Workshop E: Fighting Fraud and Cyber Crime: WTF…"Where's the Fraud"
Upcoming SlideShare
Loading in...5
×
 

Workshop E: Fighting Fraud and Cyber Crime: WTF…"Where's the Fraud"

on

  • 355 views

 

Statistics

Views

Total Views
355
Views on SlideShare
355
Embed Views
0

Actions

Likes
0
Downloads
7
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Workshop E: Fighting Fraud and Cyber Crime: WTF…"Where's the Fraud" Workshop E: Fighting Fraud and Cyber Crime: WTF…"Where's the Fraud" Presentation Transcript

  • Fighting Fraud and Cyber Crime:WTF….”Where’s the Fraud”John MortonChief Risk OfficerGreenDot CorporationJames DeanPresident/CEOTrueCourse Advisory Services, LLCFriday, June 28, 2013Workshop EDan LarkinDirector of Strategic OperationsNational Cyber Forensic Training AllianceDeb GeisterSr. Vice PresidentMetaPayLori BreitzkePresidentE & S Consulting© 2013 Network Branded Prepaid Card AssociationTimothy P. LearySr. Special Anti Money LaunderingExaminerFederal Reserve Board1
  • Thank You To Our SponsorsPresenting SponsorsSupporting Sponsor Welcoming Reception SponsorAssociate SponsorsFounding Sponsors
  • • The Power of Collaboration• Obstacles of Collaboration• Regulator’s View of Prepaid Cards• Industry’s View of Prepaid Fraud Mitigation• NBPCA’s Collaboration• Discussion with the Panel of Experts3Agenda
  • POWER OF COLLABORATION4
  • Law Enforcement Alliancefor Prepaid (LEAP)• New program with selected Prepaid Anti Fraud Forummembers to participate in this more direct connect with lawenforcement thru NCFTA & others (IAFCI)• Information sharing for company and industry level benefits• Bi-weekly action calls with NCFTA• Monthly NCFTA/LEAP industry status reporting• Quarterly research papers• Coordination of reporting standards/CyFin• Establish Best Practices for LE communication• Aggregation of crimes for prosecution• Special projects5
  • LEAP Evaluation Background• Approximately 6 week review• 7 member companies tasked with the review• Activities included;– Development of evaluation criteria– Onsite reviews & system demos– Weekly calls & reviews– Interviews with NCFTA Staff and industry imbeds– Interviews with members using services on trial basis– Development of findings, benefits, ROI potential and recommendations• Results – Recommendations, Presentation and Report• Positive presentation• Contract entered into• Kickoff meetings conducted and program underway6
  • Primary LE Complaint“Difficult for LE to track down who to speak to in order toidentify account information for investigations and fundrecovery efforts.”LEAP Response• Created a resolution pursuit team• Focused on analyzing the root cause, and recommending resolution• Conducted problem walk-thru with NCFTA and interviews with otherLE officers• Created initial inventory of financial contacts• Added findings to NBPCA best practices and with ongoing NCFTAcollaboration to update and refine• Scenarios: what’s really being found in the field and how to address7
  • Three Scenarios1. “Suit case in the field”Cards are found in the field by LE officers. Due to suspicious circumstance,the field officers wish to find out quickly if cards are stolen, havesuspicious balance, etc.2. “Investigation of seized cards”During an arrest, a large number of cards are seized, or a large number ofaccount numbers are uncovered and investigating officers need researchby FI’s into the accounts.3. “Electronic Loads into Prepaid accounts”Outbound funds appear to be wired or ACH to what appears to be PPDaccounts. LE or FI’s. LE or FI’s wish to contact the PPD FI to freeze orrecover funds8
  • Objective•Law enforcement is trying to collect evidence of suspiciousactivity regarding potential prepaid cards identified duringa stop – the goal is to make an arrest.•Chain of evidence is NOT neededQuestionsto ask•What is LE trying to determine?•Is the card(s) real, counterfeit or stolen?•Have there been suspicious transactions?•Is the Balance at a suspicious level?•Immediate response IS neededLE Actions•Call customer service number on back of card•Asked to be transferred to fraud managementhotline for FI’s prepaid products•Tell them LE believes the card is involved incriminal activity and wish to determine 1-3•Provide them with items 1 -7“Suit Case in the Field”Data Points LE has:(may vary by product)The Card1. Name of issuingbank2. Network Brand3. Marketing Brand4. Card number5. CVV number6. Date of expiration7. Name on card8. Website9
  • NBPCA Best Practices FindingsIndustry Best Practices• Thru NBPCA create and maintain Fraud managementcontact information• Publish information through NCFTA• Determine methodologies to identify PPD Accounts,and sub-accounts in Pooled accounts, from ACH &Wire transfers.Electronic LoadsIndustry Best Practices• Through NBPCA create and maintain Fraudmanagement contact information• Publish information through NCFTA• Determine methodologies to identify PPDAccounts, and sub-accounts in Pooled accounts,from ACH & Wire transfers.Seized cardsIndustry Best Practices• Establish PPD LE 24/7 Hotline• Train Customer Service to direct LE calls to hotline• Develop inventory of products and contact numbersof Responsible party• Require responsible parties to create hotlineField Operations10
  • NCFTA Prepaid Report• Value of working across industry and agency– Predictive– Preventive– Fraudsters are product indifferent…justlooking for weak points. Thus, apply learningsfrom mature products to emerging products• Value in being proactive vs. reactive inIndustry/Agency collaboration• Prepaid as a model of young industry– Getting in front of fraud trends while theindustry is young• NCFTA written report: Increased Interest inAnonymous Prepaid– Trends in US vs. International– Findings in types of accounts– Virtual currency related to Prepaid11
  • Financial CyberCrime ChainIntrusionsData BreachKey LoggingNetworkApplicationsATOsIshing(S)FalseidentitiesStolen cardsServicesForumsMarketsRecruitmentScamsFraudId theftATOsLoadingACHWireW/UCash outATM’sW/UVirtualPurchasesCrimeManager(s)CrimeSponsor(s)FundingStrategyRecruitingManagementBudgetingHackers Hosters Phishers/Hackers MulesMoneyLaunderingFraudIdentity TheftCounterfeitingCyberCrimeDrugsTraffickingPornGamblingFuturecrimesCommittedCrimes(AML)18m 3-6m 1-3 m 12-24hrs12
  • Next Steps – Expand the Blocks• Specific threats• Actors• Prepaid value chain target• Risk Level• Metrics– Volume– Velocity• Case StudiesATOsIshing(S)FalseidentitiesStolen cards• Best Practices• Defensive resources– Partners– Tools– Products & Vendors• Reaction Plans– Management/Media• LE involvement pointsThreat characteristics Mitigation protocols13
  • Govt/L.E Hurdles• Defining problem/threat too narrowly = pipes• Rhetoric vs. Reality “collaborating- sharing” Really??• Re-inventing wheels every 2-4 years…• Slight re-wording = same results. (see above)• Continuity of Teams (Including Executive Management)• Need to sync L.E with regulators (Fin, Telco, Cable)• Need to adopt universal “OC” (people focus) model14
  • Joint Initiative Approach(Refined Partnerships)• SLAM-SPAM• Digital Phishnet (DPN)• Stock-Aid• Cy Fin• Pharm-Assist• Telco/Mobile– (Int Reshipping/Money Laundering)15
  • NCFTA SuccessesNCFTA provided intelligence tolaw enforcement who thenarrested Jason Jordan for the saleand distribution of counterfeitairbags. The indictment seeksprison time, the forfeiture of$57,063 in seized proceeds, and amoney judgment of $669,732 incalculated proceeds.16
  • OBSTACLES TO COLLABORATION17
  • Bringing together a growing pool of cross-sectorSubject Matter Experts, real time to rapidlyidentify, mitigate and ultimately neutralizeglobal cyber based threats. 18
  • • Networks• Employees• Customers• Suppliers – vendors –sub-contractors• Proprietary information19
  • HOW IT WAS.orCitizen/Cyber ComplaintFBILocal OfficeCyber SSA Way too small:LOW priority.Trash or “O” FileLocalBigBusinessINFRAGUARDDIRECTFBILocal OfficeCyber SSA“Russia –No Way!”ThumbsDown.- declined*Major assumption thatindustry would actuallyreach out at all to L.E.*U.S AttorneyComplaints from victims…Complaints from companies…Historical Cyber Threat Intelligence – Path to L.E20
  • HOW IT IS.ISP/Telcos AV SecurityMultipleIndustryHQ LevelL.E.Real Time IntelNCFTAAnalystsFBI L.E.AnalystsCONSENSUSSTEP#1ActionableIntelIIR’sCaseInitiativeDevelopmentActionableIntelPSA’s,etc.FeedbackLikely not to happenunder old model**** ***Did not exist in old modelSTEP#2Adopting the NCFTA & CIRFU Models….21
  • Govt/Law EnforIndustry/NCFTAFBI –HQ = 13Other Gov = 1-4DHS = 2-4DoD = 1-2DEA = 1International = 2-6PG HTTF = 3 -5Total @ 25 – 40+Specific Industry = 10+Funded industry = 10-12Analyst/Teams = 20 +NCFTA Admin & IT = 12Total @ 50 +Neutral “Meet in the Middle” (Non-Profit) SpaceIntel ReportsAnalysisAlerts -PSAsCase DevelopmentCase ReferralsProactive Support22
  • Industry Inhibitors• View of the problem – Scope (in-house, within sector)• L.E. can’t help– or will hurt! Can’t find them “declined”• Think they can’t share intell, believe L.E won’t either..• View of available resources (who is part of my team?)• Acquisitions/outsourcing – where is best early warning?• Who owns that intell?• Who needs (wants) help understanding context?• Who wants to remain blissfully ignorant?• Regulation or L.E encouragement?23
  • Industry inhibitors & L.E Hurdles=drive the need for NCFTA & CIRFU models1) Focus on Cross-Sector Intelligence sharing (2-way)2) Build Model that emphasized resource sharingincl:1) People2) Tools3) Live it, Prove it! Re-conditioning-thinking-doing=24
  • Pop3scanSMTP RelaysCompromisedPOP AccountsPlx_ssh2.cssh brute forceWarez?Load Modified ApacheLoad IVM Answering AttendantLoad Fast Email ExtractorFonosipInphonexCallfireCall-em-allLeaddiamondIfbyphoneAutomsMarketingburstCoatelecenterJunctionnetworksVoiceblastvontoo3rd Party Calling ServicesWWWCompromised AsteriskSystemsArea CodeEmail ListBankCredit UnionCard InfoVictims call in to get Voice Response UnitIVM Answering AttendantMules cash out in:RomaniaSpainSan DiegoChicagoNYCLAInfrastructureBank – CUCustomers(et al)25
  • • Cooperation and sharing of information between firms allowed forthe establishment of trends and investigation of this case. It is nowaiding the FBI in their criminal investigation.• Spoofing of User Agents is a new and real threat. This threathighlights the importance of capturing and sharing additional UAinformation including: js useragent, screen resolution, and timeoffset.WHAT IS THE SIGNIFICANCE?26
  • Victims of success…• GAO– In a 2007 report on Cyber Crime, the U.S. Government Accountability Office(GAO) acknowledged the economic cyber crimes and the resultant threats toU.S. national security. Mitigation efforts noted by GAO included the creation ofcybercrime “partnerships” between public and private sector entities designedto facilitate cooperation and information sharing. The GAO specificallyacknowledged the NCFTA as a partnership example.• President Obama’s 60 day Cyber SecurityStudy– The NCFTA is the first partnership of its kind in the nation and was recentlynoted in the President’s 60-day, comprehensive, “clean-slate” review to assessU.S. policies and structures for cyber-security cited the NCFTA as one of threeinternational examples as an “effective model” which “has a clearly definedinstitutional mission, well-defined roles and responsibilities for participants,and a clear value proposition that creates incentives for members toparticipate” and “mitigates concerns that would otherwise discourageparticipation by establishing and maintaining an environment of trust amongthe members.”27
  • NCFTA – Built to:• Fit and evolve primarily to industry needs• Serve as a cross-sector bridge to assets (Industry& Govt/L.E) that can help• Identify and engage key “responsible”stakeholders- towards building Best Practices28
  • Joint Initiative Process• Industry describes threat/problem• Industry consensus achieved (broader buy in)• Law Enforcement (Criminal Context) buy in• Focus Group meeting convened– Scope of threat and intelligence collection defined– Process for sharing intelligence & other resources– Key SME resources (embedded & remote) defined– Near & longer term goals & objectives defined29
  • Partnerships—Global & Growing• Support from International Law Enforcement andIndustry in 34 nations…• TDY and in-country model– Australia– Canada– U.K.– Germany– Romania– Italy– India– Turkey30
  • 31
  • BCP CyFINFRAUDSTOPRETAILIRCBROKERAGEROMANIANAUTOAUCTIONBPHOSTINGSMSVOIPMOBILEMALWAREPTP - BRAND TRADEMARK MALWARE ANTI MONEY LAUNDERING TELCOPREPAIDRELOADABLEMONEY TRANSMITTERSVIRTUAL CURRENCYIPR – ECONOMICESPIONAGEHEALTH AND SAFETYHEALTHCARE - CYBERFAKE IDSOCIAL MEDIA/GAMINGPHARMACOUNTERFEITGOODSMALWARE/BOTNETSBANKINGPAYMENTCARDSHACTIVISMFULL TIMEFORUMSFORUM RESEARCH – RUSSIAN/ROMANIAN/GERMANIFA32
  • NCFTA – CIRFU/LESpaceDPNDBSPAMDBOtherDBIDS Co’sie SymantecDB’sL.EDBsISP’sDB’sFinancial SrvsPartnersDB’sSoftware CoDB’s viaBSAOther FusionCentersIntelMerchantsvia MRCDB’sFBI SecureSpaceUS CERTDHSUS Postal &Internat’l– L.E33
  • 1 FRAUD CASE, 6 INDUSTRIESEMAILPROVIDERSBROKERAGEFIRMSBANKSDATINGWEBSITESINTERNATIONALWIRESTELCO34
  • NCFTA SuccessesNCFTA providedintelligence to lawenforcement whocoordinated the arrest ofseven organized crimeleaders in Romania, theCzech Republic, the UK,and Canada who operatedan online auto auctionscam network.35
  • NCFTA providedintelligence to lawenforcement whoarrested more than 100cyber criminals inRomania and the US,who stole approximately$10 million via an onlineauto auction scam.NCFTA Successes36
  • Intelligenceprovided byNCFTA industrypartners led to thearrest of themoney muleAlexander KireevNCFTA Successes37
  • NCFTA was instrumentalin providing informationto law enforcement thatlead to the arrests of 32“Anonymous” Members.NCFTA Successes38
  • REGULATOR VIEW39
  • Discussion Points• Emerging technology• Prepaid Access – What is it and how does it work?• Open vs. closed loop products• Characteristics and features• Prepaid access payment chain• Assessing and managing anti-money laundering risks40
  • Emerging Technology GenerallyNew products and services:• Have changed how we do business – less face-to-facetransactions• Internet/ P-2-P transactions/ digital check imaging/mobile payments/ virtual worlds involving financialtransactions• Have impacted financial and social behaviors• Who is offering the new product or service? A bank? Amoney services business? An unregulated entity?• Have varying money laundering risks depending on theirfeatures and characteristics and how they are managed41
  • Prepaid Access: What is it?• Pay-in-advance• May be used like money• Likely transferable• Closed loop system: Starbucks card, masstransit cards• Open loop system: general purpose reloadablecards42
  • Prepaid Access• Prepaid products require the consumer to pay in advance forfuture purchases of goods and services. Each payment issubtracted from the balance of the card or product until thetotal amount is spent• Bank Secrecy Act (BSA) regulatory definition: Access to fundsor the value of funds that have been paid in advance and canbe retrieved or transferred at some point in the future throughan electronic device or vehicle, such as a card, code, electronicserial number, mobile identification number, or personalidentification number. (31 C.F.R. 1010.100(ww))• Some products permit consumers to pay bills, makepurchases, and withdraw cash from ATM networks43
  • Types Of Prepaid AccessScope Open Loop May be used by an unlimitednumber of merchantsClosed Loop Use is limited to a specificlocation, vendor, or systemStorageCapacityFixed Amount Purchased for a certaindenominationDoes not allow upgrades orreloadsReloadable Purchased for a certain amountAllows reloading after use, up toa certain denominationUpgradeable Allows for additional amounts tobe added after purchase44
  • Types - ContinuedAccess to prepaidfundsCash Accessible May obtain funds through ATMnetwork or point of sale (POS)Non-cashAccessibleMay not obtain funds through ATMnetwork or POSStorage Capacity Network Based Access information contained inmagnetic stripe (like a credit card)Value stored on a remote databaseChip Based Access information code oncomputer chip embedded in the card45
  • TechnologyChip and Pin Vs. Magnetic Stripe• Many countries outside the U.S. use the “chip and pin” (EMVstandard) technology, where a computer chip is embedded in theprepaid card and the consumer must also enter a personalidentification number at the point of sale (POS).• Different POS readers and infrastructure are needed for thisproduct than for the magnetic stripe prepaid products.• The magnetic stripe prepaid card, common in the United States,contains account data recorded on the stripe that is reviewed by amagnetic reader at POS, like a credit card.• These products clear and settle through or “ride the rails” of thenetwork branded credit card system.46
  • Open vs. Closed Loop• Open Loop Prepaid Product: Generallyunderstood to mean a network branded generalspend prepaid product that is acceptedeverywhere that Visa, MasterCard, AmericanExpress or Discover is accepted.– Some open loop products are reloadable and functionsimilar to traditional bank deposit accounts, oftenrequiring the collection of customer information beforeactivation.– Many open loop products are anonymous but others canalso be issued in the name of an individual.47
  • Open vs. Closed Loop(continued)• Closed Loop: This generally means a prepaidproduct used for a specific purpose or specificservice.– BSA Regulatory Definition - Closed loop prepaid access:Prepaid access to funds or the value of funds that can beused only for goods or services in transactions involving adefined merchant or location (or set of locations), such as aspecific retailer or retail chain, a college campus, or asubway system. (31 C.F.R. 1010.100 (kkk))48
  • Prepaid Transaction Chain• There is no one business model.• Some participants may serve in multiple roles.• A prepaid transaction chain may have limitedparticipants or many along the chain.• The terms for prepaid and for the participants aremany and there is no agreed upon vernacular.• Many participants along the transaction chainmay hinder financial transparency.49
  • Participants in the Transaction Chain• Program Manager: Runs the program’s day-to-day operations. This entitymay or may not also be the entity that creates the program and designs thefeatures and characteristics of the prepaid product.• Network: Any of the payment networks, including MasterCard, VISA,Discover and American Express, that clears, settles, and processestransactions.• Distributor: Ships prepaid products to endpoints.• Payment Processor: The entity that tracks and manages transactions andmay be responsible for card account set-up and activation; adding value toproducts; and fraud control and reporting.• Issuing Bank: A bank that offers network branded prepaid cards toconsumers and may serve as the holder of funds that have been prepaidand are awaiting instructions to be disbursed.• Seller or Retailer: A convenience store, drugstore, supermarket, orlocation where a consumer can buy a prepaid product.50
  • Key Concepts• BSA/AML compliance responsibilities attach toinstitutions (e.g., banks), not products.– Accurately assessing risk (e.g., due diligence, 3rd-party relationships)– Suspicious activity monitoring (“by, at, or throughthe bank”)– OFAC51
  • Risk Factors• Frequency – daily or monthly limits?• Dollar thresholds – maximum loads?• Anonymity• Ability to reload• International use• Ability to transfer funds• Ability to co-mingle funds• Primary purpose and use of the card52
  • Assessing Risk• As when introducing any new product, banksshould ensure their risk assessment is updated toaccurately reflect BSA/AML risks associated witha new payment system.– Existing or new customers?– Online capabilities and non-face to face transactions?– Existing or new geographies?– 3rd parties?53
  • Assessing Risk• Understand the specific product/program.– How will the bank and the partners manage theprogram?– Responsibilities, checks, and controls.– Usually contractual (pros and cons).– How will the bank’s name be used?– Who has what information?– Who sets limits and who enforces them?– Involvement of other third parties.54
  • 3rd Party Due Diligence• Program Managers, Independent Sales Organizations,Agents, Marketers, Processors– Company reputation? References?– Financial information, banking relationship– Ownership, principals, structure, beneficial owners– Location of operations? Web-based? Site visit?– Related parties? Other companies?– Internet, open source information– Who performs the due diligence?– Limited or negative information55
  • Suspicious Activity Monitoring• Fraud, discontinuing access to bank’s systems• Across multiple processors or programs?• Volume, compatibility of data• Average loads, balances• Common elements (address, TIN, e-mail)• Transaction locations, types, velocity• Series of transactions over time• MSB registration (provider or seller of prepaid access?)56
  • 2010 Exam Manual Updates Related toPayments Issues• Prepaid cards (Electronic Cash)• Remote Deposit Capture (Electronic Banking)• Cover payments (Funds Transfers)• International Automated Clearing HouseTransactions (ACHs)• Feedback or ideas for next update?57
  • Conclusions• As electronic payments volume, new products, and entrypoints continue to increase, financial institutions must haveeffective and comprehensive policies, procedures, andprocesses to identify, measure, and limit the risks associatedwith these activities.• Open, consistent, and effective interaction betweenoperations, business lines, and compliance is critical toidentifying and managing the risks associated with processingpayments.• Financial institutions that process payments for third parties,including payment processors and high-risk merchants, mustimplement enhanced risk management practices to protectagainst BSA/AML compliance and fraud risks.58
  • Closing Thoughts• The highest BSA/AML/OFAC risk is not necessarilyin the program with the greatest number of cardsor outstanding balances• “The issuing bank maintains ultimateresponsibility for BSA/AML compliance whetheror not a contractual agreement has beenestablished.” FFIEC BSA/AML Examination Manual(2010) at 236.59
  • Contact InformationTimothy P. LearyBoard of Governors of the Federal Reserve System(202) 452-2428Timothy.P.Leary@frb.govwww.frb.govInfobase: www.ffiec.gov/bsa_aml_infobase/default.htm60
  • INDUSTRY’S VIEW61
  • Common Types of GPR Fraud• Load Fraud• Tax fraud• Federal benefits fraud• Other ACH fraud (following account takeover)• Human Trafficking• Fraudulent cash loads• Credit/Debit card fraud loads• Mobile check deposit fraud• Spend Fraud• Unauthorized use (lost/stolen, card not present, compromised card,account takeover, etc.)• Frivolous Reg. E disputes• Authorization hold fraud62
  • 63Identity Thief TaxpayerIdentity thief steals taxpayer’spersonal information both toopen the prepaid card and filethe fraudulent returnIRSFraudulent return claimingrefund is filedIRS issues refund via ACH toprepaid card$Legitimate return may alsobe filedIf legitimate return filed after fraudone, IRS sends notice of duplicatefilingXTax Related ID Theft Incidents Identified by IRS2008 47,7302009 165,5242010 147,6802011 242,1422012 641,690Source: GAO
  • Stolen Identity Refund Fraud (SIRF)Overview• Victim profile:– Typically real identities with long established addresshistories– In 63% of the cases, there was a mismatch between theaddress used for CIP and the address on file in publicrecords databases• Ie. Person had always lived in Vermont and the card was signed upfor an address in Texas• Two distinct victim profiles:– Elderly—typically born prior to 1934– Very young— “Emerging credit” ages 18-2264
  • Stolen Identity Refund Fraud (SIRF)Overview• Little to no activity was seen on the card untila tax refund• Refund was typically in the “cardholder” name• Many times the amount was inconsistent withthe applicant data– Ie $10,000 tax refund for an 86 year old woman• Some cards attempted to put numerous taxrefund in different names on the card65
  • Tax Fraud – A Case Study• Review of accounts receiving mismatched tax refunds (SSN onrefund did not equal SSN on account) led to a suspicious accountthat had an unusual email format – SSN#@domain.com (e.g.123456789@yahoo.com)• Analysis of existing records identified thousands of unique emailaddresses using same format; these email addresses were thenlinked to specific accounts and physical addresses• Review of addresses led to the identification of a handful of highrisk addresses that had received the bulk of the plastics• Same address line 1/zip code combination but different unitnumbers (e.g. 12488 Oxnard St., North Hollywood, CA)66
  • Tax Fraud – A Case Study86% of tax funds deposited to accounts linked to this address had alreadybeen secured through blocks placed by other rule sets67A successful fraud deterrence strategy relies onnumerous fraud controls (defense in depth)
  • Federal Benefits Fraud – Typical Pattern• Stolen identity used to open a GPR card – almost always in victim’s name but typically witha different address than victim• Direct deposit re-routed to GPR card or paper check changed to DD• May involve phishing of victim to get information needed to re-route benefits payment• DD can be rerouted through a variety of channels including via phone (with benefitsprovider) or via prepaid program’s direct deposit enrollment (ENR) process• Funds are quickly withdrawn via same methods as tax fraud• Due to the often critical nature of these payments, victim may detect fraud quickly – usuallywithin days of missed payment68Source: Treasury FMS
  • Cash Load (Victim Assisted Fraud)Typical Pattern• Use of stolen identities and/or mules to open GPR cards• Perpetrators will have access to numerous cards spread across many different issuers/programmanagers; will use same identity across different programs• Confidence scam initiated where victim is required to pay fraudster money using cash reloadproduct; common scams include:• Lottery• Malware• Debt collection• Loan fees• Past due utility bill• Satellite TV upgrades• Product for sale• Victim buys reload product and provides reload “PIN” to fraudster, who then applies funds to acard in their control• Funds are withdrawn by fraudster via the usual methods or sold to cash out ring for X cents on thedollar (going rate appears to be 60 cents)• Only later does the victim realize they were duped at which point they may file adispute/complaint with reload network and regulatory agency (FTC)69
  • Cash Load (Victim Assisted Fraud)Case Study• Dispute filed with reload network by purchaser of cash reload product• Purchaser (victim) was contacted by “debt collection agency” related to a currentor previous payday loan• Victim threatened with foreclosure, jail time, job loss if payment not madeimmediately via cash reload product• Victim buys cash reload and provides reload PIN to “debt collector” to satisfydebt• Reload PIN immediately loaded to a GPR card that is part of the reload network• Victim later realizes this was not a legitimate debt collection and files dispute• Funds spent off of fraudsters’ GPR cards via a series of CNP transactionsconducted by what appear to be India-based debt collection merchants70
  • ACH FraudTypical Pattern• Fraudster, typically with a stolen identity, opens a GPR card as the receiving accountfor incoming ACH transfers from accounts at other financial institutions (FIs)• Account takeover occurs at another FI with fraudster initiating ACH transfers to GPRcard• Funds are then withdrawn from GPR via ATM withdrawal, cash back at POS, spend oncard• Funds can be stolen from any ACH enabled account including credit card rewardsredemptions• GPR issuer is typically RDFI in this scenario so doesn’t own any of the financial riskassociated with the fraudulent transfer – however reputational and regulatory riskremain• Due to high loss rates, some FI’s have blocked outbound ACH transfers to prepaid programs• Program managers/issuers should carefully consider risk associated with becoming an ODFIthat allows “pull” ACH transfers from another FI71
  • 72One identity used to open up 38 different prepaid cards across 34programs issued by 14 banks.
  • Human TraffickingOverview• There are both domestic and International laws against human trafficking• Human trafficking is a form of modern-day slavery.• Human trafficking is prevalent in many countries around the world. Different countriesmay be primarily sites of origin, transit, destination, and/or internal trafficking.• Cases of human trafficking have been reported in all fifty states of the United States(Free the Slaves).• Human trafficking is a market-based economy that exists on principles of supply anddemand. It thrives due to conditions which allow for high profits to be generated at lowrisk.• Common theme--“Compelled Service.” Can include:– Human trafficking– Forced Labor– Prostitution– Sex trades73
  • Human Trafficking• Myths and Misperceptions– Trafficking is not smuggling or forced movement.– Trafficking does not require transportation orborder crossing, and does not only happen toimmigrants or foreign nationals.– Trafficking does not require physical force,physical abuse, or physical restraint.– The consent of the victim is considered irrelevant,as is payment.74
  • Backpage.com• What is backpage.com?– Similar to Craig’s list– Allows the advertisement of “Adult Services”– Allows advertising of adult services in multiplecities at once– Most local posts are FREE– Adult services and postings in multiple citiescharge a fee75
  • Who Are Traffickers• Based on an analysis of human trafficking cases that havebeen identified, examples of potential traffickers include:– Pimps– Intimate partners/family members– Gangs and criminal networks– Brothel and fake massage business owners and managers– Growers and crewleaders in agriculture– Labor brokers– Employers of domestic servants– Small business owners and managers– Large factory owners and corporations76
  • Victimology• Unfortunately, due to the nature of trafficking there is not aclear victim profile that has emerged.• Based on U.S. federal law, trafficked persons in the U.S. canbe;– men or women,– adults or children,– foreign nationals or U.S. citizens.– Some are well-educated, while others have no formal education.– Some immigrant victims are currently in the U.S. legally, and others areundocumented.• Some form of vulnerability tends to be the common threadamongst all different trafficking victims.77
  • Typologies & Detection• Identifying issues– Spend on backpage.com purchases, typically multiple (5 per week fora total of more than $20 activity)– Travel activity seen on the card• Airfare• Hotels• Cash on• Cash off• Liquor stores• Bus tickets– Other Considerations• Money transfers• Business as a front• Geographic clustering78
  • Solutions• Identify the behavior patterns• Backpage.com and such sites are a good indicator• Triangulate with other behaviors• Understand the victim is typically the identity youwill see• Takes a much deeper dive to get to the suspect data79
  • FRAUD CONTROLS TO CONSIDER80
  • Prepaid Card Fraud &AML Control Framework81AdministrationReturn Mail Processing, Reg. E Disputes, Law Enforcement Support, SAR Filing, Federal Benefits Support, Cash Reload DisputeProcessingMoney Out (Spend/Withdrawal)Restricted Access on Temporary Card or Until Personalized Card Activation, Transaction Limits, Transaction Monitoring &Blocks, Refund MonitoringMoney In (Funds Loaded)Restricted Access on Temporary Card or Until Personalized Card Activation, Transaction Limits, Velocity Checks, High RiskReviews & Blocks, Name/SSN Match Logic, Out of Wallet QuestionsCard OutDevice ID, Velocity Checks, Invalid Application Data CheckCustomer In (Acquisition)USPS Address Standardization, Negative File, OFAC Check, Velocity Checks, Risk Based CIP, High Risk Indicators, Out of WalletQuestions, eMail & Cell Phone Verification
  • Customer In Control• Customer Identification Program (CIP)• Much of the GPR fraud begins with a stolen identity being used to opena prepaid card; therefore a robust CIP program should be your first lineof defense to mitigate fraud• Most GPR programs rely on non-documentary verification, which isgenerally less robust than a documentary verification process• Consider enhanced verification processes (e.g. out of wallet questions)for higher risk activations or transactions• Monitor fraud or suspicious activity rates by CIP response code todetermine which codes drive the highest rates; target additionalprocesses or review towards those codes• Many third party verification services provide high risk response codes• SSN invalid, never issued, deceased, issued prior to DOB, associated with multiplepeople; phone is pager or invalid; address is mail forwarding, mail drop, commercialaddress or prison address82
  • Customer In Controls• Address standardization – ensures address provided is deliverable per USPS database and put intostandard USPS format• Residential vs. commercial address confirmation• eMail verification• Passive confirms email domain is deliverable• Active requires customer to receive email and act on instructions• Cell phone verification, geo-location, one time passwords• IP location services; for example, does your program allow activations from foreign countries?• Negative or black list – list of application data elements (SSNs, addresses, phones, emails)previously used to commit fraud• Velocity Controls• # of cards per customer/SSN• # of online generated cards per customer/SSN• # of activations per ANI, IP or device ID• # of cards per phone, physical address or email address83
  • SIRF Solutions - Meta• All cards that will accept tax loads are required tomatch 4 of 4 CIP elements before load occurs• Preventing the identity fraud helps to reduce thenumber of fraudulent tax returns• Fraudulent loads decreased by 83% over last year• Current efforts by both the IRS as well as continuedMeta strategy refinement have contributed to thereduction84
  • Card Out Controls• # of cards or identities associated with a specific address, email orphone• # of cards/identities associated with a specific building (e.g.address line 1/zip code combination)• Cards activated by a specific device (web/mobile activations)• Cards activated with anonymized email domains (e.g.yopmail/hushmail)• Cards activated with same SSN but different last names• Reviewing recently opened accounts with returned mail• Address change limitations on recently opened accounts• Limit or eliminate expedited delivery (FedEx)85
  • Money In Controls• Max balance limits• Velocity (#) and/or volume ($) limits on different load types (e.g. cash, ACHloads); can be aggregated at card, SSN, address, phone, email level• Monitoring of ACH deposits from international locations• Geographic disparity between cash loads and card location• Account verification processes including micro debit/credit process– typicallyused to verify ownership of external funding source• Rules or regression based models to identify and interdict suspicious loads• Restrictions on ENR enrollments (e.g. OOW)• Specific tax fraud controls• Mismatch deposits – refund in different name/SSN than cardholder• Velocity of refunds received by same person• Refunds received in name of recently added secondary cardholder• Refunds received after tax season86
  • Money Out Controls• Velocity (#) and/or volume ($) limits on cash withdrawals and spendtransactions (includes daily ATM and spend limits); can be aggregated atcard, SSN, address, phone, email level• Velocity/volume limits on bill pay transactions• Specific limits or blocks on foreign activity (e.g. Jamaica or DominicanRepublic)• Monitoring of spend/withdrawal activity trends by country• Monitoring and aggregation of refund activity by account parameters(e.g. SSN, address, phone, email, etc.)• Rules or regression based models to identify and interdict suspiciousmonetary and non-monetary transactions (e.g. address change, cardrequests, PIN changes)87
  • NBPCA PARTICIPATION88
  • Conference Name Date City, StateACI Prepaid Compliance 1.29-30, 2013 Washtinton, DCABA Prepaid Roundtable 2.17.13 Orlando, FLRSA Conference 2.25-3.1, 2013 San Francisco, CAPrepaid Expo USA 2013 3.4-6, 2013 Orlando, FLCFSA 2013 3. 5-8, 2013 Dana Point, CABAI--Payments Connect 3.11-13, 2013 Phoenix, AZPMTS: INNOVATION Project 2013 3.20-21, 2013 Cambridge, MACard Forum 4.7-10, 2013 Boca Raton, FLUSPS/Financial Industry Mail Security Initiative 4.10.2013 Phoenix, AZCYFIN--Cyber Financial Crime 4.16-17, 2013 Pittsburgh, PANACHA 4.21-24, 2013 San Diego, CAIAFCI 5.15, 2013 Downey, CACNP Expo 5.20-23, 2013 Orlando, FLCFSI 6.5-7, 2013 Miami, FLPower of Prepaid 6.26-28, 2013 Washington, DCIAFCI 8.26-30, 2013 Denver, COCongressional Black Caucus--Legslative Conference 9.18-21, 2013 Washington, DCMTRA Conference 9.25-26. 2013 New Orleans, LAMoney 2020 10.6-9, 2013 Las Vegas, NVIAFCI Regional meeting 10.10-11, 2013 Williamsburg, VAATM, Debit and Prepaid Forum 10.20-23, 2013 Las Vegas, NVBAI--Retail Delivery 11. 5-7, 2013 Denver, CO2013 NBPCA ConferencesListed are the conferences which NBPCA, along with interested members,participates in, supports, or hosts. 89
  • QUESTIONS??90