Commonwealth racks up $99m corporate card fraud bill

A single federal agency appears to have been hit hard by a massive, automated online credit card fraud attack that exploited a systemic weakness to execute more than 340,000 bogus transactions, the cost of which is still being calculated.

The shocker of a sting is revealed in a new statistical report on Commonwealth fraud investigations published by the Australian Institute of Criminology (AIC) that attributes the giant hit to a single agency that fell victim to systemic weaknesses in a new credit card it was using.

The scale and volume of the attack are so large it is literally off the chart, with the AIC cautioning against statistical comparisons with previous years due to its size.

“Financial fraud was also the most commonly recorded target in external fraud investigations (342,342) in 2016–17, with 18 entities conducting these investigations. The majority of the external fraud investigations (over 95 percent) were attributable to one large entity and involved payment card fraud,” the AIC report says.

The report does not name the entity which was hit in 2016 – 2017 with each of the bogus 342,000 transactions recorded as separate incidents. It doesn’t name the payment scheme either.

The average value of the fraud worked out to just $31, according to the AIC’s numbers, a tell-tale sign of an automated high volume-low value attack that hides in plain sight.

The AIC said the spike in external fraud against the government was largely “due to fraud involving a retail payment card system that permitted cardholders to conduct transactions using stolen cards resulting in a loss to the Commonwealth".

“Once the frauds had been identified and the vulnerability resolved, the payment card system was again made available for use. The majority of these investigations involved one large entity.”

While the payment scheme has not been named either, the AIC’s revelation is primed to provoke awkward questions of agency chiefs during the Senate Estimates process.

While comment is being sought from a number of agencies by iTnews, finance industry sources suggested on first reading of the report that there could still be more bad news in the pipeline.

The total bill for the massive sting, and who ultimately cops liability for it is still unclear. The AIC put the total cost of external fraud against the Commonwealth at $99 million, but as mentioned previously, attributes the bulk of that to a single entity.

Who ultimately pays and cops liability for the fraud is also not clear and could yet be contested.

While everyday consumers are largely indemnified for online or physical credit card fraud with issuing banks and schemes passing through losses to merchants – a highly contentious process in itself – rules vary for corporate credit cards depending on limits, risks and fee structures.

Dealing with the scale of the fraud will itself be highly problematic and expensive. With more than 340,000 transactions detected, the cost of processing chargeback claims could potentially exceed the amount lost.

Should that eventuality arise, the question then becomes who wears the write-off of the fraud amount, an issue that could well be disputed by the entities.

A crucial question will be how fraudsters accessed the credit card numbers and where the attack was ultimately launched from.

In the event a corporate customer's own infrastructure - such as financials software capable of authorising payments - was compromised, payments providers could dispute liability under card rules.

The treatment of the flood of bogus transactions is individual incidents suggests the government may well be prepared to sheet the losses back via chargeback procedures, a scenario that could create pressure on the card provider to settle because of the monumental amount of processing work involved.

Credit card schemes and banks have been heavily pushing virtualised corporate credit cards and single-use card numbers as fraud proofing for at least five years, with a heavy emphasis on swift anomaly detection.

However the AIC report reveals the incidents were detected externally.

“The responsible entity was notified of the frauds by an external party and reviewed each transaction to determine whether the fraud was linked to the payment card scheme and the extent of individual losses involved.

“Although each fraud involved a similar modus operandi, they were counted as separate investigations owing to the presence of separate individual offenders in each matter,” the AIC said.

Automated attacks by sophisticated commonly seek to distribute their fraud footprint and often use networks of ‘mules’ to cash out or convert transactions into hard currency.

Another question is whether the rash of fraud incidents from the government have yet filtered through into official payment fraud statistics.

While there is no suggestion either the government or participants in the payments industry inappropriately withheld the fraud numbers, iTnews is seeking clarification as to if and when they counted in official numbers.

Ironically the overall level of external fraud against the government dropped in the AIC’s latest reporting period.

“The estimated dollar value of all external frauds that respondents could quantify and that were the subject of investigations commenced in 2016–17 totalled $99,006,782, a substantial decrease from the estimated value of external fraud investigations in 2015–16 of $500,045,551,” the AIC said.