In order to fight fraud in the payment industry, it is essential to understand how the fraudster thinks and works. In this piece, Maxim Kuzin, Head of Fraud Prevention at BPC and Radar Payments takes a look at how prepaid card fraudsters adapt their operations and how to stop them.

The Global Prepaid Card Market represents a huge opportunity as it is expected to reach USD 18.47 trillion by 2030. Prepaid cards are so widespread nowadays that you might think they have been around since the advent of modern-day credit cards. However, this is not the case. Prepaid cards are a tad younger, introduced in the 80s. 

Prepaid cards offer similar benefits as credit cards but without the disadvantages such as fees and potential debt. Prepaid cards don’t need to link to a bank account, can be branded and require no proof of credit history and keeping users anonymous.

Creating a more secure environment for financial transactions

2020 was a critical year for prepaid card adoption, as economies were forced to go cashless amidst the pandemic. Prepaid cards have consequently become one of the top 3 preferred methods in many countries such as Cyprus, Greece or Slovenia, with 60% of nationwide transactions (Ravelin). Financial institutions issuing cards, including banks, PSPs and fintechs, have seen their businesses during this pandemic. 

While 2020 marked the era of digital transformation with a historic increase in contactless and cashless transactions, it also presents a challenge for payment security in the industry with an unprecedented need for a more secure environment for financial transactions.

Strong authentication and 3DS2 have been enforced to guarantee customers financial safety. 

Who is the new prepaid card fraudster?

While all eyes have been on online and card-not-present activities, fraudsters have found new avenues to expand their operations. One of the targets has been prepaid card breaches. 

When card data is stolen in the presence of payment cards this is called card-presence (CP) Fraud. These types of frauds get more and more advanced and sometimes harder to detect. Some CP frauds outlined:

• Telephone scams – employees of merchants that sell prepaid cards are tricked to give the pin number for a prepaid card.
• Card swaps – branded prepaid cards that are hanging on the racks are swapped in the shops.
• Packaging compromises – magnetic swipe data from a prepaid card is copied from a card in the shop to another card, which the fraudster can use as soon as the skimmed card is activated.
• Stolen cards – because there is little data available from the owner of a prepaid card, it is hard(-er) to check if the presented card is actually stolen.
• Tax fraud – the fraudster uses a fake identity to fill out tax forms and takes the proceeds to a prepaid card.

The new prepaid card fraudster is well organised and can handle bigger targets

There are different types of hackers, and the most infamous are the ones that traditionally focus on attacking end-users. During this pandemic, we’ve also seen a surge in very organised fraudulent activities targeted at businesses. Today, banks, card issuers and third-party processors are the focus of fraud because this way, they can target a high number of cards at one go. 

The main goal in the Modus Operandi of large-scale prepaid card fraudsters is to access card numbers. These numbers are used to control balances and limits to cash out in multiple ways (purchases or withdrawals) over a period. Fraudsters are primarily turning to prepaid cards because these can be anonymised. Merchants find it challenging to identify a fraudulent prepaid card, and often transactions will result in disputes that they cannot understand or handle. 

Sophisticated fraudsters need sophisticated security controls

To combat this new wave of sophisticated fraud, financial institutions need a new mindset and business model. Financial institutions need to raise their guards to mitigate prepaid card frauds at an unprecedented level.

Financial institutions handle card transactions with issuers systems called a ‘switch’. The switch’s role is to authorise a transaction that comes from a merchant or business. A set of information is communicated from the merchant’s bank (the acquirer) with accepting the payment and sending the approval from the financial institution that has issued the prepaid card to the cardholder. A balance check is performed before the funds can be distributed. 

But, with prepaid cards, there might not be enough information available about the owner to present a (full) profile. This is where I think that financial institutions have to shift their mindset to better protect their institutions and customers alike against fraud. 

Is Instant fraud analysis by data core the way?

Financial institutions that don’t put their data core to instant fraud analysis and investigation are at higher risks in these times. It is now possible to access the profile of a typical prepaid card user in a set context and constantly leverage behavioural data from the core system, i.e., the switch level, in order to face the new type of fraudsters targeting prepaid cards.

The key to combating these types of attacks is to understand how organisations and customers behave. Behavioural analysis helps to find clues and evidence against potential or past attacks and react in real-time. Prepaid cards follow a specific sequence of transaction patterns, such as not being used more than three times a day.

There are many signs that can clearly show something is off if you look at the whole system over its core data. Financial institutions can scan patterns like raising a lot of prepaid card limits at the same time, or balances that are updated more often, or a group of cards used in a certain merchant category.

While fraudsters can bring more creativity to their methods, they cannot replicate natural behaviours or have enough information even if they try to do so. 

It is therefore crucial to Identify anomalies in transactions that can shed light on the origins of attacks with prepaid cards and act before a significant fraud occurs.

For more information on fraud-proofing your payment technology, visit https://www.bpcbt.com/

About Author:

Maxim Kuzin is a pioneering member at BPC with over 18 years of experience in Risk and Fraud Prevention Strategies. Maxim contributes to all research and development that is required to develop and constantly maintain SmartVista’s fraud prevention solution. He is a regular speaker and teacher, and has produced the foundation course for banking card technologies in universities for senior students who enrolled for Banking Systems and Information Technology. From designing the architecture to implementing solutions for customer support for various regions such as Europe, Africa, Asia and Middle East, Maxim’s involvement has taken Fraud Management at BPC to a leading position in the space.