E&S PERFECTING. Prepaid Card Fraud: An Industry Primer. An E&S Consulting White Paper. April 2015 PAYMENTS

Save this PDF as:

Size: px
Start display at page:

Download "E&S PERFECTING. Prepaid Card Fraud: An Industry Primer. An E&S Consulting White Paper. April 2015 PAYMENTS"


1 April 2015 Prepaid Card Fraud: An Industry Primer 2015 E&S Consulting, LLC. All rights reserved. E&S Consulting is a payments industry consultancy that advises merchant acquirers, retailers, card marketers and issuers in a broad range of payment and financial services domains including prepaid program management, competitive research, training, marketing, POS hardware and software managment and partner recommendations.

2 PREPAID CARD FRAUD: AN INDUSTRY PRIMER Over the past few years, the popularity of prepaid cards has skyrocketed as consumers seek alternatives to checking accounts and credit cards and as the unbanked/under-banked population attempt to handle their finances in a more efficient manner. According to the Nilson Report, the top 50 largest U.S. banks and credit union issuers of general purpose reloadable (GPR) prepaid cards accounted for $ billion in spending at merchants in 2013 (the last year for which figures are available), up by 6.1 percent from Mercator Advisory Group has pegged the amount of money loaded on GPR cards as having almost tripled between 2008 and 2012, rising to $76.7 billion. That number is expected to rise to $168.4 billion by But with such growth comes the challenge of the phenomena known as prepaid card fraud. Prepaid card fraud is not only a real phenomena, it is packing a significant financial wallop. In 2013, the Federal Trade Commission (FTC) noted that Americans alone had reported collective losses of $42.86 million to schemes involving prepaid cards. By most accounts, such losses are in truth much higher: Consumers embarrassment at having fallen for such schemes, coupled with their reluctance to pursue legal recourse for prepaid card fraud based on the difficulty of doing so, has prevented many individuals from bringing these occurrences to authorities attention. Reported or not, most prepaid card fraud is perpetrated using GPR cards. These cards are issued by financial institutions and have long-term expiration dates. They can be sold at bank branches and retail stores and may be re-loaded after all or some of their initial value has been depleted. And as fraudsters become increasingly sophisticated, the types of fraud committed with these cards turns ever more complex, making mitigation, which has always been a priority, of utmost and unparalleled importance. Understanding Prepaid Card Fraud Industry players must maintain a handle on the ins and outs of established and emerging schemes alike as well as on strategies for addressing them if mitigation initiatives are to be effective. An understanding of prepaid card fraud is also imperative for all industry constituents, including issuers, prepaid program managers, and merchants: In the event that such fraud remains unaddressed, consumers may avoid purchasing prepaid products, in turn impacting revenues throughout the entire payment chain. Skimming One of the most common flavors of prepaid card fraud, skimming involves magnetic stripe cards. In a skimming scenario, thieves steal packages of cards from prepaid card malls or fixtures in stores. They then remove the cards, skim the magnetic stripes from the back, and return the cards to the display. An unsuspecting consumer then buys and activates one of the cards, while at the same time the thieves repeatedly check online to determine which has been activated and is ready to be used.

3 Skimming (cont d) Pre-skimming magnetic stripe checks are generally performed with bot malware that does the job via an automatic dialer or by entering card numbers on issuers websites every few minutes to check the account activation status and balance. Assessing activations with this level of frequency allows thieves to exploit the interval between the moment the card is activated and the time the customer first uses it, but there is more to the equation. With a counterfeit card created from the skimmed data, perpetrators spend the remaining balance after it has been skimmed and a new card created or used online--and before the actual customer tries to use it. By the time the real cardholder is ready to spend the money he thought was on the card, the account is empty. The only bright spot in this scenario: Skimming proves to be cost-effective only if fraudsters are engaging it on a large scale in other words, skimming gift cards with balances of up to $500. Counterfeit Barcodes This is another scheme perpetrated in-store. Fraudsters begin by applying barcoded stickers over the genuine barcodes of prepaid cards. When a sticker is scanned, the activation is directed away from the card the consumer is purchasing and to the thief s blank card. The consumer gets a card that is not activated a problem he will discover only after he attempts to utilize it. He has no proof of activation (and hence, no way to recover the money) because the activation scan was re-directed from his legitimate card to the thief s blank card. Misdirection Fraud Misdirection fraud is considered by some to be the dirtiest trick in prepaid, primarily because its common victims include low-income recipients of government-issued benefits. Misdirection fraud assumes many guises. Under the umbrella known as benefit misdirection, perpetrators steal victims identities and use them to open fraudulent accounts, layering the proceeds (primarily Medicare, social security or WIC payments or tax refunds) onto GPR cards. These GPR cards are obtained by passing standard required ID verification methods, and are subsequently used to withdraw cash at an ATM or to purchase high-end goods with the latter sold through ebay, Craigslist, pawn shops, and similar entities to raise cash. Another iteration of misdirection fraud is victim-assisted misdirection fraud designated as such because information harnessed to carry out the scheme is supplied by victims themselves. In both cases,fraudsters instruct victims to load money onto GPRs for seemingly legitimate reasons e.g., to immediatelypay a utility bill, thereby avoiding disconnection, or to cover the tax and shipping cost of a prize won in a contest. Once victims have done so, they are told to provide the account number and PIN of the GPR they have purchased to a representative of the entity that requested it.however, the entity does not exist. Instead, human money mules enlisted in the scheme use the supplied information to empty the card of the money that has been loaded onto it.

4 Misdirection Fraud (cont d) Of particular concern when grappling with misdirection fraud is the fact that identifying and attacking it has proven to be much more difficult than banning it. Embarrassment about having fallen for a misdirection fraud scam often prevents victims from coming forward and reporting them, especially when the sum of money lost is relatively insignificant, as can be the case. Even in instances that involve marked loss, tracing its source frequently is tricky: Perpetrators tend to execute schemes against individual victims by ordering them to purchase multiple prepaid cards in smaller denominations transactions that simply do not stand out as larger ones would. Cyber-Attacks Cyber-attacks on retailers databases, along with merchant-level data breaches have been a point of entry to prepaid card fraud. Hackers cannot determine whether a given stolen card number is associated with a credit card account or a prepaid card account. However, they do utilize stolen card numbers to fabricate fraudulent white cards to be used at the POS, as well as to purchase open or closed loop gift cards. Addressing this variety of prepaid card fraud can also be challenging because the scope of a single incident can expand quickly, making timely curtailment almost impossible. For instance, a few years ago, several perpetrators hacked into RBS WorldPay s computer network and breached the data encryption on prepaid debit cards used by WorldPay clients to pay their employees. Members of the ring loaded more than $9 million onto 44 fake prepaid debit cards, which were then employed by mules to withdraw the money from more than 2,100 ATMs in at least 280 cities around the world in under 12 hours. Fraud alerts were issued, the cards were invalidated, and the ringleader was apprehended and convicted, but the withdrawals were made so quickly that it was not possible to stem the loss. Reg. E Error Resolution With the exception of payroll cards and some types of government-administered cards, most issuers do adhere to Regulation E error resolution procedures for reloadable cards. The provisional credit portion of the regulation holds that funds must be temporarily redeposit onto cards in instances where a consumer dispute cannot be investigated and resolved within specific time frames (10 business days). Fraudsters method of abusing the provisional credit mandate involves disputing prepaid card transactions in order to receive from issuers provisional credits to their prepaid card accounts. Once issuers have granted such good-faith credits, perpetrators spend the money, and never use or load the card again. Before issuers can determine that these disputes are not legitimate and once again debit the appropriate sum from fraudsters accounts, both money and cardholders have disappeared.

5 PREPAID FRAUD CONTROLS While automated,off-the-shelf prepaid card fraud monitoring tools have yet to be developed, issuers have come to consider repeat value checks on un-activated prepaid cards an indicator of imminent fraudulent activity, and have instituted the precautionary practice of shutting down any prepaid card account for which a seemingly excessive number of such checks have been performed. However, a far more comprehensive approach to combating or at least minimizing the phenomena and its impact is needed. The elements of this approach encompass: Tamper-evident/Tamper-resistant Packaging Despite its cost, tamper-resistant packaging for prepaid cards displayed on fixtures with j-hooks constitutes an effective first line of defense against both skimming and the use of fake bar codes. In fact, it is a component of brand requirements. Merchants must maximize the potential of such packaging to deter the purchase of prepaid instruments for illegitimate purposes by training sales clerks to identify signs of tampering. This includes small tears, creasing, and similar evidence that packaging has been open and re-closed and that the replacement of cards inside a package may have occurred, as well as the appearance of stickers on packaging. Clerks should be instructed that they should never activate any prepaid card when evidence of tampering exists, but rather, to destroy it immediately or give it to a manager who can do the same. Prepaid cards also feature numbering and sequencing to prevent would-be fraudsters from replacing prepaid cards inside packages or otherwise altering packaging in order to perpetrate their schemes. Consequently, in-store procedures for detecting tampering should also involve a scan of the number imprinted on a given prepaid card itself (visible through the packaging window) with the number printed on its packaging. A mismatch flags the possibility of a replacement or fake barcode and renders card activation impossible. Customer Approval Controls Prepaid card fraud is, in most cases, identity theft. No consumer should be approved to open a prepaid card account until customer approval controls have been applied. This starts with the verification of customer addresses through USPS Address Verification; if the address provided and information on file do not match, an account should not be opened. Requesting that applicants show a photo ID, voter registration card, or recent utility bill (with a canceled postmark) can deter fraud as well. Another equally critical customer approval control is knowledge-based authentication (KBA), wherein each prospective cardholder s answers to certain questions (i.e., social security number (SSN), driver s license number) is compared to information contained in public records. Any individual who provides an SSN that is determined to belong to a deceased or imprisoned party should automatically be denied a prepaid account.

6 Additional Identity Theft Control Beyond customer approval controls, it behooves the issuing community to flag indicators that prepaid card fraud, rather than the legitimate purchase of a prepaid card, is in progress. This should entail the catching of SSNs with addresses, telephone numbers, addresses, and IP addresses. Attempts should be made to pinpoint instances in which high-risk telephone numbers (both pager numbers and invalid numbers) and addresses (non-verifiable addresses and those with oddly formatted domain addresses) have been supplied, and in which multiple recipient address changes within a user-defined period of time have been requested (such changes should, under ideal circumstances, be prohibited). Equally essential are the leveraging of IP location services to limit activations from foreign countries and the utilization of velocity controls. Velocity controls may include checks for multiple cards associated with a single address (per day, week, or month) and multiple activations per ANI, IP or device ID or cards per phone, physical address or address. Online fraud monitoring software, too, is valuable in identity theft control, as is assistance from third-party verification services. Many of the latter provide high-risk response codes when irregularities are detected during the identity verification process. Such irregularities may encompass, but are not limited to, the use of SSNs that are invalid, were never issued, belong to a deceased person, or are associated with multiple individuals; invalid telephone numbers or pager numbers; forwarding addresses; and addresses of mail drops, commercial businesses, and prisons. Money-On Controls For Tax Deposits And Benefits When tax refunds and benefits are loaded onto prepaid cards, it is imperative that the tax or benefits authority include the recipient s SSN or the last four numbers thereof on the Automated Clearing House (ACH) transfer, along with a reference that funds comprise either tax refund or benefits monies. Multiple deposits to single prepaid card accounts should be limited. Additionally, mismatches between names indicated on ACH entries and beneficiary names contained in tax or agencies records, as well as other questionable information, should trigger a return of funds using the R17 refund mismatch return code. Money-On Controls For Card Re-loads In addition to leveraging the identity verification methods covered above, money-on controls for card reloads must always entail ensuring that reloads come from a single, verified funding source. Placing limits on the value of reloads also bodes well for minimizing the use of GPR cards for fraudulent activities.

7 Money-Out Controls On Prepaid Card Spending Cardholder spending warrants careful monitoring for potentially suspicious transactions, including those initiated in foreign countries and at high-risk merchants. The spending of prepaid card funds in foreign nations can and should be limited or blocked, with these limitations/blocks instituted on a country-by-country basis should activity warrant. CONCLUSION The contest between fraudsters and prepaid card industry stakeholders will continue as perpetrators exercise increased creativity and aptitude at finding new vulnerabilities within the prepaid ecosystem and exploiting existing ones. Thus, it benefits all industry constituents issuers, prepaid card program managers, and merchants alike to familiarize themselves with emerging and well-developed prepaid card fraud schemes, and to consistently share their knowledge with those outside their own lines of business. The end-result of such cooperation and communication will render fraud a less frequent occurrence and less of a concern not only to the prepaid community, but to consumers as well. For more information, contact E&S Consulting at or give us a call at