Fighting Credit Card Fraud

Banks in Latin America and the Caribbean are losing the battle against credit card fraud, particularly the old fashioned, low-tech variety, where employees and vendors are typically the culprits.

John Price , Miami

In August this year, an extraordinary case of identity theft and credit card fraud came to light in the United States.  It involved 130 million credit and debit card numbers stolen between 2006 and 2008. According to government investigators, the culprits, including 28 year old master hacker Albert Gonzalez, infiltrated the computer networks of Heartland Payment Systems – a leading credit card payment processor – and several major retailers. The case focused attention on the increasingly complex cyber war between criminals and the credit card industry, and will likely spur new firewalls, new state-of-the-art software solutions, and more IT security consultancies.

Although such a response is necessary – the fastest growing forms of card fraud are of the high-tech kind – mature market banks and their IT security teams are winning this war.  In percentage terms, credit card theft rates in the U.S. and Europe have steadily declined over the last decade.  Banks in emerging markets, however, continue to lose their battle with credit card fraud, particularly the old fashioned, mundane, yet ultimately more costly type.

In 2007, card fraud globally took in an estimated $5.5 billion. It’s a startling number, but just 0.05 percent of the total card transaction volume, 2.0 percent of what card companies charge for their services, and an even smaller fraction of what issuers earn in interest and fees from customers.

While card fraud losses are a mere pin prick for U.S. card issuers, losses in emerging markets are far more substantial.  In Brazil in 2008, according to Kroll’s analysis, card fraud reached an estimated $300 million, or 0.15 percent of the total transaction volume – three times the global average and five times the U.S. average of 0.03 percent. In Colombia, where banks are arguably less sophisticated than in Brazil, losses approach 0.25 percent of total card volume or eight times the U.S. average.

This year’s annual Latin American Tarjetas y Medios de Pago (Cards and Payments Systems) conference, held in Miami in July, attracted leaders from the region’s burgeoning card industry.  At one workshop, about 50 participants recounted their most recent fraud war stories.

One Brazilian bank’s outsourced ATM maintenance supplier had inserted data stripping devices to copy pin numbers and other bank data from cards used in the machines.  A retailer in Colombia explained how corrupt employees had installed devices at the register to copy data from swiped cards and sell it for the production of cloned cards.  One Caribbean bank – a leading issuer – explained how members of its own IT department had downloaded card holder identities from its computers.  A Mexican bank described how its ATMs were being ripped out of walls by forklifts, after which the computers inside the machines were hacked and the numbers stolen.

What these stories highlight is that most of the fraud was committed by employees or vendors. Moreover, all the guilty parties had some criminal record that had not been discovered in the internal background checking process of hiring or contracting.  In the case of the “smash and grab” forklift theft, the surveillance equipment and systems were not functioning, victims of budget cuts.  The most galling conclusion reached by seminar participants was how preventable most of these episodes were.

While the arms race between hackers and IT security may involve strategies incomprehensible to most card industry decision-makers, issuers and processors can prevent the majority of frauds by following disciplined protocols in areas such as third-party administered background checks, due diligence on key vendors, the handling of sensitive data, and third-party audited IT security. Furthermore, a regular, external vetting of operations for vulnerabilities will help root out the largely internal sources of fraud. High-tech defenses alone cannot beat low-tech crime. 

The author: John Price ( jwprice@kroll.com )is a Managing Director of Business Intelligence in Latin America and a leading case manager on political risk investigations throughout Latin America.

Note: A version of this article appears in Kroll’s annual Global Fraud Report. To view or download the full report, visit http://kroll.com/about/library/fraud/