Card fraud overview




		TYPES OF FRAUD 2004 plastic card fraud on UK-issued cards Card-not-present £150.8m (+24% from 2003) Counterfeit £129.7m (+17%) Lost and stolen £114.4m (+2%) Mail non-receipt £72.9m (+62%) Identity theft £36.9m (+ 22%) Total: £504.8m (+20%) Contained within this total: Fraud abroad £92.5m (-11%) Cash machine fraud £74.6m (+81%) Internet fraud £117.0m Why has card fraud gone up? Plastic card fraud losses on UK-issued cards rose by 20 per cent in 2004 because the organised criminal groups responsible have increased their illegal activities before the full security benefits of chip and PIN are realised. From 2005 onwards we expect to see a decline in domestic counterfeit and lost and stolen card fraud due to the implementation of chip and PIN. Plastic card fraud losses on UK-issued cards 1995-2004 1995: £83.3m (-14%) 1996: £97.1m (+17%) 1997: £122.0m (+26%) 1998: £135.0m (+11%) 1999: £188.4m (+40%) 2000: £317.0m (+68%) 2001: £411.5m (+30%) 2002: £424.6m (+3%) 2003: £420.4m* (-1%) 2004: £504.8m (+20%) Card-not-present fraud - £150.8m in 2004 Fraud on phone, Internet, mail order or fax transactions Card-not-present (CNP) fraud is perpetrated through the theft of card details for use in non face-to-face transactions and is now the largest type of card fraud in the UK. The problem in countering this type of fraud lies in the fact that neither the card nor the cardholder is present at a till point in a shop. This means that: · CNP businesses are unable to check the physical security features of the card to determine if it is genuine · Without a signature or a PIN it is not easy to confirm that the customer is the genuine cardholder · Card issuers cannot guarantee that the information provided in a card-not-present environment has been given by the genuine cardholder A number of initiatives are available to help CNP businesses protect themselves from card-not-present fraud. What is card-not-present fraud? This crime most commonly involves the theft of genuine card details that are then used to make a purchase through a remote channel such as the phone, Internet, fax or mail order. The legitimate cardholder may not be aware of this fraud until they check their statement. (Cardholders should keep cards safe and in sight at all times and discard receipts carefully - shred or rip them up first - and always check statements for unfamiliar transactions) Card-not-present fraud losses on UK-issued cards 1995: £4.6m (+84%) 1996: £6.5m (+41%) 1997: £10.0m (+54%) 1998: £13.6m (+36%) 1999: £29.3m (+115%) 2000: £72.9m (+149%) 2001: £95.7m (+31%) 2002: £110.1m (+15%) 2003: £122.1m (+11%) 2004: £150.8m (+24%) Counterfeit card fraud - £129.7m in 2004 Counterfeit card fraud increased by 17 per cent to £129.7 million in 2004 - the main reason being an increased effort by organised criminals to commit this type of fraud before chip and PIN prevents them. Once we reach the situation where - to all intents and purposes - all face-to-face card purchases are made with chip and PIN, we expect to see significant reductions in counterfeit card fraud losses. What is counterfeit card fraud? A counterfeit, cloned or skimmed card is one that has been printed, embossed or encoded without permission from the card company, or one that has been validly issued and then altered or recoded. Most cases of counterfeit fraud involve skimming, a process where the genuine data on a card's magnetic stripe is electronically copied onto another, without the legitimate cardholder's knowledge. Skimming often occurs at retail outlets - particularly bars, restaurants and petrol stations - where a corrupt employee skims a customer's card before handing it back, then sells the information on higher up the criminal ladder where counterfeit cards are made. Often cardholders are unaware of the fraud until a statement arrives showing purchases they did not make. Since mid-2003, organised criminal gangs have adapted skimming devices for use at cash machines. (Cardholders should keep their cards in sight at all times when making a transaction and always check their statements for transactions they did not make) Counterfeit fraud losses on UK-issued cards 1995: £7.7m (-20%) 1996: £13.3m (+73%) 1997: £20.3m (+53%) 1998: £26.8m (+32%) 1999: £50.3m (+88%) 2000: £107.1m (+113%) 2001: £160.4m (+50%) 2002: £148.5m (-7%) 2003: £110.6m (-26%) 2004: £129.7m (+17%) Lost and stolen card fraud - £114.4m in 2004 Fraud on lost and stolen cards amounted to £114.4 million in 2004. This type of card fraud has remained fairly static for the past five years, but a decrease is expected once chip and PIN is fully rolled out in the UK. The banking industry has a number of initiatives in place to tackle lost and stolen card fraud: · Chip and PIN will significantly reduce this type of fraud as criminals will not be able to use a stolen card in a face-to-face transaction, as they will not know the PIN. · A retailer education programme, run by APACS since 2001, provides help for shop staff on how to detect stolen and counterfeit cards at the point-of-sale. An online version of this retailer training programme is also available. · Intelligent computer systems that can track customer accounts for unusual spending patterns. · An Industry Hot Card File enables retailers to electronically check whether a card has been reported lost or stolen. What is lost and stolen card fraud? This category covers fraud on cards that have been reported by the cardholder as lost or stolen. Most fraud in this category takes place in shops before the cardholder has reported the loss. (Cardholders should report a missing card to their issuing bank immediately to enable the card to be blocked) Lost and stolen fraud losses on UK-issued cards: 1995: £60.1m (-15%) 1996: £60.0m (+0%) 1997: £66.2m (+10%) 1998: £65.8m (-1%) 1999: £79.7m (+21%) 2000: £101.9m (+28%) 2001: £114.0m (+12%) 2002: £108.3m (-5%) 2003: £112.4m (+4%) 2004: £114.4m (+2%) Mail non-receipt fraud - £72.9m in 2004 This type of fraud increased 62 per cent to £72.9m in 2004, representing just over 14 per cent of total fraud losses. The main reason behind this large increase is the fact that the rollout of chip and PIN resulted in more cards than ever before being issued last year. In August 2004, for instance, 8.7 million cards were issued - 281,000 per day. This meant that the opportunity for this type of fraud to take place was increased. However, the cards and PINs are sent out separately making it harder for criminals to obtain both and as chip and PIN becomes more widespread the number of shops where a criminal can use a stolen card without a PIN will decrease. The banking industry is working with all the organisations it uses to deliver its cards to monitor card losses, identify fraud hot spots and take preventative action - for example asking cardholders to collect cards from a branch in person, requiring cardholders to phone their card companies before cards can be used, or using more secure couriers. What is mail non-receipt fraud? This type of fraud involves cards being stolen in transit - after card companies send them out and before the genuine cardholders receive them. Particularly at risk for this type of fraud are properties with communal letterboxes, such as flats and student halls of residence. (Contact your issuing bank if you are concerned about the safe delivery of a plastic card) Mail non-receipt fraud losses on UK-issued cards 1995: £9.1m (-24%) 1996: £10.0m (+10%) 1997: £12.5m (+25%) 1998: £12.0m (-4%) 1999: £14.6m (+22%) 2000: £17.7m (+21%) 2001: £26.8m (+51%) 2002: £37.1m (+38%) 2003: £45.1m (+22%) 2004: £72.9m (+62%) Identity theft - £36.9m in 2004 Although identity theft currently accounts for seven per cent of overall card fraud, the UK banking industry is preparing for a possible rise once chip and PIN makes its impact, as criminals will look for different ways to perpetrate fraud. It is estimated that more than 100,000 people are affected by all types of identity theft in the UK each year, costing the British economy over £1.3 billion annually. What is identity theft on a card account? ID theft on cards occurs when a criminal uses fraudulently obtained personal information to open or access card accounts in someone else's name. There are two types: Application fraud (£13.1m in 2004) Application fraud involves criminals using stolen or false documents to open an account in someone else's name. Criminals steal documents such as utility bills and bank statements to build up usable information. Alternatively, they may use counterfeit documents for identification purposes. This type of fraud decreased by 14 per cent year-on-year. Account take-over (£23.8m in 2004) By obtaining key personal information, criminals are able to take over the running of a genuine cardholder's account. By pretending to be the genuine cardholder, the criminal will try to deceive the bank or card company and arrange for payments to be taken from the account. The criminal will also instruct the bank to change various details of the account, such as the address, and then ask for new cards and chequebooks to be sent out. (Discard personal information with care - shred it if possible) Identity theft losses on UK-issued cards 1995: £1.8m (+50%) 1996: £7.2m (+300%) 1997: £13.1m (+82%) 1998: £16.8m (+28%) 1999: £14.4m (-14%) 2000: £17.4m (+21%) 2001: £14.6m (-16%) 2002: £20.6m (+41%) 2003: £30.2m (+47%) 2004: £36.9m (+22%) GLOSSARY authorisation The process whereby a merchant (or a cardholder through a cash machine) requests permission for the card to be used for a particular transaction. biometrics Biometric methods of identification work by measuring unique human characteristics as a way to confirm identity. Examples are finger or iris scanning or dynamic signature verification. card issuer A bank, building society or other financial institution that issues payment cards, cash machine cards or cheque guarantee cards to its customers. For payment cards, the card issuer undertakes responsibility to settle transactions made with the card (except in some cases where fraud is present). card-not-present (CNP) A transaction where the merchant, retailer or other service provider does not have physical access to the payment card; examples are transactions by phone, fax, mail order or Internet. card schemes Card schemes set the business rules that govern the issue of the payment cards that carry their logo. Typically, these rules apply throughout the world to ensure interoperability of cards. In many countries, domestic schemes also operate. The schemes operate the clearing and settlement of payment card transactions. In the UK, banks and building societies must be members of the appropriate scheme to issue cards and acquire card transactions. Examples of international card schemes in the UK are Visa, MasterCard, American Express and Diners Club. Switch is a UK domestic debit card scheme. Card Security Code (CSC) The last three or four digits of a number printed on or just below the signature panel on payment cards - this code was formerly called the CV2. charge card A payment card, enabling holders to make purchases and to draw cash up to a pre-arranged ceiling, the terms of which include the obligation to settle the account in full at the end of a specified period. Cardholders are normally charged an annual fee. cheque guarantee card Also known as a cheque card. A card issued by a bank or building society for the purpose of guaranteeing payment by, or supporting the encashment of, a cheque up to a specified value (£50, £100 or £250). All cheque guarantee cards in the UK Domestic Cheque Guarantee Card Scheme depict the bust of William Shakespeare in either the cheque guarantee hologram or logo on the card. chip card Also known as an integrated circuit (IC) or smart card. A chip card holds details on a secure computer microchip that can store and process information. Chip cards usually also have a magnetic stripe. counterfeit (cloned/skimmed) card A dummy or fake card that has been printed, embossed or encoded so as to appear to be a legitimate card, or a card that has been validly issued but subsequently altered or re-encoded. credit card A payment card enabling holders to make purchases and to draw cash up to a pre-arranged ceiling. The credit granted can be settled in full by the end of a specified period or can be settled in part, in which case interest is charged. In the case of cash withdrawals, interest is normally charged from the transaction date. Cardholders may be charged an annual fee. debit card A payment card linked to a bank or building society account, used to pay for goods and services by debiting the holder's account; usually also combined with other facilities such as cash machine and cheque guarantee functions. electronic commerce (e-commerce) Transactions that are conducted over an electronic network where the buyer and merchant are not at the same physical location e.g. plastic card transactions via the Internet. electronic purse Also known as e-purse or a pre-payment card. A stored-value payment card used to pay for goods and services. It is an alternative to cash. The card can be disposable or reloadable. The stored value is reduced as payments are made. EMV The internationally agreed standards for chip payment cards, originally agreed by Europay, MasterCard and Visa. EMV standards are maintained by EMVCo, an organisation owned and managed by MasterCard and Visa. encryption A method of making information secret, so that only a person who knows the necessary key or password can understand or decrypt the information. floor limit A limit on the value of each transaction, agreed between the merchant and acquiring bank, above which authorisation must be obtained by the merchant. Industry Hot Card File (IHCF) A computerised list of reported lost and stolen cards, available to merchants to assist in the identification and prevention of fraudulent transactions. intelligent detection systems Computer systems developed by the banking industry to help identify fraudulent card use. Also known as knowledge-based systems and neural networks. magnetic stripe The magnetic stripe that currently appears on the back of all payment cards issued by financial institutions. It contains essential customer and account information, most of which is usually also embossed on the card. MasterCard An international card scheme. PIN (personal identification number) A set of numeric characters, usually a four-digit sequence, used by the cardholder to verify identity at the point-of-sale or a customer activated device, such as a cash machine. The number is generated by the card issuer using a secure computerised process when the card is first issued and may be changed by the cardholder thereafter. PIN pad The numeric pad into which a cardholder enters their PIN to authorise a transaction. PIN pads may be fixed or portable. PMO Programme Management Organisation. An independent, not-for-profit body responsible for co-ordinating the chip and PIN project on behalf of the banking and retailer industries. point-of-sale (POS) The physical location, such as a check-out, till or sales point, where a customer pays for goods or services. skimming The most prevalent form of counterfeit fraud whereby a card's magnetic stripe details are electronically copied without the legitimate cardholder's knowledge and put onto another card. Visa An international card scheme. USEFUL CONTACTS APACS / Card Watch Switchboard 020 7711 6200 Sandra Quinn, director of corporate communications 020 7711 6234 07768 044656 sandra.quinn@apacs.org.uk Jemma Smith, communications manager 020 7711 6340 07811 113075 jemma.smith@apacs.org.uk Mark Bowerman, communications executive 020 7711 6251 07799 627256 mark.bowerman@apacs.org.uk APACS is the UK trade association for payments. It provides the forum for the UK's financial institutions to come together on non-competitive issues, to develop banking systems for the future and to provide innovation and developments in payments. It is also the banking industry voice on payments issues such as plastic cards, card fraud, cheques, electronic payments and cash. © APACS (Administration) Ltd April 2005 (Association for Payment Clearing Services) Mercury House, Triton Court, 14 Finsbury Square, London, EC2A 1LQ www.apacs.org.uk