
Assignment on Credit card fraud & RBI guidelines.

Submitted by :-

Mitesh.S.Jain (E0714)

Ref :
http://en.wikipedia.org/wiki/Credit_card_fraud

http://comparecreditcard.wordpress.com/2008/09/15/important-rbi-guidelines-on-credit-cards-for-the-help-of-customers/

http://www.scambusters.org/CreditCardFraud.html

1. Introduction

Credit card fraud is a wide-ranging term for theft and fraud committed using a credit card or
any similar payment mechanism as a fraudulent source of funds in a transaction. The purpose
may be to obtain goods without paying, or to obtain unauthorized funds from an account.
Credit card fraud is also an adjunct to identity theft. According to the Federal Trade
Commission, while identity theft had been holding steady for the last few years, it saw a 21
percent increase in 2008. However, credit card fraud, that crime which most people associate
with ID theft, decreased as a percentage of all ID theft complaints for the sixth year in a row.

Contents

• 1 Origins
• 2 Stolen cards
• 3 Compromised accounts
    o 3.1 Card not Present
    o 3.2 Identity theft
        • 3.2.1 Application fraud
        • 3.2.2 Account takeover
    o 3.3 Skimming
    o 3.4 Carding
• 4 Profits, losses and punishment
    o 4.1 Detection and Punishment
    o 4.2 Credit card companies
    o 4.3 Merchants

Origins

The fraud begins with either the theft of the physical card or the compromise of data
associated with the account, including the card account number or other information that
would routinely and necessarily be available to a merchant during a legitimate transaction.
The compromise can occur by many common routes and can usually be conducted without
tipping off the card holder, the merchant or the issuer, at least until the account is ultimately
used for fraud. A simple example is that of a store clerk copying sales receipts for later use.
The rapid growth of credit card use on the Internet has made database security lapses
particularly costly; in some cases, millions[4] of accounts have been compromised.

Stolen cards can be reported quickly by cardholders, but a compromised account can be
hoarded by a thief for weeks or months before any fraudulent use, making it difficult to
identify the source of the compromise. The cardholder may not discover fraudulent use until
receiving a billing statement, which may be delivered infrequently.

Stolen cards

When a credit card is lost or stolen, it remains usable until the holder notifies the issuer that
the card is lost. Most issuers have free 24-hour telephone numbers to encourage prompt
reporting. Still, it is possible for a thief to make unauthorized purchases on a card until it is
canceled. Without other security measures, a thief could potentially purchase thousands of
dollars in merchandise or services before the cardholder or the card issuer realizes that the
card is in the wrong hands.

The only common security measure on all cards is a signature panel, but signatures are
relatively easy to forge. Some merchants will demand to see a picture ID, such as a driver's
license, to verify the identity of the purchaser, and some credit cards include the holder's
picture on the card itself. However, the card holder has a right to refuse to show additional
verification, and asking for such verification is usually a violation of the merchant's
agreement with the credit card companies. Self-serve payment systems (gas stations, kiosks,
etc.) are common targets for stolen cards, as there is no way to verify the card holder's
identity. A common countermeasure is to require the user to key in some identifying
information, such as the user's ZIP or postal code. This method may deter casual theft of a
card found alone, but if the card holder's wallet is stolen, it may be trivial for the thief to
deduce the information by looking at other items in the wallet. For instance, a U.S. driver
license commonly has the holder's home address and ZIP code printed on it.

Card issuers have several countermeasures, including sophisticated software that can, before
a transaction is authorised, estimate the probability of fraud. For example, a large transaction
occurring a great distance from the cardholder's home might seem suspicious. The merchant
may be instructed to call the card issuer for verification, or to decline the transaction, or even
to hold the card and refuse to return it to the customer. The customer must contact the issuer
and prove who they are to get their card back (if it is not fraud and they are actually buying a
product).

Compromised accounts

Card account information is stored in a number of formats. Account numbers are often
embossed or imprinted on the card, and a magnetic stripe on the back contains the data in
machine readable format. Fields can vary, but the most common include:

• Name of card holder
• Account number
• Expiration date
• Verification/CVV code

There have been high profile examples of companies being compromised resulting in large
scale identity theft, the largest to date being TJX.

Card not Present

The mail and the Internet are major routes for fraud against merchants who sell and ship
products, and this affects legitimate mail-order and Internet merchants. If the card is not
physically present (called CNP, Card Not Present) the merchant must rely on the holder (or
someone purporting to be so) presenting the information indirectly, whether by mail,
telephone or over the Internet. While there are safeguards to this, it is still more risky than
presenting in person, and indeed card issuers tend to charge a greater transaction rate for
CNP, because of the greater risk. To many people's surprise, telephone ordering is the most
risky, far more risky than the Internet.

It is difficult for a merchant to verify that the actual cardholder is indeed authorizing the
purchase. Shipping companies can guarantee delivery to a location, but they are not required
to check identification and they are usually not involved in processing payments for the
merchandise. A common recent preventive measure for merchants is to allow shipment only
to an address approved by the cardholder, and merchant banking systems offer simple
methods of verifying this information. Before this and similar methods were introduced, mail
order carding was rampant as early as 1992,[6] using a method in which the carder obtains
the credit card information for a local resident and intercepts expensive computer equipment
he ordered using the stolen card and shipped to the address, often by staking out the porch of
the residence.

Small transactions generally undergo less scrutiny, and are less likely to be investigated by
either the card issuer or the merchant. CNP merchants must take extra precaution against
fraud exposure and associated losses, and they pay higher rates for the privilege of accepting
cards. Scam artists bet on the fact that many fraud prevention features are not used for
small transactions.

Merchant associations have developed some prevention measures, such as single use card
numbers, but these have not met with much success. Customers expect to be able to use their
credit card without any hassles, and have little incentive to pursue additional security due to
laws limiting customer liability in the event of fraud. Merchants can implement these
prevention measures but risk losing business if the customer chooses not to use the measures.

Identity theft

Identity theft can be divided into two broad categories: Application fraud and account
takeover.

Application fraud

Application fraud happens when a criminal uses stolen or fake documents to open an account
in someone else's name. Criminals may try to steal documents such as utility bills and bank
statements to build up useful personal information. Or they may create counterfeit
documents.

Account takeover

Account takeover happens when a criminal tries to take over another person's account, first
by gathering information about the intended victim, then contacting their card issuer
masquerading as the genuine cardholder, and asking for mail to be redirected to a new
address. The criminal then reports the card lost and asks for a replacement to be sent.

Some merchants added a new practice to protect their consumers and their own reputation,
where they ask the buyer to send a photocopy of the physical card and statement to ensure the
legitimate usage of a card.

Skimming

[Figure: Electronic-type credit card skimming]

Skimming is the theft of credit card information used in an otherwise legitimate transaction.
It is typically an "inside job" by a dishonest employee of a legitimate merchant. The thief can
procure a victim’s credit card number using basic methods such as photocopying receipts or
more advanced methods such as using a small electronic device (skimmer) to swipe and store
hundreds of victims’ credit card numbers. Common scenarios for skimming are restaurants or
bars where the skimmer has possession of the victim's credit card out of their immediate
view.[7] The thief may also use a small keypad to unobtrusively transcribe the 3 or 4 digit
Card Security Code which is not present on the magnetic stripe.

Instances of skimming have been reported where the perpetrator has put a device over the
card slot of an ATM (automated teller machine), which reads the magnetic stripe as the user
unknowingly passes their card through it. These devices are often used in conjunction with a
pinhole camera to read the user's PIN at the same time.[8]

Skimming is difficult for the typical cardholder to detect, but given a large enough sample, it
is fairly easy for the card issuer to detect. The issuer collects a list of all the cardholders who
have complained about fraudulent transactions, and then uses data mining to discover
relationships among them and the merchants they use. For example, if many of the
cardholders use a particular merchant, that merchant can be directly investigated.
Sophisticated algorithms can also search for patterns of fraud. Merchants must ensure the
physical security of their terminals, and penalties for merchants can be severe if they are
compromised, ranging from large fines by the issuer to complete exclusion from the system,
which can be a death blow to businesses such as restaurants where credit card transactions are
the norm.
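
The issuer-side analysis described above is commonly called common-point-of-purchase analysis. The Python code below is an added example, not part of the original assignment or its sources; the card and merchant names, the dates, the 90-day lookback and the three-card minimum are constructed assumptions. It ranks merchants by how over-represented later-compromised cards are among their customers, so a merchant that is merely popular does not outrank the actual point of compromise.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data (not real cards or merchants).
D = date(2024, 3, 1)
TRANSACTIONS = (
    # Every card shops at the popular grocer.
    [(f"c{i}", "GROCER", D) for i in range(1, 11)]
    # Five cards were used at the bistro two days later.
    + [(f"c{i}", "BISTRO", D + timedelta(days=2)) for i in range(1, 6)]
    # c1 bought fuel only after its fraud had already started.
    + [("c1", "FUEL", D + timedelta(days=40)), ("c6", "FUEL", D), ("c7", "FUEL", D)]
)
# Cardholders who complained, with the date of the first fraudulent charge.
FRAUD_REPORTS = {f"c{i}": D + timedelta(days=30) for i in range(1, 5)}


def common_points_of_purchase(transactions, fraud_reports,
                              lookback_days=90, min_cards=3):
    """Rank merchants by how over-represented later-compromised cards are.

    Returns [(merchant, exposed_cards, exposed_rate, lift)], highest lift first.
    lift = share of the merchant's cards later reported / overall reported share.
    """
    window = timedelta(days=lookback_days)
    cards_at = defaultdict(set)    # merchant -> every card seen there
    exposed_at = defaultdict(set)  # merchant -> cards used there shortly BEFORE fraud
    all_cards = set()
    for card, merchant, day in transactions:
        all_cards.add(card)
        cards_at[merchant].add(card)
        fraud_day = fraud_reports.get(card)
        # Only purchases made before the first fraudulent charge can be the leak.
        if fraud_day is not None and timedelta(0) < fraud_day - day <= window:
            exposed_at[merchant].add(card)

    reported = all_cards & set(fraud_reports)
    if not reported:
        return []
    baseline = len(reported) / len(all_cards)

    ranked = []
    for merchant, exposed in exposed_at.items():
        if len(exposed) < min_cards:  # too few complaints to say anything
            continue
        rate = len(exposed) / len(cards_at[merchant])
        ranked.append((merchant, len(exposed), round(rate, 2),
                       round(rate / baseline, 2)))
    ranked.sort(key=lambda r: (-r[3], -r[1], r[0]))
    return ranked


if __name__ == "__main__":
    for row in common_points_of_purchase(TRANSACTIONS, FRAUD_REPORTS):
        print(row)
```

Both merchants were visited by the same four complaining cardholders; only the lift separates the bistro (four of its five cards compromised) from the grocer that every cardholder uses.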

Carding

Carding is a term used for a process to verify the validity of stolen card data. The thief
presents the card information on a website that has real-time transaction processing. If the
card is processed successfully, the thief knows that the card is still good. The specific item
purchased is immaterial, and the thief does not need to purchase an actual product; a Web site
subscription or charitable donation would be sufficient. The purchase is usually for a small
monetary amount, both to avoid using the card's credit limit, and also to avoid attracting the
card issuer's attention. A website known to be susceptible to carding is known as a cardable
website.
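
A merchant-side check for the card-testing pattern described above, written as an added Python example (not from the original assignment or its sources). The record layout, the 10-minute window, the three-card threshold, the 5.00 small-amount cutoff and the sample attempts are assumptions constructed for illustration; card values are opaque tokens, not card numbers.

```python
from collections import defaultdict, deque

# Constructed sample: (timestamp_seconds, source, card_token, amount, approved)
ATTEMPTS = [
    # One source pushes five different cards through 1.00 donations in ~3 minutes.
    (0,     "203.0.113.7",   "tok_a", 1.00, False),
    (45,    "203.0.113.7",   "tok_b", 1.00, True),
    (90,    "203.0.113.7",   "tok_c", 1.00, False),
    (140,   "203.0.113.7",   "tok_d", 1.00, False),
    (200,   "203.0.113.7",   "tok_e", 1.00, True),
    # A genuine customer mistypes the expiry date once, then succeeds.
    (30,    "198.51.100.20", "tok_z", 4.50, False),
    (60,    "198.51.100.20", "tok_z", 4.50, True),
    # A shared kiosk sees four cards, but hours apart.
    (0,     "192.0.2.44",    "tok_p", 2.00, True),
    (3600,  "192.0.2.44",    "tok_q", 2.00, True),
    (7200,  "192.0.2.44",    "tok_r", 2.00, True),
    (10800, "192.0.2.44",    "tok_s", 2.00, True),
]


def detect_card_testing(attempts, window_s=600, max_cards=3, small_amount=5.00):
    """Flag sources that try many distinct cards on small amounts in a short time.

    Returns {source: (distinct_cards, declines)} for the worst window seen.
    """
    recent = defaultdict(deque)  # source -> attempts inside the sliding window
    flagged = {}
    for ts, source, card, amount, approved in sorted(attempts, key=lambda a: a[0]):
        if amount > small_amount:
            continue  # this check targets the low-value probes only
        window = recent[source]
        window.append((ts, card, approved))
        # Drop attempts that have aged out of the window.
        while window and ts - window[0][0] > window_s:
            window.popleft()
        cards = {c for _, c, _ in window}
        if len(cards) > max_cards:
            declines = sum(1 for _, _, ok in window if not ok)
            flagged[source] = max(flagged.get(source, (0, 0)),
                                  (len(cards), declines))
    return flagged


if __name__ == "__main__":
    print(detect_card_testing(ATTEMPTS))
```

Counting distinct cards rather than attempts keeps a customer who retries one card out of the result, and the time window keeps a slow but legitimate shared terminal out as well.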

In the past, carders used computer programs called "generators" to produce a sequence of
credit card numbers, and then test them to see which were valid accounts. Another variation
would be to take false card numbers to a location that does not immediately process card
numbers, such as a trade show or special event. However, this process is no longer viable due
to widespread requirement by internet credit card processing systems for additional data such
as the billing address, the 3 to 4 digit Card Security Code and/or the card's expiration date, as
well as the more prevalent use of wireless card scanners that can process transactions right
away. Nowadays, carding is more typically used to verify credit card data
obtained directly from the victims by skimming or phishing.

A set of credit card details that has been verified in this way is known in fraud circles as a
phish. A carder will typically sell data files of the phish to other individuals who will carry
out the actual fraud. Market price for a phish ranges from US$1.00 to US$50.00 depending
on the type of card, freshness of the data and credit status of the victim.

Profits, losses and punishment



Who pays for credit card fraud? In the US the short answer is the merchant; in other countries
it is the card issuer, and in others the cardholder.

But even if the cardholder does not lose money, the inconvenience can be quite costly and
tiring. And credit card companies have to pay for preventing fraud while maintaining a good
customer experience.

Credit card companies like Visa and MasterCard receive revenue from every transaction,
typically 2% to 4% depending on the payment method. So they are motivated to increase the total
volume of transactions, and consequently pursue policies to increase the number of transactions. This
creates a conflict of interest for the credit card companies. On one hand they are obliged to
fight credit card fraud, but on the other hand policies against credit fraud may impose certain
restrictions that may negatively affect the number of transactions and cumulative transaction
volume. Besides, fraud investigation costs tend to be higher than the costs of write-off.

Detection and Punishment

In the US, people who commit credit card crime largely go unpunished and repeatedly
victimize consumers and businesses. The Secret Service handles crimes involving the U.S.
money supply; they have a limit of $150,000 before investigating each crime.
Most credit card criminals know this and keep purchases from any one business
below $150,000. Credit card fraud can be reported to the Federal Trade Commission (FTC)
and to local and regional authorities. It is the standing policy of the FTC not to investigate
reports where the value of fraud does not exceed $2,000. Local law enforcement may or may
not further investigate a credit card fraud, depending on the amount, type of fraud, and where
the fraud originated from.

Credit card companies


To avoid being "charged back" for fraudulent transactions, merchants can sign up for services
offered by Visa and MasterCard called Verified by Visa and MasterCard SecureCode. These
require consumers to add additional information to confirm a transaction.

Often enough online merchants do not take adequate measures to protect their websites from
fraud attacks, for example by being blind to sequencing. In contrast to more automated
product transactions, a clerk overseeing "card present" authorization requests must approve
the customer's removal of the goods from the premises in real time.

Credit card merchant associations, like Visa and MasterCard, receive profit from transaction
fees, charging between 2% and 4% on each transaction. Cash costs more to
bank up, so it is worthwhile for merchants to take cards. Issuers are thus motivated to pursue
policies which increase the money transferred by their systems. Many merchants believe this
pursuit of revenue reduces the incentive for credit card issuers to adopt procedures to reduce
crime, particularly because the cost of investigating a fraud is usually higher than the cost of
just writing it off. But in the US credit card issuers do not take these costs;
they are passed on to the merchants as "chargebacks". This can result in substantial
additional costs: not only has the merchant been defrauded for the amount of the transaction,
he is also obliged to pay the chargeback fee, and to add insult to injury the transaction fees
still stand.

Merchants have started to request changes in state and federal laws to protect themselves and
their consumers from fraud, but the credit card industry has opposed many of the requests.
In many cases, merchants have little ability to fight fraud, and must simply
accept a proportion of fraud as a cost of doing business.

Because all card-accepting merchants and card-carrying customers are bound by civil
contract law, there are few criminal laws covering the fraud. Payment
transfer associations enact changes to regulations, and the three parties (the issuer, the
consumer, and the merchant) are all generally bound to the conditions, by a self-acceptance
term in the contract that it can be changed.

Merchants

The merchant loses the goods or services sold, the payment, the fees for processing the
payment, any currency conversion commissions, and the chargeback penalty. For obvious
reasons, many merchants take steps to avoid chargebacks—such as not accepting suspicious
transactions. This may spawn collateral damage, where the merchant additionally loses
legitimate sales by incorrectly blocking legitimate transactions.

Credit Card Fraud Prevention Tips:

1. Keep an eye on your credit card every time you use it, and make sure you get it back as
quickly as possible. Try not to let your credit card out of your sight whenever possible.

2. Be very careful to whom you give your credit card. Don't give out your account number
over the phone unless you initiate the call and you know the company is reputable. Never
give your credit card info out when you receive a phone call. (For example, if you're told
there has been a 'computer problem' and the caller needs you to verify information.)
Legitimate companies don't call you to ask for a credit card number over the phone.

3. Never respond to emails that request you provide your credit card info via email -- and
don't ever respond to emails that ask you to go to a website to verify personal (and credit
card) information. These are called 'phishing' scams.

4. Never provide your credit card information on a website that is not a secure site.

5. Sign your credit cards as soon as you receive them.

6. Shred all credit card applications you receive.

7. Don't write your PIN number on your credit card -- or have it anywhere near your credit
card (in the event that your wallet gets stolen).

8. Never leave your credit cards or receipts lying around.

9. Shield your credit card number so that others around you can't copy it or capture it on a
cell phone or other camera.

10. Keep a list in a secure place with all of your account numbers and expiration dates, as
well as the phone number and address of each bank that has issued you a credit card. Keep
this list updated each time you get a new credit card.

11. Only carry around credit cards that you absolutely need. Don't carry around extra credit
cards that you rarely use.

12. Open credit card bills promptly and make sure there are no bogus charges. Treat your
credit card bill like your checking account -- reconcile it monthly. Save your receipts so you
can compare them with your monthly bills.

13. If you find any charges that you don't have a receipt for -- or that you don't recognize --
report these charges promptly (and in writing) to the credit card issuer.

14. Always void and destroy incorrect receipts.

15. Shred anything with your credit card number written on it.

16. Never sign a blank credit card receipt. Carefully draw a line through blank portions of the
receipt where additional charges could be fraudulently added.

17. Carbon paper is rarely used these days, but if there is a carbon that is used in a credit card
transaction, destroy it immediately.

18. Never write your credit card account number in a public place (such as on a postcard or
so that it shows through the envelope payment window).

19. Ideally, it's a good idea to carry your credit cards separately from your wallet -- perhaps
in a zippered compartment or a small pouch.

20. Never lend a credit card to anyone else.

21. If you move, notify your credit card issuers in advance of your change of address.

Important RBI guidelines on credit cards for the help of customers :

1. RBI in its guidelines has advised the banks that they can issue a credit card or any other
product only after getting a customer’s explicit consent, meaning that it cannot be processed
on an implied understanding. And if by chance such a card is lost and misused, it shall be the
bank’s sole responsibility and not yours. On the contrary, if a bank rejects your application
for a credit card, it has to provide to you in writing the reason for doing so. You can also
choose the cards with options of photos, PINs and laminated signatures, as advised by RBI
to reduce the risk of stealing or misuse of cards.

2. In case you find that you are paying a higher rate of interest than your neighbor, you can
ask for the explanation regarding this from your bank – whether it’s due to your poor
payment and default history or some other reason, as banks have been advised to publicize
through their Website and other means the interest rates charged for various categories of
customers.

3. If you have always worried about the constant delays in receiving bills or statements,
expect online dispatches in future if you are not getting them already. RBI has also instructed
banks that customers are entitled to at least 15 days’ time to pay the credit card bill before the
interest begins to be charged.

4. There are very few customers who have not had to spend hours stuck to a phone to correct
a billing fault. If you have been one such discontented card-holder, RBI has provided some
respite. RBI has asked the banks to have qualified call centre staff members who can deal
with all complaints competently, and also to automatically forward the unresolved complaints
from a call centre to higher authorities.

5. In case you inform the bank that you want to close your credit card account, banks will
have to honor your request immediately. More significantly, if you’ve lost your card and
want to block it, the banks have to follow your instructions and do it the minute you inform
them, and the formalities, if any, including the lodging of an FIR, should follow within a
reasonable period of time.

Conclusion:

If one goes through the above-mentioned guidelines, one can avoid fraudulent use of one’s credit card.
Banks are now looking for more secure ways to protect their customers.
