Not Your Godfather’s Fraud
Fraud is getting out of control and we need digital identity to have even a chance of tackling it.
Dateline: San Diego, 1st May 2020.
In his fascinating autobiography Tough Guy (which ends with his prison conversion to Judaism!), the former Gambino family mobster Louis Ferrante gives a poetic description of card fraud in the years before mobile phones, Transport Layer Security (TLS) and TikTok. Back in the day, Louis’ enterprising criminal confederates had discovered that you didn’t need to be able to forge cards terribly well to enter the counterfeiting business, provided you had the right collaborators…
For years I made big wood with Sonny’s “dupes”, phony credit cards with real numbers. He sold them to me for a hundred bucks a piece. Sonny had salespeople in retail stores on the take, boosting charge card receipts… I’d visit a jeweller who was in on the scam and buy a Rolex. If the watch retailed for five grand, I’d tell him to hit the card for ten. I’d leave with the watch. He’d made money. Both of us happy.
What the wise guys, as I believe they are known, really wanted though, rather than Rolex watches and the like, was cash. Card fraud was a means to that end.
If I knew a guy who sold stuff I didn’t want, like Paulie Flowers, I’d work out a cash split. I’d show up and tell him “hit my card for four grand, keep two and give me two when you get paid”. He’d tell the card company he’d delivered arrangements to a wedding, and send them a phoney bill of sale, and that was that.
Things have changed since then. That kind of card fraud was a sort of cottage industry, almost quaint. Today the fraudsters have followed the banks and the rest of the business world and globalised. It’s no longer about getting a Rolex and a few thousand to spend, it’s about investment and return on investment.
The European Central Bank's most recent report on card fraud, from October 2021, calculates losses at around 3.6 basis points (of which 80% comes from "card not present" transactions), which appears manageable. It all adds up though. According to The Nilson Report (a respected industry newsletter), card fraud will mean over $400 billion in losses globally over the next decade. They estimate that by 2030, when total payment card volume is expected to hit a whopping $79 trillion, the industry will lose $49 billion to fraud (around six basis points).
The US, as always, accounts for a much bigger share of fraud than of volume (although that share has fallen over the years because of chip & PIN). Last year it was a fifth of world card volume but a third of world fraud. By 2030, U.S. fraud losses are expected to increase their share of the pie to $17 billion in a total card volume of nearly $19 trillion.
Those figures sound huge, but by comparison with the losses in Louis’ day, they are manageable. The invention of tamper-resistant chips, PINs, 3D Secure, online authorisation, tokenisation and so on means that, while card fraud might sound enormous, it is down to a few basis points, compared to the 14 basis points and climbing that we saw in the UK before we began the transition to chip and PIN.
Whether it’s one basis point or ten, as a consumer I don't really care about card fraud. Which is a good thing, if you think about it. Commerce is greatly enhanced by the fact that if I happen to see something online and I want it (for example, a perfectly good used copy of the Alien RPG) then I can simply press a button and buy it, safe in the knowledge that if my counterparty is a fraudster then it is my bank's problem and not mine.
Although I don’t care about fraud, there are other things about the world of cards that bother me. The lack of data is one. I recently noticed a strange charge on my credit card bill. It was for a hotel in France sometime when I was most certainly not in France. So I called up my credit card company to ask what the charges were for, but the credit card company had no more idea what the payments were for than I did. So naturally I disputed the charge. I then forgot all about it until a few weeks later, when a letter arrived from the credit card company with a copy of a bill that had been provided by the hotel that was disputing the disputed charge. From the blurred PDF of a fax of a photocopy of the purported transaction record, I was able to determine that the charge actually related to a hotel in Spain that I had stayed at. The payment had actually been made to the French parent company or sister company. The charge was perfectly correct. What a complete waste of time and money. And this must go on all the time, tying up resources as people and businesses struggle to reconcile payments correctly.
However, I digress. My purpose is not a parable on the value of transaction data and the business case for integration between accounts and payments and invoicing and so on. My point is that because I know that I can dispute transactions in the case of fraud (or cancel the card completely in the case of a Continuous Authority for gym membership), I can use my card in comfort and convenience.
(Or, at least, I could until the new rules about strong customer authentication, SCA, came into force in the UK. Now every time I try to buy something online I get annoyed by having to get one-time codes via text messages or run my credit card issuer's app for my bank to authorise the transaction. Apart from anything else, these flows don't always work, and so I had more than one transaction fail last week because I thought I'd done the right thing but hadn't, or thought I'd entered the right code but hadn't.)
In the UK, credit card fraud rates have now reached a five-year high as criminals exploit social media more and more effectively. What is frightening though is that credit card fraud is no longer the biggest problem in retail payments fraud. Last year authorised push payment (APP) fraud - that is, direct-from-account fraud where consumers are tricked into authorising transfers - rose by three quarters, and those losses now exceed the losses due to card fraud.
That kind of fraud is on the rise in America too. The New York Times uses the example of a consumer who lost $500 to a scammer impersonating a Wells Fargo official. The consumer, a longtime Wells Fargo customer who had immediately reported the Zelle-powered scam, assumed that the bank would refund the money but the bank said (correctly) that since the consumer had authorised the transaction (which he had), it was not from their point of view fraudulent.
The situation regarding account-to-account fraud has drawn criticism from many directions, including Senators Elizabeth Warren of Massachusetts and Bob Menendez of New Jersey from the Senate Banking Committee who recently asked Zelle's operator (Early Warning Services, EWS) what steps it had taken to protect consumers from the proliferation of sophisticated scams while accusing the banks of abdicating responsibility for fraudulent transactions.
This is not a problem confined to the UK and the USA. Unfortunately, account-to-account payment the world over has become a focal point for a variety of grifters including dating app delinquents, cryptocurrency con artists and those who prowl social media sites advertising concert tickets and purebred puppies only to disappear with buyers' cash after they pay - indeed, a good friend of mine was caught out by just such a scam last year.
(Payment card fees in the US have more than doubled over the past decade to $138 billion according to the Nilson Report, to the point where the National Retail Federation says that these fees are most stores’ second highest operating cost after labour. But the payment schemes say that these fees deliver safety for consumers and merchants alike when compared to Zelle, and they have a point.)
Now For The Bad News
If you think account-to-account payments fraud is bad, hold on to your hat. In the UK, card fraud and APP fraud and other vanishing crimes such as cheque fraud didn't add up to a billion, a figure that pales into insignificance when set against the backdrop of the wider fraud landscape. Across the UK, fraudsters might have stolen as much as £37 billion of pandemic support funds from the taxpayer, according to analysis by University of Oxford researchers!
(The British media report that some of these stolen funds ended up as suitcases full of cash that were seized from people trying to take them out of the country. How is it that in 2022 there are still some people who have never heard of Bitcoin, Monero or NFTs?)
Similarly terrifying figures can be seen in the US, where as much as a tenth of the $800 billion Paycheck Protection Program was pilfered. That's on top of the $90 billion to $400 billion that NBC News reports was stolen (at least half taken by international fraudsters) from the $900 billion Covid unemployment relief program, in addition to something like another $80 billion looted from a separate Covid disaster relief program. NBC quote Justice Department Inspector General Michael Horowitz, who oversees Covid relief spending, as saying that Covid relief programs were structured in ways that made them “ripe for plunder”, and Matthew Schneider, a former U.S. attorney from Michigan, calling out “the biggest fraud in a generation”.
To be honest, I am rather nostalgic for those long-ago days when card fraud was not only the biggest problem but a problem that we knew how to fix, even if we didn’t always actually get on and fix it quickly enough. But we have to face up to the colossal frauds going on today and we have to get on and fix them a bit quicker. To do this we need a working population-scale digital identity infrastructure and we need it now, so I’m in San Diego at the (fantastic) Liminal Summit to find out who is going to build it, how they are going to make it work and when it will start protecting consumers.