CNP credit card fraud...? Verified by visa vulnerability

C_Mababejive

Hello,

I am just wondering, have you ever been a victim of CNP credit card fraud and if so,what were the circs?

I strongly suspect that a large proportion of such fraud is initiated or assisted by people who actually work in the industry.


CNP= Customer not present so the purchase is remote be it via the phone,internet or whatever...in essence,you are not physically there and inputting a pin into a sales terminal.

m_13

Cardholder Not present (CNP) fraud has been responsible for the highest proportion of plastic card fraud since Chip and Pin was introduced.

I'm sure some does involve people responsible for taking the payments but PCI compliance means that your three digit security code will no longer be able to be stored by any company other than your bank and so is required to be re-entered when you make a repeat transaction. This in theory, along with masking the full card number other than to supervisors and stopping the recording of the card details when audio recordings are made for quality purposes (all part of PCI compliance) should all reduce your exposure.

Has your card been used for CNP and you don't know about it? Where were the goods delivered?

izools

C_Mababejive wrote: »

Hello,

I am just wondering, have you ever been a victim of CNP credit card fraud and if so,what were the circs?

I strongly suspect that a large proportion of such fraud is initiated or assisted by people who actually work in the industry.


CNP= Customer not present so the purchase is remote be it via the phone,internet or whatever...in essence,you are not physically there and inputting a pin into a sales terminal.

Does this constitute fraud?

My friend ordered chinese takeaway for home delivery last week and paid by card over the phone. The receipt from the PDQ states "Customer Present - Signiature Authorised" despite him obviously not being present

m_13

Forgot to say that Verified by Visa and Mastercard Secure on Internet purchases have also made a difference to fraud levels as it adds an extra level of security.

If a company don't use any kind of address verification (to match the delivery address to the cardholder's billing address) and accept the 16 digit PAN (card number) and expiry date only then they are an easy target for fraudster who have only the 16 digit PAN and expiry number but not the security code.

izools - I would be suspicious of your friend's transaction as he was obviously not there!

hippey

izools wrote: »

Does this constitute fraud?

My friend ordered chinese takeaway for home delivery last week and paid by card over the phone. The receipt from the PDQ states "Customer Present - Signiature Authorised" despite him obviously not being present

Not fraud, but I suspect the take-away may not be authorised to accepted CNP transactions.

C_Mababejive

I have not been the victim of CNP fraud but i know of a number of cases..

a) A person had applied for a new affinity CC ,the card arrived and the only thing that the person did was open the envelope,look at the card,put it back in the envelope and put it in the cupboard. The card remained glued to its backing letter and was never used and yet a few month later a bill arrived with a CNP transaction for a Western Union transfer for quite a few hundred pounds ISTR.

This points to me that it was an inside job either within visa ,or the distribution chain. I suspect much fraud also occurs within the post office i.e stealing from the mail,opening and resealing envelopes and rubbing up envelopes.



b) A person received an auto email from Verified by visa telling them their verification code had been changed. The email was genuine and of course,the card user hand not changed the code. Card user immediately phones card issuer to alert them. Call handler checks and blusters saying there seems to be no record on the system and that it must be a glitch. Card holder still concerned and a few days later sees big transaction with on line retailer on account (on line). Phones card issuer again to alert,they check,yes it has happened...give details of merchant and ask card holder to phone merchant! .Card holder phones merchant and they hold back delivery of item and give some indication of name/address that it was going to go to(only name and town). Question-why didnt card merchant be more vigilant when first alerted?,Why did retailer accept an order to be delivered apparently to another address other than the card holders?


I suspect that there is still a lot of fraud going on and that the so called security measures are not as tight as they would have us believe. Card companies are happy to tolerate/manage losses because of the vast profits and also because they can off hand them to retailers.

I can think of ways to bypass the verified by visa check and I'm not an expert!

chexum

hippey wrote: »

Not fraud, but I suspect the take-away may not be authorised to accepted CNP transactions.

Then how did they do it? I would think a card/cardholder present transaction would need a physical swipe so that they access the magstripe data to prove it was there, or have a top copy/imprint of the card, neither of those should have been available to them when they printed the receipt... :eek:

C_Mababejive

Further to my posting above...

I have been doing some hacking around.

Do people think that Verified by visa is secure and the last word in online security..?

No....

In order to change your VBV password,all that is needed by the hacker is to have sight of your card and then do a little homework on the internet.


They can then change your VBV password and go shopping.

But if the password is changed,what happens? Does your card issuer email you?

I only ask as ive just changed mine and not had any notification whatsoever of the change.

Also a quick google reveals many people receiving such change notifications from [EMAIL="cardprovider@securesuite.net"]cardprovider@securesuite.net[/EMAIL]

The domain securesuite.net resides at an address in Virginia and purports to be associated with EMC2/RSA and yet EMC/RSA on their corporate website doesnt list that address.

The mystery deepens..

EDIT..i have now come to the conclusion that Verified by Visa/ Mastercard Securecode are a joke,simple to bypass and just act as another layer of protection for the card issuers,not the card holder. Far better NOT to sign up for them and simply memorise your CVV number,then cross it off with a black felt tip pen to stop scamsters noting down your details.

hippey

chexum wrote: »

Then how did they do it? I would think a card/cardholder present transaction would need a physical swipe so that they access the magstripe data to prove it was there, or have a top copy/imprint of the card, neither of those should have been available to them when they printed the receipt... :eek:

But you can normally key enter any card number into a terminal and as long as it is correct it will accept it, it is a fall back method. You normally get the option of entering CP or CNP before the amount.