Old Fraud Scheme is BackU.S. Institution, Cards Struck by European Fraudsters
International Airline Employees Federal Credit Union of Briarwood, N.Y., reported earlier this month to the National Association of Federal Credit Unions that suspicious transactions, usually for amounts ranging from $10 to $15, have been hitting IAEFCU Visa cards.
IAEFCU President and CEO John Gebhard says the fraud does not appear to involve stolen card numbers; rather, fraudsters are likely creating cards using nothing more than the credit union's bank identification number.
So far, Gebhard says, only small charges have been made in France, usually at tolls. The volume and dollar amounts are too low for chargeback rights. "The merchant in France is somehow forcing the transactions through," forcing IAEFCU to absorb between $100 to $200 a day, he says.
The toll charges, which fall below the floor limit of 40 euros (U.S. $55), appeared over two days, and have since stopped. "We're waiting to see what happens next," Gebhard says.
IAEFCU alerted its card insurer, CUNA Mutual. "Unfortunately," Gebhard says, "there is a $100 per card deductible, so all of the charges fall below that limit." He adds that IAEFCU's payments processor also has been reluctant to do much to stop the fraudulent transactions, saying institutions have to absorb small-dollar losses in cases such as this, even if fraudulent, since those losses are covered by interchange fees institutions collect.
"Apparently, the merchants have forgotten that, in the beginning, as the credit-card payment system was developed, merchants transferred fraud risk to the issuers, and interchange was meant, in part, to cover that expense," Gebhard says. "Now, the merchants want to claw that back," not a sustainable proposition for small card issuers like IAEFCU.
Outdated Scheme Resurfaces?Visa could not be reached for comment, but Mike Urban, senior director of fraud product management at FICO, says the scheme is familiar, even if a bit dated. "The scheme has been around for several years," Urban says. "I haven't seen it since the late '90s or early 2000s."
The scheme relies on online applications, commonly known as "credit master" or "credit wizard," Urban says. Fraudsters use these applications to create legitimate card numbers for a given BIN, which is easy for fraudsters to find online. "It may not be an active card number, but it could be a possible or potential card number," he says. "They then test the BIN by just running it through. It creates an algorithm."
And that algorithm is checked when a card is run through at a point of sale, before authorization of other card details such as the CVV or CVC information and/or card expiration date. At an unattended payment terminal like a toll booth, where no card authorization is required, fraudsters have a loophole. It offers the perfect opportunity to use fake cards.
"European road tolls are normally abused by networks of truckers, who know the checks performed are weak," Urban says. "The short-term remediation at the tolls is to apply blocks to ranges of invalid card numbers on the toll road hot list," assuming, Urban adds, that no legitimate cardholder in that number range could be adversely affected by the block. "The toll road hot list is checked by the merchant/acquirer before submitting the transactions. Non-matching card numbers, i.e., invalid card numbers, should not result in any settlement."
Long-term, Urban does not believe this kind of card fraud could lead to huge losses. Without more card information, big-dollar transactions cannot be authorized. But, Urban says, "Institutions should not issue card numbers in sequential ranges, which makes applications such as credit master and credit wizard less effective."