Criminals are turning to cybercrime because it’s easier, less dangerous and more profitable than armed robbery or purse snatching. Criminal groups are more sophisticated, employing different levels of skilled players and moving anonymously within clandestine computer networks.
Stolen card numbers are traded and bought on black market websites run by criminals in Russia, Eastern Europe and other localities where extradition is difficult and law enforcement cooperation lax. Using recording gadgets, skimmers are stealing credit anddebit card data at points-of-sale, restaurants, and gas stations.
Stolen numbers are available online for purchase, at restricted websites such as Rescator.so. A cybercriminal could specifically purchase online any of the 3,685 credit card numbers stolen in the Fayetteville, Ark. area.
Drop-down menus on the website marketplace list thousands of stolen numbers for sale, indexed by locality. Customers could expect to pay up to $200 each for an American Express Platinum (prepaid gift card numbers are much cheaper), payable in Bitcoin or by Western Union.
The return period for bad numbers is six hours. In that time, thieves can have the stash of stolen numbers printed onto counterfeit cards and charge up a storm of purchases at stores or online, often in the form of gift cards that are easily transformed into cash.
Eventually, a bank catches wind of the fraud and freezes the card. For the thief, it’s on to the next one. Ironically, according to Bloomberg Businessweek, the Rescator website was hacked in March 2014, probably by competitors, and rendered inoperable.
Huge Losses
Annual losses from financial card fraud total at least $2.4 billion in the United States, not including losses borne by merchants, which probably runs in the tens of billion of dollars per year, according to the Mercator Advisory Group.
Merchants absorb losses for fraudulent transactions conducted by mail, phone and online, and card issuers generally are supposed to take the financial hit for fraudulent transactions conducted in walk-in stores. But retailers report that banks often charge those losses back to them.
For credit card losses, merchants end up eating more than half of losses from fraudulent transactions, according to the Merchant Payments Coalition, a trade group representing restaurants, grocers, gas stations, convenience stores and other retailers.
In addition to hacking retail security systems, credit card numbers are stolen through the use of skimming devices (the latest versions are wireless) at retailers, restaurants and gas stations and often by employees.
Some of the losses are borne by the credit card companies, but most are accepted by retailers, translating into higher prices for consumers. Although security features are embedded into credit cards, retailers sometimes do not want to “harass” their customers by asking for identification.
How to Know a Fake Credit Card
In order for consumers and merchants to be able to protect themselves from fraud, they should be able to identify a valid credit card and spot a fake one. Let’s take a look at the security features of each major credit card brand.
Visa
All valid Visa credit and debit cards have a set of unique security features, with some of which you are already familiar. Below you will find a complete list, along with tips on how to verify each card’s validity. You should examine these features while waiting for the issuer’s response to your authorization request. Remember that an authorization approval does not necessarily protect you against fraud.
1. Visa brand mark. The blue and gold Visa logo is typically displayed on a white background in the card’s bottom right, top left or top right corner. However, the upper left placement is allowed only on chip cards.
2. Visa card number. Visa card numbers always start with the number “4” and are 16-digit long — there is no exception to this rule. The numbers must appear in one line and be clear and uniform in size and spacing.
3. BIN number. The first four digits of the card number must be printed directly below the number itself. This is the issuer’s Bank Identification Number (BIN). These two numbers must be identical.
4. Member since. Some Visa cards display the month and year in which the account was open. The date should be in the format “mm/yy” and the location is typically to the left of the expiration date and below the account number.
5. Expiration date. The card’s expiration date should be located below the account number and be in the format “mm/yy”. Expired cards are not valid and should not be accepted for payment.
6. Cardholder name. The cardholder name or a generic title may be printed or embossed on the face of the card, however on some Visa cards the field may be left blank.
7. Micro-chip. Some cards feature a chip, which, if present, is located above the account number.
8. Dove hologram. The Visa dove hologram may be located anywhere on the front or back of the card. This three-dimensional image should appear to move as you rotate or tilt the card.
9. Vertical orientation. Some Visa cards are vertically oriented and the account information is not embossed, but laser-printed. These cards have magnetic stripes and a card verification code on the back, just as their more conventional counterparts.
10. Mini-card. This is a miniature version of a standard Visa Card or Visa Electron Card.
11. Magnetic stripe. The magnetic stripe contains the card account’s identifying information. When the card is swiped through a point-of-sale (POS) terminal, the encoded data are “read” and displayed on the terminal’s screen. The displayed information should match the one on the card itself, so make sure you compare the two.
12. Signature panel. The signature panel is located on the back of the card, with the word “Visa” printed repeatedly within an ultraviolet element within it. Depending on the card’s design, the panel may have the full account number printed on it, only its last four digits or none at all. If the signature panel is scratched or erased, the word “void” appears repeatedly underneath.
13. Card Verification Value 2 (CVV2). The three-digit CVV2 number appears in a white box either to the right of the signature panel or within it. It is used in card-not-present transactions to verify that the customer is in physical possession of the card.
MasterCard
Similarly to Visa, all valid MasterCard credit and debit cards display a set of unique features which you should be familiar with. You will find that the two biggest U.S. card brands maintain very similar security standards for their cards’ designs, but there are some differences, as you will see below.
All cards must include a full-color MasterCard brand mark.
1. MasterCard brand mark. All cards must include a full-color MasterCard brand mark, which is typically displayed in the bottom right corner.
2. MasterCard number. MasterCard card numbers must always start with the number “5” and, similarly to Visa, are 16-digit long. The numbers must be clear and uniform in size and spacing and must appear on one line.
3. BIN number. The first four digits of the card number must be the same as those printed directly below — the pre-printed BIN.
4. Expiration date. A valid card’s expiration date should be in the future and in the format “mm/yy”.
5. Cardholder name. Similarly to Visa cards, MasterCard’s cardholder name is printed on the front of the card.
6. Micro-chip. Some cards carry a chip, which is located above the account number.
7. HoloMag. The MasterCard Hologram, or HoloMag, can be located on the front or back of the card. If located on the front, it will appear above the brand mark. If located on the back, it will be located next to or below the signature panel.
8. Vertical orientation. On some cards, the design and brand mark may be oriented vertically.
9. Signature panel. The signature panel is located on the back of the cards, with the word “MasterCard” printed in multi-colors at a 45?? angle. The last four digits of the account number must be printed in reverse italic letters within the signature panel.
10. Card Verification Code 2 (CVC 2). The three-digit CVC 2 must be printed in reverse italics to the right of the last four digits of the account number within the signature panel.
11. Magnetic stripe. The magnetic stripe must be present and located above the signature panel and appear smooth and straight with no signs of tampering. On some cards the HoloMag tape may be used in place of the magnetic stripe.
Now, there are different MasterCard designs in use today and some of the above identification features may not be present on some of the cards you accept. However, all security features that are present must comply with the above specifications.
American Express
American Express issues the cards with the most unique design in the U.S. and that uniqueness is mostly to be found in the cards’ security features. Yet, just as is the case with Visa and MasterCard, it would only take a few seconds for a well-trained eye to verify that these features have not been tampered with.
There are several different types of American Express designs and not all of the company’s cards will display all of the security features listed below, but most of them will.
1. Account number begins with “3”. All American Express card account numbers are embossed and begin with “37” or “34”. This rule applies to all AmEx cards.
2. AmEx card numbers are 15-digit long. They have no alterations and are spaced in groups of four, six and five digits, like this: “xxxx xxxxxx xxxxx”. In contrast, Visa, MasterCard and Discover numbers are all 16-digit long and are spaced in four groups of four digits.
3. Card Identification Number (CID). CID is AmEx’s equivalent to Visa’s CVV2, MasterCard’s CVC 2 and Discover’s CID. Unlike its competitors who all use three-digit security numbers and place them on the back of their cards, within or immediately to the right of the signature panel, AmEx’s CID is four-digit long and is printed above the embossed account number on the right or left of the card.
4. Cardholder name. The cardholder name is printed in the lower left corner of American Express cards, just as the rival brands do it.
5. Member since. The “Member Since” date is embossed to the right of the expiration date. In contrast, Visa, MasterCard and Discover all place the “Member Since” date (where present) to the left of the expiration one.
6. Expiration date. AmEx’s expiration, or “Valid Thru”, date is embossed above the cardholder name field, in the format “mm/yy”.
7. Centurion image. The Centurion image is located in the middle of most, but not all, AmEx cards and of course is unique to the brand (not to mention trademarked). It is phosphorescent and the words “AMEX” are visible under UV light.
8. Centurion hologram. Some AmEx cards feature a hologram of the Centurion image embedded into the magnetic stripe.
9. Card number within signature field. Also uniquely, the account number is printed within the signature field of most AmEx cards and, of course, must match the embossed one on the front of card and the one printed on the transaction receipt. The rival brands typically print only the last four digits of their card numbers within the signature field (but not always, as I already noted).
10. Signature field. The signature field is located below the magnetic stripe on the back of all AmEx cards, much as it is on Visa, MasterCard and Discover cards. The words “Cardmember Signature” are printed directly underneath it.
Again, let me reiterate that some AmEx cards will not display all of the security features listed above. For example, you will not see the Centurion image on American Express Blue cards and there may be other missing features. However, any security features that are present must adhere to the above specifications.
Discover
The smallest of the four major U.S. card networks uses a card design that is very similar to those of Visa and MasterCard. Of course, there are some unique features, along with the more conventional ones and I’ve listed all of them below.
1. Discover Network. The words “DISCOVER NETWORK” will appear under an ultraviolet light.
2. Discover card number. All Discover card numbers begin with “6” and are 16-digit long. Embossed numbers should be uniform in size and spacing, and extend into the hologram. Unembossed cards may display the account number and expiration date printed flat on the front.
3. Expiration date. As usual, the “Valid Thru” date, which indicates the last month in which the card is valid, is placed underneath the account number and to the right of the “Member Since” date.
4. Business name. A “Business Name” may be embossed below the account name.
5. Stylized “D”. An embossed security character appears as a stylized “D”. However, no stylized “D” is present on unembossed cards.
6. Hologram. Some Discover cards may display a hologram on the card’s face with a globe pierced by an arrow. However, if the card’s back displays a holographic magnetic stripe, there is no hologram on the front.
7. Magnetic stripe. The magnetic stripe should look smooth, with no signs of tampering. Some cards display a holographic magnetic stripe with blue circles.
8. Discover Network on the back. The words “DISCOVER NETWORK” appear repeatedly within the signature panel.
9. Last four digits. The last four digits of the card number are also displayed within the signature panel in reverse indent printing.
10. Card Identification Number (CID). The three-digit CID is printed in a separate box to the right of the signature panel on the back of the card.
11. Discover brand mark. The Discover Network Acceptance Mark will appear on the front and / or back of the card.
How to Validate Credit Card Numbers
Quite apart from spotting a fake credit card by examining its features, there is a way to verify that a card’s number is a real one. This technique is especially useful in e-commerce transactions, where you don’t have the luxury of physically inspecting the card itself. You can build a program that does it for you or just buy one that is already available.
The technique for validating credit card numbers uses the Luhn formula (also known as the Luhn algorithm or the “mod 10” or “modulus 10” algorithm). It is a simple procedure, which verifies a card number in the following three-step process:
Double the value of every odd digit of the card number you are inspecting. If the resulting sum of any given doubling operation is greater than 9 (for example, 6 x 2 = 12 or 8 x 2 = 16), then add the digits of that sum (e.g., 12: 1 + 2 = 3 or 16: 1 + 6 = 7).
Add up all the resulting digits, including the even digits, which you did not multiply by two.
If the total you received ends in 0, the card number is valid according to the Luhn formula; otherwise it is not valid.
Let’s put the Luhn formula to work and inspect a MasterCard card number: “5120415296389632”. Here is what we get when we follow the three-step process I’ve just outlined:
The end result — 70 — ends in 0, which means that our MasterCard number passes the Luhn algorithm test. Of course, the card number’s validity does not eliminate the possibility that the card may still be counterfeit, so you will still need to follow best card acceptance practices.
What to Do to Prevent Credit Card Fraud and Theft
Now that you have the knowledge to identify fake credit cards, here is what you should do to prevent fraud and theft:
Keep an eye on your credit card every time you use it, and make sure you get it back as quickly as possible. Try not to let your credit card out of your sight whenever possible.
Be very careful to whom you give your credit card. Don’t give out your account number over the phone unless you initiate the call and you know the company is reputable. Never give your credit card info out when you receive a phone call. (For example, if you’re told there has been a “computer problem” and the caller needs you to verify information.) Legitimate companies don’t call you to ask for a credit card number over the phone.
Never respond to emails that request you to provide your credit card info via email — and don’t ever respond to emails that ask you to go to a website to verify personal (and credit card) information. These are called “phishing” scams.
Never provide your credit card information on a website that is not a secure site.
Sign your credit cards as soon as you receive them.
Shred all credit card applications you receive.
Don’t write your PIN number on your credit card — or have it anywhere near your credit card (in the event that your wallet gets stolen).
Never leave your credit cards or receipts lying around.
Shield your credit card number so that others around you can’t copy it or capture it on a cell phone or other camera.
Keep a list in a secure place with all of your account numbers and expiration dates, as well as the phone number and address of each bank that has issued you a credit card. Keep this list updated each time you get a new credit card.
Only carry around credit cards that you absolutely need. Don’t carry around extra credit cards that you rarely use.
Open credit card bills promptly and make sure there are no bogus charges. Treat your credit card bill like your checking account — reconcile it monthly. Save your receipts so you can compare them with your monthly bills.
If you find any charges that you don’t have a receipt for — or that you don’t recognize — report these charges promptly to the credit card issuer.
Always void and destroy incorrect receipts.
Shred anything with your credit card number written on it.
Never sign a blank credit card receipt. Carefully draw a line through blank portions of the receipt where additional charges could be fraudulently added.
Carbon paper is rarely used these days, but if there is a carbon that is used in a credit card transaction, destroy it immediately.
Never write your credit card account number in a public place (such as on a postcard or so that it shows through the envelope payment window).
Ideally, it’s a good idea to carry your credit cards separately from your wallet — perhaps in a zippered compartment or a small pouch.
Never lend a credit card to anyone else.
If you move, notify your credit card issuers.
Fraud Victims Should Take Action
In the event that you have become a victim of credit card fraud or identity theft, you should take immediate action:
If your complaint is essentially a non-criminal dispute with a retailer or other business, you must immediately dispute the charge(s) in writing with the customer relations office of your credit card company.
Report the crime to the police immediately. Get a copy of your police report or case number to provide to your credit card company, bank or insurance company.
Immediately contact your credit card issuer(s). Get replacement cards with new account numbers and ask that the old account be processed as “account closed at consumer’s request” for credit record purposes. You should also follow up this telephone conversation with a letter to the credit card company that summarizes your request.
Call the fraud units of the three credit reporting bureaus (see their addresses below). Report the theft of your credit cards and / or numbers. Ask that your accounts be flagged. Also, add a victim’s statement to your report that requests that they contact you to verify future credit applications.Equifax Credit Information Services – Consumer Fraud Div.P.O. Box 105496Atlanta, Georgia 30348-5496Tel: (800) 997-2493www.equifax.comTrans Union Fraud Victim Assistance Dept.P.O. Box 390Springfield, PA 19064-0390Tel: (800) 680-7289www.transunion.comExperianP.O. Box 2104Allen, Texas 75013-2104Tel: (888) EXPERIAN (397-3742)www.experian.com
Keep a log of all conversations with authorities and financial entities.
Only provide your credit card number to merchants you know. Protect your Social Security number. You have to provide your Social Security number for employment and tax purposes, but it is not necessary for many businesses.
Notify the Social Security Administration’s Office of Inspector General if you suspect your Social Security number has been used fraudulently.The Federal Trade Commission (FTC) is the federal clearinghouse for complaints by victims of identity theft. If you have been a victim of identity theft, you can file a complaint with the FTC:
By phone: Toll-free 1-877-ID-THEFT (438-4338) TDD 202-326-2502.
By mail:Consumer Response CenterFederal Trade Commission 600 Pennsylvania Ave, NW Washington, DC 20580.
On the web: www.consumer.gov/idtheftFor Consumer Information: www.ftc.gov/ftc/consumer.htm.
Image credit: Visa.