Remember Card Fraud?

I’m getting nostalgic for the days of card fraud and the Cold War.

In his fascinating autobiography Tough Guy (which ends with his prison conversion to Judaism!), the former Gambino crime family mobster Louis Ferrante gives a wonderful description of card fraud in the years before mobile phones, Transport Layer Security (TLS) and TikTok. Back in the day, Louis’ enterprising confederates had discovered that you didn’t need to be able to forge cards terribly well to enter the counterfeiting business, provided you had the right collaborators…

For years I made big wood with Sonny’s “dupes”, phoney credit cards with real numbers. He sold them to me for a hundred bucks a piece. Sonny had salespeople in retail stores on the take, boosting charge card receipts… I’d visit a jeweller who was in on the scam and buy a Rolex. If the watch retailed for five grand, I’d tell him to hit the card for ten. I’d leave with the watch. He’d made money. Both of us happy.

What the wise guys, as I believe they are known, really wanted though, rather than Rolex watches and the like, was cash. Card fraud was a means to that end.

If I knew a guy who sold stuff I didn’t want, like Paulie Flowers, I’d work out a cash split. I’d show up and tell him “hit my card for four grand, keep two and give me two when you get paid”. He’d tell the card company he’d delivered arrangements to a wedding, and send them a phoney bill of sale, and that was that.

Things have changed since then. At the time that the US Credit Card Fraud Act (1984) was passed — which included the provision that the use of an account number, without the card itself, could constitute credit card fraud — petty crimes constituted the majority of credit card fraud incidents but organised crime was already accounting for half of the losses.

Since then, organised crime has followed the finance sector and globalised. It’s no longer opportunistic exploitation and getting some Saturday Night Fever spending money, it’s about investment and return on investment. You do have to wonder though, in a world where a single decentralised finance hack can net $600 million+ and Bitcoin ransomware is pulling in more than $5 billion per annum, is it still a good investment?

It appears so. In the UK, credit card fraud rates have now reached a five-year high as criminals exploit social media more and more effectively. The European Central Bank’s most recent report on card fraud, from October 2021, calculates losses at around 3.6 basis points (of which 80% comes from “card not present” transactions) which appears manageable. It all adds up though. According to The Nilson Report, card fraud will mean over $400 billion in losses globally over the next decade. They estimate that by 2030, when total payment card volume is expected to hit a whopping $79 trillion, the industry will lose an estimated $49 billion to fraud (around six basis points).

The US, as always, accounts for a much bigger share of card fraud than card volume (although that share has fallen over the years because of chip & PIN and other countermeasures). Last year it was a fifth of world card volume but a third of world fraud. By 2030, US fraud losses are expected to increase their share of the pie to $17 billion in a total card volume of nearly $19 trillion.

Those figures sound huge, but by comparison with the losses in Louis’ day, they are manageable. The invention of tamper-resistant chips, PINs, 3D Secure, online authorisation, tokenisation and so on means that while card fraud might sound enormous it is down to a few basis points compared to the 14 basis points and climbing that we saw in the UK before we began the transition to chip and PIN.

New Kids

What is making me nostalgic about those early days of magnetic stripes and floor limits? They were simpler times, and I miss them and the times when I consulted to card issuers on chip strategies, just as I miss the Cold War when I consulted to NATO. But, more specifically, we are now in a new era where payment card fraud is no longer the biggest problem in retail payments.

Last year, authorised push payment (APP) fraud – that is, direct from account frauds where consumers are tricked into authorising transfers – rose by three quarters and in the UK the losses due to this instant payment fraud now exceed the losses due to card fraud.

This, however, is a fraud that I as a consumer do have to care about. The comforts afforded card users are noticeably absent in the post-card world. The New York Times reports on a consumer who lost $500 to a scammer impersonating a Wells Fargo official. The consumer, a longtime Wells Fargo customer who had immediately reported the Zelle-powered scam, assumed that the bank would refund the money but the bank said (correctly) that since the consumer had authorised the transaction (which he had), it wasn’t from their point of view fraudulent.

(Unfortunately, account-to-account payment has become a focal point for a variety of grifters including dating app delinquents, cryptocurrency con artists and those who prowl social media sites advertising concert tickets and purebred puppies only to disappear with buyers’ cash after they pay – indeed, a good friend of mine was caught out by just such a scam last year.)

If you think that instant payments fraud is a disaster, hold on to your hat. In the UK, card fraud and APP fraud and other vanishing crimes such as cheque fraud didn’t add up to a billion last year, a figure that pales into insignificance when set against the backdrop of the wider fraud landscape. Across the UK, fraudsters might have stolen as much as £37 billion of pandemic support funds from the taxpayer, according to analysis by University of Oxford researchers!

Similarly terrifying figures can be seen in the US, where as much as $80 billion – or about 10 percent – of the $800 billion Paycheck Protection Program was pilfered. That’s on top of the $90 billion to $400 billion that NBC News report was stolen (at least half taken by international fraudsters) from the $900 billion Covid unemployment relief program in addition to something like another $80 billion looted from a separate Covid disaster relief program. NBC quote Justice Department Inspector General Michael Horowitz, who oversees Covid relief spending, as saying that Covid relief programs were structured in ways that made them “ripe for plunder” and Matthew Schneider, a former U.S. attorney from Michigan calling out “the biggest fraud in a generation”.

Action Stations

When card fraud was spiralling out of control, the industry responded with chip and PIN, EMVCo and 3D Secure. So what is going to stop all of these new frauds from spiralling out of control now? Well, my view has always been that the real problem is identity and that banks should work together to provide the crucial digital identity that society needs to transact in safety. This is why I was so interested to see that Early Warning Services (EWS) and seven of the largest banks in the US have launched Authentify, a new identity verification service for consumers and businesses.

When consumers visit a participating site, they can choose to be redirected to log in via their bank and then share their bank-trusted data with that company, giving a safe and secure means of identity verification. The bank will encrypt the data and pass it to the business (or government department, or whoever) so that consumers can access services using personal information that the recipient can have confidence in.

This is a significant announcement. As Tom Noyes succinctly responded to the launch, banks have largely lost their data advantage in consumer identity. Authentify is their opportunity to regain ground from Big Tech. As a consumer, I’d much prefer to log in to access pandemic support using my bank log-in and, since my bank is a regulated institution with some experience in security, would trust them to look after my data properly and not get hacked all the time. On the other side, the government department could trust that I am a real person and that the data they receive is valid.

It makes sense and is a long-overdue move. But it may have implications beyond applying for loans. A bank log-in is valuable, even if no personal information is shared. Imagine seeing a green tick on a social media site or on an internet dating site or on the Companies House register or on an online marketplace. It would tell you that the account is a real person who logged in via their bank. You would not know who they are, or which bank, or anything else about them, but you would know that they are real and that a bank, thanks to rigorous KYC, knows who they are if they break the law.

The advantages of a working digital identity infrastructure extend beyond the exchange of validated personal information.
