Fraud: Who has the keys to your financial back door? Chris Funk, Vice President, Treasury Product Consultant. NASC Annual Conference, March 14th, 2014. © 2010 Wells Fargo Bank, N.A. All rights reserved. Member FDIC

Dec 23, 2015


Gladys Matthews
Transcript

Fraud: Who has the keys to your financial back door? Chris Funk

Vice President

Treasury Product Consultant

NASC Annual Conference

March 14th, 2014

© 2010 Wells Fargo Bank, N.A. All rights reserved. Member FDIC


© 2013 Wells Fargo Bank, N.A. All rights reserved. Member FDIC

Agenda

• Latest fraud trends
• Check fraud
• ACH fraud
• Online fraud
• Card fraud
• Mobile security


Latest fraud trends


Cybercrime continues its evolution

• 61% of organizations experienced attempted or actual payments fraud
• 27% of them report that the number of fraud incidents increased
• 16% report that the number decreased

Source: 2013 AFP Payments Fraud and Control Survey


Types of fraud

• 87% of affected organizations report that checks were targeted
• 29% of those affected report that corporate/commercial purchasing cards were targeted
• $20,300 typical loss due to payments fraud

Source: 2013 AFP Payments Fraud and Control Survey


Payment fraud trends

[Chart: Sources of Payment Fraud. Categories: Outside individual; Organized crime ring; Internal party; Third-party or outsourcer; Account takeover; Other; Lost or stolen laptop; Compromised mobile device. Values as extracted, in order: 0.8, 0.18, 0.1, 0.03, 0.05, 0.05, 0.01, 0.01]

1. 2013 AFP Payments Fraud and Control Study


Check fraud


Types of attempted or actual check fraud events

[Chart, 2012 data; axis from 0 to 0.75. Categories: Counterfeit checks (other than payroll) with your organization’s MICR line data; Payee name alteration on checks issued; Counterfeit checks with your name drawn on fake or another company’s account information; Dollar amount alteration on checks issued; Loss, theft or counterfeit in employee pay checks]

1. 2013 AFP Payments Fraud and Control Study


Check Fraud mitigation

• Payroll
– ACH Direct Deposit
– PayCard
• Vendor payments
– ACH
– Perfect Receivables®
• Business and travel expenses
– Commercial card
• Positive pay
• Maximum check
• Maximum check cashing amount


ACH fraud


Control procedures used to protect against ACH fraud

[Chart, 2012 data; axis from 0.00% to 100.00%. Categories: Other; Create separate account for electronic debits initiated by the third party (e.g.,…; Debit block on all consumer items with debit filter on commercial ACH debits; Block ACH debits on all accounts; Block all ACH debits except on a single account set up with ACH debit filter/ACH…; Reconcile accounts daily]

1. 2013 AFP Payments Fraud and Control Study


ACH services

• Perfect Receivables®
• ACH Debit Block
• ACH Fraud Filter
– Review service
– Stop service


Card fraud


Tools of the trade

• ATM Skimming
• Social Engineering
• Hacking
• Skimming


How do we know what’s happening?

• Data, data, and more data
• Visa and MasterCard alerts
• Auto email notifications
• Organized calls with other issuer fraud teams
• Industry risk conferences
• Partner calls


Top 10 MCC used for fraud

1) Telecommunication services
2) Grocery stores, supermarkets
3) Computer network/information services
4) Computer software stores
5) Service stations (pay at the pump)
6) Fast food restaurants
7) Miscellaneous and specialty retail stores
8) Discount stores
9) Drug stores, pharmacies
10) Department stores


Wells Fargo approach to risk management

• Fraud watch
– We are able to place a Fraud Watch on a card that is determined or confirmed to be at risk of fraud.
• Carefully monitor compromises
– Replace affected cards when necessary
• False-positive ratio – accounts reviewed in queues that are determined normal as compared to fraud
• Manage the risk
– FP Finder tool – know the impact before implementing a strategy


Card technology

• Visa and MasterCard liability shift 2015
• Chip and pin cards
• Card readers to your table
• More secure (n +1)


What are the options for card present fraud?

A Card Present Solution is a combination of encryption and tokenization technologies

• Secures the transaction with end to end encryption
• Removes card data from the merchant environment with tokenization
• Randomly-generated numbers that are used in place of Primary Account Numbers (PANs)

Card number: 3456789011121314

Tokenized Number: 0176219034751314


E2EE (End to End Encryption)

Combines end-to-end encryption and payment tokenization

Completely removes card data by replacing it with a token

Reduces PCI scope

Transfers risk to Processor

Works with Terminals

Works with Integrated Solutions

Works as a part of the payment transaction


What is a gateway?


A Payment Gateway is a piece of software that connects front-end systems (such as websites, online stores or POS credit card terminals) to a back-end credit card processing platform, which connects directly to card networks such as Visa, MasterCard, American Express and Discover.


How you can help

• Respond quickly to our communications
• Program design
– MCC templates
– Single transaction limits
– Appropriate credit limits
– International capability for cardholders who really need it
• Cardholder education
– Ensure that your cardholders are aware of our fraud strategies
– Responsibility to safeguard their accounts
– Decline procedures – call us anytime, day or night

Balancing risk with cardholder experience


Online fraud


Common fraudster techniques

• Social engineering
– Manipulating people into performing actions or divulging confidential information by impersonating a trustworthy entity in an electronic communication
• Malware
– MALicious softWARE installed on a computer without a user’s consent
– Records keystrokes and screen shots, redirects the browser, displays fake web pages and/or allows fraudsters to impersonate the customer in online transactions
• Combination of social engineering and malware
– Social engineering is used to trick a user in order to infect them with malware


STOP!

Succumbing to social engineering is one of our weakest links

When receiving an unsolicited communication (email, text, phone call) you should stop and ask yourself:
– Did I initiate the communication?
– Is the request of an urgent nature?
– Is the request for sensitive or confidential information?


Key party organization relies on most for hacking, phishing, and other corporate account takeovers

[Chart, 2012 data. Categories: Internal IT department; Manage within Treasury; Advice received from banks; Use external IT/security consultant. Values as extracted, in order: 58%, 23%, 10%, 6%, 3%]

1. 2013 AFP Payments Fraud and Control Study


Prevention

• Educate employees, raise awareness
• Institute dual control for executing all payment transactions and self administration
• Use a dedicated computer to conduct online banking activity
• Update antivirus programs
• Protect your network
• Institute transaction and daily limits
• Audit your users frequently


Detection

Monitor and reconcile accounts and transactions on a daily basis

Use notification/alert services


Response

Immediately call your customer service group if you notice anything out of the ordinary

Report online fraud attempts to: [email protected]


Online services

Sign up to receive text or e-mail notifications alerting you of electronic debits to your accounts

– Positive pay exceptions notifications

– Wire notifications – incoming/outgoing

– ACH Fraud Filter notifications

– Balance threshold notifications

Check out our CEO® demo for more details


Mobile security


Level set: mobile landscape

• Texting
– One-way alerts easiest
– Two-way information
– Two-way transactions
• Browser
– Device agnostic
– Build once
– Less robust user interface
• Apps
– Heavier investment
– Choose platforms
– More robust UI
– Camera/RDC
• Tablets
– Evolving
– More like full laptop experience
– Apps and browser
– Bigger real estate
• Voice
– Voice authentication
– Voice-controlled browsers

All should be complementary, especially with traditional online experience

All must be done securely


Going mobile

• Mobile devices set to become the dominant method for Internet access and computing

• Smartphones today are almost as powerful as desktops and laptops.

• Mobile devices have same vulnerabilities as desktops / laptops

• Mobile devices particularly susceptible to man-in-the-middle attacks that impersonate the user and steal money from accounts


Mobile challenges

• The same risks in the online space extend to mobile, and mobile brings some new risks too
– Mobile leverages the same breadth of existing risk controls that have withstood the test of time, customized for mobile
– We continue to monitor this space for evolving risks in preparation to react quickly when new threats appear
• Mobile brings even more unique challenges
– Rapidly changing technology landscape and customer behaviors
– Lack of industry best-practices or available vendor solutions
– Emerging risks not clearly known or defined


A look ahead: Future trends affecting banking

• Biometrics
– Voice recognition and voice authentication
– Biometric authentication: iris, facial, palm
• Device sizes and resolutions
• Touch interfaces and responsive design
• Apps
– How apps might be bundled
– Embedded security features in apps
• Range of mobile definitions and policies
– Laptops using Wi-Fi, tablets and smartphones
– BYOD policies


Mobile security and fraud – bank perspective

• Financial institutions employ multilayer security
– ID credentials and tokens
– Encrypted sessions
– Session tracking and transaction monitoring
– Other behind the scenes tracking
– Blocking known “holes” – browsers, devices
• Best practices
– Mobile design and development
  • No data stored on the device
– Processes between FIs and customers
  • Dual custody/control (separate users to initiate and approve high-risk payments and changes to user access)


Additional best practice security measures

• Educate your employees about mobile fraud and train them to protect their mobile banking information
• Download and install legitimate apps only
– Download iPhone app for CEO Mobile® service only from Apple iTunes App Store
– Download BlackBerry shortcut only from CEO Mobile sign on page
• Use passcodes to protect mobile devices and enable screen-lock features after inactivity
• Avoid connecting to unsecured wireless networks


Additional best practice security measures

• Install mobile malware protection
• Install anti-virus and file integrity software
• Keep smartphone software patches and upgrades up to date
• Be aware that jail-breaking or rooting increases a mobile device’s risks. Anytime an application or service runs in “unrestricted” or “system” level within an operating system, it allows any compromise to take full control of the device.
• Use the same precautions on a mobile device as you would use on a PC


Questions

TM-2415 8/10 © 2010 Wells Fargo Bank, N.A. All rights reserved. Member FDIC. For public use.