What is Card-Not-Present (CNP) Fraud? The $49 Billion Problem



Modern credit and debit cards have come a long way since they were first dreamt up by some guy who forgot his wallet at a restaurant that one time (check out our brief history of credit cards for more on that fun story). Today, they come in all sorts of different materials, colors, designs, with various rewards, and some don’t even exist in the physical world at all – think Google Pay or Apple Pay.


But an increasingly digital world comes with unique risks. The convenience that comes with being able to make purchases without a physical card also opens the door to different types of fraud; namely, Card-Not-Present (CNP) fraud. This type of fraud has grown in lockstep with the rise of e-commerce, posing significant challenges to businesses and consumers alike. Understanding CNP fraud and how it happens is crucial in order to mitigate its impact for individuals, businesses, and the card issuers themselves.


What is Card-Not-Present (CNP) Fraud?


Credit card fraud is rampant both in the US and across the world, but it encompasses many different types of card fraud. If we told you to picture an instance of credit card fraud, do you imagine someone trying to use a stolen card at a store? That’s something called Card-Present fraud (so named because the physical card is there at the time of the attempt), which is actually less common than you’d expect.


It's CNP fraud that’s the real 800-pound gorilla in the room. Card-Not-Present fraud occurs when stolen payment card information is used to make a transaction from a distance, without the physical card being used during the fraud attempt at all. CNP fraud includes fraudulent online, telephone, and mail-order transactions. To commit the most common type of CNP fraud, fraudsters exploit vulnerabilities in online payment systems to make unauthorized purchases using stolen credit card details.


Here's an example of a simple instance of CNP fraud: you’ve finished your gourmet meal at your local greasy spoon and hand your credit card over to the server to pay. The server goes away to process your check, but he surreptitiously memorizes your name, card number, expiration date, and even the CVC/CVV on the back of your card.

Later that night, the server uses your card information to buy front row tickets to Kid Rock online. By the time your credit card company alerts you to the odd transaction (you haven’t been to a Rock concert since 2002, so it’s odd), the tickets are already purchased.


This type of fraud happens millions of times every year.


The Costly Impact of CNP Fraud


According to some estimates, Card-Not-Present fraud is responsible for up to 54% of all fraud losses worldwide. Additional data shows that, on average, CNP fraud is responsible for 75% of the losses from all card fraud. And with the boom of e-commerce and the resulting increase in online transactions that don’t require someone to present a physical card, CNP fraud is skyrocketing. Some estimate that by 2030, losses due to CNP fraud will reach $49 billion globally.


What does all this mean? It means that CNP fraud is one of the most pressing financial issues of our time.


CNP fraud has significant impacts on businesses, systems and individuals, as well as broader economic implications. In 2024, payment card fraud is projected to cause $13.73 billion in losses for consumers, businesses, and banks in the US - and remember, CNP accounts for the vast majority of those losses. Specifically at the customer level, in 2023, 52 million Americans experienced a collective $5+ billion of unauthorized transactions on their payment cards. And while individuals have protections in place to curb their losses when credit card fraud strikes, that doesn’t extend to debit card fraud that could potentially wipe out their entire bank account.

Of course, banks and merchants are often on the hook to eat the cost of payment card fraud, hurting their businesses and increasing costs for everyone. CNP fraud also affects governments and economies by diverting funds that could be used for schools, healthcare, infrastructure, or other vital services and funneling them into fraud protection and investigation agencies instead.


A Step-by-Step Timeline of How CNP Fraud Happens


Let’s take a deeper dive into how Card-Not-Present fraud occurs.


Step 1: Stealing Card Information


The first step in CNP fraud is to fraudulently acquire payment card information. This can happen in different ways:


  • Data breaches at banks, stores, or credit card companies can expose the card details of millions. Hackers can infiltrate databases and steal sensitive information, including card numbers, expiration dates, and CVV codes.

  • Fraudsters often trick people into revealing their card information by sending messages that appear to come from legitimate sources, such as financial institutions or big retailers. This is known as a “phishing attack.”

  • Malware installed on a victim’s computer or smartphone can capture their keystrokes or take screenshots when they access their online bank information or make an online purchase. This allows fraudsters to steal the card information as it’s used. 


There are many other strategies for stealing credit card information, but these three are some of the most common. 


Step 2: Testing the Card Details


Fraudsters often test the stolen card information once they’ve acquired it. They do this to make sure the cards attached to the stolen information are still active and haven’t been frozen or reported. In order to test the information, fraudsters often make inconspicuous purchases, or “micro charges” – like a pack of gum or a subscription to a newspaper – that are small enough to avoid detection by the cardholder and their bank’s fraud detection systems.


These “tests” of stolen card data typically come a couple of months after the data theft itself, allowing time for criminals to hide their tracks and get separation – both distance and time – from the breach. This also allows time for batches of stolen data to be collected, since credit card numbers are typically sold in large groups on the dark web.

Some online services are available to help fraudulent actors check card validity without even making a purchase.
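On the merchant side, the testing pattern described in this step leaves a recognizable trace in authorization logs: one source trying many different cards for small amounts in a short time, with a high share of declines. The following is an added example, not code from the original article; the record layout, thresholds, and the name find_card_testing are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque

# Constructed sample: (epoch_seconds, source_ip, card_token, amount_usd, approved).
# Card tokens stand in for card numbers so the detector never handles raw card data.
SAMPLE_AUTHS = [
    (1000, "203.0.113.7", "tok_a", 1.00, False),
    (1005, "192.0.2.50", "tok_p", 4.50, True),
    (1030, "203.0.113.7", "tok_b", 1.00, False),
    (1040, "198.51.100.20", "tok_z", 2.99, True),
    (1060, "203.0.113.7", "tok_c", 1.00, True),
    (1090, "203.0.113.7", "tok_d", 1.00, False),
    (1120, "203.0.113.7", "tok_e", 1.00, True),
    (1200, "192.0.2.50", "tok_q", 4.50, True),
    (1300, "192.0.2.50", "tok_r", 4.50, True),
    (1400, "192.0.2.50", "tok_s", 4.50, True),
    (1500, "198.51.100.20", "tok_z", 249.99, True),
]

def find_card_testing(auths, window=600, max_amount=5.00,
                      min_cards=4, min_decline_ratio=0.5):
    """Return {source_ip: first_flag_time} for sources that tried at least
    min_cards distinct cards with small amounts inside `window` seconds
    while at least min_decline_ratio of those attempts were declined."""
    recent = defaultdict(deque)   # per-source sliding window of small attempts
    flagged = {}
    for ts, src, card, amount, approved in sorted(auths, key=lambda a: a[0]):
        if amount > max_amount:
            continue              # only micro charges are of interest here
        attempts = recent[src]
        attempts.append((ts, card, approved))
        while ts - attempts[0][0] > window:
            attempts.popleft()    # drop attempts that fell out of the window
        distinct_cards = {c for _, c, _ in attempts}
        declines = sum(1 for _, _, ok in attempts if not ok)
        # The decline ratio keeps a shared office or campus address, where many
        # real customers pay with their own working cards, from being flagged.
        if (len(distinct_cards) >= min_cards
                and declines / len(attempts) >= min_decline_ratio):
            flagged.setdefault(src, ts)
    return flagged

if __name__ == "__main__":
    print(find_card_testing(SAMPLE_AUTHS))
```

The thresholds are starting points to tune against a merchant's own traffic, and a flagged source is a candidate for step-up verification or rate limiting rather than proof of fraud.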


Step 3: Making Unauthorized Purchases


Once the fraudster tests their stolen card information, they can proceed with unauthorized purchases.


To commit CNP fraud, the fraudster takes the stolen card information (card number, cardholder name and address, CVV, expiration date, etc.) and uses it to make a transaction – most often by entering the card information into checkout at an online store. Fraudsters often use the stolen information of several cards at once with different online stores to buy as much as they can before the card activity is tagged as suspicious.


Since the fraudulent payment goes through with only the card information (without verifying signatures, swiping, dipping, or tapping the physical card), the fraudster doesn’t need the physical card. Oftentimes, the victim has the physical card in their wallet and doesn’t know that its information has been compromised until they notice the unauthorized purchases in their bill. This is the essence of Card-Not-Present fraud.


Step 4: Covering Their Tracks


When committing CNP fraud, tricky fraudsters may cover their tracks with some of the following strategies:


  • Proxy servers and VPNs: Using proxy servers and VPNs, fraudsters can mask their IP addresses and make it difficult for law enforcement to trace their activities.

  • Drop addresses and reshipping: CNP fraudsters often use drop addresses, which are temporary or third-party addresses where the physical goods they order with stolen card information can be delivered for later pick-up. These addresses can be vacant properties, rented mailboxes, or accomplices’ homes. Fraudsters may also engage in reshipping, where an intermediary receives the physical goods and forwards them to the fraudster’s location. This makes it harder for law enforcement to find the guilty parties.

  • Clever account management: after making a purchase, fraudsters may opt to close, abandon, or change the incriminated account immediately. This serves to obscure their trail even further.


Step 5: Cashing Out


If the fraudster bought physical goods during their CNP fraud spree, their final step will be to convert those goods into cash in a process known as “cashing out.” Fraudsters can discreetly resell the goods on online marketplaces and auction sites, or in-person. Some convert their gains into cryptocurrency, which can prove difficult for law enforcers to trace. Money laundering is also common.


CNP fraudsters often target high-value items that can be quickly resold for cash. Electronics, luxury goods, and gift cards are common targets. Digital and online goods such as software, web hosting, VPN subscriptions, and gaming accounts are also attractive targets because they can be delivered instantly and without physical shipping, reducing the risk of interception. Gift cards are so popular in cases of CNP fraud that gift card fraud is its own sub-category of fraud.


To make extra profit, fraudsters often sell the stolen card information in lieu of or in addition to the goods. Stolen card details are often sold on the dark web or websites known as “carding forums.” These underground markets sell card information to criminals all around the world. This starts the cycle all over again by offering a whole new circle of criminals access to fraudulently obtained card information.


Preventing CNP Fraud


Preventing CNP fraud is not an easy task, but a necessary one in light of losses growing ever larger. There are only a handful of technologies and tools in place to fight CNP fraud on the market today because of the difficulty of creating a catch-all solution. Some of the most important tools used to fight CNP fraud are:


  • Machine learning and AI that comb through cardholders’ transaction history to detect fraud early

  • Tokenization and encryption that protects card details during transmission and storage to combat data breaches

  • Educating consumers about CNP fraud and encouraging best practices, such as using strong passwords and being cautious with email links

  • Regular security audits and vulnerability assessments to identify and address potential weaknesses in payment systems

  • Multi-factor authentication (MFA) and other technologies that create additional steps to verify cardholders’ identities. One such method is an authentication app on your mobile phone (e.g., Google Authenticator), which provides a code that changes periodically, making it even more challenging for fraudsters to exploit stolen card information.


The newest and most effective CNP fraud prevention technology is Ellipse’s EVC, an on-card dynamic security code (dCVC/dCVV) that changes with every physical use. It combines the effectiveness of an MFA tool with the convenience of being built, and activated, right on the credit or debit card. This removes friction of use (i.e., cardholders no longer need to pull out their mobile devices to check an authentication app), leading to higher adoption rates, which is crucial to extending real-world fraud protection.

So, even though Card-Not-Present fraud is a significant challenge in the digital age, understanding how CNP fraud happens and how it can be mitigated can protect billions of dollars from going up in smoke. By enhancing security measures, leveraging advanced technologies, and fostering collaboration, it is possible to virtually eliminate CNP fraud and protect the integrity of the future of e-commerce.


