5c Fraud Impacts - PowerPoint PPT Presentation

About This Presentation
Title:

5c Fraud Impacts

Description:

Money Mules ... Money Mule - As most fraudsters behind phishing and Trojan scams are located ... bank accounts a 'money mule' or 'money transfer agent' is ... – PowerPoint PPT presentation

Slides: 28
Provided by: spen8

Transcript and Presenter's Notes

1
5c Fraud Impacts
  • Richard Sanders, Business Consultant
  • ACI Worldwide

2
What is Fraud and who is a Fraudster?
  • What is Fraud
  • A deliberate act to obtain a benefit dishonestly
    (VISA)
  • A deception deliberately practiced in order to
    secure unfair or unlawful gain. (The American
    Heritage Dictionary of the English Language)
  • ..the crime or offence of deliberately deceiving
    another in order to damage them - usually, to
    obtain property or services.. unjustly.(The
    'Lectric Law Library's Legal Lexicon)
  • Fraudsters can be
  • Organised crime
  • Hacker seeking publicity
  • Academic
  • Customer
  • Insider/disruptive group
  • Competitor/other company

3
How Secure is Secure? It's all relative
  • All systems can be broken - they are only as
    strong as their weakest link
  • What is secure today may be broken tomorrow
  • Security is a process and an attitude, not a
    position
  • The most secure systems may not be commercially
    viable. Security has a cost and a business has to
    decide what is appropriate
  • Security has to be integrated into a product even
    if that product is outsourced to a processor
  • Risk management may be fragmented within a bank,
    with different departments working to different
    definitions of "secure"
  • Retailers and e-tailers may have a different view
    again
  • Compliance is now a big spend item for banks and
    some mistakenly think this is all that is
    required for security
  • The ideal system should detect fraud and step up
    to the next level of security when an unacceptable
    fraud level is reached

4
The Security Balancing Act
Security is a cost of doing business:
  • To buy
  • To detect, and recover from, a breach
  • To keep current
  • To maintain consumer confidence
Lack of security is also a cost:
  • Direct loss
  • Consequential loss
  • Reputational loss

The aim must be a balance between the two
5
Risk Management as EMV Moves Forward
6
Agenda
  • What are the likely fraud trends post EMV?
  • What is required to address them?
  • How to provide a managed risk environment for the
    future

7
Fraud Trends Post EMV
8
Fraud Trends Over the Decades
Fraudsters have historically grown bolder and
more organised, in pursuit of a larger prize
9
Evolving Card Fraud Concerns
[Timeline figure, 2001 to 2007, reconstructed as a list: Counterfeit; Lost/Stolen; ATM; Data Compromise; CNP; Internet; Insider; NRI (never received issue); Phishing; Pharming; Identity; Collusion; PCI Breaches; Money Laundering; Carding]
It's getting complex, and it's no longer just
about cards, thanks to EMV
10
Complex Environment
Multiple channel payments (figure reconstructed as a list):
  • Physical: POS, ATM, card, cheque, cash
  • Remote: MOTO, Internet, contactless
  • Wireless: POS, m-commerce, SMS, mobile
11
Requires More Complex Solutions
[Figure reconstructed from the slide: layered checks, simplest and cheapest first, each layer passing what it cannot decide to the next]
  • Validation - "weed out the obviously fraudulent":
    valid format, Luhn, expiry date, LRC
  • Authentication - "factor 1, 2, 3":
    PIN, password, card, biometric
  • Screening - "limit, velocity checks etc.":
    usage, velocity, negative file (NEG), limits
  • Real-time authorisation - "positive balance":
    funds, online, real-time, scripting
  • Rules checking - "if amount more than 100 and ...":
    simple, complex, cardholder limits, merchant limits
  • Neural checking - "learn by example":
    pattern, scoring, modelling, adaptive
  • Offline risk management:
    offline and spend-limit checks
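The first three layers of that figure in working code, as an added example (not code from the slides or from ACI Worldwide): Luhn and expiry validation, negative-file and velocity screening, then a "high value, foreign, stripe rather than chip" rule, with a chip-to-stripe fallback treated as a signal in its own right. The layer order, thresholds, field names and the sample transactions are all assumptions chosen for illustration.

```python
"""Layered card-authorisation checks: validation, screening, rules.

Added example, not from the original slides. The layer order, thresholds,
transaction field names and the sample transactions are assumptions made
for illustration; a real system takes them from issuer policy.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def luhn_ok(pan: str) -> bool:
    """Luhn check digit (ISO/IEC 7812): weeds out mistyped or carelessly forged PANs."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def expiry_ok(yymm: str, now: datetime) -> bool:
    """Card is usable through the last day of its expiry month (YYMM)."""
    if len(yymm) != 4 or not yymm.isdigit():
        return False
    year, month = 2000 + int(yymm[:2]), int(yymm[2:])
    return 1 <= month <= 12 and (year, month) >= (now.year, now.month)


class Screener:
    """Cheapest checks first; a transaction that fails validation never reaches the rules."""

    def __init__(self, negative_file, velocity_limit=3, window=timedelta(minutes=10),
                 single_limit=100.0, home_country="GB"):
        self.negative_file = set(negative_file)     # hot-carded PANs
        self.velocity_limit = velocity_limit        # max transactions per PAN per window
        self.window = window
        self.single_limit = single_limit            # "if amount more than 100 and ..."
        self.home_country = home_country
        self.history = defaultdict(list)            # pan -> timestamps seen

    def decide(self, tx):
        """Return (decision, reasons) for one transaction dict."""
        # 1. Validation: format, Luhn, expiry
        if not luhn_ok(tx["pan"]):
            return "DECLINE", ["luhn"]
        if not expiry_ok(tx["expiry"], tx["ts"]):
            return "DECLINE", ["expired"]
        # 2. Screening: negative file, velocity
        if tx["pan"] in self.negative_file:
            return "DECLINE", ["negative_file"]
        reasons = []
        recent = [t for t in self.history[tx["pan"]] if tx["ts"] - t <= self.window]
        if len(recent) + 1 > self.velocity_limit:
            reasons.append("velocity")
        # 3. Rules: high value, foreign, magnetic stripe rather than chip
        if (tx["amount"] > self.single_limit and tx["country"] != self.home_country
                and not tx["chip"]):
            reasons.append("high_value_foreign_stripe")
        # A chip card being read on the stripe (fallback) is a signal on its own
        if tx["fallback"]:
            reasons.append("chip_fallback")
        self.history[tx["pan"]].append(tx["ts"])
        if len(reasons) >= 2:
            return "DECLINE", reasons
        if reasons:
            return "REFER", reasons
        return "APPROVE", reasons


def run_sample():
    """Constructed transactions exercising each layer; returns the decisions in order."""
    t0 = datetime(2007, 6, 1, 12, 0)
    base = {"expiry": "0912", "country": "GB", "chip": True, "fallback": False, "amount": 20.0}
    txs = [
        dict(base, pan="4111111111111112", ts=t0),                       # fails Luhn
        dict(base, pan="4111111111111111", ts=t0, expiry="0701"),        # expired Jan 2007
        dict(base, pan="4012888888881881", ts=t0),                       # on negative file
        dict(base, pan="4111111111111111", ts=t0),                       # clean
        dict(base, pan="4111111111111111", ts=t0 + timedelta(seconds=60),
             amount=50.0, chip=False, fallback=True),                    # chip fallback
        dict(base, pan="4111111111111111", ts=t0 + timedelta(seconds=120)),
        dict(base, pan="4111111111111111", ts=t0 + timedelta(seconds=180),
             amount=250.0, country="US", chip=False),                    # 4th in 10 min + rule
    ]
    screener = Screener(negative_file={"4012888888881881"})
    return [screener.decide(tx) for tx in txs]


if __name__ == "__main__":
    for decision, reasons in run_sample():
        print(decision, reasons)
```

The cheap deterministic layers return immediately, so the stateful and rule-based layers only ever see transactions that are at least well-formed; the two-reason threshold for a hard decline is the kind of knob the slide's "move to the next level of security" point refers to.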
12
EMV Not Intended To Solve All Problems
  • Fraudsters are still targeting cards and the
    internet
  • High return for low investment while the magnetic
    stripe remains on the card
  • Not technically challenging while stripe, or chip
    with SDA (static data authentication), is accepted
  • Organised crime can fund it
  • Information and attack methods are easily dispersed
    via the internet
  • Fraud moves easily across borders and there are a
    number of options
  • Migrating towards the weakest channels

[Countermeasures shown on the slide: EMV Chip & PIN; VbyV/SecureCode; CAP/DPA]
13
UK CNP fraud grew by 16% last year and now
represents 50% of total fraud
14
EMV migration an opportunity for fraudsters?
  • Stripe and chip will co-exist for at least 10 years;
    the US is still very resistant to EMV
  • Counterfeiting still viable until the stripe goes
  • Disable the chip and force fallback to the stripe
  • ATM weakness and foreign use
  • Intercept mail
  • Opportunity to damage the chip and return the card
    to the post
  • Harder to track fraudulent fallback
  • Stolen cards
  • Damage the chip
  • Cross-border usage
  • ATM weakness
  • Compromise terminals
  • Increase in Lebanese loop type activity (card
    trapping at the ATM)
  • Easier than trying to counterfeit the chip card

15
EMV migration an opportunity for fraudsters?
  • Mass roll-out gives fraudsters easy access to cards
    and terminals to study, and to deploy fraudulently
  • Huge deployment of cards and terminals
  • Inexperience of cardholders and merchants
  • Inexperience of customer services
  • Readiness of risk management systems and
    procedures for the change
  • Technology enablers for fraudsters
  • PIN compromise via electronic and photographic
    techniques in addition to shoulder surfing
  • Speed of global deployment
  • Range of deployment

16
The Fraudsters Tools Phishing and Pharming
  • Phishing - said to be short for "password harvesting
    fishing", is the name given to the practice of
    sending emails at random purporting to come from a
    genuine company operating on the Internet,
    attempting to trick customers of that company into
    disclosing information at a bogus website operated
    by fraudsters. These emails usually claim that it
    is necessary to "update" or "verify" customer
    account information and urge people to click on a
    link in the email which takes them to the bogus
    website. Any information entered on the bogus
    website is captured by the criminals for their own
    fraudulent purposes.
  • Pharming - DNS poisoning or domain hijacks that
    redirect users to spoofed URLs. Potentially more
    sinister than phishing because it avoids the need
    to coax users into responding to junk email alerts:
    the user types the correct address and still lands
    on the fraudster's site. Pharming is seen by some
    as a next-generation phishing attack.
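The tell-tale signs of a phishing link described above, turned into checks that can be run over an e-mail body, as an added example (not from the slides): link text that shows one host while the href goes to another, a brand name buried in a look-alike host, an IP-literal host, user-info before the real host, and plain http. The bank domain examplebank.co.uk, the heuristics themselves and the sample message are constructed for illustration; hits are signals for review, not proof.

```python
"""Heuristic checks for phishing-style links in an HTML e-mail body.

Added example, not from the original slides. The heuristics, the
hypothetical bank domain examplebank.co.uk and the sample e-mail below are
all constructed for illustration; hits are signals for review, not proof.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

LEGIT_DOMAINS = {"examplebank.co.uk"}   # assumption: the genuine bank's domain
BRANDS = ("examplebank",)                # brand strings to look for in look-alike hosts


def registrable(host: str) -> str:
    """Rough registrable-domain approximation (handles two-label suffixes like co.uk)."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) >= 3 and len(parts[-1]) == 2 and parts[-2] in {"co", "org", "ac", "gov", "net"}:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse_link(href: str, text: str) -> set:
    findings = set()
    u = urlparse(href)
    host = (u.hostname or "").lower()
    if u.username is not None:                       # https://bank@evil.example/
        findings.add("userinfo_in_url")
    try:
        ipaddress.ip_address(host)
        findings.add("ip_literal_host")
    except ValueError:
        pass
    if u.scheme == "http":
        findings.add("plain_http")
    if host and registrable(host) not in LEGIT_DOMAINS and any(b in host for b in BRANDS):
        findings.add("brand_in_lookalike_host")     # examplebank.co.uk.secure-update.example
    if text.lower().startswith(("http://", "https://", "www.")):
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if shown.lower() != host:
            findings.add("display_host_mismatch")   # text shows one host, href goes elsewhere
    return findings


def analyse_email(html: str) -> dict:
    """Map each href in the body to its set of findings (empty set = nothing suspicious)."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: analyse_link(href, text) for href, text in parser.links}


# Constructed sample: one genuine link and three phishing-style ones
SAMPLE_EMAIL = """<p>Dear customer, please verify your account within 24 hours.</p>
<a href="https://www.examplebank.co.uk/login">Log in</a>
<a href="http://examplebank.co.uk.secure-update.example/verify">https://www.examplebank.co.uk/verify</a>
<a href="http://192.0.2.10/login">Update details</a>
<a href="https://www.examplebank.co.uk@evil.example/">www.examplebank.co.uk</a>"""

if __name__ == "__main__":
    for href, findings in analyse_email(SAMPLE_EMAIL).items():
        print("SUSPICIOUS" if findings else "ok        ", href, sorted(findings))
```

None of these checks helps against pharming, which is the slide's point: when the DNS answer itself is wrong, the link the user follows is the genuine address, so the defence has to be on the server side (TLS certificates the browser actually validates) rather than in the mail client.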

17
The Fraudsters Tools - Trojans and Money Mules
  • Trojans - from the term "Trojan Horse": malicious
    software that is installed, often without the owner
    realising, while posing as something harmless. Some
    install a "keystroke logger", which captures all
    keystrokes entered on the keyboard or passwords
    entered at certain web sites. Screenshots of sites
    visited can also be sent to the fraudsters over the
    Internet.
  • Typically fraudsters send out random emails to get
    people to click on a link and visit a malicious web
    site where web browser vulnerabilities are exploited
    to install the Trojan. The emails are not normally
    related to Internet banking and try to dupe people
    into visiting with a variety of excuses.
  • Money Mule - as most fraudsters behind phishing and
    Trojan scams are located overseas, and most online
    bank accounts cannot make cross-border transfers
    directly, a "money mule" or "money transfer agent"
    with a local account is required to receive the
    stolen funds and forward them, i.e. to launder the
    funds obtained.
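The mule account has a recognisable shape from the bank's side: credits from several unrelated payers arrive in a short window and most of the money leaves again within a day or two as cash or an onward transfer. The following is an added example (not from the slides) of that heuristic run over a constructed ledger; the 48-hour window, the two-payer minimum, the 80% pass-through ratio and every ledger entry are assumptions.

```python
"""Money-mule heuristic over a constructed account ledger.

Added example, not from the original slides. The pattern it looks for
(credits from several unrelated payers, most of the money moved out again
within two days) and every threshold and ledger entry below are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

OUTBOUND = {"transfer_out", "cash"}


def find_mule_candidates(ledger, window=timedelta(hours=48), min_sources=2, passthrough=0.8):
    """Return {account: evidence} for accounts whose inbound credits from at least
    `min_sources` distinct payers are largely (>= passthrough) moved out within `window`."""
    by_account = defaultdict(list)
    for tx in ledger:
        by_account[tx["account"]].append(tx)
    flagged = {}
    for account, txs in by_account.items():
        txs.sort(key=lambda t: t["ts"])
        for anchor in (t for t in txs if t["type"] == "credit"):
            end = anchor["ts"] + window
            in_window = [t for t in txs if anchor["ts"] <= t["ts"] <= end]
            credits = [t for t in in_window if t["type"] == "credit"]
            sources = {t["counterparty"] for t in credits}
            credited = sum(t["amount"] for t in credits)
            moved_out = sum(t["amount"] for t in in_window if t["type"] in OUTBOUND)
            if len(sources) >= min_sources and credited and moved_out >= passthrough * credited:
                flagged[account] = {"from": anchor["ts"], "sources": len(sources),
                                    "credited": credited, "moved_out": moved_out}
                break          # first qualifying window is enough to raise the account
    return flagged


def sample_ledger():
    """Constructed ledger: one mule, one salaried customer, one small trader."""
    t0 = datetime(2007, 6, 4, 9, 0)

    def tx(account, type_, amount, counterparty, hours):
        return {"account": account, "type": type_, "amount": amount,
                "counterparty": counterparty, "ts": t0 + timedelta(hours=hours)}

    return [
        # M1: three phishing victims pay in; the balance leaves as cash and a foreign transfer
        tx("M1", "credit", 1000.0, "victim-A", 0),
        tx("M1", "credit", 1500.0, "victim-B", 1),
        tx("M1", "credit", 800.0, "victim-C", 3),
        tx("M1", "cash", 500.0, "ATM", 5),
        tx("M1", "transfer_out", 2500.0, "overseas-agent", 6),
        # N1: salary in, ordinary bills out
        tx("N1", "credit", 2000.0, "employer", 0),
        tx("N1", "transfer_out", 900.0, "landlord", 24),
        tx("N1", "card", 60.0, "supermarket", 30),
        # S1: a small trader with many payers but no pass-through
        tx("S1", "credit", 200.0, "cust-1", 0),
        tx("S1", "credit", 300.0, "cust-2", 2),
        tx("S1", "credit", 100.0, "cust-3", 4),
        tx("S1", "transfer_out", 50.0, "supplier", 10),
    ]


if __name__ == "__main__":
    for account, evidence in find_mule_candidates(sample_ledger()).items():
        print(account, evidence)
```

The salaried account is excluded by the single-payer rule and the trader by the pass-through ratio; the mule's 300 retained out of 3300 is the "commission" that makes the pattern visible. In practice this score would feed the referral queue rather than block the account outright.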

18
Two Factor Authentication
  • MasterCard have introduced a one-time password
    device built around the EMV card and licensed it to
    Visa
  • MasterCard CAP (Chip Authentication Program) or
    Visa DPA (Dynamic Passcode Authentication)
  • A method of using the EMV card as the second factor
    in two factor authentication
  • For e-commerce and MOTO (Mail Order/Telephone
    Order), i.e. Card Not Present (CNP)
  • e-banking logons and transaction protection
  • Tokens will emerge in markets in 2007
  • CAP provides
  • Cardholder authentication for a channel or
    service
  • Mitigates the known weaknesses of static passwords
    such as phishing: a captured code is single-use, so
    it cannot simply be replayed later (a real-time
    relay of the code by the attacker is still possible)
  • Payment signing proves authenticity, origin and
    integrity for payment transfers, because the
    beneficiary and amount are bound into the code
  • e-commerce authentication for internet payments,
    addressing card not present fraud

19
How does CAP work?
  • EMV card is placed into a Personal Card Reader
    (PCR)
  • Cardholder selects a mode and types what it asks for
  • One-time password (identify mode, nothing to type)
  • Challenge/Response (the bank's challenge number)
  • Signature function for transactions (e.g.
    transfers: beneficiary account and amount)
  • PCR asks for the card PIN; the card verifies the PIN
    offline against its own PIN try counter
  • If the PIN is correct, the card generates an ARQC
    cryptogram over the typed data and its transaction
    counter; the reader selects bits from it and shows
    them as a decimal dynamic password, e.g. 1234 5678
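The exchange above with both ends modelled, as an added example (not from the slides, and not the real EMV/CAP algorithms): the card checks the PIN offline with a try counter, bumps its transaction counter and produces a cryptogram over whatever the cardholder typed; the reader masks bits out of counter and cryptogram and shows them as digits; the issuer recomputes the code for a window of counter values and never accepts a counter twice. HMAC-SHA256 stands in for the EMV session key and 3DES ARQC, a fixed 10-byte mask stands in for the issuer proprietary bitmap, the code is cut to 8 digits, and the key and PIN are demo values; all of that is assumption.

```python
"""CAP-style dynamic passcode: card side, reader side and issuer side.

Added example, not from the original slides and not the real EMV/CAP
algorithms. Assumptions: HMAC-SHA256 stands in for the EMV session key and
3DES ARQC, a fixed 10-byte mask stands in for the issuer proprietary bitmap,
the passcode is reduced to 8 decimal digits, and the demo PIN is 1234.
"""
import hashlib
import hmac
import struct

# Mask over ATC (2 bytes) || cryptogram (8 bytes): which bits reach the display
IPB = bytes.fromhex("00FF" "FFFFFF0000000000")


def cryptogram(key: bytes, atc: int, mode: str, challenge: str, amount: str) -> bytes:
    """8-byte MAC over mode, counter and whatever the cardholder typed (stand-in for the ARQC)."""
    data = f"{mode}|{atc}|{challenge}|{amount}".encode()
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


def select_bits(data: bytes, mask: bytes) -> int:
    """Concatenate the bits of `data` where the mask bit is 1."""
    out = 0
    for d, m in zip(data, mask):
        for shift in range(7, -1, -1):
            if (m >> shift) & 1:
                out = (out << 1) | ((d >> shift) & 1)
    return out


def to_passcode(atc: int, mac: bytes) -> str:
    """Reader side: pick the masked bits and show them as decimal digits."""
    return f"{select_bits(struct.pack('>H', atc) + mac, IPB) % 10**8:08d}"


class Card:
    """The EMV application: offline PIN check with a try counter, then one cryptogram per PIN."""

    def __init__(self, key: bytes, pin: str):
        self._key, self._pin = key, pin
        self.atc = 0            # application transaction counter
        self.pin_tries = 3
        self._pin_ok = False

    def verify_pin(self, pin: str) -> bool:
        if self.pin_tries == 0:
            return False        # blocked: no further attempts accepted
        if hmac.compare_digest(pin, self._pin):
            self.pin_tries, self._pin_ok = 3, True
            return True
        self.pin_tries -= 1
        return False

    def generate(self, mode: str, challenge: str = "", amount: str = ""):
        if not self._pin_ok:
            return None
        self._pin_ok = False
        self.atc += 1
        return self.atc, cryptogram(self._key, self.atc, mode, challenge, amount)


class Issuer:
    """Recomputes the code for the next few counter values; a used counter is never accepted again."""

    def __init__(self, key: bytes):
        self._key, self.last_atc = key, 0

    def verify(self, code: str, mode: str, challenge: str = "", amount: str = "",
               window: int = 10) -> bool:
        for atc in range(self.last_atc + 1, self.last_atc + 1 + window):
            expected = to_passcode(atc, cryptogram(self._key, atc, mode, challenge, amount))
            if hmac.compare_digest(expected, code):
                self.last_atc = atc
                return True
        return False


def demo() -> dict:
    key = bytes.fromhex("0123456789abcdef0123456789abcdef")   # shared card/issuer key (demo value)
    card, issuer = Card(key, "1234"), Issuer(key)
    out = {}
    card.verify_pin("1234")
    code = to_passcode(*card.generate("identify"))             # one-time password for logon
    out["otp_ok"] = issuer.verify(code, "identify")
    out["otp_replay"] = issuer.verify(code, "identify")        # a phished code is worthless second time
    card.verify_pin("1234")
    code = to_passcode(*card.generate("respond", "73920184"))  # bank's challenge typed into the reader
    out["challenge_ok"] = issuer.verify(code, "respond", "73920184")
    card.verify_pin("1234")
    code = to_passcode(*card.generate("sign", "12345678", "100.00"))  # payee and amount are signed
    out["tampered_amount"] = issuer.verify(code, "sign", "12345678", "1000.00")
    out["sign_ok"] = issuer.verify(code, "sign", "12345678", "100.00")
    for _ in range(3):
        card.verify_pin("0000")
    out["locked"] = not card.verify_pin("1234")               # PIN try counter exhausted
    out["no_cryptogram_when_locked"] = card.generate("identify") is None
    return out
```

The sign mode is the property the next slide calls "payment signing": an attacker who changes the amount after the cardholder has computed the code gets a rejection, because the issuer recomputes over the amount it was actually asked to pay. The counter window is what tolerates codes generated but never submitted, and the `last_atc` update is what stops a captured code being replayed.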

20
Securing card-not-present transactions
(Table reconstructed from the slide: factor, method, drawbacks, benefits)

Something I have
  • Token
    Drawbacks: roll-out to large customer groups can be
    expensive and costly to manage; easy to lose;
    inconvenient for customers with multiple banks
    unless interchangeable
    Benefits: proven and widely accepted in some
    geographies and customer segments
  • Mobile
    Drawbacks: need a compliant phone model; stolen
    mobiles pose a threat and an inconvenience
    Benefits: most customers already own a mobile phone
  • IP address
    Drawbacks: issues for multiple customers using the
    same IP address, e.g. through a firewall; not a
    solution for customers that travel frequently
    Benefits: cheaper, as no need for hardware roll-out
    or management
  • Smart bank card
    Drawbacks: need to roll out hardware to enable use
    with remote channels; need to roll out new cards
    with the CAP application
    Benefits: customers already carry credit/debit cards
    and are already comfortable using them as identity
    for ATMs and payments

Something I know
  • Passwords
    Drawbacks: customers struggle to remember multiple
    passwords; risk of customer disclosing to others,
    e.g. through phishing attacks; can be easily
    captured using key-logging technology and other
    spyware
    Benefits: known only to the customer and associated
    with a unique log-in; easy to change and maintain

Something I am
  • Biometrics, e.g. fingerprint/retina/vein
    recognition technology
    Drawbacks: technology is still costly; mass roll-out
    is time-consuming as customer data must be gathered
    in person; risk of identity theft
    Benefits: unique to each customer; difficult and
    expensive to fake
21
Identity theft
  • Fraudulent applications, account take-over,
    additional or replacement card
  • Card and identification theft
  • Ease of access to personal information
  • Pressure on bank employees
  • Monitor for internal fraud, pretext calling, etc

22
Cheque fraud
  • Easier than compromising an EMV card
  • Quality of printing facilities
  • Still widely used in some geographies
  • Lack of investment in risk management in this area
    makes it an easy target
  • MI (management information)
  • Checking systems
  • Need for enterprise risk management

23
Bank Cards are an appealing target for fraud -
which is a problem for banks
  • Banks need to-
  • provide customers with increasing confidence
    their assets are safe
  • embrace new technologies to provide cardholders
    ubiquitous access to their payment accounts
    wherever they may be
  • provide security protections against new threats
  • adapt to new consumer expectations and design
    more flexible business strategies
  • Utilise Smart Card Management systems that allow
    them access to all available EMV data
  • "For a card authentication solution to be truly
    effective in a non face-to-face environment, it
    has to offer a high level of security, and be
    low-cost and consistent across multiple
    channels."
  • Fikret Ates, Vice President, Chip Product
    Management, MasterCard International

24
What are Biometrics and can they help?
  • Individual Unique Biometric Information
  • Fingerprints
  • Hand and Finger Geometry
  • Retinal or Iris patterns
  • Facial Patterns/Geometry
  • Voice Patterns
  • Odour
  • Bone length,
  • Fingernail ridges
  • Ear shape/Form
  • DNA
  • Dynamic Signature
  • Biometrics = biological measurements
  • The science of using physiological and
    behavioural characteristics to verify the
    identity of an individual
  • Verification - "Am I who I claim to be?" (a 1:1
    match against the claimed identity)
  • Identification - "Who am I?" (a 1:N search)
  • Biometrics stored on the card and verified against
    the live biometric at the point of interaction

25
Biometrics What are the Concerns
  • Customers
  • Accuracy, reliability, privacy
  • Personal: invasive, cultural, religious
  • Banks
  • Choice of technology - is there a biometric that is
    ideal in all scenarios?
  • Business case: cost of enrolment, centralised
    infrastructure
  • Ownership of data
  • Reputational risk
  • False Rejection Rate (FRR) - reject the correct
    person
  • False Acceptance Rate (FAR) - accept the wrong
    person
  • Tuning of acceptance/rejection - the operating
    point where FRR = FAR (the equal error rate);
    moving the threshold lowers one rate only by
    raising the other
  • Processing speed of decision - increase in
    transaction times
  • Robustness - invariant to lighting, background
    etc.
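The FRR/FAR trade-off made concrete, as an added example (not from the slides): sweep the match threshold over a set of genuine and impostor scores, report the rates at each point, find the equal error point, and find the cheapest threshold that meets a FAR ceiling such as a bank might set for high-value payments. The scores are constructed, not from any real biometric engine, and the accept rule (score at or above threshold) is an assumption.

```python
"""Tuning a biometric match threshold: FAR, FRR and the equal error rate.

Added example, not from the original slides. The matcher scores below are
constructed (higher = more similar); a real engine would supply them, and
the 1:1 "verification" decision is assumed to be score >= threshold.
"""
GENUINE = [0.91, 0.88, 0.95, 0.79, 0.85, 0.90, 0.72, 0.93, 0.87, 0.81]   # enrolled person vs self
IMPOSTOR = [0.40, 0.55, 0.61, 0.35, 0.74, 0.50, 0.66, 0.45, 0.58, 0.80]  # other people vs enrolment


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """FAR: share of impostors accepted; FRR: share of genuine users rejected."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def equal_error_point(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep every observed score as a threshold; return (threshold, far, frr)
    at the point where FAR and FRR are closest (the equal error rate)."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = rates(t, genuine, impostor)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    return best


def threshold_for_far(max_far, genuine=GENUINE, impostor=IMPOSTOR):
    """Lowest threshold meeting a FAR ceiling (e.g. for high-value payments) and the FRR it costs."""
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = rates(t, genuine, impostor)
        if far <= max_far:
            return t, far, frr
    return None


if __name__ == "__main__":
    t, far, frr = equal_error_point()
    print(f"EER operating point: threshold={t} FAR={far:.2f} FRR={frr:.2f}")
    t, far, frr = threshold_for_far(0.0)
    print(f"Zero-FAR point:      threshold={t} FAR={far:.2f} FRR={frr:.2f}")
```

With these scores the equal error point sits at a threshold of 0.79 with both rates at 10%; pushing FAR to zero needs 0.81 and doubles the FRR, which is the "tuning" concern on the slide expressed as numbers: every impostor kept out past the EER is paid for with a genuine customer bounced at the point of sale.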

26
Biometrics - Summary
  • Security - Yes
  • Usability - In some cases
  • Accountability - Maybe
  • Learn from EMV for a new CVM (cardholder
    verification method) implementation
  • Convenience - In some cases
  • Conclusion
  • Not universal - yet
  • Good in specific cases
  • May be cultural issues

[Image: "The test for biometrics!" Source: Google]