naccu card fraud and identity theft


Upload: mherrriskconsult

Post on 09-May-2015


Page 1: Naccu Card Fraud And Identity Theft

COPYRIGHT Wachovia CONFIDENTIAL

Card Fraud and Identity Theft

Michael D. Herr, VP, Card Fraud Strategy Manager

3/7/2007

Cyber Crime Hits the Big Time in 2006

Experts Say 2007 Will Be Even More Treacherous

Online job scammers steal millions

Elaborate con is 'out of control,' authorities say

Debit card thieves get around PIN obstacle

Wave of ATM fraud indicates criminals have upped the ante

Easy check fraud technique draws scrutiny

Ever written a check? Your account could be targeted, too

Ameritrade warns 200,000 clients of lost data

Account information, including SSNs, on missing tape

ATMs may be an easy target for thieves

Police uncover debit-card skimming at Calgary gas station

Page 2: Naccu Card Fraud And Identity Theft

Table Of Contents

• Introduction
• Historical Fraud Evolution
• Today’s Fraud Paradigm – A Convergence of Threats
  • Sophisticated - Complex – Multiple Focal Points
• Types Of Fraud
  • Today’s Fraud
  • Myths - Classification - Problem Dictates Remedy
• How Can Consumers Be Protected?
  • Financial Institutions
  • Industry Associations
  • Merchants/Schools/Other Data Retention Points
• How Can Consumers Protect Themselves?

Page 3: Naccu Card Fraud And Identity Theft

Introduction

The fraud environment relating to all payment channels has become extremely challenging.

Challenges are multi-faceted, relating to fraud structure, payments landscape, and general environment.

Even though challenging, the “Sky Is Not Falling”. However, the underlying causes of today’s fraud should be understood to better enable financial institutions, educational institutions, businesses, etc. to defend against it.

Fraud Specifics

Rapid evolution in criminal focus
• Shift in targeted segments – PIN Based fraud
• Traditionally, relatively secure points targeted
• “PHISHING” – Customers assisting the criminals

Methodology changes in criminal environment
• Data Acquisition/Aggregation
• Volume of data/Integrity of the data
• Different contributing sources for multiple pieces of consumer data
• Adaptation techniques – Ability to respond to countermeasures deployed
• General sophistication and organization of the fraudulent attacks
• Multi-segment fraud characteristics - Multiple focal points of attack

Page 4: Naccu Card Fraud And Identity Theft

Introduction (Continued)

Payments Landscape

Customer Convenience Environment
• One stop shopping for financial services
• Customer convenience
• Transaction speed
• Electronification by merchants/education/insurance/government etc.
• Effort expended to make convenient, not necessarily to control
• Exploitation by criminals

General Environment

Media Coverage/Consumer Advocacy Groups
• Myths reinforced – Playing on consumer fears
• Industry “Experts” – Erroneous Information, Partial Information
• Potential reputation harm to payment/data touch points

Regulatory Landscape
• Righteous indignation – Leading to hastily prepared regulatory remedies that, despite good intentions, do not fully address the problem and potentially harm consumers.

Page 5: Naccu Card Fraud And Identity Theft

Historical Fraud Evolution

It is important to understand the past fraud environment to understand how the recent fraud evolution is significantly altering the risk dynamic associated with consumer accounts.

Historically, most fraud scenarios impacted single consumers and typically only had a single type of fraud.

CHECK
• Physical removal of checks. Purse stolen, vehicle stolen, house burglarized.
• Occasional forgeries, alterations or counterfeits
• Occasional mail theft
• Single consumer impact

CREDIT CARD
• Physical removal of card. Purse/Wallet stolen, vehicle stolen, card physically left somewhere.
• “Card Not Present” (Phone/Internet)
• Occasional mail theft
• Occasional counterfeit cards
• Single or limited cardholder impact

CREDIT APP
• Utilizing stolen information or invalid information to apply for credit with another person's credentials
• Partial information
• Single consumer impact

CURRENCY
• Physical removal of cash from consumer. Purse/Wallet, desk, auto or home are common sources
• Single consumer impact

Most fraud scenarios were preceded by the physical removal of the financial instrument.

Quality of counterfeit devices or information was average at best. Each scenario had a different, relatively reliable control mechanism that could be applied to control the fraud events and limit impact.

Page 6: Naccu Card Fraud And Identity Theft

Today’s Fraud – A Convergence of Threats

In today’s financial environment, consumers have been given a myriad of choices in products and services. More importantly, additional access conduits have added speed and convenience. However, the additional access conduits have created challenges in securing the environment.

Diagram: Financial Products (Loans, Checking, Savings, Investments, LOC’s); Access Points (Branch, Phone, ATM, Website, Mail, Store, Kiosk); Transaction Conduits (ATM, ACH, Checks, Debit Card, Wire, Credit Card); Consumer Relationships (Merchants, Insurance, Education, Medical, Government); Merchant Relationships (Security, Software Vendors, Temp Employees, Record Storage, Processors). The diagram places CUSTOMER and CRIMINAL against these access points and conduits, with the criminal's methods labelled: Skimming, Web Spoofing, Key Logging, Mail Theft, Phishing, Hacking, Data Theft, Burglary.

Page 7: Naccu Card Fraud And Identity Theft

Today’s Fraud – Data Acquisition/Aggregation

Arguably, the most troubling aspect of today's fraud is organized data acquisition and aggregation by criminal entities. Analysis of fraud and law enforcement intelligence indicates that sophisticated criminal syndicates are operating almost as a corporate structure:

• Multiple operating units
• Acquiring consumer data
• Aggregating data – Bringing different components together
• Marketing the data to other criminal entities
• Utilizing it themselves

The three largest points of concern are:

Quantity – There is an unprecedented amount of information in criminal hands.
• Traditional – Skimming – A few hundred cards
• Today – Large scale merchant/processor breach – Hundreds of thousands of cards

Quality – The data is accurate.
• Traditional – Creditmaster – inaccurate expiration dates, invalid account numbers
• Today – Expiration Date, CVV2, Customer Billing Address and VbV/Secure Code User Id’s/Passwords correct

Data Type – New types of data, rarely compromised before, now routinely seen.
• PIN Data

Page 8: Naccu Card Fraud And Identity Theft

Today’s Fraud – Data Acquisition/Aggregation

Credit/Debit Card Non-Magnetic Stripe Information (diagram examples: Nikon World Magazine, Moneygram International)

Criminals utilize hacking techniques to identify merchants or other entities inappropriately storing card non-magnetic stripe data.

Card non-track data (CVV2, EXP Date, E-Mail Address, Name, Phone #, Address) obtained by criminals.

Credit/Debit Card Magnetic Stripe Information (diagram examples: TJX Enterprises, Card Systems Solutions)

Criminals utilize hacking techniques to identify merchants or other entities inappropriately storing card magnetic stripe data.

Card track data (CVV, Name, EXP Date, Service Code, PIN Block & Card Number) obtained by criminals.

PHISHING/Key Loggers; PROBING - .COM/VRU

Criminals employ various techniques, such as PHISHING e-mails designed to look like financial institution correspondence or Key Loggers, to covertly acquire data.

Also brute force attacks that employ repetitive attempts at non-traditional points that utilize the PIN # as authentication (VRU/.COM).

Data captured is not limited to the PIN; CVV2, e-mail address, address, card number and VbV sign-on password are also at risk.

Personal Information (diagram examples: Credit Monitoring Services, DMV/Universities)

Criminals employ various hacking techniques to gain access to non-financial institution databases that contain personal information. Examples include: Credit Monitoring Agencies, Universities, DMV’s etc.

Alternatively, criminals infiltrate the above institutions with employees.

Additional non-card related data captured such as: Maiden Name, DOB, PH #’s, Place of Birth, Residence Info, Vehicle Info, Driver Info and Credit Info.

Debit Card PIN #

Diagram: each of the sources above feeds a single Aggregated Data Warehouse.

Page 9: Naccu Card Fraud And Identity Theft

Today’s Fraud – Data Acquisition/Aggregation

Card Track Data

4060000000001234|0809|TESTSUBJECT|001|09|1|A

Other Card Data

487|TESTSUBJECT|6141231234|111MAINST|COLUMBUS|OH|12345|[email protected]

PIN # + Additional

1234|765|[email protected]|111MAINST|COLUMBUS|OH|VBVPURCH|9999

Personal Information

TESTSUBJECT|BROWN|06041969|6141231234|123121234|WASHINGTONDC|GMCENVOY05

NET RESULT - CONSUMER DATA COMPILED FROM MULTIPLE SOURCES IS AGGREGATED AT SINGLE SITE!

DATA COMPILED CAN BE UTILIZED FOR:

• Counterfeit Cards (Signature/PIN Trans Capable), E-Commerce Transactions

• Existing Account Takeover (Non-Card Transactions), Fraudulent Account Opening

• Effectively undermines most existing financial institution authentication techniques for on-line access, VRU access, Wire transfers, ACH initiation, HELOC access etc. - “Keys to the Kingdom”


Page 10: Naccu Card Fraud And Identity Theft

Today’s Fraud – Educational Facilities - Data Breaches

Institution | Date | # Of Individuals | Information

Institution # 1 | Feb 2007 | 65,000 | Exposed on university website. Names, Addresses, SSN#, Some Credit Card #’s

Institution # 2 | Feb 2007 | 750 | Envelopes not folded properly on IRS 1098T Form; SS#’s exposed.

Institution # 3 | Jan 2007 | 5,015 | Financial Aid Applications From 2 Stolen Computers. Data Included Names, SS#’s, DOB, PN#’s, DL #’s And Asset Lists

Institution # 4 | Dec 2006 | 15,000 | Document Containing SS#’s of 15,000 Students Transmitted Over Non-Secure Connection

Institution # 5 | Dec 2006 | 35,000 | Records Including SS#’s, Home Address, PN#’s, Email Address May Have Been Exposed Via Network Intrusion

Institution # 6 | Dec 2006 | 800,000 | Hackers Gained Access To Database Containing Names, Addresses, SS#’s, DOB

Institution # 7 | Nov 2006 | 22,500 | Laptop Stolen; SS#’s And Other Student Data

Institution # 8 | Sept 2006 | 13,084 | Various Combinations of SS#’s, DOB’s, Addresses, PN#’s, Grades. Information Contained Within Stolen Computers

Institution # 9 | June 2006 | 180,000 | Hacker Compromised University Server Containing Names, Addresses, Credit Card #’s, SS#’s

Educational institutions have become extremely attractive targets for data thieves. Numerous institutions of higher learning have fallen victim to various forms of data compromise.

• Education experts – Not security experts
• Nature of information can be utilized in defeating security routines at higher value targets such as financial institutions.

Source: www.privacyrights.org – A Chronology Of Data Breaches


Page 11: Naccu Card Fraud And Identity Theft

Today’s Fraud – Criminal Focus – PIN Based Focus

PIN Based fraud losses, both PIN POS and ATM, have seen significant growth during 2005 & 2006.

This has occurred in spite of significant industry progress with the deployment of neural network fraud detection platforms monitoring PIN Based transactions.

• Not a failure – Projections indicated that, had many industry players not aggressively implemented PIN Based monitoring, the increase could have been dramatically higher.

This is an industry problem

WHY???

The primary goal for criminals has always been CASH. Segments of various PIN Based transactions give criminals the opportunity to get CASH either:

• In an unsupervised manner at an ATM machine; or
• At merchant locations that are not financial institutions
  • Casinos
  • PIN POS Cash-Back Merchants
  • Quasi Cash Merchants

Subtle environmental changes, combined with criminal refinement, have made acquiring the PIN # much easier than in the past. This problem is exacerbated by the traditional financial institution thinking that the PIN itself secures the transaction.

Page 12: Naccu Card Fraud And Identity Theft

Today’s Fraud – Criminal Focus – PIN Based Focus – Contributing Factors

BANKS
• Over reliance on PIN as sole mitigant
• PIN Based fraud monitoring – non-existent or immature
• Other controls overlooked – CVV/PIN Edits
• Fragmented data inhibits analysis
• Absence, in most cases, of granular fraud transaction data

CONSUMERS
• Consumer Behavior – Proliferation of PIN Based POS terminals/ATM’s – “Enter PIN into anything” mentality
• Responding to PHISHING with sensitive information
• Readily Guessable PIN #’s

MERCH/ACQUIRERS/PROCESSORS
• Data Security – Storing Track Information
• In some contexts storing PIN Values or PIN Blocks and/or encryption keys to decode PIN
• POS Cash Back – Increasing $ available to consumers at POS

CRIMINAL
• CASH Preferred
• PHISHING – Other Remote Techniques
• Self preservation
• Path of least resistance
• Skimming devices multiply

Page 13: Naccu Card Fraud And Identity Theft

Today’s Fraud – Criminal Focus – Magnetic Stripe “Skimming”

What is Magnetic Stripe “Skimming”?

“Skimming” is the capture/retention of magnetic stripe information originating from a valid customer transaction.

• The captured stripe information is then re-encoded onto a different magnetic stripe, in effect creating a fictitious access device that is capable of completing transactions.

4060111111111111341212320974JOHNQDOE0905*121240601111111111110905*1

Where does “Skimming” occur?

Just about anywhere that physical card transactions are present! It can also occur at telecommunication points and processing sites that handle card transactions!

Page 14: Naccu Card Fraud And Identity Theft

Today’s Fraud - “Skimming” Variants - Device Examples

Pass Through Reader – ATM “Skimming”

PIN-Hole camera placed in close proximity to machine, captures PIN

Fictitious card reader with exceptionally good craftsmanship

Imposed over existing card reader of machine


Page 15: Naccu Card Fraud And Identity Theft

Today’s Fraud - “Skimming” Variants - Device Examples

Transaction Inhibiting Device – ATM “Skimming”

Screen of false front actually is a Pocket PC.

Partial front constructed with separate card reader (white). Imposed over existing ATM screen.

Helpful sign to “assist” cardholder. It advises the cardholder that “ATM operations have changed” and directs the cardholder to swipe the card and enter the PIN # on the touch screen or follow on-screen instructions.

Page 16: Naccu Card Fraud And Identity Theft

Today’s Fraud - “Skimming” Variants - Device Examples

Internal Re-Wiring or Completely Fictitious Machine

Completely fictitious machine or existing machine (requires vendor/employee collusion).

Inner workings completely re-wired to capture stripe and PIN in the clear before encryption occurs.

Page 17: Naccu Card Fraud And Identity Theft

Today’s Fraud - “Skimming” Variants - Device Examples

Traditional POS – “Skimming” Devices

Traditional splice: Computer + POS Terminal

OR

Traditional Wedge + POS Terminal

Page 18: Naccu Card Fraud And Identity Theft

Today’s Fraud - “Skimming” Variants - Device Examples

Emerging POS – Potential “Skimming” Devices

Pocket PC attachment magnetic stripe readers – $229.99 – Next Day Shipping

Not to exclude PALM OS fans, yours cost $199.99

Significant improvement in technology and availability. More storage, no specific format limitations (any magnetic stripe), wireless transmission capability. Imagine the potential implications – Card Data + Drivers License Magnetic Stripe Data = Skimming + ID Theft – 1 Stop Shopping, instant retention + transmission

Page 19: Naccu Card Fraud And Identity Theft

Today’s Fraud - PHISHING

Although technically a subset of the data acquisition/aggregation component that was discussed earlier, PHISHING, because of its prominence in today’s fraud environment, deserves separate mention.

What is PHISHING?

PHISHING attacks utilize both social engineering and technical subterfuge to fraudulently acquire sensitive data such as on-line passwords, personal or financial information.

• PHISHING, at least the social engineering component, is unique in that the consumer is an active participant and actually gives the criminals what they need.

What is the difference between Social Engineering and Technical Subterfuge?

• Social engineering variants of PHISHING “trick” a consumer into divulging sensitive information. This is done by sending the consumer fictitious emails that ultimately lead the consumer to fraudulent websites where they subsequently release sensitive information.

• Technical subterfuge schemes are more aggressive, in that criminals plant malicious software onto PC’s to steal credentials directly. Trojan horse key logging software is a very common example of this type of PHISHING.

PHISHING can also be completed via more traditional communication channels such as the telephone.

Page 20: Naccu Card Fraud And Identity Theft

Today’s Fraud - PHISHING

PHISHING in all of its forms continues to experience robust growth.

• As mentioned previously, criminal enterprises are utilizing the various forms of PHISHING as a central component in their data acquisition/aggregation activities.

Financial Services is the most targeted industry sector.

• During December 2006 – 89.7% of PHISHING attacks targeted this segment

• ISP’s are the next most common PHISHING target, with 4.1% of PHISHING attacks targeting them

Chart: Unique PHISHING Sites, 12/2005 - 12/2006 (monthly, Dec-05 through Dec-06; y-axis 5,000 to 40,000)

Chart: PHISHING Reports, 12/2005 - 12/2006 (monthly, Dec-05 through Dec-06; y-axis 10,000 to 35,000)

Source: www.antiphishing.org

Page 21: Naccu Card Fraud And Identity Theft

Today’s Fraud – PHISHING - Examples

Typical PHISHING example targeting a financial institution.

•Plays on consumer worries “Account may have been accessed”.

•Encourages customer to go to on-line banking session to review account history and tells the customer that they will need to fill in required information.

•Provides the customer a “convenient link”


Page 22: Naccu Card Fraud And Identity Theft

Today’s Fraud – PHISHING - Examples

Initial screen after login appears to be an on-line banking entrance screen

•Key Differences

• The User ID/Password section does nothing. It will continue to the next screen regardless of what is entered.

• If the consumer enters valid credentials, the criminal now has the on-line sign-on and password.

• Potentially more – many consumers utilize the same or similar sign-on’s for other relationships when possible.

• ADDRESS, ADDRESS, ADDRESS – Key item: the address does not begin with https, a clear indicator that the site is fictitious.

• The site even keeps the security messaging of the original site, which warns customers not to do what they are actually in the process of doing.

Page 23: Naccu Card Fraud And Identity Theft

Today’s Fraud – PHISHING - Examples

Final screen…. “Keys To The Kingdom”

•Quantity and Quality

•A vast amount of data requested

• 10 separate items – 12 if you count the on-line ID and password from previous screen

•Extremely sensitive data requested

• PIN Number

• No reputable financial institution would EVER request your PIN # to authenticate you in response to contact via an unsolicited e-mail.

• If they do, close your accounts and bank elsewhere.

• Information requested will not only jeopardize this account, but potentially other accounts with other institutions, as primary authentication tokens and secrets are given away by the consumer.

•Data acquisition/aggregation

•Variants to this scam include authentication screens that have partial correct information already completed

•Data acquisition/aggregation

•Lulls consumer into false sense of security


Page 24: Naccu Card Fraud And Identity Theft

Fraud Myths – Classification – Problem Dictates Remedy

A significant problem in effectively combating fraud is the myths and misperceptions that exist today. Arguably, one of the biggest misperceptions is the definition of ID theft itself and the general disagreement that exists relating to it.

• FTC revised its definition of identity theft several years ago to include card and other payment channel transaction fraud as an identity theft sub-type

• In effect the definition change/inclusion has brought about media attention with the perspective that the “sky is falling”, which is a myth.

• The media involvement has now fostered a fear environment among consumers. Now everything is Identity Theft.

Chart: FTC Reported ID Theft Complaints, 2000 through 2005 (y-axis 0 to 300,000)

Source: www.ftc.gov

Page 25: Naccu Card Fraud And Identity Theft

Fraud Myths – Classification – Problem Dictates Remedy

Not to downplay the problem, because Identity Theft is a significant daily issue, but it is absolutely critical that distinctions are made between “True” Identity Theft and payment channel transactional fraud.

Most industry fraud practitioners consider Identity Theft and Card Transaction fraud to be mutually exclusive.

• Problem Should Dictate Remedy – A simple concept

• Problem – True Identity Fraud - Customer information utilized to take over existing accounts, open new accounts, apply for employment, or acquire a driver's license without customer knowledge
• Remedy – More effective authentication protocols that establish not only that the information being utilized to open the account is valid, but also that it is being presented by the appropriate “carbon based entity”.
• Fraud Resolution – Credit Bureau notifications to control inquiries, removal of tainted records, deletion of financial obligations.

• Problem – Access Channel Fraud – Existing transaction channels utilized to perform fraudulent transactions (Check, Card, ACH, etc.)
• Remedy – Transactional monitoring tools that continuously monitor transactional patterns in an effort to proactively detect unusual transaction characteristics
• Fraud Resolution – Make the customer financially whole, reissue account to customer

Two clearly distinct problems are being lumped together in a universal definition. This does not drive proper remedy and masks where breakdowns occur.

Well known fact within the card industry - Card transaction fraud is at historical lows from a rate perspective.

Page 26: Naccu Card Fraud And Identity Theft

How Can Consumers Be Protected – Financial Institutions

Financial institutions are aggressively attacking the fraud problem with a layered approach in an effort to protect consumers.

This multi-layer approach consists of the following primary components:
• Transactional Monitoring
• Education
• Data Security

Transactional Monitoring

Financial institutions in general have deployed or are deploying a variety of systems with varying degrees of sophistication that are designed to review transactions and detect abnormalities.

Wachovia is among industry leaders in this space, deploying state of the art neural scoring engines that:

• Monitor card transactions in real-time
• Provide 24X7, 365 days a year coverage
• Can intercede in real-time with suspicious activity and limit the fraud exposure
• Learn customer spending patterns, to continuously get better
• Generate immediate customer contact after suspicious transactions occur

Page 27: Naccu Card Fraud And Identity Theft

How Can Consumers Be Protected – Financial Institutions

Education

Many financial institutions are expending large resources to educate both the public and their employees about fraud.

Wachovia again is at the forefront of the industry, educating its employees at all levels via internal communications about the characteristics of emerging fraud events and, more importantly, how to spot them to protect our valued customers.

Additionally, Wachovia provides very good resources to consumers at its website www.wachovia.com. Consumers can get a variety of materials relating to fraud to educate them and ultimately better protect themselves, including:

• Tips to secure your PC
• Tips on protecting your passwords and access codes
• Links to additional security site resources
• E-Mail alerts on how to detect PHISHING e-mail attempts
• Tips to minimize risk of fraud in general
• Resources on ID theft – how to prevent
• How to resolve if you do become a victim of fraud
• Links to acquire your credit report

Page 28: Naccu Card Fraud And Identity Theft

How Can Consumers Be Protected – Financial Institutions

Data Security

Financial institutions generally are setting the example on how to safeguard information.

Wachovia takes data security very seriously and has robust policies in place that govern all aspects of data security, both electronic and physical, including:

• Robust password/authentication guidelines for its employees and for consumers
• PC data security including the encryption of laptop computers
• Guidelines on laptop issuance and data that can be stored on laptops
  • Sensitive data should be stored on internal network drives
• Lock cables for laptop computers are purchased to minimize theft
• Standards that define who can access information
• Require any vendors to protect information in a robust manner
• Rules requiring sensitive information to be secured in locked areas to prevent theft

Page 29: Naccu Card Fraud And Identity Theft

How Can Consumers Be Protected – Industry Associations

Industry associations are a good method to champion improvements in security and process that benefits consumers.

Wachovia actively participates in numerous industry associations to encourage development of industry uniform standards, processes and best practices that enhance security.

Associations are, and should continue to be, focused on collaborative industry efforts that:

• Set data security requirements that
  • Mandate strong encryption of data
  • Prohibit storage of sensitive data
• Develop best practices/minimum standards for securing payment networks and databases
• Develop best practices/minimum standards for payment software platforms
• Develop best practices/minimum standards for third party processors
• Develop standards relating to fraud reporting and communication protocols for fraud events to ensure rapid notification
• Develop standards relating to customer liability that exceed government standards
  • Visa/Wachovia Zero Liability Program
• Generally foster a robust security environment.
  • PCI Security Standards Council – www.pcisecuritystandards.org
  • Visa CISP – Cardholder Information Security Program – www.visa.usa.com

Page 30: Naccu Card Fraud And Identity Theft

How Can Consumers Be Protected – Merchants/Schools/Other Data Points

Data exists everywhere. It needs to be protected better. Electronification has sped delivery of goods and services but has also exposed weaknesses that are being exploited.

The electronification of data has forced entities that are not experts in either fraud or systems to become experts or put vast quantities of data at risk.

• Many entities have not implemented robust security
• Many entities have not even reviewed their systems effectively at the most elementary level.

When data is not protected and subsequently is exposed through malicious deeds, it is not good for anyone.

• The breached entity sustains reputational risk and has potentially significant financial and legal implications.
• The consumer potentially sustains fraud on their account

Many publicized data compromises were not acts of genius. They were the exploitation of very basic systems weaknesses.

• Most breaches would have been eliminated had fundamental security precautions been in place

The following will outline prudent security measures that should be considered to enhance controls that will ultimately reduce risk.

Page 31: Naccu Card Fraud And Identity Theft

How Can Consumers Be Protected – Merchants/Schools/Other Data Points

Transaction Data

DO NOT RETAIN & STORE Card Transactional Data
• Especially Track Data – Never
• No business purpose for track storage
• If storage of a portion of the data is necessary for legitimate business purposes, truncate the data so it is not in its full form.
• Utilize strong encryption software to protect it.
• Do not allow generic access to it.
• Specialized access rights based on business need
• Do not allow it to be stored in any form on laptop PC’s - Software Filters
• If storage is a must, network storage is preferable
• Set up a defined retention schedule if data storage is required
• Though not mentioned above, the same safeguards should be deployed for other payment conduits such as DDA account payments.

Transaction Processing

Utilize all security features available for transaction processing

Page 32: Naccu Card Fraud And Identity Theft

How Can Consumers Be Protected – Merchants/Schools/Other Data Points

• Card Not Present – Card Transactions
  • CVV2/CVC2 security values
  • AVS (Address Verification Service) – Proper response
  • Verified By Visa/Secure Code – Participate
• Card Present – Card Transactions
  • Utilize Track # 1 – Contains Name

Ensure transaction processors have been certified as CISP/PCI compliant

Ensure POS terminals/PIN Pads have been certified as CISP/PCI compliant

Ensure POS software has been certified as CISP/PCI compliant
• Ensure from the software manufacturer that the software has been configured properly so that transaction storage does not occur
• After testing routines or maintenance are completed, ensure that logging components of the software have been turned off

If wireless protocols are established, ensure they are very secure
• Many industry breaches are the result of compromised wireless networks

Protect your merchant ID’s, dial-in authorization #’s and merchant account passwords
• Many thieves acquire these items and utilize your terminal to test the validity of counterfeit cards

Page 33: Naccu Card Fraud And Identity Theft

How Can Consumers Be Protected – Merchants/Schools/Other Data Points

Internal Systems

Limit universal access to network drives.
• Access should always be on a business need only.

Ensure robust firewalls are deployed across the network and on individual PC’s to minimize outside intrusions
• Limit ability to change configuration of firewall settings on individual machines

Install and vigorously update Anti-Virus/Spyware detection software
• Ensure that automated updates are continuously completed
• Ensure sweeps of incoming e-mails automatically occur

Utilize strong encryption software to encrypt all hard drives on PC’s
• Absolutely essential for laptops
• Data thresholds to dump data after XXX # of invalid logon attempts

Install locks at workstations
• Simple common sense – approximately 30% - 40% of data compromise incidents relate to stolen equipment

Only issue laptops to those that need them
• Another simple security protocol that actually saves your company/business money

Page 34: Naccu Card Fraud And Identity Theft

How Can Consumers Be Protected – Merchants/Schools/Other Data Points

Internal Systems

Implement data security standards – Limit data kept on internal machine drives•Network only storage of sensitive data

Purchase software that scans drives for sensitive data by format•SS#•Credit/Debit Card #•Utilize email filter software that prohibits outbound transmission of sensitive data

Purchase email encryption software
•Mandate its utilization

Deploy robust network monitoring software that is designed to detect abnormalities that may be linked to malicious attempts to access internal networks

Develop robust password protocols
•Robust passwords – Letter, symbol, number combinations
•Case sensitive
•Force certain formats that limit readily guessable passwords
•Periodic changes

Perform periodic audits to ensure systems are performing as they are designed

34

Page 35: Naccu Card Fraud And Identity Theft

How Can Consumers Protect Themselves

Consumers are able to significantly reduce the threat of various fraud schemes by changing their behaviors and performing relatively simple tasks.

This is a key component to securing information. Even if every financial institution, college, government entity, merchant, etc. had incredibly robust systems and practices in place, if consumers practice bad habits then data security is still potentially compromised.

System Security

Basic practices that are often ignored.

Protect your PC – Deploy up-to-date anti-virus, anti-spyware software, etc.
•Update regularly

Encrypt your home PC
•Protected encrypted files are a very good defense against data thieves

Utilize caution when storing personal data, period
•Do you really need it?
•Understand what data programs store (Turbo Tax)

35

Page 36: Naccu Card Fraud And Identity Theft

How Can Consumers Protect Themselves

Practice good password habits
•Don’t use the same passwords
•Robust formats – No sequential ascending/descending, no same 4 characters
•Do not link to personal information that may have been obtained from other entities – DOB, YOB, and SS# are good examples of this

•Same logic should be utilized for card based PIN #’s

Utilize administrator settings on your PC that require passwords to change system settings.

•Access as user if not changing anything at that moment

•Practice good browsing security

•Do not click on unsolicited links contained within emails that take you to sites that request personal information!
•You are not on a secure site if it does not begin with https:!
•Financial institutions (reputable) would NEVER ask you for your PIN # for authentication via an unsolicited email with a link!

•If asked for this information via email do not click the link – Open a new browser window and type the familiar website your institution utilizes

•Utilize .com banking sites, most have secure email built into the sites for secure communication between the consumer and the financial institution

36

Page 37: Naccu Card Fraud And Identity Theft

How Can Consumers Protect Themselves

Transaction Security

Be mindful of where you’re putting your card and where you’re entering your PIN #
•When possible utilize bank-owned ATM machines
•If an ATM machine looks suspicious or if pieces of it look out of place – DON’T USE IT

•Report it to the financial institution

Choose PIN #’s that provide some challenge for the criminals to guess
•Stay away from sequential numbers either ascending or descending, same 4 character numbers and PIN #’s with personal significance – DOB, YOB, Last 4 SS#, etc.
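An added example, not from the presentation, that checks a PIN or password against the rules on this slide and on the password-habits slide above: no ascending/descending run, no four identical characters, nothing derived from DOB, YOB or last-4 SS#, and for passwords a letter/number/symbol mix. The date layouts tried and the sample profile are assumptions.

```python
from datetime import date

# Constructed sample profile, not a real person.
SAMPLE_DOB = date(1985, 3, 7)
SAMPLE_SSN_LAST4 = "6789"

def has_run(secret: str, length: int = 4) -> bool:
    """True if any `length` consecutive characters are identical or step by exactly +1/-1
    (catches 1234, 4321, 7777 and also abcd in passwords)."""
    for i in range(len(secret) - length + 1):
        codes = [ord(c) for c in secret[i:i + length]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False

def personal_tokens(dob: date, ssn_last4: str) -> set[str]:
    """Strings a thief could derive from data leaked by another entity:
    DOB in several layouts, year of birth, last-4 SSN (layouts are an assumption)."""
    layouts = ("%m%d%Y", "%d%m%Y", "%Y%m%d", "%m%d%y", "%d%m%y", "%m%d", "%d%m", "%Y")
    return {dob.strftime(layout) for layout in layouts} | {ssn_last4}

def weaknesses(secret: str, dob: date, ssn_last4: str) -> list[str]:
    """Apply the slide's rules; an empty list means the secret passed these checks,
    not that it is strong."""
    problems = []
    if has_run(secret):
        problems.append("sequential or repeated run of 4 characters")
    if any(token in secret for token in personal_tokens(dob, ssn_last4)):
        problems.append("linked to personal data (DOB, YOB or last-4 SSN)")
    if not secret.isdigit():  # a password rather than a numeric PIN: need letter + number + symbol
        has_alpha = any(c.isalpha() for c in secret)
        has_digit = any(c.isdigit() for c in secret)
        has_symbol = any(not c.isalnum() for c in secret)
        if not (has_alpha and has_digit and has_symbol):
            problems.append("missing a letter, number or symbol")
    return problems

if __name__ == "__main__":
    for candidate in ("1234", "0307", "6789", "2580", "Summer1985!", "Tr0ub4dor&3"):
        print(candidate, weaknesses(candidate, SAMPLE_DOB, SAMPLE_SSN_LAST4) or "ok")
```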

Be aware of what could and does happen when your card leaves your hand
•Possibly reconsider letting a waiter or waitress take the card from you, insist on paying at the register yourself.

Limit the information printed on your checks to only the essentials
•Name and address only
•Refrain from SS#, Phone Number, E-Mail, etc.

Consider card transactions as opposed to check or ACH transactions
•Checks have far more information than a card transaction – name, address, phone #, routing #, account #

•Nothing encrypted
•Ultimately, check transaction monitoring systems are much less mature and not as effective as card transaction monitoring systems.

37

Page 38: Naccu Card Fraud And Identity Theft

How Can Consumers Protect Themselves

Transaction Security

Consider separate account for internet spending purchases
•Can limit potential damage by physically limiting funds available to thief if compromise scenario occurs

Consider automatic payment structures on recurring payments
•Less manual entry, less susceptible to key loggers that could have been maliciously placed unknowingly on your PC.

Conceal PIN # entry when you complete purchases or make ATM withdrawals
•Shielding entry with your hand can defeat many (not all) of the methods utilized by criminals to obtain your PIN #

Shop at merchants who utilize robust security in their websites
•VBV/Secure Code, CVV/CVV2, Billing Address on Card
•If they are not secure protecting themselves – why would you have faith that they protect your data?

Be observant even when sales clerk is in front of you
•Look for secondary swipes on your card at non-POS terminal devices

Practice prudent bookkeeping
•Shred your receipts
•If you use duplicate check registers insist that the company does not include your routing and account numbers on the duplicate item

Utilize check stock with anti-counterfeiting and anti-tampering security features on them

38

Page 39: Naccu Card Fraud And Identity Theft

How Can Consumers Protect Themselves

General Education/Awareness

Access your accounts frequently/daily
•Immediately question any unusual transactions with the financial institution

Report unsolicited e-mails that seek to verify personal information to the entity that the email is allegedly from

•Not only helping yourself, but also helping other consumers who are not as educated as you

Obtain at minimum annual copies of your credit bureau report.
•www.annualcreditreport.com - Legal entitlement/Free

•Consider signing up for credit monitoring services. These services will contact you anytime credit is applied for in your name.

•Great way to stop criminals from applying for accounts in your name.
•Wachovia offers an exceptional product that combines traditional credit monitoring service with identity theft fraud insurance
•IDENTITY GUARD® CREDITPROTECTX3SM

Ensure your financial institution offers comprehensive protection against fraud, not only from a monitoring standpoint but also from a resolution standpoint. Wachovia utilizes a holistic approach to customer protection in the form of:

•Transaction Monitoring
•Check/Debit Card – Zero Liability Policy and On-Line – Online Services Guarantee
•Complete recovery toolkit if impacted by identity theft

39

Page 40: Naccu Card Fraud And Identity Theft

COPYRIGHT Wachovia CONFIDENTIAL 40