Fraud: Who has the keys to your financial back door?
Chris Funk, Vice President, Treasury Product Consultant
NASC Annual Conference, March 14th, 2014
Dec 23, 2015
© 2010 Wells Fargo Bank, N.A. All rights reserved. Member FDIC
Agenda
Latest fraud trends
Check fraud
ACH fraud
Online fraud
Card fraud
Mobile security
Latest fraud trends
Cybercrime continues its evolution
61% of organizations experienced attempted or actual payments fraud
27% of them report that the number of fraud incidents increased
16% report that the number decreased
Source: 2013 AFP Payments Fraud and Control Survey
Types of fraud
87% of affected organizations report that checks were targeted
29% of those affected report that corporate/commercial purchasing cards were targeted
$20,300 typical loss due to payments fraud
Source: 2013 AFP Payments Fraud and Control Survey
Payment fraud trends
Sources of payment fraud (2013 AFP Payments Fraud and Control Study; respondents could name more than one source):
– Outside individual: 80%
– Organized crime ring: 18%
– Internal party: 10%
– Third-party or outsourcer: 3%
– Account takeover: 5%
– Other: 5%
– Lost or stolen laptop: 1%
– Compromised mobile device: 1%
Check fraud
Types of attempted or actual check fraud events (2012; 2013 AFP Payments Fraud and Control Study). Categories shown on the slide's chart:
– Counterfeit checks (other than payroll) with your organization's MICR line data
– Payee name alteration on checks issued
– Counterfeit checks with your name drawn on fake or another company's account information
– Dollar amount alteration on checks issued
– Loss, theft or counterfeit in employee pay checks
Check fraud mitigation
Payroll
– ACH Direct Deposit
– PayCard
Vendor payments
– ACH
– Perfect Receivables®
Business and travel expenses
– Commercial card
Positive pay
Maximum check cashing amount
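Positive pay in code, as an added example that is not part of the original deck and not Wells Fargo's own system: the bank loads the customer's issue file and compares each presented check's number, amount and (for payee positive pay) payee against it; anything that does not match exactly becomes an exception the customer must decide on before the return deadline. The data classes, the normalization rule and the sample issue file and presented items are constructed for the example.

```python
"""Positive pay, as an added illustration: the bank compares every check
presented for payment against the issue file the customer uploaded, pays
exact matches, and sends everything else to the customer as an exception.
Sample data below is constructed for the example."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class IssuedCheck:
    number: int
    amount: Decimal
    payee: str


@dataclass(frozen=True)
class PresentedItem:
    number: int
    amount: Decimal
    payee: str  # payee as read from the presented item (payee positive pay)


def normalize_payee(name: str) -> str:
    """Case and whitespace differences are not fraud; compare a normalized form."""
    return " ".join(name.upper().split())


def positive_pay_exceptions(issued, presented):
    """Return [(check_number, reason)] for each presented item that does not
    match the issue file. Items not listed are paid without customer review."""
    by_number = {c.number: c for c in issued}
    already_paid = set()
    exceptions = []
    for item in presented:
        issue = by_number.get(item.number)
        if issue is None:
            # Check number never issued: a counterfeit printed with the
            # customer's MICR line data lands here.
            exceptions.append((item.number, "not on issue file"))
        elif item.number in already_paid:
            exceptions.append((item.number, "duplicate presentment"))
        elif item.amount != issue.amount:
            exceptions.append((item.number,
                               f"amount altered: issued {issue.amount}, presented {item.amount}"))
        elif normalize_payee(item.payee) != normalize_payee(issue.payee):
            exceptions.append((item.number,
                               f"payee altered: issued {issue.payee!r}, presented {item.payee!r}"))
        else:
            already_paid.add(item.number)
    return exceptions


# Constructed sample data: an issue file and one day's presented items.
ISSUED = [
    IssuedCheck(1001, Decimal("250.00"), "Acme Office Supply"),
    IssuedCheck(1002, Decimal("1200.00"), "Jane Doe"),
    IssuedCheck(1003, Decimal("75.50"), "City Water"),
]
PRESENTED = [
    PresentedItem(1001, Decimal("250.00"), "ACME OFFICE SUPPLY"),   # clean match
    PresentedItem(1002, Decimal("12000.00"), "Jane Doe"),           # amount altered
    PresentedItem(1003, Decimal("75.50"), "John Smith"),            # payee altered
    PresentedItem(1004, Decimal("980.00"), "Cash"),                 # counterfeit
    PresentedItem(1001, Decimal("250.00"), "Acme Office Supply"),   # duplicate
]


def run_demo():
    return positive_pay_exceptions(ISSUED, PRESENTED)


if __name__ == "__main__":
    for number, reason in run_demo():
        print(f"check {number}: {reason}")
```

The order of the checks matters: an unknown check number is reported as such even if its amount happens to match something, and a second presentment of an already paid item is caught before any field comparison, so a duplicate of a legitimate check is never silently paid twice.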
ACH fraud
Control procedures used to protect against ACH fraud (2012; 2013 AFP Payments Fraud and Control Study). Categories shown on the slide's chart:
– Reconcile accounts daily
– Block all ACH debits except on a single account set up with ACH debit filter/ACH…
– Block ACH debits on all accounts
– Debit block on all consumer items with debit filter on commercial ACH debits
– Create separate account for electronic debits initiated by the third party (e.g., …)
– Other
ACH services
Perfect Receivables®
ACH Debit Block
ACH Fraud Filter
– Review service
– Stop service
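The ACH Debit Block and ACH Fraud Filter services above, as an added example that is not code from the original deck or from Wells Fargo: each incoming ACH debit is matched against the account holder's list of authorized originator company IDs and per-item caps. The two filter modes mirror the review and stop services listed: in review mode an unmatched item is held for the customer to pay or return, in stop mode it is returned automatically. The originator IDs, trace numbers and amounts are constructed.

```python
"""ACH Fraud Filter, as an added illustration: incoming ACH debits are checked
against the account holder's list of authorized originators and per-item caps.
In review mode, unmatched items are held for a pay/return decision; in stop
mode they are returned automatically. Sample data is constructed."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Authorization:
    company_id: str       # originator's ACH company ID from the batch header
    max_amount: Decimal   # per-debit cap the account holder agreed to


@dataclass(frozen=True)
class AchDebit:
    trace: str            # trace number of the entry
    company_id: str
    company_name: str
    amount: Decimal


def filter_debits(debits, authorizations, mode="review"):
    """Return {trace: (decision, reason)}.
    decision is 'pay', 'hold' (review mode) or 'return' (stop mode)."""
    if mode not in ("review", "stop"):
        raise ValueError("mode must be 'review' or 'stop'")
    auth = {a.company_id: a for a in authorizations}
    decisions = {}
    for d in debits:
        a = auth.get(d.company_id)
        if a is None:
            # Matching on company ID, not the display name: a fraudster can put
            # any name in the batch header, the ID is what the ODFI assigned.
            reason = f"originator {d.company_id} ({d.company_name}) not authorized"
        elif d.amount > a.max_amount:
            reason = f"amount {d.amount} exceeds cap {a.max_amount} for {d.company_id}"
        else:
            decisions[d.trace] = ("pay", "matches authorization")
            continue
        decisions[d.trace] = ("return" if mode == "stop" else "hold", reason)
    return decisions


def debit_block(debits):
    """ACH Debit Block: no debit posts to this account at all."""
    return {d.trace: ("return", "account is debit-blocked") for d in debits}


# Constructed sample data: two authorized originators and three incoming debits.
AUTHORIZATIONS = [
    Authorization("1234567890", Decimal("5000.00")),   # payroll service
    Authorization("9876543210", Decimal("600.00")),    # utility
]
DEBITS = [
    AchDebit("021000010000001", "1234567890", "PAYROLL SVC", Decimal("4800.00")),
    AchDebit("021000010000002", "9876543210", "UTILITY CO", Decimal("950.00")),
    AchDebit("021000010000003", "5555555555", "UNKNOWN LLC", Decimal("2499.00")),
]


def run_demo(mode="review"):
    return filter_debits(DEBITS, AUTHORIZATIONS, mode)


if __name__ == "__main__":
    for trace, (decision, reason) in run_demo("stop").items():
        print(trace, decision, reason)
```

The allowlist keyed on company ID is what makes the control stronger than daily reconciliation alone: reconciliation finds the unauthorized debit after it has posted, the filter stops it before the return window closes.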
Card fraud
Tools of the trade
ATM skimming
Social engineering
Hacking
Skimming
How do we know what’s happening?
Data, data, and more data
Visa and MasterCard alerts
Auto email notifications
Organized calls with other issuer fraud teams
Industry risk conferences
Partner calls
Top 10 MCC used for fraud
1) Telecommunication services
2) Grocery stores, supermarkets
3) Computer network /information services
4) Computer software stores
5) Service stations (pay at the pump)
6) Fast food restaurants
7) Miscellaneous and specialty retail stores
8) Discount stores
9) Drug stores, pharmacies
10) Department stores
Wells Fargo approach to risk management
Fraud watch
– We are able to place a Fraud Watch on a card that is determined or confirmed to be at risk of fraud.
Carefully monitor compromises
– Replace affected cards when necessary
False-positive ratio
– Accounts reviewed in queues that are determined normal as compared to fraud
Manage the risk
– FP Finder tool: know the impact before implementing a strategy
Card technology
Visa and MasterCard liability shift 2015
Chip and PIN cards
Card readers to your table
More secure (n +1)
What are the options for card present fraud?
A Card Present Solution is a combination of encryption and tokenization technologies:
– Secures the transaction with end to end encryption
– Removes card data from the merchant environment with tokenization
Tokenization: randomly-generated numbers that are used in place of Primary Account Numbers (PANs)
Card number: 3456789011121314
Tokenized number: 0176219034751314
E2EE (End to End Encryption)
– Combines end-to-end encryption and payment tokenization
– Completely removes card data by replacing it with a token
– Reduces PCI scope
– Transfers risk to Processor
– Works with Terminals
– Works with Integrated Solutions
– Works as a part of the payment transaction
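A token vault of the kind the slide describes, as an added example that is not code from the original deck or from any processor: the vault replaces a PAN with a random surrogate that keeps the last four digits (as the slide's 3456789011121314 to 0176219034751314 does), the merchant stores only the token, and nothing in the token is derived from the PAN, so a stolen token database yields no card numbers. The index key, the in-memory store and the choice to reject Luhn-valid tokens are assumptions made for this example, not requirements of the slide.

```python
"""Payment tokenization, as an added illustration: the processor's vault
replaces a PAN with a random surrogate that keeps the last four digits, so the
merchant can store and display the token while holding no card data. Nothing
in the token is derived from the PAN; only the vault can map it back.
The index key and sample PAN are constructed for the example."""
import hashlib
import hmac
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Processor-side vault. In production the token->PAN store is encrypted
    and HSM-backed; here it is an in-memory dict to keep the example runnable."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key
        self._token_to_pan = {}
        # HMAC(PAN) -> token, so a repeat PAN gets its existing token without
        # keeping a plaintext PAN index that could be searched.
        self._pan_index = {}

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not 13 <= len(pan) <= 19:
            raise ValueError("PAN must be 13 to 19 digits")
        key = self._index(pan)
        if key in self._pan_index:
            return self._pan_index[key]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]          # keep last four for receipts/display
            # Reject a token that collides with an existing one, equals the PAN,
            # or passes Luhn: a leaked token then cannot be mistaken for (or
            # accidentally routed as) a live card number. Design choice for
            # this example, not a rule of the scheme described on the slide.
            if token not in self._token_to_pan and token != pan and not luhn_valid(token):
                break
        self._token_to_pan[token] = pan
        self._pan_index[key] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the processor calls this, at authorization/settlement time."""
        return self._token_to_pan[token]


# Constructed sample: the merchant keeps only what tokenize() returns.
SAMPLE_PAN = "3456789011121314"   # illustrative number from the slide


def merchant_record(vault: TokenVault, pan: str) -> dict:
    """What lands in the merchant database: token and display digits, no PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": token[-4:]}


if __name__ == "__main__":
    print(merchant_record(TokenVault(secrets.token_bytes(32)), SAMPLE_PAN))
```

This is why tokenization reduces PCI scope while E2EE alone does not remove it: after E2EE the merchant still transported card data, whereas the token is not card data at all, and the only way back to the PAN is a lookup inside the processor's vault.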
What is a gateway?
A payment gateway is software that connects front-end systems (such as websites, online stores or POS credit card terminals) to a back-end credit card processing platform, which in turn connects directly to card networks such as Visa, MasterCard, American Express and Discover.
How you can help
Respond quickly to our communications
Program design
– MCC templates
– Single transaction limits
– Appropriate credit limits
– International capability for cardholders who really need it
Cardholder education
– Ensure that your cardholders are aware of our fraud strategies
– Responsibility to safeguard their accounts
– Decline procedures: call us anytime, day or night
Balancing risk with cardholder experience
Online fraud
Common fraudster techniques
Social engineering
– Manipulating people into performing actions or divulging confidential information by impersonating a trustworthy entity in an electronic communication
Malware
– MALicious softWARE installed on a computer without the user's consent
– Records keystrokes and screen shots, redirects the browser, displays fake web pages and/or allows fraudsters to impersonate the customer in online transactions
Combination of social engineering and malware
– Social engineering is used to trick a user into installing malware
STOP!
Succumbing to social engineering is one of our weakest links
When receiving an unsolicited communication (email, text, phone call) you should stop and ask yourself:
– Did I initiate the communication?
– Is the request of an urgent nature?
– Is the request for sensitive or confidential information?
Key party organization relies on most for hacking, phishing, and other corporate account takeovers (2012; 2013 AFP Payments Fraud and Control Study):
– Internal IT department: 58%
– Manage within Treasury: 23%
– Advice received from banks: 10%
– Use external IT/security consultant: 6%
– Remaining 3%: category label not recoverable from the slide
Prevention
Educate employees, raise awareness
Institute dual control for executing all payment transactions and self administration
Use a dedicated computer to conduct online banking activity
Update antivirus programs
Protect your network
Institute transaction and daily limits
Audit your users frequently
Detection
Monitor and reconcile accounts and transactions on a daily basis
Use notification/alert services
Response
Immediately call your customer service group if you notice anything out of the ordinary
Report online fraud attempts to: [email protected]
Online services
Sign up to receive text or e-mail notifications alerting you of electronic debits to your accounts
– Positive pay exceptions notifications
– Wire notifications – incoming/outgoing
– ACH Fraud Filter notifications
– Balance threshold notifications
Check out our CEO® demo for more details
Mobile security
Level set: mobile landscape
Texting
– One-way alerts easiest
– Two-way information
– Two-way transactions
Browser
– Device agnostic
– Build once
– Less robust user interface
Apps
– Heavier investment
– Choose platforms
– More robust UI
– Camera/RDC
Tablets
– Evolving
– More like full laptop experience
– Apps and browser
– Bigger real estate
Voice
– Voice authentication
– Voice-controlled browsers
All should be complementary, especially with the traditional online experience
All must be done securely
Going mobile
• Mobile devices are set to become the dominant method for Internet access and computing
• Smartphones today are almost as powerful as desktops and laptops
• Mobile devices have the same vulnerabilities as desktops and laptops
• Mobile devices are particularly susceptible to man-in-the-middle attacks that hijack the banking session to impersonate the user and steal money from accounts
Mobile challenges
The same risks in the online space extend to mobile, and mobile brings some new risks too
– Mobile leverages the same breadth of existing risk controls that have withstood the test of time, customized for mobile
– We continue to monitor this space for evolving risks in preparation to react quickly when new threats appear
Mobile brings even more unique challenges
– Rapidly changing technology landscape and customer behaviors
– Lack of industry best practices or available vendor solutions
– Emerging risks not clearly known or defined
A look ahead: future trends affecting banking
Biometrics
– Voice recognition and voice authentication
– Biometric authentication: iris, facial, palm
Device sizes and resolutions
Touch interfaces and responsive design
Apps
– How apps might be bundled
– Embedded security features in apps
Range of mobile definitions and policies
– Laptops using Wi-Fi, tablets and smartphones
– BYOD policies
Mobile security and fraud: bank perspective
Financial institutions employ multilayer security
– ID credentials and tokens
– Encrypted sessions
– Session tracking and transaction monitoring
– Other behind the scenes tracking
– Blocking known "holes": browsers, devices
Best practices
– Mobile design and development
  • No data stored on the device
– Processes between FIs and customers
  • Dual custody/control (separate users to initiate and approve high-risk payments and changes to user access)
Additional best practice security measures
Educate your employees about mobile fraud and train them to protect their mobile banking information
Download and install legitimate apps only
– Download the iPhone app for the CEO Mobile® service only from the Apple iTunes App Store
– Download the BlackBerry shortcut only from the CEO Mobile sign-on page
Use passcodes to protect mobile devices and enable screen-lock features after inactivity
Avoid connecting to unsecured wireless networks
Install mobile malware protection
Install anti-virus and file integrity software
Keep smartphone software patches and upgrades up to date
Be aware that jail-breaking or rooting increases a mobile device's risks. Any time an application or service runs at "unrestricted" or "system" level within an operating system, a compromise of that application or service gives the attacker full control of the device.
Use the same precautions on a mobile device as you would use on a PC
Questions
TM-2415 8/10 © 2010 Wells Fargo Bank, N.A. All rights reserved. Member FDIC. For public use.