Card Not Present Fraud: understand, detect, and prevent

Card-not-present (CNP) fraud is on the rise. Be prepared to detect it in time!

Marc Fessler

Senior Sales Engineer

15 September 2023

Card-not-present (CNP) fraud is on the rise, but it's no surprise, as this type of fraud has been a persistent issue. More than just a significant proportion of all card fraud, CNP represents an area of growing operational intelligence and methodology amongst fraudsters. Their modus operandi is constantly improving, their ability to use social engineering and automation for more effective results is only increasing, and places like the dark web only further fuel this efficiency.

Here's where it gets tricky, as you might feel in a bit of a bind. On one side, you don’t want to risk letting these fraudsters slip through. On the other side, you don't want to reject good customers. And this balancing act leads to all kinds of problems, like unhappy customers and poor conversion rates. 

To avoid falling behind the curve, you need intelligence and technology that match your anti-fraud strategy mix against the crafty card not present fraudsters. Let’s see how to arrive at a real-life scenario where the ones who move their business elsewhere are the fraudsters and not your valued customers.

What is card not present fraud?

Card not present fraud typically occurs online or over the phone, where fraudsters exploit sensitive information - the card number, CVV security code, and expiration date, as well as personally identifiable information of the cardholder, such as their name and billing address - to carry out unauthorized transactions on the cardholder's behalf. 

Card not present fraud vs card present fraud

Its counterpart, card present fraud, refers to fraudulent transactions using counterfeit or stolen cards. As such, when it comes to online fraud, the greater emphasis is very much on card not present (CNP) fraud.

However, the key difference that businesses need to know is that it is they who usually bear the loss that comes with CNP fraud, as card issuers do not typically hold their cardholding customers liable for fraudulent transactions.

The scale of card not present fraud

Card not present fraud represents a significant risk for both merchants and credit card companies. Between 2018 and the end of this year, card not present fraud is predicted to account for USD 130 billion in losses.


In the US alone, card not present fraud will cost businesses almost USD 9.5 billion in 2023, accounting for as much as 73% of all card fraud. Similar percentages have also been reported in Europe, so it’s a global concern.

The economics of CNP fraud: who, where and why?

In order to combat card not present fraud, it's important to understand how the process works. In short, as mentioned above, card not present fraud occurs when a fraudster is able to successfully make a purchase using stolen credit card information. However, while the exact methods may vary from case to case, we can categorize a number of key steps in the CNP process:

  1. The fraudster steals or otherwise acquires the credit card details and the necessary personal details of the cardholder.
  2. The fraudster identifies a target website or business to make fraudulent transactions through.
  3. The fraudster then uses these details on target websites, apps or other online services to make fraudulent purchases.

From collecting the valuable credit card information through to the actual purchase, card not present fraud also comes in various levels of complexity for fraudsters to succeed.

Novice

This tier typically involves low-value transactions under EUR 50, such as restaurant bills, taxi rides, or food orders. Fraudsters often need only the credit card number and its expiration date. The effort is low, as the absence of additional security features like CVV or billing address verification makes things relatively easy for fraudsters.

Expert

This level of fraud targets moderately-priced items or services. Fraudsters need the credit card number, expiration date, CVV code, cardholder name, and full billing address to carry these out. Gathering all this info might present a higher hurdle for unauthorized transactions.

Master

At the highest level, we’re talking about luxury items or, generally, high-value purchases. Fraudsters need the credit card number, expiration date, CVV code, cardholder name, full billing address, and date of birth, and above all, they need to know how to bypass 3DS, or any other extra authentication and verification steps.

How do fraudsters get credit card details?

For card not present fraud to be committed, fraudsters need accurate and correct details for both the card and its cardholder. It should also be noted, however, that the person committing the CNP fraud might not be the same person who gained access to the data. Such information is readily sold and traded on the dark web, so once leaked, it can quickly spread across multiple criminal networks and be used by anyone with the means to purchase it. 


For the sake of wider data protection, it's still important to know where these original leaks may have come from:

  • E-commerce accounts. Online retailers are a key target, as they naturally hold all the necessary details to make fraudulent transactions on similar websites. This includes credit card details such as the card number, CVV, and card expiration date, as well as the name and address of the cardholder.
  • Banks and card issuers. Both these types of companies hold key financial information on their customers, including their cards and account numbers. A data breach in either of these can leak personal details for thousands of cardholders, which is why such financial institutions invest heavily in cybersecurity and fraud detection.
  • Physical card theft. If a card is stolen, fraudsters naturally have access to the details printed directly on the card. They don't, however, have the PIN code needed to use it directly, so online shopping becomes a key target.
  • Skimming devices. These machines are installed on top of an ATM, passing all the details through whilst logging records of the cards used and their various details. This differs from physical card theft in that the card itself is not stolen and, as such, the cardholder is less likely to suspect that their sensitive data has been exposed.

How do fraudsters conduct CNP fraud?

Fraudsters purchase large volumes of compromised card credentials, known as "card dumps," and put them to use on online business websites. These compromised credentials are typically bought in bulk on the dark web, resulting in sudden surges of fraudulent transactions.

There are a number of ways for criminals to make a profit from CNP fraud. Of course, smart fraudsters gravitate to methods that are the least likely, if possible at all, to lead back to themselves. This leads to a number of common options.

  • Many cybercriminals opt to buy gift cards, as these are very difficult to trace. Indeed, they can also simply be traded to someone else for physical cash, ensuring that there is no trace.
  • Others, alternatively, prefer to buy expensive items, such as luxury retail goods, as they have a strong cash value, similar to gift cards. It's often assumed that making one singular fraudulent transaction will bypass common fraud prevention rules but, as we'll discuss, modern fraud prevention measures are considerably more advanced.

In both cases, fraudsters are able to acquire desirable goods, and, since they acquired them for next to nothing, they can sell them on at a slight discount. This further impacts the business, as their goods are then on the market without any revenue going to the original seller.

What companies are the target of CNP fraud?

It’s not about the e-commerce vertical or a specific field. If you show any sign of vulnerability, you become a target. Since card not present fraud relies on websites with fewer barriers - i.e., no multi-factor authentication or additional data requirements - this immediately makes less protected services more attractive.


Bear in mind that credit card fraud, such as CNP, is not necessarily linked to account takeover fraud. The criminal, especially if buying data en masse from the dark web, may not have information on individual user accounts, histories of their online purchases, or even their login details.


It's also not synthetic identity fraud, as the criminal in question is only seeking to use real, verified information in order to bypass simple security measures. At its core, CNP fraud is more of a direct attack against weak defenses.

The consequences of card not present fraud

Ultimately, CNP fraud causes businesses the most damage in the form of chargebacks and a loss of returning customers. Once the original cardholder finds out about the fraudulent transaction, they typically request chargebacks through their card issuer to get the money back. By that point, you have likely sent the goods, and so have essentially lost stock.

It's also worth noting that this form of chargeback fraud is not "friendly fraud" where the cardholder is responsible. In these cases, credit card issuers often side with the cardholder and automatically issue a chargeback. In such situations, the merchant usually can't dispute the chargeback because the store allowed fraudulent charges without verifying the person using the card in any way.

The risk of false positives

If you allow fraudulent payments to go through, it can also cause a mess in the other direction. It's an inherent risk with any solution that there will be false positives and the failed transactions that occur as a result. Someone shopping on a new phone, or in a new location, could still be an existing customer, but they could also equally be a criminal using stolen data.


The system gets it wrong sometimes, and this could negatively impact customers. This is why we advocate for risk detection. By assessing the risk level for each transaction and watching for specific indicators, businesses can gain a more accurate assessment of the likelihood of each occurrence.


This includes checking data points that are unique to each user, as well as behavioral data, built up through historical data on each specific user. This covers a range of factors and values that criminals would be hard-pressed to successfully replicate, thus ensuring the final solution can better filter out false positives early on.

Fraud detection vs customer experience

Another key concern that fraud managers need to consider is the impact on customer experience. It's a known fact that the more steps and processes that are implemented, the more likely some users are to leave. In other words, overly complex processes can also impact a business' bottom line.

Keeping up with CNP fraud techniques

Card not present fraud, much like wider credit card fraud, is an ever-evolving landscape. To address this evolving threat, it's crucial to stay updated with the latest techniques employed by fraudsters.


Before we dive into how our card not present fraud prevention solution gets the job done, let’s see the key criteria that really matter when choosing such a solution. 

  1. It works constantly and passively in the background, adapting to any unusual changes. More than learning about user behavior, it can also be set to take certain actions at certain risk levels. Whether it's an unusually high purchase, a questionable IP address or even multiple failed attempts or recurring payments that don't match historical data, these solutions can flag them.
  2. It’s built and implemented by cybersecurity experts who understand the fraudsters’ mindset. Whether it's keeping tabs on the dark web to learn about new techniques or reverse engineering them into our solutions, we actively take the time to learn about changes in the cybercriminal world and then adapt as quickly as possible. We can also provide you with dedicated reports based on our research on the dark web highlighting all of these key changes, ensuring you're always kept in the loop.
  3. It’s automated and doesn't impact the customer experience, except when the risk of fraudulent charges is high enough to warrant additional measures.
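
The tiered response described in this list (flag specific signals, act at certain risk levels, add friction only when risk is high) can be illustrated with the following added Python example, which is not Nethone's code. The field names, weights and thresholds are assumptions made up for the illustration, and the sample payments are constructed.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Txn:
    amount: float
    device_id: str
    ip_anonymized: bool   # assumed to come from an IP-intelligence lookup (VPN/proxy)
    failed_attempts: int  # recent declined attempts for this card or session

@dataclass
class Profile:            # per-customer history used as the behavioural baseline
    past_amounts: list
    known_devices: set

# Constructed weights and cut-offs for illustration; tune on labelled data in practice.
WEIGHTS = {"high_amount": 35, "anonymized_ip": 25, "failed_attempts": 25, "new_device": 15}
STEP_UP_AT, BLOCK_AT = 40, 75

def signals(txn, profile):
    """Return the names of the risk signals this transaction triggers."""
    fired = []
    if len(profile.past_amounts) >= 3:  # need some history before judging amounts
        mu, sigma = mean(profile.past_amounts), pstdev(profile.past_amounts)
        if txn.amount > mu + 3 * max(sigma, 0.1 * mu):
            fired.append("high_amount")
    if txn.ip_anonymized:
        fired.append("anonymized_ip")
    if txn.failed_attempts >= 3:
        fired.append("failed_attempts")
    if txn.device_id not in profile.known_devices:
        fired.append("new_device")
    return fired

def decide(txn, profile):
    """Map the summed signal weights to allow / step_up (e.g. a 3DS challenge) / block."""
    fired = signals(txn, profile)
    score = sum(WEIGHTS[s] for s in fired)
    action = "block" if score >= BLOCK_AT else "step_up" if score >= STEP_UP_AT else "allow"
    return action, score, fired

# Constructed sample data: one customer's history and three incoming payments.
PROFILE = Profile([42.0, 38.5, 55.0, 47.25], {"dev-a"})
NEW_PHONE = Txn(49.90, "dev-b", False, 0)   # good customer on a new device
PROXIED = Txn(60.00, "dev-b", True, 0)      # new device behind a proxy
DUMP_RUN = Txn(900.00, "dev-z", True, 4)    # every signal fires

if __name__ == "__main__":
    for t in (NEW_PHONE, PROXIED, DUMP_RUN):
        print(t, "->", decide(t, PROFILE))
```

A returning customer on a new phone triggers only one low-weight signal and passes without friction, which is the false-positive case the article warns about; the challenge or block is reserved for payments where several signals coincide.
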

Other preventative measures

None of this is to say, of course, that you shouldn't still invest in authentication solutions, secure accounts, or address verification services. These tools can still detect fraud and, more importantly, make businesses less attractive as targets.


However, these are long-standing solutions that smarter fraudsters can either replicate or otherwise spoof. They do not adapt or evolve as machine learning does. In short, while these more traditional solutions still hold a place in today's fraud detection arsenal, you need something that's constantly learning - both in a wider sense and at the individual shopper level.

Start fraud prevention with Nethone

Combating card not present fraud

To properly fight payments fraud without impacting the customer experience, you need to turn to adaptive solutions that operate and react not only in real time, but also at a level of detail below simply checking information in a database or checksums on a customer's credit card.


Dark web research is key because the intelligence gathered from the least accessible places on the internet is valuable not only to inform and take action, but also to build strategies that result in detecting fraud with high precision. For example, fraudsters usually use network anonymization tools such as VPNs, SOCKS, and residential proxies to hide their IP address and geo-location and spoof device information. They also use bots to automate their actions, and make small purchases for swift gains. Our response to their tactics is a constantly improved risk detection suite that can unveil even the shadiest VPNs, residential proxies, and clever bots. 

Moreover, as fraudsters become increasingly crafty and adaptable, behavioral biometrics offer an effective approach by analyzing and learning from the unique patterns in which individuals interact with their devices. Any deviation from this standard pattern can indicate suspicious activity related to card not present fraud. Knowing the usual behavior of the rightful cardholder can alert or block transactions that don't match the norm.


And let's not forget that such solutions are not just limited to card not present fraud. Whether it's account takeover fraud, identity theft, or more, modern smart solutions look for any suspicious behavior and rate its risk accordingly, preventing numerous issues. With digital fingerprinting, specific risk signals, and a thorough analysis of various data points coming from the user network, browser, and hardware, you can recognize suspicious activities and block fraudsters without worrying about false positives.


Book a call with us, and you can get three things: a deep dive into how our solution works beyond the industry benchmarks, a customized demo, and if curious, we can also give you some dark web gems on how fraudsters operate.

It's time to stop payment fraud

Would you like to learn more about how the Know Your User solution can help your business effectively stamp out fraud without causing online friction? Let us show you how.
