NACCU: Card Fraud and Identity Theft

  1. Card Fraud and Identity Theft
     Michael D. Herr, VP, Card Fraud Strategy Manager
     3/7/2007
     Headlines quoted on the title slide:
     • Cyber Crime Hits the Big Time in 2006 – Experts Say 2007 Will Be Even More Treacherous
     • Online job scammers steal millions – Elaborate con is 'out of control,' authorities say
     • Debit card thieves get around PIN obstacle – Wave of ATM fraud indicates criminals have upped the ante
     • Easy check fraud technique draws scrutiny – Ever written a check? Your account could be targeted, too
     • Ameritrade warns 200,000 clients of lost data – Account information, including SSNs, on missing tape
     • ATMs may be an easy target for thieves – Police uncover debit-card skimming at Calgary gas station
  2. Table of Contents
     • Introduction
     • Historical Fraud Evolution
       • Today's Fraud Paradigm – A Convergence of Threats
         • Sophisticated – Complex – Multiple Focal Points
     • Types of Fraud
       • Today's Fraud
       • Myths – Classification – Problem Dictates Remedy
     • How Can Consumers Be Protected?
       • Financial Institutions
       • Industry Associations
       • Merchants/Schools/Other Data Retention Points
     • How Can Consumers Protect Themselves?
  3. Introduction
     • The fraud environment relating to all payment channels has become extremely challenging.
     • The challenges are multi-faceted, relating to fraud structure, the payments landscape, and the general environment.
     • Even though it is challenging, the "sky is not falling". However, the underlying causes of today's fraud should be understood so that financial institutions, educational institutions, businesses, etc. can better defend against it.
     Fraud Specifics
     • Rapid evolution in criminal focus
       • Shift in targeted segments – PIN-based fraud
         • Points traditionally regarded as relatively secure are now targeted
       • "PHISHING" – customers assisting the criminals
     • Methodology changes in the criminal environment
       • Data acquisition/aggregation
       • Volume of data / integrity of the data
       • Different contributing sources for multiple pieces of consumer data
       • Adaptation – the ability to respond to countermeasures as they are deployed
       • General sophistication and organization of the fraudulent attacks
       • Multi-segment fraud characteristics – multiple focal points of attack
  4. Introduction (Continued)
     Payments Landscape
     • Customer convenience environment
       • One-stop shopping for financial services
       • Customer convenience
       • Transaction speed
       • Electronification by merchants, education, insurance, government, etc.
       • Effort expended to make things convenient, not necessarily to control them
       • Exploitation by criminals
     General Environment
     • Media coverage / consumer advocacy groups
       • Myths reinforced – playing on consumer fears
       • Industry "experts" – erroneous information, partial information
       • Potential reputation harm to payment/data touch points
     • Regulatory landscape
       • Righteous indignation leading to hastily prepared regulatory remedies that, despite good intentions, do not fully address the problem and potentially harm consumers.
  5. Historical Fraud Evolution
     • It is important to understand the past fraud environment in order to understand how the recent fraud evolution is significantly altering the risk dynamic associated with consumer accounts.
     Historically, most fraud scenarios impacted a single consumer and typically involved only a single type of fraud.
     • CHECK – Physical removal of checks: purse stolen, vehicle stolen, house burglarized. Occasional forgeries, alterations or counterfeits. Occasional mail theft. Single consumer impact.
     • CREDIT CARD – Physical removal of the card: purse/wallet stolen, vehicle stolen, card physically left somewhere. "Card Not Present" (phone/Internet). Occasional mail theft. Occasional counterfeit cards. Single or limited cardholder impact.
     • CREDIT APP – Stolen or invalid information used to apply for credit with another person's credentials. Partial information. Single consumer impact.
     • CURRENCY – Physical removal of cash from the consumer: purse/wallet, desk, auto or home are common sources. Single consumer impact.
     Most fraud scenarios were preceded by the physical removal of the financial instrument. The quality of counterfeit devices or information was average at best. Each scenario had a different, relatively reliable control mechanism that could be applied to control the fraud events and limit their impact.
  6. Today's Fraud – A Convergence of Threats
     • In today's financial environment, consumers have been given a myriad of choices in products and services. More importantly, additional access conduits have added speed and convenience. However, those additional access conduits have created challenges in securing the environment.
     Diagram labels, grouped as they appear on the slide:
     • Financial Products: LOANS, CHECKING, SAVINGS, INVESTMENTS, LOC's
     • Access Points: BRANCH, PHONE, ATM, WEBSITE
     • Transaction Conduits: ATM, ACH, CHECKS, DEBIT CD, WIRE, CREDIT CD
     • Consumer Relationships: MERCHANTS, INSURANCE, EDUCATION, MEDICAL, GOVERNMENT
     • Access Points: MAIL, STORE, PHONE, KIOSK, WEBSITE, MAIL
     • Merchant Relationships: SECURITY SOFTWARE VENDORS, TEMP EMPLOYEES, RECORD STORAGE, PROCESSORS
     • Between CUSTOMER and CRIMINAL: SKIMMING, WEB SPOOFING, KEY LOGGING, MAIL THEFT, PHISHING, HACKING, DATA THEFT, BURGLARY
  7. Today's Fraud – Data Acquisition/Aggregation
     • Arguably, the most troubling aspect of today's fraud is organized data acquisition and aggregation by criminal entities.
     • Analysis of fraud and law enforcement intelligence indicates that sophisticated criminal syndicates are operating almost as a corporate structure:
       • Multiple operating units
       • Acquiring consumer data
       • Aggregating data – bringing different components together
       • Marketing the data to other criminal entities
       • Utilizing it themselves
     • The three largest points of concern are:
     • Quantity – There is an unprecedented amount of information in criminal hands.
       • Traditional – skimming – a few hundred cards
       • Today – large-scale merchant/processor breach – hundreds of thousands of cards
     • Quality – The data is accurate.
       • Traditional – "Creditmaster" (a card-number generator) – inaccurate expiration dates, invalid account numbers
       • Today – expiration date, CVV2, customer billing address and VbV/SecureCode user IDs and passwords are all correct
     • Data type – New types of data, rarely compromised before, are now routinely seen.
       • PIN data
  8. Today's Fraud – Data Acquisition/Aggregation
     Diagram, as laid out on the slide: four source streams feeding a single "Aggregated Data Warehouse".
     • Credit/Debit Card Non-Magnetic Stripe Information (slide examples: Nikon World Magazine, Moneygram International)
       • Criminals use hacking techniques to identify merchants or other entities inappropriately storing card non-magnetic-stripe data.
       • Card non-track data obtained: CVV2, expiration date, e-mail address, name, phone number, address.
     • Credit/Debit Card Magnetic Stripe Information (slide examples: TJX Enterprises, Card Systems Solutions)
       • Criminals use hacking techniques to identify merchants or other entities inappropriately storing card magnetic-stripe data.
       • Card track data obtained: CVV, name, expiration date, service code, card number, and the PIN block (the PIN block is not encoded on the stripe itself; it is captured alongside the track where the terminal or processor stores it).
     • PHISHING / Key Loggers / Probing (.COM/VRU) – Debit Card PIN #
       • Criminals employ techniques such as PHISHING e-mails designed to look like financial institution correspondence, or key loggers, to covertly acquire data.
       • Also brute-force attacks that make repetitive attempts at non-traditional points that use the PIN as authentication (VRU/.COM).
       • Data captured is not limited to the PIN: CVV2, e-mail address, address, card number and the VbV sign-on password are also at risk.
     • Personal Information (Credit Monitoring Services, DMV, Universities)
       • Criminals employ various hacking techniques to gain access to non-financial-institution databases that contain personal information. Examples include credit monitoring agencies, universities, DMVs, etc. Alternatively, criminals infiltrate those institutions with their own employees.
       • Additional non-card data captured: maiden name, DOB, phone numbers, place of birth, residence info, vehicle info, driver info and credit info.
  9. Today's Fraud – Data Acquisition/Aggregation
     Sample records as shown on the slide (test data, not a real cardholder):
     • Card Track Data: 4060000000001234|0809|TESTSUBJECT|001|09|1|A
     • Other Card Data: 487|TESTSUBJECT|6141231234|111MAIN ST|COLUMBUS|OH|12345|TEST@AOL.COM
     • PIN # + Additional: 1234|765|TEST@AOL.COM|111MAINST|COLUMBUS|OH|VBVPURCH|9999
     • Personal Information: TESTSUBJECT|BROWN|06041969|6141231234|123121234|WASHINGTONDC|GMCENVOY05
     NET RESULT – CONSUMER DATA COMPILED FROM MULTIPLE SOURCES IS AGGREGATED AT A SINGLE SITE!
     • DATA COMPILED CAN BE UTILIZED FOR:
     • Counterfeit cards (signature/PIN transaction capable), e-commerce transactions
     • Existing account takeover (non-card transactions), fraudulent account opening
     • Effectively undermines most existing financial institution authentication techniques for on-line access, VRU access, wire transfers, ACH initiation, HELOC access, etc. – "Keys to the Kingdom"
 10. Today's Fraud – Educational Facilities – Data Breaches
     • Educational institutions have become extremely attractive targets for data thieves. Numerous institutions of higher learning have fallen victim to various forms of data compromise.
       • Education experts – not security experts
       • The nature of the information can be used to defeat security routines at higher-value targets such as financial institutions.
     Source: – A Chronology Of Data Breaches
     Institution    | Date      | # of Individuals | Information
     Institution #1 | Feb 2007  | 65,000  | Exposed on university website: names, addresses, SSNs, some credit card numbers
     Institution #2 | Feb 2007  | 750     | Envelopes not folded properly on IRS 1098-T forms; SSNs exposed
     Institution #3 | Jan 2007  | 5,015   | Financial aid applications from 2 stolen computers; data included names, SSNs, DOB, phone numbers, driver's license numbers and asset lists
     Institution #4 | Dec 2006  | 15,000  | Document containing SSNs of 15,000 students transmitted over a non-secure connection
     Institution #5 | Dec 2006  | 35,000  | Records including SSNs, home addresses, phone numbers and e-mail addresses may have been exposed via network intrusion
     Institution #6 | Dec 2006  | 800,000 | Hackers gained access to database containing names, addresses, SSNs, DOB
     Institution #7 | Nov 2006  | 22,500  | Laptop stolen; SSNs and other student data
     Institution #8 | Sept 2006 | 13,084  | Various combinations of SSNs, DOBs, addresses, phone numbers, grades; information contained within stolen computers
     Institution #9 | June 2006 | 180,000 | Hacker compromised university server containing names, addresses, credit card numbers, SSNs
 11. Today's Fraud – Criminal Focus – PIN-Based Focus
     • PIN-based fraud losses, both PIN POS and ATM, have seen significant growth during 2005 and 2006.
     • This has occurred in spite of significant industry progress in deploying neural-network fraud detection platforms that monitor PIN-based transactions.
       • Not a failure – projections indicated that had many industry players not aggressively implemented PIN-based monitoring, the increase could have been dramatically higher.
     • This is an industry problem.
     WHY???
     • The primary goal for criminals has always been CASH. Segments of various PIN-based transactions give criminals the opportunity to get CASH either:
       • in an unsupervised manner at an ATM, or
       • at merchant locations that are not financial institutions:
         • Casinos
         • PIN POS cash-back merchants
         • Quasi-cash merchants
     • Subtle environmental changes combined with criminal refinement have made acquiring the PIN much easier than in the past.
     • This problem is exacerbated by the traditional financial institution thinking that the PIN itself secures the transaction.
 12. Today's Fraud – Criminal Focus – PIN-Based Focus – Contributing Factors
     BANKS
     • Over-reliance on the PIN as the sole mitigant
       • PIN-based fraud monitoring – non-existent or immature
       • Other controls overlooked – CVV/PIN edits
       • Fragmented data inhibits analysis
       • Absence, in most cases, of granular fraud transaction data
     CONSUMERS
     • Consumer behavior
       • Proliferation of PIN-based POS terminals/ATMs – "enter the PIN into anything" mentality
       • Responding to PHISHING with sensitive information
       • Readily guessable PINs
     MERCHANTS/ACQUIRERS/PROCESSORS
     • Data security
       • Storing track information
       • In some contexts, storing PIN values or PIN blocks and/or the encryption keys needed to decode them
       • PIN POS cash back – increasing the dollars available at the POS
     CRIMINAL
     • CASH preferred
       • PHISHING – other remote techniques
       • Self-preservation
       • Path of least resistance
       • Skimming devices multiply
 13. Today's Fraud – Criminal Focus – Magnetic Stripe "Skimming"
     What is Magnetic Stripe "Skimming"?
     • "Skimming" is the capture and retention of magnetic-stripe information originating from a valid customer transaction.
       • The captured stripe information is then re-encoded onto a different magnetic stripe, in effect creating a fictitious access device that is capable of completing transactions.
     Example of encoded stripe contents as shown on the slide (test data):
     4060111111111111341212320974JOHNQDOE0905*121240601111111111110905*1
     Where does "Skimming" occur?
     • Just about anywhere that physical card transactions are present!
     • It can also occur at telecommunication points and processing sites that handle card transactions.
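To make the skimming definition above concrete, the following added example (not code from the presentation) decodes the two ISO 7813 tracks a swipe reader returns, which is exactly the data a skimmer retains and re-encodes. The service-code decoder shows why track data plus a PIN is so valuable: digit 3 of the service code tells the fraudster whether a counterfeit of the stripe can be used for ATM cash. The two track strings are constructed test data around the standard Visa test PAN 4111111111111111, not a real card.

```python
"""Decode ISO 7813 track 1 / track 2 data, i.e. exactly what a skimmer captures.

Added example; not code from the presentation. TRACK1 and TRACK2 below are
constructed test data around the Visa test PAN 4111111111111111.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Track 1: %B<PAN>^<SURNAME/FIRST>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?")

# Constructed sample swipes (test PAN, fictitious cardholder).
TRACK1 = "%B4111111111111111^DOE/JOHN Q^09051011234567890?"
TRACK2 = ";4111111111111111=09051011234567890?"


@dataclass
class TrackData:
    track: int
    pan: str
    expiry: str             # YYMM as encoded on the stripe
    service_code: str
    name: Optional[str]     # track 2 carries no name
    discretionary: str      # issuer-defined; CVV/CVC1 and PVV usually live here


def parse_track(raw: str) -> TrackData:
    """Parse a raw swipe string (either track). Raises ValueError if no track is found."""
    m = TRACK1_RE.search(raw)
    if m:
        return TrackData(1, m["pan"], m["exp"], m["svc"], m["name"].strip(), m["disc"])
    m = TRACK2_RE.search(raw)
    if m:
        return TrackData(2, m["pan"], m["exp"], m["svc"], None, m["disc"])
    raise ValueError("no ISO 7813 track data found")


def describe_service_code(svc: str) -> dict:
    """Decode digits 1 and 3 of the ISO 7813 service code: where a counterfeit of
    this stripe is accepted and whether the terminal will insist on a PIN."""
    interchange = {"1": "international", "2": "international, chip preferred",
                   "5": "national only", "6": "national, chip preferred",
                   "7": "private, no interchange", "9": "test card"}
    usage = {"0": "no restrictions, PIN required", "1": "no restrictions",
             "2": "goods and services only", "3": "ATM only, PIN required",
             "4": "cash only", "5": "goods and services only, PIN required",
             "6": "no restrictions, PIN where feasible",
             "7": "goods and services only, PIN where feasible"}
    return {"interchange": interchange.get(svc[0], "reserved"),
            "usage": usage.get(svc[2], "reserved"),
            "pin_required": svc[2] in ("0", "3", "5"),
            "atm_cash_possible": svc[2] in ("0", "1", "3", "4", "6")}


def skimmer_yield(raw: str) -> dict:
    """What one skimmed swipe gives an attacker, and what it does not."""
    td = parse_track(raw)
    sc = describe_service_code(td.service_code)
    return {
        "pan": td.pan, "expiry": td.expiry, "name": td.name,
        "counterfeit_card": True,              # the whole stripe can be re-encoded
        "atm_cash_out": sc["atm_cash_possible"],  # still needs the PIN (camera/overlay)
        "cvv2_present": False,                 # printed on the card, never on the stripe
        "pin_present": False,                  # never on the stripe either
    }


if __name__ == "__main__":
    for raw in (TRACK1, TRACK2):
        print(parse_track(raw))
    print(skimmer_yield(TRACK2))
```

Note that the example stripe string on the slide itself carries no start/end sentinels, so `parse_track` rejects it; real swipes from a keyboard-wedge reader arrive with the `%`, `;` and `?` sentinels shown in the constructed samples.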
 14. Today's Fraud – "Skimming" Variants – Device Examples
     Pass-Through Reader – ATM "Skimming"
     • A pin-hole camera placed in close proximity to the machine captures the PIN.
     • A fictitious card reader of exceptionally good craftsmanship is imposed over the existing card reader of the machine.
 15. Today's Fraud – "Skimming" Variants – Device Examples
     Transaction-Inhibiting Device – ATM "Skimming"
     • The screen of the false front is actually a Pocket PC.
     • A partial front constructed with a separate card reader (white) is imposed over the existing ATM screen.
     • A "helpful" sign "assists" the cardholder: it advises that "ATM operations have changed" and directs the cardholder to swipe the card and enter the PIN on the touch screen or follow the on-screen instructions.
 16. Today's Fraud – "Skimming" Variants – Device Examples
     Internal Re-Wiring or Completely Fictitious Machine
     • A completely fictitious machine, or an existing machine whose inner workings have been completely re-wired to capture the stripe and PIN in the clear before encryption occurs (requires vendor/employee collusion).
 17. Today's Fraud – "Skimming" Variants – Device Examples
     Traditional POS "Skimming" Devices
     • Traditional splice: computer + POS terminal, or
     • Traditional wedge + POS terminal
 18. Today's Fraud – "Skimming" Variants – Device Examples
     Emerging POS – Potential "Skimming" Devices
     • Pocket PC attachment magnetic-stripe readers: $229.99, next-day shipping. Not to exclude Palm OS fans, yours cost $199.99.
     • Significant improvement in technology and availability: more storage, no specific format limitations (any magnetic stripe), wireless transmission capability.
     • Imagine the potential implications: card data + driver's license magnetic-stripe data = skimming + ID theft – one-stop shopping, instant retention and transmission.
 19. Today's Fraud – PHISHING
     • Although technically a subset of the data acquisition/aggregation component discussed earlier, PHISHING deserves separate mention because of its prominence in today's fraud environment.
     What is PHISHING?
     • PHISHING is an attack that uses both social engineering and technical subterfuge to fraudulently acquire sensitive data such as on-line passwords and personal or financial information.
       • PHISHING, at least its social engineering component, is unique in that the consumer is an active participant and actually gives the criminals what they need.
     What is the difference between social engineering and technical subterfuge?
       • Social engineering variants of PHISHING "trick" a consumer into divulging sensitive information. This is done by sending the consumer fictitious e-mails that ultimately lead to fraudulent websites, where the consumer releases the sensitive information.
       • Technical subterfuge schemes are more aggressive, in that criminals plant malicious software on PCs to steal credentials directly. Trojan-horse key-logging software is a very common example of this type of PHISHING.
     • PHISHING can also be carried out via more traditional communication channels such as the telephone.
 20. Today's Fraud – PHISHING
     • PHISHING in all of its forms continues to experience robust growth.
       • As mentioned previously, criminal enterprises are using the various forms of PHISHING as a central component of their data acquisition/aggregation activities.
     • Financial services is the most targeted industry sector.
       • During December 2006, 89.7% of PHISHING attacks targeted this segment.
       • ISPs are the next most common PHISHING target, with 4.1% of attacks.
     Source: www.
 21. Today's Fraud – PHISHING – Examples
     • Typical PHISHING example targeting a financial institution.
       • Plays on consumer worries: "Account may have been accessed".
       • Encourages the customer to go to an on-line banking session to review account history and tells the customer that they will need to fill in required information.
       • Provides the customer a "convenient link".
 22. Today's Fraud – PHISHING – Examples
     • The initial screen after login appears to be an on-line banking entrance screen.
       Key differences:
       • The user ID/password section does nothing. It continues to the next screen regardless of what is entered.
       • If the consumer enters valid credentials, the criminal now has the on-line sign-on and password.
         • Potentially more – many consumers use the same or similar sign-ons for other relationships when possible.
       • ADDRESS, ADDRESS, ADDRESS... The key item: the address does not begin with https, a clear indicator that the site is fictitious. (The converse does not hold: an https address is not proof that a site is genuine, so the domain name itself must also be checked.)
       • The site even keeps the security messaging of the original site, which warns customers not to do what they are actually in the process of doing.
 23. Today's Fraud – PHISHING – Examples
     • Final screen: "Keys to the Kingdom"
       • Quantity and quality
       • A vast amount of data is requested
         • 10 separate items – 12 if you count the on-line ID and password from the previous screen
       • Extremely sensitive data is requested
         • The PIN
         • No reputable financial institution would EVER request your PIN to authenticate you in response to contact via an unsolicited e-mail.
         • If they do, close your accounts and bank elsewhere.
       • The information requested will jeopardize not only this account but potentially other accounts with other institutions, as primary authentication tokens and secrets are given away by the consumer.
         • Data acquisition/aggregation
       • Variants of this scam include authentication screens that already have partially correct information filled in.
         • Data acquisition/aggregation
         • Lulls the consumer into a false sense of security
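The "ADDRESS, ADDRESS, ADDRESS" check in the example above can be made mechanical. The following added example (not code from the presentation) applies the slide's https test together with the address-bar tricks that phishing kits use to make a foreign host look like the bank's: a bank domain placed in the userinfo part before an `@`, a bare IP address as the host, a punycode look-alike label, and the bank's name buried in a subdomain or path of an unrelated domain. `LEGIT_DOMAINS`, the placeholder `examplebank.com` and every sample URL are constructed assumptions.

```python
"""Address-bar checks for a suspected phishing link.

Added example; not code from the presentation. LEGIT_DOMAINS (with the
placeholder examplebank.com) and all sample URLs are constructed assumptions.
"""
import ipaddress
from typing import List
from urllib.parse import urlsplit

LEGIT_DOMAINS = {"examplebank.com"}   # assumption: the institution's registrable domain(s)


def registrable_domain(host: str) -> str:
    """Last two labels of the host. A production check should consult the Public
    Suffix List; this simplification is enough to unmask 'bank.com.evil.example'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def phishing_indicators(url: str) -> List[str]:
    """Return the address-bar warning signs found in url (empty list = none)."""
    u = urlsplit(url)
    host = u.hostname or ""
    findings = []
    if u.scheme != "https":
        findings.append("not https: the slide's primary tell (https alone proves nothing)")
    if u.username is not None:
        # http://bank.com@198.51.100.7/ - the browser connects to the part after '@'
        findings.append(f"userinfo trick: '{u.username}@' hides the real host {host}")
    try:
        ipaddress.ip_address(host)
        findings.append(f"host is a bare IP address ({host})")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label: possible look-alike (homograph) domain")
    domain = registrable_domain(host)
    if domain not in LEGIT_DOMAINS:
        findings.append(f"registrable domain is {domain}, not the bank's")
        for legit in LEGIT_DOMAINS:
            brand = legit.split(".")[0]
            if brand in host or brand in u.path.lower():
                findings.append(f"bank name '{brand}' used on a foreign host or path")
    return findings


if __name__ == "__main__":
    for sample in ("https://www.examplebank.com/login",
                   "http://www.examplebank.com.secure-login.example/login",
                   "http://examplebank.com@198.51.100.7/examplebank/login"):
        print(sample, "->", phishing_indicators(sample) or "no indicators")
```

The order of checks matters: the userinfo test runs on the parsed host, not on the raw string, because the raw string is precisely what the attacker crafted to read like the bank's address.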
 24. Fraud Myths – Classification – Problem Dictates Remedy
     • A significant problem in effectively combating fraud is the myths and misperceptions that exist today.
     • Arguably, one of the biggest misperceptions is the definition of ID theft itself and the general disagreement that exists about it.
       • The FTC revised its definition of identity theft several years ago to include card and other payment-channel transaction fraud as an identity theft sub-type.
         • In effect, the definition change has brought about media attention with the perspective that the "sky is falling", which is a myth.
         • The media involvement has fostered a fear environment among consumers. Now everything is "identity theft".
     Source:
 25. Fraud Myths – Classification – Problem Dictates Remedy
     • Not to downplay the problem, because identity theft is a significant daily issue, but it is absolutely critical that distinctions are made between "true" identity theft and payment-channel transactional fraud.
     • Most industry fraud practitioners consider identity theft and card transaction fraud to be mutually exclusive.
       • Problem should dictate remedy – a simple concept
         • Problem – True identity fraud – customer information used to take over existing accounts, open new accounts, apply for employment, or acquire a driver's license without the customer's knowledge
           • Remedy – More effective authentication protocols that establish not only that the information being used to open the account is valid, but also that it is being presented by the appropriate "carbon-based entity".
           • Fraud resolution – Credit bureau notifications to control inquiries, removal of tainted records, deletion of financial obligations.
         • Problem – Access-channel fraud – existing transaction channels used to perform fraudulent transactions (check, card, ACH, etc.)
           • Remedy – Transactional monitoring tools that continuously monitor transaction patterns in an effort to proactively detect unusual transaction characteristics
           • Fraud resolution – Make the customer financially whole; reissue the account to the customer
     • Two clearly distinct problems are being lumped together in a universal definition. This does not drive the proper remedy and masks where breakdowns occur.
     • Well-known fact within the card industry – card transaction fraud is at historical lows from a rate perspective.
 26. How Can Consumers Be Protected – Financial Institutions
     • Financial institutions are aggressively attacking the fraud problem with a layered approach in an effort to protect consumers.
     • This multi-layer approach consists of the following primary components:
       • Transactional monitoring
       • Education
       • Data security
     Transactional Monitoring
     • Financial institutions in general have deployed, or are deploying, a variety of systems of varying sophistication that review transactions and detect abnormalities.
     • Wachovia is among the industry leaders in this space, deploying state-of-the-art neural scoring engines that:
       • Monitor card transactions in real time
       • Provide 24x7, 365-days-a-year coverage
       • Can intercede in real time on suspicious activity and limit the fraud exposure
       • Learn customer spending patterns, so that they continuously improve
       • Generate immediate customer contact after suspicious transactions occur
 27. How Can Consumers Be Protected – Financial Institutions
     Education
     • Many financial institutions are expending large resources to educate both the public and their employees about fraud.
     • Wachovia again is at the forefront of the industry, educating its employees at all levels via internal communications about the characteristics of emerging fraud events and, more importantly, how to spot them to protect our valued customers.
     • Additionally, Wachovia provides very good resources to consumers on its website. Consumers can get a variety of materials relating to fraud to educate them and ultimately better protect themselves, including:
       • Tips to secure your PC
       • Tips on protecting your passwords and access codes
       • Links to additional security site resources
       • E-mail alerts on how to detect PHISHING e-mail attempts
       • Tips to minimize the risk of fraud in general
       • Resources on ID theft and how to prevent it
       • How to resolve it if you do become a victim of fraud
       • Links to acquire your credit report
 28. How Can Consumers Be Protected – Financial Institutions
     Data Security
     • Financial institutions generally are setting the example on how to safeguard information.
     • Wachovia takes data security very seriously and has robust policies in place that govern all aspects of data security, both electronic and physical, including:
       • Robust password/authentication guidelines for its employees and for consumers
       • PC data security, including the encryption of laptop computers
       • Guidelines on laptop issuance and the data that can be stored on laptops
         • Sensitive data should be stored on internal network drives
       • Lock cables for laptop computers are purchased to minimize theft
       • Standards that define who can access information
       • Requirements that any vendors protect information in a robust manner
       • Rules requiring sensitive information to be secured in locked areas to prevent theft
 29. How Can Consumers Be Protected – Industry Associations
     • Industry associations are a good method to champion improvements in security and process that benefit consumers.
     • Wachovia actively participates in numerous industry associations to encourage development of uniform industry standards, processes and best practices that enhance security.
     • Associations are, and should continue to be, focused on collaborative industry efforts that:
       • Set data security requirements that
         • Mandate strong encryption of data
         • Prohibit storage of sensitive data
       • Develop best practices/minimum standards for securing payment networks and databases
       • Develop best practices/minimum standards for payment software platforms
       • Develop best practices/minimum standards for third-party processors
       • Develop standards relating to fraud reporting and communication protocols for fraud events to ensure rapid notification
       • Develop standards relating to customer liability that exceed government standards
         • Visa/Wachovia Zero Liability Program
       • Generally foster a robust security environment
         • PCI Security Standards Council
         • Visa CISP – Cardholder Information Security Program
 30. How Can Consumers Be Protected – Merchants/Schools/Other Data Points
     • Data exists everywhere. It needs to be protected better. Electronification has sped the delivery of goods and services but has also exposed weaknesses that are being exploited.
     • The electronification of data has forced entities that are experts in neither fraud nor systems to become experts, or else put vast quantities of data at risk.
       • Many entities have not implemented robust security.
       • Many entities have not effectively reviewed their systems even at the most elementary level.
     • When data is not protected and is subsequently exposed through malicious deeds, it is not good for anyone.
       • The breached entity sustains reputational risk and potentially significant financial and legal consequences.
       • The consumer potentially sustains fraud on their account.
     • Many publicized data compromises were not acts of genius. They were the exploitation of very basic system weaknesses.
       • Most breaches would have been eliminated had fundamental security precautions been in place.
     • The following outlines prudent security measures that should be considered to enhance controls and ultimately reduce risk.
  31. 31. How Can Consumers Be Protected – Merchants/Schools/Other Data Points <ul><li>Transaction Data </li></ul><ul><li>DO NOT RETAIN & STORE Card Transactional Data </li></ul><ul><ul><ul><ul><li>Especially Track Data – Never </li></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>No business purpose for track storage </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><li>If storage of a portion of the data is necessary for legitimate business purposes, truncate the data so it is not in its full form. </li></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Utilize strong encryption software to protect it. </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Do not allow generic access to it. </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Specialized access rights based on business need </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Do not allow it to be stored in any form on laptop PCs – Software Filters </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>If storage is a must, network storage is preferable </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Set up a defined retention schedule if data storage is required </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><li>Though not mentioned above, the same safeguards should be deployed for other payment conduits such as DDA account payments. </li></ul></ul></ul></ul><ul><li>Transaction Processing </li></ul><ul><li>Utilize all security features available for transaction processing </li></ul>31
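Added example, not part of the presentation: a Python routine that parses an ISO 7813 track 1 or track 2 string and keeps only the truncated PAN and expiry (the form a merchant may retain), discarding the full PAN, service code and discretionary data, plus a check that flags stored text still holding raw track data. The sample tracks use a constructed test PAN and the record field names are this example's own.

```python
import re

# Constructed test values (not real card data), in ISO 7813 layouts:
#   track 1: %B<PAN>^<NAME>^<YYMM><SVC><discretionary>?
#   track 2: ;<PAN>=<YYMM><SVC><discretionary>?
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JANE^2512101000000000000?"
SAMPLE_TRACK2 = ";4111111111111111=2512101123456789?"

TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{12,19})\^(?P<name>[^^]{2,26})\^"
    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$")
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$")


def truncate_pan(pan: str) -> str:
    """Keep the first six and last four digits, mask the rest."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be 13 to 19 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def safe_record_from_track(track: str) -> dict:
    """Parse a magstripe track and return only what may be kept after authorization.

    The full PAN, the service code and the discretionary data (which carries the
    magstripe card verification value) are discarded; only the truncated PAN and
    the expiry are retained.
    """
    m = TRACK1_RE.match(track) or TRACK2_RE.match(track)
    if not m:
        raise ValueError("not an ISO 7813 track 1 or track 2 string")
    return {"pan_truncated": truncate_pan(m.group("pan")),
            "exp_yymm": m.group("exp")}


def contains_track_data(blob: str) -> bool:
    """Flag stored text (logs, dumps, database fields) that still holds raw track data."""
    return bool(re.search(r"%B\d{12,19}\^[^^]{2,26}\^\d{7}", blob)
                or re.search(r";\d{12,19}=\d{7}", blob))
```

Running `contains_track_data` over log files and database exports after maintenance is a quick way to confirm that a POS or payment application is not quietly storing full tracks.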
  32. 32. How Can Consumers Be Protected – Merchants/Schools/Other Data Points <ul><ul><ul><ul><li>Card Not Present – Card Transactions </li></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>CVV2/CVC2 security values </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>AVS (Address Verification Service) – Proper response </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Verified By Visa/Secure Code – Participate </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><li>Card Present – Card Transactions </li></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Utilize Track # 1 – Contains Name </li></ul></ul></ul></ul></ul><ul><li>Ensure transaction processors have been certified as CISP/PCI compliant </li></ul><ul><li>Ensure POS terminals/PIN Pads have been certified as CISP/PCI compliant </li></ul><ul><li>Ensure POS software has been certified as CISP/PCI compliant </li></ul><ul><ul><ul><ul><li>Confirm with the software manufacturer that the software has been configured properly so that transaction storage does not occur </li></ul></ul></ul></ul><ul><ul><ul><ul><li>After testing routines or maintenance are completed, ensure that the logging components of the software have been turned off </li></ul></ul></ul></ul><ul><li>If wireless networks are established, ensure they are very secure </li></ul><ul><ul><ul><ul><li>Many industry breaches are the result of compromised wireless networks </li></ul></ul></ul></ul><ul><li>Protect your merchant IDs, dial-in authorization numbers and merchant account passwords </li></ul><ul><ul><ul><ul><li>Many thieves acquire these items and utilize your terminal to test the validity of counterfeit cards </li></ul></ul></ul></ul>32
  33. 33. How Can Consumers Be Protected – Merchants/Schools/Other Data Points <ul><li>Internal Systems </li></ul><ul><li>Limit universal access to network drives. </li></ul><ul><ul><ul><li>Access should always be granted on a business need only. </li></ul></ul></ul><ul><li>Ensure robust firewalls are deployed across the network and on individual PCs to minimize outside intrusions </li></ul><ul><ul><ul><li>Limit the ability to change firewall settings on individual machines </li></ul></ul></ul><ul><li>Install and vigorously update Anti-Virus/Spyware detection software </li></ul><ul><ul><ul><li>Ensure that automated updates are continuously completed </li></ul></ul></ul><ul><ul><ul><li>Ensure sweeps of incoming e-mails automatically occur </li></ul></ul></ul><ul><li>Utilize strong encryption software to encrypt all hard drives on PCs </li></ul><ul><ul><ul><li>Absolutely essential for laptops </li></ul></ul></ul><ul><ul><ul><li>Thresholds that wipe data after XXX invalid logon attempts </li></ul></ul></ul><ul><li>Install locks at workstations </li></ul><ul><ul><ul><li>Simple common sense – approximately 30% - 40% of data compromise incidents relate to stolen equipment </li></ul></ul></ul><ul><li>Only issue laptops to those that need them </li></ul><ul><ul><ul><li>Another simple security protocol that actually saves your company/business money </li></ul></ul></ul>33
  34. 34. How Can Consumers Be Protected – Merchants/Schools/Other Data Points <ul><li>Internal Systems </li></ul><ul><li>Implement data security standards – Limit data kept on internal machine drives </li></ul><ul><ul><ul><li>Network only storage of sensitive data </li></ul></ul></ul><ul><li>Purchase software that scans drives for sensitive data by format </li></ul><ul><ul><ul><li>SS# </li></ul></ul></ul><ul><ul><ul><li>Credit/Debit Card # </li></ul></ul></ul><ul><ul><ul><li>Utilize email filter software that prohibits outbound transmission of sensitive data </li></ul></ul></ul><ul><li>Purchase email encryption software </li></ul><ul><ul><ul><li>Mandate its utilization </li></ul></ul></ul><ul><li>Deploy robust network monitoring software that is designed to detect abnormalities that may be linked to malicious attempts to access internal networks </li></ul><ul><li>Develop robust password protocols </li></ul><ul><ul><ul><li>Robust passwords – Letter, symbol, number combinations </li></ul></ul></ul><ul><ul><ul><li>Case sensitive </li></ul></ul></ul><ul><ul><ul><li>Force certain formats that limit readily guessable passwords </li></ul></ul></ul><ul><ul><ul><li>Periodic changes </li></ul></ul></ul><ul><li>Perform periodic audits to ensure systems are performing as they are designed </li></ul>34
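Added example, not part of the presentation, of the "scan drives for sensitive data by format" control described above: Python that finds SSN- and card-number-shaped values in text, uses a Luhn mod-10 check to discard digit runs that are not card numbers, and masks what it reports so the scan output is not itself a liability. The sample text is constructed; the same `scan_text` function can back an outbound e-mail filter.

```python
import re

# SSN-shaped values; area 000/666/9xx, group 00 and serial 0000 are never issued
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by single spaces or dashes as printed on cards
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; discards most digit runs (order numbers, IDs) that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """First six and last four digits only, so findings can be reported safely."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str) -> list:
    """Return (kind, masked_value, offset) for each likely SSN or card number."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", "***-**-" + m.group()[-4:], m.start()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("card", mask(digits), m.start()))
    return findings


def scan_file(path: str) -> list:
    """Scan one file; a drive sweep would call this for every file found."""
    with open(path, "r", errors="replace") as f:
        return scan_text(f.read())


# Constructed sample text: a digit run that fails Luhn, a test PAN that passes,
# an SSN-shaped value, and a phone number that must not be flagged.
SAMPLE = ("order 1234567890123456 refunded\n"
          "card 4111 1111 1111 1111 exp 12/25\n"
          "ssn 123-45-6789 phone 555-123-4567\n")
```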
  35. 35. How Can Consumers Protect Themselves <ul><li>Consumers are able to significantly reduce the threat of various fraud schemes by changing their behaviors and performing relatively simple tasks. </li></ul><ul><li>This is a key component to securing information. Even if every financial institution, college, government entity, merchant, etc. had incredibly robust systems and practices in place, if consumers practice bad habits then data security is still potentially compromised. </li></ul><ul><li>System Security </li></ul><ul><li>Basic practices that are often ignored. </li></ul><ul><li>Protect your PC – Deploy up-to-date anti-virus, anti-spyware software, etc. </li></ul><ul><ul><ul><li>Update regularly </li></ul></ul></ul><ul><li>Encrypt your home PC </li></ul><ul><ul><ul><li>Protected, encrypted files are a very good defense against data thieves </li></ul></ul></ul><ul><li>Utilize caution when storing personal data, period </li></ul><ul><ul><ul><li>Do you really need it? </li></ul></ul></ul><ul><ul><ul><li>Understand what data programs store (Turbo Tax) </li></ul></ul></ul>35
  36. 36. How Can Consumers Protect Themselves <ul><li>Practice good password habits </li></ul><ul><ul><ul><li>Don’t use the same passwords </li></ul></ul></ul><ul><ul><ul><li>Robust formats – No sequential ascending/descending, no same 4 characters </li></ul></ul></ul><ul><ul><ul><li>Do not link to personal information that may have been obtained from other entities – DOB, YOB, and SS# are good examples of this </li></ul></ul></ul><ul><ul><ul><ul><li>The same logic should be utilized for card based PIN #’s </li></ul></ul></ul></ul><ul><li>Utilize administrator settings on your PC that require passwords to change system settings. </li></ul><ul><ul><ul><li>Access as a user if not changing anything at that moment </li></ul></ul></ul><ul><li>Practice good browsing security </li></ul><ul><ul><ul><li>Do not click on unsolicited links contained within emails that take you to sites that request personal information! </li></ul></ul></ul><ul><ul><ul><li>You are not on a secure site if the address does not begin with https:! </li></ul></ul></ul><ul><ul><ul><li>Financial institutions (reputable) would NEVER ask you for your PIN # for authentication via an unsolicited email with a link! </li></ul></ul></ul><ul><ul><ul><li>If asked for this information via email do not click the link – Open a new browser window and type the familiar website address your institution utilizes </li></ul></ul></ul><ul><ul><ul><li>Utilize your institution’s online banking site; most have secure email built into the site for secure communication between the consumer and the financial institution </li></ul></ul></ul>36
  37. 37. How Can Consumers Protect Themselves <ul><li>Transaction Security </li></ul><ul><li>Be mindful of where you’re putting your card and where you’re entering your PIN # </li></ul><ul><ul><ul><li>When possible utilize bank owned ATM machines </li></ul></ul></ul><ul><ul><ul><li>If an ATM machine looks suspicious or if pieces of it look out of place – DON’T USE IT </li></ul></ul></ul><ul><ul><ul><ul><li>Report it to the financial institution </li></ul></ul></ul></ul><ul><li>Choose PIN #’s that provide some challenge for the criminals to guess </li></ul><ul><ul><ul><li>Stay away from sequential numbers either ascending or descending, same 4 character numbers and PIN #’s with personal significance – DOB, YOB, Last 4 SS#, etc. </li></ul></ul></ul><ul><li>Be aware of what could and does happen when your card leaves your hand </li></ul><ul><ul><ul><li>Possibly reconsider letting a waiter or waitress take the card from you; insist on paying at the register yourself. </li></ul></ul></ul><ul><li>Limit the information printed on your checks to only the essentials </li></ul><ul><ul><ul><li>Name and address only </li></ul></ul></ul><ul><ul><ul><li>Refrain from SS#, Phone Number, E-Mail, etc. </li></ul></ul></ul><ul><li>Consider card transactions as opposed to check or ACH transactions </li></ul><ul><ul><ul><li>Checks carry far more information than a card transaction – name, address, phone #, routing #, account # </li></ul></ul></ul><ul><ul><ul><ul><li>Nothing encrypted </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Transaction monitoring systems for checks are much less mature and not as effective as card transaction monitoring systems. </li></ul></ul></ul></ul>37
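Added example, not part of the presentation, implementing the PIN-selection rules from this slide and the password slide before it: it rejects four identical digits, ascending or descending sequences, and values derivable from the cardholder's date of birth or last four SSN digits, and reports which rule failed. The sample date of birth and SSN digits are constructed.

```python
from datetime import date

# Constructed sample cardholder data used only to demonstrate the checks
SAMPLE_DOB = date(1975, 3, 7)
SAMPLE_SSN_LAST4 = "6789"


def is_sequential(pin: str) -> bool:
    """1234, 7890, 4321, 0987: every step is +1 or -1 (mod 10, so 9 wraps to 0)."""
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {9}


def personal_values(dob: date, ssn_last4: str) -> set:
    """Four-digit strings derivable from data that leaks in breaches and phishing."""
    return {
        dob.strftime("%Y"),    # year of birth
        dob.strftime("%m%d"),  # MMDD
        dob.strftime("%d%m"),  # DDMM
        dob.strftime("%y%m"),  # YYMM
        dob.strftime("%m%y"),  # MMYY
        ssn_last4,             # last four of SSN
    }


def weak_pin_reasons(pin: str, dob: date, ssn_last4: str) -> list:
    """Return the rules a proposed PIN violates; an empty list means it passes."""
    if not (pin.isdigit() and len(pin) == 4):
        return ["PIN must be exactly four digits"]
    reasons = []
    if len(set(pin)) == 1:
        reasons.append("all four digits identical")
    if is_sequential(pin):
        reasons.append("ascending or descending sequence")
    if pin in personal_values(dob, ssn_last4):
        reasons.append("derived from date of birth or SSN")
    return reasons
```

An issuer would run this at PIN selection or change time and push the customer to pick again when the list is non-empty.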
  38. 38. How Can Consumers Protect Themselves <ul><li>Transaction Security </li></ul><ul><li>Consider a separate account for internet purchases </li></ul><ul><ul><ul><li>Can limit potential damage by physically limiting the funds available to a thief if a compromise scenario occurs </li></ul></ul></ul><ul><li>Consider automatic payment structures on recurring payments </li></ul><ul><ul><ul><li>Less manual entry means less exposure to key loggers that could have been maliciously placed on your PC without your knowledge. </li></ul></ul></ul><ul><li>Conceal PIN # entry when you complete purchases or make ATM withdrawals </li></ul><ul><ul><ul><li>Shielding entry with your hand can defeat many (not all) of the methods utilized by criminals to obtain your PIN # </li></ul></ul></ul><ul><li>Shop at merchants who utilize robust security in their websites </li></ul><ul><ul><ul><li>VBV/Secure Code, CVV/CVV2, Billing Address on Card </li></ul></ul></ul><ul><ul><ul><li>If they are not protecting themselves, why would you have faith that they protect your data? </li></ul></ul></ul><ul><li>Be observant even when the sales clerk is in front of you </li></ul><ul><ul><ul><li>Look for secondary swipes of your card on non-POS terminal devices </li></ul></ul></ul><ul><li>Practice prudent bookkeeping </li></ul><ul><ul><ul><li>Shred your receipts </li></ul></ul></ul><ul><ul><ul><li>If you use duplicate check registers, insist that the company does not include your routing and account numbers on the duplicate item </li></ul></ul></ul><ul><li>Utilize check stock with anti-counterfeiting and anti-tampering security features </li></ul>38
  39. 39. How Can Consumers Protect Themselves <ul><li>General Education/Awareness </li></ul><ul><li>Access your accounts frequently/daily </li></ul><ul><ul><ul><li>Immediately question any unusual transactions with the financial institution </li></ul></ul></ul><ul><li>Report unsolicited e-mails that seek to verify personal information to the entity that the email is allegedly from </li></ul><ul><ul><ul><li>Not only helping yourself, but also helping other consumers who are not as educated as you </li></ul></ul></ul><ul><li>Obtain at minimum annual copies of your credit bureau report. </li></ul><ul><ul><ul><li>Legal entitlement/Free </li></ul></ul></ul><ul><li>Consider signing up for credit monitoring services. These services will contact you anytime credit is applied for in your name. </li></ul><ul><ul><ul><li>Great way to stop criminals from applying for accounts in your name. </li></ul></ul></ul><ul><ul><ul><li>Wachovia offers an exceptional product that combines traditional credit monitoring service with identity theft fraud insurance </li></ul></ul></ul><ul><ul><ul><ul><li>IDENTITY GUARD® CREDITPROTECTX3SM </li></ul></ul></ul></ul><ul><li>Ensure your financial institution offers comprehensive protection against fraud, not only from a monitoring standpoint but also from a resolution standpoint. Wachovia utilizes a holistic approach to customer protection in the form of: </li></ul><ul><ul><ul><li>Transaction Monitoring </li></ul></ul></ul><ul><ul><ul><li>Check/Debit Card – Zero Liability Policy and On-Line – Online Services Guarantee </li></ul></ul></ul><ul><ul><ul><li>Complete recovery toolkit if impacted by identity theft </li></ul></ul></ul>39