10/9/2017
Power Up Your Fraud Mitigation Potential
Iowa Bankers Association 2017 Technology Conference
Liz Little SHAZAM Fraud Consultant
October 24, 2017
Proprietary & Confidential. ©2016 SHAZAM, Inc. Information is of general applicability and current as of date of presentation.
Agenda
Fraud statistics
Fraud trends
Compromised cards
Tools to prevent or reduce fraud losses
Best practice reminders
Fraud statistics
[Chart: Fraud Statistics 2016 — VISA®. Dollar losses (axis $0 to $4.5 billion) by fraud type: Lost, Stolen, NRI, Fraud App, Counterfeit, Acct Takeover, CNP. Series: US, Worldwide.]
Fraud statistics
[Chart: Fraud Statistics 2016 — MasterCard®. Dollar losses (axis $0 to $1.8 billion) by fraud type: Lost, Stolen, NRI, Fraud App, Counterfeit, Acct Takeover, CNP. Series: US, Worldwide.]
Fraud trends
• Skimming
• Keyed card present
• Phishing
• EMV Fallback
Skimming
• ATM
• Pay at Pump
• POS Overlay
Does this look suspicious?
ATM skimming
Regularly check terminals multiple times daily
Look for signs of tampering
• Adhesive residue
• Skimmer devices
ATM skimming
Monitor outages
Video
• View daily
• Position correctly
Notify law enforcement if skimming is detected
Skimming and EMV liability shift
Liability Shift Date Extended
• U.S. AFD (Automated Fuel Dispenser) terminals
o October 2020
ATMs
• MasterCard October 2016
• Visa October 2017
POS overlay skimming
Fraudster distracts merchant
Applies overlay
Gains card information
Shimming
Keyed card present
Card is present
Transaction is key-entered
No PIN used
May not meet counterfeit card (swiped) rules
Rules can be set to decline
Phishing
Increase in attempts to gain information
• PIN
• CVV2
• CVC2
Phishing
Social engineering
Microsoft® scam
• Results in PIN-based Internet fraud
FI scam
• Using EMV reissuance as part of scam
IRS scam
• During tax time
EMV fallback fraud
Magnetic stripe compromised
Applied to Chip card stock
How to identify
• POS Entry Mode = 80 or 90 (magnetic stripe read)
• Service Code = 2 (indicates Chip card)
• Terminal Capability Code = 5 (merchant is chip enabled)
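The three indicators above combined into a fallback check with a simple decline rule, as an added example that is not part of the original presentation or any SHAZAM product. The record layout, the card tokens, and the `amount_limit` and `max_per_card` thresholds are assumptions.

```python
from collections import Counter
from dataclasses import dataclass

STRIPE_READ_MODES = {"80", "90"}   # POS Entry Mode values listed on the slide

@dataclass(frozen=True)
class Txn:
    card: str                 # constructed token, never a real PAN
    pos_entry_mode: str       # ISO 8583 field 22; a third digit (PIN capability) may follow
    service_code: str         # leading 2 = chip card, per the slide
    terminal_capability: str  # 5 = merchant terminal is chip enabled, per the slide
    amount: float

def is_emv_fallback(t: Txn) -> bool:
    """True only when all three slide indicators hold at once."""
    return (t.pos_entry_mode[:2] in STRIPE_READ_MODES
            and t.service_code.startswith("2")
            and t.terminal_capability == "5")

def apply_fallback_rule(txns, amount_limit=100.00, max_per_card=1):
    """Return one (card, decision, reason) per transaction, in order.
    amount_limit and max_per_card are hypothetical policy values."""
    fallbacks = Counter()
    decisions = []
    for t in txns:
        if not is_emv_fallback(t):
            decisions.append((t.card, "pass", "not a fallback"))
            continue
        fallbacks[t.card] += 1
        if t.amount > amount_limit:
            decisions.append((t.card, "decline", "fallback over amount limit"))
        elif fallbacks[t.card] > max_per_card:
            decisions.append((t.card, "decline", "repeated fallback on card"))
        else:
            decisions.append((t.card, "review", "first low-value fallback"))
    return decisions

SAMPLE = [  # constructed records
    Txn("card-A", "051", "201", "5", 42.10),   # chip read at chip terminal
    Txn("card-B", "901", "201", "5", 350.00),  # fallback, high value
    Txn("card-C", "80", "201", "5", 20.00),    # fallback, first on this card
    Txn("card-C", "80", "201", "5", 25.00),    # fallback, second on this card
    Txn("card-D", "90", "101", "5", 60.00),    # stripe-only card: swipe is expected
    Txn("card-E", "90", "201", "2", 15.00),    # terminal not chip enabled (2 is constructed)
]

if __name__ == "__main__":
    for row in apply_fallback_rule(SAMPLE):
        print(row)
```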
EMV fallback fraud
EMV fallback fraud
• Loss to issuer
Liability shift does not apply
Need effective Fallback decline rules to combat
What to do when you see a fraud trend
Three or more PANs with similar fraud
Is it being caught by fraud detection system?
• If not, may need new rules or blocks
What to do when you see a fraud trend
Utilize blocking tools for specific activity
Check past compromised card notices
Run queries to try and identify CPP
• Common Point of Purchase
• Identify other cards at risk
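One way to run the CPP query described above, as an added example that is not part of the original presentation. The input layout, the 90-day lookback, the ranking heuristic, and all card tokens and merchant names are assumptions; the three-card minimum follows the "three or more PANs" guidance.

```python
from collections import defaultdict
from datetime import date, timedelta

def find_cpp(history, first_fraud, lookback_days=90, min_cards=3):
    """history: (card, merchant, date) tuples; first_fraud: {card: date of first fraud}.
    Returns [(merchant, fraud_cards, window_start, window_end, at_risk_cards)],
    strongest candidate first. lookback_days is a hypothetical setting."""
    visits = defaultdict(lambda: defaultdict(list))      # merchant -> card -> [dates]
    for card, merchant, day in history:
        visits[merchant][card].append(day)
    found = []
    for merchant, by_card in visits.items():
        hits = {}                                        # fraud card -> earlier visits here
        for card, fraud_day in first_fraud.items():
            earliest = fraud_day - timedelta(days=lookback_days)
            prior = [d for d in by_card.get(card, []) if earliest <= d < fraud_day]
            if prior:
                hits[card] = prior
        if len(hits) < min_cards:                        # slide: three or more PANs
            continue
        days = [d for ds in hits.values() for d in ds]
        start, end = min(days), max(days)
        at_risk = sorted(c for c, ds in by_card.items()
                         if c not in first_fraud and any(start <= d <= end for d in ds))
        found.append((merchant, sorted(hits), start, end, at_risk))
    # Rank by the share of cards seen in the window that later had fraud, so a busy
    # merchant that every cardholder visits sorts below a small compromised one.
    found.sort(key=lambda r: (-len(r[1]) / (len(r[1]) + len(r[4])), r[0]))
    return found

FRAUD = {"F1": date(2017, 7, 1), "F2": date(2017, 7, 3), "F3": date(2017, 7, 5)}
HISTORY = [  # constructed card tokens and merchant names
    ("F1", "FUEL STOP 12", date(2017, 6, 3)), ("F2", "FUEL STOP 12", date(2017, 6, 5)),
    ("F3", "FUEL STOP 12", date(2017, 6, 10)), ("C1", "FUEL STOP 12", date(2017, 6, 7)),
    ("C2", "FUEL STOP 12", date(2017, 5, 1)), ("F1", "FUEL STOP 12", date(2017, 7, 10)),
    ("F1", "GROCER", date(2017, 6, 1)), ("F2", "GROCER", date(2017, 6, 2)),
    ("F3", "GROCER", date(2017, 6, 4)), ("C1", "GROCER", date(2017, 6, 2)),
    ("C2", "GROCER", date(2017, 6, 3)), ("C3", "GROCER", date(2017, 6, 3)),
    ("C4", "GROCER", date(2017, 6, 4)), ("F1", "CAFE", date(2017, 6, 20)),
]

if __name__ == "__main__":
    for row in find_cpp(HISTORY, FRAUD):
        print(row)
```

The at-risk list for the top candidate is the set of cards to check against the handling options, and the window dates give a starting point for the exposure period.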
Compromised cards
MasterCard
ADC-1234-US-17
• Account data compromise
• Sequential alert number — 4 digit
• Region in which compromise occurred
• Last two digits of year
• May designate sequential alerts
o ADC-1234-US-17-2
Visa
US-2017-1234-PA
• Region and year in which compromise occurred
• Sequential alert number — 4 digits
• Type of alert
o PA — proactive alert
o IC — Internet compromise
• May designate sequential alerts
o US-2017-1234-PA-2
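A parser for the MasterCard and Visa alert number layouts above that groups follow-up alerts with the original event, as an added example that is not part of the original presentation. The two-letter region, the two-letter Visa type, numbering the unsuffixed alert as 1, and the function names are assumptions drawn from the samples on the slides.

```python
import re
from collections import defaultdict

# Patterns follow the two layouts on the slides. A two-letter region and a
# two-letter Visa type are assumptions drawn from the examples shown there.
MASTERCARD = re.compile(
    r"ADC-(?P<seq>\d{4})-(?P<region>[A-Z]{2})-(?P<yy>\d{2})(?:-(?P<follow>\d+))?")
VISA = re.compile(
    r"(?P<region>[A-Z]{2})-(?P<year>\d{4})-(?P<seq>\d{4})-(?P<kind>[A-Z]{2})"
    r"(?:-(?P<follow>\d+))?")
VISA_KINDS = {"PA": "proactive alert", "IC": "Internet compromise"}

def parse_alert(text):
    """Return a normalized record for one alert number, or raise ValueError."""
    s = text.strip().upper()
    if m := MASTERCARD.fullmatch(s):
        brand, year, kind = "MasterCard", 2000 + int(m["yy"]), "account data compromise"
        base = f"ADC-{m['seq']}-{m['region']}-{m['yy']}"
    elif m := VISA.fullmatch(s):
        brand, year = "Visa", int(m["year"])
        kind = VISA_KINDS.get(m["kind"], "unlisted type " + m["kind"])
        base = f"{m['region']}-{m['year']}-{m['seq']}-{m['kind']}"
    else:
        raise ValueError(f"unrecognized alert number: {text!r}")
    # An alert with no suffix is treated as number 1 of its event (assumption).
    return {"brand": brand, "region": m["region"], "year": year, "sequence": m["seq"],
            "kind": kind, "base": base, "follow_up": int(m["follow"] or 1)}

def file_by_event(alert_numbers):
    """Group follow-up alerts under the base alert so one folder holds the whole event."""
    events = defaultdict(list)
    for raw in alert_numbers:
        rec = parse_alert(raw)
        events[rec["base"]].append(rec["follow_up"])
    return {base: sorted(nums) for base, nums in events.items()}

if __name__ == "__main__":
    print(parse_alert("ADC-1234-US-17-2"))
    print(file_by_event(["US-2017-1234-PA-2", "US-2017-1234-PA", "ADC-1234-US-17"]))
```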
Compromised card reimbursements
May receive reimbursements for qualified events
May receive offer to accept an additional recovery amount (ARO)
• Accepting additional offer may waive right to join class action suits
• Effective 10/14/17 – Visa will include CNP events and eliminate reimbursement for magnetic stripe only cards
Best practices
Download files and save with alert number
Cross reference merchant name, if known
Keep as handy reference if needed later
Note action taken on each PAN, or group with similar action
Best practices continued
Create special rules
• Track 2
• Card Not Present
• Track 2 & PIN
Handling options
Hot card and reissue
• Call cardholder and advise
• Hot card or use temporary block
• Could allow cards nearing expiration to reissue naturally
Handling options continued
Force reissue
• Risk until new card is received by cardholder and activated
• Cardholder can keep same PAN and PIN
• Expiration date and security values change so card is no longer at risk with old data
Handling options
Transaction control & blocking
• Cardholder can use service to block card unless they are going to use it
o Can prevent fraud, if used correctly
Transaction alert
• Notifies cardholder when card is being used
Lower daily limits
Fraud monitoring
Risk and exposure
What data is at risk?
What is window of exposure?
Track 1 and 2 puts card at risk for card present counterfeit fraud
• No chargeback rights
• Unless EMV liability shift
Card Not Present – PAN, expiration date, CVV2, CVC2
• Risk for Internet or MO/TO fraud
• Potential chargeback rights
Check window of exposure
• Determine if PAN on list has reissued after end date
Risk and Exposure
Data Breaches and EMV
If merchant is NOT EMV, magnetic stripe is at risk
If merchant is EMV, but plastic is not, magnetic stripe at risk*
If merchant AND plastic are EMV, only CNP data at risk*
• Account number and expiration date only
*Kmart, Buckle
Tools to prevent or reduce fraud
Fraud monitoring tool
24/7 review
Decline/Create cases for suspicious activity
Temporarily block if cardholder cannot be reached
Ability to create custom rules
Fraud Rules
Rules
Counterfeit fraud
• Card present swiped
• EMV Fallback
• Card present/key entered
• Specific trends
Card Not Present fraud
• Testing
• Specific trends
Compromised Cards
• Track data
• Track data and PIN
• Card Not Present data
Alerts and controls
Transaction alerting & Blocking
• Dollar amount
• Internet
• International
Suspicious activity alerts
Transaction control
• If alert received that is fraud, cardholder can immediately block
• Cardholder can proactively block card until they want to use
Success Story!
Blocking
Transaction blocking options
• State/MCC (Merchant Category Code)
• State/MCC/Dollar amount
• Countries
• MCCs
EMV
What is EMV?
• Chip technology used for Card Present transactions
• Meant to reduce counterfeit card fraud
EMV issuance
EMV
EMV
Other tools
Daily Limits
• Keep low, but manageable
Mobile payment devices
• Apple Pay®
• Samsung Pay®
• Android Pay™
• Microsoft® Wallet
Reports
Best practice reminders
Use on-hold time and website for cardholder education
Take advantage of anti-fraud marketing materials
Keep daily limits low, but manageable
Make sure after-hours recordings provide a 24/7 number to report fraud or lost/stolen cards
Best practice reminders
Establish or join local fraud group
• Including law enforcement community
• Networking and information sharing
Designate an after-hours fraud contact
Educate cardholders to use PIN when possible to avoid inconvenience
Thank You!
QUESTIONS?