The Use of Information Security Standards in Tackling Card Fraud in Nigeria - Research Paper Example

Card Fraud in Nigeria Versus IT Security Measures Table of Contents I.Introduction 1 Overview of Card Fraud a. Worldwide bIn Nigeria 1.2 Thesis Objectives and Hypothesis II. Literature Review III. Research Methodology 3.1 Google Search of Related Articles on Card Fraud 3.2 Research of Historical Background of Card Fraud Syndicate 3.3 Research About Technologies of Card Fraud and Its Prevention 3.4 Simulation Method IV. Findings V. Discussion VI. Conclusions VII.Recommendations 7.1 Better IT Security Technology 7.2 Availability of a Fool-Proof Anti-Card Fraud Technology 7.3 Workability & Practicality of Using Better IT Security 7.3.1 Cost 7.3.2 Time 7.3.3 Convenience versus Security 7.4 Policy of Trust No One Except the Owner & Machine Authenticator 7.4.1 Statement of Policy and Clarifications 7.4.2 Duties and Responsibilities of Bank IT Security 7.4.3 Duties and Responsibilities of Card Owner 7.4.4 Duties and Responsibilities of Merchants Abstract (Proposed) A syndicate trained to defraud debit and credit card owners had been improving their strategies for over 20 years in the USA. Nigerians were identified as new entrants to America earlier than 1993 when they were discovered to be under training in various parts of the USA, most of them students whose entries were facilitated by Americans. Personal information gathered also by people in America was allegedly sold to Nigerians. And then identity theft, card theft, card cloning, and massive fraud which stole $ 2 billion per year took place in many countries. The security system of cards utilized magnetic tapes containing information, security PIN, and the microchip embedded on the card. Lately, the microchip was improved to encrypt the information and make it difficult for thieves to copy whatever is the personal information of the card owner. And there are plans to send verification messages via mobile phones of owners. All these technologies have their defects. A better technology that will be “fool-proof” should be developed given the available resources for IT security. This thesis presents a combination of IT security measures to protect card owners, merchants, and the bank from the most trained criminal in the card fraud industry. It is founded on a “Trust No Other Person Policy Except the Card Owner and the Bank’s Computerized Database”. I.Introduction 1.1 Overview of Card Fraud a. Worldwide An estimated $ 2 billion gets stolen annually through credit card fraud in various parts of the world. And the USA was identified to be with the most prevalent fraudulent use of credit cards. Nonetheless, Nigeria had been also linked to such thievery, causing the entire country to be “blacklisted in the internet” so that no payment could be transacted using any credit card issued by Nigerian banks. The report (NAIJ 2013) included among others the American unethical practice of selling personal information over the internet and possibly including credit card information. This was followed by telephone calls to card owners in order to trick them into disclosing their credit card number in order to allegedly change the PIN #. b. Nigeria In December 13, 2011, there were three Nigerians in India who were arrested for online purchases using stolen credit cards (Selvaraj, A. 2011). Anybody who owns a credit card or even debit card would be alarmed upon reading this news. Who might be next? How do they did they steal? In that case, the news said there was a mastermind in Nigeria who provided the credit card numbers. Years ago, in 2009, Standard Chartered Bank in Nigeria (2010) was able to discover a fraudulent withdrawal worth $ 80,000. But it was after a cheque needed to be funded while the account owner was not aware that his funds were withdrawn by a woman without his knowledge. It took the CCTV of Standard Chartered Bank to find out who was the thief. Apparently, the PIN # of a bank customer got stolen along with his card. Very recently, card fraud in Nigeria was traced to an international syndicate which had devices to “clone” credit cards and to collect credit card numbers’ details from the international community. They had hundreds of stolen cards or possibly cloned cards. There was also a report of card skimming, a fraudulent practice of using a swiping machine, a device apart from the authorized credit card verification machine, to gather the information contained within the credit card’s magnetic tape.(The Hindu Special Correspondent 2013) 1.2 Thesis Objectives and Hypothesis The primary objective of this thesis is to lay the foundation for a proposed set of IT Security Measures which cannot be exposed to high risk exposure to card fraud. It first describes how card fraud has been committed for sometime at the expense of card owners. Available precautionary measures are also reviewed. The basis of those existing steps how not to be victimized come from reliable sources like the US FBI and banks. After documenting the realities of card fraud as well as the actions that have been taken to prevent it from happening again, the 2nd objective is to survey, list, and assess the available technologies meant to prevent card fraud. And finally, the 3rd objective is to recommend the implementation of a technology not yet implemented but which can almost certainly make it extremely difficult to commit fraud anywhere in the world. The hypothesis for this study is that there is a definite but overlooked set of technologies and system of managing credit and debit card customers which will almost certainly end the illegal business of stealing debit or credit cards, stealing identities, and fabricating or cloning cards for fraudulent uses. II.Literature Review Most of the literatures reviewed hereunder are concerned with the technologies available for the prevention of card fraud. Having disclosed so much about past and recent commission of card fraud in the introduction (which will be elaborated further in Chapter IV -Results), principles and theories and their corresponding sources are found in this literature review. But discussion, analysis, and corresponding evaluation and recommendations will not be part of this chapter. Chip Technology is currently being recommended by the Canadian Imperial Bank of Commerce for the purpose of ensuring that the contents of the magnetic tape are encrypted and very difficult to decode. Each debit or credit card should have an added microchip which encrypts whatever will be the private information in the magnetic tape. The old type of debit and credit cards were cloned and made useful after another device copied the details supposed to be controlled by the magnetic tape. (CIBC 2013) In India, the recommended technology to prevent unauthorized use of credit and debit cards is via the use of “3D Secure PINS and Passcodes” (Bhagat, H.R. 2012, par. 3). To improve it further, a new recommendation involved the authorization to confirm each transaction via SMS to the real owner. A yes or no reply would have to be sent in order to have a transaction approved aside from automated credit limit screening. Details of the transaction identifying whatever needs to be purchased would be sent to the message receiver. It is expected that the owner of that mobile phone will be the person who will receive the information and who should reply. More recent IT anti-card fraud technologies (Eelbacher, M. et. al. 2012 p.98) include holograms and also lithographs protection against counterfeiting of debit and/or credit cards, a monitoring system, and stricter verification to identify the true owner of cards. As of 2012, the use of microprocessor chips is considered latest technology. BBC’s Watchdog (BBC 2013) against credit card fraud announced a few methods when the crime takes place, namely, (a) when the card is not present for inspection, (b) when lost, stolen, or utilized to commit fraud, (c) when cloning or skimming was done to create a fake or counterfeit credit or debit card, (d) during attempts at phishing, and (e) during attempts at ‘pharming’ bank websites or redirecting people to fake bank websites. According to a peer-reviewed document by Prabowo, H. Y.(2011, p. 1), the most common way of committing card fraud as of 2009-2010 was through online use of card details, which is also known as the card-not-present fraud. Skimming followed by counterfeiting was only 2nd according to statistics. The same reference will be utilized in the latter part of this thesis, particularly Chapter VII – Recommendations wherein the simulation will have to consider the “Four-Pillared house of Payments Fraud Prevention Practice” ( Prabowo, H.Y. 2011, p. 2). This is illustrated in Figure 1 as follows: [ Source: Prabowo,Hendi Yogi PhD. Nationwide Credit Card Fraud Prevention. PopCenter.org, 2011. Viewed February 11, 2013 @ http://www.popcenter.org/problems/credit_card_fraud/PDFs/Prabowo%20card%20fraud.pdf ] What the principle of the 4-pillared house is simply saying is that there are many entities involved in the possible commission of card fraud. Even the card company can be a part of it, e.g. through a “mole” within the organization. This can also be true in governments. Any person can check out through Google Search the reality of bank officials being part of the credit card scam, e.g. Al Ghalib,Essam (2008) who reported five people including Senior Bank Officials who stole $ 545,000 using credit cards they did not own and withdrawing cash using those cards in a foreign country. Detectives were able to recover over 100 credit cards from those 5 arrested card fraud criminals. The Pakistan, South Africa, and India nationals were arrested in UAE. In a very recent report ( 247UReports, 2013), the well established First Bank of Nigeria was found to have “bank officials” who conspired to falsify ID cards. In order to verify credit or debit card authenticity, it is a common practice to ask for identification cards. Although this case involved moneygram, the same fake ID can be utilized to serve as basis for verification of debit or credit card ownership. On the far end of the issue of fraud would be the accountability of Card Companies and Merchants who accept payments through cards. There is supposed to be an IT Cybercrime Audit against inside threats of fraud. Principles behind such a preventive measure are comprehensively discussed in a book by Moeller R.R. (2011) for the purpose of distinguishing the extent of liabilities on the part of cardholders, Credit and Debit Card companies, and merchants. For example, it is not the fault of customers when an employee within a Retailer finds a credit card and works in connivance with a cashier who intentionally recalls PIN numbers as well as intentionally fails to return a credit or debit card except when the customer asks for the return of his or her card before leaving. By the time the customer recalls that the card got left behind, the Retailer charged more transactions against the customer’s card. At the Chase Bank, there were reports of Debit Card Fraud connected to checking accounts. When one customer visited the bank to complain about unknown charges found in the bank statement he received, this is what the bank personnel replied (Bell, C. 2012): “Wow, I’ve had like six people in this morning with the same problem !” And that was in just one morning within one particular bank. It should be noted that Chase Bank recommends using the Debit Card because of its reliable security measures even up to the present. Its system offers “free security alerts”, “zero liability protection. . .for any unauthorized debit card transactions”, “guaranteed reimbursement”, “real-time fraud monitoring”(Chase 2013). And yet in the first quarter of 2012, their customers were victimized by debit card fraud. If this can happen to a multinational like Chase Bank, it can happen to many other smaller banks. Thus, the question of adequate IT security against card fraud remains at large. Is there really a way to control card fraud? There was a “World Congress on Engineering” (WCE) peer-reviewed recommendation to include the fingerprint thumb mark of each cardholder in ATM card in order to authenticate the card itself (Singh, D., et. al. 2011). But this thesis will argue against such a technology on grounds that such inclusion can also be copied by cloning. Furthermore, it would make criminals gain access to the thumb marks of people so that they can be used for many other fraudulent transactions. The idea runs contrary to limiting information access about private information per person. It favors the objectives of card fraud syndicates to collect as much information about an individual in order to successfully accomplish identity theft and proceed with the interconnected criminal acts related to identity theft. Prabowo, H.Y. (2011 [b] Abstract) produced a PhD peer-reviewed research work which recommends prevention of card fraud by limiting the opportunities to commit the crime of stealing information of cardholders, in all “four main groups in a payment system”. This is more logical because higher privacy means less access to private information of every individual to any other person or entity, including the banks. III.Methodology 3.1 Google Search of Related Articles on Card Fraud International news articles, law enforcement reports, and local informative sources were searched via Google and the homepages of authorities forewarning the public about card fraud. Priority was given to updated communication online. “Nigerian Card Fraud”, “International Card Fraud”, and “Fraudulent Practices During Credit or Debit Card Use” were fed into Google Search to first find out which agencies have been monitoring the internet for card fraud practices. In those organizations-in-charge, reliable information and updated news were gathered to see how fraud has been actually committed inside Nigeria and in other countries like the UK, USA, Greece, and other European countries. 3.2 Research of Historical Background of Card Fraud Syndicate Furthermore, an assessment of current fraud problems of Nigeria was seen from the viewpoint of a bigger picture. The Nigerian outlook, relationship with USA in particular, relationship with Visa International Card company, and perspective of people from other countries – all these had to be considered for the purpose of becoming aware of the urgency of card fraud management control in the soonest possible time. 3.3 Research About Technologies of Card Fraud and Its Prevention A third important part of this study involves looking at the alternative ways and means to ensure prevention of credit and debit card fraudulent use. Technologies implemented to protect cardholders against fraud were identified. For this part of the methodology, mostly descriptions of the recommended security measures were provided in preparation for more elaborations to be presented in Chapter IV – Findings, and in preparation for the analysis in Chapter V – Discussions. Finally, additional technologies, systems, policies, and procedures will be introduced and explained. These will fall under Chapter VII – Recommendations. A brief simulation of the usefulness of such a technology not yet being utilized by the banking industry will be in the form of considering the different scenarios when cardholders would have to use their debit or credit cards. 3.4 Simulation Method The simulation will consider, among others, the “methods of card fraud” (BBC 2013) made public by BBC’s Watchdog for credit card fraud and the “Four-Pillared House of payments Fraud Prevention Practice” as described by Prabowo,Hendi Yogi (2011, p.2). IV.Findings A problem occurred in determining the number of resources available for the topic Card Fraud in Nigeria. Over 2,000,000 results were counted by Google. And so there was much work to do by simply trying to go over the vast number of choices. Upon feeding Google Search with the phrase “Card Fraud in Nigeria”, one of the links showed the Federal Bureau of Investigation’s website which contains common denominators of fraudulent scheme (US FBI 2013). The contents were very informative because many details about the way criminals go out to steal from credit and debit card owners. One of the fraudulent schemes modus operandi is about the Nigerian 419 Letter which promises to transfer substantial funds from an alleged government official of Nigeria to a prospective victim in another country. Of course, the target victim does not know the laws in Nigeria. There is a criminal code in Nigeria considering anybody who serves as accessory to transfer funds to another country, to be a violator of the Nigerian law. Whoever tries to fool that potential recipient of cash does not really have any funds to transfer, and is simply using the idea as bait for the foreigner to disclose a bank account number, identity details, contact numbers, and whatever can help them in their effort to utilize an online credit card bearing the name. There is always the possibility that the criminal is not a citizen of Nigeria and is just using a Nigerian citizen to prepare for the fraud. If for example, an internet user tries to join a new Income-Earning Scheme and discloses a credit card number in alleged secured website, there may be a member or officer or owner of that website who might just be interested in gathering more information to be able to use the credit card for another purpose in the near future. Identity theft consists of first knowing a lot of information about one person with legitimate background information in various database. An unknown person fabricates a fake driver’s license with all the correct details coming from a stolen identity, and fabricates a Social Security ID, a Passport, a Bankbook, a Credit Card, etc. making anybody believe that the person is genuine. The passport may be genuine. But the owner is not, because the real owner did not yet apply for a passport. And the fake character was able to get a genuine passport because he was able to present complete identification cards, bankbook, credit card, debit card, and many other documents confirming the identity. (US FBI 2013 [a] and US FBI 2012 [b] ) 20 Years of Training in the Art of Card Fraud Tracing the reason how and why Nigerians were able to defraud people worldwide with fake credit cards or stolen credit cards, it would be logical to remember the report of Simcox, D. (1993) when US law enforcers performed an investigation of Nigerians in the USA. Reports said that about 50% of the 100,000 Nigerians present in the USA at that time entered as foreign students. And it was also discovered that “75 to 90 percent” of those Nigerian students had been part of fraudulent schemes. As early as 1989, there were reports of substantial losses due to fraud in Nigeria. By the time of investigation in 1993 inside the USA, a Nigerian Mafia was observed to have been well-funded and capable of sending Nigerians into various parts of the USA for training purposes in the art of committing fraud. They were found in New York, “Atlanta, New Orleans, Los Angeles, and the Washington-Baltimore area”. They even had classes to learn various fraudulent techniques in the banking, credit card, and insurance industries. Most were in school campuses. In order to enter the USA, false documents were furnished coming from Nigeria’s US consul for the purpose of getting a visa. Americans were reported to have helped them also using illegal processes like bank account opening using “kited” checks. Then the student Nigerians were able to fraudulently access student loans way back in 1989. Such a report of the investigation came from the initiatives of US Congress with the help of Los Angeles law enforcers. And so the roots of Nigerian fraud was a partnership between Americans and Nigerians which began over two decades ago. USA started diplomatic relations with Nigeria way back in 1960 (US Bureau of African Affairs 2012). Nigeria supplies USA with premium petroleum. The two countries have been trading partners in Africa in connection with mining, petroleum, and wholesale trade; US imports of cocoa, rubber, oil for example and US exports of machinery, plastics, wheat, and vehicles. Thus, as of the latest Visa Card International company announcement in 2013, although in past years African countries were among the top in the list of fraud incidents, VP for Visa International’s Risk Management in Africa, Hawkey, N. (2013) said that there has been a downtrend worldwide in commission of fraud and that Visa Card International was very willing to do business with Nigeria as well as help fight fraud. V.Discussion (Partial Only) In one article (Kassner, M. 2010), the problems with PIN and Chip Technologies had been reported to be costly and still not safe. At that time, the card companies believed the combination of both would make the security measure for each card sufficient except when the card gets stolen. First, the cost of implementing both was estimated to reach $ 5.5 billion. The second flaw was when the thief utilizes a devise and software to fool the program in process. A card can be cloned. Its contents can be copied using a device even if the security measure includes CHIP + PIN + Magnetic Tape. Also, when travelling, the more secure card technology does not work on swiping terminals in many merchants abroad, according to Weston, L. (2012). The First Bank of Nigeria uses EMV Chip + PIN security technology for both credit and debit cards.EMV refers to Europay, Mastercard, and Visa smart payment cards. Which contain electronic microprocessors embedded in the card itself and which contains security features that cannot be provided by magnetic tape. It boasts of a system which can be authenticated to distinguish a fake card from the genuine card. Then it creates a transaction data which when copied will not allow the card to be utilized for a different transaction. Verification is done to identify if the person using the card is the true owner, while a PIN is for online verification. And a signature is also matched for a third way of verification. (Smart Card Alliance 2013) VI.Conclusions (Partial Only) Nigerian card fraud is not isolated only to Nigeria and to citizens of Nigeria committing the criminal acts of using fake documents and false identities. Even bank officials from other countries had been arrested in the past in connection with card fraud. Any syndicate or government official can easily bribe and threaten bank officials with access to information outside of the secured computer database. After all, the payback will be much more annually and over the long term. The system of depending on security options within the control of people from within the banks is flawed by the mere corruptibility of those having access to decoding tools or software from within the banking system, who can supply the card fraud syndicate with the means to nonetheless skim and copy the contents of Card Chips said to be encrypted, and later on to clone credit or debit cards with copied information. Thus, a more rigid IT Security measure is one wherein the policy of “Trust No One Except the Bank’s Secured Computerized Database” should be implemented. Accountability should be limited to IT Security personnel and their ongoing mission to conduct regular IT security audit as well as improve the security measures via higher software technologies. This strategy will oblige the banks to shoulder all the duties and responsibilities that can prevent any security breach into the computer database of banks. And no outsider should be able to penetrate the bank’s Cyber Security System which is supposed to be under control by the banks’ IT Experts they have employed and trusted. In Chapter VII – Recommendations, the internal controls to prevent any case of card fraud are described in details through a simulation of the possible transactions using debit or credit cards. VII. Recommendations References 247UReports. MoneyGram Fraud: First Bank Official Conspire Wtth Fraudster to Falsify Identification Card. Persecondnews.com, February 11, 2013. Viewed February 11, 2013 @ http://247ureports.com/money-gram-fraud-first-bank-official-conspire-with-fraudster-to-falsify-identification-card/ Al Ghalib,Essam. Bank Officials Among Five Held in Card Fraud. The National UAE News, November 12, 2008. Viewed February 11, 2013 @ http://www.thenational.ae/news/uae-news/bank-officials-among-five-held-in-card-fraud BBC. Preventing Credit Card Fraud. BBC One Watchdog, 2013. Viewed February 11, 2013 @ http://www.bbc.co.uk/programmes/b006mg74/features/consumer-advice-fraud-prevention Bell,Claes. Wave of Debit Fraud Following Breach? Bankrate.com, April 24, 2012. Viewed February 11, 2013 @ http://www.bankrate.com/financing/banking/wave-of-debit-fraud-following-breach/ Bhagat,Hitesh Raj. How to Keep Your Debit and Credit Card Secure. ET Bureau, August 17, 2012. Viewed February 10, 2013 @ http://articles.economictimes.indiatimes.com/2012-08-17/news/33249581_1_debit-card-card-security-transactions Chase. Chase Debit Card. Viewed February 11, 2013 @ https://www.chase.com/checking/debit-cards CIBC. Chip Technology – Your Chip Card. Canadian Imperial Bank of Commerce, 2013. Viewed February 10, 2013 @ https://www.cibc.com/ca/how-to-bank/chipcard/index.html De Master Yoda. Greece: Nigerian Couple Held for Credit Card Fraud. Bulletin, February 7, 2007. Viewed February 10, 2013 @ http://antifraudintl.org/showthread.php?14997-Greece-Nigerian-couple-held-for-credit-card-fraud&s=305e96759be92aafa912adc01a67b96c Edelbacher,Maximillian; Kratcoski,Peter C.; Theil,Michael. Finnancial Crimes: A Threat to Global Security. USA: CRC Press, June 4, 2012. Hawkey,Neil. Fraud: Visa Gives Nigeria Clean Bill. Balancing Act Issue No. 261, 2013. Viewed February 10,2013 @ http://www.balancingact-africa.com/news/en/issue-no-261 Kassner,Michael. Chip and PIN: The Technology is No Longer Secure. Tech Republic: IT Security, 2010. Viewed February 11, 2013 @ http://www.techrepublic.com/blog/security/chip-and-pin-the-technology-is-no-longer-secure/3153 Moeller,Robert R. Cyber Security and Privacy Control. USA: John Wiley and Sons, April 12, 2011. NAIJ. US Ahead of Nigeria in Internet, Credit Card Fraud. NAIJ News, January 9, 2013. Viewed February 9, 2013 @ http://news.naij.com/19376.html Naija,Bella. Nigerian Couple in the UK Jailed for Trying to Claim £3.8m in Benefits Scam. ATMsecurity.com, September 30, 2012. Viewed February 9, 2013 @ http://www.atmsecurity.com/news/atm-fraud/nigerian-couple-in-the-uk-jailed-for-trying-to-claim-3.8m-in-benefits-scam-.-bella-naija.html Prabowo,Hendi Yogi PhD. Nationwide Credit Card Fraud Prevention. PopCenter.org, 2011. Viewed February 11, 2013 @ http://www.popcenter.org/problems/credit_card_fraud/PDFs/Prabowo%20card%20fraud.pdf Prabowo,Hendi Yogi PhD [b]. Building Our Defence Against Credit Card Fraud: A Strategic View. Journal of Money Laundering Control, Vol. 14 Iss: 4, pp.371 – 386. Viewed February 11, 2013 @ http://www.emeraldinsight.com/journals.htm?articleid=1955927&show=abstract Selvaraj, A. Nigerians Held for Card Fraud Sing on Network. The Times of India, December 23, 2011. Viewed February 9, 2013 @ http://articles.timesofindia.indiatimes.com/2011-12-23/chennai/30550319_1_abiodun-o-oyekunle-three-nigerians-mobile-phones Simcox, David. The Nigerian Crime Network. The Social Contract Press. Vol. 3 No. 3 (Spring 1993) Singh,Divya; Kushwaha,Pratima; Choubey,Priyanka; Vaish,Abishek; and Goel,Utkarsh. A Proposed Framework to Prevent Fraud Through ATM Card Cloning. Proceedings of the World Congress on Engineering. London,UK WCE July 6-8, 2011. Vol 1.pp. 1-4. Smart Card Alliance. EMV: FAQ. Viewed February 11, 2013 @ http://www.smartcardalliance.org/pages/publications-emv-faq#q1 Standard Chartered Bank. Sustainability Review 2009: Nigeria Card Fraud. StandardChartered.com, 2010. Viewed February 9, 2013 @ http://www.standardchartered.com/sustainability-review-09/en/our_contributions/our_stories/nigeria_card_fraud.html The Hindu Special Correspondent. Nigerians Part of Bigger Card Fraud Racket: Police. The Hindu, January 19, 2013. Viewed February 9, 2013 @ http://www.thehindu.com/todays-paper/tp-national/tp-karnataka/nigerians-part-of-bigger-card-fraud-racket-police/article4321790.ece US Bureau of African Affairs. US Relations With Nigeria: Factsheet. US Department of State Diplomacy in Action, November 20, 2012. Viewed February 10, 2013 @ http://www.state.gov/r/pa/ei/bgn/2836.htm US FBI. Common Fraud Schemes. The Federal Bureau of Investigation, 2013. Viewed February 9, 2013 @ http://www.fbi.gov/scams-safety/fraud US FBI [a]. Identity Theft. The Federal Bureau of Investigation, 2013. Viewed February 9, 2013 @ http://www.fbi.gov/about-us/investigate/cyber/identity_theft US FBI [b]. Living a Lie: Identity Theft That Lasted Decades. The Federal Bureau of Investigation, October 1, 2012. Viewed February 9, 2013 @ http://www.fbi.gov/news/stories/2012/october/identity-theft-that-lasted-decades Weston,Liz. New Credit Cards Make Travel Harder. MSN Money, April 13, 2012. Viewed February 11, 2013 @ http://money.msn.com/credit-cards/new-credit-cards-make-travel-harder-weston.aspx Read More