ICBA Bancard - News and Information - Fraud Newsletter - December 2007

Fraud Newsletter

December 2007

December 27, 2007

Forward| Bancard Site| Subscribe
Today's Headlines:
CNP Best Practices for Merchants & Acquirers
Vishing for Civic-Minded Fraud Victims
Payment Card Data System Needs Security Overhaul
UK says “Yes” to Fraud
Ninety-Percent of Sensitive Data Breaches Can be AVOIDED
New Online Fraud Threat: Phishing Attacks on Auto Pilot
Beyond Phishing, Pharming and Man in the Middle
Effective Data Encryption: Best PCI Compliance Practices
A Friendly Reminder – Useful Best Practices to Help Reduce Exposure
Did You Know

CNP Best Practices for Merchants & Acquirers

The holiday season is a fraudster's paradise, and recent trends show an increase in the number of online merchants becoming victims of fraud. These "scams" usually involve fraudulent orders that are placed with stolen credit card information.  Unfortunately, merchants and their banks are not provided the same protection as the consumer when it comes to credit card fraud. In fact, telephone and online merchants, and their merchants' acquirers could find themselves at serious risk if best practice procedures are not followed at all times.

Technological advancements in fraud prevention are showing some promise in combating fraud.  Merchants, Acquirers and Issuers are creating innovative solutions, such as software advancements and becoming PCI compliant to reduce fraudulent transactions and lower disputes and merchant chargeback rates.

One of the main challenges with fraud prevention is the delay between the time a fraudulent transaction occurs and the time when it is detected. On average, the delay between the transaction date and the dispute of a charge can run between 60-120 days. This means that, if no fraud prevention tools are in place, one or more fraudsters could easily generate significant damage to a business before any or all affected entities even realize that there is a problem. When interacting in a card-not-present (CNP) environment, merchants are wise to take a little extra time to prevent fraudulent transactions from filtering through.

Acquirers should urge their merchants to implement and follow a strict set of guidelines that include:

  • Taking necessary steps to validate each telephone or online order.
  • Not accepting orders unless complete information is provided by the cardholder, which should include full address and phone numbers.
  • Using AVS (Address Verification) for all credit card orders whenever possible.
  • Being mindful of orders with different "bill to" and "ship to" addresses.
  • Collecting the Internet Protocol (IP) address of your online visitors for fraud tracking purposes.
  • Adopting rules that govern the acceptance of orders and purchase requests that come through free email services. Many oversees criminals open free, anonymous email accounts in another person's name and then send product order request using the fake email account and a fraudulent credit card number.
  • Asking follow-up questions on transactions that seem suspect.
  • Implementing Verified By Visa or MasterCard Secure Code online risk tools
  • Using compliant POS terminals and software that does not store sensitive customer data elements.
  • Providing easy to understand return policies and customer service information with every shipment.

The best method of managing fraud is prevention. Strong fraud controls and proper oversight, including acquires periodic review of their merchant portfolio, can be powerful tools. By guiding and educating their merchants, acquirers can help them learn to spot fraudulent transactions before they are authorized.


Back to Article List

Vishing for Civic-Minded Fraud Victims

In the relatively new "Jury Duty Scam," a fraudster telephones prospective victims, posing as a local court official and states that the victim has failed to report for jury duty. The perpetrator then explains that the victim's failure to report has resulted in a warrant being issued for their arrest.

Response: Most people will legitimately claim they never received any jury duty notifications.

To "clear things up," the fraudster then asks for either personal identifying information such as SSN and DOB for "verification" purposes, or payment information such as credit card number, bank account details, etc. for collecting alleged "fines".

Background: The "jury duty" scheme is a variation of phishing—the practice of using social engineering or manipulation techniques to trick victims into divulging sensitive information that is later used to commit credit card fraud and other crimes. While phishing usually is perpetrated via E-mail scams, similar fraud schemes, including the "jury duty" version can take place over the telephone. This is referred to as "vishing" or voice-phishing.

Though not a new concept, this scam is a classic example of a vishing scheme with a new twist— exploiting civic-minded individuals.


Visa, the FBI and Snopes.com all advise consumers to never give out confidential or personal information in response to unsolicited phone calls or E-mails.

With specific regard to the "jury duty" scheme, consumers should be informed that legitimate court personnel will never ask for private information over the phone and typically only communicate via traditional mail.

Additional Precautions:

  • Always verify the legitimacy of the caller by asking for official company or agency contact information, and then using directory assistance to verify and cross-reference the information given.

  • Never rely solely on the phone number the caller provides as a means of verifying the authenticity of the call. "Vishers" will often have an accomplice answer the phone and pose as a representative of the legitimate organization in the event of a return call.

Click here for additional tips on identity theft prevention.


Back to Article List

Payment Card Data System Needs Security Overhaul
Peter Goldmann, Editor & Publisher, White-Collar Crime Fighter

Gartner analyst Avivah Litan says that to focus solely on retailers' card data security is to take a narrow view of the situation; instead, efforts should be directed toward revamping the payment system's security as a whole. According to Litan, "the banks and the credit card companies could solve this [data security issue] more easily" than the retailers could.  Presently, merchants have to retain cardholder data to protect themselves against charge backs and to manage recurring  charges and refunds. Banks already have stronger data security measures in place so perhaps they could store the data. Another option would be to require personal identification numbers (PINs) for each transaction; fraud from signature debit transactions is considerably higher than  fraud from PIN debit transactions.

Get More Information


Back to Article List

UK says "Yes" to Fraud

Through an emerging type of fraud in the UK, criminals are able to override a PIN by copying existing debit card details and overlaying a new PIN onto the cloned card, known as a "Yescard".

More prevalent on the continent, where Chip and PIN has been commonplace for several years, the name "Yescard" comes from the idea that the card is designed to accept ANY four digit PIN code typed in by the user. "Yescard" fraud is starting to grow in the UK, as fraudsters continue to look for new loopholes in the payments system. 

The "Yescard" enables criminals to make withdrawals on any cash machine or device that is working offline, or not connected directly to the bank. Since offline machines only verify transactions periodically, to minimize costs to the bank, the slight time delay with the bank's database affords the fraudsters more time to commit the crime.

Back to Article List

Ninety-Percent of Sensitive Data Breaches Can be AVOIDED

Financially motivated attacks on confidential electronic data are becoming more prevalent and new vulnerabilities continue to be reported. But 90% of these attacks can be avoided—without requiring any increase in security spending.

Important: The biggest information security risk to enterprises comes from targeted attacks. In addition, phishing and identity theft attacks have fueled a rise in "credentialed" attacks—where the attacker fraudulently uses the credentials of a legitimate user.

Added risk: Malicious software (malware) attacks also allow internal executables to be used to forward information to an external attacker.

Urgent: Being aware of such "inside-out" communications and being able to block them as effectively as "outside-in" attacks is becoming increasingly important.


According to latest research, the cost of a single sensitive data breach will increase 20% per year through 2009.

(Editor's note: When measured by the Ponemon Institute's recent finding that the theft of individual confidential records costs an average of $197, this growth estimate is a sobering prospect)

Important trend: While by-now conventional mass attacks such as worms and viruses continue to plague organizations, the massive investments made to protect against these threats have paid off; these simple mass attacks now succeed much less often than in recent years.

Problem: Cyber-attackers are now more financially motivated than ever and have launched new waves of attacks that, when successful—as in the devastating TJX breach— cause massive damage to the bottom line.

Essential now: Shift your approach to information security from a reactive stance to a mix of strategic planning and rapid tactical execution. Identify major technology changes and start reducing the cost of dealing with today's "mature" threats — such as viruses, worms and denial-of-service attacks —in order to free up financial and human resources to build effective security measures into the new systems and business processes that are being created today and that will inevitably bring on the next generation of financially-motivated information security threats.

White-Collar Crime Fighter sources:
John Pescatore, vice president and research fellow at Gartner Research, an arm of  Gartner, Inc., and Ray Wagner, PhD., managing vice president of the Secure Business Enablement Group, a part of the Information Security and Privacy research organization of Gartner Research.


Back to Article List

New Online Fraud Threat: Phishing Attacks on Auto Pilot

The Bedford, MA-based information security firm, RSA reports that it recently discovered a tool which enables fraudsters to automatically trace vulnerable Web servers for the purpose of hosting phishing attacks, Trojan sites or other malicious content.

According to the RSA report, this new tool is based on an IRC bot and automatically searches the Internet for servers that have a specific vulnerability which enables phishers to hijack them at a later time.

Key: When a new vulnerability is found in a Web application, the tool will publish the vulnerability and an exploit for it. The fraudsters are specifically interested in what is known as "remote file inclusion" vulnerabilities which make it especially easy for them to execute their code and gain control of these Web sites.

When such a vulnerability is published, fraudsters can then launch Web search commands, programmed to find Web sites that are vulnerable.

Example: They could search for a specific word that appears in the vulnerable Web application name. This search command is built into the IRC bot.

Once a list of vulnerable Web sites has emerged, fraudsters can launch phishing Web site installations on these Web sites. RSA's phishing forensics lab has found that these IRC bots have become very active in recent Web attacks.

Problem: Using such techniques, fraudsters will be able to automate the entire process of deploying a phishing site – beginning with the tracing of a vulnerable server, hijacking the server and creating new phishing sites.

The good news: The automated creation of phishing attacks does not make them harder to detect or shut down. Once the attack is live and phishing E-mails are sent, the detection and shutdown efforts are the same as in any other phishing attack.

Source: RSA Monthly Online Fraud Report, September 2007, by RSA Security Inc., Bedford, MA


Back to Article List

Beyond Phishing, Pharming and Man in the Middle

The Internet security service provider, F-Secure, warns computer users of an upsurge in attacks against Web banking sites using a new generation of malicious code to steal account holder data.

The new technique, known as "Man in the Browser," represents the latest stage in the evolution of Internet banking fraud technologies from methods such as phishing, pharming and "Man in the Middle," F-Secure says.

How it works: A PC is infected with malicious code that is triggered only when the Web user visits a bank's site. The malware intercepts the HTML code on the user's Web browser to retrieve security information that is entered on a legitimate bank site's logon page. According to F-Secure, "This personal data is then sent directly to an FTP site where the cyber-criminal stores it, before selling it on to the highest bidder."

Security products using behavioral analysis offer the best defense against "Man in the Browser" attacks, as the malicious code involved in these attacks is designed specifically for certain banking sites, according to F-Secure. Unlike phishing attacks, Man in the Browser attacks aren't distributed en masse to Internet users.


Back to Article List

Effective Data Encryption: Best PCI Compliance Practices

Encryption of stored cardholder data is unquestionably one of the best ways to minimize the risk that this information will be exploited by criminals or other unauthorized parties. This is why PCI standards specifically require that stored cardholder data be safeguarded by keeping it in a format that is unreadable.

Caution: Encryption is effective only if it is properly implemented—something that is often easier said than done.

For many organizations storing cardholder data, optimal encryption can only be achieved by implementing encryption systems from both of two main categories: file-or folder-level encryption and full-disk encryption.

  • File- or folder-level encryption systems encrypt data via a third-party software application or by a feature of the file system itself.
    • Advantages:
      • Optimal "granular" control over the specific information requiring encryption. Data requiring encryption can be stored in a specified file or folder, while non-sensitive data can be stored elsewhere.
      • File-level products usually allow integration of access level restrictions, thereby allowing you to effectively manage who has access to which data.
      • Logging and auditing capabilities. Some file-level applications enable you to track who attempts to access a file...and when. This can be a valuable added security measure since the majority of data breaches today are executed by insiders.
    • Disadvantages:
      • May not be granular enough if the organization requires access to certain columns of a database while others require no restriction.
      • File-level encryption may cause encryption of more data than required by PCI standards.
  • Full-disk encryption—also known as "whole disk" encryption—encrypts every file stored on the network's drives—including the operating system/file system. This is achieved by encrypting every file as it is written to disk and decrypting any file that is removed from the disk.
    • Advantages:
      • Every byte of data on your disks is encrypted—eliminating any concern about whether any cardholder data requiring encryption is left vulnerable to a breach.
      • Most full-disk programs offer pre-boot authentication features which require the user to logon prior to the boot process.
      • Hard or soft tokens or passwords can be used for pre-boot authentication.
    • Disadvantages:
      • Some full-disk encryption systems slow down data access times.
      • Fragmentation is a potential side-effect of full-disk encryption.
      • Encryption key management is required.
      • Password management protocols must be formulated and enforced. This can cause problems when an end-user loses or forgets his or her password.

"Defense-in-depth" is the secret of optimal cardholder data security. While file-or folder-level encryption and full-disk encryption are highly effective when properly implemented, your organization may also want to consider building in a database level (column-level) encryption system as well. This allows for encryption of specifically designated data such as what PCI DSS refers to as Personal Account Numbers (PAN).

Key: Multiple levels of data protection minimize risk of a breach as well as the risk of running afoul of PCI data storage requirements.

Source: PCI Compliance. Understand and Implement Effective PCI Data Security Standard Compliance, edited by Tony Bradley, Guide for the Internet/Network Security site at About.com (Syngress Publishing Inc., www.syngress.com)

Back to Article List

A Friendly Reminder – Useful Best Practices to Help Reduce Exposure

ICBA Bancard and FIS have teamed up to bring you some helpful security best practices reminders. Listed below are best practices that both banks and consumers can utilize to help safeguard themselves from card fraud exposure.
Bank Security Best Practices:

  • Promote to your cardholders the added security protection already provide today to guard their account, such as real-time fraud monitoring, and 24-hour online account access thru MyCardStatement.com.
  • Educate bank staff of the importance to having updated cardholder contact information on file:
    • Remind staff to regularly ask customers if the phone numbers they have on file are up to date whenever speaking with them on the phone or at the branch.
    • Consider statement inserts of statement messages facilitated through FIS to obtain valid phone numbers.

Remember that the FIS Fraud Prevention Department can increase the contact rate with your cardholders to validate suspicious activity when they have updated phone numbers on file.

  • Consider reviewing your Real-Time Decisioning exclusion for those customers who identify they will be traveling or on vacation. The FIS Neural Network (Falcon) service allows you to exclude specific cardholders from real-time as a customer convenience (recognize the exposure is still on the bank).
  • Remind staff to closely monitor the fraud prevention system reports and fraud alert faxes/emails provided by FIS Fraud Prevention.
  • Act swiftly to all Visa and MasterCard compromise alerts. If using FIS' COMPROMISE MANAGER to manage your alerts, review your current process in reviewing account exposure and blocking criteria.
  • Update or Implement a Security section on your bank website to include important security protection information for your customers:
    • Provide customers information on how to obtain a free credit report once a year as a way to guard against identify theft.
    • Update the site with helpful tips about the fraud protection services you have in place today.
      • Explain the process by which a fraud specialist or automated system may contact the cardholder if suspicious activity is noticed on their account (including FIS asking for the last 4 digits on their account number as a validation method)
    • Include the Fraud Departments of each of the three major credit bureaus:
         Equifax 1-800-525-6285
         Experian 1-888-397-3742
         Trans Union 1-800-680-7289

Cardholder Security Best Practices:

  • When obtaining receipts - Watch for credit card numbers printed in their entirety. It is poor protocol, but it is legal for the merchant's copy of the receipt to display your full credit card number. If you encounter a machine of this type, bring it to the attention of the establishment. Most companies are perfectly willing to allow you to mark out all but the last four numbers.
  • Be cautious when using credit or debit cards at festivals, fairs or temporary shops, etc. These locations often have less modernized business practices because of their transient nature.
  • Create a separate location outside your wallet for frequent shopper cards. This makes it easier for you to realize if a credit or debit card is missing.
  • If you opted to open a new credit card to receive extra discounts on purchases, SAVE the receipt of the initial purchase. Make sure it includes the time, date, location and name of the checkout person in case an issue should arise later.
  • When washing or fueling your car in public places, do not dispose of receipts or mail in a public trash can. These documents should be properly disposed of using a modern cross-cut shredder or professional shredding service.
  • When shopping be aware that using debit cards and pin numbers does not necessarily mean that you are secure. Be cautious of individuals near you at ATM machines and checkout counters. When you are putting in your pin number, someone may appear to be on their cell phone, when in fact they are creating videos or photos of your pin number entry or personal information.
  • Make it a habit to review your account information regularly via online access. Quick identification of suspect card activity is one of the best ways to reduce card fraud exposure.


Back to Article List

Did You Know
Holiday Credit Card Fraud: What Time is It?

Internet credit card fraud peaked between 2 p.m. and 3 p.m. on Christmas 2006.

Other trends: 62% of on-line card fraud on Christmas, 2006 originated from IP addresses outside the United States, compared to 39% on a normal day. Ghana proved to be the country of origin in 15% of the day's fraudulent transactions.

Source: Carl Clump, CEO, Retail Decisions, a UK-based issuer, processor and credit card fraud prevention services provider, www.redplc.com/.


Good News About On-Line Banking Security

When the Federal Financial Institutions Examination Council (FFIEC) issued guidelines in late 2005 to push the U.S. banking industry toward stronger security measures for consumer online banking, the industry was predictably slow to respond.

Today, new research from TowerGroup, the leading financial services research firm, shows that 95% of U.S. banks now comply with - - or are close to complying with -- the FFIEC''s authentication guidance.

Details: In implementing risk-based authentication -- often using a combination of device identification, IP geolocation, and challenge/response questions-- banks have finally struck an effective balance between anti-fraud related authentication and customer convenience.

You are receiving this e-mail because you are a participant of ICBA Bancard or you registered to receive it. Note: When available, Web links are provided as a convenience. However, the location or accessibility of links may change during or after publication.

To change your e-mail address, please
go here. If you wish not to receive ICBA "Bancard E-News", please opt-out here. If you prefer not to receive any future e-mails from ICBA Bancard, please unsubscribe here. View our Privacy Policy.

Calendar & Events:

Fraud Training Calendar:

Jan. 9
The KNOWN and UNKNOWN Fraud Equation
Request More Info

Jan. 30
The KNOWN and UNKNOWN Fraud Equation
Request More Info

Please refer to the ICBA Bancard Calendar for more fraud training.

Product Hightlights:

Visa Security ToolKit

Visa USA's Marketing, Corporate Relations and Risk team has created a security breach response toolkit entitled: "Understanding a Data Compromise and How to Respond." Effective communications can in fact make the difference between a data-breach incident that is contained and managed and one that could threaten your organization's core relationship with your customers.

Download the Toolkit

Real-Time Processing for eNFACTSM is Generally Available (FISERV EFT Clients Only)

The Fiserv EFT neural network transaction fraud detection system, eNFACT, utilizes Falcon software technology to detect the likelihood of a transaction being fraudulent. eNFACT fraud case management has previously been available in a near real-time environment.

eNFACT Real-Time is an add-on product offering that can be added to a client's existing Case Management or Near-Time program. eNFACT Real-Time allows clients to set filters at the card base that determine which transactions will be scored in real-time and potentially denied during authorization processing based on the score. These filter options are:

  • ATM Amount – Any ATM debit transaction equal/greater than this amount will score in real-time.
  • POS Amount – Any POS debit transaction equal/greater than this amount will score in real-time.
  • International – Transactions that originate from a country other than the issuer's domestic country will score in real-time.
  • TranBlocker Denote & Continue – Transactions that "bump up" against a TranBlocker rule but are not denied will be scored in real-time.
  • CardTracker Compromised Card – Transactions for card numbers that are flagged as compromised via CardTracker will score in real-time.

No additional support on your business unit's part is required beyond what is required for Case Management or Near-Time product support.

www.fisriskmanagement.com (FIS Clients Only)
This newly developed website will allow for better communication between clients, company partners, and processor regarding recent fraud trends as well as the latest products and services FIS is using to combat fraud and maximize recovery. (Available NOW!)

Merchant Statement Program
(FIS Client Only)

Merchants who accept credit cards are required to be compliant with PCI Data Security Standards. The critical focus of these security standards is to help merchants:

  • Improve the safekeeping of cardholder information by enhancing their security standards.
  • Tighten these standards to help reduce the likelihood of experiencing breaches and financial losses.
  • Avoid the possibility of fines and penalties levied by Visa and MasterCard.

In an effort to better educate merchants about compliance and validation requirements of these standards, the FIS merchant team recommends the inclusion of a brief message in each monthly merchant statement. We encourage you to submit your own unique message or authorize us to include a message informing your merchants of the importance of being responsive to Visa and MasterCard compliance mandates, deadlines and other related information.

The administrative cost of this campaign is a monthly flat fee of $25 per bank (or per your agreement) regardless of the number of merchants. In order to facilitate the delivery of this statement message, we ask that you submit your approval to your merchant representative via email. If you have any questions, please feel free to call 727 227-5088.

Fraud Loss Protection Plan

This "Members only" program assists your bank in recouping losses that would otherwise be unrecoverable.

Coverage included for cards:
• Lost & Stolen
• Not Received Issued
• Counterfeit
• Skimmed Counterfeit
• Account Take Over
• Identity theft

More information

Confirm coverage

Online Fraud Claims Tool

Allows ICBA Bancard Fraud Loss Protection Plan participants to track status of reimbursement claims.

• Track claims from date of
   receipt to completion
• View processing comments
   entered by analysis
• View compensation amounts
   processed for your bank
• Examine or print any claims
• Secure login access

View claims

Custom Portfolio Consultation:

As a dedicated resource to all community banks, ICBA Bancard offers risk, marketing, and operational consultations at no cost to community banks.

Request a free consultation today

TCM Bank

This limited purpose credit card bank is designed to position community banks in the credit card business, promoting the bank's identity while limiting or eliminating the bank's exposure to risk and marketing costs.

More Info About TCM


PCI Security Standards
Merchant 911
Visa (CISP)
MasterCard Online
Fidelity (FIS)
Fiserv EFT
Visa Online

Prevention Hightlights:

Web-based Fraud Awareness Training for Bank Employees:

FraudAware is the leading customizable on-line course that equips employees with the knowledge to prevent, detect and report:

• Credit card fraud
• Debit card fraud
• Check fraud
• Internal theft
• Other financial crimes 
   affecting issuing banks.

More information


This technology makes use of Behavior-Metrics science that individually or concurrently authenticates that the correct people are accessing and/or receiving information in a secure and efficient environment.

More Info

Bancard Fraud Quarterly
Published by ICBA Bancard
© 2007 ICBA

Contact Editors of
Bancard Fraud Quarterly

1615 L Street NW
Suite 900
Washington, DC 20036
Ph: (202) 659-8111