Credit Card Payment Fraud & How to Avoid Theft

Security and compliance often appear to go hand-in-hand these days. Problematically, many companies start with compliance then reverse-engineer security in a nearly futile attempt to protect data. In the payment card industry, the Payment Card Industry Security Standards Council (PCI SSC) established PCI Data Security Standard (PCI DSS) which sets the “gold standard” for compliance. Meanwhile, despite meeting the compliance standard, cardholder data (CD) remains a primary target for cybercriminals. By understanding the seedy underbelly known as the Dark Web and the way Cybercrime-as-a-Service (CaaS) works, merchants and payment card processors can better secure CD from fraud and theft.

What is payment card fraud and why is card information so valuable?

Payment card fraud, also known as credit card fraud, is defined as the unauthorized use of a credit card, debit card, or similar payment instrument. Cybercriminals use stolen payment data to take money or property from their victims. Credit and debit card numbers can be harvested from unsecured websites or obtained through identity theft schemes such as phishing and social engineering.

Cardholder data is defined as the primary account number (PAN) together with any of the cardholder name, expiration date, or service code. Because it is personally identifiable information (PII), the data that cybercriminals extract from breaches lets them open fraudulent accounts, make fraudulent purchases, or steal identities.
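Because the PAN is the element that turns a record into cardholder data, a practical defensive check is to find PANs that have leaked into places they should not be, such as application logs, and mask them. The following example is added here and is not code from the original post: it scans constructed sample log lines (the card numbers are public test numbers, not real accounts), keeps only digit runs that pass the Luhn check so that order ids and timestamps are left alone, and masks each PAN down to its last four digits.

```python
import re

# Constructed sample log lines, not taken from the original post.
# 4111111111111111 and 5555555555554444 are well-known public test PANs.
SAMPLE_LOG = """\
2019-06-01T10:02:11Z INFO  checkout ok pan=4111111111111111 exp=12/23 name=J. Doe
2019-06-01T10:02:12Z DEBUG order_id=1234567890123 amount=19.99
2019-06-01T10:02:13Z WARN  retry pan=5555-5555-5555-4444
"""

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Return True when the digit string passes the Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep only the last four digits; PCI DSS permits at most first six/last four on display."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_line(line):
    """Mask every Luhn-valid PAN in one line; return (new_line, number_of_pans_found)."""
    count = 0

    def repl(match):
        nonlocal count
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)   # numeric but not a PAN (e.g. an order id)
        count += 1
        return mask_pan(digits)

    return CANDIDATE.sub(repl, line), count


def redact_log(text):
    """Apply redact_line to every line; return (redacted_text, total_pans_found)."""
    out, total = [], 0
    for line in text.splitlines():
        new_line, n = redact_line(line)
        out.append(new_line)
        total += n
    return "\n".join(out), total
```

Running `redact_log(SAMPLE_LOG)` masks both test PANs and reports two hits while leaving the thirteen-digit order id untouched, since it fails the Luhn check.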

Payment card fraud statistics

The statistics indicate that while overall fraud decreased in 2018, evolving attack techniques continue to undermine the data security measures of merchants and vendors.

  • New account fraud increased from $3 billion in 2017 to $3.4 billion in 2018
  • Worldwide payment card fraud losses reached $27.85 billion in 2018 and are forecasted to reach $35.67 billion in five years and rise to $40.63 billion in 10 years
  • The U.S. accounted for $9.47 billion in fraud losses in 2018
  • The United States led fraud losses, accounting for 38.6 percent of global losses
  • Credit card fraud accounted for 35.4 percent of all identity theft fraud in 2018
  • Mobile phone account takeovers increased from 380,000 in 2017 to 679,000 in 2018
  • Data breaches resulting in record exposure increased 54 percent year over year in 2019

Thus, while merchants, vendors, and payment card processors attempt to protect cardholder data, they continue to find themselves at the mercy of cybercriminals.

Types of credit card fraud

In-person card theft strategies

  • Physically stealing a credit card
  • Finding and utilizing a lost or misplaced card
  • Making counterfeit cards using skimmer technology to steal legitimate card information and create duplicate cards

Digital payment theft strategies

  • SQL injections
  • Malware infections
  • Social engineering attempts
  • Phishing schemes
  • Leveraging unprotected backups
  • Targeting vulnerable third-parties for purposes of a data breach
  • Account hacking and account takeover
  • Committing identity theft using fraudulent credit applications to apply for new credit in the victim’s name using stolen data

What is the value of payment card data on the Dark Web?

As CaaS becomes more popular, cybercriminals no longer need to be highly technical. On the Dark Web, cybercriminals can purchase tools that simplify data breach attacks.

For example, account checkers are software, purchasable on the Dark Web, that validate whether a username is active. Phishing kits are downloadable packages of prebuilt code that let cybercriminals deploy an attack with little effort. Additional tools include merchant checkers, automated attack scripts, and leaked shop scripts.

PII and CD remain valuable underground commodities because they are low cost and high impact. According to Privacy Australia, different information levels have different values:

  • Credit Card Details:
    • With CVV: $5
    • With Bank Identification Number: $15
    • With Full Information: $30
    • Untested Card: $10-20
  • Online Payment (i.e. PayPal) Login Information: $20-$200

The different types of information bought and sold on the Dark Web enable different levels of fraud. The CVV, the three-digit code on the back of a credit card, allows the cybercriminal to access funds or buy items for later resale. Online payment login information, meanwhile, is often linked to bank accounts or social media accounts, which lets cybercriminals not only make fraudulent purchases but also commit identity theft and harvest further login credentials.
