Unequal Rewards & Penalties: Do Issuing Banks Really Have Nothing to Lose to CNP Fraud?
Posted by Keegan Johnson on Wed, Aug 25, 2010
 A million small frauds equals one big take. The New York Times detailed an unusual case of credit card fraud and an injunction filed by FTC, but missed that card issuers bear the costs of fraud too. CNP fraud is a pernicious problem for merchants, cardholders, issuers, and other parties in the payment chain. |
KISS (Keep It Small, Stupid) proves an effective fraud strategy
The NY Times reported this weekend on an unusual case of credit card fraud filed by the FTC in a Chicago federal court involving more than 1 million cardholder accounts and over 100 fake merchant accounts over a period of at least 4 years. It’s a sign of how much the internet and automation have changed the fraud game, enabling massive scams by employing the KISS (Keep It Small, Stupid) Principle.
More than $10 million stolen through <$10 fraudulent charges
The suit claims that more than $10 million was stolen by placing just a single fraudulent charge for less than $10 on more than 1 million different credit and debit cards.
Card-not-present transactions (i.e. online sales) were recorded by 16 shell companies operating under more than 100 different merchant IDs.
The fake companies, set up with bogus websites and phone numbers to look real when they applied for merchant accounts, were created using stolen identities, and the money was quickly moved out of the US to bank accounts in several different east European countries.
Few complaints due to plausability of charges
The interesting vulnerability exposed is how easy it is to fly under the radar if you make everything plausible and seemingly random, and don’t do anything to stand out.
Criminals carefully set up fake companies with familiar sounding names so that nothing would stand out on the cardholder statements. By only attacking each card once, and for a small amount, it’s a safe bet that the majority of consumers didn’t even notice.
The one dumb error was posting a number of transactions for as little as 20 cents. According to the FTC, there were more complaints about the 20-cent charges than the 9 dollar ones because they appeared odd -- again, it’s about plausibility.
FTC investigates after a million transactions
There were incredibly few complaints of any sort though, because it took nearly a million transactions before the FTC had enough complaints registered to start an investigation. The lesson: KISS.
You can read the full stories here:
Average cost to card issuing bank: $15 per transaction
My main point for this article was to focus on a throwaway comment from Gartner analyst, Avivah Litan. She is quoted:
“If a credit card is physically swiped in the transaction, the bank that issued the card is on the hook for fraudulent charges. If it is a phone or Internet purchase — called a card-not-present transaction — the bank that hosted the merchant account that received the ill-gotten charges must make restitution.”
And the writer of the article draws the conclusion that because the acquiring bank is on the hook for the fraudulent charges, that the issuer has “little motivation to be greatly concerned about online fraud”.
Really? The acquirer is indeed stuck with many charges of between 20 cents and 9 dollars, since none of the merchant accounts were legitimate, but is there really no cost to issuers in this case?
On the contrary, our analysis shows that it costs the card issuing bank an average of $15 per transaction in labor and paper trail costs (getting consumers to file affidavits, issuing chargebacks, etc), plus fees assessed by the card scheme for each chargeback. More, in fact, than the maximum $10 charge that the acquirer had to eat.
Across more than 1 million fraudulent transactions in this single case, that’s over $15 million – not exactly chicken feed, and certainly not “little motivation” to seek a solution.
CNP fraud affects all parties in the payment chain
The takeaway is this: CNP fraud is a pernicious problem, and it affects, inconveniences and costs everyone involved. Merchants for sure, but also issuers and cardholders.
The $15 in overhead costs may not compare to a $500 loss taken by a merchant of electronics goods, for example, but the issuers are getting hurt on each and every fraud. Consider that if a bank the size of JPMorgan Chase could eliminate these costs, that would represent by our guesstimates a savings of $1.5 – 2.5 million annually – a savings that is pure profit to the bottom line.
I’d argue that that’s plenty of motivation for any issuer, and it is an achievable target with more industry collaboration.
And, that would be good for everybody.