Invasion of the Payments Snatchers: Strategies for Fighting Payment Fraud
Stephanie M Fuoco Director, Risk Payment Office
Card Services at Fiserv
Richard Maier AVP/Loss Prevention | Auditing
MIDFLORIDA Credit Union
Agenda • Understanding Payment Fraud
– Current market fraud trends – EMV and fraud
• Strategies to Fight Back • MidFlorida Credit Union Testimonial
CURRENT MARKET FRAUD TRENDS
• Merchant Processor – 7th largest USA merchant processor – Estimated 1.2MM cards at risk – Social engineering (spear-phishing) – Revoked PCI compliance in response to this breach
• Other Processor Breach – An acquirer processor with a presence in bill payment
processing – Merchant processor has taken steps to control access
to its data – Result of poor controls over database – SQL injection – >250 merchants associated with breach – Exposure on confirmed fraud cases from 05/11 – 02/12,
control gap was existent from 2006
• Force Posted Transactions – Pirating POS
• social engineering attacks • spear-phished credentials • replacing legitimate acquiring bank with offshore financial
institutions – Force post transactions at high velocity over short
timeframes – Illicit funds arriving at acquiring bank are loaded to
prepaid cards for cash out at ATMs in Eastern Europe – Issuer is not at risk as the transaction has chargeback
rights. – Merchants must ensure proper employee training to
avoid this type of fraud
• Malware – Mobile malware on Android devices is growing at a 472% – Modified variant of ZeuS divert post-transaction verification
phone calls – Ice IX manipulates content and injects rogue forms into online
banking websites – Cridex, similar to ZeuS, bypasses security controls to send out
emails – Fraud as a Service – Fraud call centers, money mules,
proliferation of malware custom tailored to your spec
• Skimming – $1.5 million ATM skimming scheme targeted top
banks in New York, Chicago and Miami. – In 2011 debit fraud outpaced credit fraud. The reason
- ATM skimming. – In 2010, ADT Security Solutions estimated losses
$30K per ATM skimming incident – In 2011, this average jumped to nearly $50K per
incident – 2012 fraud losses are expected to increase ATMs are
usually the last to be upgraded
Number of Victims and Incidence Rate of Fraud, 2004-2011
Source: Javelin Strategy and Research, 2012 Identity Fraud Report: Social Media and Mobile forming the New Fraud Frontier, February 2012
How Information Was Obtained by the Perpetrator, 2011
Source: Javelin Strategy and Research, 2012 Identity Fraud Report: Social Media and Mobile forming the New Fraud Frontier, February 2012
Information Available on Social Network Profiles by Privacy Setting, 2011
Source: Javelin Strategy and Research, 2012 Identity Fraud Report: Social Media and Mobile forming the New Fraud Frontier, February 2012
Cases Resolved by Fraud Type, 2009-2011
Source: Javelin Strategy and Research, 2012 Identity Fraud Report: Social Media and Mobile forming the New Fraud Frontier, February 2012
EMV AND FRAUD
UK Post-EMV Card Fraud by Type
• EMV significantly reduced card-present lost/stolen/counterfeit card fraud in Eurozone’s predominantly offline environment
• EMV rollout in Europe begins in 2004 • 200% increase in mitigation of fraud losses in ATM channel • However… fraud migrated to Card-not-Present channels (online, phone)
Source: E.A.S.T. ATM Fraud Analysts Report 2011 Source: UK CARDS Association, Financial Fraud Action UK, 2010
0
50
100
150
200
250
300
350
2004 2005 2006 2007 2008 2009 2010
Euro
s (M
illio
ns)
UK Post EMV Card Fraud by Type
Card-not-present Counterfeit Lost/stolen Mail Non-receipt Card ID Theft
EMV Impact on European ATM Fraud Migration
Fraud Implications for U.S. • EMV significantly reduced card-present lost / stolen / counterfeit fraud in U.K. • Card payments in U.K. have historically been offline vs. U.S.’s almost 100% online approach • U.K. card fraud reached as high as $5 billion
before EMV – UK Cards Association reports that card fraud
fell to about $571 million in 2010 • U.S. stands to gain less from fraud reductions
– U.S. card fraud losses totaled $3.56 billion in 2010 – an average of $2.40 per card
– Plus $8-$12 average dispute processing expense per case
• Analysts warn that the U.S. may become the primary target for card-present fraud
• August 2011: Announced incentives, mandates and dates for U.S. acquirer
support of EMV and NFC contactless – Requires U.S. acquirer processors and service providers to support merchant
acceptance of chip transactions no later than April 1, 2013 – U.S. liability shift for counterfeit card-present POS transactions, effective October
1, 2015 (October 1, 2017 for automated fuel dispensers)
• September 2011: Announced extension to U.S. of existing liability shift
program active in many regions for Maestro ATM transactions – Effective April 19, 2013, EMV liability shift program for inter-regional Maestro ATM
transactions will include both U.S. and Asia-Pacific regions
STRATEGIES TO FIGHT FRAUD
R.E.A.C.T
Respond Effectively Against Criminal Transactions
Fiserv Risk Solutions Transaction
Case Management
Real-Time Decisioning
Transaction Blocking
Case Management
Compromised Card
Management
A comprehensive product base of essential risk products to help financial institutions implement and manage an effective card fraud risk program for debit, prepaid and credit portfolios
EnFactSM Case Management RuleManagerSM Transaction
Blocking CaseTrackerSM CardTrackerSM
Enhanced Services Enhanced Chargeback Full Service Call Center
Real Time (Decision)
Authorize/ Deny
Risk OfficeSM
(Human Decision)
EnFactSM (Case Management)
EnFact Real-Time
TranBlockerSM
RuleManagerSM
CardTrackerSM
CaseTrackerSM
Enhance Chargebacks
Full Service Call Center (Chargeback)
Risk Management Tools (Electronic Decision)
FISERV PERFORMANCE MIDFLORIDA CREDIT UNION
MIDFLORIDA Credit Union Headquartered in Lakeland, Fla., MIDFLORIDA serves more than 150,000 members with assets over $1.6 billion through a network of 32 branches, 40 ATMs, and through its website, midflorida.com. MIDFLORIDA Credit Union provides banking services to anyone who lives, works, worships or attends school within their service area of 14 Central Florida counties.
The Triangle Miami
Tampa
Orlando
No More Reissues No Data Breaches
No Fraud
I wish I may, I wish I might, Have this wish. I wish…
RISK OFFICE FRAUD TOOLS
• TranBlocker • EnFact Real Time Scoring • Compromised Card Tracker • CaseTracker
BENEFITS OF RISK OFFICE • Efficiently manage real time and
TranBlocker rules • Establish custom rules based on current
fraud trends • Assist with the investigation of the cause of
the fraud
MIDFLORIDA’s RISK OFFICE SUCCESS
RETURN ON INVESTMENT
IN SUMMARY
• Fraud Attacks are more rapid and targeted with higher chance of success
• EMV will take time and fraud already highest in Card Not Present Fraud (virtualization of payment channels)
• End-to-End Risk Management is yielding 50% better results than national average (people are the best tools to fight against malicious threats)
• We are saving millions every month in fraud avoidance with our end-to-end management of fraud
Average Basis Points Across Clients' Monthly Reported Fraud (Risk Office vs. Non-Risk Office)
• Clients not utilizing Fiserv Risk Solutions have an average of 6.98 basis points of fraud loss • The risk market average of fraud losses to total transaction dollars is 9.0* basis points • Clients utilizing the FULL Fiserv Risk Solution suite of products and services have an
average of 3.19 basis points • *Source Federal Register, 7/11/2011
8.75
3.44 3.41
9.0
0123456789
10
Aver
age
Bas
is P
oint
s of
R
epor
ted
Frau
d
Fraud Reported Month
Non RiskOffice
Risk Office
IndustryAverage
LogarithmicTrend Line ofNon RiskOffice
Stephanie Fuoco 407-513-5045 [email protected]