Blog: Emerging Trends in Prepaid Card Fraud
By Lori Breitzke, E&S Consulting LLC
It’s no secret that measuring prepaid card fraud continues to be a challenge, but no matter what the actual numbers are, industry insiders need to be vigilant, dedicating resources to keep up with the latest schemes and best fraud prevention practices as they evolve. Fortunately, some of the most important practices that can mitigate prepaid card fraud risks are surprisingly simple to implement.
Skimming
Consider the tried-and-true scheme of skimming magnetic stripe cards. Thieves steal card packages from prepaid card malls, remove the cards, skim the mag stripes and put the cards back. An unsuspecting consumer then purchases and activates the card, while the thieves repeatedly check online to determine when one of the cards whose data they’ve skimmed has been activated.
Thieves typically perform these checks with bot malware, running software that uses an auto dialer or enters card numbers on a Website every few minutes to check the account activation status and balance. Checking activations this frequently enables thieves to exploit the period of time between when the card is activated but before the customer uses it. The thieves spend the balance by using a counterfeit card with the same mag stripe data that was skimmed. By the time the legitimate cardholder goes to spend the money he thought was on the card, the account is empty. This scheme can be cost effective only if thieves are doing this on a large scale.
Fraudsters continue to demonstrate creativity and aptitude at exploiting even the most subtle vulnerabilities. |
Processors have gotten wise to this skimming trick. They now consider repeated value checks a red flag for fraud for an unactivated card. Once a processor determines there are too many value checks, it doesn’t allow the card to be activated.
But, if the fraud is successful, the burden falls on the consumer to prove he actually paid for the card, typically by showing a receipt. If the consumer doesn’t have the receipt, the money on the card is lost to him.
The practice of shutting down a consumer’s prepaid card account when it receives too many value checks is an important layer in prepaid card fraud prevention, but it isn’t enough. A multi-layer approach should be implemented that includes fraud prevention practices that occur far earlier in the life of a prepaid card to reduce potential negative consequences for legitimate consumers. Tamper-resistant packaging, while costly, is an important frontline defense against skimming fraud. This kind of packaging, however, is only effective if sales clerks are trained to identify signs of tampering and understand they never should activate cards that show signs of tampering.
Fake Barcodes
These same frontline layers of prevention also help mitigate the risk of prepaid card fraud involving fake barcodes. In this scenario, thieves apply barcoded stickers over the genuine barcodes of prepaid cards in-store. When a sticker is scanned, it redirects activation to the thief’s blank card, rather than activating the card the consumer is purchasing. If this fraud happens, the consumer gets a card that is not activated, which he will discover only after he attempts to use the card. To recover the money, the consumer must show his receipt to prove he paid for activation. Without a receipt, the money and, potentially, a happy customer, are lost.
Once again, tamper-resistant packaging and well-trained sales clerks could prevent or significantly reduce this form of fraud. If a sales clerk notices a prepaid card package shows signs of tampering or that a sticker has been placed onto the package, the card should be destroyed before activation is attempted. Unfortunately, fake barcode stickers can be difficult to identify visually.
Another layer of prepaid card fraud prevention to combat fake barcodes is to implement a simple dual-scan process during activation. During activation, the sales clerk scans the window that shows a number imprinted on the plastic card. Then, the clerk keys in the code printed on the prepaid card packaging. A mismatch flags the possibility of a fake barcode. This mismatch would result in rejecting the activation request and prompting management to check its prepaid card inventory to determine if fake barcode stickers or other tampering has occurred with other cards.
Cyberattacks
Cyberattacks on and breaches of retailers’ databases—think Target, Nordstrom, Michaels and P.F. Chang’s China Bistro, to name a few—have been a point of entry to prepaid card fraud. There’s no way for the hacker to tell if a stolen card number represents a credit card account or a prepaid card account. Hackers take the stolen card numbers and, depending on the extent of other information received, create fraudulent “white” cards to be used at the POS. These perpetrators also take stolen credit card numbers and use them to pay for gift cards.
One problem all issuers have in common when addressing this type of scheme is that many online merchants simply do not have proper checks in place, making it easier for fraudulent card numbers to be used in cyberspace. These checks include not only collecting the CVV2 and billing address information during the purchase, but also sending the CVV2 check and/or address verification information in the authorization request and responding to declines by taking appropriate action, such as withholding shipment of the product purchased.
While issuers do receive lists of stolen card numbers and can decide whether to block or reissue them, the latter can be an expensive proposition, especially for network branded prepaid cards, where margins are slim and cards may be used only once or twice. So, rather than bear the expense of reissuing all cards involved in a breach, issuers often flag less lucrative accounts and reissue only after the account’s next use. This slow reaction opens the door to fraud, especially if fraudsters have a prepaid card number and an online store isn’t performing the best practices for fraud prevention mentioned earlier.
Intermediary Accounts
One practice used since the start of prepaid cards is falling by the wayside to close a window to fraud—the use of intermediary account numbers to load prepaid cards via cash. Prepaid cardholders go to a retail location and purchase an intermediary account sold in the form of a cardboard chit hanging at a prepaid card mall. After purchasing the intermediary account, the prepaid cardholder must move the funds from the intermediary account to his actual prepaid card account by calling a phone number. This loading process started because there was no direct connectivity between prepaid cards issuers and retailers.
Fraud occurs when the prepaid cardholder is validated, but the “money-in” is not “good” money. Networks that manage prepaid cards are now implementing direct connectivity, enabling prepaid cardholders to go to a retailer and load money directly onto their prepaid card with a swipe at the POS. The prevailing sentiment holds that by eliminating intermediary account numbers and directly loading money onto cards, much of this type of fraud will be thwarted. As an added bonus, by eliminating intermediary accounts, prepaid cardholders are finding it much easier to load their cards.
Reg. E Error Resolution: Easy Pickings for Fraudsters
Many issuers follow Regulation E error resolution procedures for reloadable cards, even though they’re not required to (except for payroll cards and some types of government-administered cards). The fraudsters’ game here is to abuse the provisional credit portion of the regulation, which requires temporary redeposit of funds onto cards if a consumer dispute cannot be investigated and resolved within specific time frames, which are as short as 10 business days.
This is how it works. Fraudsters with prepaid cards dispute a transaction, receive from the issuer a good-faith credit to their prepaid card account (the provisional credit), spend the money, and never use or load the card again. Before the issuer has a chance to determine that the dispute is not legitimate and take the money back, the money and the cardholder are gone. Prepaid card issuers have no recourse in these scenarios.
It’s the temporary nature of some types of prepaid cards, such as those that are not reloadable or aren’t active, that makes the provisional credit an opportunity for fraud. With 30 different categories of prepaid cards, it’s clear that a broad brush doesn’t work when applying the provisional credit.
The CFPB has the potential to aggravate this type of fraud if it extends the provisional credit requirement to more types of prepaid cards, as it’s expected to propose in its upcoming Notice of Proposed Rulemaking for general use prepaid cards.
What’s Being Done
Target’s massive database breach, coupled with fallout from other attacks and a fear among industry players that the trend will continue, has spurred Visa to create VPCS, a prepaid clearinghouse service for aggregating and reporting on cyberattack trends. Through VPCS, issuers are notified about trends before and after they occur—a practice that increases the industry’s overall knowledge about cyberattacks and enables constituents to be more proactive in their approach to cyberattacks and, by extension, fraudulent activities that can result from them.
In other efforts to thwart prepaid fraud, MasterCard issued best practices for payroll cards, and Visa has created a new designation for general purpose reloadable cards.
These latest fraud prevention and reporting efforts are only the beginning of an ongoing contest between thieves and prepaid card industry stakeholders. Fraudsters continue to demonstrate creativity and aptitude at exploiting even the most subtle vulnerabilities. Industry insiders, therefore, must continuously share, discuss and understand new methods of prepaid card fraud as it evolves as well as the industry’s reaction to them. Only then will our ability to measure and mitigate prepaid card fraud improve.
As founder of E&S Consulting, Lori Breitzke’s commitment to “perfecting payments” has led her and her associates to be regarded as leading experts in the payments, banking, retailing and POS industry sectors. Lori is co-founder and co-chairman of the Prepaid Financial Crimes Task Force of the Network Branded Prepaid Card Association (NBPCA) and a member of the ETA Technology Committee. In 2012, Lori co-authored The Fraud-Tax Handbook, published by the NBPCA. Contact Lori at [email protected].