Credit/Debit Card Fraud: New Trends, Incidents

Phishing, Offshore Fraudsters Fuel Surge in Attacks
Credit and debit card fraud: It's the threat that keeps growing and evolving.

A year ago, many banks and credit unions were forced to cancel and reissue thousands of cards as a result of the TJX breach. More recently, banks located in Indiana saw accounts breached from ATM or debit card transactions. Indiana law enforcement and the FBI are investigating breaches from at least 10 banks after more than 100 customers reported money missing from bank accounts beginning June 14. The majority of the withdrawals, from a few hundred dollars to a few thousand dollars, were posted in Nigeria, Russia, Ukraine and Spain.

There are more examples from this year with larger losses: An investigation (Citibank Complaint) by FBI cyber-crime agent Albert Murray shows two men made hundreds of fraudulent withdrawals from New York City ATMs, getting $750,000 earlier this year. Murray's affidavit points to what he sees as the culprit: a Citibank server that processes transactions had been breached, allowing the criminals to make the fraudulent withdrawals. (Citibank denies that its servers were the source of the breach.)

Although the industry has made great strides in lowering credit/debit card fraud, the problem clearly remains a threat to institutions and consumers alike. A look at the Federal Trade Commission's Consumer Sentinel (Consumer Fraud and Identity Theft Complaint Data) from 2007 shows that the complaint database developed by the FTC received more than 800,000 consumer fraud and identity theft complaints. Consumers reported losses from fraud of more than $1.2 billion. Credit card fraud, at 23%, was the most common form of reported identity theft. New schemes are emerging, and they call for greater scrutiny from institutions and their customers.

The New Face of Fraud
Credit/debit card fraud is everywhere, says Yuval Ben-Itzhak, CTO at security vendor Finjan. "Believe it or not, you can Google 'sell dumps,' and the result (at least in the US) will indicate many websites willing to sell. You can find price lists, card types, just about anything you like."

Among the most common credit/debit card schemes:

Foreign Fraud -- Overseas criminals operating outside of US law enforcement jurisdiction continue to hit US consumers with a variety of scams. "Foreign fraud continues to be a huge issue for (card) issuers," says Alan Nevels, Senior Vice President of Operations and Card Risk for ICBA Bancard, the electronic payments services subsidiary of the Independent Community Bankers of America (ICBA). "This is mostly due to phishing and vishing attempts by criminals." Offshore fraudsters' success owes to "packet sniffing" (Trojans that capture authorization traffic between the merchant and authentication processing server) and PIN entry device tampering.

Spear Phishing -- where criminals access small amounts of personal data from several related servers to construct a more direct individual communication that seems very authentic to the consumer. Security vendor Verisign recently revealed a study showing more than 15,000 individuals have been spear phished in the last 15 months. (http://www.verisign.com/security-intelligence-service/current-intelligence/research-reports/index.html)

Counterfeit Fraud -- "particularly skimmed counterfeit fraud." This is the top fraud reported for both debit and credit cards.

Fighting Fraud
The best fraud defense starts with the customer, experts say.

"One of the best fraud initiatives our banks can employ to help guard their debit card portfolio, next to the neural network tools that are available, is to solicit their customers in helping to monitor their accounts for suspect activity," Nevels says. "Our banks will not really begin to get their arms around safeguarding their portfolio without the help of their customers."

Finjan's Ben-Itzhak agrees that customer awareness is key in helping fight fraud, although credit card holders are not technical people, and it is difficult to educate them about security. "Institutions should provide their customers with software and tools to make their online purchase safe - after all, it's the institution that pays the bill in case of a fraud," he says.

As a first step in customer awareness, Nevels says, institutions must constantly remind their customers to be alert for suspect charges on their cards and to check their monthly statements as soon as they arrive.

The banking industry overall has come a long way in the past 15 years in working to stamp out credit and debit card fraud, according to Doug Clare, Vice President, Fraud Product Management at Fair Isaac. Fair Isaac (NYSE:FIC) provides consulting services and enterprise decision management systems. It developed the FICO scores, a measure of credit risk, which are the most used and recognized credit scores in the world. When Fair Isaac first began in fraud prevention, credit card fraud ran upwards of 18 to 20 basis points. One basis point is equal to one one-hundredth of one percentage point (0.01%), so 100 basis points equals one full percent. The latest figures on credit card fraud from Visa and MasterCard show U.S. credit card fraud hovering a bit above 6 basis points. Debit card fraud ranges from approximately 4 to 5 basis points.

ICBA's Nevels says for most small to midsized banks, the fraud numbers are much lower than the national average, "since they do not typically experience fraud losses on similar levels," he says. Even with lower loss numbers, all debit and credit card fraud losses are absorbed by the issuing bank. "Unless it can be proven that the cardholder acted in a manner that caused the financial institution unnecessary financial duress, in which I believe they can be held to the liability as laid out in Reg. E & Z," Nevels explains.

Reg E: A Federal Reserve regulation that sets rules, liabilities, and procedures for electronic funds transfers (EFT), and establishes protections for consumers using EFT systems.

Reg Z: A federal law that requires lenders to fully disclose in writing the terms and conditions of a mortgage, including the annual percentage rate and other charges. It is also known as the "Truth in Lending" statement.

Approaches To Fraud Prevention
To monitor for debit and credit card fraud, ICBA's Nevels recommends that institutions establish a written risk management policy that outlines who has access to what type of cardholder information, along with separate logins and dual controls for the implementation of certain procedures. He emphasizes that all issuers today must have a neural network operating in the background to assist in monitoring for suspect transactions. This is especially critical for small to midsize issuers. "More importantly, I recommend that the institution again establish written procedures for how they will handle the reporting of suspicious activity out to their customers - when/where/how," he says. "The institution also needs to have a policy in place that they can follow should they find themselves in the midst of the data compromise event."

The move of the retail industry to comply with the Payment Card Industry Data Security Standards (PCI-DSS) is a positive, says Doug Johnson of the American Bankers Association (ABA). "Using PCI to get retailers up to the level of security on the banking side will benefit everyone." A new version of PCI-DSS is expected to be released in October, again raising the "requirement bar" for compliance.

Johnson cites the refinement of deposit account fraud detection methods over the past 10 years, where banks are now spending $1 for every $10 they protect against deposit account fraud. "While I can't cite the same numbers for the debit card fraud side, I know institutions are getting better at it." He recommends institutions of all sizes take an enterprise-wide approach to fraud prevention.

One area where institutions can have tools do "double duty" is their existing anti-money laundering monitoring tools. "These can be of great value when monitoring transactions," Johnson says. "More and more, we're seeing tools that were viewed as a pure cost and were related to compliance are now tools that can be used to mitigate fraud as well." He notes if an institution has to have those tools for compliance, "why not also use them to detect fraud?"

Fair Isaac's Clare agrees with Johnson's assertion of the need to take an enterprise-wide view of fraud prevention and detection strategies. He sees that the collaborative, best practices approach within the industry has also helped to reduce the problem. "No fraud will ever go away completely," Clare says. "There will always be someone who tried something we haven't thought of."

With the recent number of data breaches in the news, Nevels sees that card fraud is certainly not going anywhere and "it is definitely not on the decline." He strongly believes in a layered approach to combat card fraud. "There is no 'silver bullet' on the market to-date, so no one solution will do the trick," he says. Issuers need a neural network, coupled with a customer name matching option and an online verification solution like VbyV, for example, to assist in the safeguarding of their portfolio.

With each layer there is an added cost. But Nevels sees that third-party card processors are now more in line to absorb some of the cost associated with these fraud solutions, and that they will find it necessary to move some of their optimal fraud solutions onto their platform(s) as a core solution of their business offerings.

"Be better, not bitter," Nevels says. "This holds true for all card Issuers today. Bancard's Issuing members have all of the same bells, whistles and product solutions available to them as do their large counterparts."


About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.



