Procurement Card Fraud
By Lloyd Rain
Procurement cards, also called “P-Cards” and “Pro-Cards,” have become increasingly popular in higher education and in every public agency across the nation. You’ve probably read any number of procurement card horror stories, but take note of these. They are a bit beyond the norm. The stories are noteworthy, not only because they represent different aspects of procurement card fraud, but because they might be of interest to your P-Card administrator and others involved in P-Card management. At the end of the article, of course, are the obligatory warnings and admonishments for all users—tried and true lists of protections that may or may not be good enough. Yes, the realities of procurement card fraud are scary, but often preventable.
Story Number One—The “Creditmaster Run”
Three major universities recently have experienced what banks call a suspected creditmaster run.
This fraudulent activity operates through downloadable software that generates sequential credit card numbers using the algorithm used by the credit card associations. A list of card numbers generated by such software is called a creditmaster run. Criminals who generate such a list will then make fraudulent purchases using the card numbers on the list and may try four or five numbers in a row for each purchase until they score a “hit.” A creditmaster run is difficult to do in person, but a crook with a modicum of brains can try a hundred numbers an hour on any online ordering system until one gets accepted. Then the felon can go and buy any number of leather jackets, diamond rings, or graphite fishing rods with impunity—until the fraud is discovered and the card terminated.
During November 2004, a total of 100 University of Delaware procurement card accounts were hit with fraudulent charges (most of which were denied). Many of the charges were made by auto parts dealers from all over the country who apparently received orders containing University credit card numbers through text messaging services such as IP-Relay. In most cases, the shipping address was in Nigeria. To have so many attacks occur during a two-week period is indicative of a creditmaster run. The criminals hit fast and hard, hoping that some charges will get through. Then these individuals disappear, most likely into the foreign nation from which they operate. If they do get some charges through, the banks bear the brunt of the hit, not the institutions.
The University of Maryland had over 300 cards with sequential account numbers. The first 12 numbers of each card were identical, so criminals used an algorithm that randomly chose the last four digits. The institution’s bank knew the run was happening almost immediately and requested that its fraud team be left alone to “handle the issue.” The University let the bank handle it for a few months, but when fraudulent charges began showing up on half its cards, the university cancelled the entire issue of cards and established new accounts.
The University of Montana fielded numerous fraudulent card charges, mostly in four-digit amounts ($1,000 through $9,999 each). Thanks to excellent processing checks and balances, no fraudulent card charges were actually paid.
According to news reports about the incidents, no one has been caught and punished for any of these attacks. Because we can identify three large and highly reputable institutions at which these attacks occurred, it is likely that they are happening, discovered or undiscovered, at many institutions of higher education and at thousands of public agencies throughout the nation.
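The pattern described above (a burst of authorization attempts against numerically adjacent card numbers that share one issuer prefix, most of them declined, until one is approved) is something an issuer or P-Card administrator can look for in authorization logs. The following is an added example, not code from the article or from any of the banks or institutions it mentions. It assumes a log of (merchant, card number, timestamp, result) records; the sample records, the 4000 0000 0000 prefix and the thresholds are constructed for illustration. The Luhn check is the check-digit test the card associations use, which is why a generated list contains only numbers that pass it.

```python
"""Detect a suspected 'creditmaster run' in an authorization log (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test.

    Malformed numbers never reach the issuer, so they are ignored when
    counting how many distinct card numbers a merchant has tried.
    """
    pan = pan.replace(" ", "")
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Constructed sample log: (merchant, card number, ISO timestamp, result).
# The first 12 digits are identical, as in the sequential-account case above.
SAMPLE_LOG = [
    ("autoparts-1", "4000000000000002", "2004-11-02T09:00:00", "declined"),
    ("autoparts-1", "4000000000000010", "2004-11-02T09:00:20", "declined"),
    ("autoparts-1", "4000000000000028", "2004-11-02T09:00:45", "declined"),
    ("autoparts-1", "4000000000000036", "2004-11-02T09:01:10", "declined"),
    ("autoparts-1", "4000000000000044", "2004-11-02T09:01:30", "approved"),
    ("autoparts-1", "4000000000000045", "2004-11-02T09:01:40", "declined"),  # fails Luhn
    ("bookstore-7", "4000000000000051", "2004-11-02T14:12:00", "approved"),
]


def detect_creditmaster_runs(log, window_minutes=10, min_distinct_cards=4, prefix_len=12):
    """Flag (merchant, prefix) groups in which many distinct, Luhn-valid card
    numbers sharing one prefix are tried within a short time window.

    Returns one alert per flagged group, listing the numbers that were approved
    so the administrator knows which accounts to cancel first.
    """
    groups = defaultdict(list)
    for merchant, pan, ts, result in log:
        if not luhn_valid(pan):
            continue
        groups[(merchant, pan[:prefix_len])].append((datetime.fromisoformat(ts), pan, result))

    window = timedelta(minutes=window_minutes)
    alerts = []
    for (merchant, prefix), attempts in groups.items():
        attempts.sort()
        best_cluster, best_cards = [], set()
        start = 0
        for end in range(len(attempts)):          # sliding window over sorted attempts
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            cluster = attempts[start:end + 1]
            cards = {pan for _, pan, _ in cluster}
            if len(cards) > len(best_cards):
                best_cluster, best_cards = cluster, cards
        if len(best_cards) >= min_distinct_cards:
            alerts.append({
                "merchant": merchant,
                "prefix": prefix,
                "distinct_cards": len(best_cards),
                "first_seen": best_cluster[0][0].isoformat(),
                "last_seen": best_cluster[-1][0].isoformat(),
                "approved": sorted(pan for _, pan, r in best_cluster if r == "approved"),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_creditmaster_runs(SAMPLE_LOG):
        print(alert)
```

The thresholds (four distinct numbers within ten minutes) are deliberately low for the sample; in practice they would be tuned against a merchant's normal volume, and the same grouping can be run per issuer prefix across all merchants, since a run may be spread over many vendors as in the Delaware case.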
Story Number Two—The “Georgia Tech 1,000-File Intrusion”
In the early morning hours of Sunday, March 9, 2004, computer hackers circumvented the Georgia Institute of Technology’s server security and gained access to a server in the business office. The intrusion resulted in the downloading of some 350 gigabytes of data from that server, giving the intruder access to 1,000 personal files that dated as far back as July 1, 2000, and included such items as:
- Travel and reimbursement vouchers,
- Credit card numbers,
- Social security numbers,
- Driver’s license numbers,
- Digital signatures,
- Images of receipts,
- Employee addresses and phone numbers,
- IDs and passwords for access into the P-Card system,
- Account numbers and expiration dates, and
- Employee ID numbers.
Although no criminal activity resulting from the security breach has yet occurred, potentially serious ramifications might surface at any time. To head off problems, Georgia Tech took all possible steps within its domain to deal with its processes, the compromised information, and the owners of that information.
Nevertheless, it could be years before this theft actually results in rebound criminal activity. The 1,000 staff members affected were immediately notified, counseled, and protected, yet may never know if and when their information is being used for illegitimate purposes on credit reports, gun registrations, or passport applications.
Story Number Three—The “Louisiana Skimming Incident”
A relatively new type of fraud, called “skimming,” depends upon credit cards to access personal and institutional bank accounts.
This fraudulent action can happen while your credit card is in your pocket, even if you’ve never given the number over the phone or the Internet. All you have to do is use your credit card, personal or institutional, to buy something.
Skimming can happen anytime after you use a charge card, and just recently happened to a Cincinnati couple.
Brian and Jenny Little received a shock last year when their credit union called to ask if they’d been shopping in Louisiana. They’d never been to the state, but someone used their credit card to buy goods at a New Orleans Wal-Mart, then at a McDonald’s drive-through, and twice at a Shell gas station, all in a four-hour period.
Eight hours later, the Littles’ checking and savings accounts were depleted. Fortunately for them, after finding out Brian and Jenny didn’t use the card, their credit union put the stolen money back into their accounts and, of course, cancelled the card and changed all account numbers. Many victims of skimming are not so fortunate.
Here’s how skimming works. If someone can get possession of a credit card, perhaps only for a few seconds, the card and its magnetic stripe can be scanned through a readily available card reader. All information on the magnetic stripe is copied. In turn, a bogus hard copy of the card can be generated, or the information simply can be used electronically or by voice. And away the criminals go, with an exact copy of your card, spending your money at any place that accepts credit cards.
Skimming usually happens when you use your credit card to buy an item and a dishonest clerk palms the card for a few seconds, runs it through a skimming machine, and manufactures a counterfeit copy of your card sometime later. Small restaurants and shops are the most likely venues for skimming, although an unscrupulous clerk with a $50 skimming machine (no larger than an alarm clock hidden behind a counter) can record hundreds of cards in one shift. The counterfeit card may be only “electronic” or may be a perfect physical copy, depending upon the type of reader and the criminal’s modus operandi.
The only prevention against skimming is to watch your credit card closely and never let it out of your sight. Watch the swiping and the receipt that comes out of the swiper. Then get the card back immediately.
Story Number Four—The “Australian Incident”
In this case, it wasn’t just a few hundred dollars at stake. Instead, the incident involved a $100 million global fraud.
The County Court of the State of Victoria was told that Victoria police had uncovered technology never before seen in Australia.
Police who searched Wee Heong Toeh’s house as a result of a bogus liquor store purchase found a device called a modem line tap, which can be used to intercept credit card information being sent via telephone lines during EFTPOS (Electronic Funds Transfer at Point of Sale) purchases.
The police found 770 credit card numbers in Toeh’s possession, most being identified as stolen from a bank in Trinidad. The bank from which the numbers were stolen has estimated losses of more than US$100 million. Police believe that 30 banks may have been affected by the scam.
Receipts for diamonds, Christian Dior and Cartier products, Mont Blanc pens, and Rolex watches were found during a search of Toeh’s house.
The modem line tap device, which has other legal purposes, can translate the tones that are made during telephone line transactions into readable data, including card numbers. This method of stealing card numbers is also called “skimming,” and stolen numbers can then be used on counterfeit electronic or physical credit cards to make purchases.
One method of skimming that Toeh probably used to obtain credit card numbers was to install the modem tap device on the telephone exchanges of shopping centers. Because communications utility rooms in malls and businesses are accessible by almost anyone with a uniform and a set of lock-picking instruments, installing such a device in broad daylight is a simple task for any person having rudimentary wiring skills, including criminals in many foreign countries. Once installed, the device can go undetected until it’s actually discovered by an honest technician.
No direct defense can prevent electronic skimming other than not having a credit card at all.
What Can You Do?
No article on procurement card fraud would be complete without offering the traditional warnings, so here they are, followed by some recourses that are not so common.
Primary defenses include:
• Review credit card transactions monthly, if not weekly.
• Keep e-mail addresses and phone numbers updated with your P-Card program administrator.
• Sign the card.
• When the card is not in use, keep the card in an accessible but secure location.
• Limit each card to a single user. The cardholder whose name appears on the front of the card should be the ONLY authorized user of the card—do not allow substitute or multiple users. NEVER issue department cards.
• Shred all documents and receipts containing card account information, including credit card statements, bank statements, credit reports, checks from credit companies, or any important documents with personal or agency information. Do not throw these documents away.
• If you suspect fraudulent activity, notify your P-Card administrator IMMEDIATELY. If you can’t reach him or her immediately (minutes count), notify your bank.
• Do not provide social security numbers on bank checks or on a driver’s license.
• Be judicious about submitting any information over the Internet.
• Contact all credit bureaus and request a copy of your personal credit report at regular intervals (every six months) and specifically look for fraudulent activity.
• Check every receipt after every card purchase.
Most state laws now prohibit businesses from printing more than the last five digits of a credit card number and/or the expiration date of the card on an electronically generated customer receipt, but listing all the digits still happens every day and should be reported to the business, the card administrator, and the Federal Trade Commission (FTC) whenever you notice it.
All these safeguards are, or should be, standard practices, although they probably will not deflect a determined thief.
Compromised Information
If you think that any of your information may have been compromised, contact the credit reporting agencies listed below, tell them that your personal information may have been compromised, and request a credit report. There is no need to pay anyone to obtain this information, unless you want the process expedited. The service is free if you suspect fraud.
- Equifax 800-525-6285
- Experian 888-397-3742
- TransUnion 800-680-7289
Ask each bureau for a copy of your credit report. After reviewing your credit report, contact all banks and credit card companies where fraudulent credit has been established and ask that a password be set up for all future account changes. Follow up all requests in writing.
Also, if you suspect fraud, inform your credit card companies and/or your procurement card administrator that your credit card number may have been compromised. The phone number for your company should be on the back of each credit card. If not, contact the financial institution through which you received the card, then:
- Notify each of the above numbers of potential or actual fraudulent activity concerning your identity or credit and follow up in writing.
- Ask that a “Hawk” or “Fraud” alert be placed on your credit account so that you will be contacted each time an inquiry is made concerning your credit.
- File affidavits of forgery with all banks and creditors where credit has been established.
- File a police report with the local law enforcement authorities and obtain a copy of the police report.
- Follow up with the credit bureaus and request copies of your credit report every three months until your credit is clear.
Some Not-So-Common Credit Card Fraud Options
Most of the following options are available from your bank or credit card providers. Some safeguards may have to be purchased as extras or may only be available from third-party software providers.
• Payer Authentication (“Verified by Visa,” “MasterCard SecureCode”). These programs, offered by the card associations, verify cardholder identity at the time a transaction is initiated by asking the purchaser to enter a password or PIN. Depending on the card brand, fraud liability is shifted to the issuing bank for transactions that are authenticated.
• Card Verification Number Check. This feature is available as a part of the card authorization process. The service validates whether the three- or four-digit number printed on the back of the card matches that purchaser’s 16-digit card number.
• Address Verification Service (AVS). This service is provided by the banking network as a standard part of the credit card authorization process and evaluates whether the address information on file with the card issuing bank matches that of the purchaser.
• CyberSource. CyberSource Corp. provides a series of anti-fraud options that support the built-in fraud protection services provided by your processing network, including Address Verification Service (AVS) and Card Verification Value. Your bank may have a different name for this service.
• Decision Management Solutions. This software allows business managers or P-Card administrators to control all fraud tools and set rules for order acceptance using a user-friendly “dashboard”—no computer coding is required. The software evaluates inbound transactions in real time and determines whether they should be accepted, rejected, or reviewed based on the rules set by the administrator.
• Advanced Fraud Screen (AFS). This option is built into the Decision Management solutions and works with all card brands. It calculates the risk associated with an order and returns a “risk score” in real time.
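The rule-based screening the last three items describe (signals from the authorization network combined into a real-time risk score, with accept/review/reject thresholds set by an administrator) can be sketched in a few dozen lines. The following is an added example and is not CyberSource’s product, its scoring model, or any bank’s; the signal weights, thresholds, and the four constructed transactions are assumptions chosen to mirror the warning signs in the stories above (foreign shipping address, orders placed through a relay service, four-digit amounts, mismatched card verification number).

```python
"""Illustrative rule-based transaction screening (added example, assumed weights)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Transaction:
    amount: float
    avs_result: str      # "match", "partial", "no_match" or "unavailable" (from AVS)
    cvn_result: str      # "match", "no_match" or "not_provided" (card verification number)
    authenticated: bool  # payer authentication (password/PIN step) succeeded
    ship_country: str    # country of the shipping address
    bill_country: str    # country of the address on file with the issuing bank
    channel: str         # "web", "phone" or "relay" (order placed via a text-relay service)


# Assumed weights: the kind of rules an administrator would set on a dashboard.
WEIGHTS = {
    "cvn_no_match": 60,
    "cvn_not_provided": 20,
    "avs_no_match": 30,
    "avs_weak": 10,
    "ship_bill_mismatch": 25,
    "high_amount": 15,
    "relay_channel": 20,
    "authenticated": -30,   # liability shifts to the issuer, so risk is discounted
}
HIGH_AMOUNT = 1000.0        # four-digit amounts, as in the Montana charges
REVIEW_AT, REJECT_AT = 40, 70


def risk_score(tx: Transaction) -> Tuple[int, List[str]]:
    """Sum the weights of every signal that fires and return the score with reasons."""
    score, reasons = 0, []

    def hit(key: str, why: str) -> None:
        nonlocal score
        score += WEIGHTS[key]
        reasons.append(why)

    if tx.cvn_result == "no_match":
        hit("cvn_no_match", "card verification number does not match")
    elif tx.cvn_result == "not_provided":
        hit("cvn_not_provided", "card verification number not provided")
    if tx.avs_result == "no_match":
        hit("avs_no_match", "address does not match issuer records")
    elif tx.avs_result in ("partial", "unavailable"):
        hit("avs_weak", "address check inconclusive")
    if tx.ship_country != tx.bill_country:
        hit("ship_bill_mismatch", f"ships to {tx.ship_country}, billed in {tx.bill_country}")
    if tx.amount >= HIGH_AMOUNT:
        hit("high_amount", f"amount {tx.amount:.2f} at or above {HIGH_AMOUNT:.0f}")
    if tx.channel == "relay":
        hit("relay_channel", "order placed through a relay service")
    if tx.authenticated:
        hit("authenticated", "payer authenticated by card association program")
    return max(score, 0), reasons


def decide(tx: Transaction) -> Tuple[str, int, List[str]]:
    """Map the score onto the administrator's accept/review/reject thresholds."""
    score, reasons = risk_score(tx)
    if score >= REJECT_AT:
        decision = "reject"
    elif score >= REVIEW_AT:
        decision = "review"
    else:
        decision = "accept"
    return decision, score, reasons


# Constructed transactions for illustration.
SUSPICIOUS = Transaction(2500.0, "no_match", "not_provided", False, "NG", "US", "relay")
ROUTINE = Transaction(120.0, "match", "match", False, "US", "US", "web")
BORDERLINE = Transaction(1500.0, "no_match", "match", False, "US", "US", "web")
BORDERLINE_AUTHENTICATED = Transaction(1500.0, "no_match", "match", True, "US", "US", "web")

if __name__ == "__main__":
    for tx in (SUSPICIOUS, ROUTINE, BORDERLINE, BORDERLINE_AUTHENTICATED):
        print(decide(tx))
```

The two borderline transactions differ only in whether payer authentication succeeded, which is the point of the liability-shift programs: the same order that would otherwise be held for review clears once the cardholder has been authenticated. Real products weight many more signals (velocity, device, order history) and tune the thresholds per merchant, but the structure is the same.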
Additional Protections From Credit Card Fraud
The FTC maintains a national database for victims of identity theft. Some contacts are:
- Federal Trade Commission: 877-ID-THEFT;
- Social Security Administration Fraud Hotline: 800-269-0271.
The FTC issues a pamphlet called “ID Theft” that provides tips on detecting and avoiding credit card and identity theft. Copies of the pamphlet are available at www.govinfo.bz/5196-201.
Above all, guard your card. In the wrong hands, it’s a printing press for endless stacks of green by those with ill intent.
Editor’s Note:
Lloyd Rain is the former Director of Purchasing Services (retired) at Lane Community College, Eugene, OR.
Born in Toronto, Rain spent most of his life in the United States but returned to Canada after obtaining his first degree in communications and geography from the University of Miami. He spent six years in the Royal Canadian Air Force as a pilot, then resigned to attend the University of British Columbia. Rain moved back to the U.S. after completing his second degree (architecture). He became a U.S. citizen in 1980.
As Director of Purchasing at Lane Community College, Rain administered $20 million in purchases each year and, in his last three or four years, an additional $60 million of bond funds.
Since his retirement, he has been the sole proprietor of Lloyd Rain Associates, dedicated to the provision of solicitations for public agencies. He sits on several public agency boards and recently completed service on the Rules Advisory Committee for revising Oregon’s State Purchasing Rules. In addition, Rain has handled solicitations for the City of Eugene, the State of Oregon, Portland Public Schools, Housing Authority of Portland, and numerous community colleges.
Rain is a frequent contributor to the National Association of Educational Buyers’ Educational Procurement Journal. He has given presentations at numerous NAEB Annual Meetings and writes a monthly article for the NAEB online publication, Purchasing Link.
For additional information about Lloyd Rain Associates, visit www.govinfo.bz/5196-202.
References
—EFTPOS (Electronic Funds Transfer at Point of Sale) is one of the many acronyms for paying by credit card wherein the money is transferred directly to the vendor from your bank account immediately upon conclusion of the transaction. Domestically, we think of it simply as a “debit card transaction.” However, in international purchases it takes on additional, somewhat sinister, significance, especially because of the difficulty of reversing a fraudulent transaction or one in which the exchange rate is miscalculated. The Catch-22 is this: Many vendors are reluctant to reverse an international transaction, not only because they have the money in hand and the likelihood of a merchandise return is low, but the reversing transaction itself may be fraudulent.
—This article is not an endorsement of CyberSource Corp. The company name is used as an example only. Your bank or network provider may have similar services from different sources. CyberSource provides businesses with services and software designed to automate the e-commerce transaction process. The company began developing electronic payment and fraud detection technology in 1996, at the dawn of the e-commerce industry. CyberSource specializes in card-not-present transaction environments, multiple-channel environments, back-office solutions to transactions, and fraud detection. Other companies also provide some or all of these services, including Cardwatch, Internet Concepts, Inc., and Quickbooks Merchant Services by Intuit.
—After Sept. 1, 2005, all American consumers became entitled to free credit reports. If you make your request online, you can view your credit report within minutes. Americans can get such reports (but not credit scores) once a year from each of the big three companies that maintain credit histories. Visit www.govinfo.bz/5196-203 for information on how to obtain the reports for Equifax, Experian, and TransUnion. Consumers also can call 877-322-8228 toll free or write to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281, but these requests take 15 days to process. Beware of companies that try to pressure you into buying related financial products or credit reports more frequently.