  • Number of slides: 91

ECONOMIC OFFENCES USING CREDIT CARDS
Harshad S. Patil, B.Tech. (I.T.) (V.J.T.I.), PG. Dip. Cyber Crime Management
6/12/08

Agenda
  • Types of frauds
  • Statistics
  • Why is credit card fraud more disastrous and damaging than others?
  • Glossary
  • What credit card numbers signify
  • Working
  • What is Credit Card fraud (CCF)
  • Modus Operandi and scope of fraud in it
  • Common Types of CCF
  • Tools for CCF
  • Factors contributing to CCF
  • Suggested Precautions to be taken by merchants for prevention of online CCF
  • Credit Card Fraud (CCF) Detection Techniques
  • Tools to control CCF
  • Fraud Prevention Techniques
  • Types of Credit Card frauds
  • Cases related to Credit Card frauds
  • Problems in fixing criminal which enhances this crime and new methods to overcome it
  • Videos of credit card frauds
  • Conclusion

Fraud Defined
  • Fraud is the deliberate misrepresentation (or concealment) which causes another person to suffer damages, usually monetary losses. (Source: www.wisegeek.com/what-is-fraud.htm)
  • Textbook Definition: All multifarious means which human ingenuity can devise, and which are resorted to by one individual to get an advantage over another by false suggestions or suppression of the truth. It includes all surprises, tricks, cunning or dissembling, and any unfair way which another is cheated. (Source: Black’s Law Dictionary, 5th ed., by Henry Campbell Black, West Publishing Co.)

Examples of Fraud
  • Producing Fraudulent Financial Statements
  • Larceny – unlawful taking and removing of property with intent of permanently depriving the owner
  • Skimming – taking of property before it is recorded on the books
  • Fraudulent Disbursements
  • Kickbacks and bribes
  • Unauthorized or illegal use of confidential or proprietary information

Types of Fraud

Auction Fraud
  • Internet auction fraud occurs in several ways, but the most common is the failure to deliver the purchased item.
  • Internet auction fraud involves nondelivery, misrepresentation, triangulation, fee stacking, black-market goods, multiple bidding, and shill bidding.
  • International Auction Fraud
  • Escrow Services Scam: the victim signs up with the phony escrow service and sends payment to the service and receives nothing in return.

Identity Fraud
  • In what many are calling America's fastest growing type of robbery, crooks use your name, social security number or that blank, preapproved credit application you tossed out.
  • Hacking
  • Identity Theft
  • Phishing/Spoofing
  • Spam
  • Spyware

Financial Fraud
  • Any non-violent offense committed by or against an individual or corporation and which results in a financial loss.
  • Cross-Border Fraud
  • Advanced Fee Scams
  • Charities Fraud
  • Investment Fraud
  • Job Scams
  • Debt Elimination
  • Nigerian "4-1-9" Scams
  • Ponzi Schemes
  • The most common cross-border frauds involve:
    – Foreign lottery schemes
    – Travel offer scams
    – Advance-fee loans
    – Phony prize promotions
    – Unnecessary credit card loss "protection"

Pharmacy Fraud
  • Online Pharmacy Fraud incorporates numerous crimes and potentially dangerous health considerations.

Sweepstakes Fraud
  • Thousands of American consumers receive sweepstakes promotions but if you have to pay to play or pay to receive your "winnings" the promotion is a scam.
  • Foreign Lottery Fraud
  • Sweepstakes/Prizes Scam

Counterfeit Payments Fraud
  • The latest scam to hit American consumers involves counterfeit financial instruments.
  • Counterfeit Cashier's Checks
  • Counterfeit Money Orders

Causes of Fraud: Rationalization, Incentive, Opportunity

The Fraud Triangle helps explain the human process for committing fraud

Rationalization
  • Employees, vendors and others justify fraud:
    – “They owe me” or “I earned it”
    – “I need it more than they do”
    – “It’s only fair”
    – “God will forgive me”
  • Rationalization is a form of denial. The person is not accepting reality.
  • Rationalization is the hardest area for management to influence or control.

Incentive
  • Incentives and pressure can be real or imagined:
    – Compulsive behaviors: gambling, alcohol, illegal drug use
    – Financial debts: credit cards, health care
    – Family problems: divorce, extramarital affairs, problems with children
  • These issues on employees can be reduced via Employee Assistance Plans, counseling and work assignments. EAPs are management’s tool to help control fraud.

Opportunity
  • Opportunity is the perception by someone believing they can commit a fraud without getting caught.
  • Management controls and influences “opportunity” more than any other factor in the Fraud Triangle.
  • Management tools are employment checks, internal controls, internal and external audits and a host of other techniques.

90% of frauds are committed by “trusted” employees. Source: http://www.acfe.com

Fraud Indicators
  • Accounting anomalies
  • Internal control weaknesses
  • Analytical anomalies
  • Extravagant lifestyles
  • Unusual behaviors
  • Tips and complaints – whistleblower policy

Fraud statistics

Why does credit card fraud matter?
  • The Federal Trade Commission estimates that 10 million people are victimized by credit card theft each year
  • According to the US Department of Homeland Security, the cost of credit and charge card fraud may be as high as $500 million a year
  • These costs ‘trickle down’ in higher interest rates and fees for all consumers
  • Fraud victimisation in credit card frauds:
    – 28 per cent of florists;
    – 43 per cent of booksellers;
    – 26 per cent of recorded music retailers;
    – 33 per cent of toy and game retailers;
    – 30 per cent of computer hardware retailers.
  • Overall one-third of all retailers who had ever sold products online have been the victim of online fraud at some stage.

Why is CCF more damaging and disastrous than most of the other types?

CCF break up as per types (figure: http://www.popcenter.org/problems/credit_card_fraud/images/piechart.gif)

Stats in Canada (figure; data source: Statistics Canada, Canadian Centre for Justice Statistics)

Stats in US (figure; source: http://www.stargatesemiconductor.com/9003460290/CreditCardFraud.bmp)

Stats in UK (figure courtesy: KPMG)

Glossary
  • Skimming: Describes the process in which a device is used to copy the magnetic stripe encoding off of a card - one reason card holders are cautioned against using ATM machines that look unusual.
  • IMA: Internet Merchant Account. This is the virtual terminal linked to the bank account; it enables the merchant to accept payment by bank card from its customers and to receive money for sales.
  • IPSP: Internet Payment Service Provider or Payment Service Provider, provider supplying an online payment solution. Cashtronics is an IPSP or PSP.
  • Gateway (Secure payment gateway): It's an independent service acting as an intermediary between the merchant’s shopping cart and the different bank networks involved in the transaction (the purchaser’s bank card bank and the seller’s merchant account bank). It verifies the validity and encrypts the details of each transaction, ensures the correct destinations for the data, and decodes the responses sent back to the shopping cart.
  • SSL: Secure Socket Layer. This is a security protocol for data exchange on the Internet. Set up on a server, it mitigates the chance that information exchanged between the merchant’s server and the purchaser’s browser be intercepted by a third party.
  • Charge off: A loan or credit card debt written off as uncollectible from the borrower. The debt, however, remains valid and subject to collection.
  • Chargeback: A chargeback takes place when the cardholder informs his/her bank that they have not authorized a transaction or that the product ordered by him/her has not been delivered. In other words, it is an outstanding amount because the merchant is required to reimburse the cardholder. There are several levels of chargebacks, the most serious being for fraud, or if the card has been stolen.

For the merchants, it's terrifying!!
  • If online credit card fraud scares consumers, then it absolutely terrifies merchants! While consumers have some protection against fraud, fraudulent credit card transactions are costing ecommerce merchants many millions of dollars annually.
  • Counting the cost of fraud.
  • There are a couple of winners when it comes to fraud: the people perpetrating the fraud of course, and the credit card issuing banks. The fees involved with chargebacks are horrendous - US$ 30 and upwards per transaction! Additionally, if you experience a high rate of fraud, you may wind up paying higher processing fees or have your merchant account terminated altogether. After being terminated, it's very difficult to gain processing services elsewhere. Proper fraud screening is critical in not only saving money, but it can also save your business.

Credit card (Front Side)
  • An ISO 7812 number contains a single-digit Major Industry Identifier (MII), a six-digit Issuer Identification Number (IIN), an account number, and a single digit check sum calculated using the Luhn algorithm. The MII is considered to be part of the IIN.
  • The term "Issuer Identification Number" (IIN) replaces the previously used "Bank Identification Number" (BIN)

Credit card (Rear Side)
  • CARD VERIFICATION VALUE (CVV): A card verification value, or CVV, is a three- or four-digit number printed on a credit card (and encoded on the mag strip) for fraud protection. It provides a cryptographic check of the information embossed on the credit card. The use of the CVV in an online transaction is intended to signify the physical presence of the card at the transaction’s origin, e.g. in the hands of an online customer, thus reducing the occurrence of credit card fraud in card-not-present transactions. Unfortunately, as CVVs have been captured and stored in merchant databases that are subsequently compromised, the anti-fraud value of the CVV has recently diminished.
  • CVV2 CODE: These are the last three digits (or four digits for American Express) of the number found on the back of bank cards. Without this number it is often impossible to carry out a purchase in an online shop.
  • Card Security Code/Card Identification Number (CIN) is typically the last three digits printed on the signature strip on the back of the card. In the case of American Express cards, it can be a four-digit number printed (but not embossed) on the front of the card.

Credit card (Rear Side) (figure)

Meaning of CC digits:
  • The first digit of your credit card number is the Major Industry Identifier (MII), which represents the category of entity which issued your credit card. Different MII digits represent the following issuer categories:
    – 3 - travel/entertainment cards (such as American Express and Diners Club)
    – 4 - Visa
    – 5 - MasterCard
    – 6 - Discover Card
  • Issuer Identifier: The first 6 digits of your credit card number (including the initial MII digit) form the issuer identifier. This means that the total number of possible issuers is a million.

    Issuer       Identifier        Card Number Length
    VISA         4xxxxx            13, 16
    MasterCard   51xxxx-55xxxx     16

  • Account Number: Digits 7 to (n - 1) of your credit card number are your individual account identifier. The maximum length of a credit card number is 19 digits. As the final digit is the check digit, this means that the maximum length of the account number field is 19 - 7, or 12 digits. Each issuer therefore has a trillion possible account numbers.
  • The final digit of your credit card number is a check digit, akin to a checksum.
  • E.g.: 4408 0412 3456 7890. The first credit card offer showed a picture of a card with the number 4408 0412 3456 7890. The Major Industry Identifier (MII) is 4 (banking and financial), the issuer identifier is 440804 (a VISA partner), the account number is 123456789, and the check digit is 0.
  • The magstripe can be "written" because the tiny bar magnets can be magnetized in either a north or south pole direction and is very similar to a piece of cassette tape.
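The field layout above, as an added example (not code from the presentation): it splits a card number into MII, issuer identifier, account number and check digit, applies the prefix/length rules from the slide's table, and runs the Luhn (MOD 10) check. Function and class names are assumptions. The Luhn check catches typing errors only; generated numbers pass it too, so a pass says nothing about whether an account exists.

```python
from dataclasses import dataclass
from typing import Optional

# MII categories exactly as listed on the slide (not a complete registry).
MII_CATEGORY = {
    "3": "travel/entertainment",
    "4": "Visa",
    "5": "MasterCard",
    "6": "Discover",
}


@dataclass
class ParsedPan:
    mii: str
    category: str
    issuer_identifier: str          # first 6 digits, MII included
    account_number: str             # digits 7 .. n-1
    check_digit: str                # final digit
    brand_rule_ok: Optional[bool]   # None when the slide gives no rule
    luhn_ok: bool


def luhn_valid(digits: str) -> bool:
    """Luhn / MOD 10: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9          # same as adding the two digits of the product
        total += d
    return total % 10 == 0


def brand_rule(digits: str) -> Optional[bool]:
    """Prefix/length table from the slide: VISA 4xxxxx, MasterCard 51-55."""
    if digits[0] == "4":
        return len(digits) in (13, 16)
    if 51 <= int(digits[:2]) <= 55:
        return len(digits) == 16
    return None


def parse_pan(raw: str) -> ParsedPan:
    digits = "".join(ch for ch in raw if ch not in " -")
    # Assumption: at least 6 (issuer) + 1 (account) + 1 (check) digits;
    # the 19-digit maximum is the one stated on the slide.
    if not (digits.isascii() and digits.isdigit() and 8 <= len(digits) <= 19):
        raise ValueError("card number must be 8 to 19 decimal digits")
    return ParsedPan(
        mii=digits[0],
        category=MII_CATEGORY.get(digits[0], "not listed on the slide"),
        issuer_identifier=digits[:6],
        account_number=digits[6:-1],
        check_digit=digits[-1],
        brand_rule_ok=brand_rule(digits),
        luhn_ok=luhn_valid(digits),
    )


if __name__ == "__main__":
    # The specimen number printed on the slide; it is an advertising picture,
    # and its check digit does not satisfy the Luhn formula.
    print(parse_pan("4408 0412 3456 7890"))
```

A merchant form can use this to reject mistyped numbers before contacting the processor; authorization, CVV and address checks remain the actual fraud controls.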

Credit Card Skimming
  • Credit Card Skimming is a method by which encoded information from the magnetic stripe of a credit card is gathered by an electronic credit card reader (skimmer). This information is used legitimately when processing a transaction. In the hands of a criminal the electronic credit card reader becomes a handy tool to gather information to use later in illegal transactions and purchases.
  • Usually a criminal connects this "skimmer" to the credit card machine or a portable "skimmer" could be used to swipe your card when you are not looking. If you make a purchase, your information will automatically be stored in the "skimmer". At a later stage the criminal will use this information to make unauthorized purchases or encode this information on the magnetic stripe of a counterfeit card.
  • Credit card skimming often occurs in businesses where credit cards are used regularly, such as restaurants and other entertainment venues. In restaurants you will normally lose sight of your card when the waiter takes it to pay your bill. Some skimmers are as small as your hand, which makes it extremely easy for waiters to keep in their pouches.
  • During 2003 a crime syndicate was detected in New York, Connecticut and Massachusetts in the USA that smuggled Chinese immigrants into the US. The immigrants were forced to work as waiters in various Chinese restaurants to pay back money they owed to smugglers that assisted them to get into the country illegally. As waiters working in these restaurants they were forced by the crime ring to carry pocket-sized credit card skimmers and collect data from the cards of unsuspecting customers. The information they gathered was then handed over to the crime ring to pay off their debt.
  • ‘Card skimming’ is the illegal copying of information from the magnetic strip of a credit or ATM card. It is a more direct version of a phishing scam. The scammers try to steal your details so they can access your accounts.
  • Once scammers have skimmed your card, they can create a fake or ‘cloned’ card with your details on it. The scammer is then able to run up charges on your account.
  • Card skimming is also a way for scammers to steal your identity (your personal details) and use it to commit identity fraud. By stealing your personal details and account numbers the scammer may be able to borrow money or take out loans in your name.

Working (Simple Version) & Intrusion points
  1. Bank issues credit card to Customer.
  2. Customer pays Merchant with credit card.
  3. Merchant passes credit card to Payment Processor.
  4. Payment Processor approves Customer and gives OK to Merchant to deliver.
  5. Payment Processor bills Bank.
  6. Bank bills Customer.

Diagram stages: Applies; Bank Issues Credit Card; Customer Uses Card; Merchant Receives Card; Payment Processor Receives Card; Payment Processor Bills Bank; Customer Pays

Intrusion points marked on the diagram:
  • Issued by bank without demand from customer / supplied by dishonest courier
  • Illegitimate users (criminal involvement at both ends)
  • Stolen
  • Ill-gotten card, theft, or skimmed
  • Forged request

From where do they get your information?
Credit cards or credit card information is usually fraudulently obtained through methods such as:
  • Card swapping at ATMs
  • Theft – often out of motor vehicles or houses
  • Skimming
  • Pick-pocketing
  • E-mails purporting to come from the credit card service provider (Phishing)
  • Bogus Internet web sites
  • Credit card numbers are bought and sold in underground "carder" forums, which bring together the people who have stolen the credit card numbers with those who want to use them. These charitable donations are typically made by the person buying the card numbers as a final check to ensure that the numbers will work,
  • Thief goes through trash to find discarded receipts or carbons, and then uses your account number illegally
  • A dishonest clerk makes an extra imprint of your credit card and uses it to make personal charges
  • You respond to mail asking you to call a long distance number for a free trip or bargain-priced travel package. You are told you must join a travel club first and you are asked for your account number. From then on you receive charges on your bill which you didn't make, and you never get the trip

What is Credit Card Fraud (CCF)
  • CCF is a theft and fraud carried out using a credit card or any similar payment mechanism as a fake source for fund transaction
  • A credit card fraud is a transaction that is completed with your credit card by someone else. Often a fraudulent transaction is made hours after the credit card or card number is stolen or lost; often before the cardholder gets the chance to report the card as missing or stolen.

Techniques used to carry out ATM crime
  • Card swapping – where a customer’s ATM card is swapped for another card without their knowledge whilst undertaking an ATM transaction.
  • Card jamming – where an ATM machine card reader is deliberately tampered with so that a customer’s card will be held in the card reader and cannot be removed from the machine by the customer. The criminal removes the card once the customer has departed.
  • Vandalism – where an ATM machine is deliberately damaged and/or the card reader is jammed preventing the customer’s card from being inserted.
  • Physical attacks – where an ATM machine is physically attacked with the intention of removing the cash content.
  • Mugging – where a client is physically attacked whilst in the process of conducting a transaction at an ATM machine.

Modus Operandi of CCF using Identity Theft

OBTAIN IDENTITY INFORMATION
  1. Physical methods (skimmers, dumpster diving etc.)
  2. Search engines
  3. Insider attacks (e.g.: Video)
  4. Attacks from the outside (illegal access, trojans, keyloggers, spyware and other malware)
  5. Phishing and other social engineering techniques

Sale of ID data. Goods available on underground servers (Symantec data for Jan – June 2007):
  1. Credit cards (22%) US$ 0.50 – 1
  2. Bank accounts (21%) US$ 30-400
  3. Email passwords (8%) US$ 1-350
  4. Full identity (6%) US$ 10-150

FRAUD AND OTHER OFFENCES
Assume another person’s identity to:
  • Exploit bank accounts, credit cards
  • Create new accounts
  • Take out loans and credit
  • Order goods and services
  • Disseminate malware

Common Types of CCF
Types of Credit Card Fraud. Credit fraud can fall into one of five categories:
  • Counterfeit credit card
  • Lost or Stolen Cards
  • No-Card Fraud
  • Non-Receipt Fraud
  • Identity Theft Fraud

  • CC mail order fraud
  • Chargeback fraud
  • Skimming

Statistics show that the misuse of lost or stolen credit cards is still the most popular type of credit card fraud in India. Counterfeiting of credit cards is, however, increasing at an alarming rate. Fraudsters will typically use fraudulent credit cards to buy cigarettes, cellular phones and computers, jewelry, and other electronic items.

Emerging Fraud: Online Credit Card Fraud
  • Credit card fraud has become such an issue that no precise number can truly define the global losses. And while most financial institutions are rather sensitive about the subject, a report from the FBI indicated that credit cards were largely responsible for the $315 billion loss the U.S. endured from financial fraud in 2005. A recent study in Europe also revealed that well over 22 million consumers fell victim to credit card fraud in 2006.
  • To truly understand the risk and likelihood of credit card fraud, you must first make yourself familiar with a brand new lingo. Terms such as "phishing", "pharming", "skimming" and "dumpster diving" may not sound malicious, but these are in fact just a few of many ways that money can be thieved from your credit card.
  • Below you will find more details on these popular techniques and how they are used to commit credit card fraud:

Phishing - This technique refers to randomly distributed emails that attempt to trick recipients into disclosing account passwords, banking information or credit card information. This one scam has played a major factor in the crisis we face today. Since phishing emails typically appear to be legitimate, this type of crime has become very effective. Well designed, readily available software utilities make it nearly impossible to trace those guilty of phishing. Phishtank, an anti-phishing organization, recently revealed that nearly 75,000 attempts of this nature are made each month.

Pharming - This new technique is one of the most dangerous of them all. Pharming involves a malicious perpetrator tampering with the domain name resolution process on the internet. By corrupting a DNS (Domain Name System), a user can type in the URL for a legitimate financial institution and then be redirected to a compromised site without knowledge of the changes. Unaware of the background predators, the consumer types in their bank account details or credit card number, making them the latest victim of fraud.

Skimming - This device is usually secretly mounted to an ATM machine as a card reader.

Dumpster Diving - This shameless act refers to a process in which an individual vigorously sifts through someone else's trash in search of personal and financial information. With a mere credit card approval that contains a name and address, a criminal can easily open up a credit card in your name and accumulate substantial debt in no time.

Fake Security Message (figure)

A Fake Security Checkup (figure)

Tools used for CCF
  • CC number generator sites on the Internet
  • Merchant / his dishonest agent (with or without employer consent) retaining CC numbers processed through a retail outlet and using them unlawfully!
  • Discarded copies of CC vouchers via waste receptacles
  • Hacking computers where CC numbers are stored
  • Stolen CC or some mobile top-up cards
  • Some magnetic strips, blank CC from grey markets, embossing device to emboss characters on the card and holograms, skimmers

CC generator
  • Command line python program using PHP script and JavaScript
  • It generates CC numbers (13-16 digits VISA, MasterCard, Amex) to use in e-commerce sites conforming to the Luhn formula (MOD 10 check).
  • In testing situations any expiry date within the next 3 years should work
www.darkcoding.net/credit-card-numbers/

CC generator Rocklegend (figure)

Creditwizard site: www.CreditCardgenerator.org (figure)

Sale of Credit Cards: What's the rate going on in US?
  • Forum.carderplanet.net offered credit cards.
  • USD $200.00 - 300 USA credit cards without cvv2 code (credit card number, exp. day, cardholder billing address, zip, state).
  • USD $200.00 - 50 USA credit cards with cvv2 code (credit card number, exp. day, cardholder billing address & CVV code from the back side of the card).
  • Also cards with SSN+DOB at $40 each.
  • Minimal deal $200

Hackershomepage.com
800 b MSR 206 MAGNETIC STRIPE CARD READER/WRITER
THIS IS THE DEVICE EVERYONE HAS BEEN ASKING FOR. This device will allow you to change the information on magnetic stripe cards. It will also allow you to write to new cards.

From Hackershomepage.com
POS (Point Of Sale) Data Logger
701 COMPUTER KEYSTROKE GRABBER
Use this device to capture ALL keystrokes on a computer including user name and password. Password will be in plain text and not echoed like "****". This device will grab email and system passwords.

801 POS DATA LOGGER (figure)

Warning signs of Credit Card Fraud (CCF)
  • A shop assistant takes your card out of your sight in order to process your transaction.
  • You are asked to swipe your card through more than one machine.
  • You see a shop assistant swipe the card through a different machine to the one you used.
  • You notice something suspicious about the card slot on an ATM (e.g. an attached device).
  • You notice unusual or unauthorized transactions on your account or credit card statement.

Factors contributing to CCF
  • Be aware that most card fraud is due to factors beyond police control
  • Security flaws in card design and production
  • Police do not have access to the vulnerability points in the complex transactions that make up card processing.
  • Inherent difficulty to verify a card user's identity
  • Internet increased the opportunities for fraud, greatest impact through fraudulent card-not-present sales
  • Information about counterfeiting, skimming, and hacking is now available on the Internet
  • To some extent, the sheer volume of card use accounts for the increased amount of card fraud. In the United Kingdom, the United States, and Australia, debit and credit card use has increased tremendously over the last 20 years, although in the U.S., checks remain the primary form of payment (besides cash). In Japan, credit cards have been very slow to catch on, but debit cards have gained wider acceptance. These differences are largely related to the structure of financial service markets in the various countries.
  • The amount of card fraud committed internationally has substantially increased in recent years. For example, the proportion of fraud committed abroad on U.K. cards has doubled in the past decade.
  • Although the rate of check fraud has decreased considerably in the past decade, the financial loss due to check fraud continues to increase, simply because of the increase in the volume of sales.
  • There is a technological "arms race." Each technological advance makes it harder and harder to counterfeit checks and cards. Microdot printing on checks, hidden markings on checks and cards that show up on color photocopiers, holograms, magnetic strips, and now embedded chips–all these and many more advances have raised the level of skill and equipment needed for fraudsters to counterfeit checks and cards. Dedicated fraudsters quickly acquire the skills and equipment, so are soon able to produce checks and cards that are extremely difficult to identify as counterfeit.
  • In fact, international organized crime groups that specialize in counterfeit credit cards generally lie beyond the reach of local police, although their markets certainly lie within local neighborhoods. These groups became very active in Southeast Asia toward the end of the 1990s, and in a short time, have managed to overcome every new security feature introduced into plastic card manufacture. Their distribution system employs Asians in large North American and European cities.
  • Many card issuers are eager to get customers. In recent years, the competition has become very intense. The mail and Internet are loaded with tempting offers, and it is now very easy to get a credit card.
  • Many card issuers do not hold cardholders responsible for any loss incurred through fraudulent use by another. Thus, cardholders have no real motivation to take security precautions. In fact, they may even collude with others. Retailers may bear the loss in card-not-present sales, and card issuers in standard credit-card sales.
  • Although police face these and other obstacles when addressing check and card fraud, there is much that can be done.

Credit Card Fraud (CCF) Detection
  • Publish your mail server addresses (to thwart spoofing)
  • Educate customers (employees and merchants also)
  • Establish online communication protocols (SSL Credit card protocol)
  • Proactively monitor for phishers and fraudsters

General Characteristics of Those Who Commit Fraud
  – They are intelligent.
  – They are very egotistical.
  – They are risk takers.
  – They are rule breakers.
  – They are hard workers.
  – They are under stress.
  – Many are married.
  – Many are members of management.

Strategies
  1. Prevention is the best course of action.
  2. If fraud does occur, the strategy is to detect and stop fraud in its early stages.
  3. Failing 1 and 2, we want to develop a strategy for what to do when a fraud does occur.

Prevention
  • Be PROACTIVE not REACTIVE.
  • Think like a crook. “If I were going to do something like this, how would I do it?”
  • Trust, but verify.
  • Screen your employees. This is an ongoing process, not just when they are hired.

Detection
  • Establish a whistleblower policy and better yet, a hotline.
  • Perform an Internal Audit.
  • Conduct an External Audit or Review.

Fraud Prevention Techniques

Fraud prevention techniques: Tactical Guidelines
Enterprises selling online should:
  • Assess their risk exposure to online credit card fraud based on their own experiences and on the types of goods and services they sell.
  • Implement internal rules and procedures that can identify many potential frauds.
  • Consider using fraud-prevention products and services to assess each transaction attempt if the risk of fraud is significant.

Latest means to prevent CCF
• SSL Certificate: SSL is a protocol developed by Netscape for transmitting private documents via the Internet. SSL works by using a private key to encrypt data that's transferred over the SSL connection. Both Netscape Navigator and Internet Explorer support SSL, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers. By convention, URLs that require an SSL connection start with https: instead of http:.
• 128-bit encryption: Cryptographers consider 128-bit encryption practically impossible to crack (it would take millions of years with the fastest computers to try all the combinations). With 128-bit encryption you can ensure that your international customer base will be able to exchange information with you using the strongest possible encryption.
• How does SSL work?
– Client requests a secure resource.
– Web server presents its certificate.
– Client verifies the certificate.
– Client generates a session key (40, 56 or 128 bit).
– Client extracts the public key from the web server certificate and encrypts the session key.
– Client then sends the encrypted key back to the web server.
– Web server decrypts the session key, and both now have a common key for that session.
– Both the web site and the client can now communicate securely.
– When the browser closes the window or the server drops the connection, the session is terminated.
– Next time the browser comes back to the same page, a new session key is generated.

Battery credit card to avoid fraud
• MELBOURNE: An Australian technology firm has come up with a unique battery-powered super card, which they believe can fight online fraud.
• The company reckons that it can stop up to $1 billion a year in credit card fraud with its invention.
• The card, which includes an alpha-numeric display, a built-in microprocessor, a keypad and three years of battery power, will display a one-time number with which to authenticate each online credit card transaction whenever the user enters the PIN.
• The technology was developed by a small Deloitte-backed technology firm based in Adelaide and Melbourne called EMUE Technologies.
• Each card costs around five times more than a regular credit card to produce and will be sold to bank customers for between $18 and $30 each.
• The technology could also be used for verifying your bank’s identity when it calls you over the phone.
• “When the card is created for the user it has a unique seed on it, and that unique seed is stored with the bank along with the pin the user chooses.
• If I enter the wrong pin [into the credit card] it will still generate a number for me, but when I put that into the browser [to buy something] it will reject that as a transaction.”
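The seed-plus-PIN behaviour described on this slide, sketched as an added example (not EMUE's code or algorithm, which the slide does not give). The HMAC-SHA256 derivation, the per-press counter, the look-ahead window and all names are assumptions chosen for illustration.

```python
import hashlib
import hmac

DIGITS = 6   # length of the displayed one-time number (assumed)
WINDOW = 3   # look-ahead if the card was pressed without a purchase (assumed)


def one_time_number(seed: bytes, pin: str, counter: int) -> str:
    """Number shown for one key press: HMAC(seed, PIN | counter), truncated.

    Illustrative construction only; the real card's algorithm is not on the page.
    """
    msg = pin.encode() + b"|" + counter.to_bytes(8, "big")
    digest = hmac.new(seed, msg, hashlib.sha256).digest()
    value = int.from_bytes(digest[:8], "big") % (10 ** DIGITS)
    return f"{value:0{DIGITS}d}"


class Card:
    """Holds only the seed; it cannot tell whether the typed PIN is right."""

    def __init__(self, seed: bytes):
        self._seed = seed
        self._counter = 0

    def display(self, pin: str) -> str:
        self._counter += 1
        return one_time_number(self._seed, pin, self._counter)


class Bank:
    """Stores the seed together with the PIN the user chose, as the slide says."""

    def __init__(self):
        self._records = {}

    def issue_card(self, card_id: str, seed: bytes, pin: str) -> Card:
        self._records[card_id] = {"seed": seed, "pin": pin, "counter": 0}
        return Card(seed)

    def authorize(self, card_id: str, number: str) -> bool:
        rec = self._records.get(card_id)
        if rec is None or len(number) != DIGITS or not number.isascii() \
                or not number.isdigit():
            return False
        # Accept only counters ahead of the last accepted one, so a number
        # that was already used can never be replayed.
        for step in range(1, WINDOW + 1):
            candidate = rec["counter"] + step
            expected = one_time_number(rec["seed"], rec["pin"], candidate)
            if hmac.compare_digest(expected, number):
                rec["counter"] = candidate
                return True
        return False


def demo() -> dict:
    bank = Bank()
    seed = bytes(range(32))                      # constructed sample seed
    card = bank.issue_card("card-001", seed, "4821")
    first = card.display("4821")
    return {
        "correct_pin": bank.authorize("card-001", first),
        "replayed_number": bank.authorize("card-001", first),
        "wrong_pin": bank.authorize("card-001", card.display("0000")),
        "correct_pin_again": bank.authorize("card-001", card.display("4821")),
    }


if __name__ == "__main__":
    print(demo())
```

The card always shows a number, even for a wrong PIN, so someone holding a stolen card learns nothing from the card itself; only the bank's check tells right from wrong.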

Software for preventing Credit Card fraud
• MessageLabs (service provider) is able to offer a 100% virus detection service-level agreement. Outbound content inspection capabilities are above average and include dictionaries in multiple languages and credit card and SIN detection, but workflow is limited.
• Sophos (antivirus): Outbound filtering capabilities include content inspection dictionaries covering credit cards and SSNs, but are limited to the Unix compliance module.

Credit Card Fraud Detection Techniques

AVS (Address Verification System)
• Address Verification System (AVS) codes are generated at the time the merchant requests credit card authorization. The code tells the merchant if the billing address provided on the order matches the billing address of record for the credit card number. Specific codes mean different levels of matching. For example, the credit card payment company Paymentech(c) (one of many such companies that offer AVS) uses the following AVS response codes (among others):
• I-1 means the billing address on the order is a complete match to the billing address of record for the credit card provided.
• I-5 means that only the Zip Code doesn't match; perhaps the customer has been issued a new one without updating the billing address of record.
• The codes to worry about are I-4 and I-8.
• AVS code I-4 means that the street address isn't a match, while the Zip Code does match. Blocking such orders may seem to be a given, but there's a slight problem. AVS logic looks for a number at the beginning of an address. Addresses that begin with a letter aren't recognized and result in an I-4 code. Too many customers use addresses that begin with a letter (P. O. Box 100, or One Rockefeller Plaza) to make this a suspect code.
• AVS code I-8 means that nothing matches: the street address and the Zip Code are both different. Perhaps the customer moved and forgot to change the address, but this is probably an NCE attack, which is sending randomly generated credit card numbers with the addresses of their forwarders in both the billing and ship-to address fields. Beware.
Canceling I-8 orders
• Many companies have begun canceling orders that are coming back from Paymentech(c) with an AVS code of I-8. The customer is notified that the billing address of record didn't match the billing address entered on the order. The customer can re-order using the proper address from his credit card statement. This simple step saved the previously mentioned company $4 million in credit card "charge backs" in addition to the handling time. A charge back is the process in which the true credit card holder refuses payment for a good or service that he didn't order. The merchant's account is debited for the money unless the merchant can prove that the card holder actually received the good or service.
• Internet credit card orders require the merchant to enter into a credit card transaction similar to a person coming into a store with a bag on their head and trying to make a credit card purchase without ID or bothering to sign the credit card slip. Who would allow such a thing? Internet merchants do it every day!

1. Pattern Detection
This technique identifies a person as a fraudster if:
• Multiple orders are placed which are delivered to the same address, but using different credit cards
• Multiple orders are being sent from the same IP address
• The credit card number varies by only a few digits
• User repeatedly submits same credit card number with different expiry dates
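The four rules on this slide applied to a batch of orders, as an added example that is not part of the original presentation. The order fields, the flag names, the "few digits" threshold of 2 and the sample orders (test-style card numbers, documentation IP ranges) are all constructed for illustration.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample orders; card numbers are made-up test values.
ORDERS = [
    {"id": "o1", "card": "4000000000000002", "expiry": "12/09",
     "ip": "203.0.113.10", "ship_to": "12 Elm St"},
    {"id": "o2", "card": "5100000000000008", "expiry": "01/10",
     "ip": "203.0.113.11", "ship_to": "12  elm st"},
    {"id": "o3", "card": "4000000000001234", "expiry": "05/09",
     "ip": "198.51.100.7", "ship_to": "9 Oak Ave"},
    {"id": "o4", "card": "4000000000001235", "expiry": "05/09",
     "ip": "198.51.100.7", "ship_to": "77 Pine Rd"},
    {"id": "o5", "card": "4000000000009999", "expiry": "03/09",
     "ip": "192.0.2.1", "ship_to": "1 Lake Dr"},
    {"id": "o6", "card": "4000000000009999", "expiry": "04/09",
     "ip": "192.0.2.2", "ship_to": "1 Lake Dr"},
    {"id": "o7", "card": "5100000000007777", "expiry": "08/10",
     "ip": "192.0.2.50", "ship_to": "5 Hill Ct"},
]


def normalize_address(addr: str) -> str:
    """Case- and whitespace-insensitive key, so '12 Elm St' == '12  elm st'."""
    return " ".join(addr.lower().split())


def digit_distance(a: str, b: str) -> int:
    """Number of positions at which two equal-length card numbers differ."""
    return sum(x != y for x, y in zip(a, b))


def screen(orders, max_digit_diff=2):
    """Return {order_id: set of rule names that fired} for suspicious orders."""
    flags = defaultdict(set)
    by_addr, by_ip, by_card = defaultdict(list), defaultdict(list), defaultdict(list)
    for o in orders:
        by_addr[normalize_address(o["ship_to"])].append(o)
        by_ip[o["ip"]].append(o)
        by_card[o["card"]].append(o)

    # Rule 1: same delivery address, different credit cards.
    for group in by_addr.values():
        if len({o["card"] for o in group}) > 1:
            for o in group:
                flags[o["id"]].add("same_address_different_cards")

    # Rule 2: multiple orders from the same IP address.
    for group in by_ip.values():
        if len(group) > 1:
            for o in group:
                flags[o["id"]].add("same_ip")

    # Rule 3: card numbers that vary by only a few digits.
    for a, b in combinations(sorted(by_card), 2):
        if len(a) == len(b) and 0 < digit_distance(a, b) <= max_digit_diff:
            for o in by_card[a] + by_card[b]:
                flags[o["id"]].add("near_identical_card_numbers")

    # Rule 4: the same card number submitted with different expiry dates.
    for group in by_card.values():
        if len({o["expiry"] for o in group}) > 1:
            for o in group:
                flags[o["id"]].add("same_card_different_expiry")

    return dict(flags)


if __name__ == "__main__":
    for order_id, reasons in sorted(screen(ORDERS).items()):
        print(order_id, sorted(reasons))
```

A flag is a reason for manual review rather than proof of fraud: shared office IP addresses and family members shipping to one address trigger rules 1 and 2 legitimately.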

2. Fraud Screening
It provides risk prediction scores by assessing 150 order variables. These variables include:
– domestic and international address validation
– domestic and international IP address verification
Features
• Automatically identifies whether order is valid or potentially fraudulent in real time
• Patented global identity morphing detection
• Detailed, web based reports
Benefits
• It controls fraud to as little as 0.5%
• Detects more single event fraud as soon as it occurs
• Detects fraud trends more quickly
• Minimizes time, cost of manual review

Fraud screening: screenshot

3. Cardwatch (site: www.cardwatch.org.uk)
• To raise awareness of card fraud prevention
• It reduces fraud by:
– fraud prevention training to staff
– fraud prevention advice to customers
– encouraging staff vigilance and awareness
– advice and assistance to other organizations on fraud prevention, as in crime stoppers
– running card security initiatives to increase awareness among people
– educating and supporting police and crime reduction officers

4. 3D Secure
• Its authentication requires card holders to register their card to take advantage of the service
• A one-time process taking place on the card issuer's site, which involves the cardholder answering security questions to which only the issuer and the cardholder have the answer
• It is an online version of Chip and PIN technology, where the cardholder has a personalized password registered with his card that is entered during the checkout process
Limitations of 3D Secure
• Not to be used as a complete fraud prevention tool, but used in conjunction with existing fraud checks such as AVS and CVV2 to help minimize your risk
• Chargebacks can still occur even when transactions have been fully authenticated by 3D Secure

Fraudlabs
• XML based service validating online credit card transactions
• Web service screens and detects online credit card fraud
• It is a proven solution to prevent chargebacks and reduce fraud for online merchants

Fraudlabs: screenshots 1 to 3

CHIP AND PIN METHOD (site: http://www.chipandpin.co.uk/)
• "Chip and PIN" is the name used for the new EMV Card Payments System designed to augment and eventually replace magnetic stripe payment cards in Europe.
• Designed by Europay, Mastercard and Visa
Microchip technology
The ease with which credit cards with magnetic stripes are used in defrauding companies, financial institutions and individuals has necessitated banks and other card issuing companies to implement microchip card technology. This is due to the fact that cards with magnetic stripes can too easily be cloned. The cardholder’s information will be stored on a microchip, which will be much safer than the magnetic stripe. The new standard, to which all role players must adhere, will come into operation on the 1st January 2005. This new standard was dubbed EMV, which was taken from the first letter of the three companies that initiated it, namely Europay, Visa and MasterCard.
This technology was introduced in France more than 10 years ago. According to the credit card industry in this country, card fraud dropped by 80% after the new technology was introduced. This new prevention method does not come cheap and banks are spending millions changing from the old magnetic stripe cards to the new generation microchip cards. It is estimated that the conversion process in South Africa will entail issuing new cards to 16 million users, upgrading 9000 ATMs throughout the country, upgrading 130 000 point-of-sale terminals and upgrades on back-end processing systems to handle the new technology. This will come at a price tag of between R1,5 bn and R2 bn extended over a period of 10 years. Converting a top of the range ATM can cost as much as R30 000.
This technology will, however, require the customer to enter a PIN code every time they use the credit card. This is safer due to the fact that merchants or cashiers will no longer have to verify signatures. Studies in Europe have shown that signature based products are more susceptible to fraud than those that are PIN based. One advantage of smart card technology is that a credit card will be able to hold a considerable amount of information. This will ensure that even merchants in rural areas will be able to accept payments without telephonic access to a bank. Some of the major banks have started issuing the new cards to their employees for internal trials and to certain clients.

Difference between normal and Chip n Pin Method

Limitations of CHIP and PIN
• Offline Counterfeiting: Chip and PIN counterfeit cards can still be used offline in terminals that are not connected to the bank's network or have been temporarily disconnected. The fraudster does not even need to know the PIN.
• Cross-Border Fraud: one easy fraud will be replaced by another when Chip and PIN fails to close off important avenues for fraud. The customer gets all the hassle and gains nothing.
• Fallback: The same old fraud can continue because magnetic stripe technology is not on the way out for a long time.
Devices for breaching CHIP and PIN
• Tamper resistance of Chip & PIN (EMV) terminals
• Chip & PIN (EMV) Interceptor: It does not copy the chip! It only gains enough information from overhearing the conversation to make a magnetic stripe counterfeit.
Chip & PIN (EMV) relay attacks
• The terminal sends the card a random number, known as a challenge.
• The customer then enters their PIN into the terminal and it is sent to the card.
• The card computes a cryptographic response that incorporates the challenge, whether the PIN was entered correctly, and a secret known only to the card and the bank which issued it (the terminal does not know this secret).
• The purpose of including the challenge is so that the terminal can detect whether an old response is being replayed.
• The response is sent back to the terminal, which then goes on-line and sends the challenge and response to the bank, who will verify them.
PIN Entry Device (PED) vulnerabilities
• By tapping these communications, fraudsters can obtain the PIN and create a magnetic strip version of the card to make ATM withdrawals in the UK and abroad.
• Two popular PEDs, the Ingenico i3300 and Dione Xtreme, fail to adequately protect card details

Credit Card Fraud Management
• IAS (Internet Access System) supports the built-in fraud protection services provided by the processing network, including AVS (Address Verification Service) and Card Verification Value. In addition, IAS provides enhanced tools and services to help you maximize revenue and profit potential, actually helping you to convert more orders to sales and reduce chargebacks.
Key Features
• Supports Verified by Visa and MasterCard SecureCode services (3D Secure standard)
• Additional fraud screen available to control risk on non-Visa or MasterCard transactions
• Works with any payment system
• Single connection provides access (also available as a software component)
Key Benefits
• Minimize online credit card fraud and customer disputes
• Receive chargeback protection on qualifying transactions
• Implement easily via single Internet connection or single software component
• Obtain relief from fraud liability (pending compliance)

Deploy Spam and Malware Catchers

1,333 Intruders Caught in one Week

The need? A trusted environment with:
• Privacy Policy
• Member verification (for online transactions, e.g. ecommerce)
• Customer Support
• Profit and competitive advantage
• Record keeping and audit trail

Suggested Precautions to be taken by merchants for prevention of online CCF
Geolocation by IP address: comparison of the IP address country with the billing address country
• Know the online buyer's geographic information to prevent fraud. Identify locations where the probability of fraud is the highest. It allows additional authentication measures or identification for those transactions which show a great difference of distance. Legitimate customers welcome legitimate authentication measures, which will also protect them from credit card fraud and keep the costs of doing business on the Internet down, especially if the customer is properly informed and advised by the merchant of these protection measures.
Make sure the IP address country and the billing address country are the same
• An IP address is a unique network identifier issued by an Internet Service Provider to a user’s computer every time they are logged on to the Internet.
Check whether the country is a “high risk” country
• ClearCommerce® survey: The top 12 international sources for online fraud are Ukraine, Indonesia, Yugoslavia, Lithuania, Egypt, Romania, Bulgaria, Turkey, Russia, Pakistan, Malaysia, and Israel.
• The same survey also showed that the 12 countries with the lowest fraud rates are Austria, New Zealand, Taiwan, Norway, Spain, Japan, Switzerland, South Africa, Hong Kong, the UK, France, and Australia.
• Pay more attention if the card or the shipping address is in an area prone to credit card fraud.
• Since these countries are alien to us (Pakistan), they will never cooperate in an investigation, and so it becomes a perfect crime, impossible to detect, and the beneficiary of the fraud is guaranteed to go scot-free.
Check whether an anonymous proxy server was used to place the order
• The main purpose of using a proxy server is to remain anonymous or to avoid being detected. While well known businesses use this to protect internal networks, fraudsters hide themselves behind anonymous proxy servers. It is not easy to detect anonymous proxy servers because they appear and disappear from time to time.
• FraudLabs™ provides a hassle-free method to keep an always up-to-date anonymous proxy server list as a web service.
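One way a merchant could combine the AVS response codes described on the AVS slide with the IP-country and anonymous-proxy checks above, as an added example that is not from the original presentation. The geolocation table, the proxy list, the order fields and the ACCEPT/REVIEW/CANCEL policy are constructed assumptions; only the meanings of codes I-1, I-4, I-5 and I-8 come from the slides.

```python
import ipaddress

# Constructed lookup data using documentation address ranges. A real
# deployment would query a maintained geolocation and proxy-list service.
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "GB"),
    (ipaddress.ip_network("203.0.113.0/24"), "AU"),
]
ANONYMOUS_PROXIES = {ipaddress.ip_address("203.0.113.66")}


def ip_country(ip: str):
    """Country code for an IP address, or None if the table has no entry."""
    addr = ipaddress.ip_address(ip)
    for network, country in GEO_TABLE:
        if addr in network:
            return country
    return None


def begins_with_number(street: str) -> bool:
    """AVS matching keys on a leading house number (per the AVS slide)."""
    return street.strip()[:1].isdigit()


def screen_order(order: dict):
    """Return (decision, reasons). Decision is ACCEPT, REVIEW or CANCEL."""
    avs = order["avs"]
    reasons = []

    if avs == "I-8":
        # Nothing matches: cancel and ask the customer to re-order with the
        # billing address printed on the card statement.
        return "CANCEL", ["AVS I-8: street address and Zip Code both differ"]
    if avs == "I-4":
        # Street mismatch with matching Zip. Addresses that begin with a
        # letter (P. O. Box 100, One Rockefeller Plaza) produce I-4 as a
        # matching artifact, so only a numeric address is sent to review.
        # (Assumed policy, not stated on the slide.)
        if begins_with_number(order["billing_street"]):
            reasons.append("AVS I-4 on an address that starts with a number")
    elif avs not in ("I-1", "I-5"):
        reasons.append(f"unrecognized AVS code {avs}")

    country = ip_country(order["ip"])
    if country is None:
        reasons.append("IP address country unknown")
    elif country != order["billing_country"]:
        reasons.append(
            f"IP country {country} differs from billing country "
            f"{order['billing_country']}")

    if ipaddress.ip_address(order["ip"]) in ANONYMOUS_PROXIES:
        reasons.append("order placed through a listed anonymous proxy")

    return ("REVIEW" if reasons else "ACCEPT"), reasons


if __name__ == "__main__":
    sample = {"avs": "I-4", "billing_street": "P. O. Box 100",
              "billing_country": "US", "ip": "192.0.2.20"}  # constructed order
    print(screen_order(sample))
```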

Tools to control CCF
• Public Key Encryption
• Secure Socket Layer and new layer for CCF prevention
• Biometrics/Smartcards
• Firewalls and upgrades (for online CCF)
• Digital Certification
• IP verification
• Cookies
• Pattern anomalies
• Collateral evidence
But, as cost increases with the number of tools used, it is not economically feasible, and therefore fraudsters are fortunate and get the opportunity to rob people by plastic money and go scot-free due to legal lacuna in the system. (Suggestion: There should be strict liability, and the burden of proof should be on the accused, as in food adulteration laws and customs laws.)
Protect yourself! From Skimming
• Keep your credit card and ATM cards safe. Do not share your personal identity number (PIN) with anyone. Do not keep any written copy of your PIN with the card
• Check your bank account and credit card statements when you get them. If you see a suspicious transaction, report it to your credit union or bank
• Choose passwords that would be difficult for anyone else to guess

Credit Card Fraud Cases

1. Indian jailed for Britain's biggest credit card fraud
Oct 2008: An India-born computer specialist who was the mastermind behind Britain's biggest fake credit card racket has been jailed for six years.
• Anup Patel (30) and his accomplices had amassed nearly £2 million (over $3 million) by making counterfeit credit cards and using them in several countries in Asia and Europe. Police believe they would have cheated people of 16 million pounds by now had they not been caught.
• A computer sciences graduate from Kingston University, Patel stole original credit card numbers and PINs (Personal Identification Numbers) and engraved them on counterfeit cards.
• The fake cards were transported by one of his accomplices, Anthony Thomas (jailed for 2 years), to countries in Asia like Thailand and eastern Europe where the chip-and-PIN security system is not in use. Local members of the gang withdrew money using those cards by faking signatures of the original card holders.
• The police launched an investigation after motorists using the M25 petrol pumps started receiving credit card statements citing purchases and cash withdrawals in various countries.
• Patel managed to steal details of nearly 19,000 cards. Police suspect that Patel's gang collected the data from petrol pumps on the M25 motorway near London with the help of secret cameras and data card readers. They still do not have a clue as to how these gadgets were installed. Thousands use these pumps for fuel daily and payment is almost always through credit cards.
• The operation was busted in October 2006 when the police, acting on an intelligence tip-off, raided Patel's rented office premises at the Croydon House Business Centre in south London.
• They found a literal computer factory inside the premises: thousands of magnetic strips and blank plastic cards, a library of 19,000 skimmed card and PIN details, holograms, card printers, corrupted payment terminals and £20,000 in cash.
• Patel gave himself up to the police after learning that his accomplices had been arrested in Thailand and at London's airports.
• When the case came to court, prosecutor David Povall told the jury at the Croydon Crown Court that both men had previous criminal records. Patel was jailed for two years for a credit card fraud in France 10 years ago, and Thomas had 65 previous convictions. During investigation, the police found they had links with criminal gangs in other countries, including Thailand and Turkey.
• Patel, who lived in Thornton Heath in South London, was born in India and came to Britain at the age of two. He obtained a degree in computer sciences from Kingston University in 2006, leading police to believe that he was trying to beat the chip-and-PIN system even as he was studying.

2. Busting of Fake Credit Card racket near Toronto makes this a good time to revisit Credit Card Fraud!
• A fake credit card racket was busted in the last week of January this year in Markham near Ontario. Using specialized equipment, the fraudsters were converting ordinary plastic cards to credit cards, health cards, social insurance cards and whatever else you can imagine.
• In the second week of this month, the State Attorney General of Oklahoma warned residents of the state that internet fraud was on the rise in the area. While the two incidents may not be related, it will do us good to heed these as a warning.
• A resident of the state, in fact, alerted the police after he received a phony credit card in his ordinary mail. The card came along with a letter requesting the recipient to confirm his bank details to enable activation of the card. The letter also directed the resident to a website where the relevant details could be submitted.
• Having the advantage of being familiar with such scams, the alert resident’s suspicions were immediately aroused. Immediately, he reported the matter to the police.
• What the scammers were aiming at was to get hold of such critical information as bank account number and/or social security number and to misuse it for personal gain. In internet fraud parlance, this is commonly known as phishing and identity theft.

3. 45.6 million cards hacked in biggest ever credit fraud
Eleven people have been indicted in Boston for stealing and selling 41 million credit and debit card numbers they obtained by hacking into the computers of nine major US retailers, the US Justice Department said. In what the department believes is the largest hacking and identity theft case it has ever prosecuted, the stolen numbers were sold via the Internet to other criminals in the US and Eastern Europe and used to withdraw tens of thousands of dollars at a time from ATMs.
The eleven defendants include three US citizens, three from Ukraine, two from China, one from Belarus, one from Estonia and one whose place of origin is unknown, the department said in a statement. The indictment was returned Tuesday by federal grand juries in Boston, Massachusetts, and San Diego, California.
The indictment alleges that after they collected the data, the conspirators concealed the data in encrypted computer servers that the defendants controlled in Eastern Europe and the United States. From there, the stolen numbers were “cashed out” by encoding card numbers on the magnetic strips of blank cards, and then used to extract cash from ATMs, the Justice Department said. The defendants were allegedly able to conceal and launder their fraud proceeds by using anonymous Internet-based currencies both within the United States and abroad, and by channeling funds through bank accounts in Eastern Europe, it added.
“So far as we know, this is the single largest and most complex identity theft case ever charged in this country,” said US Attorney General Michael Mukasey. “While technology has made our lives much easier it has also created new vulnerabilities,” said US Attorney for the District of Massachusetts Michael Sullivan.
The 11 people, including three Americans, allegedly targeted such retailers as TJX Companies, BJs Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW. Prosecutors say the defendants hacked into the computer networks of nine major U.S. retailers, including TJX. The Framingham-based company disclosed a massive computer security breach in late 2006. The indictments were handed down by federal grand juries in Boston and San Diego.
U.S. Attorney General Michael Mukasey says the hackers were able to gather enormous amounts of personal financial data, which they allegedly sold to others or used themselves. Mukasey says it's "impossible to quantify" the total dollar amount of theft, which caused widespread losses for banks, retailers and consumers. Those named in the indictment allegedly sold the information to criminals abroad and in the U.S., or encrypted blank credit cards to withdraw money from ATMs, officials said. Prosecutors say three of the defendants are U.S. citizens from Miami, while others are from China, Estonia, Ukraine and Belarus. The scheme is believed to be the largest identity theft case ever prosecuted by the federal government.

Delhi Police busts credit card racket: arrested five in Delhi, and UK NRI is on the run
New Delhi, April 02, 2008, Santosh Kumar
• Delhi Police Crime Branch arrested five people, Vivek Prasad, 27, Nafees Ahmed, 37, Raju Khan, 27, Brijesh Yadav, 27, and Dildar Hussain, 32, in south Delhi and recovered 21 fake credit cards from them. The racket has exposed the negative side of technological advancements.
• Deputy Commissioner of Police, Crime Branch, Anil Shukla told media in New Delhi: More than 20 UK residents were cheated of Rs. 3 million (30 lakh) with the help of cloned credit cards after the gang obtained information encoded on their credit cards issued by seven British banks such as Barclays Bank and Lloyds TSB Bank...
• The police intercepted a Maruti Wagon car at Netaji Subhash Place and arrested the persons. A case of cheating (Sec 420) and fraud (Sec 25) has been lodged against them with Saraswati Vihar police station.
• NRI Loknathan in the UK used to swipe his victims' credit cards on a skimmer, a small portable device like a pager that records all the information encoded in the microchip of the card. Loknathan has been operating the scam for the past three months.
• In the UK, the owner of a credit card does not pay if any fraud is involved. The loss was either borne by the bank or by the insurance company. Since the fraud occurred in India, no one pursues the matter from the UK.
• According to the police, the group had at least eight such transactions in the past three months. They carefully used a credit card once and never visited the shopping area again. They used to swipe the cloned credit cards with the help of shopkeepers and owners of the swipe machines. Mostly they bought jewelry, laptops and mobiles worth lakhs of rupees and collected cash in return by paying 5-6% commission to the swipe machine owners.
• Vivek Prasad, a Bangalore University graduate who worked as a business development executive in a firm in Hyderabad, is the mastermind of the racket. He used to procure information on credit cards from one of his associates, Loknathan in the UK. Loknathan used to visit India often for the past six months.
• Vivek then collaborated with Ahmed, who used to run a call centre for the HDFC Bank. Ahmed and his recruits used to run these cards on swipe machines in Delhi. With the help of swipe machine owners, they used the card depending on its credit limit. Ahmed and his friend were keeping 10-20% of the amount. Vivek transferred 40% of the transaction to Loknathan in the UK.


Florida Police: Credit card racket case
Case Synopsis:
• The operation began in November 2006, when the Seattle, WA United States Secret Service (USSS) office requested the Jacksonville USSS office to locate and interview suspects identified in a credit card fraud scheme with Magic Online (an online gaming company). Carreras was located and an initial interview conducted on 11/16/2006.
• The investigation revealed that in January of 2006, Carreras had met a subject on-line through a spam email offering a job opportunity designing web pages. That subject then in turn started him in a scheme that used stolen credit card numbers to purchase "event tickets" for use in the Magic Online game, which were then sold on eBay and the profit split between the two.
• Sometime during the summer of 2006, Carreras and his partner quit the Magic Online account scam and began engaging in direct credit card scams, by purchasing "packets" of credit card data from persons on underground chat rooms. With the information obtained on the chat rooms, and online background checks bought through legitimate online companies, the two then began purchasing money transfers from Western Union online. Western Union requires that for any purchase made online the purchaser has to call Western Union and validate the transfer by answering several questions about themselves, which is why it was necessary to purchase the backgrounds on the people whose credit card information had been purchased.
• Carreras eventually began operating on his own and ultimately ended up recruiting other local persons to assist him in his illegal enterprise, listed below. Carreras initially cooperated with the authorities in their attempts to positively identify his source and initial partner. But even while cooperating he was still conducting his fraudulent activities.
• Carreras and two other suspects, Melissa Renee Caraballo and Michael Duane Widrig II, fled the northeast Florida area in January of 2007. Arrest warrants were obtained for him and the other two suspects.
• On May 7, 2007, Carreras, Caraballo, and Widrig were located by Secret Service Agents and members of the Las Vegas Metropolitan Police SWAT team at a Las Vegas, Nevada Suzuki Motorcycle Dealership. Agent Rohrer and Detective Brown traveled to Las Vegas and interviewed all three suspects again. On May 22, 2007, they were returned to Florida and booked into the Putnam County Jail. Carreras remains in jail without benefit of bond, Widrig is still in jail with a $75,000 bond, and Caraballo was released from jail on 5/30/2007 with a $10,000 bond.
• There are, at this time, eight known unnamed co-conspirators in this northeast Florida organization. There has been in excess of $50,000 worth of illegal wire transfers attributed to this one group. This northeast Florida organization is tied into a much larger nationwide organization, which is responsible for even more illegal wire transfers, totaling hundreds of thousands of dollars. The investigation continues, with more arrests anticipated.

Florida Police: Credit card racket case (contd.)
Arrested people
• Simon Peter Carreras, 23 years of age. Charged with: Violation of Racketeer Influenced and Corrupt Organization Act (similar to MCOCA in Maharashtra) and Organized Scheme to Defraud in excess of $50,000.
• Melissa Caraballo, 18 years of age. Charged with Organized Scheme to Defraud in excess of $300.00.
• Michael Duane Widrig II, 21 years of age. Charged with Organized Scheme to Defraud in excess of $300.00.
• Amy Leigh Bishop, 21 years of age. Arrested on 5/31/2007, charged with Organized Scheme to Defraud in excess of $300.00, still in Putnam County Jail, bond $50,000.
• Randall Karry Ritchie Jr, 31 years of age. Arrested on 5/24/2007, charged with Organized Scheme to Defraud in excess of $300. Released from jail on 5/24/2007 on $75,000 bond.
• Edward Bruce Dodd, 36 years of age. Arrested on 5/7/2007, charged with Organized Scheme to Defraud in excess of $300. Still in Putnam County Jail, bond set at None by 1st appearance judge.
• Eddie Ramon Renta-Aler, 27 years of age. Arrested on 5/3/2007, Organized Scheme to Defraud in excess of $300. Released from jail on 5/4/2007 on $15,000 bond.
• Amber Dawn Renta-Aler, 26 years of age. Arrested on 5/3/2007, Organized Scheme to Defraud in excess of $300. Released from jail on 5/4/2007 on $15,000 bond.

Distinct modus operandi of Identity Thieves
• Be warned when stuff you never bought arrives at your doorstep. As a new scam uncovered in Utah revealed, identity thieves have tweaked their modus operandi to literally have victims hand over to them goods purchased online with the victim’s own card money. In a new move, fraudsters are using card holders’ addresses to receive goods purchased using their compromised credit card accounts.
• Such frauds are known to be mostly committed by fraudsters from overseas. Until now, the fraudsters were seen to be employing people as ‘money mules’ to do this service. They would hire people online to work as re-forwarding or re-packaging agents for them on a commission basis, paid for every package they safely send across.
• If and when the scam gets busted, the real fraudsters would go scot-free while the local agents would have a hard time explaining how they came to be in possession of the stolen goods.
• Fraudsters are not only stealing from the card but also using the owner’s address for receiving the goods bought using it!
• Card owners would naturally be surprised when items they never purchased turn up at their doorstep. They would immediately mean to send them back. So, they wouldn’t be surprised when, the same day or the day after, somebody comes to pick up the package saying it was all a mistake. The people who turn up to collect the goods claim they were hired by the seller to have the goods sent back. Card owners wouldn’t realize that these people are really accomplices of the fraudsters, come to take away the stolen goods.
• The fraudsters are counting on card owners not discovering the scam early. Card owners would only come to know of the scam if they check their credit card account statements and discover the suspicious transactions.
• This gives one more reason to keep a close watch on your account statement. Noticed early, it can become an opportunity to set a trap for the fraudsters and turn the tables on them.

What to do if you are victim of CCF
• When you use a credit card, you can be vulnerable to fraud, whether you pay online, over the phone, or even in person at your neighborhood grocery store.
• If you think you have been the victim of fraud or a scam, immediately follow these steps:
– Close any affected accounts
– Change the password on all your online accounts
– Place a fraud alert on your credit reports
– Contact the proper authorities
– Record and save everything

How to make out counterfeit cards:
• Crime syndicates use the latest technology, including computers, embossing and lamination, to create more realistic looking credit cards. Today’s counterfeit credit card will often have a complete hologram and a fully encoded magnetic strip. Most of the tools used to create counterfeit cards are manufactured in the Far East and smuggled to developed and developing countries throughout the world. To the untrained eye these cards will appear to be completely legitimate.
• Holograms of different cards are unique: in most instances the hologram on a counterfeit card is fixed on top of the card, whereas the legitimate hologram is embedded in the plastic during the manufacturing process.
• The white strip that carries your signature on the card should never be plain white. It always has ‘Visa’ or ‘MasterCard’ printed across it in small print, many times over.
• It is a clear sign of a fake card even if this print is unclear or smudged.
• When placed under UV light, a large image of a white dove or the letters MC show up respectively on the card, according to it being a Visa or MasterCard.
• Genuine cards also feature micro printing on them: what looks like a thin line to the naked eye turns out to be really fine printing when looked at through a magnifying glass. This feature is especially important as it’s very hard to imitate using ordinary printing equipment.

Why people don’t report credit card frauds

Problems in fixing criminal which enhances this crime and new methods to overcome it
• The challenge with credit card fraud is that it is typically an interstate fraud, meaning it happens from one state to the next, so the cost and time to prosecute typically exceed the value of the crime itself: it would cost more to extradite a person, even across the country, than the amount involved in a crime that is typically no more than a few thousand (for small-scale Indian fraudsters), if not a few hundred, dollars.
• The reality: identity theft and online credit card fraud are reaching epidemic proportions, and local law enforcement, no matter how much they want to, just don’t have the resources to enforce interstate crimes.
• Online Credit Card Offence & Indian Law:
– Indian legal position: Any offence pertaining to online payment through credit cards will come within the purview of the Information Technology Act, 2000 read with relevant provisions of the Indian Penal Code, 1860. Section 378 of the Code defines the term “theft” as follows:
– “Whoever intends to take dishonestly, any property, out of the possession of any person without the consent of that person moves the property in order to such taking, is said to commit theft.”
In order to commit theft, the following ingredients are required to be satisfied:
– (a) The intention must be dishonest.
– (b) Such property must be movable in nature.
– (c) Such property must be taken out of the possession of its owner.
– (d) Such property must be taken without the consent of the owner.
– (e) Such property must be removed from its original place to another.
Now we have to examine whether online credit card theft satisfies the abovementioned requirements in order to bring the offender to justice. This definition, if interpreted in a strict sense, does not include the online theft of credit card information.
But if a merchant dishonestly obtains the blank purchase slip, forges the cardholder’s signature on it and thereafter obtains the payment from the bank, he can be booked under the offence of forgery (discussed later). Thus, if there is no intention to deceive (intention is difficult to prove) or secrecy, the act, though dishonest, is not fraudulent. Intent to defraud: not a bare intent to deceive, but intent to cause a person to act or omit to act, as a result of deception played upon him, to his disadvantage.

IT Act 2000 for action against CCF:
• To deal with CCF, our Parliament enacted the Information Technology Act in the year 2000. The following penal provisions of this statute are relevant here.
• Section 66 - This section provides the following penalties for hacking with computer systems:
– Whoever, with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person, destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hacking.
– Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.
• The offence under this Section is cognizable and non-bailable.
• Section 43 - Clauses (a), (b) and (g) of Section 43 state that if a person has unauthorized access or secures access to a computer, computer system or computer network, or downloads, copies or extracts any data from such computer, computer system or computer network, or even assists another person to facilitate access in the aforesaid manner respectively, he shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.
• It is quite apparent from the above that, besides legal protection, it is necessary to carefully examine the technological and contractual protection existing within the system, because law is not an alternative to other security measures required to be taken by the cardholder while making online payment.

Definitions in IPC
• This offense also attracts provisions of Maharashtra Control Of Organized Crime Act (MCOCA)
• Counterfeit (28) – Ingredients:
  – Causing 1 thing to resemble another thing
  – Intending by means of that resemblance to practice deception
  – Knowing it to be likely that deception will thereby be practiced
• E-record (29A) - 2(1)(t) of IT Act 2000
• Criminal conspiracy ingredients:
  – There should be agreement between 2 or more persons who are alleged to conspire
  – The agreement should be to do/caused to be done:
    - An illegal act
    - An act which may not itself be illegal, by illegal means
• Injury (44)
• Property-movable (22) - credit card
• Dishonestly (24)
  – Whoever does anything with intention of causing wrongful gain to one person or wrongful loss to another person is said to do that thing dishonestly
  – Wrongful gain and wrongful loss (23) - person who acquires wrongfully is wrongful gainer and person deprived wrongfully is wrongful loser
• Fraudulently (25)
  – As defined in Law of contract
  Three ways to do fraud:

Definitions in IPC

Dishonestly (Sec 24)
§ Whoever does anything with intention of causing wrongful gain to one person or wrongful loss to another person is said to do that thing dishonestly
§ Wrongful gain and wrongful loss (23) - person who acquires wrongfully is wrongful gainer and person deprived wrongfully is wrongful loser

Fraudulently (Sec 25)
§ As defined in Law of contract
Three ways to do fraud:
§ Deprive man of his right, either by obtaining something by deception or taking something wrongfully without knowledge or consent of the owner
§ To withhold wrongfully from another what is due to him
§ To defeat or frustrate wrongfully another’s right of property

Counterfeit (Sec 28)
§ Forged
§ Ingredients:
  • Causing 1 thing to resemble another thing
  • Intending by means of that resemblance to practice deception
  • Knowing it to be likely that deception will thereby be practiced

E-record (29A) [2(1)(t) of IT Act 2000]
Any record in electronic form

CCF also attracts
§ Criminal conspiracy, which has ingredients:
  § There should be agreement between 2 or more persons who are alleged to conspire
  § The agreement should be to do/caused to be done:
    § an illegal act
    § an act which may not itself be illegal, by illegal means
• Provisions of Maharashtra Control Of Organized Crime Act (MCOCA)
• Injury

Sections of IPC attracted for CC Fraudsters
• Sec 21 defines public servant, i.e. any employee of a public sector undertaking (under control of State/central govt.) (r.w. Article 12 of the Constitution of India), i.e. employees of all scheduled banks and co-operative banks are public servants
• Sec 34 (act done by several persons in furtherance of common intention)
  – Each person is liable in same manner as if it were done by him alone
• Sec 201 (Causing disappearance of evidence of offence or giving false information to screen offender)
  – If less than 10 years then 1/4th of longest term of imprisonment for offence and/or fine
• Sec 407 (criminal breach of trust by carrier)
  – Punishment: 7 years imprisonment and fine
• Sec 420 (cheating and dishonestly inducing delivery of property)
  – Punishable up to 7 years imprisonment and fine
• Sec 466 (Forgery of public register - any data or electronic records (as defined in clause ‘r’ of section 2(1) of IT Act 2000) (cc number in e-form) to be kept by the public servant (banker))
  – Punishable for 7 years RI and fine
• Sec 467 (Forgery of valuable security - bill etc)
  – Punishment: life imprisonment or 10 years imprisonment and fine
• Sec 468
  – Punishment: 7 years RI and fine
  – Cognizable, non-bailable offence, triable by Magistrate of 1st class, non-compoundable
• Sec 470 defines forged document or e-record - wholly or partly
• Sec 471 (using as genuine a forged (document or e-record))
  – Punishment same as if he has forged (467)
• Sec 474 (having possession of document described in sec 466 and 467, knowing it to be forged and intending to use it as genuine)
  – Punishment:
    • 7 years imprisonment and fine or
    • life imprisonment
• Sec 475 (possessing counterfeit marked material (plastic card))
  – Punishable for life imprisonment or 7 years imprisonment and fine
  – Non-cognizable
• Sec 476 counterfeiting device or mark used for authenticating documents other than described in sec 467
  – NC, NB
  – Possession of any such device counterfeited punishable for 7 years and fine
• Sec 477-A Falsification of accounts with intent to defraud (i.e. e-record etc) by clerk, officer, servant
  – Punishable for 7 years and fine
• Sec 409 (criminal breach of trust (defined in sec. 405 IPC) by banker/agent/merchant)
  – Punishment is prescribed (for misappropriation of funds) as:
    • life imprisonment or
    • imprisonment of 10 years and fine

Problems in fixing criminal which enhances this crime and new methods to overcome it.. contd (due to Criminal Jurisprudence)
§ Any quantum of suspicion cannot be a substitute for evidence (SC ruling; a Supreme Court ruling is the law of the land under Article 141 of the Constitution of India, and a judge is duty bound to decide the case based on law).
§ Benefit of doubt must go to the accused in criminal proceedings. Therefore, the strategy of defense counsel is to shed doubt on the evidence and take his client out of the clutches of law.
§ Every link between crime and criminal must be established. The strength of the chain is just that of the weakest link in the chain.
§ It must be proved beyond shadow of reasonable doubt, which is a very difficult task for the prosecution. The burden of proof is totally on the prosecution.
§ If there is circumstantial evidence only, then it must be of such a nature that it leads to one and only one inescapable inference about the criminality of the accused. (This is also very difficult to prove.)
§ Accused should be treated innocent till proved guilty - this principle of criminal jurisprudence should be changed to the strict criminal liability principle, i.e. the burden of proving innocence should be on the accused, as in food adulteration cases.

Future!.. If no proactive steps taken (Courtesy: Niculae Asciu)

Videos of credit card frauds tools

Conclusion
• This crime is spreading like jungle fire throughout the world, especially in developed countries. India is a developing country, and we should prevent this epidemic from harming the economy, timely and vigilantly.
• In India, credit card fraud is mostly limited to the physical space. Online con jobs make up just about 1% of the total numbers here, unlike 40% in the developed world.
• All parties to credit card transactions are at risk when it comes to the hacking of credit card numbers. It is incumbent on the credit card associations to implement and enforce stricter rules regarding security and data protection practices by card issuers, merchant acquirers, processors, merchants and any other entities that manage or store card numbers on their servers. The card associations should also implement and enforce new rules that protect consumers from identity theft and credit reporting misinformation that can result from credit card fraud. Otherwise, consumer groups will force protective legislation in a lengthier and costlier process.
• But as consumers graduate to the shop-easy internet and pay with their cards, instances of fraud are bound to rise. As access to the web increases, reported cases of card fraud are estimated to rise at 20-30% every year. In online transactions, contracts are one-sided and the customer is always held responsible in case of fraud.
• Phishing is a commonly used defrauding mechanism. To top it, people are careless in offering their card details.
• Thus, we can conclude that with the help of the legal remedies available, as cited earlier in the paper, legal action can be brought against the offenders who are held liable for credit card frauds and misuse, and they can be brought to book.

Thanks!

