What is a Card? A quick Introduction
A card, credit or debit, is a piece of plastic issued by a financial institution to make payments for goods or services purchased by the cardholder. Each card contains information such as the cardholder’s name, the card number, expiry date and the CVV (Card Verification Value). The structure and data on the card make it an attractive souvenir for fraudsters to have in their display cabinet. Understanding a card gives a financial crime analyst important information for writing fraud rules based on these characteristics, so as to prevent fraudulent transactions from happening.
Anatomy of a Card: What each detail means
- Card Holder Name: The name of the person the card is issued under.
- Card Number: A unique card identifier number (14-16 digits long) found on the card.
- CVV: Usually a 3-digit security code found on the card, used to verify card-not-present (CNP) transactions (a few banks have started issuing dynamic CVVs on the user’s phone).
- Expiry Date: The month and year the card is valid until.
- Magnetic Strip: A strip on the back of a card that stores encoded cardholder data, used for swiping transactions.
- Name of Financial Institution: The name of the bank or financial entity that issued the card.
- Card Processing Network: The card network (e.g., Visa, Mastercard, AMEX) that facilitates card transaction authorizations and settlements between merchants and banks.
Identifying card networks or types by their number patterns:
- Visa: Card numbers begin with a “4” and are 16 digits long.
- Mastercard: Card numbers start with digits between “51” and “55” and are 16 digits long. A few Mastercard types start with “2” as part of the BIN expansion; however, for now, they are a tiny population.
- Amex: Typically start with “34” or “37” and are 15 digits long.
- Discover: Card Numbers begin with a “6” and are 16 digits long.
- Diners Club: Card numbers start with “36” or “38” and are 14 digits long; cards that start with “54” and “55” are 16 digits long.
There is an interesting history behind the first digit on a card, called the Major Industry Identifier, and which industries were given which digit, as well as how card numbers and card types (credit vs debit) are allocated to banks and other financial institutions, but that’s for a different day and topic.
Please note you can combine the below features with other features or patterns, but for this article I am sticking to the occurrence of fraud only from a card perspective.
Card Fraud types and prevention techniques (not a comprehensive list)
Credit card fraud is the unauthorized use of a card to obtain goods or services or to access money. Let’s look at certain types of card fraud and some techniques to prevent them.
1) Invalid Card Number validity check
This may sound bizarre, but did you know that merchants and financial institutions have accepted transactions with invalid card numbers? Though such events are rare today, it’s hard to believe these transactions went through in the past, when anyone can check a card number’s validity using a simple application like Excel or even on a piece of paper, and you don’t have to be a mathematical genius to do it.
Prevention techniques
Use Luhn’s algorithm; all you need to do is implement its logic in your fraud rules engine:
- Start from the rightmost digit and, moving left, double every second digit.
- If any doubled number is greater than 9, subtract 9.
- Now sum all the digits.
- Check if the total mod (modulo) 10 is 0.
- If the mod is 0, then it’s a valid card number; if not, then it’s not a valid number.
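The check above combined with the prefix and length patterns from the earlier list, as an added example (not code from the original article). The function names are hypothetical, the pattern table is only as complete as the list in this article, and the inputs are widely published test numbers.

```python
import re

# Prefix and length patterns exactly as listed in this article (a simplification;
# production systems use full, regularly updated BIN tables).
NETWORK_PATTERNS = [
    ("Visa", ("4",), 16),
    ("Mastercard", ("51", "52", "53", "54", "55"), 16),
    ("Amex", ("34", "37"), 15),
    ("Discover", ("6",), 16),
    ("Diners Club", ("36", "38"), 14),
    ("Diners Club", ("54", "55"), 16),
]

def normalise(raw):
    """Strip spaces and dashes; return the digits, or None if not 14-16 ASCII digits."""
    pan = re.sub(r"[ -]", "", raw)
    return pan if re.fullmatch(r"[0-9]{14,16}", pan) else None

def luhn_valid(pan):
    """Luhn check as described above: from the right, double every second digit."""
    total = 0
    for position, char in enumerate(reversed(pan)):
        digit = int(char)
        if position % 2 == 1:          # second, fourth, ... digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0

def candidate_networks(pan):
    """All networks whose listed prefix and length match (54/55 is ambiguous)."""
    return [name for name, prefixes, length in NETWORK_PATTERNS
            if len(pan) == length and pan.startswith(prefixes)]

def check_card_number(raw):
    """Rule-engine pre-check: returns (accepted, reason, candidate networks)."""
    pan = normalise(raw)
    if pan is None:
        return (False, "not a 14-16 digit number", [])
    if not luhn_valid(pan):
        return (False, "failed Luhn check", candidate_networks(pan))
    return (True, "ok", candidate_networks(pan))

# Constructed inputs: published test numbers, one with a mistyped last digit.
if __name__ == "__main__":
    for raw in ("4111 1111 1111 1111", "4111-1111-1111-1112", "5555555555554444"):
        print(raw, check_card_number(raw))
```

A pass only means the number is well formed; it says nothing about whether the card was issued or is active.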
2) BIN (Bank Identification Number) Fraud:
Fraud performed by identifying the first 6 digits of a card number is termed BIN fraud. After obtaining the first six digits of a card, fraudsters generate thousands of fake card numbers using a card number generator. For example, they use a valid BIN to predict the remaining digits of a card number and produce counterfeit cards.
Prevention techniques
- Velocity checks to detect unusual activity for specific BINs, especially newly issued BINs
- Rules specific to a type of Mastercard, Visa, etc.
- Rules specific to bank(s) (happens when cards from a specific bank have been compromised or card numbers have been sold on the dark web, etc.)
- Rules specific to a merchant category
3) Card Issuance Fraud:
Fraudsters tamper with or redirect newly issued cards before they reach the right cardholder. This often occurs during the card delivery process. They intercept the card and use it for unauthorized transactions.
Prevention techniques
- Multi-factor authentication during card activation
- Rule(s) to identify a mismatch between card type and expiration date: credit cards typically have a 3-year expiry and debit cards 5 years; this information can also be used to identify newly issued cards.
4) Shoulder Surfing, Skimming and Cloning:
This involves using a skimming device such as a wedge to steal card information during a legitimate transaction, such as at ATMs or point-of-sale terminals (primarily in restaurants). The stolen data is then cloned onto a counterfeit card.
Prevention techniques
- Using ATMs and gas pumps in safe, high-traffic areas (fraudsters typically tend to tamper with devices at isolated locations)
- Covering the keypad when entering your PIN
- Using a card protection sleeve (RFID blocking)
- A quick inspection of the card reader before use
5) Card-Not-Present (CNP) Fraud:
Fraud that occurs when the cardholder is not physically present during a transaction, such as online or over the phone. Fraudsters obtain the card details and use them to make purchases without the actual card.
Prevention techniques
This is a long list, but a few are device and geolocation fingerprinting, velocity checks, 3DS authentication, detection tools such as analytics and AI, amongst many more.
6) Card Testing Fraud:
Small, unauthorized charges are made to a card to check if it’s still active. Once verified, larger fraudulent transactions follow.
Prevention techniques
- Captcha or bot detection systems for online card testers
- Velocity checks on cards following a testing fraud typology
- Velocity checks at certain merchant types: fraudsters usually test cards at fuel stations multiple times for the same small amount to avoid detection.
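The velocity checks listed under BIN fraud and under card testing fraud share one sliding-window mechanism, shown here as an added example (not code from the original article). The field names, windows and thresholds are assumptions chosen for illustration, and the transactions are constructed sample data.

```python
from collections import defaultdict, deque

def velocity_alerts(txns, key, value, window_s, limit):
    """Alert when a key has more than `limit` distinct values inside the
    trailing `window_s` seconds. Transactions whose key is None are ignored."""
    recent = defaultdict(deque)          # key -> (ts, value) pairs still in window
    alerts = []
    for txn in sorted(txns, key=lambda t: t["ts"]):
        k = key(txn)
        if k is None:
            continue
        window = recent[k]
        window.append((txn["ts"], value(txn)))
        while window[0][0] <= txn["ts"] - window_s:   # expire old entries
            window.popleft()
        seen = len({v for _, v in window})
        if seen > limit:
            alerts.append((txn["ts"], k, seen))
    return alerts

def bin_velocity(txns, window_s=600, limit=5):
    """BIN fraud rule: too many distinct card numbers on one BIN (first 6 digits)."""
    return velocity_alerts(txns, key=lambda t: t["pan"][:6],
                           value=lambda t: t["pan"], window_s=window_s, limit=limit)

def card_testing(txns, max_cents=200, window_s=3600, limit=2):
    """Card testing rule: one card repeating the same small amount at the
    same merchant category."""
    def key(t):
        if t["cents"] > max_cents:
            return None                  # only small charges are of interest
        return (t["pan"], t["category"], t["cents"])
    return velocity_alerts(txns, key=key, value=lambda t: t["id"],
                           window_s=window_s, limit=limit)

# Constructed sample data (not real cards): 8 different numbers on one BIN in
# 4 minutes, then one card charged 1.00 four times at a fuel station.
SAMPLE = [{"id": i, "ts": 30 * i, "pan": f"411111000000{i:04d}",
           "category": "online", "cents": 4999} for i in range(8)]
SAMPLE += [{"id": 100 + i, "ts": 1000 + 120 * i, "pan": "5555550000000001",
            "category": "fuel", "cents": 100} for i in range(4)]

if __name__ == "__main__":
    print(bin_velocity(SAMPLE))
    print(card_testing(SAMPLE))
```

A lower `limit` can be passed to `bin_velocity` for newly issued BINs, which the BIN fraud list singles out.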
This is by no means an exhaustive list; there are many more types of card fraud, including synthetic identity fraud, account takeover fraud, phishing attacks, and others.