Cornish, Delpha, Erslon / MasterCard International Security and Risk Management

MASTERCARD INTERNATIONAL SECURITY AND RISK MANAGEMENT: CREDIT CARD FRAUD

Michael Cornish, Kathleen Delpha, Mary Erslon

Executive Summary

Credit card fraud is a growing concern of global proportions. Resourceful criminals are finding creative ways to capture private credit card holder account and identification information, and are using this information for fraudulent acquisitions of everything from personal care items to cars to home loans. Because of the universal reach of the Internet, criminals are easily able to perpetrate their crimes from anywhere in the world. The costs of credit card fraud reach nearly U.S. $2.5 billion annually. Internet fraud alone accounts for nearly 3% of Internet sales, a rate roughly 30 times higher than the credit card fraud rate in the "physical world." While consumers are generally held harmless for credit card fraud, the payment industry and merchants absorb the losses from fraudulent purchases, and its participants continually search for ways to detect and prevent them.

MasterCard International, the licensor and franchisor of the MasterCard branded family of payment products, is appropriately concerned about credit card fraud, since MasterCard research shows that the majority of its cardholders are alarmed about credit card fraud and the risk to their personal and financial information.

MasterCard and other credit card systems are susceptible to two general categories of threats for fraudulent activities: internal threats and external threats. Internal threats are those that evolve from collusion within the credit card system itself. Internal threats are often mitigated by following good employment practices such as conducting employee background checks, and by implementing strong controls that prevent unauthorized access to sensitive information and track authorized access.
External threats come from forces outside the credit card system. External threats are very difficult for the credit card system to mitigate because there are so many points of compromise outside of its control. In particular, two methods of credit card fraud, the "card-not-present" and identity theft methods, are increasing rapidly in incidence. A review of the literature and focused conversations with MasterCard employees revealed that credit card fraud is underreported in general and that the exact amount of losses due to fraudulent activities on cards is unknown. Merchants who accept MasterCard branded products are burdened with the expenses associated with fraudulent purchases, and consumers are left with a real burden when they fall victim to identity theft.

Consumer and merchant concerns about using and accepting credit cards have led MasterCard to intensify its security and risk management activities. A review of security and credit card research and reports, and personal interviews with MasterCard International security executives, comprise the basis for our study of MasterCard's security measures targeted at combating card-not-present and identity theft credit card fraud. Payment card security management comprises the collective set of activities to develop and implement physical card designs that combat fraud. Risk management comprises the activities that protect the system's participants from credit and fraud risk. In this paper, we review MasterCard's security and risk management activities, and offer case studies of specific measures that MasterCard has taken to combat these growing threats.

With the urging of consumers, merchants and payment companies, the growing fraud problem has also caught the attention of state and federal legislators. We will provide an overview of key legislation introduced and/or passed to combat credit card fraud and identity theft.
The payment industry is working diligently to provide Information Technology (IT)-enabled solutions for early detection and capture of fraudulent credit card transactions. MasterCard employs the following applications and services to manage fraud: Address Verification System, Combined Warning Bulletin, Common Points of Compromise, Fraud Velocity Monitor, Issuers Clearinghouse Service, MasterCard Alerts, MasterCard Internet Gateway Services, MasterCard SecureCode, Merchant Alerts to Control High Risk, Merchant Online Status Tracking, NameProtect Partnership, RiskFinder, Site Data Protection, and System to Avoid Fraud Effectively. At best, such solutions may prevent many fraudulent transactions, saving dollars and distress for consumers, merchants, and the payment industry in general. Unfortunately, because of the Internet, numerous fraudulent credit card transactions take place abroad, where perpetrators are not subject to United States laws or penalties. The best the credit card industry can hope to achieve is to quickly detect when a new type of threat emerges, then devise electronic and procedural countermeasures to mitigate the threat.

Fighting credit card fraud is not solely the responsibility of the credit card systems, however. General guidelines for all participants in credit card transactions emerge as "best practices": for consumers, merchants, credit card issuers and acquirers, and the payment systems themselves. "Best practices" may be as simple and low-technology as a consumer keeping track of receipts for credit card transactions, or as complex and high-technology as implementing software-enabled neural networks designed to detect data anomalies that are predictors of fraudulent activity.
In general, all participants in the credit card transaction process must be conscientious about protecting private identification and financial information, monitoring credit card activity, and keeping aware of fraud trends in the credit card world.

A TYPICAL VICTIM OF CREDIT CARD FRAUD

Jane D. looked worriedly at the charges for a new stereo system on her latest MasterCard statement. Jane had not purchased a stereo system, and she had many questions: Who had access to her credit card number? Where was the stereo system? Was she liable for the charges? Jane D., like nearly 25 million other adults each year [1], is a victim of fraud. With over 600 million MasterCard credit cards in circulation [2], it is not surprising that the incidence of credit card fraud is a major concern for all participants in the payment industry. Credit card fraud costs merchants more than U.S. $2 billion a year [3]. The cost of fraud is passed on to the consumer in the form of higher prices, interest rates and fees. Fraudulent credit card activities present unique challenges for MasterCard and other credit card companies, for the financial institutions that issue cards and process credit card transactions, and for the consumer. The credit card industry is working hard to enhance fraud prevention and detection techniques. This paper will review the methodology of credit card transactions, explore case studies of card-not-present transactions and identity theft credit card transactions, present Information Technology (IT)-enabled solutions to these fraudulent transactions, discuss legislative efforts to combat credit card fraud, and offer "best practices" for prevention and detection of credit card fraud for consumers, merchants, and card processors.

[1] www.ftc.gov/opa/2004/08/fraudsurvey.htm, viewed October 17, 2004.
[2] "MasterCard Corporate Fact Sheet," www.mastercardinternational.com/docs/corporate_fact_sheet_0804.pdf, viewed October 18, 2004.
[3] Bhatla, Tej Paul, Prabhu, Vikram, and Dua, Amit, "Understanding Credit Card Frauds," Card Business Review #2003-01, June 2003, 1-15.
[4] "MasterCard Corporate Fact Sheet," www.mastercardinternational.com/docs/corporate_fact_sheet_0804.pdf, viewed October 18, 2004.
[5] MasterCard International SEC Form 8-K, February 3, 2004, www.sec.gov/Archives/edgar/data/1141391/000095012304001154/y93767e8vk.txt, viewed October 18, 2004, 3.

MASTERCARD LICENSES AND FRANCHISES THE MASTERCARD BRAND TO ITS MEMBER BANKS [4]

MasterCard International, Inc. is a private stock membership association owned by its 25,000 member banks. MasterCard International is the licensor and franchisor of the MasterCard branded family of payment products; the individual member banks are the franchisees. The family includes credit card and debit card products which are targeted at both businesses and consumers. The MasterCard payment brand is number two by spending volume globally, behind Visa, and is accepted at more than 22 million merchants and over 900,000 Automated Teller Machines (ATMs) worldwide. MasterCard cardholders transacted 13.2 billion times for a gross value of U.S. $1.27 trillion in calendar year 2003 [5].

As franchisor, MasterCard International sets and maintains brand standards and operating rules, and provides commonly needed IT services like transaction processing, settlement, and risk management. Combined, these standards, rules, and services enable seamless payment brand acceptance and global interoperability. MasterCard's goal for people like Jane D. is for her to have universal acceptance of her credit card and to have the same quality experience, wherever she is on the globe. A common misconception about MasterCard is that it issues credit cards, sets annual and other fees, determines annual percentage rates (APRs), and solicits merchants to accept cards.
All of these activities are outside of MasterCard's scope. MasterCard's member banks are responsible for all activities revolving around issuance of cards and signing merchants to accept them.

MasterCard International is a multinational corporation, with global headquarters located in Purchase, New York, USA. Its technology headquarters, known internally as Global Technology and Operations (GTO), is located in O'Fallon, Missouri, USA. MasterCard employs about 4,000 people globally, about 2,000 of whom work for GTO. MasterCard's CIO is the head of GTO, and reports directly to the President and CEO. In addition to classic IT functions like data center operations, network operations, architecture management, and systems development, the CIO is responsible for member services, security and risk management, and technology business management [6].

CREDIT CARD TRANSACTIONS: "GO WITH THE FLOW" OF INFORMATION

For you to understand the complexities of managing credit card fraud, it is critical to understand how the credit card business is structured. The credit card business operates under the notion of an acceptance brand, like MasterCard's interlocking red and yellow circles. The acceptance brand is essential for matching up the two elemental participants: merchants and cardholders. The merchant is a business or governmental entity which accepts credit cards as a form of payment for goods or services it provides. A merchant displays signage for one or more acceptance brands prominently on its store front, counter tops, marketing literature, and website to announce that it accepts like-branded cards for payment. The cardholder is a person who has been issued a credit card bearing a brand mark, for use to purchase goods and services at participating merchants. A cardholder may be an individual consumer or business person.
The cardholder is trained to look for brand signage to recognize merchant outlets that accept the credit card. Many other participants enable cardholders and merchants to exchange value using branded credit cards as a payment device. Participants vary significantly depending on the structure of the credit card system. There are two basic structures in the credit card industry: the open system and the closed system.

The Open Payment System: Two or More Participants Cooperate to Process Payment for Mutual Benefit

An open payment system is typified by two or more cooperative entities that collectively issue credit cards and facilitate acceptance at merchants, for mutual benefit. The open system model is also referred to as the Interchange Model, in recognition of its interactive and reciprocal nature. The cooperative participants are often referred to collectively as associations or networks. The associations and networks define extensive rules to govern how transactions and value flow between the participants, and they may be regional, national, or global in scope. Using the U.S. as an example, a regional network may operate within a small number of contiguous states, whereas a national association would operate within all 50 states. The U.S. market had dozens of regional networks at one time, such as NYCE, HONOR, PULSE, and BankMate. Over time, most of the regional networks were bought up and consolidated into a few national networks. Prominent national networks in the U.S. are STAR and Interlink. There are two players at the global level: MasterCard and Visa. Figure 1 depicts the business relationships and flows of information between participants in MasterCard's open system.

[6] Fisher, Bill. Pers. Comm. VP Processing Strategy, MasterCard International. Interviewed by telephone by Mike Cornish, October 26, 2004.
Besides the merchants and cardholders, the participants in an open system typically perform one or more of the following roles. The numbers in parentheses correspond to the circled numbers in the figure.

Acquirer: A financial institution which sponsors merchants into the open payment system (1). The institution accepts merchant deposits for credit card transactions, and reimburses the merchants for the value of the transactions, less any fees. Acquirers are financially liable for the actions of their merchants, so they take great care in screening merchants to make sure they are legitimate.

Issuer: A financial institution which issues credit cards to businesses and consumers, for use in paying for goods and services (2). The institution determines credit worthiness, assigns credit lines, sets interest rates and fees, prints and mails statements, and collects payments. Each issuer reimburses acquirers for purchases made by its cardholders, and then collects future payments plus fees and interest from the cardholders. Issuers are financially liable for the actions of their cardholders, so they carefully screen applicants to ensure they only issue cards to those who represent acceptable risks.

Processors: Usually third parties, who provide merchant and/or card issuing processing services on behalf of acquirers (3) and issuers (4). Some very large and very small member institutions do process their own business in-house, but they are more the exception than the rule.

[Figure 1: Open System - Interchange Model. Participants: Cardholder, Merchant, Acquiring Bank, Issuing Bank, Acquiring Processor, Issuing Processor. Relationships shown: Account, Statementing, Transaction, Processing; numbered flows 1 through 8, with 7a and 7b. Structure for Visa is similar.]
Third-party processors range in breadth and scope from performing simple services like point-of-sale terminal management and customer service call center operation, to providing full-service, turn-key operations for merchants (6) and issuing processing (8).

Association or Network: A cooperative group of financial institutions, each of whom behaves in the role(s) of acquirer and/or issuer, to enable use of credit cards for value exchange between participating merchants and cardholders (5). The association or network often provides an underlying technology infrastructure and business applications to facilitate transaction processing and payments between participants (6), (7a).

Note: Some acquirers are also issuers, and so it sometimes happens that a transaction occurs involving a card issued and a merchant sponsored by the same member bank. This situation is called an "on-us" transaction. In such cases, the transaction would likely be processed in-house without being sent to the association. A similar case occurs when a given pair of acquirers and issuers shares the same processor. Transactions between the pair of members would likely be processed internally within the processor's network (7b).

Figure 2 depicts the standard transaction and financial flows necessary to complete a typical MasterCard credit card cardholder purchase at a merchant acceptance outlet. The processing steps are as follows:

1) The merchant initiates a request for authorization from its point-of-sale (POS) terminal or electronic cash register (ECR). The request flows to the acquiring processor, then through MasterCard's network to the issuing processor.

2) The issuing processor makes a credit decision, and returns a response indicating an approved or declined transaction back to the merchant device, following the reverse path of the request.

3) Assuming the authorization request was approved, the merchant and cardholder complete the sale.
The merchant submits the completed sale at the end of its business day, in a batch of all transactions completed during the day.

4) The acquiring bank makes a deposit into the merchant's bank account to reimburse the merchant for the accumulated value of the deposited batch of transactions, less any pre-agreed discounts and fees.

5) The acquiring processor submits the transaction as a first presentment into MasterCard's clearing process. The transaction is grouped in a file with all of the daily transactions for all of the merchants processed by the acquiring processor. MasterCard's clearing process collects, sorts, and redistributes all of the transactions to each appropriate issuing processor. The issuing processors post the transactions to the appropriate cardholders' accounts.

6) The association collects funds from issuers and distributes them to acquirers, for the net value of all cleared transactions.

7) The issuing processor produces monthly statements and sends them to cardholders.

8) Cardholders make payments against their credit card accounts.

[Figure 2: Open System - Interchange Transaction Flow. Participants: Merchant, Acquiring Processor, Acquiring Bank, Issuing Bank, Issuing Processor, Cardholder. Flows: Authorization Request (real-time), Authorization Response (real-time), Merchant Deposit, Merchant Payment, First Presentment Notice, Settlement, Statement, Payment. Flow is similar for Visa.]

The Closed Payment System Makes Its Own Rules

A closed payment system is typified by a single entity that both issues credit cards and facilitates acceptance at merchants. The entity defines its own rules to govern how transactions and value flow between itself and its merchants. Examples of closed systems vary in scope from house brands, to national and global brands. Home Depot is an example of a house branded credit card. Home Depot cardholders may only use their credit cards in Home Depot and Expo stores. Discover card is an example of a national brand, and American Express (AMEX) is an example of an international brand.

Figure 3 depicts the business relationships and flows of information between participants in American Express's closed system. Unlike an open system, there are no separate acquirers and issuers in American Express's closed system. Merchants contract directly with American Express for card acceptance (1), and American Express issues cards directly to all of its cardholders (2). American Express performs all of the acquirer and issuer functions described for the open system above. American Express also provides the underlying technology infrastructure and business applications to facilitate transaction processing for merchant acceptance (3), (4a). Due to high levels of consolidation of merchant processing across the payments industry, American Express handles transactions from acquiring processors as well (4b).

[Figure 3: Closed System. Participants: Cardholder, Merchant, Acquiring Processor. Relationships shown: Transaction Relationship (1), Account Relationship (2); flows 3, 4a, 4b. Structure for Discover is similar.]

Figure 4 depicts the standard transaction and financial flows necessary to complete a typical AMEX credit card cardholder purchase at a merchant acceptance outlet. The processing steps are as follows:

1) The merchant initiates a request for authorization from its point-of-sale (POS) terminal or electronic cash register (ECR). The request flows to AMEX either directly through AMEX's network, or through an acquiring processor.

2) AMEX makes a credit decision, and returns a response indicating an approved or declined transaction back to the merchant.
3) Assuming the authorization request was approved, the merchant and cardholder complete the sale. The merchant submits the completed sale at the end of its business day, in a batch of all transactions completed during the day.

4) AMEX makes a deposit into the merchant's bank account to reimburse the merchant for the accumulated value of the deposited batch of transactions, less any pre-agreed discounts and fees.

5) AMEX posts the transactions to the cardholders' accounts.

6) AMEX produces monthly statements and sends them to cardholders.

7) Cardholders make payments against their credit card accounts.

Open and Closed Credit Card Systems are Subject to Two Classes of Threats

Open and closed credit card systems are susceptible to two general categories of threats for fraudulent activities: internal threats and external threats. While the most serious threat might be an attack that diverts some or all of the billions of dollars flowing through the credit card systems daily, the most prevalent attacks are those that expose individual account and private consumer identifying information. Of the two, private consumer identifying information is the more lucrative. Account information, e.g., account numbers and expiration dates, allows thieves to make fraudulent purchases; private consumer identifying information, e.g., names, addresses, and Social Security numbers, allows thieves to obtain fraudulent credit.

Internal Threats: "An Inside Job"

Internal threats are those that evolve from collusion within the credit card system itself. These threats may appear at any point along the distribution channel where employees have access to account or consumer information, and vary in severity in relation to the quantity and quality of information accessible.
Note that open credit card systems likely have more exposure to internal threats by virtue of the sheer number of participants in the system. Examples of internal threats are:

- A merchant or acquiring processor employee who conspires to collect good account numbers and expiration dates.
- An issuer or issuing processor employee who collects private customer identifying information such as Social Security numbers, names, and addresses.

Internal threats are often mitigated by following good employment practices such as conducting employee background checks, and by implementing strong controls that prevent unauthorized access to sensitive information and track authorized access. Additional mitigation techniques are defined in the section on Best Practices found later in this report.

[Figure 4: Closed System - Typical Transaction Flow. Participants: Merchant, Acquiring Processor, Cardholder. Flows: Authorization Request (real-time), Authorization Response (real-time), Merchant Deposit, Merchant Payment, Statement, Payment. Flow is similar for Discover.]

External Threats: "Let Me Make You an Offer You Can't Refuse"

External threats come from forces outside the credit card system. While the threats may originate from the isolated actions of a few individuals, they are more often the result of highly organized criminal enterprises. The criminal organizations form networks or syndicates of sources of account and identifying data, and use the ill-gotten information to perpetrate large-scale fraud enterprises. A source could be anyone who has compromised a place where account numbers or private consumer identification information is stored. Sources can run the gamut from private citizens, to public servants, to sophisticated computer hackers. Office workers can be a lucrative source of information. Many businesses hold account numbers and private identification information on file. Social Security Numbers are collected by many businesses and public entities alike, including insurance companies, health care providers, schools, and government agencies. Crime syndicates approach people who work in such offices and use extortion or promises of financial reward to gain cooperation in collecting the valuable information. Seemingly every day there is a news story about another database that hackers compromised to expose credit card account numbers or Social Security numbers (see Figure 5). While early hackers were motivated by the thrill of breaking into a bank's database, current-day hackers are motivated by the financial gains they may realize by selling information to the crime syndicates.

External threats are very difficult for the credit card systems to mitigate because there are so many points of compromise beyond their control. The best the credit card systems can hope to accomplish is to quickly detect when a new type of threat emerges, then devise electronic and procedural countermeasures to mitigate the threat. In the end, the threat emergence-mitigation cycle continues in a positive feedback loop, in a cold war-like escalation between the criminal organizations and the credit card systems. The criminals hatch a new scheme and successfully run it for a while. Eventually the credit card systems catch on, and develop effective countermeasures.

[Figure 5: Hackers in the News. A collage of news headlines dated Nov 20, 2001; Jan 23, 2003; Feb 19, 2003; Feb 27, 2003; March 17, 2003; Sep 12, 2003 (two items); Oct 24, 2003; and Aug 5, 2004. The headline text did not survive extraction.]
In a Darwinesque example of survival of the fittest, a few criminals are caught and crime organizations are taken down, but the rest adapt and find new ways to compromise the systems.

Under Attack: Credit Card Fraud Results from Threats Executed Against the System

Credit card fraud is defined as "when an individual uses another individual's credit card for personal reasons while the owner of the card and the card issuer are not aware of the fact that the card is being used." [7] Credit card fraud can take many forms, but generally results from threats carried out against the credit card system. The most common type of credit card fraud stems from lost or stolen cards or card numbers, which can lead to the thief using the card or card number for criminal purposes over the telephone or the Internet (card-not-present purchases). Identity theft occurs when a thief uses another individual's identifying facts to perpetrate an economic fraud [8], such as taking over a financial account (i.e., a credit card account), or applying for credit. Counterfeit cards can be created by copying a legitimate cardholder's data onto a generic card. Legitimate card numbers can be obtained by "skimming," which copies data from a card's magnetic stripe into an electronic device; by account number generation, that is, software programs that generate valid credit card numbers and expiration dates; and by hacking, where an individual gains unauthorized access to an individual or corporate computer system for the purpose of stealing data [9]. Overall, credit card counterfeiting is decreasing, however, largely because of industry measures such as the addition of holograms and the Card Verification Value (CVV), a three-to-four digit number that is printed (not embossed) on the back or front of all US-issued credit cards [10]. A newer type of credit card fraud, called "phishing," occurs when a victim is solicited via e-mail to visit a sham website of a "trusted institution" to "confirm" or "verify" private account information. In the phishing scam [11], this account information is then used to place fraudulent credit card orders over the Internet, or to perpetrate identity fraud by making financial applications in the cardholder's name. Figure 6 depicts the incidence of fraud by method, as documented by Bhatla, et al. in their recent study on credit card fraud [12].

[Figure 6: Incidence of Fraud by Method (Bhatla et al. [14]). Categories on the axis: Skimming, Counterfeit, Never Received, Lost/Stolen, ID Theft, Other. Values shown: 48%, 15%, 14%, 12%, 6%, 5%. Per the text, the largest share (48%) is lost or stolen cards; the mapping of the remaining values to categories did not survive extraction.]

Our Top Story Tonight: Credit Card Fraud Reaches Nearly U.S. $2.5 Billion Annually!

A review of the literature and focused conversations with MasterCard employees [13] revealed that credit card fraud is underreported in general and that the exact amount of losses due to fraudulent activities on cards is unknown [14]. However, credit industry analyst reports estimate that fraudulent card activity in 2002 was between U.S. $2 and U.S. $2.5 billion [15, 16]. The rate of Internet fraud ranges between 2% and 3% of sales [17, 18], and is estimated at 30 times higher than credit card fraud rates in the "physical world" [19].

[7] Bhatla, Prabhu and Dua, "Understanding Credit Card Frauds," 1.
[8] Saunders, Kurt M. and Zucker, Bruce, "Counteracting Identity Fraud in the Information Age: The Identity Theft and Assumption Deterrence Act," International Review of Law, Computers & Technology, August 1999, 183-192.
[9] Bhatla, Prabhu and Dua, "Understanding Credit Card Frauds," 4-6.
[10] Anonymous, "Bank Card Report: Counterfeiting Falls, But Other Frauds Remain," ABA Banking Journal, Vol. 78, No. 9, 60.
[11] "New Leahy Bill Targets Internet 'Phishing' That Steals $2 b./yr. From Consumers," July 2004, www.leahy.senate.gov/press/200404/070904c.html, viewed October 20, 2004.
[12] Bhatla, Prabhu and Dua, "Understanding Credit Card Frauds," 2.
[13] Fisher, Bill. Pers. Comm. VP Processing Strategy, MasterCard International. Interviewed by telephone by Mike Cornish, October 26, 2004.

SHELTER FROM THE STORM: SECURITY AND RISK MANAGEMENT

Payment card security management comprises the collective set of activities to develop and implement physical card designs that combat fraud, and to design policies and procedures to protect and control stocks of blank cards to prevent them from being stolen and turned into counterfeit cards. Risk management comprises the activities that protect the system's participants from credit and fraud risk. Credit risk is the potential for financial losses resulting from making poor credit decisions when member banks issue credit cards or sign up merchants for acceptance. Fraud risk is the potential for financial losses resulting from fraudulent activities. Many of the everyday activities of the credit card systems are targeted at managing risk. The practice of requiring merchants to request authorization for purchases mitigates both credit and fraud risk. Issuers' practice of pulling credit histories before issuing new credit cards also mitigates credit risk. The scope of this paper is limited to managing fraud risk.

MasterCard: "Protecting Brand Integrity and Managing Fraud Risk"

MasterCard's Security and Risk Management group is wholly contained in the GTO organization, and reports to the CIO. The group's mission is to "protect brand integrity and manage fraud risk through best in class core and value added services with integrated end to end solutions to help position MasterCard as the Global Payments Leader." [20] The group is responsible both for conducting investigative field work, and for analyzing fraud trends and developing mitigation strategies. The field work team is composed largely of retired law enforcement officers who entered the private sector. The officers typically came from detective squads, the Secret Service, and the Federal Bureau of Investigation, where they investigated white collar financial crimes and organized crime. Their principal duties are to work with fraud officers from the member banks and to cooperate with local, national, and international law enforcement agencies to investigate and crack major cases of fraudulent credit card use. The fraud analysis team is a combination of credit card fraud experts and systems analysts. The team collects fraud reporting data from MasterCard's member institutions and analyzes it to discern emerging changes in fraud patterns. When a given type of fraud makes a significant directional change, they research and investigate with member banks to determine the underlying reasons. Often the change results from some new attack. Based on their findings, the team works with industry security specialists, fraud officers at the member institutions, and sometimes even scientists, to further study the problem and devise counter-measures.

The Security and Risk Management group is the business owner for most of the services and applications targeted at fraud management. Each of the services and applications is targeted to address one of the following fraud management goals:

Goal        Description
Awareness   Identify and communicate positive/negative changes in fraud trends
Detection   Detect when specific fraud is likely to have occurred
Prevention  Prevent fraudulent transactions

The following are brief descriptions of the services and applications that MasterCard employs to manage fraud [21]. Note that those denoted by an asterisk (*) have business owners outside of Security and Risk Management, but are still important pieces of the overall risk management strategy:

Address Verification System*: Permits merchants who accept card-not-present transactions to verify that the cardholder billing address provided by the person making the purchase matches the address on the issuer's database.

Combined Warning Bulletin: Maintains a database of credit card account numbers that are blocked from use. The accounts are restricted because they were reported as lost, stolen, counterfeit, or otherwise compromised. Any authorization request for a restricted account automatically receives a "pick up card" response.

Common Points of Compromise: Analyzes merchant use histories for account numbers reported in fraud, to identify any common merchants at which the accounts were used prior to the frauds occurring. A high incidence of accounts for a common merchant indicates a probability that the merchant has a collusive employee who is stealing account numbers.

Fraud Velocity Monitor: Analyzes velocity (number of uses and accumulated spending) by account, and flags accounts with patterns of rapid growth in activity. Flagged accounts are reported to issuers for their further investigation.

[14] Bhatla, Prabhu and Dua, "Understanding Credit Card Frauds," 2.
[15] Ibid.
[16] www.epaynews.com/statistics/fraud.html, viewed October 22, 2004.
[17] www.merchant911.org/fraud-trends.html, viewed October 22, 2004.
[18] www.epaynews.com/statistics/fraud.html, viewed October 23, 2004.
[19] www.retailindustry.about.com/cs/lp_Internet/a/gl_cs111803.htm, viewed October 21, 2004.
[20] "Security & Risk Mission & Overview," MasterCard International, February 24, 2003.
Issuers Clearinghouse Service: Screens credit applications against a database of recent applications to detect unusual patterns in increased credit applications. Key applicant data are matched against information like names, addresses, Social Security numbers, and phone numbers. Known fraudulent and non-existent addresses are also checked. MasterCard Alerts: Distributes high-priority information about new fraud schemes and alerts about specific accounts and merchants to member institutions. MasterCard Internet Gateway Services*: Provides a payment gateway which eCommerce merchants may integrate into their catalog shop-and-buy websites, to facilitate credit card payments without actually handling credit card account details. MasterCard SecureCode: Defines a set of rules and underlying technology that permits a cardholder to df e “as od t t ut e ucs u y n r e n a ps r”h m sb sces l et e i w a fl e d on a participating website, before a sale can be completed. Merchant Alerts to Control High Risk: Identifies merchants who have accumulated fraudulent activity t txed Mat C r’rl fr e et e f h eces s ra su so pr n g o a e d e c a fraudulent transactions to total sales. Merchant Online Status Tracking: Tracks merchants that MasterCard has terminated from the system because of excessive fraudulent activity. Screens merchant registrations against the database of terminated merchants to keep bad merchants out of the system. Key registration data are matched against i om t n i o nr nm ,dr sSocial Security n r ao l e w e s a eade , f i k ’ s number, employer id number, and Dunn & Bradstreet number. NameProtect Partnership: A contracted service that monitors the worldwide web, searching for websites which are promoting and exchanging information for purposes of credit card and identity theft fraud. 
RiskFinder: Screens approved authorization transactions against a neural network designed to detect data anomalies that are predictors of fraudulent activity, and produces a score that indicates the likelihood of fraud. An alert message is sent to the card issuer for any transaction for which the fraud score exceeds the i ur pe s esr s ’ -established threshold. Site Data Protection: A service provided to evaluate a m r at w bi aa sbspate fr e hn s ese gi t et r i so c ’ t n cc eCommerce security, and to make recommendations which the merchant should consider to strengthen its site against attacks. System to Avoid Fraud Effectively: Collects and summarizes member reported fraudulent transaction information, to aid the Security and Risk Management team and the member institutions in tracking fraud trends. Figure 7 depicts how each of the above applications or services addresses the Security and Risk Management gopsr d aae etol fr various types ru’f u m ngm nga ,o the a s of fraud. 21 “ plao P ro o Scry Rs A p ct n ot l : eui & i i i fi t k A p ct n.It nl ou etWod ou et plaos n radcm n i i ” e : r dcm n . MasterCard International, March 27, 2003. 
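The following worked example is added by the editor and is not MasterCard code. It puts three of the ideas on this page into running form: the mod-10 (Luhn) check digit that "account number generation" tools target, a toy Fraud Velocity Monitor, and a toy Common Points of Compromise analysis. The window, thresholds, merchant names and every authorization record are assumptions constructed for the illustration; the two card numbers are well-known test PANs, not real accounts.

```python
"""Added worked example (not MasterCard's code): three screening ideas from
this section, run over a small constructed authorization log.

luhn_valid                  - the mod-10 check digit every card number
                              carries. Number-generation tools emit numbers
                              that pass it, so Luhn validity only rules out
                              typos and naive guesses; it never proves an
                              account exists.
velocity_flags              - a toy Fraud Velocity Monitor: uses and spend
                              per account inside a sliding time window.
common_points_of_compromise - a toy Common Points of Compromise analysis:
                              merchants the fraud-reported accounts shared
                              before the fraud, weighed against how popular
                              each merchant is among all accounts.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def luhn_valid(pan: str) -> bool:
    """Mod-10 (Luhn) check over a primary account number; spaces/hyphens ignored."""
    pan = pan.replace(" ", "").replace("-", "")
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed authorizations: (time, account, merchant, amount). The first
# account shows the burst a velocity monitor exists to catch.
SAMPLE_AUTHS = [
    ("2004-10-01 09:12", "5555555555554444", "M-GROCER", 42.10),
    ("2004-10-01 18:40", "5555555555554444", "M-GASCO", 30.00),
    ("2004-10-02 10:05", "5555555555554444", "M-GROCER", 55.20),
    ("2004-10-02 10:09", "5555555555554444", "M-ELECTRO", 899.00),
    ("2004-10-02 10:14", "5555555555554444", "M-ELECTRO", 1299.00),
    ("2004-10-02 10:20", "5555555555554444", "M-JEWEL", 2400.00),
    ("2004-10-02 10:31", "5555555555554444", "M-JEWEL", 1850.00),
    ("2004-10-01 12:00", "4111111111111111", "M-GROCER", 18.50),
    ("2004-10-03 12:30", "4111111111111111", "M-GASCO", 25.00),
]


def velocity_flags(auths, window=timedelta(hours=1), max_count=4, max_spend=2000.0):
    """Flag accounts whose peak activity inside any `window` exceeds either
    limit. Returns {account: {"count": n, "spend": total}} for flagged ones."""
    by_acct = defaultdict(list)
    for when, acct, _merchant, amount in auths:
        by_acct[acct].append((_ts(when), amount))
    flags = {}
    for acct, rows in by_acct.items():
        rows.sort()
        start, peak_count, peak_spend = 0, 0, 0.0
        for i, (t, _amt) in enumerate(rows):
            while rows[start][0] < t - window:  # drop auths older than the window
                start += 1
            in_window = rows[start:i + 1]
            peak_count = max(peak_count, len(in_window))
            peak_spend = max(peak_spend, sum(a for _, a in in_window))
        if peak_count > max_count or peak_spend > max_spend:
            flags[acct] = {"count": peak_count, "spend": round(peak_spend, 2)}
    return flags


# Constructed purchase histories for a Common Points of Compromise run:
# accounts A, B and C were later reported as fraud; D and E were not.
CPP_AUTHS = [
    ("2004-09-20 12:00", "A", "M-CAFE", 6.00),
    ("2004-09-21 12:00", "A", "M-GROCER", 40.00),
    ("2004-09-22 12:00", "B", "M-CAFE", 5.50),
    ("2004-09-22 18:00", "B", "M-GASCO", 28.00),
    ("2004-09-23 12:00", "C", "M-CAFE", 6.25),
    ("2004-09-23 17:00", "C", "M-GROCER", 61.00),
    ("2004-09-24 12:00", "D", "M-GROCER", 33.00),
    ("2004-09-25 12:00", "E", "M-GROCER", 19.00),
    ("2004-10-06 11:00", "A", "M-JEWEL", 2400.00),   # the fraud itself, after the cutoff
]


def common_points_of_compromise(auths, fraud_accounts, first_fraud, min_fraud_accounts=2):
    """Rank merchants by lift: the share of fraud accounts that used the
    merchant before `first_fraud`, divided by the share of all accounts that
    did. A merchant everyone visits scores about 1.0 and is not a lead;
    `min_fraud_accounts` stops one fraud account at an obscure merchant from
    producing a large but meaningless lift."""
    cutoff = _ts(first_fraud)
    users = defaultdict(set)                # merchant -> accounts seen before cutoff
    all_accounts = set()
    for when, acct, merchant, _amount in auths:
        if _ts(when) < cutoff:
            all_accounts.add(acct)
            users[merchant].add(acct)
    fraud = set(fraud_accounts)
    ranked = []
    for merchant, accts in users.items():
        hits = len(accts & fraud)
        if hits < min_fraud_accounts:
            continue
        fraud_share = hits / len(fraud)
        overall_share = len(accts) / len(all_accounts)
        ranked.append((merchant, fraud_share, fraud_share / overall_share))
    ranked.sort(key=lambda r: (-r[2], -r[1], r[0]))
    return ranked


if __name__ == "__main__":
    print("luhn:", luhn_valid("5555 5555 5555 4444"), luhn_valid("5555555555554445"))
    print("velocity:", velocity_flags(SAMPLE_AUTHS))
    print("cpp:", common_points_of_compromise(CPP_AUTHS, {"A", "B", "C"}, "2004-10-05 00:00"))
```

Two design points worth noting. A generated number that passes `luhn_valid` is exactly what the "account number generation" attack produces, so the check belongs at the front of a pipeline only to reject malformed input, never as evidence of a live account. And a merchant that appears in every fraud account's history is only a lead when it is also rarer in the general population than among the fraud accounts; ranking by lift rather than by raw count keeps a supermarket everyone uses from topping the list.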
[Figure 7: Fraud Types Addressed by Application or Service. A matrix of the applications and services above (columns) against the fraud types ID Theft, Counterfeit, Card Not Present, Lost & Stolen, and Never Received (rows); each cell is marked A (Awareness), D (Detection), or P (Prevention).]

"WANTED: HE ISN'T EVEN HERE": CARD-NOT-PRESENT FRAUD

Card-Not-Present: No Way to Dispute that a Purchase Wasn't Made

Card-not-present credit card fraud poses a great threat to merchants, because they lack the physical verification of the person presenting the card that "brick and mortar" businesses have. Because neither the card nor the cardholder is present at the point of sale, the merchant is unable to verify the signature or photo identification of the cardholder,22 so there is no way to dispute a cardholder's claim that a purchase was not made. In these situations, the merchant assumes the full risk of credit purchases. Online and telephone shoppers expect fast decisions for purchases. Because of the explosion of eCommerce, card-not-present transactions are a necessity. Merchants, credit card processors and credit card companies are asking the credit card systems for real-time tools and support for online credit decisions,23 and the systems are working to provide a variety of multilevel IT-enabled solutions.

Understandably, Credit Card Holders are Concerned about Credit Card Fraud

Electronic transactions are estimated to have a worldwide market potential of U.S. $3 trillion-plus. Still, MasterCard research shows that 90% of online buyers worry that their personal and financial information may be at risk, and 71% are concerned about credit card fraud.24 How valid are their fears? It is very difficult to determine the actual incidence and prevalence of credit card fraud, and there are several reasons why. First, many cardholders do not report fraud to law enforcement agencies; they simply contact their issuing bank, and the fraudulent charge is credited.25 Similarly, merchants may simply absorb the fraudulent charges, and not think it necessary to report the fraud to law enforcement agencies.26 Lastly, credit card companies such as MasterCard and Visa don't release the credit card fraud information they do have. Linda Locke of MasterCard, as quoted in an article published on msnbc.com, said in response to figures released by a security agency about credit card fraud: "We don't release that kind of data ... that seems ... overstated ... we will not validate that number ... we think the number is incredibly overstated ... anecdotal at best."26

MasterCard reports that card-not-present fraud incidents account for between 80 and 84% of credit card fraud.27 Other sources report that online fraud rates are up to thirty times higher than those in the physical world, representing a revenue loss of about U.S. $1.6 billion, or about 2% of all online sales in 2003.28 Projected losses to Internet merchants in 2005 are expected to be between U.S. $5 and U.S. $15 billion.29

The Merchant Risk Council is a non-profit organization of merchants, vendors, financial institutions and law enforcement agencies. Its members "share the common goal of protecting and encouraging the thriving online commerce industry by establishing best practices for cyber security, as well as work with law enforcement agencies to catch and prosecute cyber criminals." A 2003 Merchant Risk Council survey of eCommerce fraud shows two key trends:30 1) Merchants are spending more on fraud prevention; 17% of merchants spent more than 2% of their revenue on fraud prevention in 2003. 2) Chargeback rates are down; only about 10% of online businesses have chargeback rates greater than 1%, and the number of online merchants with chargeback rates of less than 0.35% is increasing proportionately.

"Now, Where Did I Put My Credit Card?" Causes and Contributing Factors to Card-Not-Present Fraud

Lost or Stolen

Credit cards or credit card numbers can be stolen by very conventional "low technology" means, such as a thief sorting through trash to retrieve discarded cards, credit card receipts, or credit card statements, which is known as "dumpster diving." Some credit cards are simply "left behind" by the cardholder at a point of sale. Credit cards may also be removed from purses or briefcases at work, school, or other settings if left unattended by the cardholder.

Several legislative rulings, to be discussed later in this paper, limit the information printed on credit card receipts and statements in an effort to combat this type of fraud.31 Consumer best practices presented later in this paper may also help to combat low technology theft of credit cards or card numbers.

High Tech, Low Touch

Valid credit card numbers may also be obtained for card-not-present schemes by "high technology" means. These include "phishing" schemes as well as sham online auctions and false merchant sites designed to lure purchasers into believing they are making legitimate purchases at valid retail web sites. Other schemes, such as account number generation, may be beyond a cardholder's control. Credit card companies, issuers and processors are developing IT-enabled solutions to combat the high technology schemes at multiple levels. Two such IT-enabled solutions licensed by MasterCard will be discussed as case studies.

Notes:
22 Bhatla, Prabhu and Dua, "Understanding Credit Card Fraud," 1.
23 Anonymous, "Credit Risk Analysis Makes Commerce Safer," ABA Banking Journal, November 1999, Vol. 91, Iss. 11; 54.
24 "MasterCard SecureCode for Online Merchants." Online security document for merchants at www.mastercardmerchant.com/docs/securecode/Merchant_Brochure.pdf, viewed October 20, 2004.
25 www.merchant911.org/fraud-trends.html, viewed October 22, 2004.
26 Sullivan, Bob, "Credit Card Leaks Continue at Furious Pace," http://msnbc.msn.com/id/6030057/, viewed October 22, 2004.
27 Bennett, R. A., "Didn't Do It," US Banker, Vol. 111, No. 12, December 2001, 48.
28 "Online Fraud Takes $1.6 B Out of 2003 e-Commerce." CyberSource, www.retailindustry.about.com/cs/lp_Internet/a/bl/cs111803.htm, viewed October 20, 2004.
29 Bhatla, Prabhu and Dua, "Understanding Credit Card Fraud," 2.
30 Merchant Risk Council Press Release, www.merchantriskcouncil.org/press.php?p_press_id+13, Feb 3, 2003, viewed October 21, 2004.
31 Micci-Barreca, D., "Unaware by Fraud," Security Management, Vol. 47, No. 9, September 2003, 75.
En Garde: MasterCard's Efforts to Combat Card-Not-Present Fraud

SecureCode: Cardholder Authentication

MasterCard SecureCode for Online Merchants is a "global e-commerce solution enabling cardholders to authenticate themselves to their issuer through the use of a unique, personal code."32 (Visa has a licensed counterpart called "Verified by Visa," or VbV.) SecureCode requires a merchant "plug-in" software module, to be deployed on the merchant's website. It also requires the merchant to use a data transport mechanism and to purchase compatible processing support from its transaction processor. Though the software module and accessories represent a cost to the merchant, the merchant gets explicit evidence of an authorized purchase from the cardholder's issuer, and gets the security and protection of fully guaranteed online payments and protection from chargebacks.33,34,35 Note what is and is not being verified: SecureCode authenticates the cardholder to the issuer, and the "guarantee" is a shift of chargeback liability for authenticated transactions from the merchant to the issuer; it does not itself vouch for the shipping address, the goods, or the buyer's intent. Though it is a relatively new security platform, MasterCard believes it will be effective, and endorsed a mandate for MasterCard issuers to implement support for SecureCode effective November 1, 2004.36

Case Study: eTronics has eFraud Problems.37

eTronics is a top-ten Internet consumer electronics retailer that has over 200,000 customers and processes more than 300,000 orders annually. Its annual sales exceed U.S. $65 million. In 2002, eTronics had credit card chargeback costs of more than U.S. $1 million for the year. eTronics first implemented a multi-level anti-fraud process, but it was costly and cumbersome. In 2003, it implemented SecureCode. eTronics says it is "so confident" in the impact of SecureCode on its bottom line that it is "optimistic and ... enthusiastic," and is anxious for all card issuers to be required to support SecureCode.

Case Study: Gone Phishing with Citibank.

Mike Cornish received the e-mail message in Figure 8 in his home e-mail account, stating that his request for an "Express Transfer" had been received. He is, in fact, a Citibank client. Compare the two web sites and observe the similarities between the false "phishing" web site (Figure 9) and the true website for MyCiti.com (Figure 10). The phishing site looks remarkably authentic. Cornish called Citibank customer services, and the representative confirmed that the e-mail was bogus. She said she had recently handled many similar calls from other customers.

"I Know Who You Are and I Saw What You Did": Neural Network Modeling Technologies Profile Cardholder Spending Patterns

MasterCard RiskFinder™ is a neural network system developed by MasterCard and Fair Isaac. It is a modeling technology that builds detailed profiles of each individual cardholder's spending patterns and behavior, which are updated with every transaction.38 RiskFinder enables transactions to be "scored" based on the profiles of cardholder patterns and behavior, existing patterns of fraud, and merchant trend data. If a transaction scores above the established "transaction risk threshold," the issuer will contact the cardholder to be sure no fraudulent activity has occurred. By leveraging this processing network to identify purchases which exceed threshold scoring, it is hoped that fraudulent activities will be identified.39 As of 2004, it has saved issuers up to 50% in fraud losses.40

Figure 8: E-mail to Mike Cornish verifying a request for an "Express Transfer" to a Citi account.

Figure 9: "Phishing" web site for MyCiti.com. Note the request for ATM card number and PIN, as well as the trademark and official logo.

Figure 10: Authentic web site for MyCiti.com. Note they request User ID and Password, not account number.

Case Study: Venice the eMenace.

In the summer of 2003, Kathleen Delpha's 20-year-old daughter went to Europe to study art history. Delpha gave her daughter her credit card, and notified the card issuer that her daughter would be taking it to England, southern France, and Florence.

Notes:
32 "MasterCard SecureCode for Online Merchants." Online security document for merchants at www.mastercardmerchant.com/docs/securecode/Merchant_Brochure.pdf, viewed October 20, 2004.
33 Ibid.
34 White Paper: Security Best Practices: Protecting Your Business. www.authorizenet.com/files/securitybestpractices.pdf, viewed November 10, 2004.
35 "Credit Card Authentication." Paymentech Solutions. www.paymentech.net/sol_frapro_carnotpre_crecaraut_page.jsp, viewed November 10, 2004.
36 "MasterCard SecureCode Case Study: eTronics." 2003. www.mastercardmerchant.com/docs/SC_Case_StudyeTronics.pdf, viewed October 21, 2004.
37 Ibid.
38 MasterCard RiskFinder. "Solutions." www.fairisaac.com/cgi-bin/MsmGo.exe?grab_id=13&page_id=655872&query=RiskFinder&hiword=RiskFinder+, viewed October 21, 2004.
39 "MasterCard and NYCE Enter Into Agreement." 2004. www.tgc.com/dsstar/00/0718/101932.html, viewed October 21, 2004.
40 MasterCard RiskFinder. "Solutions." www.fairisaac.com/cgi-bin/MsmGo.exe?grab_id=13&page_id=655872&query=RiskFinder&hiword=RiskFinder+, viewed October 21, 2004.
Three weeks into the trip, Delpha received a call from the card issuer stating that suspicious charges had posted to her credit card, and that the issuer had "flagged" the account as irregular. The charges were for two train tickets to Germany, and for an Austrian corporation doing business as a trailer park in Venice. Delpha knew her daughter had no plans to go to Germany, and that her daughter was "not a trailer park kind of girl." The credit card was placed on hold. When Delpha reached her daughter, she learned that, in fact, the charges were legitimate: her daughter had charged train tickets to Germany for a friend in exchange for much-needed cash, and her visit to Venice to see a major art show was expensive, but the trailer park was an inexpensive place to stay. While the charges were legitimate, the neural network worked as designed: it identified charges that were beyond the threshold established by Delpha's usual purchasing behavior and by the purchases identified as acceptable for her daughter. A false positive of this kind is the price of profile-based scoring, and the issuer's call to the cardholder is the step that resolves it.

IDENTITY THEFT FRAUD: Is He Really Who He Says He Is?

Exactly What is Identity Theft Fraud Anyway?

Law Professor Kurt Saunders has described identity theft as the "crime of the information technology era."41 His definition of identity theft emphasizes the illicit use of another's identity to commit a fraud. The fraud can be anything from obtaining a credit card by using someone else's name, address, and Social Security number on the application for credit, to opening bank accounts, obtaining loans, or signing leases for a car or apartment in the victim's name.42 Simply put, identity theft is taking on the identity of the victim for malevolent purposes.

I'm Careful, Why Should I Worry About Identity Theft?

The significance of the emergence of this technology-enabled crime is that it has quickly become the number one source of consumer complaints to the Federal Trade Commission,43 with credit card fraud as the most common form of identity theft annually since 2002.44 Increasingly, "the weapon of choice is the Internet."45 Since the FTC began tracking identity theft in 1998, there is clear evidence that fraud and identity theft "are already much bigger issues than conventional wisdom suggests."46 David Myron prepared the following chart from FTC data for American Demographics.47

Figure 11: Annual Identity Theft and Fraud Complaints to FTC ("Fraud and Identity Theft Rising"), complaints by calendar year:

Year      Identity theft complaints   Fraud complaints   Total
CY 2001    86,212 (39%)               134,131 (61%)      220,343
CY 2002   161,836 (40%)               242,500 (60%)      404,336
CY 2003   214,905 (42%)               301,835 (58%)      516,740

The data in Figure 11 illustrate that both forms of complaints are growing each year, and that identity theft is growing at a slightly faster rate than fraud. Whereas identity theft accounted for 39% of complaints registered in 2001, it accounted for 42% by 2003, stealing "nearly U.S. $50 billion in ill-gotten gains in the U.S. last year alone."48 This is of concern to more than just the individuals who have their identities stolen. Online sales increase every year, and with the steady growth of fraud and identity theft, the cost of doing business is certain to increase. Staying ahead of the criminals is the concern of those businesses most likely to be affected.

Another finding of interest by Myron is that Gen-Xers, as compared to other age groups, are most victimized by Internet-related identity theft. The chart depicted in Figure 12 is an adaptation of David Myron's analysis of the FTC data.49

[Figure 12: FTC data showing Gen-Xers are most victimized for Internet-related fraud complaints ("Gen-Xers Most Victimized (2003 Data)"). Bars by age group: 19 and under, 20-29, 30-39, 40-49, 50-59, 60-69, 70 and over; axis 0% to 30%. Percentages are based on the total number of Internet-related fraud complaints where consumers reported their age.]

This is of small comfort for those of us who are not of that generation, since it suggests two things. First, since Gen-Xers are more frequent Internet users than their parents, those of us in other generations who regularly shop online are likely at higher risk than others in our own generation. The other thing suggested by this data is that, without intervention, the problem will continue to grow as young, computer-literate children come of age.

Some sources dispute the figures published by the FTC and the claim that identity theft is "the fastest growing crime in America."50 An industry roundtable jointly organized by the Federal Reserve Board and Gartner, Inc. in February 2004 met to try to achieve a consensus definition of identity theft. The American Bankers Association Senior Federal Counsel, Nessa Feddis, claims that identity theft is being exaggerated because all kinds of fraud are being redefined as such. "People call identity theft what they would before have called a stolen check," says Feddis.51 Dennis Behrman, an analyst with Financial Insights, an IDC subsidiary, says, "Identity theft requires sensitive, personal information, such as someone's Social Security number, in effect a unique, lifelong identifier; it isn't just a credit card number being hacked."52

Increasingly, financial industry sources are making a distinction between "account takeover identity theft" and the more common phenomenon of "identity fraud." Identity fraud is being used to describe situations "where elements of a real person's identity—typically their Social Security number—are blended with made-up elements, such as a false name, to open new accounts."53 Behrman notes the importance of this distinction, since in the identity fraud scenario "the person whose identity is stolen isn't going to complain. The individual's credit is not tarnished, so they will never know. Meanwhile, the bank is left holding the bag when the short-lived account is depleted."54

It will be interesting to see how this discussion continues to develop in the coming months and what the consensus will be regarding the definition of identity theft. Those who are critical do not dispute that identity theft is a huge and growing problem. While they disagree with the number of victims, critics like Behrman acknowledge that identity theft will continue to grow in the years ahead. For the purpose of this paper, we are continuing to use the FTC definition, which includes the misuse of an existing credit card account as one form of identity theft.

Notes:
41 Saunders and Zucker, "Counteracting Identity Fraud in the Information Age: The Identity Theft and Assumption Deterrence Act," 148.
42 Ibid.
43 Groves, Shanna, "Protecting Your Identity," Information Management Journal, May/June 2002, 27-31.
44 Ibid., 28.
45 Myron, David, "Stolen Names, Big Numbers," American Demographics, September 2004, 36-38.
46 Ibid., 37.
47 Ibid.
48 Ibid.
49 Ibid., 38.
50 O'Sullivan, Orla, "ID Theft Overstated? Some Think So," ABA Banking Journal, February 2004, 8-10.
51 Ibid., 8.
52 Ibid., 10.
53 Ibid.
54 Ibid.
Table 1: Common places where Social Security numbers can be found56

Armed Forces; Banks; Brokerage Firms; City or County Commissioners of Revenue; Colleges; Continuing Professional Education Providers; Credit Bureaus; Credit Card Companies; Department of Motor Vehicles; Doctors, Dentists, Hospitals, Labs; Employers, Former Employers; Finance Companies; Grocery Stores (check cashing clubs); Health Clubs; Health Insurers; Internal Revenue Service; Investment Service Providers; Landlords; Lawyers; Libraries; Life Insurance Companies; Loan Companies; Mutual Funds; Occupational and Professional Bureaus; Realtors; Retail Stores; Retirement Plans; School Systems; Social Security Administration; State Commissioners of Revenue; U.S. State Department (passports); Utility Companies; Voter Registrars.

What are the Causes and Contributing Factors to Identity Theft Fraud?

When the infamous bank robber Willie Sutton was asked the question, "Willie, why do you rob banks?" he answered, "Because that's where the money is." Perhaps more people would adopt Sutton's outlook if there were not federal laws with steep penalties for robbing a bank. Conversely, the under-prosecution of crimes that facilitate identity theft is a contributing factor to its ubiquity. Identity theft is continuing to grow at an alarming rate according to Bruce Townsend, special agent in charge of the Financial Crimes Division of the Secret Service, because, "Compared to equally profitable crimes involving drug or gun trafficking, the sentencing for identity fraud is much lighter—and those folks are tough to catch."55 The methods used to obtain another person's identifying information are varied, but they can be summed up as falling into the following categories: low-tech, high-tech, or due to human vulnerability.

Low Technology: One Person's Trash is Another Person's Treasure

Similar to the methods used to obtain data for card-not-present fraud transactions, low technology methods for identity theft may stem from a lack of personal responsibility (such as improperly disposing of receipts) as well as from information purloined from paper records not in the cardholder's control. Identifiers including name, address, birth date, and Social Security number can be found in many computer and paper files of the institutions listed in Table 1. While banks and credit card companies such as MasterCard have multiple levels of security to guard against identity theft, not all of the above institutions are as informed and diligent when it comes to safeguarding personal information.

High Technology: Those Who Can't Hack It Go Phishing

Two major high technology causes that contribute to credit card identity theft are phishing and hacking. Phishing, i.e., stealing a corporation's identity and using it to extract personal identity data from individuals,57 has already been discussed in the card-not-present case study. In the context of identity theft, however, the greater the number of pieces of personal information obtained by a fraudster, the greater the chance of full-blown identity theft. The Anti-Phishing Working Group estimates that 5% of consumers will respond to requests to visit phony web sites and enter their account numbers and passwords.

Notes:
55 Bielski, Lauren, "Identity Theft," ABA Banking Journal, January 2001, 27-30.
56 Riordan, Diane A., and Riordan, Michael P., "Who is Harboring Your Number?" Strategic Finance, April 2003, 22-26.
More will be said in the upcoming section on the "Payment Industry Efforts to Combat Identity Theft" about actions that corporations are taking to protect the integrity of their websites and copyrighted logos. A newer phishing scam, "currently spreading online, works without your ever having to click on a hyperlink; all that's required to activate the scam is for you to open an infected e-mail."58 This phishing attack uses the same approach that virus writers take. The scam has been labeled JS/QHosts21-A by an antivirus vendor, Sophos. "The scam involves a Trojan horse that combines with an ActiveX vulnerability in Windows to install itself on your machine invisibly, without warning."59 The Trojan horse makes changes to your Hosts file, so that when you later type in the name of a bank website you are taken to the fraudster's website instead. "They infect you with a Trojan, wait for you to visit a banking site, and then a keylogger grabs your password."60 This scam is currently targeting only banks in Brazil, and up-to-date antivirus software should be able to catch it. But security experts are concerned. Because this approach does not require the creation of a bogus website, there is less work for the hackers, and less chance of there being clues to lead to them. It also exposes the poor security in place at the websites of many banks and financial institutions. "If your bank is using a static user name and password, that's like leaving the key to your house under your doormat," says Jocelyn Bonta, director of communications for Visa's data security. "Using a static password online isn't secure enough anymore."61
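The hosts-file tampering described above is easy to audit for, which is the check a responder would want after cleaning such an infection. The following example is added by the editor and is not from the page's sources: it parses a hosts file in its real syntax and reports every entry that pins a watched bank name to an address. The watched domains and the sample file content are constructed for the illustration.

```python
"""Added example, not from the page's sources: audit a hosts file for the
tampering attributed to the QHosts-style Trojan above, which pins bank host
names to an attacker's server so the browser lands on the fraudster's site
even though the user typed the right name.

Hosts-file syntax is the real one (address, whitespace, one or more names,
optional '#' comment). The watched domains and the sample file content are
constructed for the illustration."""
import ipaddress

WATCHED_DOMAINS = {"myciti.com", "citibank.com"}    # assumed watch list

SAMPLE_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.myciti.com myciti.com   # injected mapping (constructed)
0.0.0.0         ads.example.net             # blocklist sinkhole, harmless
"""


def parse_hosts(text):
    """Return (ip_address, hostname) pairs, ignoring comments and bad lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                      # malformed line; a real audit would log it
        entries.extend((addr, name.lower()) for name in names)
    return entries


def suspicious_entries(text, watched=WATCHED_DOMAINS):
    """Return every hosts entry that pins a watched bank name to an address.

    A bank name should resolve through DNS, never through the local hosts
    file, so any mapping for it is a finding. Loopback or 0.0.0.0 mappings
    are labelled 'sinkhole' (ad blockers use them); anything else is a
    'redirect', which is the pharming case."""
    findings = []
    for addr, name in parse_hosts(text):
        if not any(name == d or name.endswith("." + d) for d in watched):
            continue
        kind = "sinkhole" if addr.is_loopback or addr.is_unspecified else "redirect"
        findings.append({"host": name, "ip": str(addr), "kind": kind})
    return findings


if __name__ == "__main__":
    for finding in suspicious_entries(SAMPLE_HOSTS):
        print(finding)
```

To run it against a real machine, read the file at %SystemRoot%\System32\drivers\etc\hosts on Windows or /etc/hosts on Unix-like systems and pass its contents to suspicious_entries. Note the limit of the check: it catches the redirection, not the keylogger the article also describes, which is why the closing quotation points at one-time or second-factor credentials rather than at the hosts file.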
The technical discussion about this latest form of phishing leads right into the other high-tech method for obtaining information that can be used to perpetrate identity theft: hacking. Hacking can happen on home computers, on merchant sites, and anywhere else where personal information is stored, especially when servers are not set up correctly. One of the methods used to compromise these computers is a method called "ping sweeping," which systematically pings servers until it finds an open port to exploit.[62] A massive number of records were compromised in an August 2004 incident through an intrusion on a computer at the University of California, Berkeley. The computer contained information for a research project involving the personal information of 1.4 million recipients and providers of In Home Supportive Services from the California Department of Social Services. Berkeley IT staff, through the use of intrusion detection software, determined that the database was compromised by hackers. A report in Network World Fusion indicated that "malicious hackers exploited a vulnerability in commercially available database software and compromised the computer, but they don't know if the attack was targeted, speculating that malicious hackers possibly discovered the system by scanning for machines running vulnerable versions of the database software."[63]

Human Vulnerability: The Mission-Critical IT Handlers

Human vulnerability remains one of the most compelling threats to security. Stakeholders should be cautioned against a false sense of security that can be created through the use of technology security systems.
James Bauerle writes that "technology system designers, contractors, administrators, or any others who come in contact with the technology all occupy a position at the center of the hourglass of enterprise information management that affords them unparalleled ability to damage the enterprise if they are so inclined. They should be screened no less rigorously than executive officers trusted to lead the organization."[64] Bauerle goes on to warn that when a destructive force is directed from within the institution, even a thorough set of security policies and procedures, diligently enforced and regularly updated, combined with up-to-date security technology forming a platform for protecting the integrity of the institution and its records, will not be a sufficient defense. He counsels that "it is incumbent upon executives and managers in charge of an institution to take effective physical security precautions, including the deployment of up to date security appliances. Above all else, they must create and sustain an institutional culture that values and promotes critical thinking, high self-esteem and genuine loyalty to the institution."[65] Without this, vulnerability from within exists, because the greatest threat is a trusted person on the inside breaching security to accomplish illicit objectives.[66]

Payment Industry Efforts to Combat Identity Theft Fraud: To Definitively Correspond the User to the Instrument

There are a variety of IT-enabled system security methods, both specific and non-specific to the Payment Industry, that are employed as part of a layered approach to security against ID theft.

Show Me Your ID Please: Identity Authentication Technologies

Generally, identity authentication technologies fall into two broad categories: biometrics and genetic engineering. Biometrics include face recognition, retina scans, fingerprint authentication, voice/speech verification, and handwriting analysis. Face recognition has been studied extensively by the U.S. Department of Defense Counterdrug Technology Development Program Office and the National Institute of Justice. The technology uses a sensor to observe the face and create a biometric signature. A computer algorithm then normalizes the biometric signature, making it the same size, view, and resolution as the other signatures in the database. Finally, a matcher compares the normalized signatures and provides a similarity score.[67] The primary problem with this technology, as with retina scans, is the high cost resulting from the extensive research required to develop it. They are currently regarded, at least in commercial applications, as "an example of a device whose expenses could outweigh the practicality of its use."[68] The other identity authentication technology is genetic engineering. Genetic engineering analyzes the DNA components of human fluids and cells. Besides the high cost factor also involved with genetic engineering, this is an example of a technology that "has been met with ethical concerns by individuals worried about the security and privacy of information collected by these devices."[69]

Smart Cards: What is Your Card's IQ?

Smart cards are credit cards that, instead of (or in addition to) a magnetic stripe on the back of the card, have an embedded CPU or electronic chip. These chips "contain 32-kilobyte microprocessors, capable of generating 72 quadrillion or more possible encryption keys, thus making it practically impossible to fraudulently decode information in the chip."[70] According to Tata Consultancy Services, smart cards offer many advantages over the magnetic stripe technology, including:

- Stores many times more information than a magnetic stripe card.
- Reliable and harder to tamper with than a magnetic stripe card.
- Compatible with portable electronic devices such as phones and personal digital assistants (PDAs), and with PCs.
- Stores highly sensitive data such as signing or encryption keys in a highly secure manner.
- Performs certain sensitive operations using signing or encryption keys in a secure fashion.[71]

The primary reason that smart cards have not replaced magnetic stripe cards is that all of the card readers will have to be replaced. MasterCard and Visa will eventually issue deadlines for compliance for embedding chips in cards and processing the cards. Large investments by issuing banks and merchants will be required to comply with these guidelines, so the process is a slow one.

[58] Bielski, Lauren, "Striving to Create a Safe Haven Online," ABA Banking Journal, May 2003, 53-59.
[59] Ibid.
[60] Ibid.
[61] Ibid.
[62] O'Sullivan, Orla, "Gone Phishing," ABA Banking Journal, November 2003, 7-8.
[63] http://msn.pcworld.com/news/article/0,aid,118489,00.asp, viewed November 19, 2004; http://www.nwfusion.com/news/2004/1020califdisc.html, viewed October 25, 2004.
[64] Bauerle, James F., "Golden Eye Redux," The Banking Law Journal, March 2003, p. 11.
[65] Ibid., 14.
[66] Ibid., 6.
[67] Groves, "Protecting Your Identity," p. 28.
[68] Ibid., 29.
[69] Ibid., 28.

Let's Share: Issuers Clearinghouse

Issuers' Clearinghouse is a joint project between MasterCard and Visa designed to detect fraudulent and high-risk credit card applications.[72] Every MasterCard and Visa application is run through this site to validate
and track addresses, phone numbers and Social Security numbers used in credit applications. If multiple applications are processed for any of the same identifying information, the applications are flagged and investigated. This service is one of the oldest forms of fraud detection used by MasterCard.

Good Fences Make Good Neighbors: General System Security Starts With a Perimeter

The Payment Industry and issuing banks use a layered approach to security (perimeter, app-layer protection, intrusion detection, use of various monitoring tools) because threats are varied, and no environment works as well as it should, in theory.[77] This strategic approach is not unique to the Payment Industry, but rather is standard for all businesses that use a strategic approach to security. Many industries are now appointing privacy officers who play a strategic role in creating information privacy policies to prevent identity theft. Many of the information managers' responsibilities dovetail with prevention measures: creating retention schedules, properly tracking and filing information, and training staff on information management procedures. The information manager "may assume some or all of a privacy officer's identity protection duties."[78] Information managers and privacy officers should be the ones who step in and help the company understand the laws regarding privacy and security. They also need to train each individual employee on privacy and security. Gary Clayton, Founder and Chairman of the Privacy Council, points out that "Privacy and security do not work if you do not have top-level buy-in. Information managers might very well be the key people within the organization to help accomplish this."[79] Increased security to prevent identity theft is one of the key challenges facing MasterCard. Glover T. Ferguson, Chief Scientist with Accenture, offers this advice: "Rather than positing security as a hurdle to overcome, companies should view their customers' privacy needs as an opportunity through which they can differentiate themselves as trust leaders, increase their financial value and even energize entire economies."[80]

What's in a Name? NameProtect®

NameProtect® is a MasterCard monitoring service that continuously scans and monitors the Internet. This service watches all gTLDs[73] and ccTLDs,[74] new registrations and activations. "NameProtect® detects Web sites, emails, chat rooms and other electronic venues where personal credit card data is published, sold or traded."[75] Through this program, phishing sites are often shut down within hours of their appearance on the Web. In the case of "Operation Firewall," NameProtect® was an invaluable tool in identifying and then tracking illegal activity.

Case Study: "Operation Firewall." MasterCard International Senior Vice President of Security Risk Services, Sergio Pinon, noticed a suspicious level of activity last November in certain chat rooms and websites known to specialize in credit card and identity document trafficking. He contacted the authorities with his suspicions and worked with them to set up a sting, code-named Operation Firewall. The operation was conducted by the U.S. Secret Service, the Justice Department, Homeland Security, the Royal Canadian Mounted Police, and Europol. It targeted 21 suspects in the United States and seven others in six other countries. Arrests were made on both sides of the Atlantic on October 29, 2004, charging 28 people with stealing, selling, and forging credit card and identification documents including drivers' licenses, birth certificates, and foreign and domestic passports. Authorities claimed that the suspects were "responsible for running Web sites that investigators said served as online bazaars for hackers and identity thieves."[76] Investigators say that the suspects bought or sold 1.7 million stolen credit card numbers operating on Internet servers in Belarus, Canada, Sweden, and Ukraine.

[70] Bhatla, Tej Paul, Vikram Prabhu, and Amit Dua, "Understanding Credit Card Frauds," Tata Consultancy Services, 21.
[71] Ibid.
[72] https://www.merchantconnect.com/CWRWeb/glossary.do?glossaryLetter=i, viewed October 30, 2004.
[73] Generic Top Level Domains, e.g., ".com" or ".edu".
[74] Country code Top Level Domains, e.g., ".us" for the United States, or ".ca" for Canada.
[75] http://www.nameprotect.com/html/services/id_theft/credit_card.html, viewed October 30, 2004.
[76] Krebs, Brian, "28 Identity Theft Suspects Arrested in Transatlantic Sting," The Washington Post, October 29, 2004.
[77] Bielski, "Striving to Create a Safe Haven Online," 58.
[78] Groves, "Protecting Your Identity," 31.
[79] Ibid.
[80] Myron, "Stolen Names, Big Numbers," 38.

WE'RE FROM THE GOVERNMENT, WE'RE HERE TO HELP: Legislative Efforts to Combat Credit Card Fraud

Identity Theft and Assumption Deterrence Act of 1998

This is the seminal piece of legislation in the fight against identity theft.
When The Identity Theft and Assumption Deterrence Act passed in 1998, no court had yet classified a person's identity as intangible personal property.[81] "Nothing in the existing federal statutory scheme specifically prohibits a person from illegally assuming the identity of another individual without first obtaining false documents but with the intent to engage in fraud-related activity."[82] Federal law at the time prohibited the use and transfer of false identification (a felony), but card-not-present crimes committed over the Internet fell through the legal cracks. Key provisions of this legislation included:

- Expressly criminalized identity theft
- Classified private citizens as direct victims of such conduct
- Allowed individual restitution to victims in restoring credit records
- Added identity theft to the U.S. Sentencing Guidelines Manual
- Allowed corporal and financial sanctions by judges at sentencing
- Directed the Federal Trade Commission to establish a centralized clearinghouse to record and track complaints and to provide consumer education
- Instructed the FTC to implement procedures for referring complaints to the three major national consumer-reporting agencies (Experian/TRW, Transunion, and Equifax) and to channel complaints to respective law enforcement agencies
- Directed the FTC to establish procedures for educating the public[83]

When President Clinton signed the Act into law, he said "as we enter the information age, it is critical that our newest technologies support our oldest values."[84]

Privacy Act of 2001

Congressional hearings found that the inappropriate display, sale, or purchase of Social Security numbers is a contributing factor to a range of illegal activities including card-not-present fraud and identity theft.
"The Privacy Act of 2001 requires that companies obtain consumers' express consent prior to sharing or selling sensitive information such as Social Security numbers and nonpublic personal financial information."[85]

Consumer Privacy Protection Act (2002)

This legislation placed requirements on data-collection organizations to provide remedies in the case of identity fraud.[86]

Identity Theft Prevention Act (2003) & Social Security Number Misuse Prevention Act (2003)

Between 2002 and 2003, "reflecting the nation's ongoing concern, at least 50 bills concerning information privacy were introduced in Congress."[87] Each bill further refines previous legislation and attempts to address areas still needing sharpening. These two pieces of 2003 legislation permit legitimate business and government use of Social Security numbers, but ban the sale and display of the numbers "without the expressed consent of the individual." They prohibit the government from displaying Social Security numbers on "public records posted on the Internet or issued to the public through electronic media." They also limit when businesses may require customers to provide their Social Security numbers.[88]

Fair and Accurate Credit Transactions Act of 2003

This legislation is another sweeping attempt to take a variety of steps to stem the increasing growth of card-not-present fraud and identity theft. Provisions include:

- Requires that merchants and bankers truncate account numbers on electronic credit and debit card receipts to print no more than the last 5 digits of the account number.
- Requires credit and debit card issuers to verify the address of the consumer if a request for a new card on an existing account is received within 30 days of a change of address.
- Allows consumers to place "fraud alerts" in their credit files, obligating the consumer reporting agencies to verify that the consumer and not a fraudster is opening an account or obtaining a loan.
- Requires the consumer to call only one credit bureau to notify all three.
- Requires regulators to develop a list of "red flag" indicators to identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft, in order to prevent fraudulent activity before it can cause major damage to a consumer's credit file.
- Allows consumers to request a free credit report once a year to review for inaccuracies or unauthorized activity.[89]

The Identity Theft Penalty Enhancement Act

This is a 2004 law that establishes a new crime of "aggravated identity theft," defined as using a stolen identity to commit other crimes. Convictions for aggravated identity theft carry a mandatory two-year prison sentence.[90]

Anti-Phishing Act of 2004

Introduced by Senator Patrick Leahy in July, this legislation targets the entire scam, all the way from sending the email to creating fraudulent sites. "The Act is smart because it criminalizes the bait—not just successful phishing. It makes it illegal to knowingly send out spoofed email that links to sham websites, with the intention of committing a crime. And it criminalizes the operation of the sham websites that are the tools of the wrongdoing."[91] Though it is smart, this law will not eradicate the problem of phishing, since many phishers send their emails from other countries, and it is difficult to prosecute offshore crime.

[81] Saunders and Zucker, "Counteracting Identity Fraud in the Information Age: The Identity Theft and Assumption Deterrence Act," 187.
[82] Ibid., 186.
[83] Ibid., 188-189.
[84] Ibid., 190.
[85] Heller, Jason, "New Senate Privacy Bill Addresses Personally Identifiable Information," Intellectual Property & Technology Law Journal, September 2001, 31-32.
[86] Rodin, "Who Has Your Number?" 24.
[87] Ibid.
[88] Ibid.
[89] http://frwebgate.access.gpo.gov/cgi-bin/useftp.cgi?IPaddress=162.140.64.21&filename=h2622eas.pdf&directory=/diskb/wais/data/108_cong_bills, viewed October 25, 2004.
[90] Ramasastry, Anita, "The Anti-Phishing Act of 2004: A Useful Tool Against Identity Theft," FindLaw's Writ Legal Commentary, August 16, 2004, 1-4.
[91] Ibid., 4.
[92] "How Can I Protect My Customers From Identity Theft?" Colorado Attorney General: ID Theft Prevention & Information, www.ago.state.co.us/idtheft/clients.htm, viewed November 3, 2003.

BEST PRACTICES: Don't Be Part of the Problem

Fighting credit card fraud and identity theft is not solely the domain of the credit card systems. Virtually any person, business, or governmental agency can add to the fraud problem if they are not careful in handling and protecting account and private identifying information. Best practices follow a holistic approach, flowing from general guidelines for all industries and government entities, through IT-specific guidelines, down to the individual participants in the credit card systems: consumers, merchants, acquirers and their processors, issuers and their processors, and the payment systems themselves.

Become Part of the Solution! Best Practices for All Industries and Governmental Agencies

As discussed, criminal elements must gain access to account and private identifying information to perpetrate their fraudulent activities. Their jobs are all too easy because of a general lack of control over the data. Businesses and governmental agencies must take actions to protect their employees, customers, and constituents from identity theft. Some specific guidelines are:[92]

- Ask only for the bare minimum amount of information necessary to conduct business. While employers obviously need to keep Social Security numbers of their employees on file, very few businesses or governmental agencies need the Social Security numbers of their customers or constituents.
- Do not use Social Security numbers as identifiers. Doing so risks putting them in the public domain. Using Social Security numbers for purposes such as driver's license numbers, insurance identification numbers, or patient record numbers makes it far easier for identity thieves to get the information.
- Regularly check backgrounds of employees who have access to private identifying information, and not just when they are first hired. Simple, periodic criminal records and credit checks will identify employees who may be at higher risk of succumbing to the financial gains possible from stealing account numbers and private identifying information.
- Define a privacy policy and communicate it to your customers and employees. The policy should describe what information the business or agency collects, what they do to protect it, how they may share the information with other parties, and how they destroy the information when it is no longer needed.
- Protect sensitive paper information like payment card numbers, Social Security numbers, and other private customer identifying data. Secure records in a vault or under lock and key. Restrict access only to persons with a legitimate need to know. Shred records when they are no longer needed. Immediately report security breaches to affected customers and law enforcement.
- Conduct a risk assessment for impact from loss or disclosure of business data.
Identify areas of concern for the business or agency, and evaluate the likely amount of damage or disruption based on the assigned level of risk. Table 2 depicts example areas of concern, and typical damage assessments for three levels of risk: low, medium, and high. Once completing the risk assessment, the business or agency should design record retention policies and physical access controls that are appropriate based on the assessed risks of loss or disclosure.[93]

Table 2: Example Risk Assessment areas of concern and damage assessment (rows: Business Disruption, Legal Impact, Financial Impact, Health & Safety Impact, Effort to Restore; columns: Low, Medium, High; cell values only partially recovered)

You Only Thought You Knew It All Already?! Best Practices For IT Practitioners

Since most businesses and governmental agencies these days use IT-based solutions for record keeping and customer relationship management, it is incumbent on IT organizations to implement and follow best practices for protecting the enterprise from attacks. PC Magazine[94] and the Carnegie Mellon Software Engineering Institute's (SEI) CERT® Coordination Center[95] outline the following best practices for IT security:

- Use physical firewall devices and anti-virus, anti-spyware, and access control software to protect networks and computers from external attacks. While each type of protection alone provides some measure of security, all are needed to fully secure networks, servers, and personal computers.
- Keep operating system and security software up-to-date with the latest security patches from the software vendors.
- Define policies for strong passwords and require users to change them frequently. Discourage passwords that are too easily guessed, such as those based on easily collected personal information, but don't require passwords so difficult to remember that employees must write them down. Replace default passwords and disable guest accounts too.
- Monitor network, firewall, web server and PC security logs for signs of any abnormal behavior. A higher than usual number of invalid user id or invalid password log entries might indicate someone is attempting to hack into the network or server.
- Frequently monitor security information websites for breaking information about new threats and best practices (e.g., CERT® Coordination Center).
- Protect sensitive electronic information like private customer identifying data and account numbers. Restrict data access rights to only those persons and systems with legitimate needs to know, and consider encrypting sensitive information housed in databases.
- Segregate sensitive data on separate servers from web servers to provide an additional layer of protection against external attacks. Otherwise, a hacker who defeats the security on your web site has immediate access to your database. Keeping the data separate requires hackers to work harder and longer, and may give you just enough time to detect their activities.

[93] "Network Security Policy: Best Practices White Paper," Cisco Systems, www.cisco.com/warp/public/126/secpol.html, 2, viewed November 2, 2004.
[94] "Web Server Security Best Practices," PC Magazine, www.pcmag.com/article2/0,4149,11525,00.asp, viewed November 2, 2004.
[95] CERT® Security Improvement Modules, CERT® Coordination Center, www.cert.org/security-improvement, viewed November 2, 2004.

Only You Can Prevent Fraud! Best Practices For Consumers

A diligent, informed, aware consumer can take responsibility for protecting himself or herself from many low-technology fraud opportunities. Suggestions from MasterCard and Canada's public safety watchdog include:[96][97]

- Only give payment account numbers or personal identification information to companies you have contacted
- Challenge businesses that ask for personal identification information about why they need to know
- Avoid saying information over the phone when others may hear
- Do not carry unnecessary payment cards or identification papers (e.g., Social Security card, birth certificate) in your wallet or purse
- Do not use your SSN for your driver's license or other identification cards
- Keep track of receipts for payment card transactions
- Shred receipts and account statements having full account numbers, and the unsolicited credit card and loan applications you receive in the mail
- Cancel unused credit card accounts
- Keep a list of all of your payment card account numbers along with the issuers' names and contact numbers so you can cancel them quickly if lost or stolen
- Use firewall, anti-virus, and anti-spyware software on your PC
- Keep your PC operating system and security software up-to-date with the latest security patches from your vendors
- Be suspicious of emails and websites requesting private information
- Verify URLs and make sure websites are secure before entering account numbers and personal private identifying information
- Be careful when locating websites through search engines to ensure you have found the legitimate site
- Call the company if you are unsure of the validity of a website

There's More to Business Than Collecting Bags of Money! Best Practices For Merchants

Merchants are charged with employing the latest IT-enabled cardholder authentication technologies and applicable credit card system rules to ensure secure financial transactions.
Examples of these include:[98]

Card Present

- Check that the embossing on the card extends into the hologram
- Check the hologram and indent printing
- Compare the signature on the card to the one on the sales draft
- Check that the magnetic strip appears authentic
- Call for a "Code 10" authorization if something doesn't "feel" right

Card-not-Present

- Use address verification systems to check the account holder's billing address
- Implement SecureCode and Verified by Visa services
- Include card verification values/codes in authorization messages (but do not store them in your database)
- Require complete customer contact and payment information before completing an order
- Process transactions in real-time
- Keep the customer on the website until the payment card is authorized and the sale is completed
- Monitor international transactions
- Employ rules-based systems to screen and detect suspicious order activity
- Maintain negative databases of fraudulent orders and offenders, and positive databases of trusted returning customers
- Adopt MasterCard's Best Practices for eCommerce websites
- Have a Site Data Protection audit done on your eCommerce website

[96] "Best Practices for Preventing Online Identity Theft," Public Safety and Emergency Preparedness Canada, www.ocipep-bpiepc.gc.ca/opsprods/info_notes/IN04002_e.asp, viewed November 2, 2004.
[97] "Tips for Preventing Payment Card Fraud," MasterCard International, www.mastercardinternational.com/newsroom/security_risk.html, viewed October 22, 2004.
[98] "Preventing Fraud: Fighting Fraud is a Shared Responsibility," MasterCard International, www.mastercardmerchant.com/preventing_fraud, viewed October 28, 2004.

The Last Line of Defense: Best Practices For Issuers and Issuing Processors

Issuers and their processors are accountable and liable for the actions of their cardholders. In addition to implementing the industry and IT best practices described above, issuers should consider adopting the following best practices to protect themselves and their cardholders:

- Monitor cardholder purchase and cash velocity for drastic changes. Significant increases in the number of uses or the accumulated spending amount over a short period of time may indicate that a card was lost, stolen, or was otherwise compromised. Issuers should contact the cardholder to ensure the uses are legitimate, and consider temporarily blocking a card if they are unable to contact the cardholder in a reasonable amount of time.
- Use behavioral model/neural network software such as MasterCard's RiskFinder product to detect fundamental changes in cardholders' behaviors. As with velocity changes above, investigate significant changes and consider temporary blocks to mitigate exposure.

Protect Yourself From Your Merchants! Best Practices For Acquirers and Acquiring Processors

Acquirers and their processors are accountable and liable for the actions of their sponsored merchants. In addition to implementing the industry and IT best practices described above, acquirers should consider adopting the following best practices to protect themselves and their merchants:

- Provide merchants with access to security features developed by the credit card systems, and compel them with contracts and pricing incentives to use the features. Security features such as MasterCard's Address Verification Service and SecureCode go a long way to protect merchants and prevent fraudulent activity.
- Monitor merchant deposit velocity for unexpected increases in deposits. While a significant spike in a merchant's deposits may be due to nothing more than a sale or improving business conditions, it could indicate a merchant who has an employee who is colluding to commit fraud. Acquirers should consider freezing funds for excess deposits until they can investigate the suspicious activity.
- Check and report each merchant's termination history. Before contracting with a new merchant to begin accepting credit card transactions, acquirers must check out the merchant's history using MasterCard's Merchant Online Status Tracking system. Any "hits" must be investigated. Acquirers also must report merchants who were terminated for cause, such as for violating association rules, or for having excessive fraudulent activity.

Protect Your Brand! Best Practices For Payment Companies

Payment companies are the ultimate guarantors of the credit card systems. Companies like MasterCard, Visa, and American Express work hard to protect consumer confidence in their brands. Credit card fraud and identity theft represent serious challenges and could quickly erode consumer confidence in the system if left unchecked. In addition to implementing the industry and IT best practices described above, the payment companies adopt the following best practices to protect themselves and their constituents:

- Monitor to detect shifts in types and volumes of fraudulent activity. The dynamics of fraudulent activity are constantly changing. Criminal elements are adept at finding and exploiting new weaknesses. The pervasiveness of information sharing on the Internet permits information about new weaknesses to be quickly broadcast to hackers and crime organizations. New schemes for attacks start with a trickle of activity, and quickly change to a deluge.
• Cooperate with each other on research to develop new fraud detection and prevention mechanisms. Continue research on emerging technologies that authenticate the card, the account number, and the cardholder to the card.

• Continue to create, refresh and enforce security standards to adapt to the dynamic nature of fraud. Adaptation is the key to survival of the fittest: the payment companies best able to adapt will shed attackers, who will then focus on weaker victims.

CONCLUSION

Fraudulent credit card activities present unique challenges for MasterCard and other credit card companies, for the financial institutions that issue cards and process credit card transactions, for merchants, and for consumers. Criminals find creative ways to capture private cardholder account and identification information, and the credit card industry spends millions of dollars annually searching for ways to detect and prevent them. MasterCard International has licensed security measures designed to combat the significant threats posed by card-not-present and identity theft credit card fraud, and has corporate functions aimed at detecting and capturing emerging types of credit card fraud. Fighting credit card fraud is also the responsibility of the cardholder, however. To counter the growing threats posed by credit card fraud and identity theft, it is critical that every participant in the credit card transaction flow assume responsibility for protecting and monitoring personal and financial information.
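The issuer-side rule above (monitor cardholder purchase and cash velocity) and the acquirer-side rule (monitor merchant deposit velocity) are the same mechanism applied to different keys and thresholds: count and amount in a trailing time window, plus a comparison of today's running total against the key's own history. The following is an added worked example and is not code from the paper or from MasterCard; the account and merchant identifiers, timestamps, amounts and thresholds are constructed assumptions chosen so that each rule fires once.

```python
"""Sliding-window velocity monitor for cardholder purchases or merchant deposits.

Constructed example, not MasterCard's or the paper's code. Thresholds, ids and
the sample events are assumptions chosen to exercise each rule.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass(frozen=True)
class Event:
    ts: datetime      # authorization or settlement time
    key: str          # cardholder account reference or merchant id (hypothetical)
    amount: float     # transaction or deposit amount


@dataclass(frozen=True)
class Alert:
    key: str
    ts: datetime
    reasons: tuple    # which rules fired
    count: int        # events in the trailing window, this one included
    total: float      # amount in the trailing window, this one included


class VelocityMonitor:
    """Flags a key whose count or amount in a trailing window exceeds an absolute
    limit, or whose running daily total exceeds spike_ratio times its own mean
    daily total over earlier days (only once min_baseline_days of history exist)."""

    def __init__(self, window: timedelta, max_count: int, max_amount: float,
                 spike_ratio: float = 3.0, min_baseline_days: int = 3):
        self.window, self.max_count, self.max_amount = window, max_count, max_amount
        self.spike_ratio, self.min_baseline_days = spike_ratio, min_baseline_days
        self._recent = defaultdict(deque)                      # key -> (ts, amount) in window
        self._daily = defaultdict(lambda: defaultdict(float))  # key -> date -> amount

    def observe(self, ev: Event):
        """Events must arrive in time order. Returns an Alert or None."""
        q = self._recent[ev.key]
        q.append((ev.ts, ev.amount))
        while ev.ts - q[0][0] > self.window:   # evict events older than the window
            q.popleft()
        count, total = len(q), sum(a for _, a in q)
        reasons = []
        if count > self.max_count:
            reasons.append(f"count {count} > {self.max_count} in {self.window}")
        if total > self.max_amount:
            reasons.append(f"amount {total:.2f} > {self.max_amount:.2f} in {self.window}")

        # Baseline rule: today's running total against the mean of earlier days.
        day = ev.ts.date()
        history = [v for d, v in self._daily[ev.key].items() if d < day]
        today = self._daily[ev.key][day] + ev.amount
        if len(history) >= self.min_baseline_days:
            baseline = mean(history)
            if today > self.spike_ratio * baseline:
                reasons.append(f"daily total {today:.2f} > {self.spike_ratio}x baseline {baseline:.2f}")
        self._daily[ev.key][day] = today

        return Alert(ev.key, ev.ts, tuple(reasons), count, total) if reasons else None

    def scan(self, events):
        """Sort by time, run every event through observe(), return the alerts raised."""
        return [a for a in map(self.observe, sorted(events, key=lambda e: e.ts)) if a]


T0 = datetime(2008, 11, 1, 9, 0)   # constructed start of the sample period


def _cardholder_events():
    """Constructed authorizations: card-A is steady; card-B is steady for three
    days, then runs up six purchases of 180 within twelve minutes on day four."""
    events = []
    for day in range(4):
        for hour in (0, 4):                       # 09:00 and 13:00 each day
            events.append(Event(T0 + timedelta(days=day, hours=hour), "card-A", 40.0))
            if day < 3:
                events.append(Event(T0 + timedelta(days=day, hours=hour), "card-B", 35.0))
    burst = T0 + timedelta(days=3, hours=11)
    events += [Event(burst + timedelta(minutes=2 * i), "card-B", 180.0) for i in range(6)]
    return events


def _merchant_events():
    """Constructed daily settlement deposits: merchant-M1 grows modestly;
    merchant-M2 deposits 1,000 a day for four days, then 9,000 on day five."""
    events = []
    for day in range(5):
        ts = T0 + timedelta(days=day, hours=8)
        events.append(Event(ts, "merchant-M1", 1000.0 + 50 * day))
        events.append(Event(ts, "merchant-M2", 9000.0 if day == 4 else 1000.0))
    return events


def run_demo():
    """Issuer-side and acquirer-side runs; returns {key: [alerts]}."""
    issuer = VelocityMonitor(window=timedelta(hours=1), max_count=4, max_amount=500.0)
    acquirer = VelocityMonitor(window=timedelta(days=7), max_count=100, max_amount=50_000.0)
    out = defaultdict(list)
    for alert in issuer.scan(_cardholder_events()) + acquirer.scan(_merchant_events()):
        out[alert.key].append(alert)
    return dict(out)


if __name__ == "__main__":
    for key, alerts in run_demo().items():
        for a in alerts:
            print(key, a.ts.isoformat(), "; ".join(a.reasons))
```

The absolute limits catch a burst inside one window (the lost-or-stolen-card pattern the issuer passage describes); the baseline rule catches a day that is out of line with the key's own history (the acquirer's deposit spike), and it deliberately stays silent until enough history exists so a new merchant or new card does not alert on its first days. In production the per-key history would come from a store rather than memory, and an alert would feed the contact-the-cardholder or freeze-funds steps the text recommends rather than a print.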