In Skyfall, James Bond put aside the invisible cars and exploding pens from previous films, and set about defeating the villain with old-fashioned guns and handmade bombs. This gadget-light approach also characterizes the real-world villains who are perpetrating credit card fraud.
At a recent meeting of the FICO Fraud Forum — our fraud consultants, modellers and product specialists from around the world — it was observed that criminals in the U.S. and Europe who have been thwarted by the sophistication of anti-fraud technology are going back to some very basic techniques. As my colleague Martin Warwick noted, there is more trickster and confidence fraud today, as criminals look to get good information out of unsuspecting cardholders.
We have seen a rise in phishing and vishing in both regions. Social engineering is seeing a sharp increase in Europe and the U.S. too — in other words, getting the cardholder’s data from them directly, or even from a bank’s offshore service providers, who may not have the same level of fraud prevention measures in place.
One of the relatively prevalent schemes in recent times demonstrates this low-tech approach. You get a phone call from a person who says they are a representative of your bank, and that there has been suspicious activity on your card. The person then asks some “security questions” before divulging any specific account information. Some unsuspecting customers provide answers in good faith; others who are unwilling to do so are encouraged to phone their bank back on a telephone number the customer trusts. You hang up, but the other person doesn’t. They wait for you to pick up again and play a dial tone sound, and after you dial you are “connected” to your bank, only it’s the same call. The person (or a substitute) takes the call, and asks for your card and personal security details to identify you. They can then use this information to access the customer’s true account records, to fabricate cards for use in non-chip-and-PIN environments, and even to make large payments. In the worst and most insidious cases, fraudsters specifically target elderly and wealthy customers and even make arrangements to send an accomplice to the home address to collect the card and the PIN for “forensic investigation” purposes whilst promising that a new card and PIN are on the way — a surprisingly simple and effective ruse to gain access to the customer’s money.
As I noted in a recent post, authentication is the new currency — if the thieves have enough information on you to pass a bank’s authentication measures, they can raid your accounts. Banks have a duty to let their customers know that the customers themselves are quite often the weakest link in the anti-fraud chain.