Confidential and Proprietary © Fifth Third Bank | All Rights Reserved Data Breach Management 15th Annual ATM, Debit & Prepaid Forum, Oct. 4, 2007 Presented by Angela Brown, SVP, Fifth Third Bank & Chris Roberts, SVP, Wachovia Bank


Industry Overview

Overview

• Breaches undermine brand and consumer confidence in the payments industry.

‐ Criminals' abilities to impersonate a customer, or a merchant, are rising.

‐ Losses from identity theft are estimated at $52B annually.

‐ Fraud poses a growing threat to the security of information used in payment systems.

‐ Institutions using an in‐house system can experience 10‐11 lost basis points in card fraud losses.


• Account data compromise trend continues to be a significant concern for the industry

– Potential of fraud losses for financial institutions
– Issuer costs and cardholder impact
– Adverse media publicity
– Legislative interest


Current Trends

• Cyber crime is growing in sophistication
• Exploitation of vulnerabilities in value chain is increasing
• POS systems are frequent targets

– Magnetic stripe data is stolen from data logs as opposed to traditional databases
– Sensitive data is unknowingly stored
– Hackers are targeting centralized servers with Internet connectivity


• Globally organized criminals are involved in hacks
• SQL injection is the most common attack method
• Remote Control Software

– PC Anywhere/VNC commonly used


Criminal Attraction

Cost of an Identity

An identity – including a U.S. bank account, credit card, date of birth and government-issued identification number – was available for between $14-18

A recent going rate for a U.S. individual's entire identity, complete with mother's maiden name and Social Security number, was $13

Typical costs of goods and services in chat rooms:

—$150: Driver's license

—$150: Birth certificate

—$100: Social Security card

Financial Fraud

—$6000, average new account fraud loss; doubled from 2005-2006¹

—$2500, average unauthorized credit card charge; 4X loss from 2005¹

Sources: Symantec Corporation, Internet Security Threat Report, Mar. 2007; BusinessWeek, “Coming to Your PC's Back Door: Trojans,” Jan. 2006; USA Today, “Cybercrime flourishes in online hacker forums,” Oct. 2006


A Growing Reputation Risk

YTD September 2005

Compromised Accounts by Geography

U.S. 99%
Non U.S. 1%

Compromised Accounts by Category

Merchant Hack 98%
Merchant Burglary 1%
Other* 1%

*Includes Law Enforcement Recovery, Operation Stop IT, ATM Compromise, ATM Skimming, Merchant Bust-Out and CPP


“The Sky is Not Falling ‐ But It Could”

• Security as a differentiator

‐ Bolstering fraud prevention strengthens loyalty and provides an ROI on technology investments.

• Technology advancements are making it possible to “deputize” the customer.

• Fundamental to limiting fraud loss is having the right prevention technology AND the right processes in place to mitigate risk if a breach occurs.

Quote by Orson Swindle, chair of the Center for Information Policy Leadership for Hunton & Williams, an international law firm, who participated in a two-day conference designed to bring together diverse stakeholders in the payments industry: “Facing Up to the Challenges”.


Complexity

• Complexity of processing in today’s environment

– Multiple participants in the value chain
– Thousands of vendors, MSPs, ATM processors, and gateways

• Need for increased level of education and awareness of stakes, for all participants


Regulatory and Compliance Arena

• Payment Card Industry (PCI) Data Security Standards, Audits, and Self‐Assessment

• CUNA 2006 Guidelines

• Visa & MasterCard Compliance Validation

• Safe Harbor

• What will be the next “3DES‐like” mandate?


Fighting Fraud Methods

Fraudsters

• RAM Raids
• Skimming
• CVV Brute Force Attacks
• System Breaches
• Biometrics


eThreats

• Malware
• Phishing
• Directory Harvesting
• Data Breaches


Financial Implications of Phishing

# of E-mails Sent                  100,000     1,000,000    10,000,000
Click-through Rate                   0.10%         0.10%         0.10%
Accounts Compromised                   100         1,000        10,000

$ per Account Compromised            $5.00         $5.00         $5.00
Fraudster Income                      $500        $5,000       $50,000

Fraud per Account Compromised         $350          $350          $350
Fraudster Income                   $35,000      $350,000    $3,500,000


FTPS Portfolio Approach

Implications for Fifth Third

• Fifth Third Processing Solutions

– Processes over 17 Billion Transactions per year
– Processes for more than 147,000 Financial Institutions and Merchant locations nationwide
– Drives over 12,200 ATMs in 11 countries
– Supports more than 33 Million debit cards

• Continual Investment in Technology


Fraud Mitigation Best Practices

[Diagram labels: CASH SECURITY; ATM TRANSACTIONAL SECURITY; PIN & ENCRYPTION SECURITY; ATM PHYSICAL SECURITY; CARDHOLDER SECURITY; CARD SECURITY; CYBER SECURITY; ATM CONNECTIVITY SECURITY]


• Automatic Chargebacks

• Card Activation Block

• Card Compromise Alerts

• Custom Debit Card Authorization Strategies

• CVV/CVC Brute Force Protection

• Expiration Date Matching

• Identity Theft Alert

• Lost/Stolen Support


• PRISM

• Reporting and Issuer Direct

• Review of Card Limits

• Two Year Re‐Issue Cycle

• Verified by Visa & MasterCard Secure Code


PRISM

• PRISM is an information processing system which “learns” to recognize and differentiate data through exposure to repeated patterns.

• “Neural Net System” based on neural algorithms and modeling.

• “Rules Based” means a “rule” can be written to match criteria passed within the incoming authorization data or fields within PRISM.

• Real Time vs. Near Real Time


PRISM ‐ How Does it Work?

[Flow diagram labels: Merchant; Acquirer; Authorization Switch; Issuer; Request; Response; Authorizations; Neural Network; Evaluation; Electronic Alert Delivery to End User; Cardholder Contact]


Year One PRISM Results

724,283 Alerts reviewed

26,496 frauds detected

More than 70M loss averted


Card Compromise Support

• CAN/CAMS alerts the FI of card compromise, so the FI can conduct a risk evaluation.

• The FI is provided with tools that allow investigation down to the card level.

• The FI initiates a process to automatically generate new cards and close existing cards, minimizing the impact to the cardholder.

• Fifth Third pulls the FI request, issues new cards, and old cards are closed within 2 weeks, automatically.


CVV /CVC Brute Force Protection

• Criminals attempt to gain CVV/CVC value by using multiple authorization requests in rapid succession.

•With CVV/CVC Brute Force Protection, the system detects transactions that appear to be unique “swipes” coming from different merchants, but originating from a single source.  


The card is auto‐blocked on the signature side at the sixth swipe to prevent fraudsters from gaining the correct value. The customer can use the PIN side of their card until it is re‐issued.
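The blocking rule described on these two slides, sketched as an added example (not code from the presentation or from Fifth Third). The event fields, the `source` identifier, counting only CVV mismatches, and the 60-second window are assumptions; the slides give only the sixth-swipe threshold and the "different merchants, single source" pattern.

```python
from collections import defaultdict, deque

BLOCK_AT = 6          # slide: signature side is blocked at the sixth swipe
WINDOW_SECONDS = 60   # assumption: the slides do not define "rapid succession"

class CvvBruteForceGuard:
    def __init__(self):
        self.attempts = defaultdict(deque)   # card -> recent failed signature swipes
        self.signature_blocked = set()

    def authorize(self, ts, card, merchant, source, entry, cvv_ok):
        """Return 'APPROVE', 'DECLINE' or 'BLOCKED' for one authorization request."""
        if entry == "pin":
            # PIN side stays usable until re-issue (PIN checks are out of scope here).
            return "APPROVE"
        if card in self.signature_blocked:
            return "BLOCKED"
        if cvv_ok:
            return "APPROVE"
        window = self.attempts[card]
        window.append((ts, merchant, source))
        while window and ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()                 # forget attempts outside the window
        merchants = {m for _, m, _ in window}
        sources = {s for _, _, s in window}
        # Pattern from the slide: many apparent merchants, one originating source.
        if len(window) >= BLOCK_AT and len(sources) == 1 and len(merchants) > 1:
            self.signature_blocked.add(card)
            return "BLOCKED"
        return "DECLINE"

def replay(events):
    """Run a list of events through a fresh guard and return the decisions."""
    guard = CvvBruteForceGuard()
    return [guard.authorize(*e) for e in events]

# Constructed sample: six wrong CVV values in six seconds under six merchant IDs
# from one source, then a correct CVV on the signature side and a PIN purchase.
SAMPLE = [(t, "card-tok-1", f"M{t}", "src-9", "signature", False) for t in range(6)]
SAMPLE += [(7, "card-tok-1", "M7", "src-9", "signature", True),
           (8, "card-tok-1", "M8", "pos-3", "pin", True)]

if __name__ == "__main__":
    for event, decision in zip(SAMPLE, replay(SAMPLE)):
        print(event, "->", decision)
```

Repeated mismatches at a single merchant, or attempts spread out beyond the window, are declined individually but do not trigger the block in this sketch.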


Next Generation of Fraud Tools?

Advanced Identity Analytics

Looks at patterns associated with identity theft.

Fraud pattern

Two SSNs are associated with one address, yet one SSN is associated with two names
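The fraud pattern above expressed as a linkage check over application records, as an added example that is not part of the original slides. The record layout, the normalization step and the sample data (including the deliberately invalid 000-prefixed SSNs) are constructed for illustration.

```python
import re
from collections import defaultdict

def normalize(text):
    """Lowercase, drop punctuation and collapse spaces so '12 Elm St.' == '12 elm st'."""
    return " ".join(re.sub(r"[^\w\s]", "", text).lower().split())

def find_identity_anomalies(records):
    """records: iterable of (name, ssn, address).

    Returns {address: [ssn, ...]} for every address that has two or more SSNs
    where at least one of those SSNs also appears under two or more names.
    """
    ssns_at_address = defaultdict(set)
    names_for_ssn = defaultdict(set)
    for name, ssn, address in records:
        ssns_at_address[normalize(address)].add(ssn)
        names_for_ssn[ssn].add(normalize(name))

    flagged = {}
    for address, ssns in ssns_at_address.items():
        if len(ssns) < 2:
            continue                      # a single SSN at an address is not the pattern
        reused = sorted(s for s in ssns if len(names_for_ssn[s]) >= 2)
        if reused:
            flagged[address] = reused
    return flagged

# Constructed sample records; none of these values are real.
SAMPLE = [
    ("Pat Doe", "000-00-0001", "12 Elm St."),
    ("P. Roe",  "000-00-0001", "12 elm st"),    # same SSN, second name
    ("Sam Poe", "000-00-0002", "12 Elm St"),    # second SSN at the same address
    ("Ann Low", "000-00-0004", "7 Pine Rd"),    # ordinary household: two SSNs,
    ("Bob Low", "000-00-0005", "7 Pine Rd"),    # each with exactly one name
    ("Lee Moe", "000-00-0003", "40 Oak Ave"),
]

if __name__ == "__main__":
    print(find_identity_anomalies(SAMPLE))
```

The household at 7 Pine Rd shows why both conditions are needed: several SSNs at one address is normal unless one of them is also being used under more than one name.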


Conclusions

The entire payment system must work together to combat ID Theft

• To protect against losses, banks and issuers must overcome disconnects between current capabilities to stay ahead of emerging fraud patterns.

Consumer confidence matters

— Consumers don’t differentiate between ID Theft and Card Fraud

• Fraud will continue to be a risk factor requiring diligence

— Technology and Compliance

— Branding and Appearance


Thank You!