5c Fraud Impacts - PowerPoint PPT Presentation

1 / 27
About This Presentation
Title:

5c Fraud Impacts

Description:

Money Mules ... Money Mule - As most fraudsters behind phishing and Trojan scams are located ... bank accounts a 'money mule' or 'money transfer agent' is ... – PowerPoint PPT presentation

Number of Views:602
Avg rating:3.0/5.0
Slides: 28
Provided by: spen8
Category:
Tags: fraud | impacts | mule

less

Transcript and Presenter's Notes

Title: 5c Fraud Impacts


1
5c Fraud Impacts
  • Richard Sanders, Business Consultant
  • ACI Worldwide

2
What is Fraud and who is a Fraudster?
  • What is Fraud
  • A deliberate act to obtain a benefit dishonestly
    (VISA)
  • A deception deliberately practiced in order to
    secure unfair or unlawful gain. (The American
    Heritage Dictionary of the English Language)
  • ..the crime or offence of deliberately deceiving
    another in order to damage them - usually, to
    obtain property or services.. unjustly.(The
    'Lectric Law Library's Legal Lexicon)
  • Fraudsters can be
  • Organised crime
  • Hacker seeking publicity
  • Academic
  • Customer
  • Insider/disruptive group
  • Competitor/other company

3
How Secure is Secure? Its all relative
  • All Systems can be broken - they are only as
    strong as weakest link
  • What is secure today may be broken tomorrow
  • Security is a Process and an attitude, not a
    position
  • The most secure systems may not be commercially
    viable. Security has a cost and a business has to
    decide what is appropriate
  • Security has to be integrated to a product even
    if that product is outsourced to a processor
  • Risk Management may be fragmented in a Bank and
    have different definitions of secure
  • Retailers and etailers may have a different view
    again
  • Compliance is now a big spend item for Banks and
    some mistakenly think this is all that is
    required for security
  • The ideal system should detect fraud and move to
    the next level of security when an unacceptable
    fraud level is reached

4
The Security Balancing Act
Lack of Security is also a cost
Security is a cost of doing business
  • To buy
  • To Detect
  • and Recover from breach
  • To Keep Current
  • To Maintain Consumer Confidence
  • Direct Loss
  • Consequential Loss
  • Reputational Loss

The aim must be balance between the two
5
Risk Management as EMV Moves Forward
6
Agenda
  • What are the likely fraud trends post EMV?
  • What is required to address them?
  • How to provide a managed risk environment for the
    future

7
Fraud Trends Post EMV
8
Fraud Trends Over the Decades
Fraudsters have historically grown bolder and
more organised To pursue a larger prize
9
Evolving Card Fraud Concerns
Collusion PCI Breaches Money Laundering Carding
Phishing Pharming Identity
NRI
CNP Internet Insider
Lost Stolen
Data Compromise ATM
Counterfeit
2001 2002 2003 2004 2005 2006 2007
Its getting complex and its no longer just
about cards thanks to EMV
10
Complex Environment
Physical POS ATM Card Cheque Cash
Remote MOTO Internet Contactless
Wireless POS M-Commerce SMS Mobile
Multiple Channel Payments
11
Requires More Complex Solutions
NEURAL
NEURAL
CHECKING
CHECKING
RULES
RULES
CHECKING
CHECKING
REAL
-
TIME
REAL
-
TIME
AUTHOR
-
AUTHOR
-
OFFLINE RISK MANAGEMT
ISATION
ISATION
SCREENING
SCREENING
SCREENING
AUTHEN
-
AUTHEN
-
TICATION
TICATION
VALIDATION
VALIDATION
Offline And spend limit
Weed out
Learn by
If amount
Limit,
Positive
1, 2, 3
Weed out
Learn by
If amount
Limit,
Positive
1, 2, 3
Limit,
the
example
more than
velocity
Balance,
factor
the
example
more than
velocity
Balance,
factor
velocity

obviously
100 and
checks
etc.
obviously
100 and
checks
etc.
checks
fraudulent
.
fraudulent
.
Valid format
Valid format
PIN
Usage
Funds
Simple
Pattern
PIN
Usage
Funds
Simple
Pattern
Usage
Usage
Luhn
Luhn
Password
Velocity
Online
Complex
Scoring
Password
Velocity
Online
Complex
Scoring
Velocity
Velocity
Expiry date
Expiry date
Card
NEG
Real
-
time
Cardholder
Modelling
Card
NEG
Real
-
time
Cardholder
Modelling
Limits
Biometric
Limits
Scripting
Merchant
Adaptive
Biometric
Limits
Scripting
Merchant
Adaptive
Limits
LRC
LRC
12
EMV Not Intended To Solve All Problems
  • Fraudsters are still targeting cards and the
    internet
  • High return for low investment while stripe
    remains on the card
  • Not technically challenging stripe / SDA
  • Organised crime can fund
  • Information/attack methods easily dispersed via
    internet
  • Fraud moves easily across borders and there are a
    number of options
  • Migrating towards the weakest channels

EMV Chip PIN
VbyV/SecureCode CAP/DPA
13
UK CNP Fraud grew by 16 last year and now
represents 50 of Total Fraud
14
EMV migration an opportunity for fraudsters?
  • Stripe and chip co-exist for at least 10 years
    US is still very resistant to EMV
  • Counterfeiting still viable until stripe goes
  • Disable chip and force fallback
  • ATM Weakness and Foreign use
  • Intercept mail
  • Opportunity to damage chip and return to post
  • Harder to track fraudulent fallback
  • Stolen cards
  • Damage chip
  • Cross-border usage
  • ATM Weakness
  • Compromise Terminals
  • Increase in Lebanese loop type activity
  • Easier than trying to counterfeit the chip card

15
EMV migration an opportunity for fraudsters?
  • Mass rollout helps ease of access to cards and
    terminals to learn and deploy fraudulently
  • Huge deployment of cards and terminals
  • Inexperience of cardholders and merchants
  • Inexperience of customer services
  • Readiness of risk management systems and
    procedures for change
  • Technology enablers for Fraudsters
  • PIN compromise via electronic, photographic
    techniques in addition to shoulder surfing
  • Speed of global deployment
  • Range of deployment

16
The Fraudsters Tools Phishing and Pharming
  • Phishing - Short for password harvesting fishing
    is the name given to the of sending emails at
    random purporting to come from a genuine company
    operating on the Internet, attempting to trick
    customers of that company into disclosing
    information at a bogus website operated by
    fraudsters. These emails usually claim that it is
    necessary to "update" or "verify" customer
    account information and urge people to click on a
    link from the email which takes them to the bogus
    website. Any information entered on the bogus
    website will be captured by the criminals for
    their own fraudulent purposes.
  • Pharming - DNS poisoning or domain hijacks to
    redirect users to spoof urls which is potentially
    more sinister than phishing because it avoids the
    need to coax users into responding to junk email
    alerts. Pharming is seen by some as a
    next-generation phishing attack,"

17
The Fraudsters Tools - Trojans and Money Mules
  • Trojans - come from the term 'Trojan Horse' - a
    type of computer virus which can be installed
    often without the owner realising. Some install a
    "keystroke logger", which captures all keystrokes
    entered into the keyboard or passwords entered at
    certain web sites. Screen shots of sites visited
    can also be sent to the fraudsters over the
    Internet.
  • Typically fraudsters send out random emails to
    get people to click on a link and visit a
    malicious web site where web browser
    vulnerabilities are exploited to install the
    Trojan. The emails are not normally related to
    Internet banking and try to dupe people into
    visiting with a variety of excuses.
  • Money Mule - As most fraudsters behind phishing
    and Trojan scams are located overseas and it is
    not possible to make cross-border transfers from
    most online bank accounts a "money mule" or
    "money transfer agent" is required to launder the
    funds obtained.

18
Two Factor Authentication
  • MasterCard have introduced a one-time password
    device and licensed it to Visa
  • MCAP or VISA DPA
  • A method of using EMV to handle two factor
    authentication
  • For e-commerce and MOTO (Mail Order/Telephone
    Order), i.e. Card Not Present (CNP)
  • e-banking logons and transaction protection
  • Tokens will emerge in markets in 2007
  • CAP provides
  • Cardholder authentication for a channel or
    service.
  • Prevents known password security issues such as
    phishing
  • Payment signing proves authenticity, origin and
    integrity for payment transfers
  • e-commerce authentication for internet payments,
    addressing card not present fraud

19
How does CAP work?
  • EMV Card is placed into Personal Card Reader
    (PCR)
  • Cardholder types
  • One-time password
  • Challenge/Response
  • Signature Function for transactions (e.g.
    transfers)
  • PCR asks for Card PIN, Card verifies PIN
  • If PIN is correct, card/reader generates a
    dynamic password (a modified ARQC), e.g. 1234
    5678

20
Securing card-not-present transactions
Factor
Drawbacks
Benefits
  • Roll out to large customer groups can be
    expensive, costly to manage easy to lose
    inconvenient for customers with multiple banks
    unless interchangeable
  • Need a compliant phone model stolen mobiles pose
    a threat and inconvenience
  • Issues for multiple customers using the same IP
    address, e.g. through a firewall not a solution
    for customers that travel frequently
  • Need to rollout hardware to enable use with
    remote channels need to roll out new cards with
    CAP application
  • Proven and widely accepted by some geographies
    and customer segments
  • Most customers already own a mobile phone
  • Cheaper, as no need for hardware rollout or
    management
  • Customers already carry credit/debit cards they
    are already comfortable using them as identity
    for ATMs and payments
  • Token
  • Mobile
  • IP address
  • Smart bank card

Something I have
  • Passwords
  • Customers struggle to remember multiple
    passwords risk of customer disclosing to others
    e.g. through phishing attacks can be easily
    hacked using key-logging technology and other
    spy-ware
  • Known only to the customer and associated with a
    unique log-in easy to change and maintain

Something I know
  • Biometrics, e.g. fingerprint/ retina/ vein
    recognition technology
  • Technology is still costly mass roll-out is time
    consuming as customer data must be gathered in
    person risk of identity theft
  • Unique to each customer, difficult and expensive
    to fake

Something I am
21
Identity theft
  • Fraudulent applications, account take-over,
    additional or replacement card
  • Card and identification theft
  • Ease of access to personal information
  • Pressure on bank employees
  • Monitor for internal fraud, pretext calling, etc

22
Cheque fraud
  • Easier than compromising EMV card
  • Quality of printing facilities
  • Still widely used in some geos
  • Lack of investment in risk management in area
    makes it an easy target
  • MI
  • Checking Systems
  • Need for Enterprise Risk Management

23
Bank Cards are an appealing target for fraud -
which is a problem for banks
  • Banks need to-
  • provide customers with increasing confidence
    their assets are safe
  • embrace new technologies to provide cardholders
    ubiquitous access to their payment accounts
    wherever they may be
  • provide security protections against new threats
  • adapt to new consumer expectations and design
    more flexible business strategies
  • Utilise Smart Card Management systems that allow
    them access to all available EMV data
  • "For a card authentication solution to be truly
    effective in a non face-to-face environment, it
    has to offer a high level of security, and be
    low-cost and consistent across multiple
    channels.
  • Fikret Ates, Vice President, Chip Product
    Management
  • MasterCard International.

24
What are Biometrics and can they help?
  • Individual Unique Biometric Information
  • Fingerprints
  • Hand and Finger Geometry
  • Retinal or Iris patterns
  • Facial Patterns/Geometry
  • Voice Patterns
  • Odour
  • Bone length,
  • Fingernail ridges
  • Ear shape/Form
  • DNA
  • Dynamic Signature
  • Biometrics Biological Measurements
  • The Science of using physiological and
    behavioural characteristics to verify the
    identity of an individual
  • Verification Am I Who I claim to be?
  • Identification Who am I?
  • Biometrics stored on the card and verified with
    the actual biometric at point of interaction

25
Biometrics What are the Concerns
  • Customers
  • Accuracy Reliability Privacy
  • Personal invasive, cultural, religious
  • Banks
  • Choice of technology - a Biometric ideal in all
    scenarios
  • Business Case Cost of enrolment Centralised
    infrastructure
  • Ownership of Data
  • Reputational Risk
  • False Rejection Rate (FRR) - Reject the correct
    person
  • False Acceptance Rate (FAR) - Accept the wrong
    person
  • Tuning of Acceptance/Rejection - Where FRRFAR
  • Processing Speed of Decision - Increase in
    transaction times
  • Robustness - Invariant to lighting, background
    etc.

26
Biometrics - Summary
  • Security - Yes
  • Usability In some cases
  • Accountability Maybe
  • Learn from EMV for a new CVM implementation
  • Convenience - In some cases
  • Conclusion
  • Not universal - yet
  • Good in specific cases
  • May be cultural issues

The test for biometrics! Source Google
27
(No Transcript)
Write a Comment
User Comments (0)
About PowerShow.com