Fraud Newsletter

June 2008

January 26, 2009

Today's Headlines:
Do You Have a Card Fraud Loss problem?
Smishing: Safeguard Your PDA Data
Is PCI Compliance Enough?
Olympic Data Vulnerability
OCC Warns Banks About Customer Information Vulnerability Through Poor Application Security
Headway in Information Security
New Legislation Makes Important Pro-Merchant Adjustment to FACT Act
Real-Time Falcon Statistics
PCI Non-Compliance Could Leave Card Payment Security Vulnerabilities Unresolved Indefinitely
Training Opportunity

Do You Have a Card Fraud Loss problem?

How do you know if your losses are abnormal? What is a valid way to measure your losses?  Industry publications suggest that you measure your losses against a benchmark that calculates losses as a percentage of sales, or fraud to volume. Are your sales greater or less than the benchmark portfolios used to develop the published numbers? BFS Consulting Inc., a consulting team dedicated to helping the card industry better control fraud losses, believes the first step is to find a simple benchmark that will tell you if you have a "problem". If you find that your card losses are out of line, you can then refine your analysis and determine the cause of the "problem."


Based on recent loss statistics from the card associations, the "average" fraud loss to volume is a little above 7 basis points (.07% = .0007). A survey of community banks indicated that the average sales volume on a card is about $4300. Losses on such an account, based on the association average, would be $3.01, as determined by: $4300 x .0007 = $3.01. Below are the steps you should follow to determine if there is a "problem" looming within your card portfolio.


Step One - Take your total fraud loss write off for last year and divide it by the number of accounts you have on file. Is this number greater than $2.00? For example, if the losses are $23,000 on 10000 accounts, the loss would be $2.30 per account. Since that's greater than $2.00 per account, let's refine the analysis.


Step Two - Separate the losses and the number of accounts on file into separate categories:

  • Credit
  • Debit
  • ATM (if you have a proprietary ATM card as a separate program)

Repeat the calculation used in step one and determine which portfolio has losses greater than $2.00 per account.


If losses are in your debit portfolio, break out losses by PIN and Signature. If one category is significantly greater than the other, you have identified the "problem" portfolio. Try to break down the identified losses into US and Non-US losses. Again this may further identify why your losses are not aligned.


Now, you have to find out why your "problem portfolio" has losses greater than your other card products. This involves a review of the fraud prevention, detection and recovery tools provided by your processor and the way your bank is utilizing them.
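As an added example (not part of the newsletter or of BFS Consulting's method), the drill-down above expressed as a short Python script: it applies the $2.00-per-account test at each level of a portfolio breakdown and reports the deepest category that is out of line. The portfolio figures are constructed; the $4300 average and the 7-basis-point rate are the article's.

```python
"""Card fraud loss benchmark drill-down (added example, constructed data)."""
from dataclasses import dataclass, field

BENCHMARK_PER_ACCOUNT = 2.00   # the article's "is it greater than $2.00?" test
ASSOCIATION_FRAUD_BPS = 7      # roughly 7 basis points fraud-to-volume, per the article


@dataclass
class Portfolio:
    name: str
    accounts: int
    fraud_loss: float                               # annual fraud write-off, dollars
    children: list = field(default_factory=list)    # finer breakdowns, same structure

    def loss_per_account(self) -> float:
        """Step one: total write-off divided by accounts on file."""
        return round(self.fraud_loss / self.accounts, 2) if self.accounts else 0.0

    def over_benchmark(self) -> bool:
        return self.loss_per_account() > BENCHMARK_PER_ACCOUNT


def expected_loss_per_account(avg_sales: float, bps: int = ASSOCIATION_FRAUD_BPS) -> float:
    """Association-average expected loss on one account: sales x (bps / 10,000)."""
    return round(avg_sales * bps / 10_000, 2)


def find_problem_portfolios(p: Portfolio, path=()) -> list:
    """Walk the breakdown tree and return the deepest portfolios over the benchmark.

    A node over $2.00/account is reported by itself only when none of its
    children are also over the benchmark; otherwise the children are reported.
    This is the "refine the analysis" step applied recursively.
    """
    here = path + (p.name,)
    if not p.over_benchmark():
        return []
    flagged = []
    for child in p.children:
        flagged.extend(find_problem_portfolios(child, here))
    return flagged or [here]


# Constructed sample: 10,000 accounts with $23,000 of losses, as in the article,
# broken down into the categories the article suggests (credit/debit/ATM,
# then PIN/Signature, then US/Non-US).
SAMPLE = Portfolio("all cards", 10_000, 23_000.0, [
    Portfolio("credit", 4_000, 6_000.0),
    Portfolio("debit", 5_500, 16_500.0, [
        Portfolio("PIN", 2_500, 3_000.0),
        Portfolio("signature", 3_000, 13_500.0, [
            Portfolio("US", 2_800, 4_200.0),
            Portfolio("non-US", 200, 9_300.0),
        ]),
    ]),
    Portfolio("ATM", 500, 500.0),
])

if __name__ == "__main__":
    print("expected loss/account at $4300 sales:", expected_loss_per_account(4300))
    print("overall loss/account:", SAMPLE.loss_per_account())
    for path in find_problem_portfolios(SAMPLE):
        print("problem portfolio:", " > ".join(path))
```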




Smishing: Safeguard Your PDA Data

There's a new "ishing" amongst us. "Smishing" is similar to keylogging cyber-attacks that plant malicious software on PCs, which then record and transmit the victim's online typing, including entries of usernames, passwords and personal identifying information. With this data, the fraudsters can grab data off a PDA's (Personal Digital Assistant) hard drive or gain unauthorized access to a company's network.

Important:
Smishing, a term derived from the more familiar "phishing" but describing attacks that use SMS text messages, often sent via instant messaging, to trick users into downloading the malicious software, is relatively new. But it is likely to grow as PDAs gain greater functionality and more people acquire them and store sensitive personal and company data on them.

Self defense:

  • Avoid clicking on links within text messages, E-mails or attachments from anyone you don't know.
  • Avoid downloading free games, screensavers and music files onto your PDA.
  • Avoid clicking within the body of suspected Spam.

White-Collar Crime Fighter sources:

  • Jon McDowall, CFE, PCI, CIFI, CEO of Fraud Resource Group, consultants providing fraud prevention and training services, www.fraudresourcegroup.com.
  • McAfee Inc. computer security product and service providers, www.mcafee.com.



Is PCI Compliance Enough?

Hannaford Bros. says it received a certificate on February 27 stating it was fully PCI-compliant. As if to mock the entire credit card security world, on the very same day, cyber-thieves stole 4.2 million of the New England retailer's customer card records.


If there is a silver lining in this and other recent mega-breaches, it is that retailers have been prompted to seek security systems well beyond PCI standards.


Since the breach, Hannaford has reportedly installed a 24/7 security monitoring and detection service to track all user log-ins.


More important: The company has also begun to encrypt all customer card information immediately, from the time the card is swiped at the cash register, so that the data is scrambled all the way to the company's corporate servers, from where it is sent to the credit card company. This better-late-than-never move to lock down customer data at the POS stage is being adopted by other large retailers.


The Hannaford Bros. event was an expensive lesson to the PCI standard-setters that still more needs to be done to keep pace with the fraudsters. The PCI Council has stated that it will eliminate any weaknesses that it discovers from its ongoing investigation of recent breaches. Updated standards are due out later this year.


In the meantime, retailers and issuers should remain consistently aware of the fact that Hannaford was victimized by having its private internal network breached, an area previously thought to have been hack-proof.


Unfortunately, while PCI mandates that all transaction data sent over public networks be encrypted, it doesn't specifically require that for transmissions over internal private lines. In the Hannaford attack, hackers reportedly installed malicious software on the company's private network to steal unencrypted credit card information being transmitted from the POS to processors for approval.


The good news: Retailers don't have to wait until PCI amends its encryption standards to protect themselves from similar attacks. Technology exists to encrypt card data "from the get-go", i.e., from the moment a customer's card is swiped.


Additional security requirements coming soon: As of June 30, retailers must install firewalls that prevent hackers from accessing internal company files through software programs that are exposed to the Internet, such as applications that handle online credit card transactions.

PCI also plans to toughen its standards in September in the areas of wireless transmissions, card pre-authorization procedures and software applications that handle credit card data.


This article is based in part on an article by The Wall Street Journal's Joseph Pereira.



Olympic Data Vulnerability

Security experts at MessageLabs, which scans E-mail messages for risky content and provides security services, recently reported having found more than a dozen Olympic-themed attacks targeting different industries with Trojan attachments that could allow the attacker to conduct corporate espionage by accessing the victim's system via Microsoft Access Database (".mdb") files.

Details: These E-mail attacks have very legitimate-sounding subjects, such as The Beijing 2008 Torch Relay, and purport to be from the International Olympic Committee in some cases, although most originate in Asia.

The Trojans are not embedded in Microsoft Word attachments, as so many others have been over the years. Instead, says MessageLabs chief security analyst Mark Sunner, as those vulnerabilities have been remedied, cyber-criminals are now moving on to new types of Microsoft files. Sunner said exploits within these file types are much less likely to be detected by traditional antivirus engines.

Added risk: The Olympic-theme attacks are extremely precise in that they target individual E-mail recipients.

Key: Unlike typical "volume attacks", the Olympic attacks highlight a trend toward targeting a single company or an individual within that company. The intent is more personal and more destructive.

According to Sunner, antivirus programs are likely to be insufficient in warding off these personalized attacks. A mail-screening service will help, Sunner said. Safe computing principles should also be reinforced, especially warnings against opening or downloading attachments that are not clearly work-related.

Source: Mark Sunner, chief security analyst, MessageLabs, Internet security service providers, quoted at Data Storage Today, a Web portal for data storage professionals, www.data-storage-today.com.


OCC Warns Banks About Customer Information Vulnerability Through Poor Application Security

In an apparent show of continued concern about ongoing risks to the security of bank customer data, the Office of the Comptroller of the Currency (OCC) released a bulletin urging national banks to redouble their efforts to ensure that all applications, both purchased and developed in-house, are adequately assessed from a data security perspective.

Note: Though issued to senior executives of national banks, the advice contained in the bulletin is valuable and relevant to all banks that rely on modern computer software to gain operational efficiency.

Details: The bulletin specifically states that "As part of their information security program, national banks should ensure that all applications are developed and maintained in a manner that appropriately addresses risks to the confidentiality, availability, and integrity of data.

"National banks should include application security in their risk assessments, including those required by Interagency Guidelines Establishing Standards for Safeguarding Customer Information. The scope of a bank's application security efforts may vary depending on the size and complexity of the bank and the nature of its software applications."

Helpful: The bulletin lists several key factors that bank management should consider in the risk assessment of an application...

  • Accessibility of the application via the Internet
  • Whether the application provides the ability to process or access sensitive data
  • Source of the application's development, such as in-house, purchased, or contracted
  • Extent that secure practices are used in the application's development process
  • Existence of an effective, recurring process to monitor, identify, and remediate or correct vulnerabilities
  • Existence of a periodic assurance process to validate independently the security of the application.

APPLICATION VENDORS AREN'T SECURITY EXPERTS

Common mistake: Banks that purchase applications typically rely upon the vendors to provide secure applications. This is in most cases highly risky because vendors usually are most interested in selling their products, not in ensuring the security of data they are designed to handle.

Critical: The OCC bulletin contains the important reminder that "Bank management remains responsible for ensuring that the application meets the bank's security requirements at acquisition and thereafter. As needed for purchased software, banks should expand their vendor management program to include application security considerations in their request for information (RFI) or request for proposal (RFP) process.

"An attestation from the vendor that their software development process follows secure development practices and is periodically tested may suffice for some applications. For applications that present [high] risks, banks may require vendor evidence of adherence to sound processes and validation through third-party testing and/or audits. All applications purchased should be supported by appropriate vulnerability identification and remediation processes, including appropriate vendor support. Additionally, banks should ensure that their ongoing testing process (e.g., penetration, vulnerability assessment) includes purchased and contracted applications."
 
Source: Comptroller of the Currency, Bulletin 2008-16.




Headway in Information Security

According to a new survey by Frost & Sullivan, C-Level management, a trendy term designating the "chief officers in a corporation", is finally taking on a significant and direct role in enhancing their organizations' information security.

Apparent reason: Recent massive breaches such as TJX, Hannaford Bros and many others.

Additional finding: Banking/Insurance/Finance sector security and management personnel have a greater concern for all security threats, such as hackers, viruses and other threats compared to other industry segments.

According to the study, the five main areas for addressing information security vulnerability are, as in previous years...

  1. Users following security policy
  2. Management support of security policies
  3. Training of staff on security policies
  4. Qualified security staff
  5. Software solutions

The good news this year is that IT security personnel should be having an increasingly easy time obtaining C-level management support in their efforts to bolster security. And the banking industry appears to be leading the way in this trend.

Source: The 2008 (ISC)2 Global Information Security Workforce Study by consultants Frost & Sullivan on behalf of (ISC)2, the leading information security professional certification and education organization.


New Legislation Makes Important Pro-Merchant Adjustment to FACT Act

The newly enacted Credit and Debit Card Receipt Clarification Act, authored by Florida Congressman Tim Mahoney, amends the Fair and Accurate Credit Transactions Act (FACTA) to ensure that it is not abused by frivolous class-action lawsuits against businesses.

Important: The legislation also preserves consumers' right to sue for negligence when a merchant's secure customer-identifying information is breached and results in identity theft or credit card account fraud.

Background: In 2003, Congress passed FACTA to improve and strengthen provisions against identity theft. Ever since then, a topic of ongoing debate among merchants, issuers, credit companies and legislators has been the bill's key provision requiring businesses to limit the amount of information printed on receipts, holding that "No person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number OR the expiration date upon any receipt..."

To comply with the new law, businesses began truncating the credit and debit card number printed on receipts down to the appropriate number of digits.

Problem: Shortly after implementation of the rule, hundreds of abusive class action lawsuits were filed against certain merchants, alleging that their failure to both truncate the card number and delete the expiration date on printed receipts was a violation of the law. Because FACTA was incorporated into the Fair Credit Reporting Act (FCRA), the statutory damages provisions of the law (between $100 and $1000 per transaction) meant that a company that had, for example, printed a million receipts with card expiration dates was looking at up to $1 billion in damages.

A SIGH OF RELIEF

The new Credit and Debit Card Receipt Clarification Act addresses the unintended legal consequences of FACTA and makes clear that if a merchant truncates a consumer's credit card number but does not remove the expiration date, then the company has not willfully violated FACTA and cannot be sued for statutory damages.

Important: According to Rep. Mahoney, despite the flurry of lawsuits following enactment of FACTA, there is scant evidence that a merchant's failure to redact an expiration date has ever resulted in a consumer being directly victimized by identity theft or fraud. Moreover, none of the lawsuits that were filed alleges any actual harm to an individual's account or identity.

Caveat: The new law's technical correction does preserve a consumer's right to sue for negligence in the event that he or she does experience actual fraud as a result of having his or her expiration date printed on a receipt.


Real-Time Falcon Statistics

Month   # of Actual Fraud Cases   # of Actual Fraud Accounts   Fraud $'s Saved*
March   17,935                    239                          $991,637
April   17,090                    283                          $1,304,857
May     16,919                    262                          $1,134,971

* Potential loss if entire credit line had been compromised

For more information on Falcon statistics and ways that you can protect your bank from fraud attacks, contact Alan Nevels, Senior Vice President of ICBA Bancard at 1-800-242-4770 or visit ICBA Bancard's Online Risk Management & Prevention Center.



PCI Non-Compliance Could Leave Card Payment Security Vulnerabilities Unresolved Indefinitely

After June 30, 2008, a substantial proportion of merchants will be required either to use a specialized firewall to protect their Web applications or to have completed a code review of their Web application software to eliminate payment card security vulnerabilities; merchants that have done neither remain non-compliant.

Problem: While the requirements have been recommended best practice for more than 18 months and are now a card industry requirement, security analysts, including Stamford, CT-based Gartner Inc., are surprised at how many retailers are still far from meeting the standards. "Most of our clients are not going to be ready," states Avivah Litan in an article for Computerworld Security. Litan is an analyst with Gartner Inc.

Important: Gartner's clients are reportedly choosing to deploy Web application firewalls instead of code review. Because security experts consider firewalls to be a "quick fix" compared to identifying and correcting flaws in application software, many Web applications in the credit card payment area could remain susceptible to fraud well beyond the June 30 deadline.

Gartner has been quoted as recommending that retailers give top priority to fixing vulnerabilities in Web applications with firewalls serving as an "add-on" security measure.

Essential: Designating the best-qualified individual to conduct application reviews. PCI rules allow for either manual or automated code reviews performed by "qualified third parties" or by qualified internal resources.

Problem: There is no official definition of "qualified" in this context.

Helpful: A new PCI Security Standards Council update is aimed at clarifying the code review and firewall requirements.

Note: There is also widespread concern that because the February breach of Hannaford Bros. occurred despite the company's full compliance with PCI standards, there is a need for further fine-tuning of the Web application standards.

The PCI Security Standards Council has stated that it is still investigating the Hannaford breach to determine if further refinements of the security standards are required. In addition, a new set of data security standards is due out this September.


Training Opportunity

FraudAware, the leading provider of Web-based employee fraud awareness training has a limited number of slots available for ICBA member banks to sign up for FACT ACT Red Flags employee training. This is the ONLY training designed for bank EMPLOYEE education on red flags -- in compliance with latest regulatory guidelines. For a free, no-obligation consultation call Peter Goldmann, Training Developer at 1-800-440-2261 or E-mail him at pgoldmann@fraudaware.com .





Calendar & Events:

Fraud Training Calendar:

July 24
Webinar: Data Compromises

2:00 p.m. EST

August 21
Webinar: Lost, Stolen, Fraud & Disputes

2:00 p.m. EST

August 26
Webinar: COMPROMISE MANAGER(TM)

2:00 p.m. EST

Please refer to the ICBA Bancard Calendar for more fraud training.

Product Highlights:

Enhanced Risk Blocking (FIS Clients Only):

The FIS Enhanced Risk Blocking service allows Issuers to employ flexible authorization practices to proactively block suspicious transactions in real-time. Enhanced Risk Blocking lets you protect your bank by minimizing losses from fraud, while eliminating cardholder inconvenience. This product combats:

- Global fraud events
- Localized fraud events
- Persistent portfolio fraud

Contact your FIS client relations representative for more information.


Real-Time Processing for eNFACT(SM) is Generally Available (FISERV EFT Clients Only)

The Fiserv EFT neural network transaction fraud detection system, eNFACT, utilizes Falcon software technology to detect the likelihood of a transaction being fraudulent. eNFACT fraud case management has previously been available in a near real-time environment.

eNFACT Real-Time is an add-on product offering that can be added to a client's existing Case Management or Near-Time program. eNFACT Real-Time allows clients to set filters at the card base that determine which transactions will be scored in real-time and potentially denied during authorization processing based on the score. These filter options are:

  • ATM Amount – Any ATM debit transaction equal/greater than this amount will score in real-time.
  • POS Amount – Any POS debit transaction equal/greater than this amount will score in real-time.
  • International – Transactions that originate from a country other than the issuer's domestic country will score in real-time.
  • TranBlocker Denote & Continue – Transactions that "bump up" against a TranBlocker rule but are not denied will be scored in real-time.
  • CardTracker Compromised Card – Transactions for card numbers that are flagged as compromised via CardTracker will score in real-time.

No additional support on your business unit's part is required beyond what is required for Case Management or Near-Time product support.
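As an added example, not Fiserv's eNFACT code, the five filter options listed above modelled as an issuer-configured policy: for each authorization it reports which filters, if any, would route the transaction to real-time scoring (the scoring itself is not modelled). Field names, thresholds and the sample transactions are constructed.

```python
"""Which transactions go to real-time scoring? (added example, constructed policy)"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class RealTimeFilters:
    atm_amount: Optional[float] = None          # score ATM debits >= this amount
    pos_amount: Optional[float] = None          # score POS debits >= this amount
    international: bool = False                 # score non-domestic transactions
    tranblocker_denote_continue: bool = False   # score "denote & continue" rule hits
    cardtracker_compromised: bool = False       # score cards flagged as compromised
    domestic_country: str = "US"


@dataclass
class Transaction:
    card: str
    channel: str                    # "ATM" or "POS"
    amount: float
    country: str
    tranblocker_hit: bool = False   # matched a TranBlocker rule but was not denied
    compromised: bool = False       # flagged as compromised via CardTracker


def realtime_reasons(txn: Transaction, f: RealTimeFilters) -> list:
    """Return every configured filter that routes this transaction to real-time scoring."""
    reasons = []
    if txn.channel == "ATM" and f.atm_amount is not None and txn.amount >= f.atm_amount:
        reasons.append("ATM amount")
    if txn.channel == "POS" and f.pos_amount is not None and txn.amount >= f.pos_amount:
        reasons.append("POS amount")
    if f.international and txn.country != f.domestic_country:
        reasons.append("international")
    if f.tranblocker_denote_continue and txn.tranblocker_hit:
        reasons.append("TranBlocker denote & continue")
    if f.cardtracker_compromised and txn.compromised:
        reasons.append("CardTracker compromised card")
    return reasons


def score_in_realtime(txn: Transaction, f: RealTimeFilters) -> bool:
    """True when at least one filter selects the transaction; otherwise it stays near-time."""
    return bool(realtime_reasons(txn, f))


# Constructed issuer policy: every filter switched on, with illustrative thresholds.
POLICY = RealTimeFilters(atm_amount=300.0, pos_amount=500.0, international=True,
                         tranblocker_denote_continue=True, cardtracker_compromised=True)

# Constructed sample authorizations.
SAMPLE_TXNS = [
    Transaction("card-A", "ATM", 200.0, "US"),                        # below threshold
    Transaction("card-B", "ATM", 300.0, "US"),                        # equal counts as >=
    Transaction("card-C", "POS", 45.0, "CA"),                         # small, but international
    Transaction("card-D", "POS", 750.0, "US", tranblocker_hit=True),  # two reasons at once
    Transaction("card-E", "POS", 12.0, "US", compromised=True),       # compromised card
]

if __name__ == "__main__":
    for t in SAMPLE_TXNS:
        r = realtime_reasons(t, POLICY)
        print(t.card, "-> real-time" if r else "-> near-time only", r)
```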



ww.fisriskmanagement.com
(FIS Clients Only)
This newly developed website will allow for better communication between clients, company partners, and processor regarding recent fraud trends as well as the latest products and services FIS is using to combat fraud and maximize recovery. (Available NOW!)


Merchant Statement Program
(FIS Client Only)

Merchants who accept credit cards are required to be compliant with PCI Data Security Standards. The critical focus of these security standards is to help merchants:

  • Improve the safekeeping of cardholder information by enhancing their security standards.
  • Tighten these standards to help reduce the likelihood of experiencing breaches and financial losses.
  • Avoid the possibility of fines and penalties levied by Visa and MasterCard.

In an effort to better educate merchants about compliance and validation requirements of these standards, the FIS merchant team recommends the inclusion of a brief message in each monthly merchant statement. We encourage you to submit your own unique message or authorize us to include a message informing your merchants of the importance of being responsive to Visa and MasterCard compliance mandates, deadlines and other related information.

The administrative cost of this campaign is a monthly flat fee of $25 per bank (or per your agreement) regardless of the number of merchants. In order to facilitate the delivery of this statement message, we ask that you submit your approval to your merchant representative via email. If you have any questions, please feel free to call 727 227-5088.



Fraud Loss Protection Plan

This "Members only" program assists your bank in recouping losses that would otherwise be unrecoverable.

Coverage included for cards:
• Lost & Stolen
• Not Received Issued
• Counterfeit
• Skimmed Counterfeit
• Account Take Over
• Identity theft

More information

Confirm coverage



Online Fraud Claims Tool

Allows ICBA Bancard Fraud Loss Protection Plan participants to track status of reimbursement claims.

Highlights:
• Track claims from date of receipt to completion
• View processing comments entered by analysts
• View compensation amounts processed for your bank
• Examine or print any claims submitted
• Secure login access

View claims



Custom Portfolio Consultation:

As a dedicated resource to all community banks, ICBA Bancard offers risk, marketing, and operational consultations at no cost to community banks.

Request a free consultation today



TCM Bank

This limited purpose credit card bank is designed to position community banks in the credit card business, promoting the bank's identity while limiting or eliminating the bank's exposure to risk and marketing costs.

More Info About TCM



USEFUL WEBSITES:

• PCI Security Standards
• Merchant 911
• Visa (CISP)
• MasterCard Online
• Fiserv EFT
• Visa Online
• Bankrate.com
• Consumer.gov
• FTC
• AnnualCreditReport.com



Prevention Highlights:

Neokinetics

This technology makes use of Behavior-Metrics science that individually or concurrently authenticates that the correct people are accessing and/or receiving information in a secure and efficient environment.

More Info


Bancard Fraud Quarterly
Published by ICBA Bancard
© 2008 ICBA

Contact Editors of
Bancard Fraud Quarterly

1615 L Street NW
Suite 900
Washington, DC 20036
Ph: (202) 659-8111

bancard@icba.org