Payment fraud takes a ride on public transit

Transit thiefWhile public transit lets riders save on gas and turn commute time into reading, work, or Candy Crush time, it lets fraudsters test stolen data.

Readers of this blog are doubtless aware that no shortage of account numbers, complete with names, passwords, maiden names, SSNs, PINs, fingerprints, and other personal data, are available for sale on the Dark Web

Still, not every illicitly obtained account number is good. To avoid the inconvenience and embarrassment of a declined fraudulent transaction, thieves are well advised to verify that a pilfered account has not been suspended, closed, or otherwise compromised well before they attempt to go hog-wild with it. 

Lucky for them, account verification is nothing new. The trick is to conduct a quick, initial test transaction so negligibly small that, should it happen to bounce, few are likely to notice, and those who do notice aren’t like to raise much of a ruckus. 

Mass transit payment systems, with their typically low fares, can provide just such testing environment for fraudsters. This was brought to my attention last week by a Salt Lake Tribune article reporting that GoRide, the payment app used by Utah Transit Authority (UTA) is “… a favorite testing site for stolen credit cards.” 

It wasn’t account holders that brought the problem to the attention of authorities. It was an alert UTA analyst. Per the Tribune:

… investigations started when a fare operations analyst noticed a high number of chargebacks from banks … UTA figures thieves were using the GoRide app to test whether stolen credit card numbers were still active because low-cost charges for transit rides may not raise concern by credit card companies and owners initially, perhaps allowing thieves to go on spending sprees for other items with the working numbers.

The affidavits said UTA identified more than a dozen problematic accounts and was able to identify several people and their electronics and financial accounts suspected of using stolen credit card numbers. They said the agency found fraudulent activity dating back to last July.

Not incidentally, the GoRide app is smartphone-based. According to travel rewards website Upgraded Points, smartphones provide the “initial point of contact” for fraudsters 77 percent of the time.

Post script on personal security measures

Though hacking transit transactions for purposes of verifying pilfered accounts may be new, most of the techniques fraudsters use for stealing credit card data are not. This month, shared “10 identity theft techniques to watch out for in 2020.” Some making the list were of the higher tech variety, such as viruses that pilfer information from online shopping carts. But most, such as phishing scams and lifting data that people unwisely share on social media, were lower-tech and have been around for years.

Some merchants may be unwitting allies in credit card fraud. Chargebacks911 states:

The difficulty of identifying fraud online leads some businesses to adopt a defeatist posture. In fact, 47% of online sellers believe fraud is inevitable in the eCommerce environment. A further 20% think it costs too much to control; instead, it’s best to just maximize sales and hope to outpace the fraudsters.

While I have no desire to throw cold water on the development of high-tech and AI-driven fraud prevention, it seems that personal vigilance remains vital and has the power to take a big chunk out of payments fraud. 

Financial institutions can provide a needful and loyalty-building service by educating clients on everyday security measures anyone can and should take. Some ill-informed PR advisors may warn their bank clients from so much as bringing up fraud. But, as I wrote nearly three years ago, “Perhaps paradoxically, the proper presentation of information on staying safe from hackers can increase client confidence by conveying that a financial institution is knowledgeable and cares about its customers.”

Leave a Comment