Types of Fraud

Stolen Card Fraud

When a card holder loses or has their credit card stolen, it is possible for the thief to make unauthorized purchases on that card up until the card is cancelled. Businesses that accept credit cards are not permitted to request supplemental ID from the cardholder, unless the credit card is not signed. A thief can potentially purchase thousands of dollars in merchandise or services before the card holder or the bank realize that the card is in the wrong hands. Self-serve payment systems such as gas stations are also highly prone to accepting a stolen credit card, as there is no verification of the card holder's identity, however many stations are trying to prevent this by adding a check requiring the user to key in a zip code. The zip code must match the code registered to the credit card or the transfer will fail.

Account Takeover Fraud

Fraud perpetrators call in and impersonate actual cardholders using stolen personal information. They have the address and other information of the cardholder changed to an address they control. Additional cards and possibly PIN mailers are requested and issued to the new address and used by the fraudsters to make purchases and/or obtain cash advances.

Sometimes the fraudster will attempt to add themselves or an alias that they control as an authorized user to the account in order to make it easier to commit the fraud.

Credit Card Mail Order Fraud

Using a stolen credit card number, or computer generated card number, a thief will order stolen goods.


Skimming is the theft of credit card information by a dishonest employee of a legitimate merchant, manually copying down numbers, or using a magnetic stripe reader on a pocket-sized electronic device. Common scenarios for skimming are restaurants or bars where the skimmer has possession of the victim's credit card out of their immediate view. The skimmer will typically use a small keypad to unobtrusively transcribe the 3 or 4 digit Card Security Code which is not present on the magnetic strip.

Many instances of skimming have been reported where the perpetrator has put a device over the card slot of a public cash machine ( Automatic Teller Machine ), which reads the magnetic strip as the user unknowingly passes their card through it. These devices are often used in conjunction with a pin-hole camera to read the user's pin number at the same time.

To prevent Cards in countries such as the UK are issued featuring a smart chip with public key encryption. The chip cannot be copied, but the card number, expiry date and security code can be, and this set of data is often sufficient to use the victim's credit card account for fraudulent purposes with so-called "card not present" transactions, e.g., manual input, over the telephone or internet.


Carding is a term used by fraudsters for a process they use to verify that sets of stolen credit card data are still valid. The fraudsters will present each set of credit card details in turn on a website that has real-time transaction processing, making a purchase for a very small monetary amount so as not to use up the card's credit limit, and so as not to attract the attention of a human reviewer to the transaction.

Often, an online donation site for a charity is used instead of an eCommerce merchant, since there is no need to find an item of a suitable price to put in the virtual shopping cart, nor to supply shipping details. The carder may do this manually with a web browser, or may write automated software to interface to the website's checkout or billing forms.

In the past, carders used to use computer programs called "generators" to produce a sequence of credit card numbers, and then test them to see which were valid accounts. However, this process is no longer viable due to widespread requirement by internet credit card processing systems for additional data such as the billing address, the 3 to 4 digit Card Security Code, and/or the card's expiry date. Nowadays, carding is more typically used to verify credit card data obtained directly from the victims by Skimming and Phishing.

A set of credit card details that has been verified in this way is known in fraud circles as a phish. A carder will typically sell data files of phish to other individuals who will carry out the actual fraud. Market price for a phish ranges from US$1.00 to US$50.00 depending on the type of card, freshness of the data and credit status of the victim.

No comments: