technical assistance - acamsfiles.acams.org/webcasts/20110914/verafin_ppt.pdf · financial crime...

Financial Crime Trends: What You Should Know About Card Fraud

Technical Assistance • Send a message via the Q & A box

• Or Call WebEx Technical Support:

(US & Canada) 866-229-3239 (International) 916-229-3239

Attendee instructions on how to use Audio Broadcast • Do not close the Audio Broadcast panel

• If you are not able to listen to the audio on your computer speakers, press the

stop button, wait 5 seconds then press play.

• Make sure to adjust the volume button on your computer speakers and also

adjust the volume on your sound card. To do this, go to the Start Menu, click

Control Panel, then click Sound & Audio Devices and adjust accordingly.

• If you do not have speakers, please refer to your login instructions for the

Teleconference Domestic and International Numbers and Access Code.

• You may request the Teleconference Number by clicking “Request” under the

attendee box on your left hand side.


• Can you hear the

sound check?

• It has begun


To send a question:

• Locate the Q & A box on the bottom right

hand corner of the WebEx platform.

• Type in your question and click send!


Financial Crime Trends:

What You Should Know

About Credit/Debit Card Fraud


Today’s Presenters


Co-founded Verafin (BSA/AML Compliance & Fraud Detection software company) in 2003

Frequent speaker at industry conferences and key presenter for Verafin’s anti-financial crime thought leadership webinar series

Verafin has more then 750 financial institution customers across North America

BRENDAN BROTHERSCo-FounderVerafin


Certified Fraud Examiner

Ex-Chair of the Canadian Bankers Association, Banking Crime Prevention & Investigation Office

Responsible for setting RBC Royal Bank fraud management strategic direction

RBC is Canada’s largest bank with more than 18 million customers in 55 countries.

JAY STARKVP, Fraud ManagementRBC Royal Bank


The World of Debit Cards

a brief synopsis…


Why Debit Fraud is a Growing Concern

38 billion transactions (2009)

Annual debit transaction volume in US

Over 1 billion debit & credit cards

Over 10 million merchant POS terminals


2010 Federal Reserve Payments Study December 2010

© 2010, Federal Reserve System 5

changes in the composition of economic activity, regulatory developments, and population

growth may also have influenced these trends.

Exhibit 2: Distribution of the Number of Noncash Pa yments

2006 2009

23%

26%32%

Prepaid card4%

ACH

15% Credit card

Debit card

Checks

paid

20%

35%

22%

Prepaid card 5%

Credit card

18%

Debit

card

Checks

paid

ACH

The check collection process has become substantially more electronic since the last

survey. Depository institution accountholders’ use of check image deposit services

(“remote deposit capture”) and replacement of paper exchange with image exchange

between depository institutions has expanded. Approximately 13 percent of checks were

deposited as images at the bank of first deposit, and 96 percent of “interbank” checks –

those deposited at one depository institution but drawn on another – involved electronic

clearing. The latter compares to an estimate of 43 percent in the 2007 study.

ACH transactions grew at 9.3 percent per year from 2006 to 2009, result ing in 19.1 billion

entries at the end of the period. Interim data demonstrate that ACH gro wth decelerated

between studies: the number of ACH entries grew more rap idly early in the three-year

period than at the end.

Since 2006, the debit card has eclipsed the check as the most used non cash instrument.

This was not only because the number of debit card transactions increa sed at 14.8 percent

per year from 2006 to 2009 but also because the number of checks paid declined 7.2

percent per year. The number of checks written also continued to decline, albeit at a

somewhat slower pace (6.1 percent) than checks paid. The rates of decline in checks

The 2010 Federal Reserve Payments Study


Means of Committing Debit Fraud

Lost and stolen card

Account Takeover +Card not received

Internet, mail ortelephone order

Counterfeit card


Counterfeit Card

Card information is obtained through skimming or data breaches

Customer still has original card

Information is used to create counterfeit card


Authentication of Debit Card Transactions

Because of the weakness of mag stripe - there are lots of ways to fraudulently get the first one

Something you have (plastic card)

Something you know (PIN) or something you are (signature)


Mag Stripe Info is Like Gold to Fraudsters

Can conduct fraudulent transactions with the info

Can use the info to create a counterfeit card

Can sell mag stripe info and/or counterfeit card on black market


Debit Fraud Losses Are Becoming More Widespread

Debit card fraud losses estimated at $788M in 2008

Number of banks that incurred debit card fraud losses

Source: ABA

2006 – 74%2008 – 94%


Debit Fraud Losses Are Becoming More Widespread

Nilson Report:$6.7 billion (2009, global)

Aite Group:$8.6 billion (US only)

Mercator Advisory Group:$16 billion (total cost)


Global Debit Card Trends


Australia

Source: APCA (Australia Payments Clearing Association)


Canada

Source: Interac


United Kingdom

Source: Financial Fraud Action UK


EMV (a.k.a. Chip-and-PIN)

More secure than mag stripe + PIN because reading chip does not provide enough info to duplicate it

Over 1 billion EMV cards have been issued globally.


EMV (a.k.a. Chip-and-PIN)

FIs should have additional protection from transaction monitoring systems

Researchers have found flaws - stolen card can be used without PIN


Canada EMV

All POS and ATM transactions will be EMV-only by 2015


Implications for Organized Crime

online (e-commerce, mail/phone order)

stolen cards

check fraud

vulnerable geographies (US)

EMV cards provide a challenge

Crime will migrate to other areas


EMV Gets a Push From

Fed Banks, Industry Groups

We may become the only substantial economic power dependent on a payments standard that is less secure than that of the rest of the world.

That means that criminals, intent on profiting from card fraud, will continue to migrate to the United States.

Criminal Gangs Expected to Target US

Federal Reserve Bank of Atlanta

Source: American Banker, September 2010

Richard Oliver, Executive Vice President


Debit Fraud Scenarios


Elder Abuse


For many people, debit fraud stems from the simple act of having one’s

card stolen or abused.


Meet Jack and Jill.

They live with Jack’s grandma, taking care of her health needs, and her finances.


Grandma is Delores Fairbanks.

She built up a small fortune in the clothing industry.


Jack and Jill have asimple plan.

Every now and again after Grandma has gone to bed, one of them slips out with her debit card to do a little personal shopping.


As time goes by without Grandma noticing, they get bolder.

Before long they’ve stolen thousands of dollars from the elderly woman.


Age of customer

Unusual volume and value of transactions for customer

Unusual transaction locations for the customer

Elder Abuse Indicators

Intention is not to drain the account, rather to siphon over a long period


Card Flipping


Meet Dmitri, another runner in Boris’ gang.


Dmitri heads to a nice secluded ATM at around 2 a.m. with a stack of cards.


His plan: Use each card once to take $200 - $300.

He’ll try to stay no longer than 15 minutes.

He could get away with $2000 if he’s fast enough.


Then he’s off to the ATM across the street to continue his wave of fraud.

Card Flipping is designed to hit many accounts as fast as possible.


Similar activity takes place in quick succession at the same ATM

Time of transaction is typically late at night or very early in the morning


Card Flipping Indicators


Card Chameleon (a.k.a. Shopping Spree)


Data breaches are one of the most common ways a gang can gain access to data for

thousands of cards.


Chameleons are armed with fake cards and sent out to take advantage of the spending habits of vacationers.


They target large malls and shopping areas in cities known for high tourism spending.


They buy what you‟d buy on holiday.

And then sell the „goods‟ on the black market.


Chameleon Indicators


Purchases made in vacation areas with no travel related transactions (hotel, airline ticket, restaurant, etc.)

Multiple high value purchases occurring in rapid succession

Purchases are quickly draining the account


Card Skimming


A well placed skimming device can get information on hundreds of accounts in a very short time.


Fake cards arequickly made…


… and given to “runners”, whose primary job within the gang is to commit

the actual fraudulent acts at the ATMs.


Boris is a runner,

who works late at

night.

His job is to

quickly get as

much money out

of an account

as possible.


At around 11 p.m. he takes $400 from one account.


Then he‟s off to the money mart across the street to buy $900 in travelers checks.


A little past midnight he returns to the ATM and takes out another $400.


When the funds run out, he deposits an empty envelope so he can take some more.


Card Skimming Indicators

Time of transaction is typically late at night, very early in the morning, or during a long weekend

Unusual transaction volume and value for the customer



Flash Attack


The following story is inspired by true events


This is Yuri and Alex, senior members in an organized fraud ring.


They travel from the west coast to a mid-west city and set up skimming devices at local gas stations.


After a day or two, they remove the devices and extract the card data.


They create a few cards and test them, ensuring the data is good.


Then they head back to the west coast, where they create a couple hundred counterfeit cards, complete with PINs.


With the help of other gang members known as “handlers”, the cards get passed out to money mules.


The mules are located in cities throughout the country, and are given very strict instructions.


1. Conduct the transactions beginning at exactly 5:00 a.m. Saturday morning.

2. Withdraw $300 on each card.

3. Stay no longer than 5 minutes


This well-choreographed attack nets the gang over$100K in just five minutes.


This type of debit card fraud

is called a flash attack.

Despite the effort required to coordinate such an attack, the pay out can be substantial.


Lots of cash in short period of time

Very hard to stop

Why all at once?


Common Points of Purchase (CPP)


What is a CPP?

Common Point of Purchase Compromise

CPP stands for Common Point of Purchase

a.k.a.

Common Point of Compromise (CPC)


Skimming device placed at a terminal grabs card details for a short period of time (hours, days, or weeks)

When cloned and used fraudulently, the card history is available for review by FI

By comparing the history of two or more cards, the location and time of the skimming device can be determined

The location and times of the actual frauds have nothing to do with CPP determination

Use that information to cancel other cards before more fraud can take place

The Concept is Simple


Time

Fraudulent Debit Card Use

Common Location


Skimmer placed on terminal

Skimmer removed from terminal

Time

1 2 3

Debit cards with known fraudulent transactions

Skimmed Terminal

Debit cards skimmed but not yet used fraudulently


There are some pitfalls

2 incidents of debit card fraud might look similar but not be related at all - so CPP detection will not work.

If a CPP is found, you will find a range of dates and times during which the device was compromised - but you might not get the full range of actual compromise.

What to do if cards were used at the same location weeks apart?

It’s possible that the device was present for a long time, but also possible that the cards happened to be used at the same place.

With more cases of fraud mapping to the same common point, the likelihood of compromise rises dramatically.


Not strictly

Most commonly, a single device will be compromised with a skimmer, which will collect data for dozens of cards

A single location (store, gas station) could also be compromised with multiple skimmers at multiple terminals

Sometimes a chain is hit in a particular area, with multiple stores getting compromised (one or more terminal per store)

Even possible that an online site that collects debit/credit card numbers is breached

Does it have to be a single terminal?


Dealing with a CPP


What is the range of dates/times that the transactions took place?

a small range more likely indicates a skimmer

more transactions mean it is more likely a skimmer

Contact the merchant

Contact law enforcement

1. Once you find a CPP you need to determine if it is reasonably a point of compromise


You have definite range during which the skimmer was present, so cancel any card used in between

Expand the ranges a bit, to account for the skimmer being present for longer than you have data

example, on January 1 at a gas station on a busy interstate - likely that it was present for most of the Christmas holidays

2. Cancel Cards


If your transaction monitoring system allows it, expand your range again and flag any cards as high risk

This will ensure even moderately suspicious activity generates an alert

Flagging is a compromise so that you don’t have to cancel cards that you feel are less risky

3. Flag Cards


The compromise could be bigger than you suspect (more related locations, longer time)

If new cases come up, investigate whether they are actually related to the existing fraud scheme

4. Continue to Monitor


How to determine CPPs

News (Michaels arts & crafts stores)

Other financial institutions

Card processor

Law enforcement

Merchants

You might simply be told of a known or suspected compromise location


A rather amusing (but highly unusual way) to detect a CPP3600 cards were recently skimmed from gas pumps in 2 locations in CA


he alerted the police who installed an alarm system in the pump

when he opened the pump – he found a circuit board and wires (components of the skimmer)

when the skimmers returned to open the pump- it tripped the alarm and the police arrested the duo

a gas station attendant received an error message at one of the pumps


Verafin / RBC Card Fraud Webinar

RBC Fraud Management

September 2011


Evolution of Capture

Shoulder surfing and card capture

Rudimentary ATM, Card and PIN capture

•Doors

•PIN Pads

Separate swipe and camera

•Gas stations

•False ATM front

Integrated POS (devise swapping)

Sophisticated ATM overlay

Dummy terminals


Evolution of Spend

Before and after midnight

Multiple cards per runner

Mass runners

Slow bleeds and foreign attacks

•mixture of captures

•limited card usage

•white label

•foreign spends


Lock Boxes


Criminal Commentary

Organized crime

Ability to mobilize quickly

Constant regression

Willingness to exploit weak issuers

Cottage industry participants

Generations of skimming devices

Path of least resistance

Adjudication issues


Fraud Management Pillars

Client Experience

Loss Reduction

Cost

Risk Management


Fraud Value Chain

Post Fraud

“Root Cause”

Analysis

Intelligence PreventionInvestigation

Prosecution

Detection

Asset RecoveryCustomer Satisfaction


Response: Core

Know they will get your cards

Detection (must prevent rather than only identify)

•CPP

•RTD (several generations)

•Bypass intermediary detection strategies

Supplements Chip roll-out

RTD supports a DBS


Response: Best Practice

Industry Consortium

Simple: Project Mike

Moderate: CPP detection

RTD: opportunity for a broader application of

detection strategies at the issuer or consortium level

Chip implementation


Response: Supplementary

Clear first mover advantage in the evolution

Opportunity in your market

• Measurement and regression

• FDI (green things), PIN shields and jitter technology

• Surveillance cameras and vestibule monitoring

• Auto blocking/RTD

• IFD and analysis

• Chip roll-out

• DBS

Reimbursement protocols

• Objectives

• Contact strategies


A Major Factor in Mitigating Card Fraud Losses


“Flash attacks” which rely on coordinated, often international, efforts to simultaneously withdraw funds from multiple ATMs, are just the beginning.

The banks that are successful at mitigating these attacks and stopping them before they do too much damage are the ones that are able to find the point of compromise very quickly.

They can stop it, if they figure out where the point of compromise was.”

Source: Avivah Litan, VP Gartner Research, 2011

“Card fraud will increase in 2011…attacks will be more sophisticated and globally coordinated.


Q&A

• Locate the Q & A box on the bottom right

hand corner of the WebEx platform.

• Type in your question and click send!


If you have additional questions for today‟s expert,

please send them to

[email protected]

Thank you for joining us today!

mailto:[email protected]

technical assistance - acamsfiles.acams.org/webcasts/20110914/verafin_ppt.pdf · financial crime...

Documents