Have you ever come to work: CAMS Alerts – Visa Alerts MasterCard Alerts Fraud Notices and it’s only 8:10 in the morning
March 2012 – April 2012: There have been some bumps in the road! Major Compromise
Atlanta-based processor Global Payments just confirmed that they discovered a breach. March 23rd: Visa and MasterCard told the banks & credit unions that the cards were exposed between Jan. 21 and Feb. 25. April 4th: new exposure dates of December 12, 2011 through January 15, 2012.
What are you going to do? A Compromise takes on its own Life
Distribute CAMS & MasterCard Alerts March 23rd Known Fraud Unlikely Fraud Possible Fraud Imminent Danger of Fraud Your work began
When a bank is notified of a large compromise, do they look at all cards for the associated risk or is the decision made to reissue all cards? Ultimately you make the decisions
Decisions based on Priorities of risk to your Financial Institution. From: Highest Risk to the Least Risk
The criminal’s goal is to leverage and exploit human and technology weaknesses that exist in everyday life. Social engineering
Social engineering and Fraud Today. Two composite case studies: 1. Team Manipulation (that’s us) 2. Phishing (you and yours)
Case Study: Financial Institution here in the Northwest
The financial institution’s call center gets a call asking to have a card activated. The caller cannot provide the mother’s maiden name or date of birth. ACCESS: Team manipulation: DENIED
A second call is received by the same team member from the “same cardholder” sounding agitated requesting assistance with activating the card. The mother’s maiden name and date of birth are not correct. ACCESS: Team manipulation: DENIED
The “cardholder” calls in again, gets a different team member and aggressively requests assistance in getting their card activated. The first team member had shared their experience with the others. The required information could not be provided. ACCESS: Team manipulation:
The “cardholder” now calls the main number to the institution and presses random numbers. They are connected with the loan department. The “cardholder” nicely explains the system must have his wife’s last name and date of birth instead of his mother’s, and he would like to confirm the information. Team manipulation: This team member provides the information from the system to the caller.
Team manipulation: The “cardholder” activates the card. ACCESS: Approved. Card is used by the crook until it is blocked. The following day the “cardholder” again calls the institution, this time to inquire why the card is no longer working!
Tools of the Criminal: “That which hath made us (financial institutions) strong; can be our greatest weakness.” Our willingness to serve. Customer is #1. Whatever we can do. Aggression from the “cardholder”. Persistence from the “cardholder”. Kindness from the “cardholder”.
Best Practices: Train your entire staff about the social engineering tricks used by crooks. Teach your team to trust their gut, block the card, then ensure “they” speak to the true cardholder or an authorized user to verify the contact. Limit who on your team can provide information to “callers.”
Best Practices: Protect. Share information with co-workers and write relevant notes for others to view. Have a solid list of follow-up questions. Develop and use robust activation criteria.
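An added example, not part of the original presentation: one way to put "share information with co-workers" and "robust activation criteria" into a system control is a single institution-wide ledger of failed verifications per card, replayed here against the five calls of the case study. The two-failure threshold, the department names, the decision labels and the card reference are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Contact:
    card_ref: str     # internal card reference, never the card number
    department: str   # where the call landed
    agent: str
    verified: bool    # caller answered the verification questions correctly
    request: str      # "activate" or "disclose"

class VerificationLedger:
    """One institution-wide record of failed verifications, keyed by card."""

    def __init__(self, max_failed=2, may_disclose=("call_center",)):
        self.max_failed = max_failed           # assumed threshold
        self.may_disclose = set(may_disclose)  # assumed staffing policy
        self.failures = defaultdict(list)
        self.blocked = set()

    def handle(self, c: Contact) -> str:
        if c.card_ref in self.blocked:
            # Correct answers after a block do not reopen the card by phone.
            return "REFER_TO_FRAUD"
        if not c.verified:
            self.failures[c.card_ref].append((c.department, c.agent))
            if len(self.failures[c.card_ref]) >= self.max_failed:
                self.blocked.add(c.card_ref)
                return "DENY_AND_BLOCK"
            return "DENY"
        if c.request == "disclose" and c.department not in self.may_disclose:
            return "DENY"
        return "ALLOW"

# Constructed contacts following the five calls in the case study.
CASE_STUDY = [
    Contact("card-001", "call_center", "agent_a", False, "activate"),
    Contact("card-001", "call_center", "agent_a", False, "activate"),
    Contact("card-001", "call_center", "agent_b", False, "activate"),
    Contact("card-001", "loans", "agent_c", False, "disclose"),
    Contact("card-001", "call_center", "ivr", True, "activate"),
]

def replay(contacts):
    ledger = VerificationLedger()
    return [ledger.handle(c) for c in contacts]

if __name__ == "__main__":
    for contact, decision in zip(CASE_STUDY, replay(CASE_STUDY)):
        print(contact.department, contact.request, "->", decision)
```

Because the ledger is keyed by card rather than by agent or department, the call that reached the loan department sees the earlier failures, and the later activation attempt with correct details is routed to fraud review instead of succeeding.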
Is fraud continuing to grow at a steady rate, or has it plateaued? We continue to see fraud on the rise; however, some of it can be driven by the increase in card use. Look at your card portfolios and card usage. It has probably increased right alongside the fraud. Our new motto but old saying: “It’s not a matter of IF; it’s a matter of WHEN”
Are anti-skimming devices advanced enough to keep up with the current types of fraud occurring at the ATM? Today – Maybe Tomorrow – No Guarantee Day after Tomorrow – No
Does Visa/MC ever hold merchants responsible for compromises and penalize them? Two-part question: 1. Hold Merchants Responsible: 2. Penalize Them: YES NO THEY TRY NOT VERY OFTEN NO YES Focus on Prevention!
How can we make merchants accept liability for their practices to help deter risk? MasterCard and Visa are continually working with merchants to be PCI compliant. They started with the largest merchants and are now working with the smaller merchants.
What the heck is EMV? EMV = Europay, MasterCard & Visa, which is the global standard for inter-operation of integrated circuit cards or chip cards.
EMV history 1. The international payment brands MasterCard, Visa, and Europay agreed in 1993 to work together to develop the specifications for smart cards. 2. The first version of the EMV standard was published in 1995. 3. EMVCo, the company responsible for the long-term maintenance of the system a. Upgrades: 2000 & 2004
What is Liability Shift? With Visa’s liability shift, the party that is the cause of a chip-on-chip transaction not occurring (i.e., either the issuer or the merchant's acquirer) will be financially liable for any resulting card-present counterfeit fraud losses. If the issuer is EMV compliant and the acquirer is non-EMV compliant, the cardholder will not be liable for any chargeback if he claims that he did not participate in the transaction. Visa October 1, 2015 MasterCard October 2015 Liability Hierarchy?
What is Liability Shift? Exception: Fuel-selling merchants will have an additional two years, until October 1, 2017, before a liability shift takes effect for transactions generated from automated fuel dispensers.
EMV - What Now? Don’t panic, it’s time to make a plan