Posts Tagged ‘CNP fraud’

The importance of card not present fraud is growing as more commerce moves online. The major card networks have reacted with systems to control the risks but the coverage of these defences is still limited. However, since chargeback rules generally protect the issuer from direct fraud losses it is common to see efforts to control this type of fraud being de-prioritised.

But the cost of fraud doesn’t only include direct, financial losses; the full impact of card not present fraud can only be seen when indirect costs are also considered. These indirect costs are both financial in nature as well as reputational. The indirect financial costs of card not present fraud include the cost of replacement plastics, the cost of the admin staff needed to manage chargebacks, the cost of funding the charges until the refund is received, etc. Reputational costs, on the other hand, are incurred when customers are inconvenienced by the forced closure of their accounts and the re-issuing of new plastics.

Both of these costs are relatively minor when card not present fraud happens on an irregular and fairly random basis. Most customers understand that fraud does happen and will not be too upset if the bank contacts them to replace a card once fraud has been detected, unless they have incurred a financial loss in the process (unlikely on credit cards if there is a decent detection system in place due to the delay between transactions and payments but fairly common for debit cards).

However, both types of indirect costs can be significant if the card issuer finds themselves under attack from a persistent fraudster. Due to the electronic nature of card not present fraud, a common weakness in the card issuing process can be exploited to make this a realistic threat. That weakness is the sequential issuing of card numbers.

Credit card numbers conform to a certain format in order to convey the specific information needed to enable international interoperability. One key part of this universal format is that the numbers are all validated by the Mod 10 check. I’m not going to discuss the mechanics of that algorithm here, the only important take-away is that it uses all the previous numbers in a fixed way to set the final number in the credit card sequence. So, working backwards it is possible to calculate whether any purported credit card number is a potentially valid one. I say ‘potentially valid’ because the algorithm cannot establish whether this number has been issued, just that it conforms to the pattern.

Unfortunately, this does not just enable international commerce it also enables fraud. If a fraudster wants to create potential credit card numbers they need only use this algorithm and a bit of basic knowledge about the other numbers to do so.

The numbers created have one major gap though, that stops them being useful – they don’t have an expiry date. Note, they also don’t have the 3/ 4 digit CVV number but not as many online transactions validate this. Without the correct expiry date the fraudulently created card number will not work, even if it matches an existing open account. Fraudsters can use trial-and-error in an attempt to establish the correct expiry date for a given number but multiple incorrect attempts will usually trigger an alert at the issuer and since there is no way for the fraudster to know for sure that such a number actually exists, the process can be interminable. As a result, card not present fraud using created numbers is not usually a major problem.

Unless card numbers are issued sequentially that is. A typical 16 digit credit card number may appear a random selection of numbers at first but as I mentioned they conform to a standard format. The first few digits identify the card network and issuing bank, the next few digits are usually used by that issuer to identify the sub-product while the last six to eight digits before the final check digit remain available for any use and it is these digits that are sometimes issued sequentially.

In an example I have seen before, the last six digits were split in two and issued sequentially so that the first card issued in a new product would end 001001X where X was the check digit, the next one would end 001002, the thousandth card would end in 002001X and so on.

This system had been used for years without problem until a specific online attack revealed its inherent weakness. A fraudster need only find one match between a valid, issued card number and its expiry date to be in the position to create the next card in the sequence knowing full well that the expiry date was almost certain to be the same. They could continue this process until the expiry date no longer worked in which case they could assume with much certainty that the expiry date had now moved up by one. So, be it through chance or trial-and-error, if a fraudster knows that card number XXXX XXXX XXXX 123X expires in May 2012 then they can be sure that card number XXXX XXXX XXXX 124X does too – using the Mod 10 algorithm to calculate the new check digit being the only other required step.

This knowledge allows the fraudster to create thousands of credit card numbers with a high probability of validity (around 80% once closed accounts, re-issued numbers, etc. are taken into account) and to use these for a large-scale attack. It is under such an attack that a card issuer can suffer significant financial and reputational costs. In the case I alluded to earlier, the premium card portfolio had been compromised in this manner and at one time cards were being compromised so quickly that some affected customers were contacted were issued new plastics only for those to be compromised too before they had even been delivered. Given that this was the premium card product it is easy to see how large the reputational costs were despite actual financial losses being insignificant.

To prevent a repeat of this situation, the issuer in question switched to randomised numbering thus breaking any logical link between the card number and its expiry date. In the new system batches of ten thousand numbers were created at a time, ordered randomly and then assigned in that order. At the same time there has been a drive to increase the coverage of Visa and Mastercard’s respective online fraud defence tools and to use the CVV code in online authorisations – something which had not been technically possible in the past. Both of these other projects address the same problem and so, to the extent that they’re implemented, will negate the benefits of random number issuing. However, where they are not widely used, random number issuing remains a low-tech but pro-active defence.


Read Full Post »