How credit card fraud detection works

Published September 14, 2015   Posted in Having some fun

A few weeks ago I got a text, email and telephone call from my credit card company alerting me to a charge that may be fraudulent.  My card number was used to make a $90-some dollar purchase at a woman’s retailer and they asked for confirmation that I actually made the purchase.


I didn’t.  In fact, I hadn’t used that particular card all day.  This was indeed fraud, and the credit card company caught it, verified it with me and subsequently canceled the credit card and mailed me a new one.  This was a well-oiled process and worked well, and it got me thinking – how does all this work?  How do credit card companies detect fraud on my account before I can?

How credit card fraud detection worksHow does credit card fraud detection actually work?

I did some research, and the process is truly quite fascinating.  Through a fine-grained process of analyzing credit card transactions and recognizing patterns and spending profiles, credit card companies can easily (and automatically) pick transactions that might be fraud.

Credit card companies, banks and other merchants have a vested interest in curbing as much credit card fraud as possible.  According to a Forbes article, credit card fraud costs merchants around $190 billion every year.  Much of this fraud happens online because the thief does not actually need your card in his or her possession to make a purchase.

The bottom line is very simple: you’re being tracked with your credit card.  Every purchase you make, your credit card company “knows” – not just in transaction logs that never really get used, but in systems that determine the validity of purchases.  Your spending habits are critical to determine your individual spending profile, and this profile is used to detected fraud.

The easiest way that credit card companies identify credit card fraud is by recognizing a break in spending patterns.  For example, if you live in Wichita, KS and suddenly your card is used to buy something in Bend, OR – that may tip the scales in favor of possible fraud, and your credit card company might decline the charges and ask you to verify them.

Examples of how these patterns work:

  • Location: Live in one place but make a purchase in another
  • What you buy: If your card is commonly used to buy your morning cup of coffee and then a tank of gas, and out of the blue is used to buy a pair of expensive designer shoes
  • Spending amount: If you typically spend $500 / month, and suddenly rack up $3000 in a week
  • Spending frequency: If your card is used to make a large number of purchases over a short period of time
  • Large purchase after a smaller one: Thieves typically test stolen credit cards with smaller purchases first, such as a song from iTunes; if the card works, they will proceed to make another larger purchase, like an expensive camera, or television, or sound system
  • Digital origins: Ecommerce makes it easy for us to make purchases, but it also makes it easy for thieves to commit fraud; the digital origins of purchases are recorded and analyzed with each purchase; if an IP address had been used to commit fraud in the past, subsequent transactions from the same IP or network may be flagged

Banks also use information provided by their own customers to help identify possible fraud.  Credit card companies will record fraud attempts recognized by the customer rather than the credit card company and take steps to recognize similar charges on other customer’s credit cards.  If it’s fraud for one person, it may also be fraud for another.

The algorithms and processes that credit card companies use to determine fraud can be very complex.  For those who are more technically minded, this Wikipedia article provides a high level overview of the math involved.  Generally, these systems use techniques like clustering (mapping and linking common purchase attempts together), classification (labeling purchases in respect to their characteristics, like location, time, fraud probability, etc) and averaging to determine patterns of behavior.

There is much to fraud detection that we simply do not know about, for fairly obvious reasons.  The less that a thief knows about how fraud detection works, the more successful credit card companies will be in catching fraud attempts.

Why do thieves target the United States?

Unfortunately, the United States accounts for nearly half of all fraudulent credit card transaction across the entire world.  Why would thieves target a country with advanced fraud detection networks in place?

Because we have credit cards, and lots of them. 

In fact, more than 70% of Americans have at least one credit card in their possession.  In terms of pure numbers, the U.S. Census Bureau reports that in 2008, 1.49 billion cards were in circulation – including both debit and credit.  That’s a ton of cards.  Americans are ripe for thieves to target as possible victims, assuming that if they’re able to get passed automated credit card fraud detection services, many people simply won’t notice the charges, or even if they do, it will be too late to prevent.

Additionally, despite our fairly sophisticated fraud detection services, our nation still makes it fairly easy to obtain credit card numbers.

From an Economist.com report:

But America also makes things easy for fraudsters: alone among developed countries, it still relies exclusively on cards with magnetic strips, which are far less secure than the chip-and-PIN technology used elsewhere. This combines a personal code with a microchip from which it is harder to extract data than a magnetic strip.

In the end, fraud detection is big business and, at least in my experience, has worked fairly well.  It has tagged a few of my own purchases as fraud in the past, but the inconvenience that I experience is worth the added protection I get from real fraud, like what happened to me.

Have you experienced fraud on one of your credit cards?  Did your bank or credit card company catch it before you did?

We track our net worth using Personal Capital



Comments

10 responses to “How credit card fraud detection works”

  1. Chris Muller says:

    Really interesting article Steve! I’ve had fraud on my credit card that was caught before I noticed but also a time when I caught it before the bank. It also happened on my debit card. It’s actually very common, as you laid out in the article here. When I was a credit analyst, we looked high level for suspicious charges, but usually just forwarded those accounts on to the fraud department. One additional thing I’d look for, that’s extremely rare but a HUGE hit is check kiting. This is where people use a stolen credit card to write access checks (they also can just use a stolen check from your mailbox) to write against the line of credit. They write the check to themselves, usually for far more than the credit line allows, get the cash at a bank, and disappear. I’d encourage everyone reading this article to call their credit card companies and stop getting access checks delivered to their mailbox. It’s dangerous and an an easy way for criminals to make fraudulent charges on your card. Thanks again for this Steve – very helpful!

    • Steve says:

      Thanks for the comment, Chris. Agreed, those checks are annoying to get and, like you mentioned, introduce a potential risk if stolen. I had never thought about that particular element of this topic. Appreciate your thoughts!

  2. Ugh — Just dealt with this a few weeks ago, and it seems like it’s happening more and more often. Used to have a credit card fraud situation every couple of years, and now it seems like it’s once or twice every year. Sigh.

    What is amazing is how the credit card companies are continually stepping up their game to find the fraudulent transactions. I travel constantly, so charge things all over the place. I charge amounts large and small, and my bills vary hugely month to month, depending on how much work travel I’m doing. This should make it hard for Chase to know when a charge isn’t legit, but they nail it every time. The fraudulent charge this last time: a $1 charge at a website hosting site, which is definitely in the range of possibility for what I would charge. It seems this was the thieves’ “test charge,” and I’m just glad Chase caught it before they went off and bought the stereo system! 🙂

  3. Lisa says:

    We’ve also had real fraud discovered by the bank, and charges of our own that were tagged as fraud by the bank, but were legit. (Didn’t realize we should tell bank we were going on vacation to another state). As you mention though, the inconvenience of having to get a new card (for the real fraud) is worth the added protection. Since our fraudulent transactions were all online so far, we have one credit card that we use for all online purchases, and nothing else. If it is used fraudulently, and the bank cancels it, it doesn’t disrupt our finances too much.

  4. Maggie says:

    I love that they are good at catching it. I hate that they always have to send me new credit cards and I have to change the number on things (lazy). But I agree it’s worth it. Once, I purchased $40,000 worth of airplane tickets for an event (which was certainly over my highest spend month ever of around $5000) and nothing was flagged, but then the next day, I bought $200 worth of ferry tickets and those I had to approve.

  5. I’ve never understood why America is behind the times with something like chip and pin cards (the same goes for cheques as well, as I’ve written about recently here http://insideraccountant.com/2015/08/23/when-will-cheques-finally-die-out/), especially when the US leads the way in so many other things.

    We had our cards skimmed in 2008 and it cost $15k (which our bank repaid to us), and shortly thereafter Australia began switching to chip and pin cards. The UK had this technology well before this too, so it bewilders me that the US hasn’t rolled this technology out to all cards. The same goes with contactless payments, which for some reason the US is really onot starting to ramp up now when other countries have had them for ages.

    • Steve says:

      Sadly, the United States – with all the technology that we have at our disposal, still suffers from using older technology. This is just one example, unfortunately.

  6. Mr. SSC says:

    I had my credit info stolen twice, and the bank didn’t catch either. They recognized it immediately when I called to ask why I was suddenly overdrawn. There had been a deposit of 1 cent at an atm to test if they picked a legit account and when it worked, they spent over $1200 in rural NY in less than an hr. I should note I was living in Denver and had used my card to get gas that morning in Denver… Bank fail. 🙂
    The second time, was similar but the bank caught it before approving the first attempted charge. It was all refunded to my account immediately, but still a pain to deal with. Fortunately, I haven’t had any crazy ID theft to go along with it. That sounds like a nightmare and a half!

  7. […] confirm any card-not-present transactions. To fight fraud, card issuers have implemented important preventive measures such as contacting cardholders when purchases show marked deviation from their usual […]

Leave a Reply