enhancing debit card security: the life of a counterfeit card (credit union conference presentation)
DESCRIPTION
In this 2011 NAFCU Annual Conference presentation you will discover the latest and greatest card fraud mitigation strategies and tactics. Learn about the rise in data breaches, the evolution of criminal organizations, and the perceptions of today’s cardholders.Presented by David Mattei, EFT Product Manager, VantivFor a video of this session and more information visit http://www.nafcu.org/vantivTRANSCRIPT
National Association of Federal Credit Unions l www.nafcu.org
Enhancing Debit Card Security: Life of a Counterfeit Card
Presented by David Mattei
VP, Fraud Solutions
National Association of Federal Credit Unions l www.nafcu.org
Agenda
• Common forms of card compromises
• Review of the criminal network
• Fraud trends and stats
• Best practices for credit unions
• Future fraud solutions
National Association of Federal Credit Unions l www.nafcu.org
Data Breaches
• Heartland Jan 2009 130,000,000 cards
• TJX Jan 2007 94,000,000 cards
• Hannaford Mar 2008 4,200,000 cards
• RBS Dec 2008 1,500,000 cards
• LexisNexis May 2008 40,000 cards
• ALDI Sept 2010 25,000 cards
• Sony Mar 2011 77,000,000 cards
• Michael’s May 2011 Unknown # cards
National Association of Federal Credit Unions l www.nafcu.org
Common Skimming Locations
National Association of Federal Credit Unions l www.nafcu.org
Skimming Technology
Common skimmer at a restaurant
(aka “The Wedge”)
Wireless skimmer at pay-at-the-pump
National Association of Federal Credit Unions l www.nafcu.org
ATM Skimming Technology
National Association of Federal Credit Unions l www.nafcu.org
The Various “ishings”
• Other techniques to collect data:
– Phishing (emails)
– Vishing (land line phone calls)
– Smishing (cell phone SMS/text messages)
– Pharming (redirection of users to criminal copy of a web site)
• All are meant to collect account and/or card data
National Association of Federal Credit Unions l www.nafcu.org
Underground Criminal Network
• Carding – unauthorized use of card data
• Carders – the criminals involved in carding
• Carding Forums – web sites dedicated to buying/selling card data
– Tutorials, message boards, network intrusion tools/software, good list/bad list of criminals
• Dumps
– Track 1 data, Track 2 data, Track 1&2, PIN, personal data
National Association of Federal Credit Unions l www.nafcu.org
Common Uses of Card Data
• Carders commit 1 of 4 types of fraud:
– Carding online (CNP)
– In-store carding (CP)
– Cashing (ATM)
– Gift card vending (buy/sell gift cards)
National Association of Federal Credit Unions l www.nafcu.org
Criminal „End Product‟
36,000 counterfeit cards shipped from Hong Kong to US
Production facility in Vancouver, Canada
Captured in arrest of Australia cell
National Association of Federal Credit Unions l www.nafcu.org
Fraud Trends
National Association of Federal Credit Unions l www.nafcu.org
Fraud Losses
Past Year Global Basis Points Current Year Global Basis Points
Comparison of 4 Consecutive Quarters Q3 2009 through Q2 2010
National Association of Federal Credit Unions l www.nafcu.org
Best Practices
• There is no silver bullet
• Multi-prong strategy
National Association of Federal Credit Unions l www.nafcu.org
Solutions in Each Fraud Stage
Pre Authorization
Time of Authorization
Post Authorization
On Going Fraud
Management
National Association of Federal Credit Unions l www.nafcu.org
Pre-Authorization
• Require card activation
• Watch for drifting / poor card limits
• Set prudent expiration dates
• Educate your members
National Association of Federal Credit Unions l www.nafcu.org
Drifting / Poor Card Limits Card Limit Levels High Dollar Transactions
Authorization
Number Settled Date
Settled
Amount
512647 12/24/2010 $9,004.17 206341 10/16/2010 $9,000.00 424820 11/30/2010 $9,000.00 532177 11/04/2010 $9,000.00 728167 12/29/2010 $6,692.18 188318 10/13/2010 $6,496.11 060121 10/01/2010 $6,415.85 259294 12/22/2010 $5,158.00 072817 11/23/2010 $5,000.00 00000N 11/05/2010 $4,591.10 863149 11/26/2010 $4,544.00 249544 10/22/2010 $4,522.00 372217 12/08/2010 $4,500.00
Card On-Line
Limit Num of Cards
$99,999 1 $25,310 14 $25,000 502 $23,310 1 $11,009 3 $10,999 1 $10,909 1 $10,799 1 $10,609 2 $10,599 1 $10,509 16 $10,499 4 $10,309 102 $10,000 6279
$9,999 9844 $310 2
6,928 cards
6 unique cardholders performed these trans
National Association of Federal Credit Unions l www.nafcu.org
Time of Authorization
• Implement smart authorization parameters
– Daily card limits
– ATM / POS limits
• Validate track data
– Expiration date matching
– CVV matching
– Address matching
– Name matching
National Association of Federal Credit Unions l www.nafcu.org
Post Authorization
• Review authorizations for fraud
• Verify transactions with members
• Report fraudulent transactions per Visa/MasterCard Compliance rules
National Association of Federal Credit Unions l www.nafcu.org
Ongoing Fraud Management
• Review your CAN/CAMS alerts
• Maximize your chargeback rights
• Implement a 24x7 Lost/Stolen service
• Monitor new fraud trends
• Identify common points of compromise
• Partner with other credit unions in your area to share information
National Association of Federal Credit Unions l www.nafcu.org
Future Fraud Solutions
• EMV
• Magnetic stripe fingerprinting
• Smart phones
• One-time passwords (OTP)
• Dynamic CVV / CVC values
National Association of Federal Credit Unions l www.nafcu.org
OTP and Dynamic CVV Cards
National Association of Federal Credit Unions l www.nafcu.org
Implementation Effort
Solution Issuer
Impact
Acquirer
Impact
Cardholder
Impact
Processor
Impact
EMV High High Low Med
Magnetic stripe
fingerprinting
Low High Low Med
Smart phones Low Low/Med Med Med
One-time
passwords
Med/High Low/Med Med Med
Dynamic CVV / CVC
values
Med/High Low/Med Low/Med Med
National Association of Federal Credit Unions l www.nafcu.org
Perfection is Not Needed
• Run faster than the credit union next to you
National Association of Federal Credit Unions l www.nafcu.org
Questions