How credit card fraud detection works
Credit card fraud detection happens through a fine-grained process of analyzing credit card transactions and recognizing patterns and spending profiles.
This post may contain affiliate links and/or paid placement. Click here to read our full disclosure.
A few weeks ago I got a text, email and telephone call from my credit card company alerting me to a charge that may be fraudulent. My card number was used to make a $90-some dollar purchase at a woman's retailer and they asked for confirmation that I actually made the purchase.
I didn't. In fact, I hadn't used that particular card all day. This was indeed fraud, and the credit card company caught it, verified it with me and subsequently canceled the credit card and mailed me a new one. This was a well-oiled process and worked well, and it got me thinking - how does all this work? How do credit card companies detect fraud on my account before I can?
How does credit card fraud detection actually work?
I did some research, and the process is truly quite fascinating. Through a fine-grained process of analyzing credit card transactions and recognizing patterns and spending profiles, credit card companies can easily (and automatically) pick transactions that might be fraud.
Credit card companies, banks and other merchants have a vested interest in curbing as much credit card fraud as possible. According to a Forbes article, credit card fraud costs merchants around $190 billion every year. Much of this fraud happens online because the thief does not actually need your card in his or her possession to make a purchase.
The bottom line is very simple: you're being tracked with your credit card. Every purchase you make, your credit card company "knows" - not just in transaction logs that never really get used, but in systems that determine the validity of purchases. Your spending habits are critical to determine your individual spending profile, and this profile is used to detected fraud.
The easiest way that credit card companies identify credit card fraud is by recognizing a break in spending patterns. For example, if you live in Wichita, KS and suddenly your card is used to buy something in Bend, OR - that may tip the scales in favor of possible fraud, and your credit card company might decline the charges and ask you to verify them.
Examples of how these patterns work:
- Location: Live in one place but make a purchase in another
- What you buy: If your card is commonly used to buy your morning cup of coffee and then a tank of gas, and out of the blue is used to buy a pair of expensive designer shoes
- Spending amount: If you typically spend $500 / month, and suddenly rack up $3000 in a week
- Spending frequency: If your card is used to make a large number of purchases over a short period of time
- Large purchase after a smaller one: Thieves typically test stolen credit cards with smaller purchases first, such as a song from iTunes; if the card works, they will proceed to make another larger purchase, like an expensive camera, or television, or sound system
- Digital origins: Ecommerce makes it easy for us to make purchases, but it also makes it easy for thieves to commit fraud; the digital origins of purchases are recorded and analyzed with each purchase; if an IP address had been used to commit fraud in the past, subsequent transactions from the same IP or network may be flagged
Banks also use information provided by their own customers to help identify possible fraud. Credit card companies will record fraud attempts recognized by the customer rather than the credit card company and take steps to recognize similar charges on other customer's credit cards. If it's fraud for one person, it may also be fraud for another.
The algorithms and processes that credit card companies use to determine fraud can be very complex. For those who are more technically minded, this Wikipedia article provides a high level overview of the math involved. Generally, these systems use techniques like clustering (mapping and linking common purchase attempts together), classification (labeling purchases in respect to their characteristics, like location, time, fraud probability, etc) and averaging to determine patterns of behavior.
There is much to fraud detection that we simply do not know about, for fairly obvious reasons. The less that a thief knows about how fraud detection works, the more successful credit card companies will be in catching fraud attempts.
Why do thieves target the United States?
Unfortunately, the United States accounts for nearly half of all fraudulent credit card transaction across the entire world. Why would thieves target a country with advanced fraud detection networks in place?
Because we have credit cards, and lots of them.
In fact, more than 70% of Americans have at least one credit card in their possession. In terms of pure numbers, the U.S. Census Bureau reports that in 2008, 1.49 billion cards were in circulation - including both debit and credit. That's a ton of cards. Americans are ripe for thieves to target as possible victims, assuming that if they're able to get passed automated credit card fraud detection services, many people simply won't notice the charges, or even if they do, it will be too late to prevent.
Additionally, despite our fairly sophisticated fraud detection services, our nation still makes it fairly easy to obtain credit card numbers.
From an Economist.com report:
But America also makes things easy for fraudsters: alone among developed countries, it still relies exclusively on cards with magnetic strips, which are far less secure than the chip-and-PIN technology used elsewhere. This combines a personal code with a microchip from which it is harder to extract data than a magnetic strip.
In the end, fraud detection is big business and, at least in my experience, has worked fairly well. It has tagged a few of my own purchases as fraud in the past, but the inconvenience that I experience is worth the added protection I get from real fraud, like what happened to me.
Have you experienced fraud on one of your credit cards? Did your bank or credit card company catch it before you did?