New Technology Can Reduce Plastic Card Losses Due to `Skimming'

Technology has enabled “skimming” to become one of the most prevalent types of plastic card fraud, causing troubles for card issuers and cardholders alike. Fortunately, new technology, such as “name matching,” is emerging as an effective tool in reducing this type of fraud. Skimming is a popular high-tech counterfeit technique used by thieves to copy encoded information on the magnetic stripe of a member’s debit or credit card. Stolen information is later replicated on a blank plastic card that the thief will use to purchase luxury merchandise or services at retail locations. Scams to capture magnetic stripe data range from telephone taps that intercept data during authorization or terminal downloads to false storefronts or “spoof shops,” set up for the express purpose to steal data. Thefts also occur frequently at retail locations, such as restaurants, or ATMs. Merchants considered high risk for skimming are those businesses where the card is temporarily out of the cardholder’s sight, such as restaurants, hotels and gas stations. Crooks are often collusive merchants and employees who use hand-held skimmers to quickly capture the data off a card’s magnetic stripe. Skimming at ATMs usually occurs during legitimate transactions. Data theft likely takes place through a laptop computer or other electronic device linked to an ATM terminal as a legitimate card is swiped for authorization. Data can also be stolen on a larger scale by criminals who hack into data storage systems that house valid account data. The highly-publicized BJ’s Wholesale Club incident that occurred earlier this year is an example of such an intrusion. Merchants that utilize an electronic data terminal have a leg up in thwarting counterfeit cards. When a card’s magnetic stripe is swiped at a terminal, information such as the cardholder’s name, account number and card expiration, are sent electronically to the card issuer for authorization. The advent of magnetic stripe information provided improved security that did a good job of validating and matching up the cardholder’s name, account number and expiration date. Unfortunately, technology has also availed itself to fraudsters who have not only figured out how to steal magnetic stripe information off legitimate cards, but also manipulate and manufacture such data on bogus cards they create. In the plastic card world of magnetic stripe transmissions, there are two types of authorizations a merchant can use to verify data: Track 1 and Track 2. Track 1 includes the cardholder’s name, account number, expiration date, plus other discretionary data. Track 2 contains the identical information as in Track 1, except the cardholder’s name. Merchants have total discretion over whether they transmit Track 1 or Track 2 authorizations. According to the card associations, about 70% of merchants transmit data using Track 2, although more are opting for Track 1 as a means to prevent card authorization fraud. The next time you make a plastic card purchase, check to see if your name is printed above or below the signature line. If it appears, the merchant is transmitting Track 1 data for the authorization. In most cases, a thief does not know which track the merchants will transmit, which is why the perpetrator will change the cardholder’s name that is encoded on Track 1. Otherwise, the true cardholder’s name could be printed on the receipt, which could expose the fraud, particularly if there’s an obvious discrepancy in the person’s sex or nationality. Instead, thieves use the legitimate account number and expiration date but change the name on Track 1 of the magnetic stripe to match a bogus name embossed on a counterfeit plastic card and perhaps a fake ID card they’re carrying. Here’s a simple example of this type of fraud. While dining out, Jane Doe has her credit card skimmed. The crook uses Jane’s legitimate card account number and expiration date to manufacture a counterfeit credit card in the name of John Smith. The crook then uses the card to purchase a deluxe entertainment system at a retail store. If the merchant in this example transmits Track 2 data (without the name), chances are good the transaction will go through and fraud will occur, because the account information is correct. However, if the merchant uses Track 1, the fraud can be detected using what’s known as “Name Mismatch.” Here’s how it works: When the merchant transmits Track 1 data to the credit union’s authorization system, the name on the incoming authorization will be compared to the name on the credit union’s master file. In our example, the system will show Jane Doe’s name, rather than John Smith. That’s a big red flag. If the credit union has implemented Name Mismatch with a response code set to decline for a name discrepancy, the counterfeit transaction will be declined, and the fraud will not occur. Because more merchants are transmitting Track 1 data in their authorization message, this relatively new loss prevention tool will help further combat skimming fraud. Therefore, it’s vital for credit unions with plastic card programs to utilize the Name Mismatch security feature. Credit unions that use their own system to perform authorizations need to have the Name Mismatch security tool built into their system. If a credit union uses a third- party card processor to perform authorizations and maintain the credit union’s cardholder master file, the third party needs to deploy Name Mismatch. If the card processor does not offer name matching, CUNA Mutual recommends it be offered. By utilizing Name Mismatch, you can decline any Track 1 authorization where the cardholder name being transmitted does not match the cardholder name on your master file. While not 100%foolproof, this added level of security can help prevent a fraudulent transaction or string of transactions, thereby reducing fraud losses.