In part 1, I shared several studies on the appetite for general-purpose reloadable (GPR) prepaid cards. It turns out there is little public data covering the fraud portion of the industry. I look forward to results from the Federal Reserve's 2016 Payments Study, which added a number of questions related to GPR card fraud.
Last week, LexisNexis® released a fraud study titled Issuers Confront Application Fraud and Account Takeover in a Post-EMV U.S. The study reports that issuers annually lose $10.9 billion to card fraud overall, with 4 percent attributed to all types of prepaid cards (not just GPR), 25 percent to debit cards, and 71 percent to credit cards. The study examines what types of fraud schemes are responsible for losses, but the data is aggregated and not broken down by card type. We will look at these results and I will describe how fraudsters could use prepaid to perpetrate that type of fraud.
Lost/stolen cards: 28 percent of total card fraud
GPR card information can be lost or stolen in a variety of ways—as can happen with all payment card instruments. When the fraudster acquires the account numbers, he or she can then sell, clone, or counterfeit new cards to make fraudulent purchases. The most common schemes include:
- Skimming magnetic stripes via compromised ATM or POS terminals
- Cyberattacks/data breaches
- Simply lost or stolen cards
"Lost or stolen" also include information obtained from extortion by coercive measures and deceptive marketing. Fraudsters trick consumers into loading funds on a prepaid card and then handing over the account information. Some prepaid issuers have included warnings about this type of crime on their packaging. Some recent schemes include:
- Pretending to represent a creditor or utility and convincing victims they are overdue on bills and must immediately make a payment using a prepaid card
- Money-winning schemes (I always win cruises) whereby a consumer must pay taxes on the winnings with a prepaid card
Account takeover: 20 percent
These schemes typically involve business bank accounts. However, a blog by Kreb’s on Security describes a well-known case involving prepaid. Cybercriminals allegedly breached a number of payment processors over a two-year period. They acquired account information and changed account balances and daily withdrawal limits. The criminals then used the breached payment card information to clone cards to use at ATMs all over the world and withdrew nearly $55 million in cash.
Application fraud: 20 percent
Ultimately, this scheme involves the criminal opening a GPR account under a stolen or false ID, using stolen funds to open the account. Schemes that fit into this category are:
- Filing fraudulent tax returns and sending refunds to prepaid accounts. (I recently blogged on this.)
- Buying prepaid cards with stolen or counterfeit cards, a growing scheme that essentially creates free money out of stolen funds
Counterfeit cards: 16 percent
Counterfeiting usually occurs in conjunction with other fraud schemes. Counterfeit cards (and even lost or stolen cards) can be sold, often at a discount to the purchaser, potentially making their way into the hands of law-abiding citizens through wholesale websites.
Maybe fraudsters stock their pantry with prepaid cards, but are these common schemes unique to GPR cards or prepaid accounts? Although it's easier to open a prepaid account with little direct human contact, couldn't we substitute debit card or credit line accounts in any of these fraud schemes? Every type of monetary instrument experiences fraud but the prepaid industry has worked diligently to address these common areas. The vast majority of prepaid customers are legitimate users that have chosen this type of product for economic or payment preference reasons.
By Jessica J. Trundley, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed