
Fiserv_Fraud Prevention

Debit Card Fraud:
A Roadmap to Managing Risk

INTECH Client Conference

JB Rambaud – Executive Vice President
Chief Security & Risk Officer
  Key Questions to Ask Ourselves

• What is the debit climate and the new world of fraud?

• What is the impact of fraud?

• How do you prepare?




  Debit Fraud Trends

• PIN and signature debit transaction volumes showed a
  significant increase in 2006 with signature growth
  outpacing PIN (20.3% vs. 15.7%)
   – Between 2004 and 2005, industry-wide debit issuers’ net losses
     increased 21% from $546MM to $662MM
   – Signature-based losses increased 28% in 2005 while PIN-based
     losses (ATM and POS) increased 17%
   – Issuers rated CVV/CVC checking, neural networks, and
     international transaction blocks as the most effective tools for
     reducing fraud losses




   Source: Dove Consulting, 2007 Debit Issuer Study




  Fraud: The New World
• Attacks are highly sophisticated
• Fraudsters know what they are after
• Significant increase in counterfeit fraud
   –   Phishing
   –   Key logging
   –   Skimming
   –   Merchant data breaches
• Market for things bought, sold and advice
• Ease of technology and access




U.S. Issuer Fraud Types
    Compromised full track data; CVV or CVV2 is a key
      driver of counterfeit and card-not-present fraud




 Source: Visa
Fraud Trends
How are the fraudsters getting sensitive data?
• Skimming
• E-Commerce Content
• False Association
• Phishing
• Rock Phishing
• Physical Theft
• Brandjacking
• Pay-Per-Click
• Cybersquatting
• Offensive Content
• Domain Kiting
• Hacking
• Key Logging


  Fraud Trends Posing the Greatest Risk
  to Financial Institutions
• Phishing threats increased 104%
    – Phishing incidents increased in Q1 2007 by 104% compared to Q1
      2006, indicative of the adaptive nature of phishers
• Phishing attacks against financial institutions outnumber auction
  attacks
    – Phishing attacks against financial services companies, including
      large banks as well as credit unions, represent 41% of all phishing
      attacks in Q1 2007, compared to 29.4% in Q1 2006
    – Attacks on online auction brands fell below those against financial
      institutions for the first time, representing 38% in Q1 2007
• Financial institutions are the primary target of kiters
    – A four-week average of financial kiting targets reveals more than
      980 kited sites targeting financial brands, more than double that of
      any other segment
    – Kiting is the fastest growing form of abuse with the number of
      incidents increasing 242% from Q1 2007 to Q2 2007


   July 2007, Brandjacking Index, MarkMonitor
CyberCrime
Typical Costs of Goods and Services in Forums
Service                                                 Cost
Bank information for credit card issuing institution    FREE
Birth certificate                                       $150
Change billing data                                     $80, $300
Credit card w/PIN                                       $500
Credit card w/security code & expiration date           $7, $25
Driver’s license                                        $150
Fee to escrow agent                                     4% to 8% of deal
PayPal account logon and password                       $7
Social Security card                                    $100
Trojan Program to transfer funds                        $1000, $5000



Source: USA Today – 10/12/06
  Latest Data Breaches
  September 2007
• Sept 1: Johns Hopkins Hospital had a computer stolen that
  contained patient information including addresses and SSNs
  for over 5,700 patients
• Sept 4: Pfizer experienced a security breach that may have
  compromised 34,000 employees’ personal data including
  birthdates, SSNs, addresses, and credit card numbers
• From Sept 4 – Sept 14: Over a dozen colleges and
  universities throughout the nation have experienced data
  compromise from hackers, phishing schemes, social
  engineering, and stolen equipment
• Sept 9: Two computers were stolen from McKesson
  Healthcare which has compromised thousands of patients’
  personal information
  http://www.privacyrights.org/ar/ChronDataBreaches.htm



  Latest Data Breaches
  September 2007 (continued)
• Sept 11: Two computers containing mental health records of
  over 300,000 patients and SSNs of over 2,000 employees
  were stolen from the Pennsylvania Public Welfare
  Department
• Sept 12: A TennCare / AmeriChoice Inc. courier lost personal
  information (addresses, SSN, DOB, etc.) of over 67,000
  people
• Sept 13: Voxant.com online ecommerce store server was
  hacked compromising credit card information for 4,500 people
• Sept 14: TD Ameritrade Corp had one of its databases
  hacked and the contact information for 6.3 million customers
  was stolen
  http://www.privacyrights.org/ar/ChronDataBreaches.htm




    “Pain Points” in the Industry
•   Market dynamics
    – Consumer perception - “fraud factor”
    – Issuers bearing burden of fraud loss
    – Rising cost of security and risk management solutions
    – Need for industry collaboration, standards and accountability –
      PCI impacts
    – Ongoing National Data Breach Bill debate
•   The realities of fraud
    –   Detection is key
    –   Response time essential
    –   A balanced defense is the best defense
    –   An understanding of controls is critical
    –   One solution will not fit all
    –   Dynamic environment



    The Risk Climate
• Consumers love their debit card
•   Debit card fraud is here to stay
•   Card compromise impact, regulations and debate
•   Fact vs. fiction and reality vs. perception
•   Issuers bearing the burden
•   Consumer perception - impact of the “fraud factor”




  How Do We Prepare?

• Develop comprehensive risk management strategies
  and programs

• Increase investment in the “right” risk management and
  security solutions

• Rethink the role of the cardholder




  Risk Strategy Considerations
• Key ingredients
   – Detect
   – Respond
   – Protect
• Must be able to evolve to changing conditions
• Quantifiable results
• “It takes a village”




Risk Management Best Practices

Mitigation Strategy   Minimal    Basic             Advanced        Premier
Types of Controls     Internal   Card Management   Authorization   Predictive & Proactive

Solutions




The Product Evolution
Enhancing Core Principles

Protect Better
 – Enhance business rule driven solutions
 – Evolve from cardholder behavior to transaction-based analytics

Detect Quicker
 – Neural Network Intelligence
     • Real-time scoring & decision making
     • Integration of Card Association scores
     • Offer exception/travel

[Diagram labels: Protect; Stop fraud before it happens; Reduce the impact of loss; Identify fraud when it occurs]




• Respond faster
• Utilize technology for communication & alerting


    Detecting Potential Fraud
    Added Value Controls
• Neural Network Fraud Detection
•   Compromised Card Tracking
•   Neural Network Real-Time Decisioning
•   Authorization Level Transaction Blocking
•   Risk Office




  Predicting Risk
• Neural Network Fraud Detection
   – Using transaction, industry, cardholder and merchant data to
     forecast the likelihood of fraud
   – Determines fraud potential on all ATM and POS cardholder
     transactions
   – The higher the score, the higher the likelihood of fraud
   – Financial institution specifies the threshold at which an action is
     taken
   – Reporting provides data to analyze trends and determine areas
     of high risk




  Cost Effective Decisioning
• Compromised Card Tracking
  –   Manages Visa and MasterCard compromised alerts
  –   A severity indicator is assigned based on data compromised
  –   Reporting of compromised transaction data with a severity
      indicator assists with monitoring card activity
  –   Reduces the costs of blocking and re-issuance of cards




  Pro-Actively Detecting Fraud
• Neural Network Real-Time Decisioning
   – Predicts the likelihood of fraud during the authorization process
   – Transactions will be scored in real-time based on pre-defined
     criteria
   – Financial institution can define real-time coverage
   – Transactions can be referred or denied based on pre-defined
     scoring thresholds
   – Reduces fraud potential by allowing suspect transactions to be
     stopped before they are approved




  Rule-Based Protection
• Authorization Level Transaction Blocking
   – Applying rules to block transactions deemed as high risk
   – Blocks activity originating from foreign countries, specific
     merchants, or merchant category codes at the BIN or
     cardholder level
   – Allows out of reach or traveling cardholders to be exempt from
     denials and inconvenience
   – Mitigates risk on known fraud patterns and stops the transaction
     from approving
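
The authorization flow described on this slide and the preceding real-time decisioning slide, as an added sketch that is not Fiserv's implementation: blocking rules at BIN or cardholder level run first, a travel exemption lifts only the country block, then score thresholds refer or deny. All names, the 0-999 score scale, the threshold defaults and the sample card numbers and codes are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Txn:
    pan: str          # card number (constructed test values below)
    country: str      # merchant country code
    mcc: str          # merchant category code
    merchant_id: str
    score: int        # fraud score, higher = more likely fraud (0-999 assumed)

@dataclass(frozen=True)
class BlockRule:
    scope: str                        # "bin" (card-number prefix) or "card" (full number)
    key: str
    countries: frozenset = frozenset()
    mccs: frozenset = frozenset()
    merchants: frozenset = frozenset()

    def match(self, t, country_exempt):
        in_scope = t.pan.startswith(self.key) if self.scope == "bin" else t.pan == self.key
        if not in_scope:
            return None
        if t.country in self.countries and not country_exempt:
            return "country"
        if t.mcc in self.mccs:
            return "mcc"
        if t.merchant_id in self.merchants:
            return "merchant"
        return None

def decide(t, rules, travel_exempt, refer_at=700, deny_at=900):
    """Return (action, reason). Blocking rules run first, then score thresholds."""
    # A travel exemption lifts only the country block for that card and country;
    # MCC/merchant blocks and the score thresholds still apply.
    exempt = (t.pan, t.country) in travel_exempt
    for r in rules:
        hit = r.match(t, exempt)
        if hit:
            return "DENY", f"rule:{r.scope}:{hit}"
    if t.score >= deny_at:
        return "DENY", "score"
    if t.score >= refer_at:
        return "REFER", "score"
    return "APPROVE", "none"

# Constructed sample configuration: "ZZ" is a placeholder country code.
RULES = [
    BlockRule("bin", "400000", countries=frozenset({"ZZ"})),
    BlockRule("card", "4000000000000002", mccs=frozenset({"7995"})),
]
TRAVEL_EXEMPT = {("4000000000000001", "ZZ")}
```

Keeping the exemption scoped to the country rule means an exempted traveler whose card scores above the deny threshold is still stopped.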




  Risk Office
• Risk Office - Silver Service Level
   – 8 x 5 Fraud Investigation Center
   – 8 x 5 Risk Expert Investigation Support
       • Responds immediately for risk investigation to any request, risk threats /
         events, or flash fraud activity
   – 8 x 5 Support: email / phone
       • Second-line Call Center support
       • Ticket workflow management
       • End-to-End Incident Management reported by clients
   – Annual Risk Health Assessment
   – Fraud Scoring, Threshold, and Case Management
       • Score monitoring; comparing client performance to overall performance
       • Advise and implement case create and restrict thresholds
   – Transaction Blocking Management
• Risk Office - On Demand Service Level
   – “Your A La Carte Risk Center Help Desk”
   – Represents Silver Risk Office Services a la carte



Thank You!