ICBA Bancard - News and Information - Fraud Newsletter - July 2009

Fraud Newsletter

July 2009

August 3, 2009

Today's Headlines:
Help for Frustrated FACT Act Implementers
See How Fraudsters Manufacture Bogus Cards
Don’t Let Recession-Driven P-Card Abuse Cost You
The State of Credit Card Fraud: Time to Get Serious About Controls
Real-Time Falcon Statistics
Social Networking ID Fraud: Do You Know Who Your REAL Friends Are?
Your Sensitive Data May be Flowing Out the Door
The Value of Proactive Fraud Prevention

Help for Frustrated FACT Act Implementers

The Federal Trade Commission (FTC) has launched a Web site to help businesses and non-profits comply with the so-called Red Flags Rules on identity theft contained in the Fair and Accurate Credit Transactions Act (FACTA).

The FTC will begin enforcing the Red Flags Rule, effective November 1, 2008, this month.

The Red Flags Rule mandates anti-identity theft programs for businesses and non-profits to identify potential misuse of personally identifiable information (PII) of employees, customers, medical patients, etc., such as Social Security numbers, driver’s license numbers and medical information.

The new FTC site provides articles and guides to help create identity theft prevention programs, a key requirement of the rules. The most useful offering is a “how-to” guide called Fighting Fraud with the Red Flags Rule.

 

Click here to obtain the guide and additional useful compliance information.


See How Fraudsters Manufacture Bogus Cards

In a rare glimpse into the actual process by which stolen credit card data is used to create bogus duplicate cards, the Newport Beach, California Police Department has made a video showing the machinery and techniques involved in the global crime.

Click here to view the video.


Don’t Let Recession-Driven P-Card Abuse Cost You

Corporate credit card fraud typically increases during economic recessions.

The most common form of abuse: the use of purchase cards (P-Cards) or company-sponsored expense cards for personal purchases.

This risk is often greater during staff cutbacks, as employees rush to make personal purchases before turning in their cards. Unfortunately, it's the organization that may be liable for such purchases even if the cards are issued to individuals.

Self-defense for bank employers:

  • Increase manual reviews of corporate card statements. Screen for signs of alterations on receipts or statements.
  • Tighten restrictions on authorized use of P-cards and ensure that departing employees’ card accounts are immediately cancelled.
  • Educate employees on P-card abuse so that management can detect potential fraud and staff better understand which fraud and misconduct should be reported. Communicate appropriate channels to report P-Card fraud, such as whistleblower hotlines.
  • Reinforce the organization’s commitment to ethical conduct and emphasize that fraud will not be tolerated under any circumstance.
  • Review segregation of duties with regard to reviewing and approving P-Card documentation and expenses.

Source: Carl Lackstrom, associate director, Litigation, Restructuring & Investigative Services Practice, Protiviti Inc, writing in White-Collar Crime Fighter.




The State of Credit Card Fraud: Time For U.S. to Get Serious About Controls

Reports by the Association for Payment Clearing Services (APACS), the umbrella body for the UK payments industry, indicate that Chip and PIN technology has reduced Card Present (CP) fraud in countries where it is deployed by 35% since its introduction in 2005.

Chip and PIN (also known as Smart Cards) combines an embedded microchip with a manually entered PIN.

Problem: Chip and PIN has been pushing card fraudsters to countries where Chip and PIN is not in use and to the Card Not Present (CNP) world of E-commerce. Now APACS is reporting a 190% increase in overseas CNP fraud in the same period [i].

By 2010, Chip and PIN will be used throughout Europe. And Canada has recently completed a full market test of the technology and will be rolling it out nationwide over the next few years. However, to date, the U.S. card companies have no plans to change.

Prediction: The U.S. will therefore become a juicy target for CNP fraudsters in the Internet’s global economy because it will be one of the few countries without Chip and PIN.

Card Fraud: The Foreign Threat

Credit card fraud perpetrated by overseas criminals is becoming increasingly sophisticated. A recent article in the UK Times Online, citing information from British police and US counterintelligence sources, reported that Chip and PIN readers located throughout Europe had been rigged with sophisticated electronic devices that prompted the readers to record MasterCard numbers and PINs and wirelessly “phone” the data to a known Al-Qaeda group in Pakistan.

Lesson: The global nature of credit card commerce means that US issuers, merchants and processors are also potential targets of such high-tech fraud.

SOURCES OF FRAUD
Until the record-setting Heartland Payment Systems breach in January, there hadn’t been a credit or debit card-related breach as large as the TJX fiasco of 2007, in which some 94 million credit card records were stolen by cyber-thieves. Nonetheless, 2008 data loss reports are up almost 70 percent over the prior year [ii], and there was a marked rise in ATM hacks [iii]. Though definitive totals of credit card records lost in the Heartland event have yet to be reported, 2009 is certain to go down in credit card fraud history as one of the most devastating.

Important lesson for issuers, merchants and cardholders: The fraudsters are getting more sophisticated and too many companies are still as careless as ever about handling Personal Identifying Information (PII).

Equally distressing is the number of reports of lost backup tapes, missing disk drives, and other improper handling of well over 30 million records related to credit cards, debit cards, or PII.

Examples: Medical Mutual of Ohio lost a disk drive with the personal information of 36,000 people. The City of Indianapolis posted Social Security numbers, names, and dates of birth of about 3,300 on a public Web site. National Offender Management Service lost a disk with 5,000 confidential records, and Blue Cross and Blue Shield of Georgia sent 202,000 medical records to the wrong address.

Important: These incidents could have been prevented by nothing more than diligent tracking of data.

AS IF THINGS WEREN’T BAD ENOUGH…
The slumping global economy has been pushing more and more people to commit credit card fraud that they might not have previously attempted. Many see it as a matter of survival…especially if they’ve lost their jobs and credit cards become the last resort for paying bills.

WHAT CAN BE DONE?
In the short term, extra vigilance is the best answer for all parties—merchants, issuers, processors and cardholders.

All organizations involved in financial transactions must take the necessary steps to protect themselves and their customers against fraudulent chargebacks, theft of credit and debit cards, employee card fraud and skimming, on-line CNP fraud, etc.

Additional Anti-Fraud Steps to Take Now:

  • Make every effort to assure complete PCI compliance. If some good came from the breach in 2008 of the Hannaford Brothers grocery chain, it was the release by card companies of PCI-DSS version 1.2 that went into effect on October 1, 2008.
  • Upgrade from the older wireless encryption standard known as Wired Equivalent Privacy. PCI Security Standards require merchants to have eliminated it by June 2010.
  • E-commerce merchants should review their manual fraud screening procedures to make sure they are doing everything they can to weed out fraud. The initial investment in fraud screening technology like Payer Authentication, IP-Geolocation and neural networks could pay huge dividends.
  • Make sure that employees know how to spot counterfeit cards and know the procedures to follow if one is presented. A recent report noted the practice, known as “shaving” [iv], of slicing the numbers off expired cards and then carefully gluing them onto another card in the sequence of a legitimate account number (either stolen, purchased on the black market or otherwise obtained). These poorly counterfeited cards require manual keying and can be easily caught with as little as five minutes of training.

COMING SOON…
The credit card companies are working on some fraud solutions including a display and keyboard built into the credit card to generate one-time passcodes [v]. That’s taking place in Australia now but don’t look for it in the U.S. anytime soon, especially since the cost is keeping Chip and PIN away.

Source:
Tom Mahoney, founder and director of Merchant 911.org, a leading Internet information exchange for E-merchants seeking to prevent online fraud. This article is adapted in part from one contributed by Mahoney to White-Collar Crime Fighter newsletter.


[i] http://www.apacs.org.uk/APACSannounceslatestfraudfigures.htm
[ii] http://www.thetechherald.com/article.php/200827/1382/
[iii] http://www.merchant911.org/blog/index.php/2008/07/03/more-atm-hacks-a-disturbing-trend/
[iv] http://www.creditcards.com/credit-card-news/shaving-credit-card-identity-theft-scam-1282.php
[v] http://www.heise-online.co.uk/news/Visa-plans-credit-card-with-onboard-TAN-generation--/110939


Real-Time Falcon Statistics

Total YTD, January - June 09:

  • # of Actual Fraud Cases: 104,307
  • # of Actual Fraud Accounts: 2,770
  • Fraud $'s Saved*: $12,271,470

* Potential loss if entire credit line had been compromised

For more information on Falcon statistics and ways that you can protect your bank from fraud attacks, contact Alan Nevels, Senior Vice President, Card Risk at (800) 242-4770 or visit ICBA Bancard's Online Risk Management & Prevention Center.



Social Networking ID Fraud: Do You Know Who Your REAL Friends Are?

Lately, scams perpetrated via Facebook, MySpace, LinkedIn and the other major social networking sites to which some 70 million Americans subscribe have become the subject of increasing concern.

It works like this: you get a message from an online "friend" inviting you to check out a new profile page. When you click on the provided link you're directed to a page and asked to log on again. In reality, you're handing over your confidential password to the “friend” who happens to be a fraudster. And while there’s not much the fraudster can do to hurt you financially inside the network with that information, if you use the same login information to pay your credit card bill for example, the fraudster now has that information and can obtain the card data he needs to make fraudulent purchases using your account.

Caution: Beware of any links that ask you to sign on a second time. This is very unusual, if not unheard of, if you're already signed on to the network. If the invitation comes via email, contact the friend to confirm he/she actually sent it.

Source: Scambusters.com



Your Sensitive Data May be Flowing Out the Door

A firewall is no defense against an irresponsible employee. A recent study by the Ponemon Institute, an Information Security research think tank, found that more employees than ever are sharing passwords with others and using USB drives to transport sensitive information outside the office.

The study, entitled Trends in Insider Compliance with Data Security Policies: Employees Evade and Ignore Security Policies, found that in 2008, 61 percent of employees misused an insecure USB stick in the workplace, representing a staggering 20 percent jump from the 51 percent level found just one year earlier.

Equally troubling: 36 percent of employees still share passwords with others, after years of being instructed not to. While this represents an increase of only two percentage points from 2007, the fact that it is rising at all is indicative of a communications failure, an attitude of apathy on the part of many employees or a combination of these and potentially other unfavorable factors.

“The Ponemon Institute believes these results show overall lack of urgency by companies on the need to address data security,” said Ponemon Institute Chairman Larry Ponemon. “Unfortunately, our studies have also shown that it often takes a data breach incident before an organization will finally get their wake-up call and take data security seriously.”

The financial services industry, which includes banks, credit card companies and brokerage firms, represented 17 percent of respondents.

Sources:

  • Trends in Insider Compliance with Data Security Policies: Employees Evade and Ignore Security Policies, study by Ponemon Institute, Traverse City, MI
  • Dr. Ponemon’s Blog



The Value of Proactive Fraud Prevention

WHAT IS THE VALUE OF HAVING A DOCUMENTED FRAUD PREVENTION PLAN?

There’s an old saying that “preventing losses is far easier than chasing money that has already left the bank.” It’s also more economical: fewer cases mean fewer investigators trying to recover funds that have left the bank. Working fraud alerts quickly is far more efficient than conducting long, drawn-out investigations. It results in better customer service when you proactively protect accounts against fraud. It leads to lower attrition because customers who have experienced fraud on their accounts (even though you made them whole financially) may have lost confidence in your bank, and leave for another institution.

The value of effective fraud prevention has many components…lack of an all-encompassing fraud prevention plan can lead to enormous risk.

Source: Shirley Inscoe, director of Financial Services Solutions, Memento Inc., writing at Bank Fraud Forum. Shirley held a variety of senior positions in payments strategy, enterprise fraud, compliance and operations during her 29-year banking career at Wachovia. She has chaired the BITS Fraud Reduction Steering Committee for several years.



Calendar & Events:

Fraud Training Calendar:

August 11, 12:00 p.m. EST
Webinar: Enhanced Risk Blocking

August 11, 2:00 p.m. EST
Webinar: COMPROMISE MANAGER™ Webinar

August 13, 2:00 p.m. EST
Webinar: Lost, Stolen, Fraud & Disputes

September 30, 2:00 p.m. EST
Webinar: Chargeback Services: How to Manage the Fraud & Dispute Resolution Process

Please refer to the ICBA Bancard Calendar for more fraud training.


Training Opportunity:

FraudAware, the leading provider of Web-based employee fraud awareness training, has a limited number of slots for ICBA member banks to sign up for FACT Act Red Flags employee training. This is the ONLY EMPLOYEE education on red flags -- in compliance with latest regulatory guidelines. For a free, no-obligation consultation, call Peter Goldmann, Training Developer, at 1-800-440-2261 or e-mail pgoldmann@fraudaware.com.









Fraud Loss Protection Plan

This "Members only" program assists your bank in recouping losses that would otherwise be unrecoverable.

Coverage included for cards:
• Lost & Stolen
• Not Received Issued
• Counterfeit
• Skimmed Counterfeit
• Account Take Over
• Identity theft




Online Fraud Claims Tool

Allows ICBA Bancard Fraud Loss Protection Plan participants to track status of reimbursement claims.

Highlights:
• Track claims from date of receipt to completion
• View processing comments entered by analysis
• View compensation amounts processed for your bank
• Examine or print claims
• Secure login access




Custom Portfolio Consultation:

As a dedicated resource to all community banks, ICBA Bancard offers risk, marketing, and operational consultations at no cost to community banks.




TCM Bank

This limited purpose credit card bank is designed to position community banks in the credit card business, promoting the bank's identity while limiting or eliminating the bank's exposure to risk and marketing costs.




USEFUL WEBSITES:

PCI Security Standards
Merchant 911
Visa (CISP)
MasterCard Online
Fiserv EFT
Visa Online
Bankrate.com
Consumer.gov
FTC
AnnualCreditReport.com



Prevention Highlights:

Neokinetics

This technology makes use of Behavior-Metrics science that individually or concurrently authenticates that the correct people are accessing and/or receiving information in a secure and efficient environment.



Merchant PCI Compliance Solution – Coming Soon
(FIS Clients Only)

Merchants who accept credit cards are required to be compliant with PCI Data Security Standards. The critical focus of these security standards is to help merchants:

  • Improve the safekeeping of cardholder information by enhancing their security standards.
  • Tighten these standards to help reduce the likelihood of experiencing breaches and financial losses.
  • Avoid the possibility of fines and penalties levied by Visa and MasterCard.

In an effort to assist merchant Acquirers and better educate merchants about compliance and validation requirements, the FIS merchant team, in partnership with Data Delivery Services (DDS), is rolling out a one-stop PCI solution for ICBA clients. By utilizing the FIS program, acquiring banks can monitor their merchants' compliance efforts with a sleek and easy-to-use web-based solution. Additionally, merchants will have the ability to complete the appropriate Self Assessment Questionnaire online and have access to an Approved Scanning Vendor for merchants that conduct transactions using software connected to the internet. As an added bonus, all merchants that are enrolled will have access to DDS' web-based customer service module, which allows merchants to monitor their batches, view statements and much more. Contact Alan Nevels at (800) 242-4770 for more information.



Bancard Fraud Quarterly
Published by ICBA Bancard
© 2008 ICBA

Contact Editors of
Bancard Fraud Quarterly

1615 L Street NW
Suite 900
Washington, DC 20036
Ph: (202) 659-8111

bancard@icba.org