CREDIT CARD "SKIMMING" IS A FORM OF FRAUD that hurts consumers, wreaks havoc with merchants and costs the industry hundreds of millions of dollars every year, according to sellers of anti-fraud technology.
Visa, however, counters that this type of fraud is being controlled better than ever before and that it isn’t as much of a problem as some make it out to be.
Though they disagree on the extent of the skimming fraud, they agree that it exists and that those who are affected are hurt by it.
“The truth lies somewhere in the middle between what the card associations and [the technology vendors] say,” said Theodore Iacobuzio, Senior Analyst with TowerGroup, a research and consulting firm based in Needham, Mass.
Credit card fraud of all types is remaining relatively constant, Iacobuzio added, though there is growth in online fraud (see accompanying story).
According to TowerGroup, the fraud rate for all types of fraud in 2001 is expected to be .09 percent off all transactions, or a total of $1.6 billion, figures that have remained relatively steady for the last few years. Thirty-seven percent of those amounts is attributable to skimming.
Skimming fraud takes many forms, but most often involves a cardholder turning over physical possession of his or her card to a retail or restaurant employee, who then swipes the card through a small, illegal card reader called a “skimmer.” The skimmer copies the data encoded on the card’s magnetic stripe. This information is then used to manufacture counterfeit cards that are used to rack up illegal charges. Some estimate that the average skimmed credit card will generate some $2,000 in fraudulent charges before being detected.
According to Visa, 70 percent of skimming occurs in restaurants (ranking them number one among retail establishments). The reason is largely due to the nature of making payments — the waiter or waitress takes the card and the bill from the patron for payment. It takes only a few seconds to run the card through a “skimmer” that captures the credit card number, personal identification and any other information that is located on the magnetic stripe.
The technology to do this is available for less than $200 at typical retail electronics stores, according to Iacobuzio. Even though the technology is relatively cheap, the actual use of the information and manufacture of fraudulent cards is somewhat involved, so the skimming tends to be conducted by organized crime, rather than an unsophisticated retail employee doing everything himself.
There are more sophisticated skimming practices as well. A new and far more dangerous variant of skimming involves implanting sophisticated skimmer bugs into card payment terminals. All legacy terminals of the current installed base are susceptible to this type of attack. There is no discernible pattern toward any brand of terminal. This form of skimming attempts to wipe out the Common Point-of-Purchase (CPP), which is used today by the card associations’ neural network software to pinpoint those merchants where most skimming originates. Visa, however, is hesitant to confirm alarmist warnings about certain new skimming practices as we have no evidence that these techniques are prevalent.
Although skimming from a point-of-sale terminal is possible, Visa has found it to be the exception rather than the rule. In Visa’s experience, small hand skimmers are still the tools of choice for most criminals.
Visa still maintains that its neural networks are effective at identifying fraudulent activity. Skimmer “bugs” cannot prevent the identification of CPP because they’re largely unrelated, according to John Shaughnessy, Senior Vice President, Risk Management, Visa USA. “We’ve seen skimmed data held for extended periods of time and we can still pinpoint CPPs effectively,” he added.
The problem is much worse overseas, particularly in Eastern Europe, where merchants themselves are often operating their skimmers in their retail establishments, Iacobuzio said. In the U.S., credit card issuers will revoke a merchant’s right to accept credit cards if there are patterns of excessive fraud coming from his establishment.
Though Visa wouldn’t discuss skimming in much detail because it didn’t want to alert criminals to some of the ways they could be caught, the association centers much of its anti-fraud effort around the routine monitoring of all fraud trends including skimming and counterfeit, according to Shaughnessy. While there are no silver bullets that can stop all fraud from occurring, Visa has implemented cost-effective measures to minimize fraud’s growth over the years.
Education is vital in fighting skimming — this includes educating restaurant owners, managers and other merchants. The card associations provide educational materials (e.g., videos, booklets, etc.) to show merchants how to recognize suspicious cardholder activity, how to monitor unusual activity among employees at the point-of-sale, etc.
The associations also offer incentives for merchants to report suspicious activity. Merchants can receive up to $1,000 for information leading to the arrest and conviction of anyone involved in the manufacture or use of counterfeit cards.
This has led to the development of neural networks, databases and other technologies to fight fraud. That’s a far cry from 20 years ago. Back then, the consumer would present his or her card to a merchant, who would check the card number against a warning bulletin of lost and stolen credit cards, then call a customer service number to authorize the purchase. That marked the beginning of a weeks-long carbon paper trail of bundled credit card receipts that led through the merchant’s acquiring bank, to the consumer’s issuing bank and back again.
Basically the fact is that the practice of skimming won’t stop while the magnetic stripe cards continue to be used, according to Iacobuzio. “The only thing that will stop it are chip cards,” he said. But chip cards, also called smart cards, are in their very embryonic stages in the US.
American Express and Visa have issued a select number of chip cards, which include a computer chip that can be encrypted to prevent the type of counterfeiting done via skimmers. However, there are a few drawbacks:
- Much of the cost of adding chip card technology will be borne by merchants, according to Iacobuzio. Many merchants already operate on thin margins and don’t want to add to their overhead costs. So they won’t add terminals capable of reading chip cards until forced to by their customers. Their customers won’t seek to get chip cards from Visa, American Express, et al, until they see a value over their current cards. So Iacobuzio predicts it will be as many as 10 to 13 years before smart cards and smart card readers are as ubiquitous as magnetic stripe cards and magnetic stripe readers are today.
- The magnetic stripe won’t go away, but it will be included on the card along with the chip and the embossing, Iacobuzio predicted. Even today, when most merchants who accept charge cards have magnetic stripe readers, there are still thousands that use the “knuckle-busters,” which is why cards continue to be embossed. Even when chip cards come into play, they probably won’t stop fraud entirely. There have been new technologies over the last several years designed at least in part to deter fraud, including the magnetic stripe. But almost as soon as someone develops a new technology, someone else finds away around the security features.
ISOs can provide a customer service for their merchants, especially newer ones, by alerting them to the practice of skimming and some steps to prevent it, including preventing:
- Anyone from using a device in your workplace that is not part of day-to-day activities.
- Anyone from offering you money to record account information.
- Anyone asking for customer account information over the telephone — unless that’s a normal procedure, such as in a credit card call center.
"Online" Fraud Article