Notes on Credit Fraud Case

Case Analysis:

-1- Criminals are put on notice: verifications are routinely made by organizations to protect themselves against the consequences of ID theft.
It is important to understand that this is independent from the measures which can be taken to prevent ID theft in the first place.
This is nothing new. Thefts of ordinary property are often found and solved when the stolen property comes on the market, after the original thief is long removed from the case.

-2- The task faced by organizations falls in a field of engineering called "pattern recognition". This field covers every type of detection, such as typographical characters in optical readers, cancerous cells in automated analysis of breast X-rays, enemy submarines in naval warfare or, in the case at hand, ID theft related activity.
Pattern recognition in real life is never 100% accurate. Central to its methodology is the fact that its errors fall into two very distinct categories:

  • - false positives, when the wrong pattern is recognized
  • - false negatives, when the correct pattern is ignored
According to this classification, the "road story" is obviously a false positive, an alert for potential credit card theft for what amounted to valid transactions.
One can also see the "taxing case" as another false positive.
But let us assume for the sake of argument that Mr Coveignoux did exist and was different from Mr Coueignoux. Then it would be an example of a false negative made repeatedly in the past by the IRS, allowing Mr Coueignoux to get away with ID theft for many years.
As one can see in this example, there is a direct trade-off between the two types of errors. If one tries to decrease false negatives (and catch more criminals), one will trigger more false positives (and annoy more people). Going from human judgment to computer processing at the IRS and Social Security had exactly this effect.

-3- When verifying a user's identity, one can see two very different practices at work.
In the "taxing case", the IRS decided to rely on a trusted third party, Social Security, for checking identifying characteristics (name and SS number) against the records of this third party.
In the "road story", the credit card issuer was relying on suspect behavior analysis (sudden travel by stay-at-home people), based on expert knowledge derived from accumulated internal data, both statistical and historical.
All methods used to combat credit fraud will use one or both approaches.
The cases underline the difficulties of either approach:

  • - identifying characteristics are prone to be foiled by seemingly small typographical inaccuracies, like the one committed by reading a handwritten U as a V
  • - behavior outside of the expected is to be expected from any human being once in a while

-4- More subtle is the difference between stealing a credit card and stealing an ID.
On the one hand, a credit card is one piece of ID. The criminal who uses my credit card number is fraudulently acting in my capacity, guilty of stealing my ID.
On the other hand, a credit card is a means of payment, and what the merchant cares about is not who the customer is but whether he, the merchant, will be paid in full. The risk is that the legitimate owner of the credit card will contest the charge and burden the merchant with the loss of the goods or services billed for, plus a chargeback fee from the credit card company.
From this perspective, what counts is how deep the ID theft goes. Ordinary credit card thefts can be thwarted by requesting additional ID information and looking for discrepancies. In case of more complete ID thefts, behavioral analysis might be more reliable.

-5- Ordinary merchants cannot hope to solve all the difficulties mentioned above without external help. In particular, suspicious behavior is hard to track down without an extensive amount of historical data to use in setting up the detection system. A motel operator on route 80 cannot indulge in suspecting all out-of-state travellers. It would cripple its business. Yet this operator cannot know that the Coueignoux have a stay-at-home profile and that a card in their name presented in Iowa can reasonably be considered as suspect.
However, caution must be taken:

  • - an ordinary merchant is still in the best position to analyse surprising changes in a remote repeat customer's behavior relative to the sales at this merchant, and thus detect potential fraud
  • - fortunately for the privacy concerns of consumers, profile data is not yet entirely aggregated and some conclusions can still be misleading. On the basis of his American Express credit card records, Mr Coueignoux is not such a stay-at-home body after all!

-6- The previous point is about scale: the more the activity, the better ID verification processes and behavioral knowledge become. But decision time is another key variable.
In the "taxing case", the IRS can take all the time necessary to ensure the correctness of a taxpayer identity as taxpayers cannot claim interest on their refunds, nor can they easily take their business elsewhere.
In the "road story", the motel owner must decide on the spot whether to grant access to the room to the weary traveler, and needs to be nice to the potential customer. Indeed, the ID verification in this case was not done by the owner, but by the issuer bank, a few days after the fact.
Real time, user-friendly solutions cannot be as good but are very useful to the economy nonetheless.

General Comments:

-1- The ID theft chapter lists three ways of finding out "whom" one deals with:

  • - credit record checks
  • - employee criminal background checks
  • - user access control to information systems
Implicitly, the persons responsible for such checks have both the time and the proper authority to perform them.
How should merchants, especially Internet merchants, who have no time and little authority, go about deciding whether to accept a credit card from a customer?
One way is to rely on so-called merchant service providers (MSP) to help avoid bad debt and chargeback fees through real time checks.
The credit card networks themselves, as well as the major credit reporting agencies, have also developed real time solutions to better identify fraudulent card users.

-2- While verification services do decrease false negatives, they are subject to intrinsic limitations which boost false positives.
Take for example the common verification based on checking the address declared by the customer versus the address kept on file by the issuer. While a mismatch reasonably raises some concern, one knows that spelling mistakes do occur (see the "taxing case") and that customers do move.
Handling address discrepancies is such an issue that, when it occurs in conjunction with credit reports, it merits a whole page in FACTA, section 605 (h) (15 USC section 1681c).
Notice also that one of the leading reasons for customers to dispute a legitimate transaction is that the customer's monthly statement sometimes alters the original merchant name and address beyond recognition.
To avoid the customer backlash which would be associated with too many rejections from false positives, merchants often split false positives into two categories, straight "rejects" and "cases for review". One must of course budget additional expenses for processing the latter cases.

-3- One way to analyse the benefit of real time user verification is to adopt quantitative risk management.

For example:
Assume the merchant generates N transactions per month, with an average size of US$ P and an average gross margin of m%.
Assume the probability of servicing a fraudulent order is F.
The monthly gross of this merchant is US$ (N.P) from which one must deduct an average of US$ (F.N.P) above base costs of US$ ((1-m).N.P).
Assume now that an MSP offers this merchant a card verification service which cuts fraudulent order down to f, while creating a probability v of voiding good sales.
Assume the cost for this service is a monthly flat fee of US$ p, plus a per transaction fee of US$ r.
The monthly gross stays at US$ (N.P) from which one must now deduct US$ ( f.N.P + v.N.m.P + r.N + p ) above base costs.
The relative gain (or loss) delivered by the service is therefore:
(a) 100 x {[(F - f - v.m).P - r].N - p} / (1 - F).P.N %
Application:
  P = $25, N = 5,000, m = 50%, F = 2%, f = 0.5%, v = 0.4%, r = $0.10, p = $20: gain of 0.90 % of revenues
  P = $10, N = 12,500, m = 50%, F = 2%, f = 0.5%, v = 1.5%, r = $0.10, p = $20: loss of 0.27 % of revenues
Notice that the result flows directly to the merchant's bottom line. A good operation in the first case, frustration in the second.

The example above is very crude. Notice in particular that no mention has been made of chargeback fees.
Assume then that the merchant bank charges US$ C per rolled-back transaction. The formula above becomes:
(b) 100 x {[(F - f - v.m).P + (F - f).C - r].N - p} / (1 - F).P.N %
Application: C = $20
  P = $25, N = 5,000, m = 50%, F = 2%, f = 0.5%, v = 0.4%, r = $0.10, p = $20: gain of 2.12 % of revenues
  P = $10, N = 12,500, m = 50%, F = 2%, f = 0.5%, v = 1.5%, r = $0.10, p = $20: gain of 0.96 % of revenues
Notice that the existence of chargeback fees makes decreasing false negatives even more attractive, especially when the average transaction price is low.

The previous examples have been engineered for the sake of illustration, in particular to show the interplay between multiple factors. The only conclusion to be drawn is that, when the model used to capture a specific merchant's risk reflects reality, the merchant can optimize business profitability in the face of uncertainty and adjust controllable factors over time.
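The merchant risk model above, carried through in code as an added worked example (not part of the original notes): formulas (a) and (b) evaluated on the two sets of inputs quoted, a cross-check of formula (b) against the monthly profit with and without the service, and the break-even false-positive rate v, the controllable factor a merchant's review rules adjust. The symbols are those of the notes; the break-even function is an assumption derived by solving the numerator of formula (b) for v.

```python
"""Merchant risk model from the notes: relative gain of a card
verification service, formulas (a) and (b).

Added worked example, not part of the original notes. Symbols follow the
notes: N orders/month, P average order size (US$), m gross margin, F fraud
rate without the service, f fraud rate with it, v rate of good sales voided
by false positives, r fee per order, p monthly flat fee, C chargeback fee
per rolled-back order (C = 0 reduces formula (b) to formula (a)).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Merchant:
    N: int      # orders per month
    P: float    # average order size, US$
    m: float    # gross margin as a fraction (50% -> 0.5)
    F: float    # probability of servicing a fraudulent order, no service


@dataclass(frozen=True)
class Service:
    f: float    # residual fraud probability with the service
    v: float    # probability of voiding a good sale (false positive)
    r: float    # fee per order, US$
    p: float    # flat monthly fee, US$


def profit_without(mc: Merchant, C: float = 0.0) -> float:
    """Gross N.P less base costs (1-m).N.P, fraud losses F.N.P and
    chargeback fees F.N.C on the fraudulent orders."""
    gross = mc.N * mc.P
    return mc.m * gross - mc.F * gross - mc.F * mc.N * C


def profit_with(mc: Merchant, sv: Service, C: float = 0.0) -> float:
    """Same with residual fraud f, margin lost on voided good sales
    v.N.m.P, service fees r.N + p, and chargebacks on residual fraud."""
    gross = mc.N * mc.P
    lost = sv.f * gross + sv.v * mc.m * gross + sv.r * mc.N + sv.p
    return mc.m * gross - lost - sv.f * mc.N * C


def relative_gain_pct(mc: Merchant, sv: Service, C: float = 0.0) -> float:
    """Formula (b): 100 x {[(F - f - v.m).P + (F - f).C - r].N - p} / (1 - F).P.N,
    i.e. (profit_with - profit_without) over revenue net of fraud."""
    per_order = (mc.F - sv.f - sv.v * mc.m) * mc.P + (mc.F - sv.f) * C - sv.r
    return 100 * (per_order * mc.N - sv.p) / ((1 - mc.F) * mc.P * mc.N)


def break_even_void_rate(mc: Merchant, sv: Service, C: float = 0.0) -> float:
    """Largest false-positive rate v at which the service still pays for
    itself (gain = 0): the controllable factor the merchant's review rules
    adjust, solved from the numerator of formula (b)."""
    return ((mc.F - sv.f) * (mc.P + C) - sv.r - sv.p / mc.N) / (mc.m * mc.P)


# The two sets of inputs quoted in the notes.
CASE_1 = (Merchant(5_000, 25.0, 0.5, 0.02), Service(0.005, 0.004, 0.10, 20.0))
CASE_2 = (Merchant(12_500, 10.0, 0.5, 0.02), Service(0.005, 0.015, 0.10, 20.0))
```

Evaluated on the second set of inputs with C = $20, formula (b) as printed gives about 2.79% rather than the 0.96% quoted, so that figure is worth rechecking against the formula before being reused; on all the other quoted inputs the code reproduces the figures above.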

-4- The best verification services encourage greater model complexity by giving more control over the decision back to the merchant.
While the final decision remains a binary (accept/reject) or ternary (accept/review/reject) answer, the decision is reached as a result of applying multiple business rules programmed by the merchant. See for example pages 7-9 of CyberSource Decision Manager.

-5- Some merchants prefer to lessen the need for real time credit card verification by enrolling the customer in their own database.
This allows a merchant to conduct its own verification step at the beginning, with enough time to do a good job, in particular to recover from false positives.
Afterwards, user identification is done using the merchant's own card, which can be a simple loyalty card or even a store credit card.
The downside of such a solution is that the protection against ID theft is not much better unless users are given a password, and that users must be rewarded for carrying an extra card. When, in the eighties, Sears tried to enforce the use of its Discover card by making it the only credit card accepted in its stores, it turned away all the customers who wanted to keep the number of their credit cards to a minimum. The Discover card is no longer owned by a retailer.

-6- While the remarks above reflect the point of view of the merchants, who bear the brunt of the financial risks in credit card transactions, they must not ignore the needs of the other parties in the payment system, especially the banks and the consumers.
Visa and MasterCard, for example, have developed an industry standard, called PCI Data Security Standard, which they impose on participating merchants and service providers. See the relevant documentation in the reference section. Discussion will be delayed till Part III.
In fact, if a merchant makes use of consumer credit reports, it also comes under the scope of FCRA, amended by FACTA, for example the requirements upon adverse actions (FCRA section 615) and the disposal of records (FCRA section 628) (see III-2 Disposing of Digital Information).
And if a merchant establishes his own credit card, it also falls under the scope of GLBA, as it is behaving as a financial institution (see guidance from the FTC).

-7- The credit card networks have their own strategy to strengthen user verification beyond real time checking. Instead of processing user data at each transaction, both Visa and MasterCard are trying to issue the user a password, as done in better system access control (see chapter I-1 ID theft).
However, from the point of view of the merchant, the Verified by Visa and the MasterCard SecureCode solutions suffer from a major drawback: they are dependent on voluntary user enrollment and continuing use of a password, a change in user habits which will take time. The merchant is left meanwhile to deal as usual with the majority of credit card holders, who are not enrolled.
The credit card networks present these programs as a kind of insurance by lowering the chargeback liabilities of enrolled merchants.

One should notice that the so-called smart cards, popular in Europe, fall under the same principle, since they require the user to enter a password, just like an ATM or debit card.
The issue is that smart cards need special readers, which are not available for Internet purchases.

-8- Financial institutions offer merchants user verification services for a fee. However, financial institutions have their own reasons to fight user ID theft. In particular, they are not insulated from the bad feelings generated by customer dispute resolutions, nor from the need to re-issue credit cards, for the sake of public relations, to customers who fear ID theft.
In view of their size, large issuers have more choice than small merchants as they can have direct access to pattern recognition technologies used to detect fraud.
But again, banks and their suppliers of services must make sure to conform to GLBA (see chapters II-2 Marketing Campaigns and III-1 Protecting Digital Information).

-9- A final word must be added for those besides merchants who handle consumer credit reports, whether to supply them (the credit reporting agencies), to use them (insurance companies, lenders, landlords, employers...) or to provide information for them (lenders..).
While these entities generally have more time to resolve the identity of the customer than ordinary Internet merchants, they can be lulled into a false sense of security by the very fact of having an abundance of data on the customer. More data does not mean a higher degree of certainty, since this very data can have been stolen or corrupted in the first place as part of an ID theft.
And here again they have been targeted for the sensitivity of their actions relative to the victims of ID theft and must conform to FCRA and FACTA (see Part III), including, for example, the Red Flag regulations yet to be published, mandated by FCRA section 615 (e).

Solutions:

Chapter I-1 ID theft has stressed that one should take a global, extensive view of the Information Systems at hand. There are two major reasons behind this principle.

One is practical. One protects oneself from liabilities and vulnerabilities by erecting a fence between one's system and the threats against it.
Just like a physical fence stretching over fields and pastures, this protection obviously does not apply to what is left outside. But there is worse to come: today's Information Systems are so integrated that leaving part of a system outside automatically creates the need for some traffic between the system and this part. This leads to the equivalent of gates in the fence, when this traffic is recognized, or, even worse, underground holes when the traffic is ignored. In both cases this usually creates weak points in the fence and, again as for physical fences, the protection obtained is worth no more than its weakest point.
Defining systems extensively means that the inevitable tradeoffs to consider between security versus cost and convenience will be approached in an optimal way.

The second reason for taking the broad view has to do with legal trends. One has only to look at the so-called statements of purpose which justify new laws and regulations (e.g. FCRA section 602). The economic importance of global systems is used to burden parts of such systems with duties which are meant to protect the other parties. In other words, the persons responsible for part of a system are asked by law to consider the whole system.
Notice that such mandates are not blind to economic realities. A key concept of all recent laws is that the persons or entities encumbered with a new legal duty are not asked to shoulder extraordinary charges, only to "take all reasonable steps". The law understands economic trade-offs and will not dictate detailed operational decisions, but makes three kinds of demands:

  • - consider the issues
  • - take relevant operational decisions
  • - document the reasonable character of such decisions
In order to respond in a prudent and forward looking manner, economic entities must at least take two steps, without which risk, both actual and legal, cannot be contained:
  • - designate a person responsible for the issues
  • - apply appropriate methodologies
Appointing a compliance officer is not an end in itself. For example, creating a powerless scapegoat won't do. But without this person, how can an economic entity prove it had given due consideration to the issues?

The same can be said of following a methodology. Consulting companies and leading business gurus have been known to develop methodologies as if they were in the high fashion business. Yet again, without a methodical approach, how can an economic entity prove its operational decisions were reasonable rather than reckless and self-serving improvisations? Methodologies will be examined in more detail in parts II and III.

As a starting point, the first key legal issue to consider, and an entry point in the methodology, will be to list all the laws, regulations and contractual obligations which apply to a particular economic entity. For example, we have seen in this chapter that a major retailer using credit reports and issuing its own credit card will fall under both FCRA and GLBA and, if this major retailer is a public company, it will also fall under SOX. Since it is likely that this retailer accepts major credit cards, it will also be held to the PCI Data Security Standard.

Tools available:

Credit Card verification services:
All but the simplest verification services are based on transmitting to the third party extra information taken from the customer, either from the credit card itself (e.g. security code) or added by the customer at the time of the transaction (e.g. billing address).
Here are some of the types of services:

  • - credit card number: is it valid?
  • - address verification services (AVS): does the billing address on record match the one declared by the customer?
  • - security code (CVV2 for Visa, CVC2 for MasterCard): the security code is nothing but an extension of the card number, not recorded by embossing machines
  • - geolocation: checks the Internet user for higher-risk signals (free email service address, IP from a foreign country...)
  • - advanced fraud detection based on behavior:
    • - order amount
    • - so called velocity factors (size of order flow, recent changes of billing address)
    • - and more: unlimited potential for checks based on pattern recognition techniques (see below)
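The checks listed above wired into the accept/review/reject decision of the General Comments, as an added example that is not from the notes or from any vendor's product: a Luhn checksum for card number validity, a tolerant AVS comparison (so that a typo or a move does not reject on its own), free-email and foreign-IP signals, an order amount limit and two velocity factors. The thresholds, signal weights, free-email domain list, card numbers and sample orders are all constructed for illustration.

```python
"""Rule-based screening of a card order into accept / review / reject.

Added example, not from the notes or any vendor product: it wires the check
types listed above (card number validity, AVS, free-email and foreign-IP
risk, order amount, velocity factors) into the ternary decision discussed in
the General Comments. Thresholds, weights, the free-email domain list and
the sample orders are constructed for illustration.
"""
import re
from datetime import datetime, timedelta

FREE_EMAIL_DOMAINS = {"freemail.example"}            # constructed list
HOME_COUNTRY = "US"                                  # merchant's country
REVIEW_AMOUNT, REJECT_AMOUNT = 500.0, 2000.0         # constructed limits
VELOCITY_WINDOW, VELOCITY_LIMIT = timedelta(hours=24), 3
REVIEW_THRESHOLD = 2   # weighted soft signals needed to open a review case

def luhn_valid(number: str) -> bool:
    """Card-number check: the Luhn checksum catches mistyped numbers;
    it says nothing about whether the card itself was stolen."""
    s = number.replace(" ", "")
    if not s.isdigit() or len(s) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(s)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def normalize_address(addr: str) -> str:
    """Lower-case, drop punctuation, collapse spaces: a stray comma or
    dot in the declared address should not count as an AVS mismatch."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", addr.lower()).split())

def screen(order: dict, on_file: dict, history: list) -> tuple:
    """Return (decision, reasons). on_file is the issuer's billing record
    for the card; history holds this merchant's earlier orders on the same
    card as (timestamp, billing_address) pairs, oldest first."""
    hard, soft = [], []            # soft signals carry a (weight, reason)
    if not luhn_valid(order["card"]):
        hard.append("card number fails checksum")
    if order["amount"] >= REJECT_AMOUNT:
        hard.append("amount above hard limit")
    elif order["amount"] >= REVIEW_AMOUNT:
        soft.append((1, "large order"))
    # AVS mismatches are false-positive prone (typos, customers who moved),
    # so a mismatch alone opens no review case; it needs a second signal.
    if normalize_address(order["billing"]) != normalize_address(on_file["billing"]):
        soft.append((1, "AVS mismatch"))
    if order["email"].rsplit("@", 1)[-1].lower() in FREE_EMAIL_DOMAINS:
        soft.append((1, "free email address"))
    if order["ip_country"] != HOME_COUNTRY:
        soft.append((1, "IP from foreign country"))
    # Velocity factors: order flow in the window and billing address changes.
    recent = [t for t, _ in history if order["time"] - t <= VELOCITY_WINDOW]
    if len(recent) + 1 > VELOCITY_LIMIT:
        soft.append((2, "too many orders in the velocity window"))
    if history and normalize_address(history[-1][1]) != normalize_address(order["billing"]):
        soft.append((2, "billing address changed since last order"))
    reasons = hard + [r for _, r in soft]
    if hard:
        return "reject", reasons
    if sum(w for w, _ in soft) >= REVIEW_THRESHOLD:
        return "review", reasons
    return "accept", reasons
```

The reasons list is what a "case for review" would carry to the reviewer; the weights are the merchant-programmed business rules that decide how many weak signals it takes before a sale is held up.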

These services are available through an agreement with service providers engaged in a variety of businesses:

Pattern Recognition (aka data mining) technologies:
Such technologies require a two-step approach:

  • - the so-called training or learning phase, wherein historical data is used to develop pattern recognition rules, whether implicitly (neural networks...) or explicitly (expert systems...)
  • - the recognition phase, wherein the new data is processed to determine its classification
The case of credit fraud is, fortunately for the industry, typical of so-called "rare case detection" problems, as the ratio of fraud cases is small compared to the total number of cases.
For a tutorial on the different approaches available to a sophisticated fraud detection department, please study Data Mining for Analysis of Rare Events by Aleksandar Lazarevic et al., University of Minnesota, 2004.

A further aspect of credit card fraud is the size and distributed location of historical data.
A solution can be found by adopting a distributed architecture. See Distributed Data Mining: Philip K. Chan et al. (IEEE Intelligent Systems Vol 14, no 6, Nov/Dec 1999) and JAM: Java Agents for Meta Learning over Distributed Databases: Salvatore Stolfo et al., Columbia University, March 1997.

For more commercial leads, please consult Dinkla's site

A link to an organisation, public or private, does not represent an endorsement,
and no compensation has been received nor solicited by the author for its inclusion.
July 2005
Copyright © 2005 Philippe Coueignoux. All rights reserved.