Invasion of the Payments Snatchers: Strategies for ... · Invasion of the Payments Snatchers: Strategies for Fighting Payment Fraud Stephanie M Fuoco Director, Risk Payment Office

Invasion of the Payments Snatchers: Strategies for Fighting Payment Fraud

Stephanie M Fuoco Director, Risk Payment Office

Card Services at Fiserv

Richard Maier AVP/Loss Prevention | Auditing

MIDFLORIDA Credit Union

Agenda • Understanding Payment Fraud

– Current market fraud trends – EMV and fraud

• Strategies to Fight Back • MidFlorida Credit Union Testimonial

CURRENT MARKET FRAUD TRENDS

• Merchant Processor – 7th largest USA merchant processor – Estimated 1.2MM cards at risk – Social engineering (spear-phishing) – Revoked PCI compliance in response to this breach

• Other Processor Breach – An acquirer processor with a presence in bill payment

processing – Merchant processor has taken steps to control access

to its data – Result of poor controls over database – SQL injection – >250 merchants associated with breach – Exposure on confirmed fraud cases from 05/11 – 02/12,

control gap was existent from 2006

• Force Posted Transactions – Pirating POS

• social engineering attacks • spear-phished credentials • replacing legitimate acquiring bank with offshore financial

institutions – Force post transactions at high velocity over short

timeframes – Illicit funds arriving at acquiring bank are loaded to

prepaid cards for cash out at ATMs in Eastern Europe – Issuer is not at risk as the transaction has chargeback

rights. – Merchants must ensure proper employee training to

avoid this type of fraud

• Malware – Mobile malware on Android devices is growing at a 472% – Modified variant of ZeuS divert post-transaction verification

phone calls – Ice IX manipulates content and injects rogue forms into online

banking websites – Cridex, similar to ZeuS, bypasses security controls to send out

emails – Fraud as a Service – Fraud call centers, money mules,

proliferation of malware custom tailored to your spec

• Skimming – $1.5 million ATM skimming scheme targeted top

banks in New York, Chicago and Miami. – In 2011 debit fraud outpaced credit fraud. The reason

- ATM skimming. – In 2010, ADT Security Solutions estimated losses

$30K per ATM skimming incident – In 2011, this average jumped to nearly $50K per

incident – 2012 fraud losses are expected to increase ATMs are

usually the last to be upgraded

Number of Victims and Incidence Rate of Fraud, 2004-2011

Source: Javelin Strategy and Research, 2012 Identity Fraud Report: Social Media and Mobile forming the New Fraud Frontier, February 2012

How Information Was Obtained by the Perpetrator, 2011

Source: Javelin Strategy and Research, 2012 Identity Fraud Report: Social Media and Mobile forming the New Fraud Frontier, February 2012

Information Available on Social Network Profiles by Privacy Setting, 2011

Source: Javelin Strategy and Research, 2012 Identity Fraud Report: Social Media and Mobile forming the New Fraud Frontier, February 2012

Cases Resolved by Fraud Type, 2009-2011

Source: Javelin Strategy and Research, 2012 Identity Fraud Report: Social Media and Mobile forming the New Fraud Frontier, February 2012

EMV AND FRAUD

UK Post-EMV Card Fraud by Type

• EMV significantly reduced card-present lost/stolen/counterfeit card fraud in Eurozone’s predominantly offline environment

• EMV rollout in Europe begins in 2004 • 200% increase in mitigation of fraud losses in ATM channel • However… fraud migrated to Card-not-Present channels (online, phone)

Source: E.A.S.T. ATM Fraud Analysts Report 2011 Source: UK CARDS Association, Financial Fraud Action UK, 2010

0

50

100

150

200

250

300

350

2004 2005 2006 2007 2008 2009 2010

Euro

s (M

illio

ns)

UK Post EMV Card Fraud by Type

Card-not-present Counterfeit Lost/stolen Mail Non-receipt Card ID Theft

EMV Impact on European ATM Fraud Migration

Fraud Implications for U.S. • EMV significantly reduced card-present lost / stolen / counterfeit fraud in U.K. • Card payments in U.K. have historically been offline vs. U.S.’s almost 100% online approach • U.K. card fraud reached as high as $5 billion

before EMV – UK Cards Association reports that card fraud

fell to about $571 million in 2010 • U.S. stands to gain less from fraud reductions

– U.S. card fraud losses totaled $3.56 billion in 2010 – an average of $2.40 per card

– Plus $8-$12 average dispute processing expense per case

• Analysts warn that the U.S. may become the primary target for card-present fraud

• August 2011: Announced incentives, mandates and dates for U.S. acquirer

support of EMV and NFC contactless – Requires U.S. acquirer processors and service providers to support merchant

acceptance of chip transactions no later than April 1, 2013 – U.S. liability shift for counterfeit card-present POS transactions, effective October

1, 2015 (October 1, 2017 for automated fuel dispensers)

• September 2011: Announced extension to U.S. of existing liability shift

program active in many regions for Maestro ATM transactions – Effective April 19, 2013, EMV liability shift program for inter-regional Maestro ATM

transactions will include both U.S. and Asia-Pacific regions

STRATEGIES TO FIGHT FRAUD

R.E.A.C.T

Respond Effectively Against Criminal Transactions

Fiserv Risk Solutions Transaction

Case Management

Real-Time Decisioning

Transaction Blocking

Case Management

Compromised Card

Management

A comprehensive product base of essential risk products to help financial institutions implement and manage an effective card fraud risk program for debit, prepaid and credit portfolios

EnFactSM Case Management RuleManagerSM Transaction

Blocking CaseTrackerSM CardTrackerSM

Enhanced Services Enhanced Chargeback Full Service Call Center

Real Time (Decision)

Authorize/ Deny

Risk OfficeSM

(Human Decision)

EnFactSM (Case Management)

EnFact Real-Time

TranBlockerSM

RuleManagerSM

CardTrackerSM

CaseTrackerSM

Enhance Chargebacks

Full Service Call Center (Chargeback)

Risk Management Tools (Electronic Decision)

FISERV PERFORMANCE MIDFLORIDA CREDIT UNION

MIDFLORIDA Credit Union Headquartered in Lakeland, Fla., MIDFLORIDA serves more than 150,000 members with assets over $1.6 billion through a network of 32 branches, 40 ATMs, and through its website, midflorida.com. MIDFLORIDA Credit Union provides banking services to anyone who lives, works, worships or attends school within their service area of 14 Central Florida counties.

The Triangle Miami

Tampa

Orlando

No More Reissues No Data Breaches

No Fraud

I wish I may, I wish I might, Have this wish. I wish…

RISK OFFICE FRAUD TOOLS

• TranBlocker • EnFact Real Time Scoring • Compromised Card Tracker • CaseTracker

BENEFITS OF RISK OFFICE • Efficiently manage real time and

TranBlocker rules • Establish custom rules based on current

fraud trends • Assist with the investigation of the cause of

the fraud

MIDFLORIDA’s RISK OFFICE SUCCESS

RETURN ON INVESTMENT

IN SUMMARY

• Fraud Attacks are more rapid and targeted with higher chance of success

• EMV will take time and fraud already highest in Card Not Present Fraud (virtualization of payment channels)

• End-to-End Risk Management is yielding 50% better results than national average (people are the best tools to fight against malicious threats)

• We are saving millions every month in fraud avoidance with our end-to-end management of fraud

Average Basis Points Across Clients' Monthly Reported Fraud (Risk Office vs. Non-Risk Office)

• Clients not utilizing Fiserv Risk Solutions have an average of 6.98 basis points of fraud loss • The risk market average of fraud losses to total transaction dollars is 9.0* basis points • Clients utilizing the FULL Fiserv Risk Solution suite of products and services have an

average of 3.19 basis points • *Source Federal Register, 7/11/2011

8.75

3.44 3.41

9.0

0123456789

10

Aver

age

Bas

is P

oint

s of

R

epor

ted

Frau

d

Fraud Reported Month

Non RiskOffice

Risk Office

IndustryAverage

LogarithmicTrend Line ofNon RiskOffice

Stephanie Fuoco 407-513-5045 [email protected]