1 MasterCard International Credit Card Security & Risk IS6800 Group Presentation Mike Cornish Kathleen Delpha Mary Erslon November 2004

Dec 22, 2015

Page 1: 1 MasterCard International Credit Card Security & Risk IS6800 Group Presentation Mike Cornish Kathleen Delpha Mary Erslon November 2004.

1

MasterCard International Credit Card Security & Risk

IS6800 Group Presentation

Mike Cornish, Kathleen Delpha, Mary Erslon

November 2004

Page 2

Agenda

• MasterCard Organization
• Credit Card 101
• Credit Card Fraud
• Case Studies
  • Card Not Present Fraud
  • Identity Theft Fraud
• Best Practices for Credit Card Security

Page 3

MasterCard Organization

Page 4

MasterCard’s IT & Security Organizations [1]

[Org chart. Legend: Direct IT Functions; Security & Fraud Functions. The CIO reports to the President & CEO.]

Top box: CIO & SEVP, Global Technology & Operations

SVP and VP boxes:
• SVP GTO Human Resources
• SVP Computer & Network Services
• SVP Technology Business Management
• SVP Security & Risk Management
• SVP GTO Administration
• SVP Member Services
• SVP Systems Development
• SVP Debit Services
• VP Technology Communications

Functional groups shown on the chart:
• Technical Architecture
• Business Requirements Management
• Technology Sales Organization
• Business Systems
• Technology Infrastructure
• Data Warehouse Hardware & Software Change Management
• Data Center Operations
• Network Operations
• Project Management Office
• Offshore Partnership Management & Sales
• Debit Systems Development
• Global Debit Operations
• Debit Customer Support
• IT Investment Management Office
• GTO Plans & Budgets
• Security & Risk Analysis
• Field Operations
• Global Member Operations Support
• 1-800-MasterCard Call Center
• MasterCard Product Support Call Center

Page 5

Major IT Decisions [1]

• IT Principles: MasterCard GTO level
• IT Architecture: MasterCard GTO level
• IT Infrastructure: MasterCard GTO level
• Business Application Needs: Federal
  • Core: MasterCard GTO level
  • Value Added*: mixture of GTO and business levels
• IT Investment and Prioritization: Duopoly, CxO level & GTO

* Includes Security & Risk Management applications

Page 6

Governance [1]

• Transitioning to IT Duopoly at the CxO level from IT Monarchy
• All IT spending remains under control of GTO
• GTO led initiative to bring transparency to the IT decision making processes, and to bring business involvement into IT investment management
• CxO level sets budget for technology investment & decides priorities
• GTO investment management office
  • Facilitates business prioritization by CxO level
  • Allocates & tracks technology spending across GTO

Page 7

Metrics

• 37 Sites: Global HQ, GTO HQ, 5 regional & 30 local country offices [2]
• Total GTO FTE*: ~2,000 [3]
• Total MasterCard FTE*: ~4,000 [2]
• Desktops: ~4,800 worldwide [4]
• Security & Fraud Applications: 11 [5]
• GTO’s IT Budget for 2003 was ~11% [6] of Total Revenue of $2.23 Bn [7]

* Full-time Equivalents (employees, contractors, temps)

Page 8

Credit Card 101

Page 9

Open System: Interchange Model

[Diagram of the parties in the open interchange model: Merchant, Acquiring Processor, Acquiring Bank, Issuing Bank, Issuing Processor, Cardholder. Relationships shown: Account Relationship, Transaction Relationship, Processing Relationship, Statementing Relationship.]

Biggest threats come from outside the payment system!

* Structure for Visa is similar.

Page 10

Open System: Interchange Transaction Flow

[Diagram: message flow among Merchant, Acquiring Processor, Acquiring Bank, Issuing Bank, Issuing Processor and Cardholder.]

• Authorization Request (real-time)
• Authorization Response (real-time)
• First Presentment Notice
• Settlement
• Merchant Deposit
• Merchant Payment
• Statement
• Payment

* Flow is similar for Visa.

Page 11

Closed System

[Diagram: Merchant, Acquiring Processor and Cardholder, with an Account Relationship and a Transaction Relationship.]

Biggest threats come from outside the payment system!

* Structure for Discover is similar.

Page 12

Closed System: Typical Transaction Flow

[Diagram: message flow among Merchant, Acquiring Processor and Cardholder.]

• Authorization Request (real-time)
• Authorization Response (real-time)
• Merchant Deposit
• Merchant Payment
• Statement
• Payment

* Flow is similar for Discover.

Page 13

MasterCard’s Space

MasterCard International is a global payments company [2]
• Membership corporation of 25,000 financial institutions that issue MasterCard, Maestro, and Cirrus branded cards
• Licensor and franchisor for the MasterCard, Maestro, and Cirrus payment brands

2003 Key Business Indicators [2, 8]
• Gross volume: US$ 1,272 Bn
• Number of transactions: 13.2 Bn
• Number of accounts: 529.5 MM
• Number of cards: 632.4 MM
• Number of merchants: 22.0+ MM in 210 countries
• Number of ATMs: 900K+ in 120+ countries

Page 14

Not MasterCard’s Space [2]

MasterCard does not…
• Issue cards
• Set annual fees on cards
• Determine annual percentage rates (APRs)
• Solicit merchants to accept cards or set their discount rates

Page 15

Credit Card Fraud

MasterCard’s Strategies

Page 16

Headlines

[Slide of news headlines about card fraud, shown as images; only the dates survive: Nov 20, 2001; Jan 23, 2003; Feb 19, 2003; Feb 27, 2003; March 17, 2003; Sep 12, 2003 (two headlines); Oct 24, 2003; Aug 5, 2004.]

Page 17

Types of Fraud [9]

• Identity Theft*
  • Application Fraud
  • Account Takeover
• Card Not Present*
  • Mail, telephone, web
• Counterfeit*
  • Skimming
  • Account number generation
• Lost & stolen
• Never Received after Issue
• Merchant Fraud
  • Collusion
  • Triangulation

* Increasing and gaining a lot of attention in recent years, especially in the online space

[Bar chart: Incidence of Fraud by Method. Lost/Stolen 48%, ID Theft 15%, Skimming 14%, Counterfeit 12%, Never Received 6%, Other 5%.]

Page 18

Industry Fraud Estimates*

* There is no true consolidated source for credit card fraud statistics in the industry

[Chart: Fraud Rates as % of Transaction Volume, compiled from sources [10], [11], [12] and [13]; the plotted values did not survive extraction.]

Page 19

MasterCard’s Security & Risk Mission

Mission [14]: “Protect brand integrity and manage fraud risk through best in class core and value added services with integrated end to end solutions to help position MasterCard as the Global Payments Leader”

Page 20

Security & Risk Management Applications & Services [5]

[Matrix of Fraud Type (rows) against Application or Service (columns). Legend: A = Awareness, D = Detection, P = Prevention.]

Applications or services (columns):
• Account Management System
• Address Verification System
• Common Points of Purchase
• Fraud Velocity Monitoring
• Issuers Clearinghouse Service
• MasterCard Alerts
• MasterCard Internet Gateway Services
• MasterCard SecureCode
• Merchant Alerts to Control High Risk
• Merchant Online Status Tracking
• NameProtect Partnership
• RiskFinder
• Site Data Protection
• System to Avoid Fraud Effectively

Fraud type rows (the letters are listed in the order they appear; which column each belongs to did not survive extraction):
• ID Theft: D P D D A
• Counterfeit: P D D A P P D D P A
• Card Not Present: P D A P P D D P A
• Lost & Stolen: P P D A D A
• Never Received: P A
• Merchant Fraud: D P P D D A

Page 21

Case Study

Card Not Present Fraud

Page 22

“Card Not Present” Defined

Definition [9]: Neither the card nor the cardholder is present at the point-of-sale
• Merchants are unable to check the physical security features of the card to determine if it is genuine
• Ecommerce; online or telephone transactions
• No way to dispute a cardholder claim that a purchase wasn’t made

Page 23

Ecommerce Market [15]

• > $3 Trillion worldwide
• MasterCard research shows that 90% of online buyers worry about their personal and financial information online

Page 24

Statistics

• MasterCard CNP incidents account for between 80 and 84% of credit card fraud [16]
• Online fraud rates up to 30x higher than in the physical world [17]
• 2003: $1.6B or ~2% of all online sales lost to credit card fraud [17]
• 2004 credit card fraud rate has decreased by 0.5% since 2000, but the amount lost has increased by 60% [19]
• Projected losses to internet merchants in 2005 expected to be $5 - $15 billion [9]

Page 25

Statistics (continued)

Merchant Risk Council Survey 2003 [19]
• Fraud chargeback rates > 1%: 9.7% (a 50% reduction since 2002)
• Fraud chargeback rates < 0.35%: 64% (a 30% increase since 2002)
• 17% of merchants spent > 2% of revenue on fraud prevention (a 30% increase since 2002)

Page 26

Examples of Card Not Present Credit Card Fraud

Low-Tech:
• Dumpster Diving
• Card Loss/Theft

High Tech:
• Phishing or site cloning
• Account number generators
• Online “auctions” or false merchant sites

Page 27

Card Not Present

May be caused by:
• Less-than-diligent cardholder (dumpster diving, theft)
• Cardholder response to plausible ploy (phishing)

May be out of cardholder’s control (numbers generator, hacking)

Page 28

Combating CNP Fraud: Legislative Examples

Anti-Phishing Act of 2004 [20]
• Introduced 07/04 by Sen. Leahy (D-VT)
• Phishing responsible for $2B in merchant losses/year
• Enters 2 new crimes into US Crime Code
  • E-mail that links to sham websites with the intent of committing a crime
  • The sham websites that are the true scene of the crime

Page 29

Combating CNP Fraud: Legislative Examples

• State laws [21] regulate the amount of information on a credit card receipt to the last four numbers of the credit card
• Expiration date may not appear on receipt
• CA, WA, MD, CT enacting legislation

Page 30

Combating CNP Fraud: Consumer

• Education and Awareness
• Consumer “Best Practices”

Page 31

Combating CNP Fraud: Merchant

Multi-level technical solutions
• Cardholder Authentication
• Neural Networks

Page 32

Case Study: SecureCode™

• Licensed MasterCard cardholder authentication solution [15] enables cardholders to authenticate themselves to their issuer through the use of a unique personal code (PIN)
• A VISA counterpart is “Verified by VISA” or “VbyV.”

Page 33

SecureCode [15]

• Cardholders enter their secure code in a separate browser window before an on-line transaction can be authorized
• Requires a merchant “plug-in,” or software module, to be deployed on the merchant’s website
• Requires the merchant to use a data transport mechanism and processing support

Page 34

SecureCode [15]

• The participating merchant gets explicit evidence of an authorized purchase (authentication data)
• Fully guaranteed online payments – protection from chargebacks
• MasterCard mandated that issuers implement support for MasterCard SecureCode by November 1, 2004
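The three SecureCode slides above describe a flow in three parts: the cardholder proves a personal code to the issuer in a separate window, the merchant plug-in carries the resulting authentication data in its authorization request, and an authenticated purchase shifts chargeback exposure away from the merchant. The following Python model, added here as an illustration and not MasterCard's code or the real SecureCode / 3-D Secure message formats, shows why that authentication data is only useful if the issuer can verify it and it is bound to one merchant and amount. The `Issuer` class, the `merchant_checkout` plug-in, the sample PAN `5100000000000001`, the personal code and the merchant id are all constructed for the example; the authentication value is an HMAC under an issuer-only key over PAN, merchant, amount and a one-time nonce.

```python
import hashlib
import hmac
import os
import secrets

# Hypothetical model of the SecureCode flow on slides 32-34. It is an added example;
# the real protocol's message formats and field names are not reproduced here.


class Issuer:
    """Issuer side: holds enrolled personal codes, issues and verifies authentication values."""

    PBKDF2_ROUNDS = 100_000

    def __init__(self):
        self._key = secrets.token_bytes(32)   # issuer-only secret that binds authentication values
        self._codes = {}                      # PAN -> (salt, PBKDF2 hash of the personal code)
        self._seen_nonces = set()             # each authentication value may be presented once

    def enroll(self, pan: str, personal_code: str) -> None:
        """Store the personal code as a salted hash, never in the clear."""
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", personal_code.encode(), salt, self.PBKDF2_ROUNDS)
        self._codes[pan] = (salt, digest)

    def _tag(self, pan: str, merchant_id: str, amount_cents: int, nonce: str) -> str:
        msg = f"{pan}|{merchant_id}|{amount_cents}|{nonce}".encode()
        return hmac.new(self._key, msg, "sha256").hexdigest()

    def authenticate(self, pan, merchant_id, amount_cents, personal_code):
        """The separate-window step: the cardholder proves the personal code to the issuer.
        Returns an authentication value bound to this merchant and amount, or None on failure."""
        record = self._codes.get(pan)
        if record is None:
            return None
        salt, digest = record
        attempt = hashlib.pbkdf2_hmac("sha256", personal_code.encode(), salt, self.PBKDF2_ROUNDS)
        if not hmac.compare_digest(attempt, digest):
            return None
        nonce = secrets.token_hex(8)
        return f"{nonce}:{self._tag(pan, merchant_id, amount_cents, nonce)}"

    def authorize(self, pan, merchant_id, amount_cents, auth_value):
        """Authorization request; auth_value is the authentication data the merchant carries."""
        if pan not in self._codes:
            return {"approved": False, "liability": "merchant", "reason": "unknown account"}
        if auth_value is None:
            # Unauthenticated CNP purchase: approved, but the merchant keeps chargeback exposure.
            return {"approved": True, "liability": "merchant", "reason": "not authenticated"}
        nonce, _, tag = auth_value.partition(":")
        expected = self._tag(pan, merchant_id, amount_cents, nonce)
        if nonce in self._seen_nonces or not hmac.compare_digest(tag, expected):
            return {"approved": False, "liability": "merchant", "reason": "authentication value invalid"}
        self._seen_nonces.add(nonce)
        return {"approved": True, "liability": "issuer", "reason": "cardholder authenticated"}


def merchant_checkout(issuer, pan, merchant_id, amount_cents, personal_code=None):
    """Merchant plug-in: run the authentication step when the cardholder supplies a code,
    then send the authorization carrying whatever authentication data was obtained."""
    auth_value = None
    if personal_code is not None:
        auth_value = issuer.authenticate(pan, merchant_id, amount_cents, personal_code)
        if auth_value is None:
            return {"approved": False, "liability": "merchant", "reason": "cardholder authentication failed"}
    return issuer.authorize(pan, merchant_id, amount_cents, auth_value)


if __name__ == "__main__":
    issuer = Issuer()
    issuer.enroll("5100000000000001", "s3cure-code")   # constructed sample PAN and personal code
    print(merchant_checkout(issuer, "5100000000000001", "SHOP-42", 4999, "s3cure-code"))
    print(merchant_checkout(issuer, "5100000000000001", "SHOP-42", 4999, "guess"))
    print(merchant_checkout(issuer, "5100000000000001", "SHOP-42", 4999))
```

Two details carry the security point: the merchant never sees or stores the personal code, only the opaque value the issuer returns, and because that value is bound to the amount and consumed once, an authentication obtained for a small purchase cannot be reused to authorize a larger one or replayed later.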

Page 35

SecureCode and eTronics [22]

• A Top Ten Internet consumer electronics retailer
• >200,000 customers and 300,000 orders annually
• Over $65 million in yearly sales
• In 2002, eTronics had credit card chargeback costs of over 1 million/year
• Implemented SecureCode in 2003
• “Too soon to tell” impact since SecureCode is not yet implemented globally, but eTronics is “optimistic and enthusiastic” about its success

Page 36

“Phishing Attack” – Mike’s Experience

[Side-by-side screenshots: Phishing Attack Website vs. Authentic MyCiti Website]

Page 37

Case Study: RiskFinder™

• A “neural network” system
• Fair Isaac’s proprietary profiling technology for fraud prevention – RiskFinder [23] is a MasterCard-specific application
• Enables transactions to be “scored” based on highly detailed cardholder patterns/behavior, existing patterns of fraud, and merchant trend data [23]

Page 38

Case Study: RiskFinder™

• The institution can establish a transaction score threshold, and conduct supplemental review and cardholder follow-up on any transaction that scores above the threshold [23]
• RiskFinder has saved issuers up to 50% in fraud losses [23]
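The two RiskFinder slides describe the mechanism (score each transaction against the cardholder's own pattern of behaviour) and the operating decision the issuer makes (pick a threshold; transactions above it go to review and cardholder follow-up). The Python below is an added illustration of that decision, not RiskFinder or Fair Isaac's model: it replaces the neural network with a handful of weighted rules (amount versus the 90-day average, first use in a country, velocity, change of country within two hours, a high-risk merchant category) so the effect of the threshold is visible. The rule weights, the `HIGH_RISK_MCC` set, the sample PAN `5100000000000001` and the transaction history are all constructed; the "Venice" case mirrors the travel story on slide 40.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

# Added example: a weighted-rule scorer standing in for RiskFinder's neural-network
# scoring. Weights, category set, threshold and sample data are constructed.

HIGH_RISK_MCC = {"5967", "7995", "6051"}   # constructed set of merchant category codes
SCORE_CAP = 999


@dataclass(frozen=True)
class Txn:
    pan: str
    amount: float        # in the account's currency
    country: str         # merchant country (ISO code)
    mcc: str             # merchant category code
    ts: datetime


def score_transaction(history, txn):
    """Score one authorization against the account's prior transactions (oldest first).
    Returns (score, reasons); a higher score means a stronger deviation from the profile."""
    score, reasons = 0, []
    recent = [t for t in history if t.ts > txn.ts - timedelta(days=90)]
    if recent:
        avg = mean(t.amount for t in recent)
        if txn.amount > 3 * avg:
            score += 300
            reasons.append(f"amount {txn.amount:.2f} exceeds 3x the 90-day average of {avg:.2f}")
        if txn.country not in {t.country for t in recent}:
            score += 250
            reasons.append(f"first transaction in {txn.country} within 90 days")
    burst = [t for t in history if t.ts > txn.ts - timedelta(minutes=10)]
    if len(burst) >= 3:
        score += 300
        reasons.append(f"{len(burst)} prior transactions in the last 10 minutes")
    if history:
        prev = history[-1]
        if prev.country != txn.country and txn.ts - prev.ts < timedelta(hours=2):
            score += 400
            reasons.append(f"previous transaction in {prev.country} less than 2 hours ago")
    if txn.mcc in HIGH_RISK_MCC:
        score += 150
        reasons.append(f"merchant category {txn.mcc} is on the high-risk list")
    return min(score, SCORE_CAP), reasons


def decide(history, txn, threshold):
    """Apply the institution's threshold: above it, hold for supplemental review and follow-up."""
    score, reasons = score_transaction(history, txn)
    action = "review and contact cardholder" if score > threshold else "approve"
    return {"score": score, "action": action, "reasons": reasons}


def sample_history():
    """Constructed profile: five routine US grocery purchases, one per day."""
    start = datetime(2004, 10, 1, 12, 0)
    amounts = [30.0, 40.0, 35.0, 45.0, 50.0]
    return [Txn("5100000000000001", a, "US", "5411", start + timedelta(days=i))
            for i, a in enumerate(amounts)]


def demo(threshold=200):
    """Three constructed transactions scored against the same profile."""
    history = sample_history()
    start = history[0].ts
    cases = {
        "venice_dinner": Txn("5100000000000001", 45.0, "IT", "5812", start + timedelta(days=5, hours=3)),
        "large_online": Txn("5100000000000001", 500.0, "US", "5967", start + timedelta(days=6)),
        "routine": Txn("5100000000000001", 42.0, "US", "5411", start + timedelta(days=6)),
    }
    return {name: decide(history, txn, threshold) for name, txn in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Raising the threshold from 200 to 300 lets the Venice dinner through while still holding the large online order, which is the trade-off the institution tunes: a lower threshold catches more fraud at the cost of more legitimate cardholders being contacted.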

Page 39

Citibank Fraud Detection

www.fightidentitytheft.com/video/babe_magnet.mpeg, viewed October 30, 2004

(Click the thumbnail to play the commercial)

Page 40

RiskFinder and Kathleen’s Story

Kathleen’s daughter goes camping in Venice.

Page 41

Case Study

Identity Theft Fraud

Page 42

Identity Theft: The neoteric crime of the IT era [24]

Identity theft is the illicit use of another individual’s identifying facts to perpetrate an economic fraud, such as:
• Opening a bank account
• Obtaining bank loans or credit
• Applying for bank or department store cards
• Or leasing cars or apartments
in the name of another. [24]

Page 43

Citibank Identity Theft

www.fightidentitytheft.com/video/flaps_mpls_te_mpg.mpeg, viewed October 30, 2004

(Click the thumbnail to play the commercial)

Page 44

Identity Theft: The neoteric crime of the IT era

• Number one source of consumer complaints to the Federal Trade Commission (FTC) in 2001 (and thereafter) [25]
• Credit card fraud was the most common form of identity theft in 2002 according to the FTC [25]

Page 45

Identity Theft: The neoteric crime of the IT era

[Figure from source 26; its content did not survive extraction]

Page 46

Identity Theft: The neoteric crime of the IT era

“Compared to equally profitable crimes involving drug or gun trafficking, the sentencing for identity fraud is much lighter—and these folks are tough to catch.”

- Bruce Townsend
Special Agent in charge of Financial Crimes Division
Secret Service [27]

Page 47

Identity Theft: The neoteric crime of the IT era

• In 52% of cases in which the victim discovered how the information was stolen, the thief turned out to be a family member, neighbor, or coworker. [28]
• Low-Tech sources include: paper records of personal information kept by numerous sources.

Page 48

Identity Theft: The neoteric crime of the IT era

[Figure from source 29; its content did not survive extraction]

Page 49

Identity Theft: Causes

• Phishing: “Stealing corporations’ identities as a means to impersonating individuals” [30]
• Greater number of pieces of personal information = greater chance of Identity Theft

Page 50

Identity Theft:

• To counteract phishing, corporations are using software to search for sites breaching their copyrights, then go directly to the company hosting the bogus site to get it shut down. [30]
• 5% of consumers respond to phishing according to the Anti-Phishing Working Group. [31]

Page 51

Identity Theft: High Tech Causes

• Hacking merchant sites, home computers and any place where personal information is stored.
• Servers that aren’t set up correctly can be compromised by techniques like “end-mapping,” which “pings” servers systematically until it finds an open port to exploit.
• Trojan horse content can slip by ordinary packet filter devices deployed by firewalls (spyware, keyloggers). [32]

Page 52

Identity Theft: High Tech Causes

• Commandeering other applications.
• Eavesdropping: software that reports a person’s keystrokes to the hacker, who uses them to pick up passwords and gain entry. [32]

Page 53

Identity Theft: High Tech Causes

Case Study: “Operation Firewall”
• 28 Identity Theft suspects arrested
• 1.7 million stolen credit card numbers
• Investigation instigated by MasterCard’s senior vice president of security risk services. [33]

Page 54

Identity Theft: Low Tech Causes

• Security firms tend to stress physical security issues, which are easier to identify and remedy than human vulnerabilities.
• Financial institutions, in order to reduce the risk from within, must create and sustain an institutional culture that values and promotes critical thinking, high self-esteem and genuine loyalty to the institution. [34]

Page 55

Identity Theft: Actions to Combat

Legislative
• Identity Theft and Assumption Deterrence Act of 1998 [24]
• Privacy Act of 2001 [35]
• Consumer Privacy Protection Act, May 2002 [29]
• Identity Theft Prevention Act, Jan 2003 [29]
• SSN Misuse Prevention Act, Jan 2003 [29]
• Fair and Accurate Credit Transactions Act of 2003 [36]
• Anti-Phishing Act of 2004 [20]

Page 56

Identity Theft: Actions to Combat

Payment Industry: calling for implementation of technology that definitively corresponds the user to the instrument. [27]

Page 57

Identity Theft: Actions to Combat

Identity Authentication Technologies
• Biometrics
  • Face recognition
  • Retina scans
  • Fingerprint authentication
  • Voice/speech verification
  • Handwriting analysis
• Genetic Engineering: analyzing DNA components of human fluids & cells. [25]

Page 58

Identity Theft: Actions to Combat

Use of Public Key Infrastructure (PKI)
• Digital signature
• Protects electronic records
• Inherent security hinges on who has access to the system. [25]

Page 59

Identity Theft: Actions to Combat

System embedded security controls to enhance the privacy and confidentiality of information processed across Internet architectures
• Data encryption
• Digital signatures
• Secure socket layers (SSL)
• Cryptographic protocols such as hypertext transfer protocol over SSL (HTTPS) [37]

Page 60

Identity Theft: Actions to Combat

Smart Cards
• Contain embedded CPU (electronic chip).
• 32-kilobyte mini-processors are capable of generating 72 quadrillion encryption keys.
• Can be programmed to perform tasks & store information.
• Practically impossible to fraudulently decode. [9]

Page 61

Identity Theft: Actions to Combat

Personnel & Procedures
• Background checks
• Limit access through password protection
• Leave an audit trail of who got into files & when
• Shred information being thrown away
• Train staff by creating a security handbook [25]

Page 62

Identity Theft: Actions to Combat

Designate a Privacy Officer – could be the Information Manager

“Privacy and security do not work if you do not have top-level buy-in. Information managers might very well be the key people within the organization to help accomplish this.”

- Gary Clayton
Founder & Chairman
The Privacy Council [25]

Page 63

Identity Theft: Actions to Combat

Use of a layered approach to security
• Perimeter
• App-layer protection
• Intrusion detection
• Monitoring tools

Strategic rather than silver-bullet approach [32]

Page 64

Issuers Clearinghouse

• Joint MasterCard and Visa service.
• To detect fraudulent and high-risk credit card applications.
• Screens, validates & tracks:
  • Addresses
  • Phone numbers
  • Social Security numbers [38]

Page 65

NameProtect®

• Monitors Internet 24x7
• Watches all gTLD and ccTLDs, new registrations, and activations.
• “Identifies Web sites, emails, chat rooms and other electronic venues where personal credit card data is published, sold or traded.” [39]

Page 66

Identity Theft

“Rather than posing security as a hurdle to overcome, companies should view their customers’ privacy needs as an opportunity through which they can differentiate themselves as trust leaders, increase their financial value and even energize entire economies.”

- Glover T. Ferguson
Chief Scientist
Accenture [26]

Page 67

Best Practices

Page 68

Best Practices: All Industries [40]

Protect your employees and customers from ID theft
• Ask only for necessary information
• Don’t use SSNs as identifiers
• Regularly check backgrounds of employees who have access to identifying information
• Define a privacy policy and communicate it to your customers and employees

Page 69

Best Practices: All Industries [40]

Protect sensitive paper information like payment card numbers, social security numbers, and customer identifying data
• Secure records in a vault or under lock-and-key
• Restrict access only to persons with a legitimate need to know
• Shred records when they are no longer needed
• Immediately report security breaches to affected customers and law enforcement

Page 70

Best Practices: All Industries [41]

• Conduct a risk assessment for impact from loss or disclosure of business data
• Design record retention policies and physical access controls based on the assessed risks from loss or disclosure.

Area of Concern        | Low  | Medium   | High
Business Disruption    | -    | Moderate | Major
Legal impact           | -    | Minor    | Major
Financial Impact       | -    | Minor    | Major
Health & Safety Impact | -    | -        | Threatened
Effort to Restore      | Easy | Moderate | Significant

Page 71

Best Practices: IT Functions [42, 43]

• Use firewalls, anti-virus, anti-spyware, and access control software to protect networks and computers
• Keep operating system and security software up-to-date with latest security patches from vendors
• Define policies for strong passwords and change them frequently
• Monitor for signs of network and web server attack
• Monitor security websites for breaking information about new threats and best practices (e.g., CERT® Coordination Center)

Page 72

Best Practices: IT Functions [43]

Protect sensitive electronic info like customer identifying data and account numbers
• Segregate sensitive data on separate servers from web servers
• Restrict data access rights to only those persons and systems with legitimate need to know
• Consider encrypting sensitive information housed in databases

Page 73

Best Practices: Consumers [44]

• Only give payment account numbers or personal identification information to companies you have contacted
• Challenge businesses that ask for it about why they need to know
• Avoid saying information over the phone when others may hear
• Do not carry unnecessary payment cards or identification papers (e.g., social security card, birth certificate) in your wallet or purse
• Do not use SSN for your driver’s license or other identification cards

Page 74

Best Practices: Consumers [44]

• Keep track of receipts for payment card transactions
• Shred receipts and account statements having full account numbers
• Cancel unused credit card accounts*
• Keep a list of all of your payment card account numbers along with their issuers’ names and contact numbers so you can cancel them quickly if lost or stolen

* But be aware of potential credit score impact

Page 75

Best Practices: Consumers [45]

• Use firewall, anti-virus, and anti-spyware software
• Keep your PC operating system and security software up-to-date with latest security patches from your vendors
• Be suspicious of emails and websites requesting private information
• Verify URLs and make sure websites are secure before entering account numbers and personal identifying information
• Be careful locating sites through search engines
• Call the company if you are unsure of the validity of a site
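"Verify URLs" and "be suspicious of emails requesting private information" are the two consumer practices above that a mail gateway or awareness tool can automate. The Python below is an added example of that check, not software from the presentation or from any of the companies named in it: it pulls every link out of an HTML message and reports the warning signs behind the phishing screenshot on slide 36, namely link text that displays one host while the href goes to another, a non-HTTPS link, and a host that is not on a verified list but contains a trusted brand name. The `TRUSTED_HOSTS` allow-list and the `SAMPLE_EMAIL` message are constructed for the example (`203.0.113.0/24` is a documentation address range, not a real site).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Added example. TRUSTED_HOSTS is a constructed allow-list of sites verified out of
# band; it stands in for "the company's real site" and is not from the presentation.
TRUSTED_HOSTS = {"www.citibank.com", "www.mastercard.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from the anchors in an HTML message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Hostname of a URL; bare 'www.example.com/path' text is treated as a URL too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def check_link(href: str, text: str, trusted=TRUSTED_HOSTS) -> list:
    """Return the reasons a link should not be trusted; an empty list means it checks out."""
    problems = []
    scheme = urlparse(href).scheme.lower()
    host = host_of(href)
    if scheme != "https":
        problems.append("not an https link")
    # Link text that looks like a URL must name the same host the link really goes to.
    if text.startswith(("http://", "https://", "www.")) and host_of(text) != host:
        problems.append(f"text shows {host_of(text)} but the link goes to {host}")
    if host not in trusted:
        problems.append(f"host {host} is not a verified site")
        for t in trusted:
            brand = t.split(".")[-2]             # e.g. 'citibank' from 'www.citibank.com'
            if brand in host:
                problems.append(f"host {host} imitates {t}")
    return problems


def analyse_message(html: str, trusted=TRUSTED_HOSTS) -> dict:
    """Map each href in the message to its list of problems."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: check_link(href, text, trusted) for href, text in parser.links}


# Constructed sample message: one genuine link, one lookalike host behind misleading
# link text, and one raw IP address in the 203.0.113.0/24 documentation range.
SAMPLE_EMAIL = """
<p>Your account needs attention.</p>
<a href="https://www.citibank.com/account">https://www.citibank.com/account</a>
<a href="http://citibank.verify-login.example.net/session">https://www.citibank.com/verify</a>
<a href="http://203.0.113.5/citi/login">Confirm your details</a>
"""

if __name__ == "__main__":
    for href, problems in analyse_message(SAMPLE_EMAIL).items():
        print(href, "->", problems or "ok")
```

The "text shows X but the link goes to Y" finding is the one users cannot see without hovering, which is why slide 75 pairs "verify URLs" with "call the company if you are unsure": the visible text is attacker-controlled, the destination is what matters.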

76

Best Practices: Merchants [46]

Card Present

Check that the embossing extends into the hologram
Check the hologram and indent printing
Compare the signature on the card and sales draft
Check that the magnetic strip appears authentic
Call for a “Code 10” authorization if something doesn’t feel right

77

Best Practices: Merchants [21]

Card not Present

Use address verification systems to check the account holder’s billing address
Implement SecureCode and Verified by Visa services
Include card verification values/codes in authorization messages (but do not store them in your database)
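The two data-handling rules the deck states, the slide-72 advice to segregate, restrict and encrypt stored account data and the rule just above to send card verification values in the authorization message but never store them, come down to one design question for a merchant: which fields leave the server in the authorization request, and which fields are allowed into the order database. The following example is added here and is not code from the presentation, MasterCard or any processor; the key, the order, the test card number 5555 5555 5555 4444 and the issuer response are constructed, and the field names are assumptions. It shows a full PAN and CVC going into the outbound request while the persisted record keeps only a masked PAN, a keyed lookup token and the AVS/CVC results.

```python
import hashlib
import hmac
import json
import re

# Hypothetical key for the PAN lookup token. In a real deployment it would be held in an
# HSM or secrets manager, away from the order database; the value here is constructed.
TOKEN_KEY = b"constructed-demo-key-not-for-production"

# Fields that must never appear in a record written to the merchant database.
FORBIDDEN_AT_REST = {"pan", "cvc", "track_data", "pin"}

# Constructed sample order and card; 5555 5555 5555 4444 is a published test number.
SAMPLE_ORDER = {
    "order_id": "ORD-1001",
    "amount": "129.95",
    "currency": "USD",
    "billing": {"street": "12 Example St", "postal_code": "63101"},
}
SAMPLE_CARD = {"pan": "5555 5555 5555 4444", "expiry": "1205", "cvc": "123"}


def _digits(pan: str) -> str:
    return re.sub(r"\D", "", pan)


def mask_pan(pan: str) -> str:
    """Keep the first six digits (issuer identifier) and the last four; mask the rest."""
    d = _digits(pan)
    if not 13 <= len(d) <= 19:
        raise ValueError("PAN length out of range")
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


def pan_token(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed hash of the PAN: lets a merchant recognise a returning card (for a negative
    or positive list, for example) without holding the PAN itself."""
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()


def build_auth_request(order: dict, card: dict) -> dict:
    """Authorization message for the acquirer. The CVC and billing address travel here,
    once, so the issuer can check them; this message is sent, not stored."""
    return {
        "merchant_order_id": order["order_id"],
        "amount": order["amount"],
        "currency": order["currency"],
        "pan": _digits(card["pan"]),
        "expiry": card["expiry"],
        "cvc": card["cvc"],
        "avs_street": order["billing"]["street"],
        "avs_postal_code": order["billing"]["postal_code"],
    }


def order_record(order: dict, card: dict, auth_response: dict) -> dict:
    """Build the record that is safe to persist: masked PAN, lookup token and the
    issuer's AVS/CVC results, but never the CVC or the full PAN."""
    record = {
        "order_id": order["order_id"],
        "amount": order["amount"],
        "currency": order["currency"],
        "pan_masked": mask_pan(card["pan"]),
        "pan_token": pan_token(card["pan"]),
        "expiry": card["expiry"],
        "auth_code": auth_response.get("auth_code"),
        "avs_match": auth_response.get("avs_match"),
        "cvc_match": auth_response.get("cvc_match"),
    }
    leaked = FORBIDDEN_AT_REST & set(record)
    if leaked:
        raise RuntimeError(f"refusing to persist sensitive fields: {sorted(leaked)}")
    return record


def record_is_clean(record: dict, card: dict) -> bool:
    """Last-line check before a database write: no forbidden keys, and the full PAN
    does not appear anywhere in the serialised record."""
    blob = json.dumps(record)
    return not (FORBIDDEN_AT_REST & set(record)) and _digits(card["pan"]) not in blob


if __name__ == "__main__":
    request = build_auth_request(SAMPLE_ORDER, SAMPLE_CARD)   # goes to the acquirer
    # Constructed issuer response standing in for the real authorization reply.
    response = {"auth_code": "A1B2C3", "avs_match": True, "cvc_match": True}
    record = order_record(SAMPLE_ORDER, SAMPLE_CARD, response)
    assert record_is_clean(record, SAMPLE_CARD)
    print(json.dumps(record, indent=2))
```

The token is a keyed hash rather than a plain hash because a PAN has too little entropy to survive an offline guess against an unkeyed digest; the key lives with the encryption keys, on the segregated tier the slide-72 advice describes, not beside the order table.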

78

Best Practices: Merchants [21]

Card not Present (Continued)

Require complete customer contact and payment information before completing an order
Process transactions in real time: keep the customer on the website until the payment card is authorized and the sale is completed
Monitor international transactions

79

Best Practices: Merchants [21]

Card not Present (Continued)

Employ rules-based systems to screen and detect suspicious order activity
Maintain negative databases of fraudulent orders & offenders, and positive databases of trusted returning customers
Adopt MasterCard’s Best Practices for eCommerce websites
Have a Site Data Protection audit done on your eCommerce website
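A rules-based screen of the kind slides 77 to 79 describe combines the merchant's own negative and positive databases with the signals the deck lists: AVS and CVC results from the authorization, complete contact details, international or mismatched shipping, and order value. This example is added here and is not the presentation's, MasterCard's or any vendor's code; the databases, orders, rule weights and thresholds are constructed, and the `Order` fields are assumptions. Cards are referenced by a keyed token, never by PAN, in line with the earlier storage rule.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed negative database: e-mails, card tokens and ship-to addresses seen on
# confirmed-fraud orders or chargebacks. A real list is fed from the merchant's history.
NEGATIVE_DB: Dict[str, set] = {
    "emails": {"refund.now@example.invalid"},
    "pan_tokens": {"tok-constructed-bad-01"},
    "ship_addresses": {"1 drop box lane"},
}
# Constructed positive database: returning customers with a clean history.
POSITIVE_DB: Dict[str, set] = {"emails": {"regular@example.invalid"}}

MERCHANT_COUNTRY = "US"
HIGH_VALUE_THRESHOLD = 500.0

# Rule weights and thresholds are hypothetical; a merchant tunes them from chargeback data.
WEIGHTS = {
    "incomplete contact information": 25,
    "AVS mismatch": 30,
    "CVC mismatch": 40,
    "billing and shipping country differ": 15,
    "international shipment": 15,
    "high value order": 10,
}
TRUSTED_CUSTOMER_CREDIT = 30
REVIEW_AT, REJECT_AT = 30, 60


@dataclass
class Order:
    order_id: str
    email: str
    phone: str
    amount: float
    billing_country: str
    ship_country: str
    ship_address: str
    pan_token: str       # keyed hash of the PAN, never the PAN itself
    avs_match: bool      # results returned in the authorization response
    cvc_match: bool


def negative_hit(o: Order) -> bool:
    """Any match against the negative database rejects the order outright."""
    return (o.email.lower() in NEGATIVE_DB["emails"]
            or o.pan_token in NEGATIVE_DB["pan_tokens"]
            or o.ship_address.strip().lower() in NEGATIVE_DB["ship_addresses"])


def screen_order(o: Order) -> Tuple[str, List[str]]:
    """Return ("accept" | "review" | "reject", reasons) for one card-not-present order."""
    if negative_hit(o):
        return "reject", ["negative database match"]

    reasons: List[str] = []
    if not o.email.strip() or not o.phone.strip():
        reasons.append("incomplete contact information")
    if not o.avs_match:
        reasons.append("AVS mismatch")
    if not o.cvc_match:
        reasons.append("CVC mismatch")
    if o.ship_country != o.billing_country:
        reasons.append("billing and shipping country differ")
    if o.ship_country != MERCHANT_COUNTRY:
        reasons.append("international shipment")
    if o.amount >= HIGH_VALUE_THRESHOLD:
        reasons.append("high value order")

    score = sum(WEIGHTS[r] for r in reasons)
    if o.email.lower() in POSITIVE_DB["emails"]:
        score -= TRUSTED_CUSTOMER_CREDIT
        reasons.append("trusted returning customer (credit)")

    if score >= REJECT_AT:
        return "reject", reasons
    # A CVC mismatch is never auto-accepted, however trusted the customer.
    if score >= REVIEW_AT or not o.cvc_match:
        return "review", reasons
    return "accept", reasons


def sample_orders() -> List[Order]:
    """Constructed orders covering each decision path."""
    base = dict(phone="+1 555 0100", billing_country="US", ship_country="US",
                ship_address="12 Example St", avs_match=True, cvc_match=True)
    return [
        Order("A", "regular@example.invalid", amount=80.0, pan_token="tok-01", **base),
        Order("B", "refund.now@example.invalid", amount=80.0, pan_token="tok-02", **base),
        Order("C", "new@example.invalid", amount=900.0, pan_token="tok-03",
              **{**base, "ship_country": "CA", "avs_match": False}),
        Order("D", "new@example.invalid", amount=120.0, pan_token="tok-04",
              **{**base, "avs_match": False}),
        Order("E", "regular@example.invalid", amount=60.0, pan_token="tok-05",
              **{**base, "cvc_match": False}),
    ]


if __name__ == "__main__":
    for o in sample_orders():
        decision, why = screen_order(o)
        print(o.order_id, decision, "; ".join(why))
```

The positive list only lowers a score; it never overrides a hard signal such as a CVC mismatch, because a trusted customer's card is exactly what a thief who has captured it would present.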

80

Best Practices: Acquirers & Merchant Processors

Merchant Acquirers & Processors

Provide security features like Address and Card Verification services to merchants
Monitor merchant deposit velocity for unexpected increases in deposits
Check & report merchant’s termination history

81

Best Practices: Issuers & Card Processors

Card Issuers & Processors

Monitor cardholder purchase and cash velocity for drastic changes
Use behavioral models/neural network software to detect fundamental changes in cardholders’ behaviors
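The velocity monitoring recommended to acquirers (merchant deposits, slide 80) and to issuers (cardholder purchase and cash velocity, slide 81) is the same computation over different entities: aggregate an entity's activity per day and compare the latest day against that entity's own recent baseline. This example is added here and is not code from the presentation, MasterCard or any issuer or acquirer system; the eight-day history, the entity names and the alert thresholds are constructed, and the `Txn` fields are assumptions. It also handles the zero-baseline case, a card that has never taken a cash advance and suddenly does.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from statistics import mean, pstdev
from typing import Dict, List, Tuple


@dataclass
class Txn:
    entity: str        # merchant id (acquirer view) or card token (issuer view)
    kind: str          # "deposit", "purchase" or "cash"
    ts: datetime
    amount: float


def daily_totals(txns: List[Txn]) -> Dict[Tuple[str, str], Dict[date, float]]:
    """Sum amounts per (entity, kind) per calendar day."""
    totals: Dict[Tuple[str, str], Dict[date, float]] = defaultdict(lambda: defaultdict(float))
    for t in txns:
        totals[(t.entity, t.kind)][t.ts.date()] += t.amount
    return totals


def velocity_alerts(txns: List[Txn], baseline_days: int = 7,
                    sigma: float = 3.0, min_ratio: float = 2.0) -> Dict[Tuple[str, str], dict]:
    """Compare each entity's most recent day against its own preceding baseline.

    An alert needs both tests: the latest day must exceed the baseline mean plus `sigma`
    standard deviations AND `min_ratio` times the mean, so a steady entity with a tiny
    variance does not alert on a small uptick. A zero baseline with any activity alerts.
    """
    alerts: Dict[Tuple[str, str], dict] = {}
    for key, per_day in daily_totals(txns).items():
        days = sorted(per_day)
        if len(days) < baseline_days + 1:
            continue                                  # not enough history to judge
        baseline = [per_day[d] for d in days[-baseline_days - 1:-1]]
        current = per_day[days[-1]]
        mu, sd = mean(baseline), pstdev(baseline)
        if current > mu + sigma * sd and current > min_ratio * mu:
            alerts[key] = {
                "day": days[-1],
                "current": current,
                "baseline_mean": round(mu, 2),
                "ratio": round(current / mu, 2) if mu else float("inf"),
            }
    return alerts


def build_sample() -> List[Txn]:
    """Constructed eight-day history: one merchant and one card jump on the last day,
    a second merchant stays steady, and the card takes its first-ever cash advance."""
    start = datetime(2004, 11, 1)
    series = {
        ("merchant-001", "deposit"):  [1000, 1100, 950, 1050, 1000, 980, 1020, 9000],
        ("merchant-002", "deposit"):  [1000, 1100, 950, 1050, 1000, 980, 1020, 1010],
        ("card-tok-01", "purchase"):  [50, 40, 60, 55, 45, 50, 48, 1200],
        ("card-tok-01", "cash"):      [0, 0, 0, 0, 0, 0, 0, 300],
    }
    rows: List[Txn] = []
    for (entity, kind), amounts in series.items():
        for i, amt in enumerate(amounts):
            rows.append(Txn(entity, kind, start + timedelta(days=i, hours=9), float(amt)))
    return rows


if __name__ == "__main__":
    for key, info in velocity_alerts(build_sample()).items():
        print(key, info)
```

Per-entity baselines matter more than a global threshold: a 9,000 deposit day is routine for a large merchant and a red flag for one that clears 1,000, which is why the comparison is against the entity's own history rather than a fixed number.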

82

Best Practices: Payment Companies

Payment Companies

Create, refresh & enforce standards
Monitor to detect shifts in types and volumes of fraudulent activity
Conduct research to innovate new fraud detection and prevention mechanisms

83

Questions & Answers

84

References

85

References

1. Fisher, Bill. Pers. Comm. VP Processing Strategy, MasterCard International. Interviewed by telephone by Mike Cornish, October 26, 2004.

2. “MasterCard Corporate Fact Sheet,” www.mastercardinternational.com/docs/corporate_fact_sheet_0804.pdf, viewed October 18, 2004.

3. “Global Technology and Operations,” Fact Sheet. www.mastercardinternational.com/newsroom/gto.html, viewed October 18, 2004.

4. “Total Cost of Ownership Analysis.” Internal document: PowerPoint presentation. Technology & Architecture Services, MasterCard International, February 26, 2003, page 4.

5. “Application Portfolio: Security & Risk Applications.” Internal document: Word document. MasterCard International, March 27, 2003.

6. “2003 GTO & Division Level Financial Data.” Internal document: Excel sheet. GTO Division, MasterCard International, January 3, 2003.

86

References

7. MasterCard International SEC Form 10-K, March 4, 2004, www.sec.gov/Archives/edgar/data/1141391/000095012304002820/y94488e10vk.htm, pages 6, 22-24, viewed October 19, 2004.

8. MasterCard International SEC Form 8-K, February 3, 2004, www.sec.gov/Archives/edgar/data/1141391/000095012304001154/y93767e8vk.txt, page 3, viewed October 18, 2004.

9. Bhatla, TP, Prabhu, V, and Dua, A. “Understanding Credit Card Frauds.” Card Business Review #2003-01, June 2003, pp 1-15.

10. “Taking a Bite out of Credit Card Fraud,” Celent Communications, www.celent.com/PressReleases/20030121/CreditCardFraud.htm, viewed October 28, 2004.

11. “Identity Theft: Protecting the Customer – Protecting the Institution,” Celent Communications, www.celent.com/PressReleases/20020731(2)/IDTheft.htm, viewed October 28, 2004.

12. “Online Payment Fraud: The Grinch who stole Christmas?” Celent Communications, www.celent.com/PressReleases/20001218/OnlineFraud.htm, viewed October 28, 2004.

87

References

13. Valentine, Lisa. “The Fraudsters’ Playground.” American Bankers Association. ABA Banking Journal, 95(8), Aug. 2003, p. 39.

14. “Security & Risk Mission & Overview.” Document, MasterCard International, February 24, 2003.

15. “MasterCard SecureCode for Online Merchants.” Online security document for merchants. http://www.mastercardmerchant.com/docs/securecode/Merchant_Brochure.pdf, viewed October 20, 2004.

16. Bennett, RA. “I didn’t do it.” USBanker 111(12), December 2001, p. 48.

17. “Online fraudsters take $1.6B out of 2003 eCommerce.” CyberSource, www.retailindustry.about.com/cs/lp_internet/a/bl_cs111803.htm, viewed October 20, 2004.

18. US Credit Card Fraud Statistics 2000-2007. Celent Communications, www.epaynews.com/statistics/fraud.html, viewed October 18, 2004.

88

References

19. Merchant Risk Council Press Release, www.merchantriskcouncil.org/press.php?p_press_id+13, February 3, 2003, viewed October 21, 2004.

20. “New Leahy Bill Targets INTERNET “PHISHING” That Steals $2 b./yr. from Consumers.” July 2004. www.leahy.senate.gov/press/200404/070904c.html.

21. Micci-Barreca, D. “Unawed by Fraud.” Security Management 47(9), p. 75.

22. “MasterCard SecureCode Case Study: eTronics.” 2003. http://www.mastercardmerchant.com/docs/SC_Case_Study-eTronics.pdf, viewed October 21, 2004.

23. MasterCard RiskFinder. “Solutions.” http://www.fairisaac.com/cgi-bin/MsmGo.exe?grab_id=13&page_id=655872&query=RiskFinder&hiword=RiskFinder+, viewed October 21, 2004.

89

References

24. Saunders, Kurt M., and Zucker, Bruce, “Counteracting Identity Fraud in the Information Age: The Identity Theft and Assumption of Deterrence Act,” International Review of Law, Computers & Technology, August 1999, 183-192.

25. Groves, Shanna, “Protecting Your Identity,” Information Management Journal, May/June 2002, 27-31.

26. Myron, David, “Stolen Names, Big Numbers,” American Demographics, September 2004, 36-38.

27. Bielski, Lauren, “Identity Theft,” ABA Banking Journal, January 2001, 27-30.

28. Diller-Haas, Amy, “Identity Theft: It Can Happen to You,” The CPA Journal, April 2004, 42-44.

29. Riordan, Diane A., and Riordan, Michael P., “Who Has Your Numbers?” Strategic Finance, April 2003, 22-26.

90

References

30. O’Sullivan, Orla, “Gone ‘Phishing’,” ABA Banking Journal, November 2003, 7-8.

31. Bauerle, James F., “Pattern Recognition Software and Dramas of Deception: New Challenges in Electronic Financial Services,” The RMA Journal, October 2004, 2-5.

32. Bielski, Lauren, “Striving to Create a Safe Haven Online,” ABA Banking Journal, May 2003, 53-59.

33. Krebs, Brian, “28 Identity Theft Suspects Arrested in Transatlantic Sting,” The Washington Post, October 29, 2004.

34. Bauerle, James F., “Golden Eye Redux,” The Banking Law Journal, March 2003, 1-15.

35. Heller, Jason, “New Senate Privacy Bill Addresses Personally Identifiable Information,” Intellectual Property & Technology Law Journal, September 2001, 31-32.

36. http://frwebgate.access.gpo.gov/cgi-bin/useftp.cgi?IPaddress=162.140.64.21&filename=h2622eas.pdf&directory=/diskb/wais/data/108_cong_bills, viewed October 25, 2004.

91

References

37. Phillips, John T., “Privacy vs. Cybersecurity,” Information Management Journal, May/June 2002, 46-50.

38. https://www.merchantconnect.com/CWRWeb/glossary.do?glossaryLetter=i, viewed October 30, 2004.

39. http://www.nameprotect.com/html/services/id_theft/credit_card.html, viewed October 30, 2004.

40. “How can I protect my customers from identity theft?” Colorado Attorney General: ID Theft Prevention & Information, www.ago.state.co.us/idtheft/clients.htm, viewed November 3, 2003.

41. “Network Security Policy: Best Practices White Paper,” Cisco Systems, www.cisco.com/warp/public/126/secpol.html, page 2, viewed November 2, 2004.

42. CERT® Security Improvement Modules, CERT® Coordination Center, www.cert.org/security-improvement, viewed November 2, 2004.

43. “Webserver Security Best Practices,” PC Magazine, www.pcmag.com/article2/0,4149,11525,00.asp, viewed November 2, 2004.

92

References

44. “Tips for Preventing Credit Card Fraud,” MasterCard International, www.mastercardinternational.com/newsroom/security_risk.html, viewed October 22, 2004.

45. “Best Practices for Preventing Online Identity Theft,” Public Safety and Emergency Preparedness Canada, www.ocipep-bpiepc.gc.ca/opsprods/info_notes/IN04-002_e.asp, viewed November 2, 2004.

46. “Preventing Fraud: Fighting Fraud is a Shared Responsibility,” MasterCard International, www.mastercardmerchant.com/preventing_fraud, viewed October 28, 2004.