27 June 2014
Trends in Payment Fraud
SEPA, e-commerce, mobile payments and bitcoins are just a few of the many shifts and innovations that dominate the payments industry. Whenever new technologies and practices evolve, there is an ongoing battle between organisations working to adapt to the new reality and criminals trying to take advantage of early adopters who are paving the way.
To summarise, businesses should be highly aware of fraud and cybercrime when integrating new payment procedures and technologies. The above three trends should be high on the security agenda for any finance professional.
While many organisations are still focusing on SEPA compliance before August 1, this is the perfect moment for SEPA scammers to seize the opportunity. According to SEPA for Corporates, the most important threats include:
1. Trojan Horses / Malware: McAfee recently identified an incident in Germany where malware was developed specifically to target high value SEPA accounts.
2. SEPA Direct Debits: An Experian survey revealed that one third of European treasurers are worried about SDD fraud. Limited information is required to complete an SDD CORE transaction and checks are minimal. This potentially leaves room to issue a fraudulent transaction between two countries with very little intervention or notification.
3. Migrating data to IBAN: When organisations are using spreadsheets or flat files to migrate data to IBAN, there is an open security threat where cybercriminals could access these documents and change IBAN details.
4. Phishing: Fraudsters are using IBAN to lure people into entering their bank account details into fake websites.
5. XML files: In SEPA it is more important than ever to make sure that XML data are encrypted, or to prevent unauthorised changes to a SEPA Credit Transfer file. Should criminals be able to access an XML file, it is very easy to identify and alter supplier information, the amount and supplier bank details.
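As an added illustration of point 5 (not code from the original article or from any SEPA tool), the Python sketch below shows two checks a finance team can run before a credit transfer file leaves the building: an integrity tag computed when the file is approved, and a comparison of every creditor IBAN against the vendor master. The sample XML is constructed and trimmed, and the function names, the demo key and the vendor-master dictionary are assumptions made for the example.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {"p": "urn:iso:std:iso:20022:tech:xsd:pain.001.001.03"}

# Constructed sample: a trimmed pain.001-style file, not schema-complete.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<Document xmlns="urn:iso:std:iso:20022:tech:xsd:pain.001.001.03">
 <CstmrCdtTrfInitn><PmtInf><CdtTrfTxInf>
  <Amt><InstdAmt Ccy="EUR">1250.00</InstdAmt></Amt>
  <Cdtr><Nm>Example Supplier BV</Nm></Cdtr>
  <CdtrAcct><Id><IBAN>NL91ABNA0417164300</IBAN></Id></CdtrAcct>
 </CdtTrfTxInf></PmtInf></CstmrCdtTrfInitn>
</Document>"""

def seal(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 tag taken at approval time; store it away from the file."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def payees(data: bytes):
    """Return (name, IBAN, amount) for every credit transfer in the file."""
    root = ET.fromstring(data)
    return [(tx.findtext("p:Cdtr/p:Nm", namespaces=NS),
             tx.findtext("p:CdtrAcct/p:Id/p:IBAN", namespaces=NS),
             tx.findtext("p:Amt/p:InstdAmt", namespaces=NS))
            for tx in root.iterfind(".//p:CdtTrfTxInf", NS)]

def check_before_submit(data: bytes, tag: str, key: bytes, approved: dict):
    """Return a list of problems; an empty list means the file may be sent."""
    # Authenticate the bytes first, so the parser never sees a modified file.
    if not hmac.compare_digest(seal(data, key), tag):
        return ["file changed since approval"]
    return [f"{name}: IBAN {iban} not in vendor master"
            for name, iban, _ in payees(data)
            if approved.get(name) != iban]

if __name__ == "__main__":
    key = b"demo-key"  # assumption: a real key is kept outside the file share
    approved = {"Example Supplier BV": "NL91ABNA0417164300"}  # constructed
    tag = seal(SAMPLE, key)
    tampered = SAMPLE.replace(b"NL91ABNA0417164300", b"DE89370400440532013000")
    print(check_before_submit(SAMPLE, tag, key, approved))
    print(check_before_submit(tampered, tag, key, approved))
```

The tag only helps if the key and the stored tag are out of reach of anyone who can edit the file; the vendor-master comparison covers the case where they are not.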
Money laundering is not a new phenomenon. However, recently there is a new trend emerging where instead of transferring large amounts of money through various accounts, criminals are increasingly laundering smaller amounts through so-called ‘money mules’.
Laundering illicit funds in small amounts makes the activity more difficult to detect. Criminals are using large networks of hundreds of accomplices, who transfer amounts of up to 50 euros from one account to another. Don’t be mistaken, these small transactions amount to large sums. For example, 300 transactions at 50 euros each amount to 15,000 euros.
Existing payment types, like prepaid debit cards, can be of great use for micro laundering. Some online platforms (wallets) allow clients to open an online virtual account and link pre-paid debit cards to that account. Because of the international nature of these online services and the absence of identification of the account holder, it is quite easy to use a fake or stolen identity, making it impossible for an organisation to fully identify the user.
Cybercriminals abuse these services to upload money from stolen credit cards into an anonymous wallet, connect pre-paid debit cards to that wallet and withdraw cash anonymously from an ATM, or pay for goods at a Point of Sale terminal. With this money, usually easily transferable goods are purchased (examples: jewellery, popular consumer electronics).
Another example of a money laundering channel is Bitcoin exchangers. Because Bitcoin is a cryptocurrency and is therefore inherently anonymous, it is quite vulnerable to abuse by cybercriminals.
Figures recently published by the ECB show that card fraud increased in 2012, for the first time since 2008. This trend is mainly driven by higher Internet fraud. Card fraud now represents 0.038% of a total of €3.5 trillion in transactions; the total value of fraud increased by 14.8% in 2012 compared to 2011. Some 60% of the value of fraud resulted from card-not-present (CNP) payments, i.e. payments via post, telephone or the internet, while roughly one-quarter resulted from point-of-sale (POS) terminals and about one-sixth from automated teller machines (ATMs).
It seems that most organisations do not have enough precautionary arrangements in place to prevent new fraud methods. According to a Verizon report, cyber security has hardly improved over the past few years.
New technologies bring new opportunities. This is true for everyone, including (unfortunately) those who seek to abuse the vulnerabilities that come with it.
Compliance with security standards alone is not good enough. These standards often lag behind the holes criminals have already found in the payment chain. Before we implement new payment products, we should also ask ourselves what open doors they leave for criminals to walk into.