MasterCard, Visa Fighting Fraud
MasterCard International and Visa U.S.A. are mandating that online merchants meet more stringent security standards when cardholders purchase goods or services electronically, making online purchases safer in an attempt to quell concerns about identity theft and fraud. Yet new types of Web-based fraud, and hacker ingenuity, may defy such standards.
MasterCard required that its large Web merchants—those that process more than $125,000 in monthly MasterCard gross volume—meet the new standards by June 30. Visa has set a Sept. 30 deadline by which its large merchants—which it defines as Web vendors that process more than 6 million Visa transactions annually—must enact and maintain higher security standards. Other deadlines follow for smaller merchants, and within one year the vast majority of vendors on the Internet must be compliant, or face fines.
Both Visa and MasterCard are demanding that these Web merchants—which include travel vendors—install firewalls, protect stored data, encrypt any sent data, assign unique ID codes to track access to data and implement security policies, among a series of other criteria. While the card networks for several years have recommended such security standards for Web-based merchants—and many large online vendors already meet the criteria—the payment networks expect the initiatives to help further diminish instances of fraud.
American Express said it has similar security measures, such as data encryption and firewall standards, that for years have been in place with its merchant network, particularly those processing transactions online. An Amex spokesperson said penalties for noncompliance range depending on contracts with specific merchants.
While corporate cardholders and general consumers both are at risk, companies face a unique problem: They have more cards in force (often thousands, versus the few owned by the average consumer) and typically have higher or even unlimited spending limits, which could prove to be the mother lode for a fraudster. Yet, depending on the circumstances of the fraud, it typically is the merchant or the issuer that bears the cost.
"It's important to note that most large companies have a number of efforts in place to safeguard and protect data, not just cardholder data, but information in general," said Joe Majka, vice president Visa U.S.A. fraud control and cardholder information security program. "We met with all of the largest online travel agencies or travel companies, and they're very familiar with our program. If they are not already in compliance, they are working aggressively to make sure they meet our deadlines."
Web merchants that accept Visa and MasterCard will have to report their compliance annually. Vendors that fail to meet the standards will have to pay fines.
In 2002, there were nearly 10 million victims of identity theft, the majority of them through credit card or charge card accounts, according to the U.S. Federal Trade Commission. Yet the rate of Web-based credit card fraud has declined in recent years, even though the dollar volume of online fraud has climbed and is expected to keep climbing.
A Visa representative said incidents of overall card fraud actually have gone down as card volume has gone up, and fraudulent spending accounts for only 7 cents per $100 of all Visa transactions.
Bob Lichtman, a principal of travel consultancy Corporate Solutions Group based in Menlo Park, Calif., said security standards have become much better since the dawn of the Internet, yet new fraud techniques not addressed by Visa and MasterCard's mandates have emerged. "This fraud isn't because of anybody intercepting data transmissions, it's because they send e-mails to cardholders targeting their password, account numbers and things of that sort," Lichtman said. "That's where the diligence now needs to be aimed."
What hackers have dubbed 'phishing' has erupted in recent years as the newest way to harvest charge card account data. Posing as established banking institutions, fraudsters spam account holders with e-mail that lures them to look-alike sites to "update" or "correct" their account information, and then capture whatever the victims enter.
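The lure described above rests on links that look like the bank's but resolve elsewhere. The following is an added example, not code from the article or from any card network or issuer, showing the checks a mail gateway can run on the links in a message: anchor text that names one host while the href points to another, a brand name embedded in a host that is not the brand's own domain (including look-alike spellings such as "exarnplebank"), links to a bare IP address, and the "user@host" trick. The trusted-domain list, the brand name and the sample message are constructed for illustration.

```python
"""Flag phishing-style links in an HTML e-mail body.

Added example; not the article's or any bank's code. The domains, brand
and sample message below are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of the brand's legitimate domains (illustrative).
TRUSTED_DOMAINS = {"examplebank.com", "cards.examplebank.com"}
BRANDS = {"examplebank"}

# Characters commonly substituted to imitate a brand name ("examp1ebank").
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' rule; production code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalize_brand(label):
    """Undo common look-alike substitutions so 'exarnp1ebank' compares as 'examplebank'."""
    return re.sub(r"[^a-z]", "", label.lower().translate(HOMOGLYPHS).replace("rn", "m"))


def analyze_link(href, text):
    """Return the list of reasons a link looks like a lure (empty list = no finding)."""
    reasons = []
    url = urlparse(href)
    host = url.hostname or ""
    if url.scheme not in ("http", "https") or not host:
        return ["unparseable or non-http link"]
    domain = registrable_domain(host)
    # 1. Anchor text displays one host while the href goes to another.
    shown = re.search(r"https?://([^\s/]+)", text)
    if shown and registrable_domain(shown.group(1)) != domain:
        reasons.append(f"link text says {shown.group(1)} but href goes to {host}")
    # 2. Brand name appears in a host whose registrable domain is not the brand's.
    if domain not in TRUSTED_DOMAINS:
        if any(normalize_brand(label) in BRANDS for label in host.split(".")):
            reasons.append(f"brand name in untrusted host {host}")
    # 3. Link to a bare IPv4 address.
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append(f"link to bare IP address {host}")
    # 4. Userinfo before the host: http://www.bank.com@evil/ actually goes to 'evil'.
    if url.username:
        reasons.append("userinfo before host (user@host trick)")
    return reasons


def scan_email_html(html):
    """Return {href: reasons} for every link in the message that raised a finding."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = {}
    for href, text in parser.links:
        reasons = analyze_link(href, text)
        if reasons:
            findings[href] = reasons
    return findings


# Constructed sample: two lures and one genuine link.
SAMPLE_PHISH = """
<p>Dear ExampleBank customer, please verify your account:</p>
<a href="http://examplebank.com.account-verify.net/login">http://www.examplebank.com/login</a>
<a href="http://www.examplebank.com@203.0.113.7/secure">Secure sign-in</a>
<a href="https://www.examplebank.com/help">Help centre</a>
"""

if __name__ == "__main__":
    for href, reasons in scan_email_html(SAMPLE_PHISH).items():
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, the first two links are flagged (host mismatch plus embedded brand name; bare IP plus userinfo) and the genuine help-centre link is not. The registrable-domain rule is deliberately crude; a real gateway would consult the Public Suffix List and an issuer-maintained allow-list rather than the two constants at the top.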
According to the Computer Crime Research Center, an independent institute that researches cyber crime, nearly all major banks and charge card issuers have been used in phishing scams. These include all of the major players in the commercial card and corporate banking spaces: American Express, Bank of America, Bank One, Citibank and US Bank, among many others.
While incidents of traditional hacking, in which attackers breach firewalls to steal stored card data, have gone down, phishing has gone up. Market research firm Gartner Group Inc. in April estimated that 57 million adults in the United States have received an e-mail in which fraudsters attempted to extract charge card data. Gartner estimated that nearly one in five of those followed phony links from such an e-mail, and that up to 1.78 million people gave fraudsters their personal, financial or credit card data.
The numbers probably are even higher now. According to data from the Anti-Phishing Working Group—an industry association focused on eliminating this form of identity theft and fraud—there were 1,125 unique phishing attacks in April, more than a 180 percent increase over March, followed by another increase in May.
Just as the phishing attacks have become more frequent, they also have grown in sophistication. "They get better and better," Visa's Majka said. "One year ago, they were very crude and you could obviously tell it was a fraudulent e-mail. That's not the case anymore. I think we had one of the first phishing e-mails probably two years ago. It was so crude, with the misspellings, bad grammar and punctuation. The whole look of it wasn't going to fool anybody. They've come a long way with this technology."
This month, Sen. Patrick Leahy (D-Vt.) introduced a bill in the U.S. Senate that would make phishing a federal crime. "In the short term, these scams defraud individuals and financial institutions," Leahy said in a statement. "Some estimates place the cost of phishing at over $2 billion, just over the past 12 months. Just imagine the concern we would all have about a series of bank robberies involving that much money.
"The Anti-Phishing Act of 2004 protects the integrity of the Internet in two ways," Leahy continued. "First, it criminalizes the bait. It makes it illegal to knowingly send out spoofed e-mail that links to sham Web sites, with the intention of committing a crime. Secondly, it criminalizes the sham Web sites that are the true scene of the crime."
While the bill could serve as a deterrent to would-be hackers, experts say fighting phishing comes down to consumer awareness. "Education is probably the number-one thing that needs to be done here," Majka said. "The fraud or attempt to get a consumer to give up their personal banking information is nothing new. It's just a new technique and a new technology that the criminals are using, which in many cases can truly look legitimate to an unassuming consumer. The message we need to get out is you never want to give up your personal information or financial information over the phone or over the Internet to someone who is coming to you with an e-mail."
Visa last month launched a phishing education campaign with the Better Business Bureau, the U.S. Department of the Treasury and the FTC. MasterCard in June hosted a Global Risk Management Symposium in San Diego to address phishing and other security issues.
MasterCard last month teamed with NameProtect—a digital fraud detection firm—to combat phishing schemes. MasterCard will use its partner's technology in conjunction with law enforcement officials "to dismantle the online tools and venues that are used by identity thieves before they can be used to steal personal information," according to a statement from NameProtect. "We are now at the point where fraud prevention and fraud containment are no longer enough," said Sergio Piñòn, senior vice president of MasterCard security and risk services.