EMV COSTS and OPPORTUNITIES


Fraud Prevention and Detection
Early Detection: Point of Purchase/Compromise
 Know at what point your customer’s card was compromised
 Source as few as two or three cards with confirmed fraudulent transactions to find the Point of Compromise: a common point of purchase across all of the cards should emerge
 Identify the other cardholders who may be at risk (everyone who used the compromised merchant during the exposure window)
 Write rules to monitor the compromised cards for unusual spending activity
 Use real-time decline or automatic blocking to reduce monetary fraud loss when a fraud attempt is made on a compromised card
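The Common Point of Purchase (CPP) step above, worked through in code. This is an added example, not part of the original slides: the transaction history, the test PANs and the merchant IDs are constructed, and the 90-day look-back window is an assumption; a real run reads the issuer's authorisation history instead.

```python
"""Common Point of Purchase (CPP) analysis over a card portfolio.

Added example, not part of the original slides. The transaction history, card numbers
(test PANs) and merchant IDs below are constructed; a real run reads the issuer's
authorisation history instead.
"""
from collections import Counter
from datetime import date

# Constructed history: (PAN, merchant_id, transaction_date), genuine purchases only.
HISTORY = [
    ("4111000000000001", "M-GROCER",  date(2017, 1, 3)),
    ("4111000000000001", "M-FUEL-17", date(2017, 1, 5)),
    ("4111000000000001", "M-COFFEE",  date(2017, 1, 9)),
    ("4111000000000002", "M-FUEL-17", date(2017, 1, 6)),
    ("4111000000000002", "M-PHARMA",  date(2017, 1, 8)),
    ("4111000000000003", "M-FUEL-17", date(2017, 1, 4)),
    ("4111000000000003", "M-GROCER",  date(2017, 1, 10)),
    ("4111000000000004", "M-FUEL-17", date(2017, 1, 7)),   # no fraud reported (yet)
    ("4111000000000005", "M-COFFEE",  date(2017, 1, 7)),   # never touched the CPP
]

# Date of the first confirmed fraudulent transaction on each reported card.
FIRST_FRAUD = {
    "4111000000000001": date(2017, 1, 12),
    "4111000000000002": date(2017, 1, 11),
    "4111000000000003": date(2017, 1, 13),
}


def find_cpp(history, first_fraud, window_days=90):
    """Return (merchant, share_of_fraud_cards) for the merchant that the largest share of
    the reported cards visited in the window before their first fraud, or None."""
    merchants_by_card = {}
    for pan, merchant, when in history:
        cutoff = first_fraud.get(pan)
        if cutoff is None:
            continue                                   # not a reported card
        if when < cutoff and (cutoff - when).days <= window_days:
            merchants_by_card.setdefault(pan, set()).add(merchant)
    counts = Counter(m for ms in merchants_by_card.values() for m in ms)
    if not counts:
        return None
    merchant, hits = counts.most_common(1)[0]
    return merchant, hits / len(first_fraud)


def exposure_start(history, cpp, first_fraud):
    """Earliest visit to the CPP by any reported card: a lower bound on when the
    compromise began. Cards seen there from this date on are considered exposed."""
    return min(when for pan, m, when in history if m == cpp and pan in first_fraud)


def cards_at_risk(history, cpp, first_fraud, since):
    """Cards that used the CPP on or after `since` and have no fraud reported yet:
    candidates for monitoring rules, reissue, or real-time decline."""
    return sorted({pan for pan, m, when in history
                   if m == cpp and when >= since and pan not in first_fraud})


if __name__ == "__main__":
    cpp, share = find_cpp(HISTORY, FIRST_FRAUD)
    since = exposure_start(HISTORY, cpp, FIRST_FRAUD)
    print(f"CPP: {cpp} (seen by {share:.0%} of fraud cards), exposed since {since}")
    print("at risk:", cards_at_risk(HISTORY, cpp, FIRST_FRAUD, since))
```

With three reported cards the fuel station emerges as the only merchant common to all of them, and the one card that used it after the exposure date but has no fraud yet is the list to feed into the monitoring rules.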
Manual Review
 Reviewing every transaction manually for signs of fraudulent activity
 Involves an exceedingly high level of human intervention
 Can prove to be very expensive and time consuming
 Unable to detect some of the more prevalent patterns of fraud, such as the use of a single card many times at multiple locations (physical stores or web sites) within a short span; that pattern is only visible across transactions, not within any one of them
Address Verification System (AVS)
 Applicable in card-not-present scenarios.
 Matches the numeric part of the street address and the ZIP code given for delivery/billing against the information on record with the card issuer. A code representing the level of match (full, address only, ZIP only, none) is returned to the merchant; the merchant, not the issuer, decides what to do with it.
 Of limited use for international transactions, since AVS support is confined to issuers in a few countries.
Card Verification Methods (CVM)
 Here "CVM" refers to the card security code (CVV2, CVC2 or CID); not to be confused with the EMV Cardholder Verification Method (PIN or signature).
 A 3- or 4-digit numeric code printed on the card but not embossed on it and not encoded in the magnetic stripe.
 Provides evidence that the person submitting the transaction has the physical card in hand (the code cannot be copied from receipts or skimmed from the magnetic stripe), and must never be stored by the merchant after authorisation.
 Does not protect merchants from transactions placed on physically stolen cards.
 Fraudsters who have temporary possession of a card can, in principle, read and copy the code.
Lockout Mechanisms
 Automatic card number generators are one of the newer tools frequently used by fraudsters. These programs, easily downloadable from the Web, generate thousands of ‘valid’ (Luhn-correct) card numbers within a chosen BIN range.
 Fraud initiated with a card number generator has the following traits:
 Multiple transactions with similar card numbers (e.g. the same Bank Identification Number (BIN))
 A large number of declines, since most generated numbers are not open accounts
 Acquiring banks and merchant sites can put in place prevention mechanisms specifically designed to detect number generator attacks and lock out the source.
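Detection logic for the two traits just listed, as an added example that is not from the original slides: authorisation attempts are grouped by source and BIN, and a source whose busiest ten-minute window holds many distinct PANs with a high decline ratio is locked out. The attempts are constructed (the PANs sit in the 4111 11 test BIN), and the thresholds are assumptions to be tuned per portfolio. The Luhn check is included to make the point that it does not help here.

```python
"""Detecting a card-number-generator attack at the acquirer or merchant gateway.

Added example, not part of the original slides. The authorisation attempts are
constructed; the PANs share the 4111 11 test BIN and are not real accounts. Note that
generated numbers pass the Luhn check, so the signal is the pattern of attempts
(many distinct PANs in one BIN from one source, mostly declined), not the checksum.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def luhn_valid(pan: str) -> bool:
    """ISO/IEC 7812 Luhn checksum. Filters typos only; generators emit valid numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _luhn_check_digit(partial: str) -> str:
    """Check digit that makes `partial` + digit Luhn-valid (used only to build test data)."""
    return next(str(d) for d in range(10) if luhn_valid(partial + str(d)))


def detect_generator_attacks(attempts, window=timedelta(minutes=10),
                             min_pans=5, min_decline_ratio=0.8):
    """attempts: iterable of (timestamp, source_ip, pan, approved).
    Returns one alert (source_ip, bin, distinct_pans, decline_ratio) per (source, BIN)
    whose busiest `window` contains >= min_pans distinct PANs with a decline ratio
    >= min_decline_ratio."""
    groups = defaultdict(list)
    for ts, ip, pan, approved in attempts:
        groups[(ip, pan[:6])].append((ts, pan, approved))
    alerts = []
    for (ip, bin_), rows in groups.items():
        rows.sort()
        best, start = None, 0
        for end in range(len(rows)):              # sliding time window over the rows
            while rows[end][0] - rows[start][0] > window:
                start += 1
            chunk = rows[start:end + 1]
            pans = {p for _, p, _ in chunk}
            ratio = sum(1 for *_, ok in chunk if not ok) / len(chunk)
            if len(pans) >= min_pans and ratio >= min_decline_ratio:
                if best is None or len(pans) > best[2]:
                    best = (ip, bin_, len(pans), ratio)
        if best:
            alerts.append(best)
    return alerts


def lockout_set(alerts):
    """Sources to block (or challenge) at the gateway for the lockout period."""
    return {ip for ip, *_ in alerts}


def constructed_attempts():
    """Sample traffic: one source walks eight generated PANs in the 411111 BIN within
    three minutes (seven declines, one lucky approval); a genuine customer retries the
    same card three times from elsewhere."""
    t0 = datetime(2017, 3, 17, 10, 0, 0)
    rows = []
    for i in range(8):
        partial = "411111" + f"{i:09d}"            # 15 digits, check digit appended
        pan = partial + _luhn_check_digit(partial)
        rows.append((t0 + timedelta(seconds=20 * i), "203.0.113.9", pan, i == 7))
    for i in range(3):
        rows.append((t0 + timedelta(seconds=60 * i), "198.51.100.4", "4111111111111111", True))
    return rows


if __name__ == "__main__":
    found = detect_generator_attacks(constructed_attempts())
    for ip, bin_, n, ratio in found:
        print(f"{ip} probed {n} PANs in BIN {bin_} ({ratio:.0%} declined)")
    print("lock out:", lockout_set(found))
```

The genuine customer retrying one card never trips the distinct-PAN threshold, while the attacker's every number passes Luhn and is still caught by the BIN, velocity and decline pattern.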
Negative and Positive Lists
 Negative list: a database used to identify high-risk transactions based on specific data fields (card number, e-mail address, IP address, shipping address).
 Example: the SAFE (System to Avoid Fraud Effectively) file distributed by MasterCard to merchants and member banks
 Positive files are used to recognise trusted customers (by their card number or e-mail address) and bypass certain checks
 An important tool to prevent unnecessary delays in processing valid orders.
Negative and Positive Lists (continued)
 Black lists
 Proxy server lists
 Known fraud IP address lists
 Known fraud e-mail address lists
 Zombie/hacked computer lists
 Fraudulent merchant lists
 Lists of merchants known to have been involved in fraudulent transactions in the past.
 Provide useful information to acquirers at the time of merchant recruitment
 MATCH (Member Alert to Control High-risk Merchants) from MasterCard
User Data Validation
 The User Data Validation module gives businesses the ability to verify a customer's contact information. Additionally, to reduce financial loss from returned shipments or inaccurate billing, this module automatically detects and corrects spelling and typographical errors.
 User data validation will:
 Identify false names, false addresses, fake phone numbers and stolen banking information
 Deliver detailed information including the actual bank name, phone number and location
 Conduct a detailed GeoIP analysis of the order to determine the user's location
 Compare all collected data for inconsistencies, each of which contributes to an overall dynamic fraud score
True IP Detection
 In the cat-and-mouse game of fraud and detection, a traditional tactic of fraudsters is to hide their location behind proxy servers. This module compares the true connection data with the data the customer wants you to see.
 True IP detection will:
 Identify the publicly visible IP address and, where the client exposes it, the local LAN address
 Provide GeoIP lookup information for both visible IP addresses
 Identify discrepancies between user-supplied data (billing country, phone prefix) and the IP data
 Validate proxy server and netblock information
Social Network Validation
 Social Network Validation looks up the customer's profiles on the most common networks. The module compares information made public by the customer against the information received in the order. Since fraud typically combines contact and billing information mixed and matched from multiple stolen identities, this module is another key input in determining the legitimacy of a transaction.
Discussion: What Would You Do?
 You have been asked by your manager to assess what type of monitoring product you would need.
 Your monitoring system will provide a range of results; you have been asked to interpret these results.
 You have been asked by your manager to reduce the false positive results in your fraud detection system.
 You have been asked to change the rules in your neural network, and you are unsure what rules to put in place.
Intelligent Fraud-Detection Systems
Spot Fraud Before it is Reported by the Cardholder
 Card companies continue to increase the effectiveness and sophistication of customer-profiling neural network systems that can identify unusual spending patterns and potentially fraudulent transactions.
 The card company then contacts the cardholder to check whether the suspect transaction is genuine. If not, an immediate block can be put on the card.
Automated Transaction Alerting
 Methods used to improve customer service and detection:
 Use automated alerts to decrease fraud staff workload and enable more efficient work practices
 Use auto-alerting to allow customers to set their own security parameters, enabling you to deliver a more personalised banking service
Simple Rule Systems
• Involve the creation of ‘if...then’ criteria to filter incoming authorisations/transactions.
• Rely on a set of expert rules designed to identify specific types of high-risk transactions.
• Effectiveness increases over time as more rules are added to the system.
✘ Disadvantage: every added rule increases the probability of flagging valid transactions as exceptions (false positives).
− This limitation can be overcome to some extent by prioritising the rules and fixing a limit on the number of filtered transactions, so that only the highest-priority hits consume review capacity.
Neural Network Technologies
 Based on the ‘statistical knowledge’ contained in extensive databases of historical transactions, and fraudulent ones in particular.
 A neural network is a computerised system that sorts data logically by performing the following tasks:
 Identifies the cardholder’s buying patterns and known fraudulent activity patterns.
 Processes data by trial and elimination (excluding data that is not relevant to the pattern).
 Finds relationships between the patterns and the current transaction data.
Neural Network Technologies (continued)
 Advantages:
 These models are able to learn from the past and thus improve results as time passes.
 Can extract rules and predict future activity based on the current situation.
 Disadvantages:
 Needs feeding with labelled fraud data continually.
 Without fresh data the profile it has built up decays, as spending behaviour and fraud patterns drift.
Bayesian Technology
 A probabilistic (Bayesian) classifier, often marketed as an advance on neural networks; it is a different statistical method rather than a form of neural network.
 Self-learning.
 Does not need a continual stream of new data to preserve profiles.
March 17
Caribbean Electronic Payments LLC
Fraud Analytics
 Provides a better view of, and perspective on, trends in fraud occurrences
 Enables the trends identified to be used to improve preventive measures and controls
 Added benefit of customer profiling using data mining
 Quantifies false positives and false negatives for what they are, so that rules and models can be tuned against measured error rates
Risk Scoring Technologies
Tools based on statistical models designed to recognise fraudulent transactions, using a number of indicators derived from the transaction characteristics.
 Provide one of the most effective fraud prevention tools available.
 The comprehensive evaluation of a transaction is captured in a single number.
 Transactions can be prioritised by risk score; given a limited capacity for manual review, only those with the highest scores are reviewed.
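A worked risk score that ties the preceding slides together: the negative and positive lists, AVS and CVV2 results, the true-IP/GeoIP discrepancy, velocity, the prioritised rules of the simple-rule-systems slide and the review-capacity cap described just above. This is an added example, not code from any of the products on the slides; the rule weights, thresholds, list contents and sample orders are constructed assumptions, and the GeoIP country for each IP is assumed to have been looked up upstream.

```python
"""A prioritised rule set producing a single risk score per card-not-present order.

Added example, not from any product on the slides. It ties together the earlier
mechanisms (negative and positive lists, AVS and CVV2 results, proxy/GeoIP
discrepancy, velocity) and the review-capacity cap from the simple-rule-systems slide.
Rule weights, list contents and the sample orders are constructed assumptions.
"""
from dataclasses import dataclass
import ipaddress

# Constructed lists; a real deployment loads these from the scheme/vendor feeds.
NEGATIVE_IPS = {"203.0.113.9"}
NEGATIVE_EMAILS = {"mule@example.net"}
PROXY_NETS = [ipaddress.ip_network("203.0.113.0/24")]
POSITIVE_CARDS = {"4111111111111111"}        # trusted repeat customers (test PAN)


@dataclass
class Order:
    ref: str
    card: str
    email: str
    ip: str
    ip_country: str        # GeoIP result for `ip` (lookup assumed done upstream)
    billing_country: str
    avs: str               # AVS result: "Y" full, "A" address only, "Z" ZIP only, "N" none
    cvv_match: bool
    amount: float
    txns_last_hour: int    # same PAN across all locations in the last hour


# (name, weight, predicate) in priority order; negative-list hits come first.
RULES = [
    ("negative_ip",    60, lambda o: o.ip in NEGATIVE_IPS),
    ("negative_email", 60, lambda o: o.email in NEGATIVE_EMAILS),
    ("proxy_source",   25, lambda o: any(ipaddress.ip_address(o.ip) in n for n in PROXY_NETS)),
    ("cvv_fail",       30, lambda o: not o.cvv_match),
    ("velocity",       25, lambda o: o.txns_last_hour >= 5),
    ("geo_mismatch",   20, lambda o: o.ip_country != o.billing_country),
    ("avs_no_match",   20, lambda o: o.avs == "N"),
    ("avs_partial",    10, lambda o: o.avs in ("A", "Z")),
    ("high_value",     10, lambda o: o.amount >= 500),
]


def score(order):
    """Sum of the weights of the rules that fire, capped at 100. A positive-list card
    skips to 0 unless a negative list also hits: a trusted card can still be stolen."""
    fired = [name for name, _, pred in RULES if pred(order)]
    if order.card in POSITIVE_CARDS and not any(n.startswith("negative") for n in fired):
        return 0, fired
    return min(100, sum(w for name, w, _ in RULES if name in fired)), fired


def decide(order, decline_at=70, review_at=40):
    s, fired = score(order)
    action = "decline" if s >= decline_at else "review" if s >= review_at else "accept"
    return action, s, fired


def triage(orders, review_capacity):
    """Apply the capacity limit: only the highest-scoring 'review' orders reach an
    analyst; the remainder are accepted (and should stay on post-authorisation
    monitoring). Returns {ref: final action}."""
    final, queue = {}, []
    for o in orders:
        action, s, _ = decide(o)
        if action == "review":
            queue.append((s, o.ref))
        else:
            final[o.ref] = action
    queue.sort(reverse=True)
    for i, (_, ref) in enumerate(queue):
        final[ref] = "review" if i < review_capacity else "accept"
    return final


# Constructed orders: a trusted customer, an obvious fraud, and two borderline cases.
SAMPLE_ORDERS = [
    Order("A1", "4111111111111111", "jo@example.com", "198.51.100.4", "US", "US", "Y", True, 80.0, 1),
    Order("B2", "5555555555554444", "mule@example.net", "203.0.113.9", "NL", "US", "N", False, 950.0, 6),
    Order("C3", "5105105105105100", "sam@example.org", "192.0.2.7", "CA", "US", "A", True, 120.0, 5),
    Order("D4", "4012888888881881", "kim@example.org", "192.0.2.8", "US", "US", "Y", False, 600.0, 1),
]

if __name__ == "__main__":
    for o in SAMPLE_ORDERS:
        print(o.ref, *decide(o))
    print(triage(SAMPLE_ORDERS, review_capacity=1))
```

With one analyst slot, the 55-point order is reviewed and the 40-point one is accepted automatically; raising the capacity to two puts both in front of an analyst. The weights are where the fraud-analytics feedback loop lands: measured false positive and false negative rates per rule decide whether a weight goes up or down.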
Products
 Alaric
 AI Corporation
 Fraud Labs
 Volance
 FICO BankCard
 Quatrro Analytics
 Ethoca
 Adeptra
 Oscar Kilo
 CyberSource
 Visa/MasterCard monitoring tools
Agenda and Learning Objectives
Emerging technology that brings a new level of security to business-to-consumer payments. Various solutions can be implemented:
 Two-factor Authentication
 EMV/Chip
 3D-Secure
 Discussion
Two-factor Authentication
Two-factor authentication (TFA, T-FA or 2FA) is an approach to authentication which requires the presentation of two or more of the three authentication factors:
 Something the user knows (e.g. password, PIN);
 Something the user has (e.g. ATM card, smart card, token); and
 Something the user is (e.g. a biometric characteristic, such as a fingerprint).
Something you have
Tokens with a display (disconnected tokens)
 Connected tokens
 USB tokens
 Virtual token MFA
 Smartcards
 Audio port tokens
 Wireless
 Dallas iButton
 Casque
 Magnetic stripe cards
 Soft tokens
 One-time pads (e.g. UniOTP)
Mobile phones
 SMS one-time password
 Smartphone push
 Additional phone token
 Mobile signature
 Mobile applications
 Considerations: vulnerability to attack; assignment of the device to the bearer
Something you are
Biometrics
Biometric authentication also satisfies the regulatory definition of true multifactor authentication. Users may authenticate biometrically via:
• fingerprint verification
• hand-based verification
• retinal and iris scanning
• dynamic signature verification.
Disadvantages:
• vulnerable to a replay attack (a captured template or sample can be presented again)
• user resistance
• false positive and false negative outputs
• compromised data cannot be changed (you cannot reissue a fingerprint).
Hybrid or two-tiered authentication methods (e.g. a private key encrypted by a fingerprint inside a USB device) combine factors.
EMV/Chip
 Global standard for credit and debit payment cards based on chip card technology.
 Payment chip cards contain an embedded microprocessor providing strong security features.
 More secure than a traditional magnetic stripe card.
 EMV chip card payment provides security benefits in the following areas:
 With online authorisation, a dynamic cryptogram computed by the chip over the transaction data protects against the use of skimmed data and stolen account data
 With offline authorisation, a PIN capability protects against lost and stolen card fraud, and data authentication protects against counterfeit cards
 Limits on offline activity protect against credit overruns and fraud
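Why the dynamic cryptogram defeats skimmed data, shown as an added example rather than anything from the original slides or the EMV specifications. It is a deliberate simplification: the real Application Cryptogram is a 3DES or AES CBC-MAC under an issuer-specific session-key derivation, for which HMAC-SHA256 stands in here; the PAN is a test number, keys are random, and the transaction data layout is assumed. The point it demonstrates is structural: the card signs the terminal's unpredictable number and its own transaction counter, so a captured cryptogram cannot be replayed, moved to another terminal, or produced by a counterfeit card.

```python
"""Simplified model of EMV online authorisation with a dynamic cryptogram (ARQC).

Added example, not the EMV specification: HMAC-SHA256 replaces the 3DES/AES CBC-MAC and
the issuer key derivation, and the transaction data layout is assumed. The structure
(per-card key, per-transaction session key, ATC, terminal unpredictable number) is what
makes skimmed data useless.
"""
import hashlib
import hmac
import os
import struct


def derive_session_key(card_master_key: bytes, atc: int) -> bytes:
    """Session key bound to this card and this Application Transaction Counter value."""
    return hmac.new(card_master_key, b"SK" + struct.pack(">H", atc), hashlib.sha256).digest()


def pack_tx(amount: int, currency: int, date: bytes, atc: int, un: bytes) -> bytes:
    """Data the cryptogram covers: amount (minor units), ISO 4217 numeric currency,
    YYMMDD date, ATC, and the terminal's 4-byte unpredictable number."""
    return struct.pack(">QHH", amount, currency, atc) + date + un


def card_generate_arqc(card: dict, amount, currency, date, un):
    """Card side: increment the ATC, derive the session key, MAC the transaction."""
    card["atc"] += 1
    sk = derive_session_key(card["imk"], card["atc"])
    mac = hmac.new(sk, pack_tx(amount, currency, date, card["atc"], un), hashlib.sha256)
    return card["atc"], mac.digest()[:8]


class Issuer:
    """Issuer host: holds each card's master key and the highest ATC accepted so far."""
    def __init__(self):
        self.keys, self.last_atc = {}, {}

    def enrol(self, pan, imk):
        self.keys[pan], self.last_atc[pan] = imk, 0

    def authorise(self, pan, amount, currency, date, un, atc, arqc) -> bool:
        if atc <= self.last_atc[pan]:            # replayed or stale counter
            return False
        sk = derive_session_key(self.keys[pan], atc)
        expected = hmac.new(sk, pack_tx(amount, currency, date, atc, un), hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, arqc):   # wrong key or altered data
            return False
        self.last_atc[pan] = atc
        return True


def demo():
    issuer = Issuer()
    pan, imk = "4111111111111111", os.urandom(16)      # test PAN, random card master key
    issuer.enrol(pan, imk)
    card = {"imk": imk, "atc": 0}
    date = b"\x17\x03\x17"                               # YYMMDD, constructed

    # 1. Genuine purchase: terminal A supplies its unpredictable number, the card signs.
    un_a = os.urandom(4)
    atc, arqc = card_generate_arqc(card, 4999, 840, date, un_a)
    genuine = issuer.authorise(pan, 4999, 840, date, un_a, atc, arqc)

    # 2. A skimmer captured everything in step 1 and replays it verbatim: ATC not fresh.
    replay = issuer.authorise(pan, 4999, 840, date, un_a, atc, arqc)

    # 3. The captured cryptogram presented at terminal B with B's own nonce and a bumped
    #    ATC: the MAC no longer covers the data, so it fails.
    reuse = issuer.authorise(pan, 4999, 840, date, os.urandom(4), atc + 1, arqc)

    # 4. A counterfeit card built from skimmed static data does not have the key.
    fake = {"imk": os.urandom(16), "atc": atc}
    un_c = os.urandom(4)
    f_atc, f_arqc = card_generate_arqc(fake, 2500, 840, date, un_c)
    counterfeit = issuer.authorise(pan, 2500, 840, date, un_c, f_atc, f_arqc)

    # 5. The genuine card keeps working afterwards.
    un_d = os.urandom(4)
    atc2, arqc2 = card_generate_arqc(card, 1250, 840, date, un_d)
    later = issuer.authorise(pan, 1250, 840, date, un_d, atc2, arqc2)
    return genuine, replay, reuse, counterfeit, later


if __name__ == "__main__":
    print(dict(zip(["genuine", "replay", "reuse", "counterfeit", "later"], demo())))
```

Contrast this with a magnetic stripe: everything the terminal reads is static, so a copy of the track data is as good as the card. The chip's secret never leaves the card; only a one-off proof of possession does.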
3D Secure
 3-D Secure is an XML-based protocol used as an added layer of security for online credit and debit card transactions.
 Developed by Visa (Verified by Visa) and adopted by MasterCard (SecureCode), JCB International (J/Secure) and American Express (SafeKey).
 This authentication is based on a three-domain model:
 Acquirer Domain (merchant and acquiring bank)
 Issuer Domain (card-issuing bank and cardholder)
 Interoperability Domain (the infrastructure provided by the card scheme to support the 3-D Secure protocol).
 A transaction initiates a redirect to the web site of the card-issuing bank to authenticate the cardholder before authorisation.
 Each issuer can use its chosen authentication method: password authentication, smart card readers, security tokens.
Implementing 3D Secure
 Visa/MasterCard member banks must use compliant software supporting the protocol specifications, and perform integration testing with the payment system server.
 ACS providers: the Access Control Server is implemented on the issuer side.
 MPI providers: Merchant Plug-In providers are authorised to send requests to the card scheme servers.
Disadvantages of 3D Secure
 Cardholders may see their browser connect to unfamiliar domain names, which trains them to enter credentials on third-party sites and makes phishing attacks easier.
 Mobile browsing may throw up compatibility problems (no pop-ups).
 Users are generally discouraged if the authentication process is too complicated or takes too long.