TRANSCRIPT
Payment Trends: Fraud, Risk Management, & EMV
Utility Payment Conference, October 21, 2014
Matt Davies, AAP, CTP, CPP, Federal Reserve Bank of Dallas
Payments Fraud & Controls (AFP)
2014 AFP Payments Fraud & Control Survey (tenth annual)
Overall, slight decrease in corporate payments fraud and heightened interest in security risks
However, 2013 still saw an increase in credit and debit card fraud
Criminals/schemes becoming increasingly sophisticated
Payments Fraud & Controls (AFP)
Changes in payments fraud experienced in 2013 compared to 2012:
– 27% - increase;
– 16% - decrease;
– 57% - no change
Payment types targeted by fraudsters:
– 82% - Checks
– 43% - Credit/debit cards (corp. & consumer), up from 29% in 2012;
– 22% - ACH debits, down from 27% in 2012;
– 14% - Wires, up from 11% in 2012;
– 9% - ACH credits, up from 8% in 2012
Payments Fraud & Controls (AFP)
70% of companies exposed to actual or attempted fraud in 2013 experienced no financial loss as a result.
For those companies that did incur financial loss, the typical loss incurred was $23,100.
80% of companies that experienced actual or attempted payments fraud found it originated outside the organization.
Check Fraud
Number of incidents of check fraud experienced by organizations in 2013:
– 1-5 – 42%
– 6-10 – 15%
– 20+ – 27%
Check Fraud
Check fraud methods:
– counterfeiting by altering the MICR line on a check (62%)
– alteration of the payee name on issued checks (52%)
– alteration of the dollar amount on issued checks (37%)
– counterfeited check with a name drawn on a fake or another organization’s account information (31%)
Check Fraud Prevention
Positive Pay/Reverse Positive Pay/Positive Pay with Payee Verification
– 2010 check fraud case: Cincinnati Insurance Co. v. Wachovia Bank
Daily reconciliation
Segregation of accounts
“Post no checks” restriction
Check Fraud Prevention
Internal controls/separation of duties, e.g.:
– purchase order;
– establishment of vendor;
– A/P authorizes Cash Mgmt area to print checks;
– Accounting does bank recon
– Financial authorizations policy (e.g., approval/signature thresholds for manager, director, SVP)
– Internal audit/Risk Management
Checks received at “tellers”: If converting to ACH or to images, what is your policy for destruction of physical items? (e.g. 14 days)
Check Fraud Prevention
Make large dollar payments electronically.
Avoid using laser checks.
Use a controlled stock of high security checks, with safety features such as a true watermark, thermochromatic (heat sensitive) ink and reactivity to various chemicals.
Check Fraud
Organizations incurred financial loss from check fraud because:
– Check was cashed by check-cashing service (cited by 38% of AFP survey respondents)
– Account reconciliation or positive pay view was not timely (28%)
– Internal fraud (21%)
– Did not use positive pay, reverse positive pay or payee positive pay (17%)
– Client-initiated check return was untimely (10%)
– Did not use “post no checks” services on electronic payment account (10%)
Mobile RDC
Some FIs—particularly larger ones—are rolling out mobile remote deposit capture (mRDC) to corporate customers.
For risk mitigation, FIs:
– Usually have protections in place to block duplicate deposits
– Might not offer mobile RDC to all customers; “qualify”
– Place limits on dollar amount that can be deposited/frequency of deposits
– Use restrictive endorsements
Customer Refund Check Fraud
Issued from separate account? Different check stock?
Customer calls to say check was lost; check is voided and customer instructed not to deposit if found; customer “finds” first check and deposits both; OR
Customer deposits refund check through mobile RDC; cashes paper check at check casher
Positive pay will catch the duplicate, but…
Holder in Due Course
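The positive pay control listed above and the refund-check scenario just described (same check deposited once by mobile RDC and once on paper) can be put into a single bank-side decision routine. This is an added illustration, not code from the presentation or from any bank; the issued-check register, presented items and field names (check_no, amount_cents, payee) are constructed assumptions rather than a real positive pay file layout.

```python
"""Positive pay with payee verification and duplicate-presentment detection.

Added illustration, not from the original presentation. The issued-check
register and the presented items are constructed sample data, and the field
names (check_no, amount_cents, payee) are assumptions rather than any bank's
positive pay file layout.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Check:
    check_no: int
    amount_cents: int
    payee: str


@dataclass
class PositivePay:
    """Issued-check register plus the items the bank has already paid."""
    issued: dict = field(default_factory=dict)   # check_no -> Check as issued
    paid: set = field(default_factory=set)       # check numbers already presented and paid
    stopped: set = field(default_factory=set)    # stop-payment orders on file

    def issue(self, check: Check) -> None:
        """Company sends the bank the details of every check it issues."""
        self.issued[check.check_no] = check

    def stop_payment(self, check_no: int) -> None:
        """Customer reports a refund check lost: stop it rather than only voiding it."""
        self.stopped.add(check_no)

    def decide(self, presented: Check) -> str:
        """Bank-side decision for one presented item: 'PAY' or an exception reason."""
        if presented.check_no in self.stopped:
            return "EXCEPTION: stop payment on file"
        if presented.check_no in self.paid:
            # Same item deposited twice, e.g. once by mobile RDC and once on paper
            return "EXCEPTION: duplicate presentment"
        original = self.issued.get(presented.check_no)
        if original is None:
            return "EXCEPTION: check number not in issued file"
        if original.amount_cents != presented.amount_cents:
            return "EXCEPTION: amount altered"
        # Payee verification: compare names, ignoring case and surrounding spaces
        if original.payee.strip().upper() != presented.payee.strip().upper():
            return "EXCEPTION: payee name altered"
        self.paid.add(presented.check_no)
        return "PAY"


def run_sample() -> list:
    """Run a constructed batch of presented items through the register."""
    pp = PositivePay()
    for c in (Check(1001, 8450, "Jane Customer"),      # refund check
              Check(1002, 1200000, "Acme Supply"),
              Check(1003, 4000, "Jane Customer"),      # refund check reported lost
              Check(1004, 50000, "City Water Dept"),
              Check(1005, 250000, "Acme Supply")):
        pp.issue(c)
    pp.stop_payment(1003)

    presented = [
        Check(1001, 8450, "Jane Customer"),      # deposited through mobile RDC
        Check(1001, 8450, "Jane Customer"),      # same paper item cashed at a check casher
        Check(1002, 1200000, "ACME SUPPLY"),     # legitimate; only the case differs
        Check(1003, 4000, "Jane Customer"),      # the "lost" check turns up
        Check(1004, 500000, "City Water Dept"),  # amount raised tenfold
        Check(1005, 250000, "A. Crook"),         # payee name altered
        Check(9999, 9900, "Anyone"),             # never issued on this account
    ]
    return [(c.check_no, pp.decide(c)) for c in presented]


if __name__ == "__main__":
    for check_no, decision in run_sample():
        print(check_no, decision)
```

The exception on the second presentment of check 1001 is the "positive pay will catch the duplicate" point; the "but" is that the check casher who took the paper item may still hold it as a holder in due course, which is why the slides pair positive pay with placing a stop payment as soon as a customer reports a check lost.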
Customer Refund Check Fraud
If customer claims a check was lost, place a stop payment on that check with your bank
Encourage local check cashers to call utility to verify if the check is legitimate?
– A utility in Texas did this
Potential for similar situations with employee payroll checks
ACH Fraud
Encourage your customers to use passwords for your Web site that are different from the passwords they use on other sites. (I know, easier said than done!)
Unauthorized return time frames:
– NACHA Rules: 60 days from settlement date of transaction
– Regulation E: 60 days from day statement cuts
How does your bank handle unauthorized returns that are made outside of these time frames?
ACH Fraud (Corporate Accounts)
ACH Fraud
Prevention:
– ACH Debit Block
– ACH Debit Filter
– ACH Positive Pay
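The three ACH debit controls listed above differ in how much they let through. The following added example (not from the presentation or any bank's system) runs one constructed batch of incoming debits through each control; the company IDs, caps, pre-authorizations and field names are assumptions, not a real NACHA file layout.

```python
"""ACH debit block, ACH debit filter and ACH positive pay applied to incoming debits.

Added illustration, not from the original presentation. The debit entries,
originator company IDs, caps and pre-authorizations are constructed sample
data; the field names are assumptions, not a real NACHA file layout.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AchDebit:
    trace: str          # trace number (constructed)
    company_id: str     # originator's company identification
    amount_cents: int
    description: str


class AchDebitControls:
    """Three controls, from coarsest to most specific:
    block        - return every debit that hits the account
    filter       - allow only listed originators, each up to a dollar cap
    positive_pay - allow only debits the company pre-authorized (originator + amount)
    """

    def __init__(self, mode: str, allowed: dict = None, preauthorized: list = None):
        if mode not in ("block", "filter", "positive_pay"):
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode
        self.allowed = dict(allowed or {})              # company_id -> cap in cents
        self.preauthorized = list(preauthorized or [])  # (company_id, amount_cents), used once each

    def decide(self, d: AchDebit) -> str:
        """Return 'POST' or a 'RETURN: ...' reason for one incoming debit."""
        if self.mode == "block":
            return "RETURN: account blocked for ACH debits"
        if self.mode == "filter":
            cap = self.allowed.get(d.company_id)
            if cap is None:
                return "RETURN: originator not on debit filter"
            if d.amount_cents > cap:
                return "RETURN: amount exceeds cap for originator"
            return "POST"
        # positive_pay: each pre-authorization covers exactly one debit
        key = (d.company_id, d.amount_cents)
        if key in self.preauthorized:
            self.preauthorized.remove(key)
            return "POST"
        return "RETURN: no matching pre-authorization"


SAMPLE_DEBITS = [
    AchDebit("0001", "1234567890", 45000, "POWER CO MONTHLY"),
    AchDebit("0002", "1234567890", 45000, "POWER CO MONTHLY"),    # second pull this month
    AchDebit("0003", "9876543210", 1200000, "SUPPLY CO INVOICE"),
    AchDebit("0004", "5555555555", 99900, "WEBSTORE ORDER"),      # unknown originator
    AchDebit("0005", "9876543210", 4000000, "SUPPLY CO INVOICE"), # far above the usual size
]


def run_sample() -> dict:
    """Decisions for the sample batch under each control."""
    results = {}
    for mode in ("block", "filter", "positive_pay"):
        ctl = AchDebitControls(
            mode,
            allowed={"1234567890": 100000, "9876543210": 2000000},
            preauthorized=[("1234567890", 45000), ("9876543210", 1200000)],
        )
        results[mode] = [(d.trace, ctl.decide(d)) for d in SAMPLE_DEBITS]
    return results


if __name__ == "__main__":
    for mode, decisions in run_sample().items():
        print(mode, decisions)
```

Note how the filter posts the second pull from the power company (a known originator under its cap) while positive pay returns it, because only one debit of that size was pre-authorized; the filter is the right tool when the account has a small set of regular originators, positive pay when every debit should be expected in advance.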
ACH Fraud
Reasons organizations were victims of ACH fraud:
– Did not use ACH debit blocks or ACH debit filters (cited by 50% of AFP survey respondents)
– Account reconciliation was not timely (38%)
– ACH return not timely (38%)
– Not using ACH positive pay (38%)
– Internal fraud (13%)
Fraud Prevention at Point of Sale
Check acceptance?
– Some merchants (e.g., Wendy’s) do not accept checks
Manual entry of card transactions?
– One large convenience store chain has disabled the ability for its cashiers to key-enter transactions.
– This led to a significant decrease in their in-store fraud
Fraud Prevention for Merchants
Storage/use of customer data?
– An airline is working to minimize collection/retention of data; e.g., trying not to have kiosks used for check-in for a flight collect card # when doing verification.
– Products/services through which merchants share data with others on the platform (e.g., Accertify)
• Uses a scoring-based or risk-based method, similar to a negative database.
• Airline is no longer using address verification service (AVS) to authenticate transactions.
• Also looking at dropping use of the cardholder verification value (CVV2); already not using on telephone transactions, and looking at not using it on Web transactions.
Fraud Prevention for Merchants
U.S. Bank is making e-payment kiosks available to its customers
Can help companies shrink lines during busy times
Lines are often not just for making payments; also for customer service, etc.
Kiosks can help steer customers to a more automated option
Targeting companies, government entities, utilities and nonprofits that accept payments from users/ customers
Fraud Prevention for Merchants
Free-standing machines, similar to ATMs
Accept cash, checks, credit and debit cards
Can be customized
View which consumers have used them to make payments
Display targeted messages to kiosk users
Fraud Prevention for Merchants
May be used to reach consumers who have not yet begun to use the Web or mobile devices
– According to research cited by the bank, more than 1 in 5 consumers pay bills in person
Piloted by Detroit Water & Sewage
– Installed a self-service kiosk in its downtown Detroit office to collect bills from residents.
In addition to customer service, kiosks may be beneficial for fraud/risk management purposes
– Cashiers are not handling payments
– Reduction in cash “shrinkage”/associated fraud
Call Center Fraud Prevention
Products/Services that allow call centers and/or other groups to confirm the identity, location and type of device used by callers
Voice biometrics and other technology allows for analysis of the audio aspects of calls to identify suspicious call origins, caller ID spoofing and other potential signs of fraud
Corporate Account Takeover (CATO)
What is it?
– Malware
• In 2Q13, for example, new types of malware exceeded 18 million (McAfee)
– Keylogging
– “Phishing” Attacks
– “Money Mules”
Global corporate account takeover losses will total US$627m in 2014 (Aite)
Corporate Account Takeover
Individual Americans are protected by Reg E & are liable for a maximum $50 if a cyber-thief strikes.
Companies have no such guarantees.
In the US, corporate customer liability is governed by the Uniform Commercial Code (UCC).
Companies are responsible for stolen funds if:
– they have agreed to a security procedure with the bank,
– the bank followed it, and
– the procedure was ‘commercially reasonable.’
FFIEC Guidance
FFIEC Supplemental Guidance on Internet Authentication
– Released June 2011
– Supplement to Authentication in an Internet Banking Environment guidance issued October 2005
– Lays out broad steps banks should take to guard against malware attacks.
– Establishes minimum requirements for educating customers about online fraud.
FFIEC Guidance
Prescribes layered security for business accounts
– Includes the ability to detect and respond to suspicious activity when logging in and initiating transactions [anomaly detection].
– Stop relying on tokens, passwords and cookies
– Instead, use “layered security,” including software that flags unusual behavior such as multiple transfers within minutes to new recipients
– Out-of-band authentication
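The "software that flags unusual behavior such as multiple transfers within minutes to new recipients" in the guidance above is a velocity rule, and a small version of it can be run over an online-banking activity log. This added example is not from the presentation or from any FFIEC document or vendor product; the log line format, field names, 5-minute window, threshold of three and the known-recipient history are all constructed assumptions.

```python
"""Velocity rule of the kind the FFIEC guidance asks for: flag a user who sends
several transfers to new recipients within a few minutes of each other.

Added illustration, not from the original presentation. The log line format,
the field names, the 5-minute window and the threshold of three are
assumptions; the log lines and the known-recipient lists are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
THRESHOLD = 3   # transfers to never-before-seen recipients inside WINDOW

SAMPLE_LOG = """\
2014-10-21T09:02:11 user=apclerk type=ach recipient=ACME-SUPPLY amount=1200000
2014-10-21T09:40:05 user=apclerk type=wire recipient=CITY-WATER amount=50000
2014-10-21T14:01:02 user=apclerk type=wire recipient=JDOE-7781 amount=920000
2014-10-21T14:02:30 user=apclerk type=wire recipient=MSMITH-2203 amount=880000
2014-10-21T14:03:51 user=apclerk type=ach recipient=ACME-SUPPLY amount=40000
2014-10-21T14:04:12 user=apclerk type=wire recipient=RLEE-0094 amount=905000
2014-10-21T15:30:00 user=treasurer type=wire recipient=PAYROLL-SVC amount=3000000
"""

# Recipients each user has paid before (constructed history)
KNOWN_RECIPIENTS = {
    "apclerk": {"ACME-SUPPLY", "CITY-WATER"},
    "treasurer": {"PAYROLL-SVC"},
}


def parse_line(line: str) -> dict:
    """'<iso timestamp> key=value ...' -> dict with parsed ts and amount."""
    ts_str, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.fromisoformat(ts_str)
    fields["amount"] = int(fields["amount"])
    return fields


def detect(log_text: str, known_recipients: dict) -> list:
    """Return alerts as (user, timestamp of the triggering transfer, [new recipients])."""
    seen = {u: set(r) for u, r in known_recipients.items()}
    recent = defaultdict(deque)      # user -> (ts, recipient) of recent new-recipient transfers
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        user, rcpt, ts = e["user"], e["recipient"], e["ts"]
        known = seen.setdefault(user, set())
        if rcpt in known:
            continue                 # established payee: not what this rule looks at
        known.add(rcpt)
        q = recent[user]
        q.append((ts, rcpt))
        while q and ts - q[0][0] > WINDOW:
            q.popleft()              # slide the window forward
        if len(q) >= THRESHOLD:
            alerts.append((user, ts, [r for _, r in q]))
            q.clear()                # one alert per burst
    return alerts


def run_sample() -> list:
    return detect(SAMPLE_LOG, KNOWN_RECIPIENTS)


if __name__ == "__main__":
    for user, ts, recipients in run_sample():
        print(f"ALERT {ts} {user}: {len(recipients)} new recipients {recipients}")
```

In the sample, the morning payments to established payees produce nothing, while the three afternoon wires to never-seen recipients inside four minutes raise one alert; a real deployment would hold such a batch for out-of-band confirmation rather than merely log it.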
FFIEC Guidance
Directs FIs to add security for business accounts, including enhanced controls over admin functions, where privileged users’ passwords, if stolen, can give hackers direct access to a company’s bank accounts.
Does not endorse any specific technology for doing so
FIs should make clear to business customers that they are not protected by Reg E.
Corporate Account Takeover
Experi-Metal v. Comerica
PATCO Construction v. Peoples United (former Ocean Bank)
Choice Escrow & Land Title v. BancorpSouth Bank
Prevention of CATO
Daily account reconciliation
Employee education – employees should know whom to notify and how regarding any suspicious activity.
Security
– Use of firewalls, antivirus, anti-spyware, anti-malware, etc.
– Use products that form a “suite”; “Security programs from multiple companies sometimes do not work well together, often working against each other.”
Multifactor authentication
E-mail alone is insufficient to authorize a wire
Prevention of CATO
Dedicated PC(s) for performing online banking functions
Minimize the number of employee user accounts with admin rights; many malware programs can infect a PC only if the user has admin rights.
Limit use of social networks, personal e-mail, general Internet usage
Restrict use of flash drives to those provided by your IT dept.
Prevention of CATO
Preparedness: A company’s risk profile/risk assessment should include information about CATO.
– How will you attempt to prevent it (operational)?
– How will you mitigate the risks associated with it (financial/reputational)?
– Each organization’s plan may vary.
“In Case of Emergency. . .”
Work with FI to ensure online access to user accounts is disabled; all online banking users will need to change online banking passwords, or open new accounts, if necessary.
Review all recent transactions and authorizations on the account; if any are suspicious, cancel or reverse them ASAP (and if possible).
Ensure that hackers have not created any new users or payees, requested a change of information such as address or phone number, changed access levels of any user, altered ACH batch or wire transfer templates, or ordered new cards, checks or other documents.
“In Case of Emergency. . .”
File a police report.
– May help you in working with FIs, insurance companies or other entities that may need to be involved in subsequent investigations.
– Keep detailed records of what has happened and steps you have taken to resolve the situation.
You may need to take additional action if your organization accepts credit cards.
“Masquerading”
Combination of social engineering and a confidence scam, using high-tech tools.
Fraudster sends an email that appears to be from an executive at a company, or calls, spoofing the executive’s phone number.
The fraudster then gets the target at the organization to do something, such as send a wire or initiate an ACH payment.
Source: Penny Crosman, “This Banker Is on a Mission to Warn About ‘Masquerading’ Scams,” Aug. 1, 2014
Tax Return Fraud
Identity thieves file fake federal returns using taxpayers’ SSNs; taxpayer who files subsequently finds his or her return rejected because someone already received a return using that identity.
641,052 taxpayers affected by ID theft in 2011, more than double the number affected in 2010
IRS detected 940,000 fake returns for 2010, in which ID thieves tried to obtain $6.5 billion in refunds
Tax Return Fraud
Prevention:
– IRS now uses a code to identify taxpayers who have died, so their numbers cannot be used by thieves
– IRS has issued more than 250,000 identity protection numbers to ID theft victims to use to prove they are the legitimate taxpayers when they file returns.
– IRS will be implementing measures to resolve cases faster.
– Taxpayers should guard SSN, and file tax returns as early as possible
SOURCE: Eileen Ambrose, “Protect Your Tax Return from Identity Thieves,” The St. Louis Post-Dispatch, Sunday, May 27, 2012, p. D2
Credit Card Acceptance/EMV
Do you have point-of-sale terminals?
Do you have field staff who accept payments via credit card using a Square or Square-like device?
EMV
“EMV” = Europay, MasterCard, and Visa
1994: Founded the global standard for credit and debit payments based on chip card technology.
Today, Europay is owned by MC; EMV standards are set by EMVCo, a joint venture of Visa, MC, AmEx, JCB, Discover and UnionPay.
EMV
“Chip cards,” “chip and PIN cards,” and “smart cards” are used interchangeably.
– Plastic cards that contain a microchip that sends a dynamic protected value unique to each transaction
Though “chip and PIN” is often used with EMV, the standards allow for cardholder verification via signature (PIN is most common in other countries).
U.S. Implementation: “Chip and choice”
EMV
EMV standards have been adopted in many other countries, but the U.S. has lagged behind.
– Reluctance due to the cost of changing payment terminals to accept chip payments.
– Some U.S. card issuers have begun issuing cards containing EMV chips (e.g., to frequent international travelers so that they don’t have payments problems abroad), but many have yet to move in that direction.
– The cost of terminal and card migration may be as high as $12bn (Javelin).
EMV
Two Ways of Accepting Chip Card Payments
Contact (“dipping” the card): Cardholder inserts card into POS device. Card remains in device until completion of the transaction. If a customer removes the card before the charge is approved, the transaction will fail and the customer will be required to provide the card again.
Contactless (“tap-and-go”): Cardholder waves the card by the chip card-enabled POS device to provide payment information. Once the transaction has been authorized, customer might then be prompted to enter PIN or sign a receipt.
Dynamic Authentication
EMV relies on dynamic authentication: use of changing variables unique to each individual card transaction
When mag-stripe cards are swiped at POS terminal, data, such as primary account number (PAN) and expiration date, are transmitted to the card issuer.
The data—known as static data—remains the same for each transaction.
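The contrast between static stripe data and a per-transaction dynamic value can be shown with a small issuer/card model. This added example is not from the presentation and is not the real EMV cryptogram algorithm: an HMAC over the transaction fields stands in for the chip's cryptogram, the application transaction counter (ATC) and terminal unpredictable number (UN) are modelled as plain integers and bytes, and the PAN is a well-known test number with constructed expiry, key and amounts.

```python
"""Static versus dynamic authentication, as a simplified model.

Added illustration, not from the original presentation and not the real EMV
cryptogram algorithm: HMAC-SHA256 over the transaction fields stands in for
the card's per-transaction cryptogram. The PAN is a well-known test number;
the keys, amounts and expiry are constructed values.
"""
import hashlib
import hmac
import os


def compute_cryptogram(key: bytes, pan: str, atc: int, amount_cents: int, un: bytes) -> bytes:
    """Card and issuer both compute this; it changes with every transaction."""
    msg = f"{pan}|{atc}|{amount_cents}|".encode() + un
    return hmac.new(key, msg, hashlib.sha256).digest()


class Issuer:
    def __init__(self):
        self.card_keys = {}   # PAN -> card-unique key personalised into the chip
        self.last_atc = {}    # PAN -> highest application transaction counter accepted
        self.expiry = {}      # PAN -> expiry, the only thing the mag-stripe model checks

    def enroll(self, pan: str, expiry: str) -> bytes:
        key = os.urandom(32)
        self.card_keys[pan], self.last_atc[pan], self.expiry[pan] = key, 0, expiry
        return key

    def unpredictable_number(self) -> bytes:
        """Terminal-side nonce so a cryptogram cannot be precomputed."""
        return os.urandom(4)

    def authorize_static(self, pan: str, expiry: str) -> bool:
        """Mag-stripe model: the stripe bytes are the credential, every time."""
        return self.expiry.get(pan) == expiry

    def authorize_dynamic(self, pan, atc, amount_cents, un, cryptogram) -> bool:
        key = self.card_keys.get(pan)
        if key is None:
            return False
        if atc <= self.last_atc[pan]:
            return False                      # counter must advance: blocks replay
        expected = compute_cryptogram(key, pan, atc, amount_cents, un)
        if not hmac.compare_digest(expected, cryptogram):
            return False                      # fields or key do not match
        self.last_atc[pan] = atc
        return True


class ChipCard:
    def __init__(self, pan: str, key: bytes):
        self.pan, self.key, self.atc = pan, key, 0

    def generate(self, amount_cents: int, un: bytes):
        self.atc += 1
        return self.atc, compute_cryptogram(self.key, self.pan, self.atc, amount_cents, un)


def run_sample() -> dict:
    issuer = Issuer()
    pan, expiry = "4111111111111111", "1217"      # test PAN, constructed expiry
    card = ChipCard(pan, issuer.enroll(pan, expiry))
    out = {}

    # Static data: a copy of the stripe is as good as the card
    out["static_copy_accepted"] = issuer.authorize_static(pan, expiry)

    # Dynamic data: genuine purchase
    un1 = issuer.unpredictable_number()
    atc1, crypt1 = card.generate(4999, un1)
    out["genuine"] = issuer.authorize_dynamic(pan, atc1, 4999, un1, crypt1)

    # Same captured values presented again: counter has not advanced
    out["replay"] = issuer.authorize_dynamic(pan, atc1, 4999, un1, crypt1)

    # Captured cryptogram reused with a guessed next counter and a new UN/amount
    un2 = issuer.unpredictable_number()
    out["reuse_other_txn"] = issuer.authorize_dynamic(pan, atc1 + 1, 99999, un2, crypt1)

    # The real card's next transaction still works
    atc2, crypt2 = card.generate(1500, un2)
    out["next_genuine"] = issuer.authorize_dynamic(pan, atc2, 1500, un2, crypt2)
    return out


if __name__ == "__main__":
    print(run_sample())
```

The point the slide makes falls out of the model: the static check accepts any copy of the stripe data, whereas the dynamic check rejects both a straight replay (the counter did not move) and a captured cryptogram attached to different transaction fields (the MAC no longer matches), while the genuine card keeps working.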
Card Associations & EMV
Visa roadmap to EMV (August 2011)
– Expand TIP: Visa will expand its Technology Innovation Program (TIP) to merchants in the U.S.
• TIP ends the mandate for merchants to validate compliance with the PCI Data Security Standard (PCI DSS) for any year in which 75% of the merchant’s Visa transactions stem from chip-based terminals.
• To accommodate the Visa mandate, merchants must use terminals that support both contact and contactless chip technology.
• “Qualifying merchants must continue to protect sensitive data in their care by ensuring their systems do not store track data, security codes or PINs, and that they continue to adhere to the PCI DSS standards as applicable.”
Card Associations & EMV
Liability Shift: Visa will institute a U.S. liability shift for domestic and cross-border counterfeit card-present POS transactions, eff. Oct. 1, 2015.
– Fuel-selling merchants have until Oct. 1, 2017, before the liability shift takes effect for transactions at automated fuel dispensers, due to the added expense of updating.
Encourages EMV adoption:
– Currently, POS counterfeit fraud is largely absorbed by card issuers.
– With liability shift, if a contact chip card is presented to a merchant that has not adopted, at minimum, contact chip terminals, liability for counterfeit fraud may shift to the merchant’s acquirer.
– The acquirer will likely shift that liability down to the merchant.
Card Issuers & EMV
JPMC
– First major card issuer to adopt chip-and-signature model for U.S. cards
– Announced 2/25/2014 that it would begin issuing chip-and-PIN cards this year. Will others follow suit?
Merchants & EMV
Merchants ultimately will bear the cost of new POS hardware, software, and changes in their payment-processing operations to accept chip cards.
Only about 10% of the POS terminals in the U.S. are EMV-ready
Wal-Mart has been pushing for EMV adoption for years.
Wal-Mart, Home Depot and AMC Theaters all prefer PIN in U.S. EMV scheme
Oct. 2011: Wal-Mart turned on EMV acceptance at fewer than 100 stores (of approx. 3,600 in U.S.)
– Most in areas that draw foreign visitors, such as Orlando, FL
Merchants & EMV
March 2014: Wal-Mart turned on EMV acceptance at about 1,000 of its US stores.
Its whole network of US stores will be ready to accept EMV cards before the end of the year.
Cards in EMV countries typically still come with a mag-stripe.
The US will likely be in this “dual” environment for a long time!
When a cardholder in a Wal-Mart store (for example) equipped with EMV terminals tries to swipe a chip card at a terminal, which would activate the mag-stripe, the terminal prompts the cardholder to “dip” the card in the device so that it reads the chip.
Questions?
Matt Davies, AAP, CTP, CPP, Payments Outreach Officer
Federal Reserve Bank of Dallas, Phone: 214-922-5259
E-mail: [email protected]
Follow us on:
@DallasFed DallasFed