Security Standards. The critical focus of these security standards is to help merchants:

  • Improve the safekeeping of cardholder information by enhancing their security standards.
  • Tighten these standards to help reduce the likelihood of experiencing breaches and financial losses.
  • Avoid the possibility of fines and penalties levied by Visa and MasterCard.

In an effort to better educate merchants about compliance and validation requirements of these standards, the FIS merchant team recommends the inclusion of a brief message in each monthly merchant statement. We encourage you to submit your own unique message or authorize us to include a message informing your merchants of the importance of being responsive to Visa and MasterCard compliance mandates, deadlines and other related information.

The administrative cost of this campaign is a monthly flat fee of $25 per bank (or per your agreement) regardless of the number of merchants. In order to facilitate the delivery of this statement message, we ask that you submit your approval to your merchant representative via email. If you have any questions, please feel free to call 727 227-5088.

Fraud Loss Protection Plan

This "Members only" program assists your bank in recouping losses that would otherwise be unrecoverable.

Coverage included for cards:
• Lost & Stolen
• Not Received as Issued
• Counterfeit
• Skimmed Counterfeit
• Account Take Over
• Identity theft



Online Fraud Claims Tool

Allows ICBA Bancard Fraud Loss Protection Plan participants to track status of reimbursement claims.

• Track claims from date of receipt to completion
• View processing comments entered by analysts
• View compensation amounts processed for your bank
• Examine or print any claims
• Secure login access


Custom Portfolio Consultation:

As a dedicated resource to all community banks, ICBA Bancard offers risk, marketing, and operational consultations at no cost to community banks.


TCM Bank

This limited purpose credit card bank is designed to position community banks in the credit card business, promoting the bank's identity while limiting or eliminating the bank's exposure to risk and marketing costs.




Prevention Highlights:

Web-based Fraud Awareness Training for Bank Employees:

FraudAware is the leading customizable on-line course that equips employees with the knowledge to prevent, detect and report:

• Credit card fraud
• Debit card fraud
• Check fraud
• Internal theft
• Other financial crimes affecting issuing banks.



This technology makes use of Behavior-Metrics science that individually or concurrently authenticates that the correct people are accessing and/or receiving information in a secure and efficient environment.


Bancard Fraud Quarterly
Published by ICBA Bancard
© 2007 ICBA

Contact Editors of Bancard Fraud Quarterly

1615 L Street NW
Suite 900
Washington, DC 20036
Ph: (202) 659-8111