Published on
July 28, 2024
Card Not Present Fraud: Prevention & Detection Strategies
Global card fraud losses saw a notable rise of over 10% from 2020 to 2021, marking the most substantial increase since 2018. The total estimated losses incurred by merchants and card acquirers surpassed 30 billion U.S. dollars during this period, with approximately 12 billion U.S. dollars attributed to the United States alone.
In this article, we will explore Card Not Present fraud and discuss how to detect and prevent it. Let’s find out how criminals can use someone else’s credit card without having it.
What is Card Not Present Fraud?
Card Not Present fraud (AKA CNP fraud) is a type of unauthorized financial activity where fraudulent transactions are conducted without the physical presence of the credit or debit card. This often happens in situations where the cardholder's details, such as card number, expiration date, and security code, are used to make illegitimate purchases, particularly in online or remote transactions where the card itself is not physically presented.
Criminals may obtain this information through various means, including phishing, data breaches, or other forms of identity theft, enabling them to exploit the cardholder's financial accounts without the need for the actual card.
7 Types of Card Not Present Transactions
There are different types of Card Not Present transactions; here are the most common types:
- Online Purchases: Buying goods or services over the internet, where the cardholder enters their card details manually.
- Phone Orders: Transactions conducted over the phone, where the cardholder provides the necessary card information verbally to the merchant.
- Mail Orders: Payments made through traditional mail, where the cardholder sends their card details in written form to the merchant.
- Recurring Payments: Automatic charges set up for subscription services, memberships, or ongoing bills without the need for physical card presence.
- Mobile or Digital Wallet Transactions: Payments made using mobile payment platforms like Apple Pay, Google Pay, or Samsung Pay, where the card is stored digitally on a mobile device.
Digital wallets are becoming more popular, so fraudsters increasingly exploit vulnerabilities in digital wallet systems. Digital wallet fraud is unauthorized activity that exploits digital wallets for illicit transactions. This may include using stolen credit card information or creating fake digital wallets through tactics like phishing, malware attacks, and social engineering.
- Virtual Terminal Payments: Merchants manually enter card details into a virtual terminal for transactions, often used in phone or mail order scenarios.
- Fax Orders: Though less common today, some transactions may still occur through fax, where the cardholder sends their card details to the merchant.
Card Not Present Fraud: How It Works
Card Not Present (CNP) fraud transpires when a perpetrator gains access to critical cardholder information like the account number, name, billing address, three-digit CVV security code, or card expiration date—details that can be electronically pilfered without the need for the physical card. This form of theft is commonly executed through online phishing schemes or dishonest employee actions, with occasional instances of merchant database hacks.
In the event of Card Not Present fraud, it is the merchant who bears the financial loss. This impact can be particularly substantial for retail establishments with narrower profit margins. Unlike card-present fraud, where the credit card issuer typically absorbs the loss, Card Not Present fraud places the burden on the merchant. According to credit card terms and conditions, cardholders are generally not held liable for fraudulent charges, whether arising from card-present or Card Not Present fraud.
Tactics employed by cybercriminals include:
1. Social Engineering
Social engineering involves deceptive practices where criminals manipulate individuals to disclose personal information or grant access to restricted systems. This category encompasses techniques like phishing, spear phishing, baiting, pretexting, tailgating, and quid pro quo attacks.
2. Spyware
By utilizing social engineering, scammers convince victims to download attachments that install spyware, such as keyloggers, on their devices. Keyloggers record keystrokes, enabling fraudsters to access sensitive details like user logins, account numbers, and payment credentials.
3. Data Breaches
Hackers frequently target merchants and banks to expose personal and financial information. In 2023, the count of patient records exposed in data breaches doubled compared to the preceding year, despite a marginal decrease in the overall number of breaches, as indicated by a report from cybersecurity firm Fortified Health Security.
4. Card Skimming
Scammers use skimming devices, discreetly installed in ATMs or point-of-sale terminals, to capture information from a card's magnetic stripe during usage.
5. Public Wi-Fi Networks
Cardholders accessing accounts or reviewing sensitive documents on public Wi-Fi networks without a VPN face an elevated risk of Card Not Present fraud. Scammers actively monitor these networks to pilfer cardholder credentials.
Card Not Present Fraud Example
Let's assume Alex is an online shopper. One day, she receives an email claiming to be from her favorite online store, offering an exclusive discount. Excited, she clicks the link provided and enters her credit card details to grab the deal.
Unbeknownst to her, this email was a phishing attempt by a fraudster. They now have her credit card information. Soon, she notices unauthorized transactions on her card for things she didn't buy. She reports it to her bank, but it takes time and effort to sort out the mess and recover the stolen money.
This scenario illustrates how criminals can trick people into sharing sensitive information online, leading to financial losses and inconvenience.
Card Not Present Fraud Risks for Consumers
Card Not Present fraud poses risks to both consumers and merchants. The main risks for consumers are:
- Financial Losses: CNP fraud can result in unauthorized transactions, leading to direct financial losses for consumers. Fraudsters may make purchases or conduct transactions using stolen card information, causing monetary harm to the cardholder.
- Identity Theft: The information obtained during CNP fraud, such as credit card numbers, names, and addresses, can be used for identity theft. Criminals may open new accounts or engage in other fraudulent activities, causing long-term damage to the victim's credit and financial reputation.
- Compromised Personal Information: CNP fraud exposes consumers to the risk of their personal and sensitive information being compromised. This information can be exploited for various malicious purposes beyond financial fraud, impacting the individual's privacy and security.
- Disruption of Daily Life: Dealing with the aftermath of CNP fraud, such as reporting unauthorized transactions, disputing charges, and securing compromised accounts, can be time-consuming and disruptive to a consumer's daily life. It may require significant effort to resolve the issues and restore financial security.
- Reduced Trust in Online Transactions: Experiencing CNP fraud can erode a consumer's trust in online transactions and digital payment methods. This may lead to hesitancy or reluctance to engage in online shopping or other activities that involve the use of payment cards.
- Potential Legal Consequences: In some cases, consumers may face legal consequences if they are unable to resolve fraudulent transactions promptly. While credit card issuers often have policies to protect cardholders from liability, delays in reporting fraud could complicate the resolution process.
- Emotional Distress: The discovery of being a victim of CNP fraud can cause emotional distress, including feelings of violation and vulnerability. The psychological impact of such incidents can linger even after the financial aspects are resolved.
9 Tips for Detecting and Preventing CNP Fraud
Detecting Card Not Present fraud and conducting fraud investigations involves implementing various strategies and tools to identify and prevent potentially fraudulent transactions. Here are some effective methods for CNP fraud prevention and detection:
1. Advanced Analytics and Machine Learning
Employ advanced analytics and machine learning algorithms to analyze transaction patterns, identifying anomalies and potential fraudulent activity.
2. Behavioral Analysis
Monitor user behavior and transaction history to establish a baseline, detecting deviations that may indicate Card Not Present fraud.
3. Geolocation and Device Recognition
Implement geolocation tools to verify transaction locations, cross-referencing them with user profiles. Recognize and track devices to identify unfamiliar or suspicious activity.
4. Address Verification System (AVS)
Use AVS to compare billing addresses during transactions, flagging mismatched addresses as potential fraud indicators.
5. 3D Secure (3DS)
Implement 3D Secure protocols for an additional layer of authentication in online transactions, ensuring the legitimate cardholder makes the purchase.
6. Velocity Checks
Set up velocity checks to monitor transaction frequency and volume, identifying unusually high rates indicative of fraudulent activity.
7. IP Address Analysis
Analyze device IP addresses for sudden changes or transactions from known high-risk locations, serving as potential fraud signals.
8. Real-Time Transaction Monitoring
Implement real-time transaction monitoring systems to assess transactions instantly, using automated alerts to flag and investigate suspicious activities.
9. Customer Authentication Techniques
Employ multi-factor authentication methods, such as one-time passwords or biometric verification, to enhance online transaction security and confirm the cardholder's identity.
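As an added example (not from the original article or any vendor product), the code below combines three of the checks listed above: velocity (tip 6), AVS mismatch (tip 4) and IP change (tip 7), run over constructed transactions. The field names, the 10-minute window and the threshold of 3 transactions are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample transactions (not real data). "card" is a token, never a PAN.
SAMPLE_TXNS = [
    {"id": "t1", "card": "tok_A", "ts": "2024-07-28T10:00:00", "ip": "198.51.100.7", "avs_match": True},
    {"id": "t2", "card": "tok_A", "ts": "2024-07-28T10:01:00", "ip": "198.51.100.7", "avs_match": True},
    {"id": "t3", "card": "tok_A", "ts": "2024-07-28T10:02:00", "ip": "198.51.100.7", "avs_match": True},
    {"id": "t4", "card": "tok_A", "ts": "2024-07-28T10:03:00", "ip": "203.0.113.50", "avs_match": False},
    {"id": "t5", "card": "tok_B", "ts": "2024-07-28T10:04:00", "ip": "192.0.2.10", "avs_match": True},
    {"id": "t6", "card": "tok_B", "ts": "2024-07-28T10:05:00", "ip": "192.0.2.10", "avs_match": False},
    {"id": "t7", "card": "tok_A", "ts": "2024-07-28T10:30:00", "ip": "203.0.113.50", "avs_match": True},
]

WINDOW = timedelta(minutes=10)  # assumed sliding window for the velocity check
MAX_TXNS = 3                    # assumed max transactions per card inside the window


def score_transactions(txns, window=WINDOW, max_txns=MAX_TXNS):
    """Return [(txn_id, [reasons])] for every transaction that trips a rule."""
    recent = defaultdict(deque)  # card -> timestamps still inside the window
    last_ip = {}                 # card -> IP seen on the previous transaction
    flagged = []
    for t in sorted(txns, key=lambda t: t["ts"]):  # ISO timestamps sort as text
        ts = datetime.fromisoformat(t["ts"])
        q = recent[t["card"]]
        while q and ts - q[0] > window:  # expire entries older than the window
            q.popleft()
        q.append(ts)

        reasons = []
        if len(q) > max_txns:
            reasons.append("velocity")
        if not t["avs_match"]:
            reasons.append("avs_mismatch")
        if last_ip.get(t["card"], t["ip"]) != t["ip"]:
            reasons.append("ip_change")
        last_ip[t["card"]] = t["ip"]

        if reasons:
            flagged.append((t["id"], reasons))
    return flagged


if __name__ == "__main__":
    for txn_id, reasons in score_transactions(SAMPLE_TXNS):
        print(txn_id, ",".join(reasons))
```

Transactions that trip several rules at once (here `t4`) are stronger candidates for step-up authentication or manual review than a single AVS mismatch, which also occurs on legitimate orders.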
Additionally, merchants should consider the following technologies:
- Digital Identity Services: Collects data from diverse sources, employing machine learning and profiling techniques to authenticate customer identities and assess transactional risk.
- Strong Customer Authentication (SCA): Implements multifactor authentication for additional security in CNP transactions, complying with Payment Services Directive 2.
- Tokenization: Replaces sensitive data with unique tokens, adding a layer of security to CNP transactions.
- Network Intelligence: Analyzes data packets in real-time to identify potential fraud signals, leveraging packet capture, data, and advanced machine learning algorithms.
- Incremental Machine Learning: Utilizes historical and live data for dynamic responses to behavioral changes, automatically updating models in real time to recognize emerging threats.
Conclusion
In conclusion, fraud monitoring is a surveillance tool that detects and mitigates fraudulent events in credit cards, debit cards, and Internet banking by analyzing real-time transaction trends. Using advanced algorithms, it identifies unusual activities based on predefined patterns, promptly notifying authorities or customers of potential risks.
Frequently Asked Questions Related to Card-Not-Present Fraud
Q1. How can someone use my credit card without having it?
Unauthorized individuals can use stolen credit card details obtained through various means, such as data breaches or phishing, to make fraudulent online transactions.
Q2. How to reduce fraud while improving customer experience?
Employ advanced authentication methods, monitor transactions for unusual activity, and enhance data protection measures to reduce fraud while enhancing the overall user experience.
Q3. Is Card-Not-Present a type of card fraud?
Yes, Card-Not-Present (CNP) is a type of card fraud where transactions occur without the physical presence of the card, typically in online or remote transactions.
Q4. How to detect online shoplifting or friendly fraud?
Implement real-time transaction monitoring, analyze customer behavior patterns, and use advanced algorithms to identify indicators of online shoplifting or friendly fraud (AKA Chargeback Fraud), allowing for timely intervention and prevention.
Q5. How can I protect myself against Card-Not-Present fraud?
Secure personal information, use strong, unique passwords, enable two-factor authentication, monitor account activity regularly, and be cautious about sharing sensitive details online.
Q6. How can online businesses increase sales without compromising their fraud defense?
Implement secure payment gateways, employ advanced fraud detection tools, verify customer identities, and balance sales growth with strong fraud prevention strategies to maintain a secure online environment.
Q7. Who bears the loss for fraudulent Card-Not-Present transactions?
In Card-Not-Present transactions, the merchant typically bears the loss, facing chargebacks and financial impact unless they can prove the legitimacy of the transaction and shift liability to other parties involved.