Financial Crime and New Payment Methods

Financial Crime Related to New Payments Methods

Prepaid Cards

  • Prepaid payment cards provide access to monetary funds paid in advance by the cardholder (FATF, 2006).
  • Cards may be issued by and accounts held at a depository institution or a non-bank organization.
  • Limited-purpose (or closed system) prepaid cards:
    • Used for a limited number of purposes or services.
    • Use is often restricted to specific points of sale, e.g., merchant-issued gift cards.
    • May be limited to the initial value loaded (non-reloadable) or allow the cardholder to add value (reloadable).
  • Multipurpose (or open-system) prepaid cards:
    • Used for multiple purposes.
    • May be used on a national or international scale.
    • May be used by the purchaser or someone else.
    • Usually associated with a card payment network (Visa or MasterCard) and distributed by merchants or depository financial institutions.
  • Different from credit cards, which require the issuer to evaluate the cardholder’s creditworthiness.
  • Different from debit cards, which entail the existence of a payment account at a bank or financial institution.

Mobile Payments

  • Mobile payments traditionally refer to using mobile phones and other wireless communication devices to pay for goods and services.
  • Most mobile payment services use the phone as an access device to initiate and authenticate transactions from existing bank accounts or payment cards.
  • Financial institutions that facilitate mobile payments (person-to-business, person-to-person, or government-to-person) can be traditional payment service providers (banks or depository institutions) or non-bank payment service providers.

Internet-based Payment Services

  • Payment services rely on a bank account and use the Internet to move funds to or from the account.
  • Payment services provided by non-bank institutions operate exclusively on the Internet and are only indirectly associated with a bank account (e.g., PayPal).
  • Individuals can transfer funds, shop online, or participate in online auctions using a pre-funded account.
    • These payment services may use digital wallets, digital currencies, virtual currencies, or electronic money.
    • They may also be interconnected with other payment methods such as prepaid cards.
    • Internet-based payment services may also be associated with online gambling or virtual worlds for which only a proprietary form of currency can be used to conduct transactions.

Financial Crime Risks Associated with New Payment Methods

  • Prepaid cards can be funded by cash, bank transfers, and person-to-person (p2p) transfers, which may allow complicit third parties to fund the prepaid cards.
  • Prepaid cards can be funded through third parties for money laundering purposes.
  • Mobile payment services allow third-party funding, which can be exploited by criminals.
  • Criminals used p2p payments to fund their accounts.
  • Third parties were defrauded or tricked into sending money to the criminals, making use of the mobile payment service provider.

Frauds and Cyber-attacks Related to New Payment Methods

  • Card-related fraud: Fraudsters obtain the physical payment card and PIN for use in a face-to-face environment or obtain payment card data for e-commerce (Internet shopping, mail order, phone ordering).
  • ATM fraud: An attack against the Payment Cards and PINs used at an ATM (e.g., skimming, shimming attacks, or card trapping).
    • Skimming: The installation of an unauthorized device to capture data from the magnetic stripe of a payment card.
    • Shimming: The interception ("passive") and/or manipulation ("active") of information flowing between a payment card and the chip interface of a card reader to obtain the original payment card and PIN details.
    • Card Trapping: The unauthorized physical manipulation of an ATM, preventing the payment card from being returned to the card owner. A device is mounted over or within the ATM card entry slot prior to the customer using the machine and collects it directly afterwards; the PIN can be gathered via camera or PIN-pad overlay.
  • Mobile device-related attacks: Fake banking apps, mobile malware, spoofed SMS messages, phishing attacks, duplicated SIMs.
  • Credential harvesting malware: Obtains legitimate account and/or login information of online banking login details. The malware is usually spread to a victim’s computer through phishing emails containing malicious attachments. When the malware is installed on a victim’s device, it monitors and collects information, including bank account numbers and passwords.
  • Ransomware: A form of malware that stops a victim from using their computer or files until an amount of money is paid. Ransomware can encrypt files, lock a device, or block access of a victim; and usually targets victims’ computer via phishing emails.

Bank Card Fraud

  • Sourcing bank card information:
    • By skimming, hacking, or purchasing data online.
      • Skimming: Obtained bank card data directly from automated teller machines (ATMs) by using skimming devices. Fraudsters use special software to decrypt and transfer the data to cloned cards.
      • Hacking: Hackers attack e-commerce websites to collect bank card data.
      • Cybercriminals exchange, purchase, and even freely receive bank card data on underground websites or from other criminals via Internet-based communication methods.
  • Recruit “money mules” and other members: “Mules” are recruited to receive illegal money or products, or to disrupt LEAs’ financial investigations.
    • Among a fraudulent online purchase network, “money mules” are responsible for receiving products purchased with stolen bank card information. They then reship the goods to the core members (also known as “shipping mules”), especially to ship overseas.
    • “Money mules” can be recruited in person or virtually.
    • LEAs usually fail to prove they are aware of their criminal behaviors.
  • Prepare tools
    • Hiding real identity: When operating online, fraudsters use specialized software to mask their real IP addresses or use stolen email accounts for fraudulent transactions. In hacking forums, the members could discuss and exchange these fake IP protocols and stolen email accounts
    • In cases of counterfeit cards, fraudsters find card samples, card writers, and software to print them
  • Online purchases: Fraudsters used stolen debit or credit card information to buy goods online, mainly buying high-value and lightweight products
    • Purchase products online, such as on Amazon and eBay, from a foreign country. Foreign “shipping mules” then received products there before reshipping them to a destination country
  • Stolen bank card data is used to produce magnetic stripe cards to withdraw cash from ATMs or implement transactions via Point of Sale (POS) terminals