Credit Cards Fraud


Nasser Aldalaan (2012) Credit Card Fraud

TABLE OF CONTENTS

Summary

Introduction

Using of credit card in 2011

Types of credit card fraud

Definition of phishing

Types of phishing

Phishing through Email

Phishing through fake website

Phishing through viruses

Effects of credit card fraud (phishing)

How Visa and MasterCard reduced frauds

How to avoid phishing

Questionnaire

Conclusion and recommendation

References

Appendices

LIST OF FIGURES

Figure 1 number of cards between 2001 and 2011

Figure 2 Visa and MasterCard accounts by fraud type for the year 2001 (January to May)

Figure 3 phishing reported to APWG received between Jan 2012 and Mar 2012

Figure 4 number of phishing sites detected between Jan 2012 and Mar 2012

Figure 5 an example of email phishing

Figure 6 example of what happens after clicking on a phishing link

Figure 7 example of phishing through viruses

Figure 8 an example of card verification number

Figure 9 an example of verified by visa method

Figure 10 an example of secure connection

Summary:

Visa, MasterCard, and American Express are all types of credit card. However, with their appearance and their expansion in use globally, certain problems have appeared. One major problem is of course fraud. Business companies and organizations as well as ordinary customers who have been using these cards have faced a significant number of fraud problems. This essay will start with the number of people using these credit cards in 2011 and where they used them. Then it will explore different types of credit card fraud and will focus on one aspect, which is phishing. Moreover, this essay will explore different types of phishing, starting with phishing through email, then phishing through fake websites, and lastly phishing through viruses. Furthermore, this essay will explore the financial effects of these frauds on business organizations, and will explore a number of methods used by Visa and MasterCard, such as an address verification system (AVS), a card verification number (CVN), and a verified by visa system (VBV), and will explore how to avoid these phishing attacks through different tips. In addition, a questionnaire given to 60 people explains some facts about the subject. Consequently, suggestions, solutions, plans, and techniques have started to appear and develop.


Introduction:

With the emergence of credit cards, an increasing number of people are choosing to use them instead of carrying large amounts of cash, and their use has increased with the popularity of the Internet. In addition, Visa, MasterCard and American Express each differ in terms of the benefits and facilities they offer as major credit cards. However, since the use of these types of cards has become popular, a significant number of people and organizations are suffering from various types of frauds perpetrated, especially through the Internet, phone and email. Fraud refers to any deliberate action that leads to the obtaining of services or money through irregular methods (Kansas State University, 2012). One of the most common types of fraud is credit card fraud, which means using someone’s credit card details without their consent (Fairfax County, 2012).


Furthermore, the methods and techniques of credit card fraud have developed over the years, although the methods of prevention are also in constant evolution. Consequently, this essay will explore the various types of credit card fraud and will focus on one aspect, which is phishing on the Internet through such means as email, fake web sites or viruses. The essay will also examine and explain the effects of this type of fraud, which are commonly faced by business organizations, and will explore various solutions used to combat this fraud.

Using of credit card in 2011:

According to The UK Cards Association (2011), in 2011 there were approximately 54.5 million credit cards, 6.4 million charge cards, 86.8 million debit cards, and 17.9 million ATM-only cards, for a total of 165.1 million cards; moreover, 18.9 million individuals use their cards at least once per month in the United Kingdom, spending an average of approximately 117 pounds per week using their cards. Figure 1 shows the number of credit, debit, charge and ATM-only cards issued from 2001 until the end of 2011 and demonstrates that the highest number of credit card holders existed approximately between 2004 and 2006 and then began to gradually decline for a few reasons that will be explained in the next few pages.

Figure 1: Number of Cards between 2001 and 2011. Source: (UK Cards Association, 2011)


Types of credit card fraud:

There are different types of credit card fraud affecting companies as well as people, including using cards that have been lost or stolen, and through practices such as skimming, phishing and hacking. As shown in figure 2, a statistical study conducted in 2001 found that the most common type of fraud experienced by Visa and MasterCard was counterfeiting, which represented approximately 37% of the fraud for Visa and 32% for MasterCard, followed by fraud using stolen cards, which was 27% for Visa and approximately 31% for MasterCard (Bahtla, Prabhu and Dua, 2003). Furthermore, this research revealed that a significant number of people suffer from credit card fraud around the world, which means that it is a global challenge. Moreover, a statistical study conducted in 2003 revealed that the largest number of credit card frauds occur in Ukraine, at 19%, followed by Indonesia at 18.3%, then Yugoslavia at 17.8%, Turkey at 9% and finally Malaysia at 5.9% (Bahtla, Prabhu and Dua, 2003).

Figure 2: Visa and MasterCard accounts by fraud type for the year 2001 (January to May).

Definition of phishing:

According to Turban, King, Lee and Liang (2012), the first step to frauds through the Internet is phishing. Phishing refers to a type of fraud in which the “hacker will send e-mail to groups of people, posing as some authoritative source, and request that the recipient provide specific information” (Cross, 2008). Figure 3 consists of statistics relating to a number of phishing reports received by APWG (Anti-Phishing Working Group) in the first quarter of 2012. As shown, the highest number of reports was in February at 30,237 and that means less fraud than the all-time high of 2009, which stood at 40,621 (APWG, 2012).

Source: (APWG, 2012)

Phishing through Email:

The most common means by which fraudsters attempt to obtain credit card details are emails, fake web sites and viruses. Email phishing usually involves sending emails with attractive topics to the victim, such as “YOU WIN BMW” or “YOU WIN 1 MILLION.” In the details of the email, users are requested to open the link to provide credit card details or other sensitive information to receive the promised services or rewards. Jones (2010) points out that the peak of phishing attacks through email took place in 2004, with a monthly average of 250 thousand phishing emails in the first six months and a total of 4,500,000 in the last 6 months. According to Levinson (2012), the number of email phishing attacks recorded in 2011 was 279,580, which was a 37% increase over 2010. One challenge is when web sites such as Expedia send special offers to consumers through third parties: when customers receive them, they look like phishing emails, so this method of advertising is one that companies need to stay away from (Neumann, 2006). Figure 5 provides an example of phishing through email, with the fraudster requesting that the victim open the link below to receive a refund (Sherry, 2010).


Figure 5: an example of email phishing. Source: (Sherry, 2010)

Phishing through fake websites:

Another type of phishing involves fake websites, with the aim being to get sensitive information (such as credit card details) from the victim by selling a cheap, low quality product at an attractive price. Vahl (2009) indicates that the Metropolitan Police in the UK (United Kingdom) has taken down more than 1219 websites, because the customers of these websites were being victimized through the use of their stolen credit card details or they did not receive any products. For example, my father purchased several products from a Chinese website, and the shock was that the credit card information was stolen and his credit card was fraudulently used to buy several books from Amazon. As can be seen in figure 6, opening the link in figure 5 leads to a fraudulent request for the victim to provide credit card information (Sherry, 2010). Figure 4 displays the number of phishing sites detected between January 2012 and March 2012, with the highest number being found in February, at 56,859, which was also the highest number since the beginning of the detection efforts (APWG, 2012).

Figure 6: Example of what happens after clicking on a phishing link. Source: (Sherry, 2010)

Phishing through viruses:

The last type of common phishing is viruses, which involves a fraudster sending a specific virus to victims that will affect their computer. This type of fraud is often made possible by the lack of adequate anti-virus protection. The U.K. police center in Scotland has warned people about this type of phishing, because fraudsters have been requesting that victims pay 100 pounds to have their computers unlocked; in addition, the police suggest that individuals update their anti-virus programs to keep their computers secure (BBC, 2012). Two months ago, for example, a colleague logged onto his PC (Personal Computer) to check his email, when his computer screen suddenly displayed a warning message that appeared to be from the Metropolitan Police requesting that he provide his credit card details to continue surfing the Internet. My colleague was skeptical because no phone number or email address was given by which to contact the police; as a result, he discovered that this message was a new type of fraud designed to steal the credit card details of victims. Figure 7 provides examples of viruses created by fraudsters to defraud victims.


Figure 7: Example of phishing through viruses. Source: http://www.met.police.uk/pceu/cyber_crime.html

Effects of credit card fraud (phishing):

The huge number of phishing crimes involving credit card information in recent years has had major negative financial and reputational impacts on institutions and the community. According to Emigh (2005), in 2003 alone phishing crimes caused direct financial losses for U.S. (the United States of America) banks and credit card companies of approximately 1.2 billion dollars. On the other hand, indirect losses on the part of business may be more than the direct losses for banks and credit card companies, because of higher expenses resulting from online services, account replacement costs and customer service expenses (Emigh, 2005).


In the United Kingdom, banks lost 12.2 million pounds in 2004, and this doubled to 23.2 million pounds in 2005; this happened due to a doubling of phishing crimes through web banks (Micro Trend, 2006). Moreover, the highest losses for banks and business organizations in the United Kingdom occurred in 2008, which totaled 610 million pounds (BBC, 2012). Lythe (2012) indicates that a seller on a Russian Web site sells British credit card information for 19 Pounds, with full details, and there is a Web site selling British and German Visa cards and MasterCard with full details and security codes for 25 Pounds. A good example of the effects faced by banks and commercial sites is found looking at 2011, when a hacker from Saudi Arabia released tens of thousands of Israeli credit cards with full details. After this took place, a group of Israeli hackers published the information of approximately 200 Saudi credit cards, stolen from Saudi commercial sites such as souq.com. Therefore, not only did the banks and companies lose money, they also lost customers.

How Visa and MasterCard reduced frauds:

Eventually, with the progress of years and the suffering of businesses and consumers from credit card fraud, Visa and MasterCard issuers launched a new generation of credit cards, which have contributed to reductions in fraud and have enhanced protections for consumers through various methods. The first method is the Address Verification System (AVS), in which the address entered by the customer is compared to the address in the customer’s file in the issuing bank, and the result is sent to merchants to help them approve or reject the transaction. This system is used by 80% of merchants; however, only in the United States of America and Canada thus far, because sometimes it is difficult for the cardholder to enter street names or zip codes without making any mistakes (Turban, King, Lee and Liang, 2012).


The second method implemented is the Card Verification Number (CVN). According to Turban, King, Lee and Liang (2012), this method is used by 75% of traders, and involves comparison between the security code printed on the back of the credit card and details from the cardholder’s issuing bank; nevertheless, if the card is stolen then the fraudster can process any transaction through the Internet, because the security code will be available to him. Figure 8 shows an example of a card verification number on the back of a credit card.

Figure 8: an example of card verification number. Source: https://store.apple.com/Catalog/irl/Images/securitycode.html

The strongest method used to protect consumers, launched by Visa and MasterCard in cooperation with banks, is Verified by Visa (VBV) or MasterCard Secure Code. Using these methods, when the consumer uses a credit card online and before it is approved by the merchant, the cardholder needs to enter a password known only by the cardholder and the bank. Washington (2010) indicates that there are more than 70 million credit cards registered for this method. Visa advises its customers to enroll in this method because it is the most current way to protect them (Visa, 2012). For instance, my bank in Saudi Arabia uses this method by sending a specific password to customers through short message service (SMS). Figure 9 provides an example of verified by visa.


Figure 9: an example of verified by visa method. Source: (Visa, 2010)

How to avoid phishing:

Despite modern techniques used to protect Visa and MasterCard customers from credit card fraud, phishing crimes are on the rise due to lack of user awareness. A significant number of business organizations and banks provide tips on how to avoid becoming victims. According to Indiana University (2012), a phishing email always includes a link to another site, so they have advised people not to open links or reply to the email messages. McDowell (2009) indicates that there are a significant number of useful tips for avoiding phishing crimes on the Internet: the first tip is not to send any personal information online unless you are sure of the authority of the person sending the email; secondly, it is important to pay attention to the link site, because most malicious websites manipulate spellings; and the last tip is to install antivirus programs to reduce the frequency of phishing emails and to protect the consumers from phishing. According to Cross (2008), the first step to making your computer safe at all times is to keep the system updated to keep all users on a secure connection. There are two types of transfer protocols, which are HTTPS (Hypertext Transfer Protocol Secure) and HTTP (Hypertext Transfer Protocol). Most Web sites containing sensitive information use the first protocol, which is HTTPS. The reason for this is that using a secure connection ensures that the information entered by users on the browsers is safe and protected. For example, when the customer logs in to a bank account, the bank will use an HTTPS connection rather than an HTTP connection to keep information secure (Witten, Gorri and Numerico, 2007). In addition, Visa suggests checking the link of a website before making any financial transactions, to make sure that the Web page is secure: it must be https:// rather than http://, and the company also suggests making sure there is a padlock icon in the browser status bar (Visa, 2010). All of these tips for reducing phishing on the Internet are useful, but the problem is that a number of consumers search for phishing information only after the occurrence of a problem. Figure 10 shows two red circles, the first for a secure connection and the second for the padlock icon.

Figure 10: an example of secure connection. Source: Lloyds Bank Login Page
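The link checks described above (HTTPS rather than HTTP, and attention to manipulated spellings) can be automated. The following Python sketch is an added example, not part of the original essay; the function names, the `TRUSTED_DOMAINS` allow-list and the sample URLs in the comments are constructed assumptions, and the last-two-labels domain rule is a simplification.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: illustrative allow-list; a real deployment would list the
# domains its own users legitimately visit.
TRUSTED_DOMAINS = ("mybank.example", "cardissuer.example")


def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Last two labels of the host (assumption: no public-suffix handling)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(url, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return a list of warnings for a link; an empty list means no finding."""
    warnings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        warnings.append("not-https")
    if parts.username is not None:
        # Text before '@' is login data, not the site being contacted.
        warnings.append("userinfo-in-url")
    if is_ip_literal(host):
        warnings.append("ip-address-host")
        return warnings
    domain = registered_domain(host)
    if domain in trusted:
        return warnings
    for good in trusted:
        # Trusted name used as a sub-domain of some other domain.
        if "." + good + "." in "." + host:
            warnings.append("brand-in-subdomain:" + good)
        # Near-miss spelling of a trusted domain (e.g. one letter changed).
        if edit_distance(domain, good) <= max_distance:
            warnings.append("lookalike-of:" + good)
    return warnings


if __name__ == "__main__":
    # Constructed sample links, one per case handled above.
    for sample in ("https://www.mybank.example/login",
                   "http://www.mybank.example/login",
                   "https://www.mybanc.example/login",
                   "https://mybank.example.secure-login.test/verify",
                   "http://192.0.2.10/update"):
        print(sample, "->", check_link(sample) or "no findings")
```

An empty result only means none of these specific checks fired; it does not establish that a site is legitimate.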

Questionnaire:

A questionnaire was given to 60 people and the results revealed that 93.3% of respondents have credit cards and 83.3% of them used their credit cards to make purchases on the Internet. In terms of security, 48.4% of respondents make sure there is a secure connection (https://) before making any financial transaction, and 78.3% of respondents have anti-virus programs on their computers. In addition, 73.3% of people have received phishing emails, and the average number of such emails received per month is between 5 and 20. 41.7% of respondents indicated that the most common type of credit card fraud was phishing through email and fake Web sites, with 48.3% reporting that the main cause of credit card fraud is a lack of awareness on the part of credit card users. 40% of respondents are at risk of becoming victims of phishing through fake Web sites because they are unaware of the importance of secure connections. 21.7% are at risk of phishing through viruses, because they do not have anti-virus programs installed on their computers.

Conclusion and recommendation:

To sum up, credit card fraud is a problem faced by a significant number of business organizations and communities. Although there are multiple types of such fraud (including lost, stolen, skimming, phishing and hacking frauds), fraudsters are most frequently manipulating their victims through the most common type, which is phishing, either through email, fake Web sites or by sending viruses. The result is huge losses for banks and companies which provide credit cards to customers. In response, companies providing credit cards have cooperated with banks to employ new technologies for credit cards such as the address verification system (AVS), card verification number (CVN) and the verified by visa system (VBV) to reduce fraud on the Internet. Moreover, they have developed suggestions for consumers to avoid phishing and at the same time reduce losses for banks. The lack of awareness on the part of consumers has led to increased phishing attacks. As a result, banks and business organizations need to continue working to increase awareness about the dangers of phishing through the Internet or television. Additionally, cardholders should consider using pre-paid credit cards to conduct financial transactions, whether on the Internet or in other places, to keep them safe at all times.

References

Anti-Phishing Working Group. (2012). Phishing attack trend report. Available at: <http://www.antiphishing.org/phishReportsArchive.html> [Accessed 1 Nov 2012]

Bahtla, T., Prabhu, V., & Dua, A. (2003). ‘Understanding credit cards fraud’. TATA Consultancy Services. Available at: <www.popcenter.org/problems/credit_card_fraud/PDFs/Bhatla.pdf> [Accessed 1 Nov 2012]

BBC. (2012). Card fraud falls to its lowest level for 11 years. Available at: <http://www.bbc.co.uk/news/business-17273097> [Accessed 1 Nov 2012]

BBC. (2012). Northern Constabulary warning over computer scam. Available at: <http://www.bbc.co.uk/news/uk-scotland-highlands-islands-20007481> [Accessed 31 Oct 2012]

Cross, M. (2008). Scene of the cybercrime. 2nd ed. Burlington: Syngress Publishing Inc. p395, p488–489.

Emigh, A. (2005). ‘Online Identity Theft: Phishing Technology, Chokepoints and Countermeasures’. Radix Labs. Available at: <http://www.antiphishing.org/Phishing-dhs-report.pdf> [Accessed 25 Oct 2012]

Fairfax County Virginia. (2012). Credit card fraud. Available at: <http://www.fairfaxcounty.gov/police/financialcrimes/creditcardfraud.htm> [Accessed 29 Oct 2012]

Indiana University. (2012). What are phishing scams and how can I avoid them. Available at: <http://kb.iu.edu/data/arsf.html> [Accessed 29 Oct 2012]

Jones, R. (2006). Internet Forensics. 2nd ed. Sebastopol: Reilly Media Inc. p3.

Kansas State University. (2012). Definition of fraud. Available at: <http://www.k-state.edu/internalaudit/reporting-fraud/frauddefinition.html.> [Accessed 31 Oct 2012]

Levinson, M. (2012). ‘How to Tell If an Email Is a Phishing Scam’. CIO. Available at: <http://www.cio.com/article/703977/How_to_Tell_If_an_Email_Is_a_Phishing_Scam> [Accessed 2 Nov 2012]

Lythe, R. (2012). ‘Bank customers' debit and credit card passwords and PINs being sold for just £19 on Russian websites’. This Is Money. Available at: <http://www.thisismoney.co.uk/money/cardsloans/article-2097807/Sold-19-British-bank-customers-credit-card-details-available-Russian-websites.html> [Accessed 27 Oct 2012]

McDowell, M. (2009). ‘Avoiding Social Engineering and Phishing Attacks’. United States Computer Emergency Readiness Team. Available at: <http://www.us-cert.gov/cas/tips/ST04-014.html> [Accessed 27 Oct 2012]

Neumann, P.G. (2006). Risks to the Public. ACM New York, NY, USA. 31 (2), p6–16.

Sherry, N. (2010). ‘Beware of Phishing Scam Promising Tax Refunds’. Australian Government. Available at: <http://ministers.treasury.gov.au/DisplayDocs.aspx?doc=pressreleases/2010/015.htm&pageID=003&min=njsa&Year=&DocType> [Accessed 4 Nov 2012]

The UK Cards Association. (2011). Summary figure 2011. Available at: <http://www.theukcardsassociation.org.uk/2010-facts-figures/index.asp> [Accessed 1 Nov 2012]

Turban, E., King, D., Lee, J., Liang, T., & Turban, D. (2012). Electronic Commerce. 7th ed. London: Pearson Education. p504–556.

Trend Micro. (2006). Phishing. Available at: <http://www.antiphishing.org/sponsors_technical_papers/trendMicro_Phishing.pdf> [Accessed 31 Oct 2012]

Vahl, S. (2009). ‘Fake websites shut down by police’. BBC. Available at: <http://news.bbc.co.uk/1/hi/uk/8392600.stm> [Accessed 5 Nov 2012]

Visa. (2010). Secure with visa. Available at: <http://www.visa.ca/en/personal/securewithvisa/phishing.jsp> [Accessed 31 Oct 2012]

Washington, S. (2010). ‘Fraudsters 'copying online banking security'’. BBC. Available at: <http://www.bbc.co.uk/news/uk-11571873> [Accessed 31 Oct 2012]

Witten, L., Gorri, M., & Numerico, T. (2007). Web Dragons. San Francisco: Elsevier Inc. p65–66.

Appendices

The following pictures are an example of the final result for a questionnaire made between 60 people:
