Subscribe to this Blog

Subscribe Via Email

Enter your email address:

Thursday, April 06, 2006

Perils of Business 2 Business Credit Card processing - Hypothetical

Exploring the Perils of Business to Business Credit Card Processing

During a routine audit of credit card transactions, relatively small dollar frauds from credit card transactions are sometimes found. This sometimes can be part of a larger pattern. Apparently, the small time (assuming they are small time) fraudsters that put credit card transactions through a system realize that the targeted company may have identified their business names, addresses, phone numbers, fax numbers or several other identifying characteristics. They realize that we are highly dependent on computer systems to screen the incoming data for these unique characteristics. Here is where they get a little smart. Basically, they routinely submit and resubmit these small dollar orders with many variations of names, addresses, phone numbers etc. Sometimes the change can be as small as including an extra space ' ' between an address or company title for example 1 short street 1 short street 1 short street 1 s hort street 1 short street etc. Obviously, given the vast array of techniques that money launderers and fraudsters utilize this is just one more way that they can through a random variable at our systems and prevent the detection of their fraud. Fraud auditing and Business Intelligence tools today are available that not only screen for common names and addresses and screen for different degrees of variation of each. It takes a lot of computing power to aggressively take into account all of the permutations available for a fraudster altering names, locations, and phone numbers all at once and carrying out this same fraud at multiple locations probably with dollar amounts ranging all over the place. Consider the implications of a higher power or organization that has controls of thousands of fraudsters with many names and businesses and addresses and even many mules that can deposit or carry out transactions all over the world. The situation moves out of the credit card realm and into the universe of Money laundering and anti-money laundering. If one looks at this as a military group would or an encryption specialist, it is probable that a certain degree of control needs to be exercised for the launderer/fraudster controlling group to keep a handle on what is really going on. Security/encryption keys could be used and probably are (hope I'm not giving ideas on how to wrong but how to stop it). For example, in the military a person would be given an identification nomenclature. Whenever the person sends out a message they go through certain channels or predetermined communication methods. The thing is they don't want the other side to know who is sending the message so they change their nomenclature on a regular basis (daily, weekly, monthly etc.) All of their communications should be encrypted and when a wily person or computer program comes along and happens to break this code they end up finding some possibly useful information, but they do not know who it is coming from or who it is going to (because the parties refer to each other given the nomenclature assigned for that time period. So let's say the program or person is really smart or lucky and happens to figure out that the nomenclature abc stands for John Smith. Well more than likely the next day the transmissions if decoded will not refer to abc at all. John Smith will have switched to the new nomenclature assigned for that day maybe xyz or 123 or something else. Now it is time for the program or person to basically find out every nomenclature in use by the entity they are trying to track on any given day (maybe they rotate in cycles of a year, month, week or something). So lets say they are really good and they find out what John Smiths nomenclature is for every day of a 30 day period and that it starts over at the beginning of the next 30 day period. Great now they will always know who is sending what to whom. Unless John Smith, gets wise to the notion that somebody has broken their code and nomenclature. He sends out word that the code is a bust and every body up and switches all the encryption and nomenclature to a completely fresh code. This is where business intelligence job security derives. A company witnessing minor frauds or multiple frauds, might only see the tip of an evasive iceberg. They could potentially be looking at a group that is running not only a rotating nomenclature of false names, businesses and addresses, but they are also keeping these false nomenclatures live and undetected by inserting random misspellings and spaces to throw off our fraud detection filters!