Credit and debit card payment and online fraud are highly profitable criminal activities that are increasingly dominated by card-not-present transactions.
As a form of cybercrime, card payment fraud is one of the nine EMPACT priorities, Europol’s priority crime areas, under the 2013-2017 EU Policy Cycle.
Card-not-present fraud involves the unauthorised use of credit or debit card data (the card number, security code and expiry date) to purchase products and services in a non-face-to-face setting, such as via e-commerce websites. In the majority of cases, the victims are unaware of the unauthorised use of their cards, which remain in their possession.
Often referred to as carding, this type of illegal activity has grown steadily, as compromised card details stolen by means of data breaches, social engineering attacks and data-stealing malware become more readily available and are traded internationally.
According to the most recent (2013) data, card-not-present fraud accounts for 66 % of the EUR 1.44 billion in fraudulent card transactions in the 35 countries of the Single Euro Payments Area (SEPA).
One of the main ways in which card-not-present fraud is committed is the purchase of airline tickets, a crime that is the focus of Europol’s successful Global Airline Action Days.
The growth in card-not-present fraud is also driven by the effectiveness of measures against the more traditional card-present fraud. Commonly called skimming, this activity involves the duplication of a card’s magnetic strip, often through devices hidden within compromised ATMs and point-of-sale terminals.
In the EU, the almost universal implementation of EMV technology (chip and PIN), anti-skimming ATM slots and geo-blocking across the banking industry has drastically reduced card-present payment fraud, which in 2013 accounted for a third of all card fraud.
Cardholders’ confidential data is more secure on a chip-embedded payment card than on a card with a magnetic strip. However, as some parts of the world have been slow to embrace EMV, card-present fraud has migrated, chiefly to the Americas and Southeast Asia, Indonesia and the Philippines in particular, where criminals use cards cloned in Europe to withdraw money in non-EU countries. The rollout of EMV technology in the United States is likely to increase the focus of criminals on card-not-present fraud.
Did you know? Payment card transactions are the most widespread form of non-cash payment in the EU. In 2012, the total value of transactions made by debit and credit cards issued within the Single Euro Payments Area (SEPA) amounted to EUR 3.5 trillion. In the same period, criminals acquired EUR 1.33 billion [2013: 1.44 billion] from payment card fraud. This represents EUR 0.38 lost to fraud for every EUR 1 000 worth of transactions.
In most of the card-not-present fraud investigations Europol has supported, the primary source of illegal data is breaches within private industry, often facilitated by insiders, malicious software, or both.
Europol has organised courses on the forensics of payment card fraud. Topics include the examination of skimming devices, ATM logical attacks and, especially, malware attacks, which are a developing threat.
Europol’s Joint Cybercrime Action Taskforce (J-CAT) has supported several high-profile cybercrime operations, such as Operation Imperium, which targeted an organised crime network active in payment fraud. In addition, Europol has worked with law enforcement agencies in such countries as Indonesia, Colombia and Singapore to combat payment card fraud.