General Douglas MacArthur, who led the American naval forces in WWII, once famously remarked that there is no security on this earth - there is only opportunity. MacArthur's point, that no defense will ever be impregnable, is a creed still followed closely today by identity thieves, credit card counterfeiters, and fraudsters the world over. They make their living breaching personal, corporate and bank security to steal account information, which they use to clone the victims' credit and debits cards.
The old fraud prevention model of matching the card magnetic stripe information to the name and number embossed on the card no longer works. It is in fact remarkably easy to obtain names and addresses of users to match the mag stripe. We have written extensively on the Fraud Fighter Blog about some of the more popular strategies for card user identity theft, and the subject is well worth another look to gain an understanding of the different strategies involved in identity theft and credit card counterfeiting.
One common strategy currently involves card skimmers. Fraudsters embed their own hidden card reader, called a “skimmer” on top of the actual card reader on ATMs and credit card terminals. As the photos from Krebsonsecurity.com reposted on our blog show, these skimmers can remarkably well-hidden – invisible to the casual glance, and so strongly attached that even a tug or pull, which sometimes is recommended to test for skimmers, will not dislodge it. Worse still, many of the more advanced models come with bluetooth or wireless transmitters, meaning fraudsters do not have to risk exposure by manually transferring the stolen information every time.
Other fraudsters take the high-tech route and hack through unsecured wireless networks into corporate and credit card processor servers to intercepting payment card data as it goes from the point of purchase to the issuing bank. Wireless “sniffers” that find and enter supposedly secured networks are only going to increase in popularity as both home user and corporate enterprise communications technologies move from wired to over-the-air. Worse still, hacks of this sort have a tendency to stay undetected for months and collect millions of numbers before being discovered – the largest one to date, discovered in 2009, netted at least 130 million accounts from the files of a large credit card payments processor.
And lastly, for those who want to concern themselves with the actual counterfeiting, rather than stealing the account information, it is quite simple to just go online and buy the account information from identity thieves. Some outlets sell stolen credit card numbers for the price of a lunch entree: as a former credit card counterfeiter confessed in an interview with CreditCards.com, he bought stolen accounts for $10 a pop. They can be had for even less overseas: a UK teenager arrested late last year with a laptop full of stolen credit card numbers was accused of selling them online for $4 to $5 – or even less, if they were American.
Merchants and banks would be wise to heed General MacArthur's advice and maintain a healthy dose of wariness about their security systems. They cannot stop every breach, or repel every attack. Ultimately, the only real reliable method of defending against identity fraud and counterfeits is to detect the end product, the counterfeit credit cards themselves. For all their technological wizardry, fraudsters still have found no good way of matching the UV light security features found on most genuine cards. Every detection of a counterfeit prevents a fraud event from happening, and puts all the effort the fraudsters spent into creating it to waste. That is the only way to make any progress in the war against fraud.