In today’s New York Times there is an article (http://nyti.ms/ms4F9K)
about the recent Citigroup breach. It contains a twisted bit of logic about credit card fraud that is equal parts disturbing, irresponsible, and laughable. The article points out that according to the annual report put out by Verizon and the Secret Service, in 2008, 360 million personal records were stolen, mostly credit and debit files. In 2010 the number decreased to 3.8 million. Is this due to better early identification of fraud? Or perhaps that fraud has moved to other areas? No, according to a forensics “expert” quoted in the article, fraud is going to jump in 2011 as the accounts compromised in the “vast 2008 thefts expire.” The logic, if it can be called that, is that fraudsters hold on to and presumably continue to use compromised cards from the moment they are issued until they expire. In other words, no bank or customer notices the fraud for three years.
Full disclosure here: I was once responsible for fraud analysis and reporting for one of the two large card brands. But I don’t think that such experience is required to be stunned at just how wrong-headed such a statement is or that it makes its way into the media. At a high level fraud is either “friendly” or criminal. By friendly I mean nice, otherwise clean-living people who take advantage of circumstances to commit a crime of opportunity. Think of the person who finds the card of a previous user on top of a gas tank and thinks to themselves, “Jesus loves me and must want me to have free gas today.” Or, as I saw once, a woman’s card had been compromised and four pieces of jewelry purchased, each for around $1,200. She then went and purchased a similarly priced piece of jewelry for herself and claimed it was fraudulent as well. She must have felt it was owed her for the inconvenience. I caught her when I happened to be reviewing the signed authorization slips and noticed that the signature on her fraud claim matched one of the receipts and was wildly at variance from the signature on the receipts for the four fraudulent charges.
I was once told by a very large issuer that their policy was that every customer was entitled to one “free” fraud claim. For example, think of the businessman whose wife happens to pay the credit card bill when he is away on a particularly long trip. She may call the card company to complain that her husband would never spend $500 on porn or gambling and dispute such charges. All the while the bank representative is looking at a history of such charges on his/her computer screen. What is customer service told to do? Eat the charge and tell the spouse something to the effect of, “Oh yes miss, your husband would never do such a thing. I will back the charge out right away.” The bank will then gladly process next month’s porn-related charges, make its money, and not lose a solid customer.
I have done studies of the behavior involved in true criminal use of credit cards and friendly, or opportunistic, fraud. The results showed two very clear but different patterns that turned out to be exactly what you would expect if you sat down to think about the problem. Crimes of opportunity are generally low dollar, are for staples (food, gas, etc.), low volume (just one to three things), and short term (all over the course of a few hours). The pattern fits someone who is nervous, inexperienced, doesn’t want to get caught, and does not understand the law and card processing as well as a professional criminal.
On the other hand, the criminal wants high-dollar purchases, high volume, and different types of items (instead of staples the criminal wants jewelry and electronics that they can fence), and will space their purchases over days as they know fraud detection techniques better than the average consumer who just happened to find someone else’s card. But the time between a first purchase on a compromised card and the last purchase is never, ever, more than thirty days. To claim it is three years is ludicrous.
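As an added illustration (not from the original post), the Python below turns the two behavioral patterns just described into a simple scoring rule over constructed transaction records, and flags any sequence that stretches past thirty days as implausible for a single compromised card; the dollar, count and time thresholds are assumptions, since the post describes the shape of each pattern rather than exact cut-offs.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed category sets: "staples" vs. goods a professional can fence.
STAPLES = {"grocery", "fuel", "pharmacy"}
FENCEABLE = {"jewelry", "electronics"}

# Assumed thresholds (the post gives the shape of each pattern, not numbers).
LOW_DOLLAR_TOTAL = 300.0             # total spend below this is "low dollar"
HIGH_DOLLAR_TOTAL = 1000.0           # total spend at or above this is "high dollar"
SHORT_TERM = timedelta(hours=12)     # "over the course of a few hours"
MAX_MISUSE_WINDOW = timedelta(days=30)  # post: never more than thirty days

@dataclass
class Txn:
    ts: datetime
    amount: float
    category: str

def profile(txns):
    """Count how many signals of each pattern a transaction sequence shows."""
    txns = sorted(txns, key=lambda t: t.ts)
    span = txns[-1].ts - txns[0].ts
    total = sum(t.amount for t in txns)
    staples = sum(1 for t in txns if t.category in STAPLES)
    fenceable = sum(1 for t in txns if t.category in FENCEABLE)
    opportunistic = sum([len(txns) <= 3, span <= SHORT_TERM,
                         total < LOW_DOLLAR_TOTAL, staples == len(txns)])
    professional = sum([len(txns) > 3, span > timedelta(days=1),
                        total >= HIGH_DOLLAR_TOTAL, fenceable > 0])
    return {"span": span, "opportunistic": opportunistic, "professional": professional}

def classify(txns):
    if not txns:
        return "no-activity"
    p = profile(txns)
    if p["span"] > MAX_MISUSE_WINDOW:
        return "implausible"      # no one uses a stolen card for three years
    if p["opportunistic"] > p["professional"]:
        return "opportunistic"
    if p["professional"] > p["opportunistic"]:
        return "professional"
    return "undetermined"

# Constructed sample sequences for the three cases discussed in the post.
T0 = datetime(2011, 6, 10, 9, 0)
GAS_STATION_FIND = [Txn(T0, 42.0, "fuel"), Txn(T0 + timedelta(hours=1), 63.5, "grocery"),
                    Txn(T0 + timedelta(hours=3), 18.0, "pharmacy")]
FENCING_RUN = [Txn(T0 + timedelta(days=d), 1200.0, c) for d, c in
               [(0, "jewelry"), (2, "electronics"), (4, "jewelry"), (7, "electronics")]]
THREE_YEAR_CLAIM = [Txn(T0, 42.0, "fuel"), Txn(T0 + timedelta(days=3 * 365), 1200.0, "jewelry")]
```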
My point is that maybe this “expert” is just stupid or maybe very poorly informed, but what is scary is that he is out there spreading this type of foolishness, which does nothing to help the fight against fraud. The real issue at Citigroup is poor coding. There is just too little emphasis on proper code review vs. time and cost. The PCI DSS does call for code review, but IT too often views the control as something to work around and not as a good practice to follow.