Remember card fraud?
I get nostalgic for the days of card fraud and the Cold War.
In his fascinating autobiography badass (which ends with his conversion to Judaism in prison!), former Gambino family mobster Louis Ferrante gives a wonderful description of card fraud in the years before cell phones, Transport Layer Security (TLS) and Tik Tok. At the time, Louis’s enterprising accomplices had discovered that it was not necessary to know how to falsify cards very well to engage in counterfeiting, provided you had the right collaborators…
For years, I’ve been fooling around with Sonny’s “dupes,” fake credit cards with real numbers. He sold them to me for a hundred dollars each. Sonny had sales people in retail stores on the spot, increasing credit card receipts…I was visiting a jeweler who was in on the scam and buying a Rolex. If the watch sold for five thousand dollars, I would tell him to touch the card for ten. I would go with the watch. He had made money. Both happy.
What the sages, as I believe they are known, really wanted, rather than Rolex watches and such, was money. Card fraud was a means to that end.
If I knew a guy selling stuff I don’t want, like Paulie Flowers, I’d do a cash split. I would show up and say “play my card for four grand, keep two and give me two when you get paid”. He would tell the card company that he had delivered arrangements for a wedding, and send them a fake bill of sale, and that was it.
Things have changed since then. When the United States Credit Card Fraud Act (1984) was passed, which provided that the use of an account number, without the card itself, could constitute credit card fraud, Petty crimes made up the majority of credit card fraud incidents, but organized crime already accounted for half of the losses.
Since then, organized crime has followed the financial sector and gone global. It’s no longer about opportunistic exploitation and getting pocket money for Saturday night fever, it’s about investment and return on investment. You have to wonder though, in a world where a single decentralized finance hack can net over $600 million and Bitcoin ransomware nets over $5 billion a year, is it still a good investment?
It seems so. In the UK, credit card fraud rates have now reached their highest level in five years as criminals increasingly exploit social media effectively. The European Central Bank’s latest report on card fraud, October 2021, calculates losses at around 3.6 basis points (80% of which comes from “card not present” transactions), which seems manageable. It all adds up though. According to The Nilsson Report, card fraud will result in more than $400 billion in losses worldwide over the next decade. They estimate that by 2030, when total payment card volume is expected to reach $79 trillion, the industry will lose about $49 billion to fraud (about six basis points).
The United States, as always, accounts for a much larger share of card fraud than card volume (although this share has declined over the years due to chip and PIN and other counter-measures). measures). Last year, it was a fifth of global card volume, but a third of global fraud. By 2030, fraud losses in the United States are expected to increase their share of the pie to $17 billion out of a total card volume of nearly $19 trillion.
These numbers seem huge, but compared to the losses of Louis’s time, they are manageable. The invention of tamper-evident chips, PINs, 3D Secure, online authorization, tokenization, etc., means that while card fraud may seem huge, it is reduced to a few basis points by compared to the 14 basis points and the escalation that we have seen in the UK. before beginning the transition to chip and PIN.
What makes me nostalgic for those early days of magnetic tapes and floor limits? Those were simpler times, and I miss them, and the times I consulted card issuers on chip strategies, just like I miss the Cold War when I consulted NATO. But, more specifically, we are now in a new era where payment card fraud is no longer the biggest problem in retail payments.
Last year, authorized push payment (APP) fraud – that is, direct fraud from the account where consumers are tricked into authorizing transfers – increased by three quarters and in the UK, losses from instant payment fraud now exceed losses from card fraud.
This, however, is a fraud I have to worry about as a consumer. The comfort offered to card users is noticeably absent in the postcard world. The New York Times reports on a consumer who lost $500 to a scammer posing as a Wells Fargo official. The consumer, a longtime Wells Fargo customer who immediately reported the Zelle-powered scam, assumed the bank would refund the money, but the bank said (correctly) that since the consumer had authorized the transaction (this he had), it wasn’t fraudulent from their point of view.
(Unfortunately, account-to-account payment has become a focal point for a variety of scammers, including dating app offenders, cryptocurrency scammers, and those prowling social media sites advertising tickets. together and purebred puppies to disappear with buyers’ money after paying – indeed a good friend of mine was surprised by such a scam last year.)
If you think instant payment fraud is a disaster, brace yourself. In the UK, card fraud and APP fraud and other endangered crimes such as check fraud did not total a billion last year, a figure that pales into insignificance in the context of the broader fraud landscape. Across the UK, fraudsters could have stolen up to £37billion Pandemic Support Funds from the Taxpayer, Analysis by Oxford University Researchers Says!
Similarly, terrifying figures can be seen in the United States, as much as $80 billion – or about 10% – of the $800 billion Paycheck Protection Program, has been stolen. This is on top of the $90 billion to $400 billion that NBC News report was stolen (at least half taken by international fraudsters) from the $900 billion Covid unemployment relief program on top of something like another $80 billion looted from a separate Covid disaster relief program . NBC quotes Justice Department Inspector General Michael Horowitz, who oversees Covid relief spending, as saying Covid relief programs were structured to make them “ripe for looting” and Matthew Schneider, a former US attorney from Michigan calling it “the biggest fraud in a generation”.
When card fraud got out of control, the industry responded with chip and PIN, EMVCo and 3D Secure. So what’s going to keep all these new frauds from spiraling out of control now? Well, I’ve always been of the view that the real issue is identity and that banks should work together to provide the crucial digital identity that society needs to transact securely. That’s why I was so interested to see that Early Warning Services (EWS) and seven of the largest banks in the United States launched Authenticatea new identity verification service for consumers and businesses.
When consumers visit a participating site, they can choose to be redirected to log in through their bank and then share their bank details with that company, providing a safe and secure means of identity verification. The bank will encrypt the data and transmit it to the company (or the ministry, or whoever) so that consumers can access the services using personal information that the receipt can trust.
This is an important announcement. As Tom Noyes succinctly responded to the launch, banks have have largely lost their data advantage in the identity of the consumer. Authentify is their opportunity to regain ground against Big Tech. As a consumer, I would much rather log in to access Pandemic Assistance using my bank ID, and since my bank is a regulated institution with some security experience, I would trust to take good care of my data and not get hacked all the time. On the other hand, the government department could be sure that I am a real person and that the data they receive is valid.
It makes sense and it is a long overdue decision. But this can have implications beyond the loan application. A bank ID is valuable, even if no personal information is shared. Imagine seeing a green tick on a social media site or on an internet dating site or on the Companies House register or on an online marketplace. This would tell you that the account is a real person who logged in through their bank. You wouldn’t know who they are, or what bank, or anything else about them, but you would know that they are real and that a bank, through rigorous KYC, knows who they are. they break the law.
The benefits of a functional digital identity infrastructure go beyond the exchange of validated personal information.