Fraud Newsletter

September 2008

January 26, 2009

Forward| Bancard Site| Subscribe
Today's Headlines:
New Threat to Cell-Phone Data
RFID Skimming: Latest Threat to Your Identity
The New News About Hotel Key Card Fraud
Beware of the “Hit Man� Identity Theft Scam
Are You Ready for The Red Flags Deadline?
Real-Time Falcon Statistics
The “Quiet Epidemic� of Terrorist Credit Card Fraud
Using Common Data for Uncommon Results

New Threat to Cell-Phone Data

Issuers now have another information security worry to communicate to customers: Theft of personal identifying information from cell phones.


Details: A new device called the Cellular Seizure Invesigation Stick, or CSI Stick for short, has been released by Paraben Corporation. It is a portable device about the size of a disposable lighter which plugs into the charging port of most Motorola and Samsung cell phones (other makes and models will be compatible shortly). The user can then quickly download any data stored in the phone's memory, including address books, spreadsheets, photos, multi-media messages and much more.


Suffice it say that if your on-line banking or other confidential financial data are stored on your cell phone, you must now be extremely careful about whom you lend your phone to and about ensuring that you don't leave it unattended.


Sources:, Paraben Corporation, and


Back to Article List

RFID Skimming: Latest Threat to Your Identity

Latest reported identity theft threat: Your identity could be at risk if you use an RFID or Radio Frequency Identification credit card and you don't know it.

Background: New credit card technology enables specially designed credit cards to give off a radio signal that transmits your personal identifying information. You just wave your card in front of a reader at a POS terminal and keep moving.

While it offers a simple and quick way to make a purchase, the technology can also leaves you vulnerable to identity theft.

RFID skimming – a next-generation version of the familiar "low-tech" skimming of credit cards perpetrated by swiping customer cards through a hand-held reader--targets so-called "smart cards" which store your credit card data just like a conventional card, but which transmit that data via radio signal to the POS processing terminal.

Result: Anyone with a low-cost RFID reader can intercept the radio-transmitted information if they can get within four to six inches of your card for as little as half a second.

The card companies say that the technology is safe because all sensitive card information in encrypted. However, numerous news reports have demonstrated evidence to the contrary. University researchers with the inexpensive RFID readers have shown how they can steal card data from a card sitting in the wallet in a victim's back pants pocket.

Self defense: If you like the convenience of this technology ask your card issuer to confirm that the data on the card is encrypted. Even if it is, it's not a bad idea to shield the card in a special sleeve made of metal or just tin foil.

Sources: Tom Heydt-Benjamin, research, University of Massachusetts, quoted at and recent news reports.


Back to Article List

The New News About Hotel Key Card Fraud

Many of us remember well the stories circulating around the Internet about hotel key cards supposedly containing personal identifying information (PII) including guests' names, addresses, and credit card numbers.


But then it was confirmed that the stories were totally false. It was widely reported that there was no reason for a hotel to save the information on the they weren't actually doing it.



A recent news report from Las Vegas indicated that prostitutes and addicts there are being arrested with hotel key cards in their possession. And, according to the report, these key cards do have credit card information on them.


Details: Fraudsters are reportedly passing legitimate cards through hand-held scanners and cloning the information onto the mag strip on key cards which can be erased and re-written. The cards are then used by the criminals to cash out at ATMs and make small purchases.


Important: These crimes would presumably require the cooperation of hotel front desk clerks with access to guests' legitimate credit cards and equipped with a skimming machine to illegally record the mag stripe data.


Earlier reports that hotels themselves are systematically recording guests' credit card information on hotel cards are evidently still inaccurate.


Source: Tom Mahoney, founder, Merchant 911,



Back to Article List

Beware of the "Hit Man" Identity Theft Scam

The FBI is receiving thousands of reports about the new versions of the so-called "Hit Man E-mail Scheme".

Details: The E-mail content has evolved since late 2006; however, the messages remain similar in nature—claiming the sender has been hired to kill the recipient.

Details: New versions of the scheme began appearing this summer. One instructed the recipient to contact a telephone number contained in the E-mail and the other claimed the recipient or a "loved one" was going to be kidnapped unless a ransom was paid.

Recipients of the kidnapping threat were told to respond via E-mail within 48 hours. The sender was to provide the location of the wire transfer five minutes before the deadline and was threatened with bodily harm if the ransom was not received within 30 minutes of the time frame given. The recipients' personally identifiable information (PII) was included in the E-mail to promote the appearance that the sender actually knew the recipient and their location.

In some instances, the use of names, titles, addresses, and telephone numbers of government officials and business executives, and/or the victims' PII are used in an attempt to make the fraud appear more authentic.

Individuals who receive e-mails containing threats of violence and their PII should contact law enforcement as well as file a complaint at the Internet Crime Complaint Center,

Back to Article List

Are You Ready for The Red Flags Deadline?

By November 1 all financial institutions are required to have an Identity Theft Prevention Program in place to comply with the terms of the new FACT Act Identity Theft Red Flags regulations.

Important details: If your financial institution is like most, it already has in place basic procedures for preventing identity theft in new credit card applications, address changes, address discrepancies and the host of other financial account-related identity theft risks. If so, it will have little problem meeting the Nov. 1 deadline for compliance with the new regulation. Of course, the Federal Trade Commission (FTC) together with the five financial industry regulatory agencies that are responsible for enforcing the new "Red Flags" rules of FACTA will want to see documentation defining the organization's specific program details.

Key: According to current compliance guidelines, your organization's Red Flags compliance program must be based on existing anti-identity theft policies and procedures as well as other vulnerabilities to identity theft that the organization has—or should by now have—identified through an enterprise-wide risk assessment. Such an assessment is designed to pinpoint specific weaknesses in the organization's business processes and procedures that could be exploited by identity thieves.

In fact, the latest guidance--issued by the Office of Thrift Supervision-- indicates that as part of the agencies' enforcement measures, examiners will assess whether the financial institution has "conducted a risk assessment to identify [all] accounts that pose a reasonably foreseeable risk of identity theft, taking into consideration the methods used to open and access accounts, and the institution's previous experiences with identity theft."

Critical credit card clauses: The new Red Flags requirements have specific rules for credit and debit card issuers. Specifically, issuers are required to have in place procedures for authenticating card holders' requests for changes of address. Bank examiners will assess financial institutions' policies in this regard based on four tests...

  • Can the card issuer assess the validity of a change of address?
  • Does its policies and procedures prohibit issuance of a card until it verifies the change of address?
  • Are electronic notices sent for verification clear and conspicuous?
  • Perform sampling, if needed.

Click here for additional information about the latest guidelines.

Back to Article List

Real-Time Falcon Statistics

# of Actual Fraud Cases
#of Actual Fraud Accounts
Fraud $'s Saved*

* Potential loss if entire credit line had been compromised

For more information on Falcon statistics and ways that you can protect your bank from fraud attacks, contact Alan Nevels, Senior Vice President of ICBA Bancard at 1-800-242-4770 or visit ICBA Bancard's Online Risk Management & Prevention Center.


Back to Article List

The "Quiet Epidemic" of Terrorist Credit Card Fraud

According to Dennis Lormel, a former FBI Special Agent and now Managing Director of the risk management consulting firm, IPSA International, there is a "quiet epidemic" of terrorist-driven credit card fraud is in full swing globally.

While Lormel indicates that there is "limited or no empirical data" to measure the extent of the terrorist credit card fraud problem, his direct involvement in investigations of such cases leads him to urge extreme concern on the part of US card issuers, merchants, regulators and lawmakers.

A key part of the problem, says Lormel, is terrorists' growing proficiency in computer and Internet-based data theft. Sophisticated cells are increasingly responsible for the growing number of information security breaches that result in theft of large volumes of credit card data used for fraudulent purchases, funds transfers and money laundering.


In the case of Younes Tsouli, aka "Terrorist 007", and his accomplices, Waseem Mughal and Tariq al-Daour, investigators in the U.S and the U.K. determined the trio used computer viruses and stolen credit card accounts to set up a network of on-line communication forums and Web sites that hosted everything from tutorials on computer hacking and bomb making to videos of beheadings and suicide bombing attacks in Iraq.

They raised funds through massive credit card information theft and fraud, which were used to support the communications, propaganda and recruitment for terrorists worldwide, as well as to purchase equipment for Jihadists in the field. One expert described their activities as "operating an on-line dating service for al-Qaeda." Ultimately apprehended in the UK in 2005, the three men pled guilty in 2007 to inciting terrorist murder via the Internet. At the time of his arrest, Mughal was in possession of 37,000 credit card records, which were linked by investigators to more than $3.6 million worth of fraudulent transactions.

Essential now: Much more vigilant protective measures to safeguard stored credit card data as well as careful assessment by federal investigative agencies of past terrorist-related credit card fraud cases -- with the aim of establishing patterns that can be used to develop effective preventive and detective measures for institutions most vulnerable to data theft and card fraud.

Source: Dennis Lormel, Managing Director of IPSA International's Anti-money Laundering (AML) practice. Lormel has 31 years of government services, 28 years as a Special Agent in the FBI. He served as Section Chief for Financial Crimes where he was responsible for managing the FBI's White Collar Crime Program. Following the attacks of September 11, 2001, Mr. Lormel developed, implemented and directed the FBI's comprehensive terrorist financing initiatives, which evolved into the Counterterrorism Division's The Terrorist Financing Operations Section.


Back to Article List

Using Common Data for Uncommon Results:
Collaboration as the Key to Fraud Prevention

Kay Nichols,
EVP Decision Solutions
Fidelity National Information Services, Inc.

Reducing fraud across the banking enterprise depends on rich, high quality data and sophisticated analysis. While many organizations have point solutions to help them identify potential fraud within specific channels or transaction types, the ideal solution would make stolen customer information completely useless to a would-be fraudster.

The very heart of this strategy is to gain access to as much information as possible about the customer and his or her banking behavior. By accessing and leveraging data from across the enterprise, institutions gain the ability to run advanced, granular analytics on legitimate customer activity to help distinguish it from fraudulent behavior.  This is an invaluable and highly accurate approach to fraud identification and prevention, allowing banks to dramatically improve the efficacy of their strategy.
Prevention Begins at Home

A great deal of customer behavior and event information exists within the walls of the bank.  Proprietary data drawn from checking, debit and credit card and even core image systems is essential to accurately profiling customer behavior. For instance, knowing how frequently a customer uses an ATM out of network or how often a debit card is used at a retail location helps banks to sharpen their view of normal customer behavior while making it easier to flag potential fraud. This data is critical input for the robust analytical models that identify patterns in customer behavior.

By expanding the range of internal customer data that is available for evaluation, banks can reduce their exposure to fraud and better protect their customers. Still, a fraud prevention program can be tremendously strengthened when data from trusted outside sources is integrated with internal data to create an even deeper view of the customer. Indeed, when banks collaborate by sharing information - as demonstrated by fraud hot lists or velocity alerts of key behaviors - it benefits all participants.

Power in Numbers

External debit bureau databases can contain literally billions of consumer records that have been contributed by financial institutions over the years.  By sharing fraud and behavior data through a common warehouse managed by a trusted leader in the field, banks can be assured that this valuable consumer data is used only for agreed upon purposes.  This will allow them to integrate the external consumer records with their internal core banking transaction, payment transaction and card transaction data to create an unprecedented 360-degree view of customer behavior, creating multiple opportunities for savings.

Collaboration Benefits Everyone – Except the Fraudster

Many banks today have already joined together to collaborate against fraud, and for good reason. Every three seconds someone's identity is stolen, leaving banks to deal with charge-offs, upset customers and depending on the magnitude of the problem, reputational damage and customer defection.

By collaborating, financial institutions can do together what they cannot do alone: stop the rabid growth of bank fraud. They can also demonstrate to their customers that they truly understand them at an uncommon level, giving them the ability to build greater customer loyalty and increase wallet share.  Ultimately, that is the best outcome of all.   

Back to Article List

You are receiving this e-mail because you are a participant of ICBA Bancard or you registered to receive it. Note: When available, Web links are provided as a convenience. However, the location or accessibility of links may change during or after publication.

To change your e-mail address, please
go here. If you wish not to receive ICBA "Bancard E-News", please opt-out here. If you prefer not to receive any future e-mails from ICBA Bancard, please unsubscribe here. View our Privacy Policy.

Calendar & Events:

Fraud Training Calendar:

October 1

2:00 p.m. EST
Register >>

October 30
Webinar: Lost, Stolen, Fraud & Disputes

2:00 p.m. EST
Register >>

November 1
Webinar: Lost, Stolen, Fraud & Disputes

2:00 p.m. EST
Register >>

November 6
Webinar: Risk Management Tools & Services

2:00 p.m. EST
Register >>

December 11
Webinar: Lost, Stolen, Fraud & Disputes

2:00 p.m. EST
Register >>

December 17

2:00 p.m. EST
Register >>

Please refer to the ICBA Bancard Calendar for more fraud training.

Training Opportunity:

FraudAware, the leading provider of Web-based employee fraud awareness training has a limited number of slots available for ICBA member banks to sign up for FACT ACT Red Flags employee training. This is the ONLY training designed for bank EMPLOYEE education on red flags -- in compliance with latest regulatory guidelines. For a free, no-obligation consultation call Peter Goldmann, Training Developer at 1-800-440-2261 or E-mail him at

Program Highlights:
(FIS Clients Only)

This website will allow for better communication between clients, company partners, and processor regarding recent fraud trends as well as the latest products and services FIS is using to combat fraud and maximize recovery. (Available NOW!)

Merchant Statement Program
(FIS Clients Only)

Merchants who accept credit cards are required to be compliant with PCI Data Security Standards. The critical focus of these security standards is to help merchants:

  • Improve the safekeeping of cardholder information by enhancing their security standards.
  • Tighten these standards to help reduce the likelihood of experiencing breaches and financial losses.
  • Avoid the possibility of fines and penalties levied by Visa and MasterCard.

In an effort to better educate merchants about compliance and validation requirements of these standards, the FIS merchant team recommends the inclusion of a brief message in each monthly merchant statement. We encourage you to submit your own unique message or authorize us to include a message informing your merchants of the importance of being responsive to Visa and MasterCard compliance mandates, deadlines and other related information.

The administrative cost of this campaign is a monthly flat fee of $25 per bank (or per your agreement) regardless of the number of merchants. In order to facilitate the delivery of this statement message, we ask that you submit your approval to your merchant representative via email. If you have any questions, please feel free to call 727 227-5088.

Fraud Loss Protection Plan

This "Members only" program assists your bank in recouping losses that would otherwise be unrecoverable.

Coverage included for cards:
• Lost & Stolen
• Not Received Issued
• Counterfeit
• Skimmed Counterfeit
• Account Take Over
• Identity theft

More information

Confirm coverage

Online Fraud Claims Tool

Allows ICBA Bancard Fraud Loss Protection Plan participants to track status of reimbursement claims.

• Track claims from date of
   receipt to completion
• View processing comments
   entered by analysis
• View compensation amounts
   processed for your bank
• Examine or print any claims
• Secure login access

View claims

Custom Portfolio Consultation:

As a dedicated resource to all community banks, ICBA Bancard offers risk, marketing, and operational consultations at no cost to community banks.

Request a free consultation today

TCM Bank

This limited purpose credit card bank is designed to position community banks in the credit card business, promoting the bank's identity while limiting or eliminating the bank's exposure to risk and marketing costs.

More Info About TCM


• PCI Security Standards
• Merchant 911
• Visa (CISP)
• MasterCard Online
• Fiserv EFT
• Visa Online

Prevention Hightlights:


This technology makes use of Behavior-Metrics science that individually or concurrently authenticates that the correct people are accessing and/or receiving information in a secure and efficient environment.

More Info

Bancard Fraud Quarterly
Published by ICBA Bancard
© 2008 ICBA

Contact Editors of
Bancard Fraud Quarterly

1615 L Street NW
Suite 900
Washington, DC 20036
Ph: (202) 659-8111

Informz for iMIS