
Credit Card fraud on the Internet


terah

Presentation Transcript


  1. Credit Card fraud on the Internet

  2. “But we already solved this” • The engineer, the physicist and the computer security guru

  3. CC Fraud • The myth • The reality • Who gets hurt?

  4. The myth • Wily hackers stalk cyberspace, sniffing packets and assembling them to get your credit card number so they can steal from your account • The customer loses money

  5. The reality • Inadequate narrative • Kids making up numbers • Repudiation • The merchant loses money

  6. The CC system • Designed for retail • Adapted for Mail Order • Adapted for Phone Order • Adapted for Net Order • A bridge too far

  7. Inadequate narrative • I bought some stuff from Starship • I got a CC bill (no invoice) • Two months later, I got another bill • From American Computer Products • Who are they???

  8. Adequate narrative • Merchants should be given 120 characters for narrative • Carried through to the statement • So the customer knows what it’s for

  9. Kids making up numbers • To buy software • To buy access • To buy music CD Roms (www.MP3.com) • To buy other virtual goods/services

  10. Making up numbers • Six digit bin number • Any nine digits • Luhn check (mod 10) • Why is it so easy? • Because the banks don’t see the cc number as a password, they see it as a username (account number)

  11. Creditmaster • 4000 13 AT&T Universal • 4013 … Baltimore Bank • 5100 … Southwestern States • 5172 … First Bank Card Center • 5419 87 • etc

  12. Creditmaster • I phoned up the 4013 bank • Told them about it • Gave them a dozen examples • They don’t seem to see it as their problem • They don’t care

  13. Chargebacks • Merchants have no defence • Imagine you sold a newspaper for £1 • Two weeks later, the customer comes back • Takes £1 out of your till • You watch, and wonder why this is allowed

  14. Chargebacks • Or nine months later ...

  15. Chargebacks • Merchants need non-repudiable transactions • Technically easy • Whoever does it first, will become the currency of the internet

  16. Non-repudiability - the NR-card • Limit liability up to £50 • If you lose your money, tough luck • Just like losing £50 in your wallet • Merchants will offer deals that persuade customers to use the NR-card

  17. Non-repudiability - the NR-card • Merchants will prefer them - no chargebacks! • “NR-price, 25% off!” • “Free gift if you buy with NR” • So customers will prefer them too

  18. Non-repudiability - the NR-card • NR-card comes with a CD Rom. • CD Rom has dual key cryptosystem and your two keys • The CD Rom becomes your digital signature for that card • I don’t need to tell you folks what’s on that CD Rom!

  19. But that’s the future • What about now? • We’re stuck with a CC system designed for retail. • We have to do the best we can with what we have

  20. Risk management • Get a lot of detail from the customer • Name, address, post code, etc • Name of issuing bank • Customer support number

  21. Risk management • Check the country he’s from, against the IP address • Check the Zip code against the state • Check the phone number against the location • Check for creditmaster numbers

  22. Risk management • Check the bank name • Check the bank support number • Buy the $5000 list of bank names/bin numbers • Or make your own

  23. Risk management • Offer a high-price option that no-one should ever want … • … except someone who doesn’t care how much he’s spending

  24. Risk management • When you get a fraud, don’t give a refusal to the customer • Say “Hello, Mr Customer, here’s what you ordered …” … • “… there might be a slight delay …” • “ … please be patient …” • “ … you’ll get it within 48 hours …”

  25. Risk management • “ … we’re doing the best we can …” • “ … due to a computer crash, there will be a slight delay …” • “… the recent problems in New Orleans has meant …” • “ … we value your custom and thankyou for being patient …” • “ … your business is important to us”

  26. Risk management • I call this the “inefficient bumbler” • The grammatical mistakes are to make it look more authentic • Many companies do this anyway, so he won’t realise he’s getting a run-around

  27. Risk management • Why? • Well, if you say “That card was no good, please try again …” • What do you suppose he’ll do?

  28. Risk management • If you can, give him something a bit like what he ordered • But which doesn’t work very well (slow, or less functionality) • Since you won’t be billing his card, you aren’t defrauding him • He’ll stop trying to defraud you

  29. Authorisation • What most people think is “It doesn’t guarantee payment, it only checks that there are sufficient funds in the account” • This isn’t quite correct

  30. Authorisation • In fact, if it’s outside the UK, auths go through Visa-net • If the amount is small, Visa-net can just check the first six digits (bin number) and the modulo • Whoopee.

  31. Authorisation • So, authing doesn’t give the merchant the risk reduction he thought it did • But it can lead to higher costs, via referrals • Here’s how

  32. Authorisation • Authorisation eq “Go ahead, bill” • Decline eq “No way, Jose” • Referral eq “Maybe. Phone us up and we’ll talk about it.” • This takes 5 to 10 minutes, and requires two people • This is the “Modern Electronic Credit Card System”

  33. Referrals • One-in-N; banks choose one in three or one in 20 and do a referral • If you have a lot of customers, then you’ll get a lot of referrals • Each referral is 5-10 minutes, two people

  34. Referrals • Why wasn’t this a problem before? • Because merchants had floor limits • Below the floor limit, no need to auth • With the “Modern Electronic Credit Card System” all billings must be authed. Even $1.00 • Even though authing doesn’t ensure that the card even exists!

  35. Referrals • When the amount is $10, the bank gets $0.40. Can they hire people for £1.50 per hour? • The current system for internet commerce in the UK is about to break down

  36. Chargebacks • Visa is about to introduce penalties for chargebacks • If you exceed 5%, you pay $100 per chargeback • The current system for internet commerce in the UK is about to break down

  37. So where will it go? • To wherever the business requirements are met. • Probably the US. • Bye bye, Tony

  38. Credit Card fraud on the Internet

  39. Questions ?
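
An added example (not from the presentation) of the merchant-side checks listed on slides 20 to 22, together with the mod-10 check from slide 10: it shows a number passing Luhn and a BIN lookup while the supporting detail still flags the order. The function names, tables and sample orders are assumptions, and IP geolocation is assumed to happen upstream and arrive as `ip_country`.

```python
# Added example: merchant-side order screening (slides 10 and 20-22).
# Every table entry and sample order below is constructed for illustration,
# except the 400013 BIN, which is taken from slide 11.
BIN_TABLE = {"400013": "AT&T Universal"}         # own or purchased BIN list
STATE_ZIP_FIRST_DIGIT = {"NY": "1", "CA": "9"}   # minimal sample, not a full map

def luhn_ok(pan: str) -> bool:
    """Mod-10 check over a 16-digit number (6-digit BIN + 9 digits + check digit)."""
    pan = pan.replace(" ", "").replace("-", "")
    if len(pan) != 16 or not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def screen_order(order: dict) -> list[str]:
    """Return risk flags; an empty list means no check objected."""
    pan = order["pan"].replace(" ", "").replace("-", "")
    if not luhn_ok(pan):
        return ["luhn_fail"]      # typo or garbage; nothing else is worth checking
    flags = []
    issuer = BIN_TABLE.get(pan[:6])
    if issuer is None:
        flags.append("unknown_bin")
    elif issuer.lower() != order["claimed_bank"].strip().lower():
        flags.append("bank_mismatch")   # customer could not name the issuer
    if order["billing_country"] != order["ip_country"]:
        flags.append("country_mismatch")
    expected = STATE_ZIP_FIRST_DIGIT.get(order.get("state", ""))
    if expected and not order.get("zip", "").startswith(expected):
        flags.append("zip_state_mismatch")
    return flags

# Constructed orders: same Luhn-valid number, different supporting detail.
GOOD = {"pan": "4000 1300 0000 0007", "claimed_bank": "AT&T Universal",
        "billing_country": "US", "ip_country": "US", "state": "NY", "zip": "10001"}
MADE_UP = dict(GOOD, claimed_bank="First National", ip_country="GB", zip="90210")

if __name__ == "__main__":
    for name, o in (("good", GOOD), ("made_up", MADE_UP)):
        print(name, luhn_ok(o["pan"]), screen_order(o))
```

Both sample orders carry the same Luhn-valid number, so the checksum alone cannot tell them apart; only the cross-checks against the customer's own details do.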
