Monday, October 26, 2015

Recent patterns of credit card fraud

The U.S.A. is finally in the process of introducing credit cards containing microchips, in addition to the use of magnetic stripes. These have been widely available elsewhere for a number of years, particularly in the European Union. These chips are used to verify the PIN code entered during transactions, and thus provide an extra level of security against fraudulent use of the cards (in preference to the use of magnetic stripes plus signatures). Unfortunately, the U.S. is introducing a watered-down level of security, in which a signature can be used instead of the PIN code; this achieves very little in the way of extra security (see "That big security fix for credit cards won't stop fraud").

Even in the face of chip-and-PIN security, card fraud cannot be completely stopped, of course. For example, a recent pre-print by Houda Ferradi, Rémi Géraud, David Naccache and Assia Tria ("When organized crime applies academic results: a forensic analysis of an in-card listening device") describes a 2011 case where the in-card chip was by-passed by an extra chip, which approved any entered PIN (for a non-technical explanation, see "X-ray scans expose an ingenious chip-and-pin card hack"). Nevertheless, such cases currently seem to be the exception rather than the rule.

We can investigate recent patterns of credit and debit card fraud using the U.K. as an example. There are regularly updated data in the annual "Fraud The Facts" booklets produced by the UK Cards Association and Financial Fraud Action UK. I have compiled the data for the years 1999-2014 inclusive, so that we can look at the past 16 years using a phylogenetic network. The data include five types of fraud (listed in order of decreasing average frequency):
  • Remote purchase (card not present) = phone, internet and mail-order purchases
  • Counterfeit card
  • Lost or stolen card
  • Card ID theft
  • Card non-receipt = card stolen in the mail

As usual, the network is being used as a form of exploratory data analysis. I first used the Manhattan distance to calculate the similarity of the different years, based on the frequencies of the five fraud types. This was followed by a neighbor-net analysis to display the between-year similarities as a phylogenetic network. So, years that are closely connected in the network are similar to each other based on their fraud frequencies, and those that are further apart are progressively more different from each other.
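The distance step described above can be sketched as follows. This is an added example, not code or data from the original post: the yearly figures are constructed for illustration, the function names are hypothetical, and the NEXUS distances block is assumed as the hand-off format for neighbor-net software (the post does not say which program was used).

```python
from itertools import combinations

# Column order follows the post's list of fraud types.
FRAUD_TYPES = ["remote_purchase", "counterfeit", "lost_stolen",
               "id_theft", "non_receipt"]

# Constructed figures for illustration only (NOT the "Fraud The Facts" data).
SAMPLE = {
    "Y2004": [150, 130, 115, 37, 73],
    "Y2008": [330, 170, 54, 48, 10],
    "Y2011": [220, 36, 50, 23, 11],
    "Y2014": [330, 48, 59, 30, 10],
}

def manhattan(a, b):
    """Sum of absolute per-type differences between two years."""
    if len(a) != len(b):
        raise ValueError("vectors must have the same length")
    return sum(abs(x - y) for x, y in zip(a, b))

def distance_matrix(table):
    """Return sorted year labels and a symmetric dict of pairwise distances."""
    labels = sorted(table)
    dist = {(a, a): 0 for a in labels}
    for a, b in combinations(labels, 2):
        dist[a, b] = dist[b, a] = manhattan(table[a], table[b])
    return labels, dist

def nearest_year(table, year):
    """The year most similar to `year` (smallest Manhattan distance)."""
    labels, dist = distance_matrix(table)
    return min((l for l in labels if l != year), key=lambda l: dist[year, l])

def to_nexus(table):
    """Serialise the matrix as a NEXUS taxa + distances block."""
    labels, dist = distance_matrix(table)
    lines = ["#NEXUS", "BEGIN taxa;", f"  DIMENSIONS ntax={len(labels)};",
             "  TAXLABELS " + " ".join(labels) + ";", "END;",
             "BEGIN distances;", f"  DIMENSIONS ntax={len(labels)};",
             "  FORMAT triangle=both diagonal labels;", "  MATRIX"]
    for a in labels:
        row = " ".join(str(dist[a, b]) for b in labels)
        lines.append(f"    {a} {row}")
    lines += ["  ;", "END;"]
    return "\n".join(lines)

if __name__ == "__main__":
    print(to_nexus(SAMPLE))
```

With these constructed figures, the year nearest to Y2014 is Y2011 rather than Y2008, because the large gap in the counterfeit column outweighs the identical remote-purchase values.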

The pattern is basically an increasing incidence of fraud through time from top to bottom in the network, due almost entirely to a rapid increase in Remote-purchase fraud. However, this trend was reversed after 2008, followed by a return from 2011 onwards.

However, the time trends are not the same for each fraud type. The incidence of fraud involving Card-ID theft remained relatively steady through time. On the other hand, the incidence of both Card non-receipt fraud and Lost / stolen card fraud dropped after 2004 and they have stayed low since then. Counterfeit-card fraud dropped after 2008, and has stayed low since then. Finally, Remote-purchase fraud also dropped after 2008, but rose again in 2012 and has continued to increase. The latter has been almost entirely due to e-commerce fraud (rather than phone or mail-order).

The drop in certain types of fraud in 2004 seems to have been due to increasing use of sophisticated fraud-screening detection tools by retailers and banks, such as the integrated chip and PIN technology. These help deal with counterfeiting and loss / theft. From 2008, there was growth in the use of the American Express SafeKey, MasterCard SecureCode and Verified by Visa systems, by both online retailers and cardholders. This helps deal with e-commerce security. Finally, a "Be Card Smart Online" campaign was launched in the U.K. at the end of 2008, which provides consumers with straightforward practical tips to help them shop safely on the internet.

The recent dramatic increase in e-commerce fraud is attributed to criminals changing their strategies to target this opportunity. For example, they now need to obtain both card numbers and PINs, and are applying methods to do so. Hardware modifications can also be used, such as the one mentioned above.

Not unexpectedly, the greatest amount of both overseas fraudulent use of U.K. cards, and fraudulent use of foreign cards in the U.K., involves the U.S.A. This is because Americans have only belatedly started using chipped cards, as noted above.

Good, practical advice about minimizing fraudulent use of your cards is given in the current (2015) booklet, irrespective of which country you live in.
