CRIMINALS AND PAYMENT SYSTEMS

1
CRIMINALS AND PAYMENT SYSTEMS

• Michael Levi
• Professor of Criminology
• Cardiff University

2
Risks and Prevention Strategies

• Analyse interaction between
• Outcome of free development of services in a
  market society
• Behavioural opportunities of those who are
  motivated to defraud
• Payment system fraud is and will remain only a
  small proportion of fraud losses
• Different frauds require different technical,
  cognitive and social skills, and networks

3
Whose Security Needs Assurance?

• Current and future consumers using payment
  methods
• Issuers of cards and other methods of payment
• Acquirers of merchant transactions
• Retailers (Card-Not-Present unguaranteed cheque
  acceptors)
• Actual or potential victims of crime committed in
  order to get cards or other forms of payment

4
Survey data on computer fraud

• 74 acknowledged financial losses (Computer
  Securities Institute 2000)
• 273 (42) were willing and/or able to quantify
  their financial losses, totalled 265.6 million
• most serious financial losses occurred through
  theft of proprietary information (66 respondents
  reported 66.7 m.) and financial fraud (53
  respondents reported 56 m.)

5
Net-fraud on individuals

• Internet Fraud Watch alarming rise in the number
  and proportion of Internet frauds arising from
  on-line auctions where goods are generally paid
  for by cheque or money order rose from 26 of
  frauds in 1997 to 68 in 1998 and 87 in 1999
• total fraud complaints rose tenfold 97-99
• In 1999, the IFW reported that consumers lost
  over 3.2 million to Internet fraud.
• FSA - no on-line investment fraud yet.

6
Public/Private Interests

• Global utilisability leads to vulnerability if
  uneven fraud reduction measures
• Some frauds do not affect direct consumer
  insecurities and interests
• Card nos. generated by Internet schemes
• Fraud applications from wholly fake ID
• But conflicts between retailers, acquirers and
  issuers over who pays
• Other frauds include theft of consumer ID and
  impersonation or account take-over
• Real personal trauma for victims
• Insecurity about internet card payments

7
The Criminal Business Plan

• Get hold of cards or card-like instruments
• Applications fraud to obtain genuine cards
• First party fraud on existing card
• Steal unsigned card before receipt
• Steal card in course of crime or finding one
• Collect card details in course of business
• Use Internet generator for valid BINs
• Counterfeit card to level to deceive an honest
  reasonably vigilant merchant
• Counterfeit card to deceive remote terminal/person

8
Criminal business plan II

• Use card/card ID/cheque for cash, goods, and
  services
• With knowledge of merchant
• Without merchant collusion
• Exchange goods for cash, drugs and social credit

9
Displacement/Expansion Risks

• Cognate criminal transferable risk arenas
• Business cheque fraud
• Other credit/loan applications
• Mobile phones - using stolen or counterfeit cards
  to make calls and access rapidly growing range of
  services
• Mortgage fraud
• Social security fraud
• Upwards trend in no. of attempted frauds
• Same fraudsters engaging in a range of
  application fraud activities

10
Fraud Losses UK 91-99
11
(No Transcript)
12
(No Transcript)
13
Fraud Security - Plastic Non-Plastic Fraud
                                               
                                                  
                                                  
             
14
Key Issues in Fraud Reduction

• We will never eliminate payments fraud
  altogether because of global risk and cost
  effectiveness considerations, but
• Increase the perceived effort of crime
• Increase the perceived risks from crime
• Reduce the anticipated rewards from crime
• Reduce the excuses for crime

15
Key Reduction Initiatives I

• Encourage applications data sharing across
  private and public sector
• Share all stolen ID documents on common checkable
  database (e.g. Netherlands system)
• Smart cards to reduce counterfeit cards utility
• Random BIN issues to make fraudsters work harder
  to get valid number
• PIN/biometrics to authenticate users in person
  and remotely for Internet buying
• Check merchant integrity/solvency/fraud rates
  incapacitate by blacklisting
• Better information to merchants to check ID for
  Card Not Present cases

16
Key Reduction Initiatives II

• Speed up reporting by card theft victims
• Speed up and extend stolen hot card files
  internationally
• Proactively monitor transaction patterns to check
  if card stolen/counterfeited
• Increase downside risks for fraudsters to make
  crime more of a gamble

17
The Impact of Technology

• Validate the card in person or on the net
• Validate the user (ID scoring) w/out paper
• Validate creditworthiness
• Where prevention fails, link persons to events by
  forensic methods or stored CCTV (data protection
  rules on length)
• But doesnt work well for remote transactions
• Blackmail/collusion with insiders remains
• But technology cannot prevent authorised senior
  executives from transferring large sums to their
  nominees overseas!