Presented at the 2002 Australian Institute of Credit Management National Conference

Adelaide, South Australia

10 – 12 October 2002

Fraud – an International Game

Steve Mitchinson

B Digital Ltd Level 3, Sheraton Court 207 Adelaide Terrace

Perth, Western Australia 6000 Phone: 08 94463 5800 Fax: 08 9463 5955 Email: steve.mitchinson@b-online.com.au

ABSTRACT

When we think of fraud, we typically think of con men and actions against disadvantaged groups, or we think of frauds against the corporation – typically from within. These are frauds, tried and true, but they pale into insignificance against the backdrop of a new era of organised fraud; activities that know no boundary and which are bringing together credit files, e-commerce and poor privacy and security practices to perpetrate frauds on a scale never before experienced. These new age frauds are often variants on old themes, but the most serious are those that now affect the credit provider, and borrower alike. T Whilst the Internet is fuelling the growth in fraud, but importantly, it is also emerging as our strongest line of defense

INTRODUCTION Fraud was once defined as, ‘‘iinndduucciinngg aa ccoouurrssee ooff aaccttiioonn bbyy ddeecceeiitt oorr ootthheerr ddiisshhoonneesstt ccoonndduucctt,, iinnvvoollvviinngg aaccttss oorr oommiissssiioonnss oorr tthhee mmaakkiinngg ooff ffaallssee ssttaatteemmeennttss,, oorraallllyy oorr wwrriittiinngg,, wwiitthh tthhee oobbjjeecctt ooff oobbttaaiinniinngg mmoonneeyy oorr ootthheerr bbeenneeffiitt ffrroomm,, oorr ooff eevvaaddiinngg lliiaabbiilliittyy’’.. Fraud pervades every form of business and comes in many forms – internal and external to the organisation. Fraud is increasingly a fact of life, but it is manageable if we display awareness, and apply the right systems and attitude. But is fraud what it used to be? Many organisations view being the victim of fraud an embarrassment, or a demonstration of failure. This is not necessarily the truth. We must avoid denial. Fraud is not always a sign of management or process failure, it is more likely to be the result of attractive products or services (e.g. mobile phones) or new and somewhat misunderstood business processes (e-commerce). Globally, the mobile phone market place has been a fraud playground because; the product is attractive, e-commerce is the emerging fulfilment medium, and both

Formatted

Formatted

Formatted

hardware (the phone) and software (calls) can be on-sold to unsuspecting, or compliant associates. “The development of electronic commerce and the technologies have also democratized transnational economic crime. Forty years ago, transnational frauds and money laundering were relatively rare and the exclusive domain of sophisticated gangs. Today, anyone with a computer can defraud people from all over the world and target tens of thousands of victims simultaneously, immediately routing any proceeds to a jurisdiction which lacks the legislative powers, political will or technical ability to either block the transaction or identify, confiscate and return the funds…. Some believe that governments and law enforcement agencies, who must respect 19th Century rules for national sovereignty and international judicial cooperation, are no match for offenders using 21st century technologies. A much greater level of national commitment and international cooperation is needed simply to keep up with the evolution of transnational crime, let alone to achieve any real reductions.” From remarks to the International Fraud And Financial Crime Convention (IFEX), London, 28 May 2002 by Antonio Maria Costa, Undersecretary General/Executive Director, UN Office for Drug Control and Crime Prevention Most organisationorganisations today have response plans for dealing with a range of potential risks – fire, bomb attack, theft, insurance loss etc, but how many have an equally robust plan to deal with a major or systemic fraud? As credit providers we are usually experts in our area of risk. As the first steps in dealing with any risk are identifying the risk, how many of us have done our jobs in respect of the overall credit fraud risk to our organisation? The risks identified should not only include the obvious ones, to which your organisation may be particularly vulnerable, (e.g. credit fraud, false insurance claims, employee theft etc), but also the frauds to which every commercial enterprise is vulnerable. But equally, as individuals we need to guard against frauds against ourselves. Is your organization still implementing the same fraud fighting techniques it has used for years? If it is, itt may be time to re-evaluate your approach... Fraudsters have. We are probably all a bit bored with the cliched “we now work in global markets, not local markets”, but this takes on real significance in fraud – there are no boundaries. The Serious Fraud Office in the UK reports that for major frauds “Approximately 65% of our cases have an international dimension. National borders rarely prove to be barriers to determined fraudsters. Money is channelled through overseas banks and offshore companies, victims can reside anywhere in the world and suspects and evidence can hide behind the laws of different jurisdictions.” With the rapid growth in e-commerce we must not only deal with the increased ease of committing a fraud, butbut also the limitations on dealing with it due to often outmoded legislative powers. In their latest annual report, the New Zealand Serious Fraud offices made particular reference to the fact that, like Australia, E-crime has been receiving considerable publicity lately. In their case, the Crimes Amendment Bill (No 6) introduces a series of new offences dealing specifically with e-commerce and computer crimes e.g. hacking. I quote from that report: Importantly the Bill will also update the laws covering fraud offences to ensure that existing offences when committed using electronic means will not go unpunished as a result of technical arguments based on out dated definitions in the Crimes Act. There is no doubt that computers are being used more often now in the commission of crimes and that law enforcement agencies need to be able to understand how the offending occurred, how to collect the electronic evidence and how to present it in Court. But for the most part the offences themselves are not radically different. The use of computers in perpetrating fraud can be compared to the introduction of the motor car. There were some new offences but a bank robbery using a car as the getaway transport rather than a horse was nonetheless a bank robbery.” So what are the fraud risks, and what can we be doing to identify and protect against them. . If you are involved in e-commerce, a starting point might be to take the preparedness test found at http://www.merchantfraudsquad.com/pages/test.html Given the current spotlight on fraud it is a little ironic that the Association of Certified Fraud Examiners recently

held their 13th Annual Conference in Hollywood. Non the less, in their publication “”The Small Business Fraud Prevention Manual”, they identify the principal forms of fraud facing business today as: Internal Fraud Threats • Dishonest Employees • Cash Receipts Fraud • Cash Disbursements Fraud • Inventory & Merchandise Thefts • Fraud involving other Assets • Employee Fraud (Payroll & Resume fraud) External Fraud Threats • Cheque Fraud • Credit Card Fraud • Shoplifting • Vendor Fraud • Con Schemes and Scams (including Identity Fraud) They affect everybody – either directly as a victim of a scam or indirectly by having to pay more for goods as businesses recoup their losses. Most of these have been around for years, and I would expect most of the audience has experienced or observed more than one of these. Each of these is universal and capable of affecting any one of us. Whilst some of us may sit back and take the often promoted view that only “the dumb and uneducated fall for frauds and scams”, the truth is the level of sophistication in the area of frauds and scams is growing at a rate far greater than the rate of detection. Frauds are no longer just the domain of individuals and small groups, fraud is also operating both nationally and internationally on another level. Here are some of the topics discussed at the NACM’s recent conference on Loss Prevention: • Do Cloned Credit Cards Fund Terrorism and Organized Crime? • Business Credit Fraud and Terrorism: Is There a Connection? • Identity Theft: The Basis for a Business Credit Fraud But what about Australia, are we immune? Certainly not. Recent media coverage has highlighted the emerging magnitude for credit frauds in Australia. Those of us involved in e-commerce know just how well established it has become, and I will outline some chilling facts later in this paper. Each of the preceding fraud typesse is a topic in it’s own right, and I include them to demonstrate that the credit frauds I will outline today can in fact be far more than the illegal behaviour of an individual, they are, in their most sophisticated form capable of being another front for organised crime. That is why it is so important that we all take preventative steps. If one of them (fraudsters) breaks your defenses, rest assured others will seek to do likewise. There is a real parallel with credit granting – if your organisation becomes known as an easy touch, the delinquent debtors in your industry sector start lining up at your door. Fraud is no different, but the consequences can be more severe. Scambusters.com top ten scams But getting back to the list of common frauds. Website http://www.scambusters.com/ gives us an insight into the latest in scams and frauds, and lists it’s current top ten as: 10. Herbal Viagra This is really a whole category of scams, relating to the sale of medical or "alternative" medical treatments online. Usually using spam to get to the "customer." If you're lucky, these products will do nothing at all. 9. Internet Investigator "Be the first kid on your block to know all the dirty secrets your neighbors are hiding! Find out what your prospective mate has hidden in his past! Find the lost city of Atlantis! Find your lost remote control!" This one is more an annoyance than a real problem. It serves as a great example of the pure hype that you should watch out for in online advertising. 8. Pump and Dump You've probably received your share of these. The subject line or first part of the email says that this is "Highly

confidential information." This scam is based on touting "advance information" on specific stocks in an attempt to drive up the price past its true worth, so the promoters can sell at the higher price. 7. Credit Scams There are all sorts of these that prey on the desires of people to repair or establish credit. The worst are the alleged credit repair services. They promise to help you to remove accurate but negative information from your credit record – but more on these later. 6. Auction Antics You can get a lot of terrific deals through online auctions, but you need to be careful. Before buying anything that seems too cheap, or that shouldn't be on an auction site at all, ask questions. A recent survey at www.fraud.org indicated 87% of online frauds related to on-line “auction” sites 5. Chain Letters "Add your name to position X, move the name in position Y to position Z, send 200 copies of this letter to your closest personal friends, and very soon you'll have no personal friends left!" 4. Viruses Get a good anti-virus program, keep it updated, and keep it running. What are viruses doing in the ranks of scams? They're actually among the cleverer of scams, if you think about it. Deceptive subject lines, hidden code that causes you to spread them to your friends, and almost always appealing to the most common desires. 3. Nigerian Fee Scam This is an oldie, and a real baddie. They usually begin with a line like “I represent some high mucky muck who wants to get a lot of suspicious money out of my country, and, and we need help from you to do it. We'll pay you stupid amounts of cash to be a front person." Australia Post has reportedly confiscated nearly 2 million mail items linked to these scams. It has caused so much grief around the world, it now has it’s own website! Visit: http://www.home.rica.net/alphae/419coal 2. Identity Theft This is a VERY serious problem - particularly for credit providers and those whose ID is stolen. We deal with this is detail later. 1. WTC Scams The spams relating to the World Trade Center disaster began within an hour of the attacks. They range from appeals for aid to the victims, usually sent through the spammers' web sites, to fake news items concerning reported attacks. There's nothing funny to be said about these. You think you are sending a credit card payment to a worthy cause but in effect you are donating your hard-earned cash to a fraudster, and in addition you have also passed your credit card details, perhaps your tax number (for tax deductible receipts) and your personal details. You are probably about to become the victim of identity fraud. So three out of the top ten are credit related frauds, and they are amongst the credit frauds I want to concentrate on today. Simply using the term “international fraud” in a web search engine will return over 3000 sites of interest, type in “credit fraud” and you will get over 9000 web references that deal with identifying credit fraud, guarding against credit fraud or even worse, perpetrating credit fraud. The principal methods of executing a credit fraud are: • Debt Consolidation • Credit File Cleansing • Credit File Segregation • Credit Card Fraud • Identity Theft/Makeover I have excluded Cheque Fraud as thois was dealt with recently by John Tait in CMIA Vol 9 Number 5. I hope to explain what they are and how they operate, outline some typical case studies, and suggest preventative measures for not only our organisations, but also for us as individuals wanting to protect ourselves from fraud. How easy is it to perpetrate credit fraud? Consider the following examplesse three examples (all based on factual cases):

Case 1 A husband and wife team run a small business and keep their credit card terminals under the counter. They are later arrested for credit fraud. In their house, investigators find countless credit cards embossed with other people’s names. The couple is charged with identity theft and accused of charging more than $50,000 worth of merchandise to other people’s accounts. We have seen these sorts of examples reported in the media. Questions to ask? Whilst not wishing to defend the offenders, who really is to blame? Is it the credit card providers and suppliers who eagerly opened the fraudulent accounts without properly verifying the couple’s true identity? Is it the consumers who failed to protect their vital information/privacy? Is it the consumers who never questioned why the credit card machine was under the counter, or who never ensured carbon copies were torn up? Case 2. A computer enthusiast buys a couple of second hand PC’s from a liquidation sale. On the first he finds years of customer detail and payment records for a local law firm contain all the vital information. The second includes a family’sies financial records, employment application and diaries. Things have not been too good for him of late – the temptation is too great…. Questions Who really is to blame? Is it the credit card providers and suppliers who eagerly opened the fraudulent accounts without properly verifying the couple’s true identity? Is it the auctioneer for not deleting all PC contents? Is it the original owners who did not secure access to confidential information? Is it the consumers who failed to protect their vital information/privacy? Case 3 One of the above offenders applies on line or over the phone to purchase mobile phones from several providers. They duly ask for details, despatch the handsets and then note the customers are immediately thousands of dollars over their limits. They individually begin their follow up and what is the result – over $70,000 of fraud committed within 72 hours – by one person, with 16 aliases. Questions Who really is to blame? Is it the suppliers who eagerly opened the fraudulent accounts without: •properly verifying the applicants true identity •having effective validation and fraud detection systems in place. How come 16 different people can order product for delivery to the same residential address? Case 4 A telecommunications employee obtains enough knowledge of a customer in order to Iimpersonate him. He then uses the victim’s access codes and passwords to channel a considerable sum of money from the victim’s bank account to their credit card and then uses those funds to buy goods over the Internet Whilst not wishing to defend the offenders, who really is to blame? Questions to ask? Is it the credit card providers and suppliers who eagerly opened the fraudulent accounts without properly verifying the applicant’s true identity? Is it the consumers who failed to protect their vital information/privacy? Is it business owners who do not secure access to confidential information? Is it the consumers who never questioned why the credit card machine was under the counter, or who never ensured carbon copies were torn up? Is it the auctioneer for not deleting all PC contents? The telecommunications company for not having adequate controls over access to information? The telecommunications company for not doing adequate employment checks The banks and credit providers for not conducting adequate checks? The victim for failing to properly control his information? s it the consumers who failed to protect their vital information/privacy?

Formatted: Bullets and Numbering

Formatted

Prospective purchasers have three choices, in person, over the phone or over the Internet. Each channel has it’s own, unique, risk profile. With the explosion of e-commerce via both call centres and the Internet the opportunities for these forms of deception are greatly increased. Prospective purchasers have three choices, in person, over the phone or over the Internet. Each channel has it’s own, unique, risk profile. They may try all three with the one supplier! Consumer expectations are such that there is a belief is that the more “e-business” the delivery channel, the quicker the response they expect. That is not unreasonable, but from the credit perspective the biggest challenge is due to the fact that the risk of fraud is such that the more “E-business” the solution the less “sight “ you get of your customer, the greater potential for fraud. That is itself is a challenge. Consider also that during the past year, Internet usage increased to 50 per cent of the Australian population compared to 32 per cent two years ago. As you all face the prospect (if you haven’t already) of becoming internetInternet commerce enabled, you must consider what this will mean to your business and your risk prevention methods? The provision of any commodity via marketing and branding campaigns built primarily around inbound call centres or Internet fulfillment is no longer a unique concept. Typically the branding proposition requires these enterprises to have as seamless a process as possible between the response to that marketing and the confirmation to the customer that their application for credit has been approved. This need for expediency provides the opportunity for the fraudster, unless we develop and implement effective detection systems. “The Internet, especially e-commerce, has created spectacular opportunities for companies to transform the way they operate. Unfortunately, it has also revolutionised the possibilities available to the IT literate fraudster. The actual frauds are often the old tried and tested ones, but he Internet has made them easier to perpetrate (e.g. using larger than life web sites) and harder to catch (e.g. due to jurisdictional problems). Are you comfortable you have these new risk covered?” Source: The Year of Living Dangerously, by Ian Trumper & Edwin Harland, Financial News 15-21 November 1999 Unfortunately, online payment remains a major area of Internet immaturity. Payment and data transfer security are allied problems. When buyer and seller meet physically to exchange money for goods, trust is less of an issue than when two entities deal blind online. So let’s look at the principal various forms of potential credit fraud. outlined earlier. FILE CLEANSING Take this unsolicited e-mail I received after searching several websites offering to help me “clean up” my credit files and get a loan. People who cannot obtain credit because of bankruptcy or past problems with paying bills may be tempted by claims such as "make bad credit extinct" and "credit repair for $100," to use a "credit repair" company or "credit clinic." Fortunately, this is much harder to do in Australia thatn some overseas jurisdictions where the practice flourishes. For a fee that can range from $15 to hundreds of dollars, credit repair companies claim to "clean up" or "fix" your credit record even if you have been denied credit because it revealed problems in paying your bills. They often advertise that negative information will be erased from your credit report. (Fig 1)

Figure 1. – File Cleansing Credit repair companies advise you of your right to dispute the accuracy of the credit bureau's file. The firms either dispute the information for you or encourage you to challenge virtually everything in the file, accurate or not. Through this process, the credit bureau soon becomes so overwhelmed with notices of disputed information requiring reinvestigation on their part, that they may be unable to verify the information within the required reasonable amount of time. Consequently, they must remove it from your file, at least until they can reinvestigate it. Take this unsolicited e-mail I received after searching several websites offering to help me “clean up” my credit files and get a loan, which leads me into BILL CONSOLIDATION

Figure 2 – BillDebt Consolidation

The other variation of file cleansing comes under the umbrella of “bill consolidation”. Whilst this approach is often taken legitimately via financial advisers, financial counselors and others, and I hope supported by this audience, there are also the shysters who work with those whose sole intent is to get away with paying less than 100 cents in the dollar, but without “marking” their credit file. They typically scan writ lists for defaulters and then contact them offering to reduce their debts for a fee. They communicate with the creditors, purporting to be

trustees or similar in the hope creditors will compromise the debt or write it off altogether. Only the tenacious or suspicious credit provider finishes up with anything. The perpetratorsBut they are getting braver, they now advertise their services. There is a well-known operator in Perth who has operated under various guises for years, others advertise their services on Melbourne breakfast radio, and overseas, now they even operate websites. (Fig 2) such as: http://www.harfordshelter.com/free_bill_consolidation.html Guarding against this form of fraud, as opposed to genuine needs based requests, is as easy as verifying the bona fides of the requestor, obtaining detailed financial information and asking questions. But when I deliver course on collections, I am constantly surprised at the number of attendees who acknowledge being scammed by these operators. CREDIT FILE SEGREGATION

Figure 3 – Credit File Segregation You can create an entirely new credit record by a method known as "file segregation." This is so simple you can do it yourself. There are literally hundreds of web pages offering to help you (Fig 3). The issue of “file cleansing” or deliberate “file segregation” has been with us for some time, but fortunately the position in Australia is nowhere near as bad as it is the US where it is a stand alone industry, but it is the modus operandi of many a fraudster. In the US, for example, it is quite straight forwarddead easy, and usually involves securing an Employer Identification Number (EIN), a number normally used by businesses to report financial information to the Internal Revenue Service. Sometimes the file segregation companies advise you to use a new mailing address and phone number on credit applications as well. Thus your new identity will not be matched up with the old one (the one with the bad credit record). In Australia, we know there a certain number of matches required to match information provided by an applicant with the credit bureau file. If the correct number of matches is not achieved we either get a new file (often referred to as a shallow file), or if we are really lucky, a ”possible match”. Until the NEVDIS scheme is fully introduced it is possible to have a current motor drivers license in each state, each with a different address, each with a different looking photo, and if you know what to do, perhaps with a different date of birth. We can also deliberately misspell (ever so slightly) our name, our street address or our suburb, and a mismatch can occur. All the “poor credit history” is now safely locked away in one file, and the new one looks perfect, and probably will be good enough to get me around manyost credit scoring models.

So what can a credit provider do to try and protect themselves against this risk? They could: •Introduce address matching software to only allow correct AMAS compliant addresses •Have a policy of what additional information is required where a shallow file is returned. Do we celebrate an

account for an apparent perfect credit risk, or do we ask why the applicant, a 48 year old employed male has a shallow or new file?

•Ask for a paid utility account showing current address and name •Match details against an established fraud database? �Do next of kin or employment checks? Or you could simply go to http://www.platitudesinhell.com/Selfhelp/Identity/body_identity.html For some truly absurd advice. It is not that difficult to guard against file segregation isn this country if you follow steps such as those I willI suggest, and train your staff in effective fraud detection. I will cover theseat topics later. For credit providers tThe two most widespread and increasing fraud threats are Credit Card Fraud and Identity Fraud: • Both are often interwoven • Both are being assisted by the emergence of e-commerce • Both can be learnt or assisted via the Internet. • Both are aided by the explosion of available information • Both are promoted through poor privacy practices by both consumers and the corporate sector. “The Internet, especially e-commerce, has created spectacular opportunities for companies to transform the way they operate. Unfortunately, it has also revolutionised the possibilities available to the IT literate fraudster. The actual frauds are often the old tried and tested ones, but he internet has made them easier to perpetrate (e.g. using larger than life web sites) and harder to catch (e.g. due to jurisdictional problems). Are you comfortable you have these new risk covered?” Source: The Year of Living Dangerously, by Ian Trumper & Edwin Harland, Financial News 15-21 November 1999 Whilst they are very much entwined, I will attempt to separate them as much as possible, as they don’t have to steal your identity to committcommit credit card fraud (although it helps), CREDIT CARD FRAUD While both Visa and MasterCard quote overall card fraud at around 0.08 per cent of all transactions, online fraud (for which no separate figures are released) is estimated by many online traders at somewhere between three and five percent. The figures are most definitely higher than for mail order or telephone sales. The fact that neither Visa nor MasterCard will provide such figures should give all potential online retailers food for thought. While credit card companies have consistently maintained that credit card fraud is no more prevalent online than in traditional forms of commerce, a number of experts are disputing the notion. According to Alvin Cameron, Credit/Loss Prevention Manager for online fulfillment house Digital River, an estimated 20 to 40 percent of online purchases are fraud attempts The fraudulent credit card activities of J K Publications are well chronicled, perhaps nowhere better than on the website of one John G Faughnan (http://www.faughnan.com/ccfraud.html) .). Over forty million dollars and somewhere around 900,000 victims were involved, across 22 countries. This is reported as the biggest credit card fraud ever. Fraudulent credit card transactions were generated using adult web site merchant accounts, and accounted for over 4% of all Visa chargebacks for the period involved! Software to generate these well formedwell-formed numbers is available on hacker sites; the algorithms have been a part of several shareware packages for years (see http://www.creditnet.com/ccs/ccn-shareware.html for examples). According to Alvin Cameron, Credit/Loss Prevention Manager for online fulfillment house Digital River, an estimated 20 to 40 percent of online purchases are fraud attempts.

Formatted: Bullets and Numbering

The NACM website currently features an overview of last months feature article in Business Credit (the publication of the NACM). It says iof Internet credit fraud: “Despite the growing problem, many companies around the world that conduct e-commerce pay too little attention to Internet credit fraud. In fact, only a small minority of companies have included fraud protection in their e-business plans. When launchingWhen launching an e-commerce operation, companies need to address numerous aspects of fraud protection, including using fraud detection programs in conjunction with properly trained personnel, and preparing for personal and corporate identity theft. Some companies foster a narrow view that Internet fraud is limited to a specific region or country in the world. However, it is a worldwide problem. Until every e-commerce company positively identifies all of its online consumers, Internet credit fraud will remain a challenging aspect of doing effective e-commerce. Law enforcement agencies and articles about Internet fraud refer to those who steal goods, services or company information from e-commerce companies as hackers, super hackers, thieves, Internet shoplifters and bad guys. Thief’s range in age from teenagers to the elderly, and some consider their actions harmless or an income supplement. There are even a few organizations that hire people to attempt stealing as much as they can by using stolen or falsified credit information. Three-dimensional protection The Internet industry, law enforcement and government officials give two-dimensional protection in the three-dimensional online world where buyers wear gloves, ski masks, carry no identification and use any identity they wish. For example, most companies have two dimensional theft prevention like credit personnel, loss prevention personnel, fraud personnel, cameras and security personnel watching for thieves. Three-dimensional protection is the ability to use new technology and personnel to make adjustments to the ever-changing ways thieves attack an e-commerce operation. Three-dimensional protection must move swiftly, rather than at the slow speed that most businesses have become accustomed to in the offline world. The seller is now forced to be on the defensive, changing the adage of buyers beware to sellers beware. The thieves have a head start by obtaining the best equipment and software products long before companies and government agencies can buy them. Thieves network by using e-mail, chat rooms and other high-tech means to inform other thieves about the sites that are easy targets for any particular day, week or month. Unfortunately, most law enforcement agencies are under staffed and under trained when handling not only various types of Internet crimes, but also the large volume of crimes. On any given day, the number of attempted fraudulent orders prevented by an e-commerce provider can exceed 5,000 attempts. The fraudulent credit card activities of J K Publications are well chronicled, perhaps nowhere better than on the website of one John G Faughnan (http://www.faughnan.com/ccfraud.html). Over forty million dollars and around 900,000 victims were involved, across 22 countries. This is reported as the biggest credit card fraud ever. Fraudulent credit card transactions were generated using adult web site merchant accounts, and accounted for over 4% of all Visa chargebacks for the period involved! Software to generate these well-formed numbers is available on hacker sites; the algorithms have been a part of several shareware packages for years (see http://www.creditnet.com/ccs/ccn-shareware.html for examples). If I could use our own example, prior to implementing world class application processing and fraud detection processes, fraud through these made up over 60% of our bad debts incurred. And yet we were using credit-checking methods that were tried and proven in the world of face to face business, and which are probably still being used by many organisations represented here today. Though buyers - rightly - distrust online credit card payments, merchants suffer more from credit fraud. This is because most online payment is by credit or debit cards, and the payment protocols for these were originally intended for face to faceface-to-face sales where the cardholder and card are both physically present. Secondly, there can be a long delay between the initial fraud and the clawback from card providers. Some foreign cards can take as long as 5 months to notify you of the clawback. In developing solutions it is critical that they are capable of detecting fraud well before then. Physical presence offers security based on a customer signature and card imprint. But the merchant is almost always responsible for losses when sales are made on a 'Cardholder Not Present' basis even when the vendor has obtained authorisation from the card issuer

For those interested in transaction security, I recommend you visit http://www.webdevelopersjournal.com/articles/card_fraud.html And read the article “Reducing Online Credit Card Fraud” by Steve Patient. But in Australia there still exists a great deal of “ignorance is bliss”., Iif a report in “the Australian’ of 14th February 2002 is correct. “Spokesmen for ANZ, Westpac and National Australia Bank told The Australian yesterday they were not aware of any cases of fraud involving their online banking services.” Perhaps it is time for a reality check. So how do the fraudsters get hold of your credit card information? They can: • “Surf the web” for details • Interception of mail and “dumpster diving” which are perhaps the two most common, or "traditional" ways

to collect card numbers. That is, stealing card statements, or gaining access to credit card receipts (carbon copies), which provide both credit card information and expiration dates. Again see CMIA Vol 9 #5

• Land locate a ”credit card number generator” which will produce a list of valid card numbers, perhaps one of which is yours?

Interception of mail and “dumpster diving” which are perhaps the two most common, or "traditional" ways to collect card numbers. That is, stealing card statements, or gaining access to credit card receipts (carbon copies), which provide both credit card information and expiration dates.

• Use Credit card skimmers. Today’s technology now makes it much easier for fraudsters to collect credit card numbers in a much more effective manner – via devices known as credit card skimmers! (Fig 4)

Figure 4: A credit card skimming device mounted on a Palm Pilot Card skimmers are small devices, about the size of a pack of cigarettes, and so easily concealed. They are sometimes disguised as pagers or PDA’s. They can be hidden in a pocket, or even behind a tie. The purpose of the skimmer is to read the information of a card's magnetic stripe and they are capable ofknown to storinge up to 1,000 card numbers in their memory. Typically they are then connected to a PC to download the information “skimmed”. Credit card skimmers are relatively easy to find and relatively inexpensive in relation to the returns possible. The web provides plenty of underground "hacker supermarkets" advertising these devices, which can be purchased for as little as $600 (US). Skimming typically occurs in situations where a collusive employee temporarily takes control of the card at a point-of-sale device located out of consumer sight. A typical scenario for operation is this. You provide a credit card for payment at a restaurant. As the waiter walks to the terminal, they quickly swipe the card through the skimmer, collecting card number and expiration date (some skimmers can also read what is called "Track 1" data, which includes the cardholder name). This is much easier than breaking into a corporate database to access credit card numbers online, or dumpster diving. It is extremely effective as you are unaware that the card has been skimmed, and it’s security compromised. The fraudster(s) can then use it for up to a month or maybe two before you notice the unauthorized charges on your statements and can take action. Obviously, the Internet is the safest place for a criminal to use these compromised numbers as it provides anonymous worldwide access to thousands of commerce-enabled sites. Even worse, it is reported that numbers are sometimes posted on underground chat rooms and hackers web sites for rapid exchange and distribution. The more sophisticated criminals are also able to make matters worse by copying the data on to the magnetic stripe of counterfeit cards, allowing multiple cards, with your details, to be used concurrently for face-to-face transactions.

Formatted: Bullets and Numbering

Formatted: Bullets and Numbering

Formatted: Bullets and Numbering

Formatted

Formatted

Is there anything merchants can do? Thankfully the answer is yes. For starters, yYou will notice a 3-digit card validation code imprinted on the back of Visa, Master Card, and Diners cards and the 4-digit code imprinted in the front of American Express cards. These can provide significant protection as the code is not readable from the magnetic stripe and so it can'’t be skimmed. If a purchaser is asked to provide these codes in card-not-present transactions, online or by phone, a correct answer provides at least some assurance that a legitimate cardholder is using the card. IDENTITY MAKEOVERS

“We dance round in a ring and suppose But the secret sits in the middle and knows.”

Robert Frost Misuse of identity is at the core of a wide range of criminal and fraudulent activity – credit fraud is perhaps #1. How would you feel if you were stopped for a traffic offenceviolation and suddenly found yourself being questioned, or even worse, arrestedhandcuffed and taken to gaoljail for a crime you never committedknow nothing about? Or if you got a nasty call from a collection agency for a car loan you never had? Or if your application for a home mortgage was turned down because of information in your credit report about overdue bills on accounts you never opened? These are situations you could face as a victim of identity theft. While ID theft can take many complex forms, the essence of this crime is simple—someone steals personal information about you to use for fraudulent purposes. In the largest known case of identity fraud involving the Internet, the bank and credit card details of 200 of the USA’s richest people were fraudulently used. The details were taken form a listing in Forbes magazine, and the fraudster then cloned their identities and invaded their financial records, taking money from their stock brokerage and credit card accounts. Identity makeovers or stolen identities are exploding. The FBI suggests it affect over 750,000 people each year, The Privacy Rights Clearing House claim it affects over 500,000 per annum. It does not matter which figures you believe, the problem is significant! Online or e-commerce capabilities make it far easier to disguise or misrepresent ones true identity, or to assume someone else’s identity. Fortunately, in Australia the tighter controls over the use of tax file numbers, and information privacy generally, mean that the opportunities to commit identity fraud are considerable reduced in comparison to other markets, such as the USA, where the use of social security numbers is fundamental to file matching, and yet there are little or no controls over their disclosure, and apparently little in the way of number authentication protocols applied. None the less, our markets no longer have physical boundaries, so the potential exists for Australia to be struck with the same issues over time. Identity theft was overwhelmingly number one on the US Federal Trade Commission's Consumer Sentinel fraud database top 10 list in 2001, representing 42 per cent of all complaints recorded. Of the 86,168 documented reports of identity theft (involving credit fraud) from across the US, Stolen information was used to commit: • Credit card fraud in 42 per cent of all instances • Phone or utilities fraud in 20 per cent of all instances • Bank fraud in 13 per cent of all instances of all instances • Employment-related fraud 9 per cent of all instances • Government benefits fraud 6 per cent of all instances Victims reported out-of-pocket expenses of an average $A2302 Earlier this year the FTC agreed to give Australian law enforcers greater access to Sentinel to improve information sharing. Source: “Thieves steal 86,000 identities” , Karen Dearne, www.australianitnews.com.au, FEBRUARY 04, 2002 In fact, so bad is the problem in the USA that the Federal Government proclaimed the “Identity Theft and Assumption Deterrence Act 1998” in October 19998, with maximum penalties of up to 15 years in prison, and

Formatted

Formatted

Formatted

up to US$250,000 fines. This is addition to separate legislation in at least 47 states. It is argued that Australia has, through various legislative reforms avoided to this point, the need for separate legislation to deal with this issue. In Australia there is much less information available as to the magnitude of the problem, but please consider the following facts that have emerged over the past two years:

• Thieves have allegedly stolen the base stock to create over 20,000 drivers license cards, and the equipment to manufacturer what look to be authentic MDL’s from the offices of two eastern state licensing departments

• The ATO reports that there are 5 million excess tax file numbers on their books • Westpac found that in the past year, 13% of customers opened accounts with counterfeit birth

certificates. • The Victorian Attorney General warned that 70% if false passport applications involved fake birth

certificates What form of ID do we ask for to get a Motor Drivers License? Answer: A birth certificate. What document do we use to create credit file matches, and as the basis for establishing identity in Australia? Answer: An MDL. And yet the controls for seeking a duplicate Extract of Birth are, in the view of authorities, non-existent in most Australian states. Identity theft, however, is not restricted to individuals. We are seeing increasing incidence of fraudsters registering business names that are very, very similar to existing established business names. Perhaps just a letter or two different, or the name mispelt. They then open bank accounts, and credit accounts or have purchase orders printed under those names and intercept cheques destined for the legitimate business and credit them to their newly established account or alternatively buy goods (for resale) knowing they will be charged to the legitimate business. And yet so many credit providers still don’t consider we have a problem. Locally, in the July edition of Vantage, Baycorp Advantage Ltd national consultant Richelle Grant stated thatstated “In the past year Baycorp Advantage’s experience indicates the evidence of such fraud (Identity fraud) has risen around 50% in Australia” The claim that the Baycorp Advantage Fraud Database has saved corporate customers a massive $70 million since it was established two years ago, underlines the serious cost of credit fraud in this country. That figure is a small fraction of the cost – only a limited number of organizations have access to it, and there are of course many, many organisations whose internal fraud checking identifies risks internally, and even more who have just failed to report fraudulent events.. So who knows what the true cost is. Maybe we will never know, all we can do is attempt to minimise the impacts through prudent management of customer identification and applying effective privacy policies to information held. What information do the fraudsters need, and how do they get the information? • Stealing identification from the person e.g. burglary. They don’t have to steal the documentation, just the

information that is on it. So is there more to a break in where nothing is apparently stolen? • Stealing letters and documents from the letterbox • They complete a "change of address form" to divert your mail to another location. • Using family members ID without their consent • Finding ID in rubbish bins – “dumpster diving” • Copying credit card details electronically at retail outlets, and matching it with customer details provided

from other sources • From the internet • From your staff (who have access to vital information) • ASIC Searches • Electoral Roll searches • Your personal web page – does it have a photo, and other identifiers? Or they can piece together the information required from any combination of these. Think about. If you have done a workshop of “skip tracing” you might have been asked, “How could someone find you if you hasve skipped?” You are required to compile a list of readily available information sources for the trained operator.

Formatted: Bullets and Numbering

Formatted

Formatted

Formatted: Bullets and Numbering

Typically people will come up with a list of 12-16 sources. Apply that principal in reverse and you can see just how easy it is for a fraudster. HOW PREPARED ARE YOU? Charles Darwin said, “It is not the strongest of the species that survive, nor the most intelligent, but the one most responsive to change.” How responsive are you? How responsive is your business? If you are involved in e-commerce, a starting point might be to take the preparedness test found at http://www.merchantfraudsquad.com/pages/test.html Or you could simply go to http://www.platitudesinhell.com/Selfhelp/Identity/body_identity.html For some truly absurd advice. To be successful in the fight against the threat of fraud we must have:

• Acceptance at all levels that the threat exists - it is not something many corporations wish to admit to – just look at recent US experiences. No-on wants to be seen as a “soft touch”

• Executive management support and sponsorship • Have a risk management plan • Robust processes aimed at identifying risks and exceptions • Comprehensive training programmes • Adequate funding. Fraud defence is not cheap

Even if we employ effective prevention strategies it is almost inevitable that we are going to be caught by a fraudster at some point. Do we simply write to the debt off, along with other bad debts and put it down to experience, or do we use the information positively When our organisation is the victim of a credit fraud, we should, as a minimum:

• Review the fraudulent order for clues to what we could do better in future • We should document the fraudulent order so everyone in the business can learn from it • We should create a database of negative information gleaned form fraudulent orders (or attempts) so we

can match future orders against those criteria. A match does not guarantee another fraud, it just suggests proceed with caution

• Create a default record on credit reporting bureaus. Use your experience to help others • Report it where appropriate

PROTECTING YOUR ENTERPRISE So how do you guard against this risk? NoteableNotable fraudsters often portray themselves to be: • Security Officers • Security Companies • Government Officials or Agencies • Media Personalities • Sporting Personalities • Emergency Services Officials; or • Telecommunications Staff Because inexperienced staff react differently – they are in awe or feel threatened or vulnerable. Simple but effective preventative steps for all enterprises include: • Introduce address matching software to only allow correct AMS compliant addresses • Have a policy of what additional information is required where a shallow file is returned. Do we celebrate

an account for an apparent perfect credit risk, or do we ask why the applicant, a 48 year old employed male have a shallow or new file?

• Ask for a paid utility account showing current address and name • Match details against an established fraud database? • Do next of kin or employment checks? • Consider alternate distribution methods

Formatted: Bullets and Numbering

Formatted: Bullets and Numbering

Formatted

Formatted: Bullets and Numbering

Formatted

Formatted

Formatted: Bullets and Numbering

TEN ANTI-FRAUD TIPS FOR ON-LINE VENDORS So how do you guard against this risk? Whilst not an exhaustive list, I suggest the following ten as a start: 1. Even though it might be a hassle, insist on a mailing address, postcode and phone number of the buyer and then check them out to ensure they aren't fake. Try a reverse look-up of phone numbers to retrieve corresponding addresses – you might be surprised 2. Insist on a faxed customer signature and a faxed photocopy of the credit card (from a photocopy is fine). 3. If you can't contact the buyer by phone or the phone number is unreachable, then don't process the order. Telephone sales have CLI (Caller Line Identification) information to add to address verification 4. Use Address Verification services such as QAS or Geocoder or similar, where they're available 5. Be extremely wary of shipping overseas - it can be hard to pursue claims abroad. Eastern Europe is seen by many as a high-risk area. Ask yourself the question” Why are we so popular with overseas purchasers?” 6. Check the email address against the name on the credit card. If the real name doesn't match the email name then you definitely want more reassurance before processing the order. 7. Refuse to process orders from free email domains (such as hotmail.com or yahoo.com) unless you have indisputable proof of the buyer's identity. Various research, including that by Forde & Armstrong (2002) indicate e clear link between the level of e-mail anonymity and criminal or fraudulent activity. 8. Never ship products to postal box numbers. Always insist on a physical shipping address, or utilise Australia Post proof of identity services. No-one lives in a mail box. 9. Check the DNS table of the remote IP of the customer. Find out the remote server's geographic area and check it against the address of the customer. Few people connect to the Net using a long distance call. You also need to check the mailing address, phone number and email address of the server, though thieves can also set up servers too. This site will assist you: http://shop.visualware.com/visualroute/ 10. Be especially careful of those wanting higher priced fast delivery or otherwise being price insensitive. Thieves don't care how much it costs as they don't plan to pay. A great example ifs high priced mobile phone handsets. 11. 11. Insist on getting the 3-digit card CVV2 (Card Validation Value)validation code (fig 5) imprintedimprinted on the back of Visa, Master Card, and Diners cards and the 4-digit code imprinted in the front of American Express cards. T -– they can provide significant protection when run against authentication tables. Approval of the credit card transaction confirms that the CCV is valid, and assists with confirming that the cardholder has the card in their possession

Figure 5: Card Validation Value

HOW PREPARED ARE YOU? Charles Darwin said “It is not the strongest of the species that survive, nor the most intelligent, but the one most responsive to change.” How responsive are you? How responsive is yourIn your business? Even if we employ effective prevention strategies it is almost inevitable that we are going to be caught by a fraudster at some point. Do we simply write to the debt off ,off, aongalong withowth other bad debts and put it down oto experience, or do we use the onfoamtioninformation positively. We should, as a minimum: Review the fraudulent order for clues s to what we could do better inbetter in future We should document htethe fruadualentfraudulent order so everyone in the business can learn from it We should create a database of negative informaamtion gleaned form fraudulent orders (or attempts) so we

can match future orders against those criteria. A match does not gauranteeguarantee another fraud, it just suggests proceed with caution

Create a default record on credit reporting bureaus. Use your experience to help others • Report it where appropraite

CREDIIT FRAUD AND YOU “You've always had a spotless credit history. You pay your bills on time. And you live well within your financial means. But, recently you've received a few calls from collection agencies requesting payment for items you didn't buy. Before you dismiss these actions as a mistake, investigate. You could be the victim of credit fraud. Each year individuals with good credit histories fall prey to criminals who steal their identity and run up thousands of dollars in bad debt under their names. If it happens to you, through no fault of your own, you could be faced with years of trying to clear your credit history of false information.” So goes the spiel at www.gearheadcafe.com/credit. It then goes on to offer some tips for avoiding the pitfalls. In the US there are estimated to be over 900,000 new victims of identity fraud each year (source: Association of Certified Fraud Examiners) We discussed earlier how fraudsters get the information. So what are the fundamental steps you should take, and encourage your customers to take to minimise this risk or credit card fraud, or others gaining enough information to facilitate a stolen identity suitable for perpetrating credit fraud? Jerome Jackson, a professor of criminology in the USA may be the only researcher in the world to have actually infiltrated one of these gangs and got inside their operation. I am guided by his suggestions in presenting the following list. • Don't print your Drivers License number on your cheques. Only give it out if absolutely necessary. • Shield the ATM screen when using it in a public place. • Tear up pre-approved credit card offers that arrive in the mail. • Never leave a receipt with your credit card number on it in a public place. Take it home with you to a safe

place or tear it up. • Keep current with the information that is on your credit file. Don't learn about negative information when

you go to apply for a loan. Be proactive about your credit history & help protect it by checking your files on a regular basis.

If you suspect someone has used your name, driver’s, driver’s license or other information to obtain credit, do the following: • Call the fraud units of the credit bureaus, in Australia that means Baycorp at this point in time. • Report identity theft crimes to the local police or law enforcement agency in your area. Visit the AFP

website • Put a "cfreaditud alert" on your credit file.

Formatted

Formatted: Bullets and Numbering

Formatted: Bullets and Numbering

Formatted: Bullets and Numbering

• Report the possible theft to all credit card issuers. Cancel all your current cards. • Notify your bank, credit union or building society and/or savings and loan of the theft. • Request new account numbers and new ATM and Web Banking numbers and password. • Consider changing your driver's license number if you suspect someone has been using it. • Don't carry extra credit cards, your birth certificate, passport ,passport, Medicare or Social Security number

with you unless necessary. This will minimize the amount of information a thief can steal from you. HOW DOES YOUR ENTERPRISE KEEP AHEAD? Having assumed you have established a high profile of the risks of fraud across the organisation: Firstly, train your staff. Secondly, make your systems and processes secure. Appendix 1 to the paper will assist with this. Throughout the world there are various systems and legislative regimes designed to detect fraud, but fraudsters are smarter than that. Just like Australia, the Dutch have a detection system for detecting potential money laundering transactions. It has been reported that of the automatically reported transactions only 17% needed further investigation, whereas of the transactions reported by tellers who were trained in detecting behavior traits such as body language etc, 83% of transactions warranted further investigation. So you might have what you think is a great set of rules, but fraudsters don’t follow the rules. Time prevents me covering some basic but effective training tips, but I have included them as an appendix to the paper. Thirdly,Firstly, do your research. Whilst there are plenty of relevant texts available forrom bookshops, such is the rapidly changing face of fraud,fraud; the web now provides our best resources. Whilst the Internet is fuelling the growth in fraud, it is also emerging as our strongest line of defense I have attached a list of worthwhile sites in the acknowledgements to this paper, but perhaps none is better than: . http://www.merchantfraudsquad.com/ Secondly, make your systems and processes secure. Appendix 1 to the paper will assist with this. Thirdly, train your staff. Time prevents me covering the some basic but effective training tips, but I have included them as an appendix to the paper.

Field Code Changed

CONCLUSIONS The potential for fraud pervades every aspect of commercial life. The role of credit managers and credit departments in identifying potential risks, and building systems and processes to reduce or eliminate the risk is perhaps now greater than ever before. E-commerce means the magnitude of any successful fraud can go way beyond what we may have thought possible. Do everything you can to protect your enterprise, do everything you can to protect yourselves. REFERENCES Rossett, S; Murad, U; Neumann, E; Idan, Y; Pinkas, G; (2002) Discovery of Fraud Rules for Telecommunications – Challenges and Solutions. , amdocs.com Amdocs (Israel) Ltd Smith, Dr R, (2002) Examining the Legislative & Regulatory Controls on Identity Fraud in Australia. Proceedings of Marcus Evans Conferences “Corporate Fraud Strategy: Assessing the Emergence of Identity Fraud” Conference, Sydney New South Wales 25-26 July 2002 Hepworth, A (2002) What’s in a name?, Australian Financial Review, Australia October 2, 2001 Kaufman, D (2001) Stolen Identity. The Age Newspaper, Melbourne Victoria 24th July 2001. Trumper, I. & Harland E. (1999) The year of living dangerously, Financial News, London, England, 15th November 1999. Martin, B, (2002), Fraud Training for Staff, B Digital Ltd Training Courses International Fraud Symposium (2002) Web pages of International Fraud Symposium. Accessed August – Sept 2002 http://www.fraud-symposium.org Better Business Bureau (2002) Web pages of Better Business Bureau. Accessed August – Sept 2002 http://www.bbb.org/alerts/index.asp Internet Scambusters (2002) Web pages of Internet Scambusters. Accessed August – Sept 2002 http://www.scambusters.com/ National Fraud Information Centre (2002) Web pages of National Fraud Information Centre (USA). Accessed August – Sept 2002 http://www.fraud.org Serious Fraud Office (2002) The Web pages of serious Fraud Office (UK). Accessed August – Sept 2002 http://www.sfo.gov.uk/ National Association of Credit Management (2002). Web pages of National Association of Credit Management http://www.nacm.org/ State of California, Department of Consumer Affairs (2002) Web pages of State of California, Department of Consumer Affairs. Accessed August – Sept 2002 http://www.dca.ca.gov/legal/p-3.html Identity Fraud Inc. (2002) Web pages of Identity Fraud Inc. Accessed August – Sept 2002 www.identityfraud.com Consumer Info.com (2002) Web pages of Credit Matters.com. Accessed August – Sept 2002 www.stolen.identity.com www.creditmatters.com Triad Commerce Group LLC (2002) Web pages of E-commerce Times. Accessed August – Sept 2002 www.ecommercetimes.com United Nations (2002). Web pages of UN Office of Drug Control and Crime Prevention. Accessed August – Sept 2002 http://www.undcp.org John G Faughan (2002) Web links on credit card fraud from Web pages of John G Faughan. Accessed August – Sept 2002 http://www.afp.gov.au/page.asp?ref=/Crime/Fraud/ Australian Federal Police (2002). Webpages of Australian Federal Police – Fraud Topics. Accessed 9th September 2002 http://www.faughnan.com/ccfraud.html New York Times (1999). E-commerce library article. Accessed 9th September 2002. http://www.nytimes.com/library/tech/99/09/cyber/commerce/20commerce.html Merchant Fraud Squad.com (2002) Web pages of Merchant Fraud Squad.com. Accessed 25th August 2002. http://www.nytimes.com/library/tech/99/09/cyber/commerce/20commerce.html

Formatted

Formatted

Formatted

Formatted

Formatted

Formatted

Field Code Changed

Formatted

Formatted

Field Code Changed

Formatted

http://www.merchantfraudsquad.com/ European Anti Fraud Office (20020. Web pages of European Ant Fraud Office. Accessed August – September 2002 http://europa.eu.int/comm/anti_fraud/index_en.html WEB Developers Journal.com. Article “Reducing Online Credit Card Fraud” by Steve Patient. Accessed 12th August 2002 http://www.webdevelopersjournal.com/articles/card_fraud.html Federal Government (USA) Consumer Information site (2002). Credit Information page of Consumer.gov affiliation. Accessed August – September 2002 http://www.consumer.gov/idtheft/ Visa International Service Association (2002). Web information for merchants. Accessed August – September 2002. http://usa.visa.com/business/merchants/fraud_basics_cvv2.html Credit –Bankruptcy.com (USA). Web page on Bill Consolidation. Accessed 14th August 2002 http://www.harfordshelter.com/free_bill_consolidation.html

Formatted

Field Code Changed

Formatted

APPENDIX 1 Extract from “Reducing Online Credit Card Fraud” by Steve Patient. Security and PrivacySECURITY & PRIVACY FOR ONLINE TRANSACTIONS (Extract from “Reducing Online Credit Card Fraud” by Steve Patient) There are two areas of concern: ensuring the privacy of data involved in the transaction to re-assure the buyer, and ensuring the buyer is engaged in a valid transaction - for the benefit of the seller. The first is most easily solved using SSL (Secure Socket Layer) an encryption protocol built into current browsers and supported by most Web servers. Base Apache doesn't support it for patent reasons (RSA owns certain algorithms in the US) but Apache SSL does. Using SSL once it's enabled is straightforward - simply change Web page references to https:// instead of http://, like so: <form method="POST"action="https://www.a-domain.com/cgi-bin/ssl-form.cgi"> This posts the contents of a form back to you using SSL. Digital Certificates SSL is only half of the solution, though. Customers want to feel confidence in your company. This is achieved using a 'trusted third party' which begs its own questions. TTP's are simple in principle. The TTP is a public company which provides a vendor with a digital certificate. This confirms to the customer that the company they think they're dealing with is who it claims to be. Digital certificates can be bought from many companies including Verisign and Thawte. They require a fair amount of company documentation. Public Key Encryption Both SSL and the digital certificates require encryption. This is provided using asymmetrical - a.k.a. public key - encryption. This requires two keys: public and private. The public key is published and can be used by anyone to encrypt anything but only the private key can decrypt it. An SSL exchange is carried out using a public key given to your browser by the server. The digital certificate provider confirms that the key belongs to a valid certificate used by the company at the domain where the transaction is taking place. In effect, it's a three-way transaction, but each party can only access the information it needs to do its job. Trusting Customers To accept online credit card payments with a minimum level of confidence you need two services: a merchant account - either your own or access to one via a third party - and real time authorisation. Taking credit card payments online for overnight processing is commercial insanity. Anyone can create credit card details which will pass validation checks - including expiry dates - using one of dozens of freely available programs on the Net. In practice, real-time credit card transactions are pre-authorised to a set value provided the vendor checks card numbers against a supplied hot list. Transactions over the limit must be authorised. This doesn't guarantee you'll be paid but it eliminates the more incompetent criminals. Authorisation is a two-part process. First the customer sends in the order by secure form (using SSL). The details on the card and the amount are then sent from your server to the authorising company (only larger concerns deal directly with banks). The authorising company runs the check with the card-issuing bank then authorises or denies it immediately.

Formatted

APPENDIX 2 TRAINING TO PREVENT FRAUD What types of people commit fraud? All types of people commit fraud many. In order to commit fraud they must beat your systems or convince your staff they are legitimate. They often seek to improve their legitimacy, and in turn cause staff to “drop their guards” by telling you that they are somebody they are not. Notable are claims to be: Security Officers, Security Companies Government Officials or Agencies, Media Personalities, Sporting Personalities, Emergency Services Officials or Telecommunications Staff. There are ‘5 senses’ we can apply to identify fraud, either face to face, or over the phone. HEAR FRAUD • ‘Stop hearing and start listening’. We were given two ears but only one mouth – this • is because our creator knew that listening was twice as hard as talking. • One way to improve your listening skills is to ask questions. • Develop the habit of asking questions - Use questions to encourage people to talk • Open your mind and ears – be receptive to the messages the customer is giving out • Listen from the first word and give your undivided attention • Stay cool! Don’t overact to highly charged words and tones. • Hear the person out, then respond. Most people will calm down once their anger is vented. • Avoid figuring out what the customer is going to say; you may miss what he or she actually says • Never interrupt! It cuts off the flow of dialog and is rude and offensive, and does not give them a chance to

slip up Putting this into practice in identifying fraud over the telephone: • Does the customer sound nervous? • Does the customer hesitate when giving personal details? i.e. address, date of birth • Does the customer sound like the age given? • Does the customer constantly refer your questions to a third party in the background? • Does the customer place you on hold constantly? • Does the customer request delivery of the goods to an address different to home or work? • Does the person sound like they are in a hurry or impatient? • When requested, does the person state that they have no ID, driver’s license etc? • Is it obvious that the customer is fabricating his personal details i.e.. Drivers license number? • Does the customer hang up when asked to reconfirm details or send ID?

Formatted

Formatted

Formatted

Formatted

Formatted

FEEL FRAUD Give it a feel –is it a genuine MDL or Credit Card? Frauds can look like the real thing, but often they don’t fell like the real thing. Try being one of the first to use the see thru Amex card TASTE & SMELL FRAUD Do you smell something cooking – first impressions are often the best – or just call it intuition? If I could use our own example, we have developed some of the most sophisticated fraud detection mechanisms of anyone in our industry sector, and have received approaches from some of the largest players in our region for access to our intellectual property. As good as it is, a significant portion of the detected fraud from comes from alert sales and assessment staff who detect something in the voice or response of the applicant, or in the content of the internet application. Trained by our Loss Prevention Manager, these sales staff, in conjunction with our systems, have saved us over $2million in handset fraud in just over 15 months! SEE FRAUD Observation Skills Test 1 – Mr. Smith What do we see?

Observation Test 2 – ID checking -the fine detail • Check photograph on ID matches age (and sex) • Check obvious alterations to name and address • Is the ID signed? • Is the ID expired? Check credit card numbers are correct and security characters are present When examining credit cards, check to see if the card: • Is damaged? • Does not have a valid expiry date • Embossing appears altered • Hologram appears suspicious When checking the signature: Is there a signature present? Has the signature panel been altered? Does the customer’s signature match the card?

Formatted

Formatted

Formatted