Online debit card fraud, like fraud of all types, is growing as criminals become more sophisticated, and is becoming a growing concern among merchants and consumers alike.
In the industry, online debit fraud refers to fraud with PIN-based transactions, whether they occur over the Internet, or in the physical world. Online debit card fraud has the potential to compromise the customer's accounts and, as a possible result, the merchant's business, much more quickly than other types of fraud, according to Reginald Berry, SVP for HNC Software, San Diego, Calif.
It's important for ISOs to keep merchants abreast of card fraud developments so that they can catch potential fraud at their businesses and maintain their customer relationships. Fraudulent transactions are subject to chargebacks, costing the merchant money and time.
Unauthorized charges for a credit card or a debit card could come as the result of:
- The card being lost or stolen. In these instances, it's best if the card holder contact the card company immediately, but often the user might not know there is a problem until he receives the bill and sees the unauthorized charges.
- The card is "skimmed" or copied and the person responsible somehow acquires the holder's PIN number. Credit card skimmers are inexpensive and can be hidden discreetly under a legitimate credit card terminal, enabling the cashier to quickly skim the card. He may run the card through the legitimate terminal as well, then watch the holder enter the PIN number. From there, it's a relatively easy matter to manufacture another magnetic stripe card, then use it to get cash from ATMs and to make purchases. The cost of the equipment to skim and to remanufacture the card have both come down in price, making it easy for someone to attempt this type of fraud.
Another possibility, though rare, is when an unscrupulous merchant works with a cardholder to copy the card and make unauthorized purchases at a third merchant, says John Wolf, Atlanta, Ga., a veteran of the credit card processing industry.
For example, a criminal can use a remanufactured credit or debit card, combined with a PIN, to make unauthorized purchases or to get quick cash from ATMs. Purchases can be made up to the card's limit, by the fraudulent user of cards.
In the case of using the cards to get money from ATMs, there are some advantages and disadvantages for the criminal. The major advantage is that the fraudulent user doesn't need to confront a live person. However, the bank owning the ATMs may limit the amount of cash that can be withdrawn from an account during any single transaction, or on any single day.
The problem of debit card fraud is that, unlike credit card fraud, the money for the purchase is transferred almost immediately out of a person's bank account. With a credit card, on the other hand, the bill comes about a month before payment is due, giving the user the opportunity to dispute, and, if necessary, challenge any questionable charges before paying for the questionable items.
Offline debit fraud, which also requires the fraudulent user to forge a signature, is more difficult due to the extra step though how carefully cashiers inspect signatures is certainly suspect. So, given equal opportunity, a criminal is more likely to commit online debit fraud than offline debit fraud.
"One of the major problems with online debit fraud is that there's no way to confront a customer with a signature," says Jeanne Capachin, research director with Meridien Research, Newton, Mass.
Though debit cards, like credit cards, are covered under Regulation E, the credit card issuer still has up to 60 days to reimburse consumers. The amount of reimbursement depends on when the issuer is notified of the theft or loss. If he notifies the issuer within the first 48 hours, the consumer's liability is limited to $50. If notified in more than 48 hours, but in less than 60 days, then the consumer liability is limited to $500. If notified quickly, most issuing banks historically have taken the full liability for credit cards, even though they're not required to. For signature-based cards, both card associations have zero liability policies that protect the cardholder if:
- The account is in good standing.
- The user has exercised "reasonable care"
- The user hasn't reported an excessive amount of unauthorized events (e.g., successive months of unauthorized purchases.)
What constitutes "reasonable care" isn't clearly defined, points out Jeff Green, Editor of ATM & Debit Card News. Additionally, PIN-based transactions may not be corrected as quickly as signature-based transactions. The issuer may not accept partial or full liability for the PIN-based transactions.
Again, it's the method of payment an immediate deduction from the cardholder's account that poses potential major problems. Even if the issuer reimburses the holder, it could be as much as 60 days before the money is back in the account. That's still plenty of time to be without the money. With many American's living from paycheck to paycheck, a $500 loss will mean unpaid bills, bounced checks and a negative credit rating.
The checks or automatic payments (e.g., utility company monthly payment plans) are particularly troublesome because the account could be cleaned out quickly. The owner may not know until he receives the first default payment notice, then needs to go through the challenge and wait 60 days until recovering lost funds assuming he's successful in the challenge.
Even though merchants aren't generally liable in instances of debit card fraud unless they're found to be committing the crime themselves‹ they can suffer serious consequences. In addition to the chargebacks, customers can have real or imagined concerns that the merchant was to blame for the error, and for the customer's ensuing challenges in getting reimbursement.
If the word gets out that a merchant, particularly a small one, has been the subject of widespread card fraud, consumers will avoid doing business with him, Berry added.
Steps are being taken to guard against online debit card fraud. Requesting a driver's license or another form of identification is on unobtrusive way to further confirm the identity of a cardholder. Additionally, companies provide technology that quickly identifies suspect transactions, enabling the merchant to deny immediate acceptance of an order until further verification can be made.
The card associations and vendors also offer software to merchants and processors that help them detect fraud through the use of neural networks and profiling which look for fraud trends to flag potentially fraudulent transactions.
Debit Fraud On The Internet
Fraudulent PIN-based transactions are bigger concerns in the virtual world than in the physical world.
Fraud concerns negatively affect Internet shopping demand, according to a survey conducted by Mindwave Research, Austin, Tex. Almost half of the survey respondents all merchants had an Internet and physical presence. Those respondents agreed that Internet fraud was the same or higher than brick and mortar fraud.
Survey respondents said they lost 4% of their revenue due to Internet card fraud. Individual estimates ranged from 0 to 40%. Most respondents also expect online fraud to increase.
These are some of the reasons consumers should use credit cards, instead of debit cards, to make Internet purchases. However, consumers are unlikely to use debit cards for physical world purchases and credit cards for Internet purchases.
HNC recommends that consumers "deal with reputable merchants you're familiar with. If the merchant makes an unusual number of mistakes, if the Web site has an extraordinary number of problems...don't buy there." Fraudulent debit card charges would fall under the definition of mistakes or problems.
CyberSource added that merchants walk a delicate line between reducing fraudulent transactions and rejecting valid orders. The latter, like being a known (by consumers) target of fraud, can jeopardize good will and cost the merchant significant sales.
Visa's 'Verified by Visa' program helps ensure that only the cardholder can use the card to buy on the Internet by requiring the user to enter a password in addition to the credit card number. However, not all issuers participate in the program. Additionally, passwords may add only a minor level of additional security. Passords are often relatively simple so they're easy for the user to remember so entering commonly known or easily acquired information can often get past any password protection feature.
Meridian Research, Newton, Mass., projects annual Internet fraud (for debit and credit cards to rise $9 billion by 2001 and $60 billion by 2005. In addition, a study by Datamonitor, London, found that almost 50 percent of all card fraud occurs on the Internet.