General security

E -Money Fraud

Daniel Dimov
May 9, 2013 by
Daniel Dimov

1. Introduction

Electronic money (e-money) is the digital equivalent of cash that is stored on an electronic device or remotely at a server. It is a relatively new payment instrument that has been developed to provide a more secure form of transaction and to facilitate electronic commerce. A typical example of e-money is Proton. It is an electronic purse application for debit cards in Belgium. The goal of Proton is to replace cash —primarily for small transactions around the 15 EUR. For security reasons, the card is limited to storing 125 EUR of available electronic cash. The main advantage of Proton is that merchants can accept payments without the need for using a bank terminal.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Below, in order to provide a better understanding of e-money, I use two criteria to differentiate four categories of e-money schemes. These criteria are the means used for storing e-money and the identification of the user of e-money.

Based on the means used for storing the e-money, e-money schemes can be divided into (1) card-based e-money schemes and (2) network-based e-money schemes. Card based e-money is stored on cards that can be used for making payments so that the user of the card does not need to use cash. The e-money cards contain a portable magnetic tape that carries the information required for making payments. Network-based e-money refers to e-money transactions conducted via telecommunication networks, such as the Internet. Network-based e-money is well suited for e-commerce payments.

Based on the identification of the user of e-money, e-money schemes can be divided into (3) anonymous e-money schemes, and  (4) identified e-money schemes. While anonymous e-money schemes do not reveal the identity of the user, identified e-money schemes always reveal the identity of the user. Anonymous e-money schemes are regarded as a digital analog of cash.

This article examines e-money fraud. Specifically, it examines five types of e-money fraud —the duplication of e-money cards (Section 2), alteration or duplication of data or software (Section 3), theft of e-money cards (Section 4), repudiation of transactions (Section 5), and money laundering (Section 6). Finally, a conclusion is drawn (Section 7).

2. Duplication of e-money cards

When e-money is stored on a card, the criminals may create a duplicate of that card that function as a genuine, but contains fake balances. In order to duplicate a card used for e-money transactions, the criminal would need to have a high level of expertise and resources. The reason is that the duplication of such cards requires obtaining the same type of chip card and software. It should be noted that e-money cards include prepaid and gift cards. Both types of cards can be unlawfully duplicated.

A gift card can be defined as a preloaded debit card allowing the cardholder to use it for the purchase of goods or services. In 2010, the Federal Reserve estimated that 17% of Americans are using gift cards. A prepaid card contains a preloaded amount of funds. It is issued by a financial institution, and is used like a normal credit card. An important difference between gift cards and prepaid cards is that while gift cards are anonymous, prepaid cards are normally issued in the name of individual account holders.

The 2008 RBS WorldPay incident is a good example of an incident involving the use of cloned prepaid cards. By cloning thousands of prepaid cards, the criminals stole 9,000,000 USD from 2,100 cash machines in 280 cities. In order to obtain the data required for creating forged cards, the criminals broke into RBS WorldPay systems. The incident was one of the first globally coordinated attacks affecting the payments industry.

In 2012, a federal judge in Atlanta delivered the first verdict related to the RBS WorldPay incident. S.M., a 45-year-old Chicago resident, who was one of the leaders of the attack was sentenced to 30 months imprisonment and ordered to pay 89 000 USD in restitution. In relation to the case, Sally Quillian Yates, the U.S. Attorney for Northern Georgia, said that:

"This case demonstrates the growing expertise and reach of law enforcement in combating international cyber criminals. (…) We will continue to work with our law enforcement partners throughout the world to investigate and prosecute those who defraud victims in the United States, wherever the perpetrators may be."

3. Alteration or duplication of data or software

Another crime concerning e-money is the unauthorized modification of data stored on a genuine electronic money device. For instance, the criminals may fraudulently increase the balance recorded on an e-money card. A modification of data on an e-money card could be performed either by exploiting security weaknesses in the software or by physical attacks on the chip itself.

The FIS incident is illustration of an attack exploiting security weaknesses in software. In 2011, criminals changed the withdrawal limits of prepaid cards issued by the Fidelity National Information Services Inc. (FIS), a Florida-based financial institution. The balances on these prepaid cards were stored in a central database, and not on the cards themselves. After increasing or eliminating the withdrawal limits for 22 prepaid cards that they had obtained, the criminals cloned the prepaid cards and withdrew 13,000,000 USD.

The Edmonton incident is an example of an incident involving a physical attack on the chip of e-money cards. In 2007, the Police in Edmonton, USA, arrested a 26-year-old man that used a fake reader to modify the cards. By modifying the magstripes of genuine bank gift cards, the criminal was able to use the gift cards like cash. It is worth mentioning that, in order to modify the magstripes, the criminal compromised not only the security code on the magstripe but also automated systems that warn the bank issuing the gift cards for suspicious transactions.

4. Theft of e-money cards

Another type of e-money fraud is the theft of gift and prepaid cards. A case illustrating a theft of gift cards has recently happened in the United States. In the beginning of 2013, a former postal worker in the USA was accused of stealing and using gift cards from customers while delivering post. After several customers complained of missing gift cards, the United States Postal Service Office started investigating one of its employees. It is interesting to note that the investigators used a test letter marked "U.S. Currency." The letter contained 40 USD and a device informing the investigators when someone opens the letter. Shortly after leaving the post office, the device indicated that the letter was opened. Agents went to employee's postal vehicle and took her into custody. In the vehicle, they found a Visa gift card addressed to a customer of the United States Postal Service Office.

5. Repudiation of transactions

A user of e-money card may fraudulently claim that he/she did not authorize a transaction made with his e-money card. This kind of fraud usually takes one of the following three forms: (1) the user claims that he never received an item ordered online; (2) the user claims that he received the wrong item ordered online; (3) the user claims that he had his credit card stolen and was charged for items he did not order. Through such a fraud scheme, cardholders may receive goods and services without paying for them.

According to Robert W. Botelle, the chief customer officer at the US-based payments intelligence and processing platform "Litle & Co.," such a claim is called "friendly fraud." Robert W. Botelle stated that more consumers have resorted to it because of the pressures of the recession. A study published in 2011 by Javelin Strategy & Research and LexisNexis reveals that losses caused by "friendly fraud" amount to 20 % of all losses suffered by merchants in the United States. Friendly fraud has a significant impact on the digital products market because, due to the non face-to-face nature of the transactions, it is difficult for merchants to prove that their clients received the purchased goods or services.

6. Money laundering

In most jurisdictions, money laundering is a criminal offence. It is defined by Interpol as "any act or attempted act to conceal or disguise the identity of illegally obtained proceeds so that they appear to have originated from legitimate sources (See http://www.interpol.int/Crime-areas/Financial-crime/Money-laundering)."

E-money systems can be attractive to money launderers because of two reasons — untraceability and mobility of e-money. The e-money systems are untraceable because the parties to the transaction can deal with each other directly without the need of identification and the intervention of a financial institution. In relation to the mobility of e-money, it should be noted that e-money systems may be used for making international transfers of funds to a country that does not have legal protection against money laundering.

7. Conclusion

Since its creation, the form of money has been subject to a perpetual change. In the past, societies used shell money, pieces of metals, gold and silver coins, and other forms of money. Today, we face the next change in the form of money and, in particular, the shift from paper money to electronic money. If implemented with due regard to information security, electronic money has the potential to become an important form of currency in the digital world.

This article has described various types of e-money fraud. The prevention measures against these types of fraud should include the adoption of strategies in which close cooperation will exist between all actors involved in providing and using e-money systems. These actors include individual users, retail merchants, services providers, telecommunications carriers and financial institutions. It should be noted that the adopted strategies should allow a quick identification of the weakness in e-money systems.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Because of the technical complexity of e-money cards and applications, a single organization may not be able to assess the security risks related to an e-money product.
That is why it is preferable if the organizations use an integrated approach to security, including independent security assessments, to assess the security risks.

Daniel Dimov
Daniel Dimov

Dr. Daniel Dimov is the founder of Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. Daniel is a fellow of the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Society (ISOC). He did traineeships with the European Commission (Brussels), European Digital Rights (Brussels), and the Institute for EU and International law “T.M.C. Asser Institute” (The Hague). Daniel received a Ph.D. in law from the Center for Law in the Information Society at Leiden University, the Netherlands. He has a Master's Degree in European law (The Netherlands), a Master's Degree in Bulgarian Law (Bulgaria), and a certificate in Public International Law from The Hague Academy of International law.