Electronic Commerce Insecurity
RSnake
October 10, 2002

Credit cards and wire transfers constitute an ever-growing percentage of monetary exchange. It is becoming less and less common to see people using cash for transactions. In fact, printing cash is expensive for the government, and cash is untraceable during exchange. Even having large quantities of cash is suspicious. Getting pulled over on the freeway with $10,000 in cash on you raises eyebrows, while a wallet full of credit cards or a checkbook goes unnoticed. It would behoove the US government to push towards electronic forms of currency, and more and more that is becoming reality.

The problems lie in the electronic interchange safeguards, or lack thereof. The problems are vast, and the government has been slow to devise new regulations or security measures that combat them. Rather, the government spends most of its time combating the individual crimes themselves. Building better laws to stop credit card fraud is only half the problem. It is the infrastructure itself that is flawed.

As technology advances and the number of people using new means to transmit money grows, it becomes increasingly complex to fix the problems. This has led to a few optional security precautions, while opening the average US citizen to a worldwide landscape of new criminals.


Credit Card Fraud

The most common form of fraud is one of the leading causes of consumers' reluctance to participate in electronic commerce. Simple credit card fraud is dangerous and does not yield high returns, but it is so prevalent that it is worth mentioning. Credit card companies have made a business out of mitigating risk through countermeasures and absorbing a certain amount of loss before resorting to investigation.

In some cases the victim has simply misplaced a credit card and the criminal picks it up. In other cases the numbers are stolen while the card is in use at gas stations or at point-of-sale terminals at local merchants. In still others, the card number is intercepted in transit or stolen from the merchant's website and used by the criminal. There are so many different ways to get credit card information that the issuing banks simply cannot eliminate the theft. So the issuing banks instead look for countermeasures.

One countermeasure is to ask the consumer to read off the three- or four-digit number that does not get sent in a normal card-present transaction. MasterCard calls this number the Card Validation Code (CVC) and Visa calls it the Card Verification Value (CVV); it is usually printed only in the signature box on the back of the card, so it is not captured by a skimmed magnetic stripe or an old receipt. Since checking the CVC or CVV is a best practice left to the merchant rather than a requirement, it does not protect every transaction.

Another countermeasure is the Address Verification System (AVS), where the merchant checks the billing address the customer supplies against the address the issuing bank has on file, and can then insist on shipping only to that billing address. This check is again up to the merchant, not a standard or a requirement, so it does not protect every transaction. When this infrastructure is not available, the merchant will sometimes ask the customer for the toll-free phone number of the issuing bank so it can verify the account information. This is the appearance of security rather than a countermeasure: the toll-free number can belong to the scam artist, who only needs a convincing-sounding answering service.

Most credit card fraud relies on the fact that most merchants neither confirm that the shipping address matches the billing address nor require the consumer to supply the CVC or CVV. The only standard that works to protect the consumer in every transaction is the charge back.


Charge backs and Accountability

To combat fraud and to protect consumers, Visa and MasterCard, which are owned by their member banks, have instituted charge backs. If the consumer feels they have not received the service or product as advertised, the consumer can dispute the charge with the issuing bank, which charges it back to the merchant that charged the card.

Normally the consumer finds a product or service and authorizes the merchant to charge the credit card. The merchant submits the charge through its merchant bank, which contacts the card's issuing bank for the funds. The issuing bank deducts the amount from the individual's credit account and sends the funds back down the line, and they land in the merchant's account minus any fees or reserves imposed by the merchant bank.

When funds are charged back because the customer did not authorize a transaction or goods were not delivered, the customer contacts the card's issuing bank. The issuing bank contacts the merchant bank, which automatically pays the issuing bank and then recovers the amount from the merchant's account or reserves. If this happens often, fines can be imposed on the merchant to deter fraud.


Nigeria Scam

Nigeria scams (also called the 419 or Advance Fee scam) have stolen sums in the billions of dollars from the United States. According to the 419 Coalition, these scams are estimated to be the third- to fifth-largest industry in Nigeria, and they keep the Secret Service busy trying to repatriate funds to the unwitting citizens unlucky enough to be taken in.

The Nigerian scam asks the individual to act as an intermediary in the transfer of millions of dollars, supposedly to protect the funds from being taxed or seized by the Nigerian government. In exchange for access to the victim's bank account numbers, the scam artist promises to leave a modest 10% of the fictitious transaction in the victim's account. Of course, after collecting some "obligatory" fees, the scammers simply withdraw everything from the victim's personal account.

The US government has requested and received some cooperation from the Nigerian government to help root out the problem by shutting down any banks taking part in the scam. This combats this particular threat, but not the overall problem. In actuality, it creates another threat.

An international conference on Advance Fee fraud was held in New York on September 19th. President Olusegun Obasanjo explained that this scam has done incredible damage to Nigeria. Undoubtedly it damages Nigeria, because fewer and fewer people and businesses are willing to do business with the corrupt banks that infest that nation.

Further, a malicious person intent on harming a legitimate Nigerian bank could simply transfer a large sum electronically into an account at that bank and then report it as stolen in a Nigerian scam. Once shutting down participating banks is the remedy, this could damage the reputation of even the most legitimate institutions in that country.


The Malicious Entrepreneur

Charge backs protect the individual consumer from liability, but they do not stop a merchant from attempting fraud. The most important issue is that any merchant can pull funds from any card account and move them on as wire transfers. This threat has multiple forms and can be exploited in numerous ways.

It is trivial to get hold of a major organization's account information. Overpaying a large company is an easy way to receive a refund check drawn on its accounts payable account, and the check carries the account number. The IRS refund account is one instance: every year millions of dollars are available in it on or around the last day of tax season, and funds could be pulled from that account. For the average criminal there is high risk involved with this type of account, for obvious reasons.

Credit cards usually have limits of hundreds or even thousands of dollars. Typically a few hundred dollars can be moved without the bank's security department calling the consumer; larger amounts risk scrutiny. The other advantage to a scammer pulling from a credit card is that up to a full month can pass before the consumer sees the charge on a monthly statement.

One might ask how that helps the scammer, since after a month the charges can still be charged back. That is true, but the only party liable in a charge back is the merchant, and a merchant account can itself be used as a pawn in a scamming operation. All that is required to wire money is access to a bank. A merchant account is authorized by the bank to use its connections to VISA/MIPS and the EDI to transfer monies anywhere it chooses. The only safeguard here protects the consumer; the merchants and banks are not protected from being used.

One possible scam, which we will call the man in the middle merchant scam, requires only that the scammer have access to an offshore account and a merchant account. The scammer first charges the cards, so that the funds settle into the merchant account at the merchant bank. The funds are then wired out of the merchant account into another account elsewhere (offshore). When the issuing banks later demand the charge backs, the merchant bank repays them from the merchant's reserves and account until nothing is left. This leaves a trace to an offshore account, but the scammer could be long gone, since the money left the cards weeks earlier.

The merchant banks are prepared to take some loss in this regard, as they expect scamming is most likely to happen at this level of the funds exchange. There is, however, no safeguard for the merchant. If a malicious person were to hijack a legitimate merchant's account and use it to transfer large amounts of credit card funds out of the country, that merchant would most likely be the chief suspect. And if the charge backs exceed what the merchant's account and reserves can cover, the merchant bank itself absorbs the remaining loss.

The only trace for investigators in a man in the middle merchant scam would be an offshore account number, used to move the funds outside the country. A dubious way to regain funds, at best.
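The settlement flow described under "Charge backs and Accountability" and the man in the middle merchant scam above can be made concrete with a small ledger simulation. The following is an added example, not code from the original article: it tracks each party's balance through the forward flow (issuer funds the sale, merchant bank takes a fee and a reserve, the rest lands in the merchant's account) and the reverse flow on a charge back (merchant bank repays the issuer at once, then recovers from the merchant's account, then the reserve, and eats whatever is left). The 3% fee, 10% reserve, the assumption that the merchant bank keeps its fee on a charged-back sale, and all card amounts are constructed assumptions; amounts are integer cents.

```python
"""Card settlement and charge-back ledger (added example, not from the original article).

Models the flow the article describes: consumer -> merchant -> merchant bank ->
issuing bank, and the reverse on a charge back, plus the "man in the middle
merchant" scam. Fee and reserve rates, the fee-retention rule and every amount
are constructed assumptions. Amounts are integer cents to avoid float rounding.
"""
from __future__ import annotations
from dataclasses import dataclass, field

FEE_PCT = 3        # assumed discount rate the merchant bank keeps on each sale
RESERVE_PCT = 10   # assumed share of each sale the merchant bank holds in reserve


@dataclass
class Ledger:
    consumer_owes: int = 0   # what the consumer will see on the monthly statement
    issuer: int = 0          # issuing bank's cash position
    acquirer: int = 0        # merchant bank: fees earned minus losses it absorbs
    reserve: int = 0         # merchant bank's hold-back against this merchant
    merchant: int = 0        # merchant's deposit account at the merchant bank
    offshore: int = 0        # account the scammer wires into
    settled: dict = field(default_factory=dict)   # txn id -> gross amount, until charged back

    def charge(self, txn: str, amount: int) -> None:
        """Forward flow: issuer funds the sale, merchant bank takes fee and reserve,
        the remainder lands in the merchant's account."""
        fee = amount * FEE_PCT // 100
        held = amount * RESERVE_PCT // 100
        self.consumer_owes += amount
        self.issuer -= amount
        self.acquirer += fee
        self.reserve += held
        self.merchant += amount - fee - held
        self.settled[txn] = amount

    def wire_out(self, amount: int) -> None:
        """Whoever controls the merchant account wires funds offshore."""
        if amount > self.merchant:
            raise ValueError("merchant account does not hold that much")
        self.merchant -= amount
        self.offshore += amount

    def charge_back(self, txn: str) -> dict:
        """Reverse flow: merchant bank repays the issuer immediately, then recovers
        from the merchant's account, then the reserve; whatever is left, it absorbs.
        Returns who covered how much (the fee is assumed to stay with the merchant bank)."""
        amount = self.settled.pop(txn)
        self.issuer += amount
        self.consumer_owes -= amount
        from_merchant = min(amount, self.merchant)
        self.merchant -= from_merchant
        from_reserve = min(amount - from_merchant, self.reserve)
        self.reserve -= from_reserve
        from_acquirer = amount - from_merchant - from_reserve
        self.acquirer -= from_acquirer
        return {"merchant": from_merchant, "reserve": from_reserve, "acquirer": from_acquirer}


def honest_dispute(amount: int) -> tuple[Ledger, dict]:
    """One sale, one charge back, with the merchant still holding the funds."""
    ledger = Ledger()
    ledger.charge("sale", amount)
    return ledger, ledger.charge_back("sale")


def mitm_merchant_scam(card_amounts: list[int]) -> Ledger:
    """The article's scam: charge many cards, wire the merchant balance offshore
    before statements arrive, then let every charge back come in."""
    ledger = Ledger()
    for i, amount in enumerate(card_amounts):
        ledger.charge(f"card{i}", amount)
    ledger.wire_out(ledger.merchant)      # drain the account while the consumers are still unaware
    for txn in list(ledger.settled):
        ledger.charge_back(txn)           # a month later, every charge comes back
    return ledger


if __name__ == "__main__":
    _, covered = honest_dispute(30_000)
    print("honest merchant, one dispute covered by:", covered)
    # constructed card charges, in cents
    final = mitm_merchant_scam([30_000, 25_000, 40_000, 20_000])
    print("scam: consumer owes", final.consumer_owes, "issuer", final.issuer,
          "merchant", final.merchant, "reserve", final.reserve,
          "merchant bank", final.acquirer, "offshore", final.offshore)
```

Running the scam scenario shows the accountability gap the article describes in numbers: the consumers owe nothing and the issuer is made whole, the merchant account and reserve are both zero, and the merchant bank's net position is negative by exactly the amount sitting in the offshore account. In the honest case the same charge back is covered by the merchant's own balance and reserve, and the merchant bank's retained fee offsets the small remainder.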


The Malicious Nation

The Nigerian scam and the merchant scam could also be run on a mass scale, including as terrorist activity. Because of how damaging this can be, not just to a merchant but to the merchant banks as well, a terrorist group or hostile nation could use it as a form of attack.

When combined with other forms of large-scale attack, such as destruction of military or civilian targets, chemical or germ warfare, or flash worms that disable a quarter of the addressable Internet in a matter of minutes, a malicious nation could further damage the US economy.

Each merchant bank could be individually targeted, not for the purpose of amassing stolen funds, but for the purpose of damaging faith in electronic banking and the whole national banking infrastructure, with no accountability. The destruction of the World Trade Center damaged the US economy. Imagine the damage to faith in the US economy when it becomes clear how vulnerable the dollar is.


Conclusions

Electronic monetary data exchange is the wave of the future and it is inevitable that it will take over as the most common form of currency exchange. It is important to not only embrace the new technology, but also embrace the responsibility it carries.

While the United States is forward-thinking, and its laws push us to be civil towards our fellow citizens, they do not protect us from countries with less developed legal systems. Likewise, our laws do not protect us from the flaws of the infrastructure itself.

The problem is like that of a neighborhood in which the locks on every door are broken. If a kid walks in and steals or vandalizes something in one of the houses, is the community better off spending its resources finding and prosecuting the kid, or fixing all the locks?

The only answer to these problems is revamping the electronic data interchange and the methods by which member banks accept electronic transfers. That can only come about through strict fiduciary policy requirements placed on all the member banks, compelling them to revamp their infrastructure. The main obstacle is cost, which will be prohibitive and will push back full consumer acceptance considerably.

Another possible measure to reduce Nigerian scams is to hold all transactions with nations that do not have an acceptable use policy with the United States regarding electronic financial transfers. This would be similar to an economic trade embargo, although it would not stop transactions; it would simply hold them while the details of the transfer were reviewed.

Although these drastic changes are cumbersome and difficult to implement, if they are made slowly and gradually these issues could be largely reduced. The problem may seem out of our hands, but we are the people whom it will ultimately affect.