Credit Card Fraud Detection: The Complete Guide

Credit card fraud is on the rise and, according to the Nilson Report, it’s projected to reach a staggering $38.5bn by 2027. So how do you detect credit card fraud? And why is it so common? Find all the answers below.

What Is Credit Card Fraud Detection?

Credit card fraud detection is a set of methods and techniques designed to block fraudulent purchases, both online and in-store. This is done by answering two key questions:

• Am I dealing with the right cardholder?
• Does the purchase seem to be legitimate?

Depending on the kind of detection tools your company uses, you may answer these questions in real-time or retroactively. In that sense, credit card fraud detection can be either a prevention measure or a way to investigate previous transactions. 

How Does Credit Card Fraud Occur?

Credit card fraud can happen for one of two reasons:

• A criminal got hold of someone else’s credit card details.
• The cardholder is not being honest.

The latter is called friendly fraud, and it can be challenging to detect. In some scenarios, the cardholder will say that the card has been stolen whereas, in fact, they were the one who made the purchase but claim otherwise.

If this happens too often, it can ultimately result in high chargeback rates.

How Do Fraudsters Get Credit Card Numbers?

It’s easier and cheaper than you might think to acquire credit card numbers online. There are thousands of marketplaces dedicated to selling and buying them, both on the clearnet and darknet. In fact, a report by The Guardian claims you may find prices as low as $17 per card.  

The reason so many sets of numbers are available is that criminals have plenty of options for acquiring them. Here are just a few.

Theft

The first method is plain and simple theft: Criminals steal or gain access to physical cards and use them. 

Contactless payments require no verification, so it’s easy to use someone else’s card without a PIN or signature. Criminals also sell the credit card details online, to be used in card not present fraud scenarios. 

Skimming and Cloning

Card skimming and cloning is the act of making unauthorized copies of credit card details. This is done with special equipment known as a skimmer. 

The skimmer machine is designed to capture card details and can be installed on top of a legitimate card reader. Once the details are captured, they can be used to make purchases online, or physical duplicates of the original card. 

According to Nilson Report, card skimming and cloning cost cardholders an average of $28.65bn per year. 

Account Takeover

An account takeover happens when a fraudster gains unauthorized access to someone else’s account. The problem is that the account may have a credit card linked to it and from there, fraudsters can extract the details and initiate online payment frauds. 

The problem is even worse if the account acts as an ewallet. Accessing a BNPL, crypto or neobank account, for instance, means that fraudsters can withdraw or transfer funds pretty much directly.

Phishing/Social Engineering

Phishing and social engineering are methods designed to take advantage of people in order to extract key information. When it comes to credit card details, they may be stolen by sending official-looking emails or SMS. 

The messages prompt cardholders to share their card details, make an urgent payment, or update their information. The details are thus stolen by fraudsters and used elsewhere.

Sophisticated phishing takes on many forms these days, including entire fake online shops. Criminals set up whole ecommerce operations with attractive prices in order to grab credit card details from unsuspecting customers. 

Infiltrating Legitimate Online Shops

Another advanced form of theft is gaining popularity with online fraudsters: infiltrating legitimate online stores. 

By injecting scripts on existing online store websites, criminals have managed to capture credit card details. It is effectively a form of online skimming, which can be done with sophisticated tools such as MageCart. 

Credit Card Fraud Detection Methods

Since fraudsters have plenty of ways to acquire credit card details, how can businesses know when these details have been stolen? With the following tools and techniques. 

Card Security Features

Credit card networks have developed a number of security features designed to prevent fraudulent purchases. These include:

• Address Verification Service (AVS): A service designed to confirm the cardholder’s identity by looking at their registered address. The address is confirmed against the bank’s records.
• 3-D Secure (3DS): A security layer that prompts users to enter a code to complete a purchase. Different card operators offer the service under different names, such as Visa Secure (Visa), SecureCode (Mastercard), or SafeKey (American Express).
• CVV: A CVV, or Card Verification Value, is a three-digit number located on the card. It is designed to verify that the card is indeed in possession of the customer at the time of purchase.

It’s worth noting that these card security features add a certain level of friction. This is why Amazon, for instance, doesn’t ask for a CVV at the checkout stage, as the company has determined that it slows down the process, impacts the customer experience negatively, and has other defenses in place to make sure it is in fact you logging in. 

Risk Scoring

Risk scoring is a standard risk management method, which uses rules to gauge risk. They help people make educated guesses about a certain user action. For instance, you can use a risk score to determine whether a payment should be allowed on your site or not.

For credit card fraud detection, risk scoring tends to rely on heuristic rules, also known as heuristics. They are shortcuts designed to deliver quick decisions using if-then logic. For example:

• If the IP address points to a different location from the shipping address, then the risk score should go up by 1 point.

When the risk score reaches a certain threshold, an automated system can decide to block or allow the transaction.

A more advanced form of risk rule is called a velocity rule, which looks at data points within a certain time frame to score human behavior. For instance:

• If the user fails to enter the right password five times within one minute, then the account should be temporarily blocked.

By combining multiple risk rules, you can create decision trees that allow for more accuracy in the scoring system.

Note that risk scoring may be transparent or opaque. That is to say, risk managers can control and customize the rules, or rely on preset algorithms. The former is referred to as a whitebox system, the latter is called a blackbox system. 

Whether you prefer a whitebox or blackbox system depends on your ability to monitor credit card detection. 

Companies with fewer resources may prefer relying on an out-of-the-box solution. Those with a dedicated risk management team tend to favor whitebox systems, as they allow for more customization and flexibility. 

You can read more about risk rules and best practices in our post on CNP fraud.

Data Enrichment

How do you confirm someone’s online identity before a transaction? You could ask them to submit ID documents. You could use video verification. But is it really worth it for a low-value transaction? 

This is the key challenge faced by companies who need to detect fraudulent credit card payments: verifying customers without increasing friction. Too many obstacles between customers and their purchases will create churn, and shoppers will turn to your competitors. 

This is why data enrichment is one of the most exciting and effective ways to confirm an identity. It’s an invisible security layer that works by getting more information from a single data point. For instance:

• Device fingerprinting: Learn if the user has connected to your site with the same device in the past. Are they attempting to spoof their connection details?
• IP analysis: Does the connection come from a VPN, a suspicious proxy or Tor node?
• BIN lookup: Is the payment card the right kind? Would it make sense for a customer in APAC to have a prepaid card, for example?
• Reverse social media lookup: Has the phone number or email address been used to register to a social media website? Does the user bio seem consistent with the transaction details?

The main point is to build a user profile without asking the customer for extra information. You can then feed all this data to your risk scoring system, which will help you determine if you are likely to be dealing with credit card fraud or not.

Data enrichment also helps log more information about users. This may come in handy when disputing a chargeback and presenting evidence of friendly fraud, for instance. 

How SEON Does Credit Card Fraud Detection

SEON offers fast, effective, and frictionless credit card fraud detection via risk scoring and data enrichment. You can build a complete profile of your website visitor, even before they reach the checkout stage. 

This helps you protect existing users’ accounts, and only accept payment from visitors who meet your risk criteria. Best of all, you get completely transparent pricing and a free 30-day trial. 

“With SEON, I can see that the address has been around since 2012 because it appeared in data breaches. I can see it’s been registered on these 15 other social websites. From then I can just manually match the relevant information to make my case.”

Rick Hiltbrunner, Senior Manager of Fraud Operations at Patreon

FAQ

Sources

• Juniper Research: Online Payment Fraud
• The Guardian: Stolen credit card details available for £1 each online
• Nilson Report: Card Fraud Losses Dip to $28.58 Billion
• Magecart: A Deep Dive Into Magecart