​The Make Your Own Credit Card Scam

Although some retailers can be easily duped by fake credit cards, cards with smart chips are dramatically reducing card fraud.

Comments Views

​Five individuals allegedly used fake credit cards to steal more than $500,000 in merchandise from HomeGoods, Marshalls, and TJ Maxx stores, WABC reports. Police in Westchester County, N.Y. say the group created fake credit cards for the three stores and purchased items with those cards until the stores discovered they were fraudulent. Police charged the individuals with multiple counts of grand larceny and are investigating whether the group's alleged activities extended beyond Westchester County.

Lessons Learned

The value of the goods and money allegedly stolen by the fraudsters in this story pales in comparison with the billions of dollars lost in the past two decades to hackers, skimmers, and other kinds of credit card and identity thieves. Yet, it is still easy for criminals to manufacture fake credit cards and IDs to commit fraud.

For example, it is legal to purchase a credit card embosser, but it is illegal to use it to commit credit card fraud. These machines can be bought for $1,000 to $3,000, including on the internet. Moreover, there are plenty of videos that show in detail how to make fake credit cards and IDs. In addition, anyone can purchase a magnetic stripe reader (skimmer) for $5 to $10.

What more can be done to help prevent this kind of fraud? Here are some suggestions for regulators, financial institutions, retailers, and auditors.

  • Restrict the availability of credit card embossing and other similar machines. While there can be legitimate reasons why individuals would own these machines, requiring greater background checks before allowing such purchases to take place could help prevent them from being used illegitimately.

  • Extend the use of two-factor authentication in conducting financial transactions. Whether it is a password, personal identification number (PIN), or code sent to a verified location for a card not present transaction, these technologies are helping reduce fraud. More particularly, accelerating the deployment of smart chip technology — known as Europay, MasterCard, and Visa (EMV) — is a significant way to prevent credit card fraud.

    Widely used in Canada, Europe, and other countries, EMV-based cards are much more secure and harder to hack, at least from a skimming point of view, and they also require a PIN. Counterfeit fraud rates decreased more than 50% in the U.S. between 2016 and 2017 as a result of EMV adoption by merchants, according to MasterCard and Visa.

    Being EMV-compliant requires having a terminal or point of sale system that can process credit cards with chips embedded in them. Switching to a credit card terminal that can accept chip cards comes with a cost and currently is not mandatory. However, businesses that do not have EMV-compliant terminals risk incurring financial responsibility for any credit card fraud that happens. Not only can business owners protect themselves by becoming EMV-compliant, but they also can contribute to the overall effort to combat credit card fraud.

  • Retailers and banks need to move away from using magnetic stripes. In addition to the transition costs, some critics say people won't use their credit cards as often if they have to enter a PIN. Yet, a dual EMV/magnetic stripe system invites fraudsters to simply avoid using the chip technology. That said, many retailers are using a system that requires the use of the chip on a credit card where available.

    Alternatively, some retailers are moving to a system where consumers can just tap their cards without entering a PIN, or even just have their cards in their pockets. This type of system is not secure, though — anyone with the right equipment can sit in his or her car and intercept transaction information.

  • Retailers and auditors should review transaction processes to ensure there are adequate controls in place. This review needs to include the policies and processes around transaction processes as well as whether employees are trained and required to comply with them.

    First, inspect the credit card before processing. Indications of tampering or damages may include embossing on the card that isn't clear or straight, a hologram that is rough and not three-dimensional, and signs of tampering on the front and back of the card.

    Second, ask for customer identification before accepting a credit card and verify that the information between the shopper's ID and his or her payment card match. Specifically, keep an eye out for the shopper's name and signature.

    Third, compare the account number on the card with the number in the terminal and receipt. Regardless of whether a card is swiped, tapped, or inserted into the machine, verify that the digits on the card match the ones in the retailer's terminal. Examine the printed receipt to see if the last four numbers on the card match the ones on the receipt. When there is doubt, make an authorization request. Doing so will connect the retailer to the card issuer, who will then ask a series of yes or no questions to avoid alerting the customer that his or her card is being flagged.

    Fourth, be aware of the business' purchasing averages and patterns. If a transaction falls completely outside of those averages, or a daily maximum is reached (as in this story), pay close attention to that transaction and take extra steps to verify the card's authenticity.
Art Stewart
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to remove comments.

About the Author



Art StewartArt Stewart<p>​Art Stewart is an independent management consultant with more than 35 years of experience in internal audit, financial management, performance measurement, governance, and strategic policy planning.​​​</p>https://iaonline.theiia.org/authors/Pages/Art-Stewart.aspx


Comment on this article

comments powered by Disqus
  • AuditBoard-April-2021-Premium-1
  • PwC-April-2021-Premium-2
  • Pulse-of-Internal-Audit-April-2021-Premium-3



Thanks, We Already Know Thathttps://iaonline.theiia.org/blogs/jacka/2020/Pages/Thanks-We-Already-Know-That.aspxThanks, We Already Know That
U.S. SEC: Environmental, Social, and Governance Risks Better Be on Your Radarhttps://iaonline.theiia.org/blogs/chambers/2021/Pages/US-SEC-Environmental-Social-and-Governance-Risks-Better-Be-on-Your-Radar.aspxU.S. SEC: Environmental, Social, and Governance Risks Better Be on Your Radar
Six Data Privacy Predictions for 2020https://iaonline.theiia.org/blogs/Jim-Pelletier/2020/Pages/Six-Data-Privacy-Predictions-for-2020.aspxSix Data Privacy Predictions for 2020
Public Servants Are Vital to Defeating COVID-19https://iaonline.theiia.org/blogs/chambers/2020/Pages/Public-Servants-Are-Vital-to-Defeating-COVID-19.aspxPublic Servants Are Vital to Defeating COVID-19