Enhancing Debit Card Security: The Life of a Counterfeit Card (Credit Union Conference Presentation)
National Association of Federal Credit Unions | www.nafcu.org
Enhancing Debit Card Security: Life of a Counterfeit Card
Presented by David Mattei
VP, Fraud Solutions
Agenda
• Common forms of card compromises
• Review of the criminal network
• Fraud trends and stats
• Best practices for credit unions
• Future fraud solutions
Data Breaches
• Heartland Jan 2009 130,000,000 cards
• TJX Jan 2007 94,000,000 cards
• Hannaford Mar 2008 4,200,000 cards
• RBS Dec 2008 1,500,000 cards
• LexisNexis May 2008 40,000 cards
• ALDI Sept 2010 25,000 cards
• Sony Mar 2011 77,000,000 cards
• Michael’s May 2011 Unknown # cards
Common Skimming Locations
Skimming Technology
Common skimmer at a restaurant (aka “The Wedge”)
Wireless skimmer at pay-at-the-pump
ATM Skimming Technology
The Various “ishings”
• Other techniques to collect data:
– Phishing (emails)
– Vishing (land line phone calls)
– Smishing (cell phone SMS/text messages)
– Pharming (redirection of users to criminal copy of a web site)
• All are meant to collect account and/or card data
Underground Criminal Network
• Carding – unauthorized use of card data
• Carders – the criminals involved in carding
• Carding Forums – web sites dedicated to buying/selling card data
– Tutorials, message boards, network intrusion tools/software, good list/bad list of criminals
• Dumps
– Track 1 data, Track 2 data, Track 1&2, PIN, personal data
Common Uses of Card Data
• Carders commit 1 of 4 types of fraud:
– Carding online (CNP)
– In-store carding (CP)
– Cashing (ATM)
– Gift card vending (buy/sell gift cards)
Criminal “End Product”
36,000 counterfeit cards shipped from Hong Kong to US
Production facility in Vancouver, Canada
Captured in arrest of Australia cell
Fraud Trends
Fraud Losses
[Chart: past year vs. current year global basis points; comparison of 4 consecutive quarters, Q3 2009 through Q2 2010]
Best Practices
• There is no silver bullet
• Multi-prong strategy
Solutions in Each Fraud Stage
• Pre-Authorization
• Time of Authorization
• Post Authorization
• Ongoing Fraud Management
Pre-Authorization
• Require card activation
• Watch for drifting / poor card limits
• Set prudent expiration dates
• Educate your members
Drifting / Poor Card Limits

Card Limit Levels

Card On-Line Limit    Num of Cards
$99,999               1
$25,310               14
$25,000               502
$23,310               1
$11,009               3
$10,999               1
$10,909               1
$10,799               1
$10,609               2
$10,599               1
$10,509               16
$10,499               4
$10,309               102
$10,000               6279
$9,999                9844
$310                  2

6,928 cards

High Dollar Transactions

Authorization Number    Settled Date    Settled Amount
512647                  12/24/2010      $9,004.17
206341                  10/16/2010      $9,000.00
424820                  11/30/2010      $9,000.00
532177                  11/04/2010      $9,000.00
728167                  12/29/2010      $6,692.18
188318                  10/13/2010      $6,496.11
060121                  10/01/2010      $6,415.85
259294                  12/22/2010      $5,158.00
072817                  11/23/2010      $5,000.00
00000N                  11/05/2010      $4,591.10
863149                  11/26/2010      $4,544.00
249544                  10/22/2010      $4,522.00
372217                  12/08/2010      $4,500.00

6 unique cardholders performed these transactions
Time of Authorization
• Implement smart authorization parameters
– Daily card limits
– ATM / POS limits
• Validate track data
– Expiration date matching
– CVV matching
– Address matching
– Name matching
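The track-data checks listed above, sketched as an added example that is not part of the presentation: it parses ISO/IEC 7813 Track 1 and Track 2 and compares expiration date, CVV and name with the issuer's record. The `IssuerRecord` shape, the CVV offset inside the discretionary data and every sample value are assumptions constructed for illustration; address matching is omitted because the tracks carry no address field.

```python
import re
from dataclasses import dataclass

# ISO/IEC 7813 Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1 = re.compile(r"^%B(\d{1,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?$")
# ISO/IEC 7813 Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2 = re.compile(r"^;(\d{1,19})=(\d{4})(\d{3})(\d*)\?$")

@dataclass
class IssuerRecord:        # hypothetical card-on-file record held by the issuer
    pan: str
    name: str              # as encoded on Track 1, e.g. "SURNAME/FIRST"
    expiry_yymm: str
    cvv: str               # expected CVV, assumed to be supplied by the issuer's HSM
    cvv_offset: int = 5    # assumed CVV position in the discretionary data

def validate_tracks(track1, track2, rec):
    """Return the list of mismatch reasons; an empty list means all checks passed."""
    m2 = TRACK2.match(track2)
    if not m2:
        return ["track2_malformed"]
    pan, expiry, _service, disc = m2.groups()
    reasons = []
    if pan != rec.pan:
        reasons.append("pan_mismatch")
    if expiry != rec.expiry_yymm:
        reasons.append("expiry_mismatch")
    if disc[rec.cvv_offset:rec.cvv_offset + 3] != rec.cvv:
        reasons.append("cvv_mismatch")
    if track1:             # Track 1 is not always read by the terminal
        m1 = TRACK1.match(track1)
        if not m1:
            reasons.append("track1_malformed")
        else:
            pan1, name, expiry1 = m1.group(1, 2, 3)
            if (pan1, expiry1) != (pan, expiry):
                reasons.append("track1_track2_disagree")
            if name.strip().upper() != rec.name.upper():
                reasons.append("name_mismatch")
    return reasons

# Constructed sample data (test PAN, invented name and values).
REC = IssuerRecord("4111111111111111", "DOE/JANE", "2512", "123")
GOOD_T1 = "%B4111111111111111^DOE/JANE^251210100000123?"
GOOD_T2 = ";4111111111111111=251210100000123?"
FAKE_T1 = "%B4111111111111111^SMITH/JOHN^251210100000999?"
FAKE_T2 = ";4111111111111111=271210100000999?"   # altered expiry, wrong CVV

if __name__ == "__main__":
    print(validate_tracks(GOOD_T1, GOOD_T2, REC))
    print(validate_tracks(FAKE_T1, FAKE_T2, REC))
```

An authorization host would decline or refer the transaction on any non-empty result and log the reasons for post-authorization review.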
Post Authorization
• Review authorizations for fraud
• Verify transactions with members
• Report fraudulent transactions per Visa/MasterCard Compliance rules
Ongoing Fraud Management
• Review your CAN/CAMS alerts
• Maximize your chargeback rights
• Implement a 24x7 Lost/Stolen service
• Monitor new fraud trends
• Identify common points of compromise
• Partner with other credit unions in your area to share information
Future Fraud Solutions
• EMV
• Magnetic stripe fingerprinting
• Smart phones
• One-time passwords (OTP)
• Dynamic CVV / CVC values
OTP and Dynamic CVV Cards
Implementation Effort

Solution                          Issuer Impact    Acquirer Impact    Cardholder Impact    Processor Impact
EMV                               High             High               Low                  Med
Magnetic stripe fingerprinting    Low              High               Low                  Med
Smart phones                      Low              Low/Med            Med                  Med
One-time passwords                Med/High         Low/Med            Med                  Med
Dynamic CVV / CVC values          Med/High         Low/Med            Low/Med              Med
Perfection is Not Needed
• Run faster than the credit union next to you
Questions