Credit Card Fraud and Security
© 2009 FrontLine Security (Vol 4, No 3)

In July, two rookie police officers of the Edmonton Police Service spotted a car with stolen license plates and pulled it over. As they searched the vehicle, the officers found 80 illegal credit cards as well as drugs and fake driver licenses. The occupants, a man and woman, were arrested. A search of their rented condominium turned up more than 1,000 credit cards in various stages of creation, a credit card imprinter, a counterfeit Canada Post key and stolen computer equipment.

The following month, Winnipeg police discovered a million-dollar credit card fraud in the making while investigating a vehicle break-in. The B.C. man who rented the car tried to flee in a taxi but was caught. A search of his hotel room uncovered hundreds of counterfeit credit cards, a skimming device (used to extract account data from the magnetic strip on credit and debit cards), laptop computers and thousands of dollars worth of gift cards. The Vancouverite was charged with illegal possession of credit card data and possession of goods obtained by crime.

A lucrative ‘industry’
The incidents in Edmonton and Winnipeg are recent examples of the multi-million-dollar problem of credit card fraud in this country. According to the Canadian Bankers Association, in 2008 “financial institutions reimbursed to their Canadian credit card customers more than $400 million, representing the losses these customers suffered as a result of criminal activities.”

According to the 2009 Report on Organized Crime in Canada by Criminal Intelligence Service Canada (CISC), “the bulk of credit card fraud losses are attributed to counterfeiting and fraudulent purchases, suggesting an increase in organized criminal operations.” Comprising a network of some 380 law enforcement agencies, and chaired by the Commissioner of the RCMP, CISC “facilitates the timely production and exchange of criminal information and intelligence within the Canadian law enforcement community.” The Director General is OPP Inspector John Sullivan.

Hi-tech Bad Guys
People committing credit card fraud use advanced technologies that are generally not difficult to acquire. Electronic swipe units that read the data on a magnetic strip can be bought online for as little as $275, including software and a USB connector cable. For $80 more, a unit that not only reads data but also writes credit or debit card information to a magnetic strip can be purchased. Card printers vary in quality and cost, ranging from $900 to $10,000 or more.  

Detective Bob Watch, of the Newport Beach Police Department in California, explained the process of creating a counterfeit credit card in an interview with Wired Magazine in December. “The first step is to get a high-quality image of the front and back sides of a credit card,” he said. High-resolution scanners are available at electronic retailers for less than $350.

“The images then need to be printed onto a white plastic card,” Detective Watch explained. “Credit card printers use the three primary colours and print each image directly on the card.” Criminals can order sheets of credit card holograms from companies in India, China or other parts of the developing world. Another option is to learn to make holograms themselves – instructions are online, and hologram equipment retailers market their products over the Internet. It’s not too hard to find companies that provide criminals with the special ink used on credit cards to pass a blacklight security check.

Stamping machines – used to attach a hologram to a printed plastic card – are available in North America and abroad, as is integrated embossing/foil-application equipment. A print wheel in the embossing part of the machine adds a stolen credit card account number, “valid from” and “good thru” dates (or just the expiry date, depending on the type of card), and cardholder name. The applicator portion adheres silver-coloured foil to the raised characters.

“There are enough people out there who know how to do this that it’s a serious problem,” said Detective Watch, pointing out that criminals with hi-tech card-making equipment typically diversify by manufacturing fake driver licenses and other illegal pieces of identification.

Computer Threats Abound
According to Statistics Canada, “total private and public sector Internet sales [in 2007] hit an estimated $62.7 billion, up 26% from 2006.” Even during the economic decline of the past year and a half, billions of dollars of online transactions have occurred each month. To pay for items and services bought over the Internet, customers use credit cards, transfer funds from accounts via financial institution websites, or pay using online services such as PayPal. Such transactions involve typing in credit or debit card or bank account information.

A type of malicious program, or “malware,” used in credit card and other types of fraud is a “keylogger.” This software installs itself onto a hard drive without the computer owner’s knowledge and records keyboard strokes to files. Keylogger software, a type of “Trojan horse” malware, comes from infected program downloads or e-mail attachments, websites containing executable content (as a Trojan horse in the form of an ActiveX control), application exploits (flaws in a web browser, media player, messaging client or other software which can be exploited to allow installation of a Trojan horse), and social engineering (as when a hacker tricks a user into installing a Trojan horse by communicating with him/her directly).

Another type of malware is screen logger software, which takes “snapshots” of what the computer user sees (such as the payment webpage of a retailer’s website). Keylogger and screen logger Trojan horses typically contain remote access programming, which secretly transmits data from the target computer to a remote location such as an e-mail address, FTP account, or wireless receiver.

Phishing is yet another illegal method used to steal credit card information. Electronic communications such as e-mails are sent by criminals masquerading as trustworthy entities such as social or auction websites, online payment processors, or corporate information technology administrators. Experienced phishers set up multiple webpages through various website host countries to avoid detection. Their intent is to use one website to capture as much information, such as credit card or personal identity data, as possible in a short period and then move quickly to another site. In many cases, a phishing attack can last for weeks or longer as perpetrators register hundreds of fraudulent websites and quickly abandon them and move on.

According to Kevin Joy, vice president of Toronto-based BrandProtect, detecting and countering phishing threats has become complex and resource-intensive. “It requires sophisticated tracking capabilities,” says Joy. “Many larger financial institutions have the infrastructure and monetary resources to deploy sophisticated fraud detection systems to deal with these attacks. Community banks, however, are finding it increasingly challenging to keep up.”

Data Theft in the Skies
Since last year, major airlines have been offering wireless service on their jetliners, giving passengers Internet access and the ability to send and receive e-mails and use their Blackberry or other digital assistant while cruising at altitude. Payment for the service requires a credit card. Hackers in aircraft, as well as airports, hotels and other locations with a WiFi network, eavesdrop on wireless transmissions looking for valuable “nuggets” of information to steal.

Travellers using wireless laptops, smartphones and other electronic communication devices typically do not realize that hackers can monitor such electronic communications with relative ease. In November, reported that “Wireless networks are some of the most easily hacked. A moderately skilled hacker needs only a couple of minutes to crack a network’s key with an off-the-shelf wireless card.”

Even hardwired computer networks of major organizations are vulnerable to hacking. In June 2007, one of the Pentagon’s e-mail servers was hacked and 1,500 military computers had to be taken offline for a week while vulnerable points were identified and extra protection added.

In mid-August 2009, an American and two Russian computer hackers were charged by U.S. authorities with stealing 130 million credit and debit card numbers. The data was illegally obtained using sophisticated “sniffer” programs installed on the computer systems of Heartland Payment Systems (a bank card payment processor), 7-Eleven, Hannaford Brothers Co. (a regional supermarket chain), and two unidentified national retailers. The criminals hacked into the systems and installed programs to capture payment data, erase files after valuable information was transmitted, and evade detection by anti-virus software. The U.S. Justice Department said the case was the largest hacking prosecution in its long history.

Credit Card Security Features
Credit card fraud has grown enormously since the 1950s, particularly in the past 30 years of increasing corporate and personal computer usage. Credit card companies and financial institutions work hard to stay ahead of new and evolving threats. Part of their work includes new security features to reduce illegal transactions. For example, more credit card companies are issuing “Chip and PIN” cards. A chip on the card securely stores encrypted information such as the cardholder’s account number and Personal Identification Number (PIN). Instead of signing a chit to complete a payment transaction, cardholders enter their PIN, which can be changed.

It has become commonplace for merchants doing online, over-the-phone, or mail order business to require customers to provide their three-digit security code (on the back of the credit card), and verify their address. If the buyer does not provide the code, or the address in the database of the credit card processing company does not match the one provided, the transaction is declined.

Mastercard and Visa recently introduced a holographic magnetic strip on their cards. The holomag shows continuously-linked, 3-dimensional Mastercard globes or 3-D Visa doves that appear to be flying. Visa has gone even further by introducing a new signature panel and micro text on the back of its cards. The panel contains blue and gold horizontal lines and an ultraviolet element that repeats the word “Visa.” On the holomag, “Visa” in micro text is displayed in several locations. These new security features are effective when cardholders pay in-person, but not online. Vulnerabilities still exist and criminals will no doubt strive to exploit them.

Credit card fraud has been an unfortunate reality for more than half a century and will probably be with us for many years to come. Worldwide e-commerce is expected to reach $675 billion by 2014, making credit card fraud a very attractive source of income for organized crime. Police forces, governments, financial institutions, businesses and individuals must continue to be vigilant to thwart the illegal use of credit card information.  

Blair Watson is a freelance writer based in British Columbia.