This article provides an essential overview of the types of transaction fraud and associated liabilities, helping you understand and manage the risks involved.
Transaction Fraud
Transaction fraud refers to unauthorised or illegitimate transactions made using issued payment cards, credit cards, or other payment instruments provided to customers by issuers. This type of fraud can occur in various forms, such as:
-
Card Absent Fraud: This happens when fraudulent transactions are made online, over the phone, or through mail order, where the physical card is not required to be presented. The card information might be compromised in a number of ways, including but not limited to:
-
Data breaches - Unauthorised access to sensitive information, such as financial data or personal identifying information, through hacking or theft.
-
Phishing attacks - Fraudulent attempts to obtain sensitive information, such as passwords or credit card numbers, by posing as a trustworthy entity in an electronic communication.
-
Insider threats - Employees or other insiders who have access to sensitive information and misuse it for personal gain or to harm the organisation.
-
Malware - Malicious software that can steal, alter, or delete information from a computer or network.
-
Physical theft - Stealing physical devices that contain sensitive information, such as laptops or external hard drives.
-
Unsecured networks - Using unsecured or public Wi-Fi networks to transmit sensitive information can leave it vulnerable to interception by third parties.
-
- Lost or Stolen Cards: When a cardholder loses their card or it is stolen, a fraudster may use it to make unauthorised purchases.
- Counterfeit Card Fraud: Involves creating fake cards with stolen card details, often obtained through skimming devices placed on ATMs or card readers.
-
Account Takeover: When a fraudster gains access to a cardholder's account, changing the account details, and making unauthorised transactions.
Account takeovers happen when an unauthorised person gains access to a user's account credentials and uses them to gain access to the account. This can happen in a variety of ways, including but not limited to:
-
- Phishing attacks: Where attackers trick users into revealing their login credentials by pretending to be a legitimate organisation or website.
- Credential stuffing: Attackers use previously breached username and password pairs on multiple sites, hoping that users have reused their login credentials across different platforms.
- Keylogging: Malware that records a user's keystrokes, including account passwords, can lead to account compromise if the device is infected.
- Social engineering: Attackers may use personal information available online to answer security questions and gain access to an account.
- SIM swapping: Attackers deceive mobile carriers into porting a victim's phone number to a new SIM card, gaining access to SMS-based two-factor authentication codes.
- Brute force attacks: Attackers use automated software to generate and try a large number of possible passwords to gain unauthorised access.
Once an attacker has taken over an account, they can commit fraudulent activities, steal personal information, or use the account to send spam or carry out further attacks. It is essential to use strong, unique passwords, enable multi-factor authentication, and remain vigilant for any signs of phishing or other forms of social engineering to prevent account takeovers.
We’ve put together a list of things you can do to take control of your card security and make sure you’re as protected as possible: How can I avoid card fraud
Loss liability
Loss liability refers to the financial responsibility that arises from an issue with a transaction, resulting in one party incurring financial loss. In the context of transaction fraud, liability is typically assigned to either the merchant (the provider of the service or goods being purchased), you as the Airwallex Issuing user, or, in some instances, the cardholder. When loss liability is assigned to the "issuer," meaning you as the Airwallex client, are accountable unless an exception applies.
As a client utilising Airwallex Issuing services, it is essential for you to understand that you bear the ultimate responsibility for loss liability. Although Airwallex provides a robust risk management framework and systems designed to prevent and detect fraudulent activity, the responsibility for managing and mitigating the risk of fraud within your operations falls on you.
Airwallex Issuing empowers you to develop your fraud monitoring system and apply your own business logic to transaction decisions. This means that while Airwallex may assist in providing tools and support to help prevent transaction fraud, all losses deemed liable by the issuer will be your responsibility. Thus, it is crucial for you to implement and maintain sufficient controls to effectively monitor, manage, and prevent fraud.
The key areas of responsibility for you, as an Airwallex client, include but are not limited to:
-
Transaction Monitoring: Regularly review transaction activity for signs of unusual or unauthorised behaviour, and open the real-time notification to detect possible fraudulent transactions.
-
Card Controls: Utilise Airwallex's customizable card controls to set spending limits and enforce restrictions that align with your company's spending policies and risk appetite.
-
Fraud Reporting: Promptly report any suspected fraudulent activity to Airwallex, or raise the dispute if needed, allowing for immediate investigation and potential mitigation of further risk.
-
Compliance and Training: Ensure that your team is well-educated on card security best practices and compliance with relevant laws and regulations to minimise the potential for fraud.
Being proactive in your approach to fraud management will not only protect your business from financial loss but will also maintain the integrity and security of your and your customer’s financial transactions.
Liability Assignment
According to the network policies, liability assignment in cases of transaction fraud can vary depending on the scenario and the circumstances under which the fraud occurred. Below are the most common scenarios of transaction fraud and how liability is typically assigned:
-
Card Absent Fraud:
-
Merchant Liability:
- Non-3DS transactions (normal online transactions and usually conducted by entering the card number, expiry date, CVV2 etc...)
-
Issuer (client of Airwallex) Liability:
- 3DS transactions (usually through a form of two-factor authentication such as a one-time passcode)
-
Merchant Liability:
-
Card Present(CP) Fraud:
-
Merchant Liability:
-
Manually entered card numbers, such as with key-in via a POS terminal.
-
However, if the merchant can provide the imprint, it’s issuer(client of Airwallex) Liability.
-
-
A counterfeit card transaction occurs at a point of sale that is not EMV-compliant(a terminal that only supports magnetic stripe payments)
-
-
Issuer (client of Airwallex) Liability:
-
Transactions, that is, by using the contact or contactless chip interface or swiping the magnetic stripe (usually occurs when card is lost and stolen)
-
A mobile wallet such as Apple Pay and Google Pay is present
-
-
Please be aware that in situations where the Issuer (Airwallex client) is liable, we cannot process chargebacks through the network, even in cases of fraudulent transactions.