Card Fraud: Issuers Are Pivotal
Issuers Learning to Quell Massive Losses
It seems payment card fraud is a modern-day reality we're just going to have to live with.
We spend quite a bit of time talking about the vulnerabilities of the magnetic-stripe - an outdated payments technology that could be improved, if only we took a page from the payments book of our European brethren ... and adopted the more-advanced chip and PIN method.
But payments pundits say U.S. card issuers are doing more behind the scenes to triumph in small skirmishes than we might think.
Brian Riley, senior research director of bank cards at TowerGroup, says that as details about the Michaels card breach are gradually revealed, it will be clear that financial institutions, as card issuers, are the ones that picked up on the common fraud link - Michaels.
How did they do it? By closely monitoring transactions via behavioral analytics.
"The behavioral scoring in this was really high," Riley says. "The pattern of transactions showed that all of these affected accounts had Michaels' purchases in their history. Behavioral scoring is really where it's at in card transactions."
We are learning how to defeat the fraudsters in battle, Riley says, even if we never succeed at ending the war.
Even advanced card technology, such as EMV chip and PIN, which takes the skimmable magnetic-stripe out of the equation, would not have helped in the Michaels breach, Riley says. The POS PIN pad tampering scheme used to capture card details from Michaels purchases can compromise chip and PIN as well. [See 3 Tips to Foil POS Attacks.]
"With a tampered POS device, you can get around EMV," Riley says. "A good, robust scoring system is the only way to really pick up on this. That's why behavioral scoring is so important. That's, quite often, how these things are discovered."
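The detection Riley describes above - every account with confirmed fraud turned out to share one merchant in its purchase history - is the classic common point-of-purchase analysis an issuer's analytics team runs. The following is an added illustration of that technique, not code from the post or from any issuer: the accounts, merchants and transactions are constructed sample data, and the `min_fraud_share` and `min_lift` thresholds are hypothetical values chosen for the example. Each merchant is scored by the fraction of fraud-flagged accounts that shopped there compared with the fraction of unaffected accounts that did, so a merchant everybody visits (the grocer) is not mistaken for the breach point.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data (not from the post): one (account, merchant) pair per
# card transaction in the issuer's history.
TRANSACTIONS = [
    ("acct-1", "CraftStore"), ("acct-1", "Grocer"), ("acct-1", "Fuel"),
    ("acct-2", "CraftStore"), ("acct-2", "Grocer"), ("acct-2", "Pharmacy"),
    ("acct-3", "CraftStore"), ("acct-3", "Grocer"), ("acct-3", "Fuel"), ("acct-3", "Bookshop"),
    ("acct-4", "Grocer"), ("acct-4", "Fuel"),
    ("acct-5", "Grocer"), ("acct-5", "Pharmacy"), ("acct-5", "CraftStore"),
    ("acct-6", "Grocer"), ("acct-6", "Fuel"), ("acct-6", "Bookshop"),
    ("acct-7", "Grocer"), ("acct-7", "Pharmacy"),
    ("acct-8", "Fuel"), ("acct-8", "Bookshop"),
]

# Accounts the issuer has already confirmed as carrying fraudulent charges
# (constructed for the example).
FRAUD_ACCOUNTS = {"acct-1", "acct-2", "acct-3"}


@dataclass
class MerchantStat:
    merchant: str
    fraud_share: float    # fraction of fraud-flagged accounts that shopped here
    control_share: float  # fraction of unaffected accounts that shopped here
    lift: float           # fraud_share / control_share


def merchants_by_account(transactions):
    """Collapse the transaction log into each account's set of merchants."""
    history = defaultdict(set)
    for account, merchant in transactions:
        history[account].add(merchant)
    return history


def common_point_of_purchase(transactions, fraud_accounts,
                             min_fraud_share=0.8, min_lift=2.0):
    """Return merchants over-represented in the fraud group, highest lift first.

    The thresholds are hypothetical tuning values for this example.
    """
    history = merchants_by_account(transactions)
    fraud = [a for a in history if a in fraud_accounts]
    control = [a for a in history if a not in fraud_accounts]
    if not fraud or not control:
        return []  # nothing to compare against

    merchants = set().union(*history.values())
    results = []
    for merchant in sorted(merchants):
        fraud_share = sum(merchant in history[a] for a in fraud) / len(fraud)
        control_share = sum(merchant in history[a] for a in control) / len(control)
        # A merchant never seen in the control group would give infinite lift;
        # floor the denominator at one "virtual" control account (simplifying assumption).
        lift = fraud_share / max(control_share, 1 / (len(control) + 1))
        results.append(MerchantStat(merchant, fraud_share, control_share, lift))

    flagged = [r for r in results
               if r.fraud_share >= min_fraud_share and r.lift >= min_lift]
    return sorted(flagged, key=lambda r: r.lift, reverse=True)


if __name__ == "__main__":
    for r in common_point_of_purchase(TRANSACTIONS, FRAUD_ACCOUNTS):
        print(f"{r.merchant}: fraud share {r.fraud_share:.2f}, "
              f"control share {r.control_share:.2f}, lift {r.lift:.1f}")
```

On the sample data only `CraftStore` survives both thresholds (every flagged account visited it, but only one in five controls did), while `Grocer`, present in all three fraud histories too, is dropped because it is just as common among unaffected cards. In practice the control group would be a sampled population of cards active in the same period, and the merchant key would be a normalised merchant identifier rather than a display name.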
From a card-fraud perspective, PIN pad swapping is not so prevalent. And it's not likely to become a huge trend. The Michaels incident is somewhat of an anomaly in that regard. As Doug Johnson, vice president of risk management policy at the American Bankers Association, is quick to point out: "This was a particularly audacious move, to take out those point-of-sale terminals and replace them. It's risky. Usually, the more anonymous the criminals can be, the better they feel."
Typical card-fraud schemes, which rely on basic skimming devices - often attached to unattended kiosks, such as pay-at-the-pump terminals and ATMs, which allow the fraudster to remain anonymous - will continue to be the greatest worry for card issuers. And any enhancements we can make to improve our card technology and curb fraud losses, which a move to EMV would provide, should be welcomed. But it's clear that even if we do move to a more advanced card technology, we still need the analytics on the back-end to track the fraud.
One industry insider aptly dubbed it the CSI Phenomenon. "We are seeing evidence of a dead body first and relying on people to report the crime, rather than preventing the crime from happening in the first place," says Adam Dolby, who heads up online security and authentication systems for Gemalto North America.
I could not agree more. And Johnson wraps that thought well, when he says banks might not have direct control over card fraud that is perpetrated at the merchant level, but "they can pick up on it with behavioral or transactional analytics."
And then comes breach notification. What happens after a breach occurs? What role do banks, credit unions and merchants play? In the Michaels case, most agree the card issuers are absolved of any notification responsibility. But is that a realistic approach? After all, when all is said and done, the fraud always comes back to the bank.
How banks and credit unions, as card issuers, respond should be decided on an individual basis. Having a notification plan or course of action built into a crisis response plan is what most experts advise.
Disaster Recovery
Crisis management can include a lot of things, not the least of which is how to respond during and after a disaster. My colleague, Howard Anderson, who oversees sister site HealthInfoSecurity, offers some insights this week about disaster recovery during an interview with hospital security officer Terrell Herzig. Herzig's message: Cross-training is the best way to prepare for any disaster.
For Herzig, who works for Alabama-based UAB Hospital, having a thorough disaster recovery plan in place helped the hospital maintain its information systems after tornadoes swept through Alabama, knocking out power and communications and preventing many members of the IT staff from making it in to work.
"We had just completed six months ago a disaster test where we simulated a fire in our computer facility and, on paper, we took out a few of our key staff, like our network director and our server manager, just to see how the team would respond," Herzig says. "So, no one individual holds a monopoly on any role."
Please listen to the Herzig interview for more insight on crisis management.