As e-commerce continues to grow in popularity, so do the ways in which it can be used to create fraudulent financial transactions. E-commerce and phone transactions do not require a physical payment card to be present to initiate the transaction. Instead, the customer just has to give the card number and other easily obtainable information in order to complete the transaction. As a result, these types of transactions are referred to as "card not present" transactions. The need for information and not a physical card makes e-commerce an easier avenue for initiating fraudulent transactions than those which take place in a physical store.
Global financial losses related to payment cards amounted to an estimated $24.26 billion in 2017 and are estimated to reach $34.66 billion in 2022. A 2018 study from the Federal Reserve also showed that card-present fraud in the U.S. declined from $3.68 billion in 2015 to $2.91 billion in 2016, while e-commerce card not present fraud jumped from $3.4 billion to $4.57 billion during the same period.
Here is an overview of card not present fraud: what it is, how it is perpetrated and what can be done about it.
What is Card Not Present Fraud (CNP)?
Any time a customer purchases something online or over the phone, they merely have to enter their credit card number and a few other details to complete the transaction. These details may include a CVV number that is found on the back of the card, as well as their billing address. Unfortunately, this is all information that is easily obtainable now, thanks to an ongoing series of high-profile data dumps. Cybercriminals will often buy entire lists of credit card and CVV numbers, which can then be matched up to the limited amount of personal data necessary to use the number, such as a home address.
How is Credit Card Information Obtained for Card Not Present Fraud?
The reason this type of fraud is so prevalent is that many victims may not even be aware they have been victimized. Unlike stealing a physical credit card, card not present fraud only requires the perpetrator to have the card information, not the physical card. This means the victim remains in possession of their physical card and they have no idea anything has been stolen. If they were to lose their card or realize it had been stolen, they would cancel the card. Because they are unaware the information has been stolen, however, they are susceptible to becoming a victim.
There are a number of ways that cybercriminals obtain payment card information. The three most common ways of obtaining payment information are hacking, skimming and phishing.
- Hacking: Hacking is a direct attack on computer systems that contain financial information, such as retailers, restaurants, hotels, banks and service providers. The stolen data can then be sold online to other cybercriminals who then use the information to commit other types of financial crimes.
- Skimming: Skimming is the process of stealing information directly from the card itself. In some cases, skimming devices are placed on card readers in public locations, such as a gas pump or ATM. In other cases, waiters and other service staff may carry card readers and skim your card before returning it to you at your table.
- Phishing: Phishing is an attempt to get financial information directly from a consumer by posing as a legitimate credit card company or bank. In some cases scammers will send out emails warning the consumer that their account may have been tampered with and providing them with a link to the institution. The link will actually direct them to a fake site where cybercriminals will instead steal their login information. Once they have that, they can order new cards or even open up a new account.
How is Card Not Present Fraud Committed?
Once cybercriminals have payment card information, they can use it in a variety of ways.
- Recurring payments: Some organizations will initiate small, recurring payments of $50 or less that the victim may not notice for several months, if ever. In many cases, these payments may seem like a legitimate monthly payment for something like insurance, a utility bill or a subscription service. With more and more consumer information available, fraudulent businesses can mask the payment as something similar to what the individual purchases regularly.
- Cryptocurrency: While cybercriminals can use payment card information to purchase physical items, physical items have to be both shipped and picked up, which increases the potential for exposure. Cryptocurrency, however, allows cybercriminals to essentially convert credit directly into cash, leaving no digital trail.
- Gift cards: Gift cards are another form of currency that is gaining popularity in the world of cybercriminals. Whenever stolen information is used to purchase physical items online such as clothing or electronics, it increases the potential for the cybercriminal to be tracked. Gift cards, however, can be sent digitally to a fake email address within minutes or even seconds of purchase. Cybercriminals can then use gift cards to purchase whatever they want or even sell the cards themselves online. There are a number of online gift card exchange services that will purchase gift cards anonymously for up to 60% or more of the value of the card.
How To Prevent Card Not Present Fraud?
Unlike many other types of fraud, the main burden of stopping card not present fraud lies with merchants and card issuers. Merchants can use a growing variety of authentication tools to ensure the buyer is a legitimate cardholder or agent. Multifactor authentication requires buyers to verify their identity by either receiving a code sent to a verified phone number or email address or using biometric scanning to confirm their identity. Tokenization also helps prevent data theft by generating a temporary, one-of-a-kind digital identifier, or "token," rather than submitting account numbers to be stored, which can then be subject to theft. Merchants can take advantage of this protection by accepting payments via Apple Pay and other products that create these tokens and also use biometric scanning for verification.
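The tokenization idea described above can be modeled in a few lines of Python. This is an added example, not code from this article or from any payment product: the names `TokenVault`, `merchant_checkout` and the `tok_` prefix are hypothetical, the expiry window is an assumed value, and the card number is the widely used test number, not a real account.

```python
import secrets
import time

TEST_PAN = "4111111111111111"  # constructed sample: a standard test card number


def luhn_valid(pan):
    """Checksum used by card numbers; rejects typos and non-digit input."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical vault: the only component that ever holds the card number."""

    def __init__(self, ttl_seconds=300):    # assumed lifetime of a token
        self._ttl = ttl_seconds
        self._tokens = {}                   # token -> (pan, expiry time)

    def tokenize(self, pan, now=None):
        now = time.time() if now is None else now
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        token = "tok_" + secrets.token_urlsafe(16)   # random, unrelated to the PAN
        self._tokens[token] = (pan, now + self._ttl)
        return token

    def redeem(self, token, now=None):
        """Return the PAN once; unknown, replayed or expired tokens give None."""
        now = time.time() if now is None else now
        entry = self._tokens.pop(token, None)        # pop makes the token single-use
        if entry is None:
            return None
        pan, expiry = entry
        return pan if now <= expiry else None


def merchant_checkout(vault, pan, order_db, order_id):
    """The merchant keeps only the token with the order, never the PAN."""
    token = vault.tokenize(pan)
    order_db[order_id] = {"payment_token": token}
    return token
```

A copy of the merchant's order database taken in a breach contains only tokens, which cannot be replayed after first use or after the expiry window.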