Optimize Your Fraud Prevention Engine:Prevention Engine: Fraud Tune-up Tips

The webcast will begin shortly.

CSCU Annual Meeting

S th D t !Save the Date!

Disney’s Yacht and Beach Club, Orlando, FL,

April 27 – May 1, 2011

•Registration: $350/person or $600 for two or moretwo or more

•Room Rate: $189/night

•Questions? Contact: CSCUAnnualMeeting@cscu.net

•To see last year’s presentations•To see last year s presentations and photos: www.cscu.net/annualmeeting

Upcoming Webcasts:December 15 2010 at 2pm ETDecember 15, 2010 at 2pm ETMasterCard Q1 2010 Marketing Calendar Michael Gomez, MasterCard

MasterCard offers a range of targeted and non-targeted marketing programs designed to help you drive profitable cardholder behavior.

January 11, 2011 at 2pm ETMaximizing Portfolio Growth in 2011Maximizing Portfolio Growth in 2011Cassie Melvin, CSCU and Bill Lehman, CSCU

Give your credit and debit card programs a boost with help from CSCU.

Register now at www.cscu.net/webcasts

Brian Mills, FIS,Risk Analyst, Fraud Prevention

Agendag

• Fraud Prevention– Fraud Landscape– Best Practices– System Parameters & Controls

Fra d b T pe Characteristics– Fraud by Type Characteristics– Responding to a Fraud Trend

The Fraud LandscapepATMs

MerchantsSkimmingPhishingCompromised ATM Check Fraud

ID TheftDeposit Fraud

Branches

pCounterfeit

Check FraudCard FraudLost/StolenMOTO

pCheck Fraud

Accounts

PhishingPharmingHacking

ID TheftDeposit FraudAcct Takeover Financial

InstitutionInternetBanking

Ch k

Accounts ac gID Theft

ID TheftCounterfeitChecks

st tut o

VishingTelephoneBanking

CheckProcessing

Checks VishingSmishing

Current Fraud Trends

• Counterfeit• Data Compromises• Phishing/Vishing/SmShishing Schemes• Identity Theft

Fraud Prevention Best Practices

Fraud Prevention Best Practice • Neural Network Monitoring

24 x 7

• Neural Network Real Time

• Procedures for verification of address changes and PIN and/or plastic requests

• Cardholder education to prevent PhishingNeural Network Real Time Decisioning

• CVV/CVC Matching

• Card Activation

• Promote cardholder enrollment in Verified by Visa or MasterCard SecureCode

• Report Monitoring• Card Activation

• Expiration Date Matching

• Address Verification Service

Report Monitoring– Daily Authorization Reports– Excessive Activity– Foreign Transaction Listing– Card Activation Activity

Maintenance Activity• Address change confirmation letters

– Maintenance Activity

• Authorization Name Matching

• Issuer’s Clearinghouse Service fraud alerts (ICS)g ( )

• Daily parameter controls (spend limits, velocity controls)

Authorization Name Mismatch

• Compares the name in the authorization record (track 1 data) to the name in the embossing record

– If the name on both records match, authorization process continues – If the name on both records do not match, authorization is declined

• ANM does not apply if:– The merchant provides track 2 data

The merchant manually entered the card’s data for the transaction in the system– The merchant manually entered the card s data for the transaction in the system (not swiped through the POS terminal)

Issuer’s Clearinghouse Service g(ICS)

• ICS is a national database developed by Visa and MasterCard at the issuer’s request to help identify fraudulent information on new applicationsfraudulent information on new applications

• ICS collects the following customer information from sources such as issuers, Social Security Administration, and the U.S. Postal Service:

Valid and deceased person’s Social Security Number (SSN)– Valid and deceased person s Social Security Number (SSN)– Addresses and telephone numbers for hotels, prisons, and resorts– Unauthorized use of reports– Filings of bankruptcy petitions

• The ICS can help reduce U.S. issuer losses caused by the following:– Fraudulent credit card applications– Falsified lost and stolen card claims– Cards not received– Excessive credit application activity

Issuer’s Clearinghouse Service g(ICS)

• ICS supports all U.S. issuers by performing the following tasks:ICS supports all U.S. issuers by performing the following tasks:– Provides information about application activity and fraudulent card use reported by other

issuers– Alerts issuers about potential losses by identifying invalid or questionable application

information– Informs issuers of bankruptcy filings– Tracks home addresses, telephone numbers, and SSNs in new credit card accounts,

declined applications, and reports of fraudulent activity.• ICS requires the issuer to send SSNs, home addresses, and home telephone numbers to them for q p

the following types of transactions:– Approved accounts– Declined accounts– Fraudulent applicationspp– Account with fraudulent activity

System Parameters and Controls

Authorization Parameters

• Authorization parameters determine if a transaction should be accepted th h th tthrough the system

• Predetermined system rules govern the response code given on a transactiontransaction

• Authorizations that come into the system must generate a response code:– Approved– Declined– Refer to card issuer– Capture card or pick-up card– Code 10

Authorization Parameters

• Daily Parameter Controls:– Daily Limits – Velocity & Dollar Amount– Country Code Blocks– Foreign Authorizations

ATM A thori ations– ATM Authorizations– Over limit Levels– PIN Validation

• First Time at ATMFirst Time at ATM– Credit Line Management Controls

Parameter and System ControlsParameter and System Controls

• Parameter and system controls run automatically on the feature specification that have been predetermined by the control

– Issuers should change parameter settings as the fraudulent activity changes– Some changes may impact regular customer activityg y p g y

Parameter Settingsg

• Authorization parameter settings may control:– Number of transactions per day– Certain transactions may be restricted based on set criteria:

• Type of merchantMerchant co ntr• Merchant country

– Dollar limit within country

Parameter Settingsg

• Look for common threads in the fraud pattern then set parameter restrictions

• The most common parameters for fraud control are:– Cash Advance – Lost / Stolen, Counterfeit

P t All f d t– Payments – All fraud types• Booster Checks• Card Kiting

Characteristics By Fraud Type

Characteristics of Counterfeit Plastic • Fraud activity shows that card was present (POS 90)

– Indication that track data was captured (Track one or Track two, or full track data) and duplicated

– Result of either a skimming operation or database breach of a merchant or processor

• Excessive transaction activity within a short time frameExcessive transaction activity within a short time frame– Fraud transactions occur within minutes and in close proximity of each other.– In some cases, fraud can occur both in and out of the United States at the same

time depending on fraud ring• Times and geographical locations of transactions are outside of customers

normal spending pattern• Similar merchant patterns are noticeable

V i b f d t– Varies by fraudster• If applicable, Neural Net case created

Counterfeit Plastic

Counterfeit Plastic

Quiz! - True or False

• Track data can be compromised by the following methods:

– Compromised ATM– Skimming Device – Database Breach

Counterfeit Plastic True!• ATM skimmer over the card slot• Handheld skimmer or altered POS device designed to capture mag-stripe informationg p g p• Database base breach

Best Practices: Counterfeit Plastic

• CVC/CVV Matching• Neural Network monitoring 24x7x365• Neural Network Real-Time Decisioning• Report Monitoring• Authorization Name Match• Daily Parameter Controls (Spend Limits, Velocity Limits)

Characteristics of Card Not Present

• Fraud Activity shows as POS 01– Indication that account number, expiration date, and CVV/CVC2 were captured– Result of database breach, Social engineering attack such as Phishing, collusive

employee• Excessive activity from various ecommerce or Mail Order/Telephone Order• Excessive activity from various ecommerce or Mail Order/Telephone Order

merchants– Fraud transactions occur within a short amount of time between each other

• Similar merchant patterns are noticeableSimilar merchant patterns are noticeable– Varies by fraudster

• If applicable, Neural Net case created

Card Not Present

• Quiz! - Yes or No

• Can a criminals collect data through the following methods?– Phishing– Pharming– Database Breach– Vishing

SmShing– SmShing

Card Not Present Yes!

• Data is collected, harvested and sold on underground carding websites.

Best Practices: Card Not Present

• Neural Network Monitoring 24x7x365• Neural Network Real-Time Decisioning• CVV/CVC2 Matching• Address Verification Service• Report Monitoring• Expiration Date Match• Daily Parameter Controls (Spend Limit, Velocity Limit)

Characteristics of Lost/Stolen

• Fraud activity predominantly shows as POS 90 but could also include POS 01

• Fraud activity within 50 to 75 miles of customer• Customer is NOT in possession of plastic• Times and geographical locations of transactions are outside of customers

normal spending pattern• Similar merchant patterns are noticeable

V i b f d t– Varies by fraudster• If applicable, Neural Net case created

Best Practices: Lost/Stolen

• Neural Network Monitoring 24x7x365• Neural Network Real-Time Decisioning• Report Monitoring• Daily Parameter Controls (Spend Limits, Velocity Limits)

Characteristics of NRI (Mail Theft)( )

• Fraud activity predominantly shows as POS 90 but could include POS 01• Fraud activity could occur within distance of the mail stream

– Card present fraud

• Customer is NOT in possession of plastic• Customer is NOT in possession of plastic• Times and geographical locations of transactions are outside of customers

normal spending pattern– Only on re-issue plasticsOnly on re issue plastics

• Similar merchant patterns are noticeable– Varies by fraudster

• If applicable, Neural Net case createdpp ,

Best Practices for NRI (Mail Theft)( )

• Card Activation• Neural Network 24x7x365• Neural Network Real-Time Decisioning• Report Monitoring• Daily Parameter Controls (Spend Limits, Velocity Limits)

Characteristics of Account Takeover

• Address is changed from “true cardholder” to the address of the perpetrator– Initially done via phone or mail through customer service

• A new card and/or pin has been requested– Occurs after address change has taken place

• Fraud activity shows as POS 90• Times and geographical locations of transactions are outside of customers

normal spending patternSi il h t tt ti bl• Similar merchant patterns are noticeable

– Varies by fraudster• If applicable, Neural Net case created

Best Practices for Account Takeover

• Address Change confirmation letters to “old” address• Procedures for verification of address changes and plastics and/or PIN

requests• Neural Network monitoring 24x7x365• Neural Network Real-Time Decisioning• Report Monitoring• Daily Parameter Controls (Spend Limits, Velocity Limits)

Characteristics of Fraud Application

• Original plastic in use– Result of Identity theft or identity fraud (Example: family or friendly fraud)– Personal identifiable information was either lost or stolen– Results of a social engineering attack such as phishing, vishing, & smishing

Res lt of data breach either at cardholder or merchant le el– Result of data breach either at cardholder or merchant level• Fraud activity shows as POS 90

– Original plastic in use– Full track data involved as well as PINFull track data involved as well as PIN

• If applicable, Neural Net case created

Countermeasures: Fraud Application

• Quiz! - True or False

• You should cross check all information on new applications with the Issuer’s

Clearinghouse Service (ICS) alerts before making a decisionClearinghouse Service (ICS) alerts before making a decision.

Fraud Application • True!• ICS alerts provides information p

about application activity and fraudulent card use reported by other issuers

• Alerts issuers about potentialAlerts issuers about potential losses by identifying invalid or questionable application information

• Informs issuers of bankruptcy• Informs issuers of bankruptcy filings

• Tracks home addresses, telephone numbers, and SSNs in

dit d t d li dnew credit card accounts, declined applications, and reports of fraudulent activity.

Best Practices for Fraud Application

• Issuer’s Clearing House (ICS) fraud alerts• Report Monitoring• Daily Parameter Controls (Spend Limits, Velocity Limits)• Neural Network 24x7x365• Neural Network Real-Time Decisioning

Plan of ActionSteps to respond to a fraud trend:

• Evaluate the situation:• Evaluate the situation:– Identify the fraud type– Identify the number of accounts involved– Review the fraud pattern

• Review and adjust your current parameters and controls settings– Daily limits – Velocity & Dollar Amount, etc.

• Notification of recent eventsLaw Enforcement– Law Enforcement

– Fraud Management Group– Staff members

• Network within surrounding community

Additional Fraud Prevention Best P tiPractices

• Phishing – Obtain entire email (link included) to help get the site shut down– Web site protectionWeb site protection

• Check your site often• Look for unauthorized links

– Implement good quality anti-virus, content filtering, and anti-spam solutions– Monitoring Services

• Vishing/SMiShing – Obtain the phone number used in attack– Collect all details of the phone conversation or recorded message

N tif b th t ff d t tt k h b id tifi d– Notify both staff and customers as soon as an attack has been identified• Consumer Education

– Newsletters– Warnings on your website– Warnings on your website– Educational material in your lobbies

Additional Fraud Prevention Best Practices

• Report Phishing/Vishing • Contact Law Enforcement in all cases• Internet Crime Complaint Center

– http://www.ic3.gov• Federal Trade Commission

– http://www.ftc.org• Anti-phishing Working Group (Phishing Attacks Only)

– http://www.antiphishing.org

Questions? C t ?Comments?

Thank you!