Fraud Current Environment and Best Practices ICUL

1
Fraud Current Environment and Best Practices ICUL
  • Josh Davenport, Visa USA
  • August 7, 2006

2
Agenda
  • Visa Fraud Control Overview
  • Account Compromise History and Perspective
  • Current Security Environment
  • Fraud Trends Current and Future
  • Account Compromise Response/Impacts
  • Visa Fraud Tools and Best Practices
  • Final Thoughts

3
Fraud Control Overview
  • Major Case Fraud Investigations
  • Data Intrusion Response and Investigation
  • Fraud Trend Analysis
  • Test Site Validation
  • Common Purchase Point Identification
  • Law Enforcement Liaison
  • Best Practice Consultations with Members
  • Key Member Assignments and Global Regional
    Liaison

4
Timeline of compromises

5
Fraud Trends Current to Future
  • Data Compromises Continue
  • Europe, Asia Pacific, Latin America
  • Rise in counterfeit fraud
  • Fueled by track data compromises
  • Skimming
  • ATM/PIN fraud
  • Increase in fraud involving prepaid cards
  • Load fraud
  • Fraud credits
  • Money laundering aspect

6
Fraud Trends Current to Future
  • Increase in account takeovers
  • Via online banking sites
  • Key drivers: identity theft and phishing
  • Hacker focus is full data sets
  • Verified by Visa fraud
  • Account takeovers
  • Fraudulent enrollments
  • Need to evaluate stronger out of wallet
    authenticators

7
How technology helps and hurts us
  • Technology advances and so do criminals
  • Personal information resides on open networks,
    servers, databases; everything is networked
  • Connectivity to the Internet and open networks
    has changed everything
  • Traditional POS acceptance environment has
    changed: dial-up vs. DSL

8
Security Breaches
Network Vulnerabilities
  • No segmentation and/or firewall
  • Un-patched systems and/or default configuration
  • No logging
  • No encryption or authentication on Wireless
    Access Points
  • Default passwords
  • No intrusion monitoring

9
Why the increase?
  • High yield, low risk of getting caught
  • It has never been easier to commit a crime
  • Vulnerabilities are published on the Internet:
    Google hacking and searches
  • Application/software vulnerabilities
  • OS vulnerabilities: Microsoft, Linux
  • Hacking tools are available to anyone
  • Hacking is easy: "Hacking for Dummies"

10
Hacker Focus
  • Increase in Brick and Mortar Merchant attacks
  • Target TPS entities in the payment system
  • Web based processing solutions
  • Software that stores full magnetic stripe data
  • Remote data base management / PC Anywhere
  • Attack routers as well as servers
  • Hackers looking for:
  • Magnetic stripe data and PIN information
  • Payment card information and personal data:
    full data sets

11
Who's behind the hacking
  • Organized Crime based in Eastern Europe and AP
    areas
  • Highly organized structured organizations
  • High level management sets directives based on
    demand
  • Hackers identify targets, provide data to
    suppliers
  • Suppliers resell to vendors or directly to
    counterfeiters or carders
  • The Internet is the global market place for
    stolen data
  • Internet based carder forums/BBs selling data
  • IRC chat rooms hook up low level buyers and
    sellers
  • Dedicated websites for members only for one stop
    shopping

12
Boa Website

13
Who's Who?

14
Incident Response
  • Situation reported
  • Issuers
  • Acquirer
  • Merchant
  • Contact Acquirer
  • Is Merchant storing Track Data?
  • Provide proof of CISP compliance
  • Engage a Forensic Investigation
  • Obtain at-risk Visa account numbers
  • Notify affected Issuers
  • CAMS
  • Guide merchant in limiting exposure
  • Assist law enforcement investigation

15
Compromised Account Management System (CAMS)
PROGRAM OBJECTIVE: Distribute to Issuers their account numbers that may have been put at risk. Issuers have opportunity to implement risk mitigation appropriate for the event.
[Diagram labels: At-Risk Accounts; Merchant or 3rd Party; Visa CAMS; Issuer (x3); Issuer Risk Mitigation Activities: Manage, Monitor, Re-issue]

16
Rare Event Detection Investigation (REDI)
PROGRAM OBJECTIVE: Monitors at-risk accounts for unusual activity such as account testing, fraud runs. Detects unusual buying patterns, out of area purchases and more. The information is shared with Issuers to be considered in modifying any mitigation strategies that are in place.
[Diagram labels: At-Risk Accounts; Merchant or 3rd Party; Visa CAMS; REDI; Issuer (x3)]

17
Advanced Authorizations
PROGRAM OBJECTIVE: Enhance the VisaNet Authorization message by inserting real-time expansive risk insight and intelligence into each authorization. Bring security and increased confidence to each authorization. Improve the accuracy (false/positive) of risk formation.
[Diagram labels: VISANET; ADVANCED AUTHORIZATION; Account-level Fraud Detection; Payment System Fraud Detection; Compromised Accounts System]

18
What To Do?

19
Points to Consider
  • Determine ratio of currently active accounts
  • Determine if you have current fraud on account
    population provided
  • If accounts have been reissued after compromise
    date, they may be at lower risk
  • Can you or your processor monitor accounts with
    a fraud management system?
  • Coordinate with dispute area to take action when
    disputes begin to occur
  • Review affected accounts for expiration in next
    30 to 180 days and consider moving up the reissue
    date

20
More Points to consider
  • Consider number of cards affected, daily spending
    limits on cards and likelihood that fraud may
    occur
  • Consider the likelihood of card not present
    fraud, which will have chargeback rights on fraud
  • Consider block reissue requirements for
    accounts where counterfeit insurance may be
    involved.
  • Monitor authorization activity for less than 1
    dollar authorization requests. This is often an
    early indicator of impending fraud activity.
  • Consider declining ALL authorizations for less
    than a dollar.
  • Consider cost/benefit BEFORE listing on Card
    Recovery Bulletin.

21
Issuer best practices at the ATM
  • Check CVV and/or card based PIN offsets during
    authorizations
  • Respond to reports of modifications to ATMs
  • Resist sending legitimate emails to customers
    with log on links
  • Consider alternative authentication tokens for
    user validation
  • Educate cardholders to be aware of ATM tampering
    and Internet phishing

22
Best Practices Educational Materials

23
Public Concerns and Industry Consequences
Media Scrutiny
Cardholder Data Targeted
Cardholders Victimized
Regulatory Enforcement
Government Intervention

24
Questions?
  • Thank you!
  • 650-432-1388
  • jdavenpo_at_visa.com
