With credit card fraud dramatically on the rise, particularly in the form of card-not-present (CNP) fraud across Internet and Mail Order/Telephone Order (MOTO) channels, it is important for private label issuers to understand the depth of this problem and how it affects their merchant portfolio and their ability to accept private label cards. Private label cards were often considered to be “low risk”, relative to traditional bank cards, but our current analysis has shown the contrary: fraudsters are increasingly using private label cards as the payment instrument in CNP channels and merchants are at great risk if specific strategies are not put in place to stop it.
Understanding the Card Fraud Lifecycle : A Guide For Private Label Issuers
1. Understanding the Card Fraud Lifecycle : A Guide For Private Label Issuers The Problems, Tools, Techniques and Technologies Christopher Uriarte Chief Technology Officer & Head of International Development Retail Decisions PLRT Conference May 1, 2009 Philadelphia, PA
2.
3. Sample of ReD’s Clients and Focus Sectors Travel Telephony Retail Oil Banking Europe America Asia Pacific Other
4. Where We Sit & Where the Data Comes From Fraud Prevention & Gateway Services (CP&CNP) ReDShield TM ReD1Gateway TM CardExpress TM Fraud Prevention for Acquirers & Processors PRISM TM Fraud Prevention for Issuers PRISM TM Fraud Prevention for Merchants Fraud Prevention for Banking Institutions
5. Fraud Control Life Cycle Solutions implemented to reduce fraud Time lag for solutions to take affect New solution is implemented to reduce fraud Familiarity with weaknesses in cards and technology increases fraud Fraud begins to rise as new technologies are cracked and new weaknesses are found 2002 2009 ??? ??? Are We Here Now??? Implies Innovation Time Value of fraud
6.
7. Regular Occurrences of Organized & Social Engineering Efforts Arrests in card scam Wednesday, February 28, 2007 By Paul Grimaldi Journal Staff Writer Arraigned yesterday in the thefts of credit-card and debit-card information — and more than $100,000 The men allegedly stole the information by switching out checkout lane keypads with one of their own machines and then retrieving the units a few days later so they could copy the account data. To achieve this, they took shelf stocking positions at the supermarket, which gave them legitimate access to the facility during late hours in the evening. They recorded the stolen information on blank bank cards that they used to get money from ATMs in the area, the police said.
8. Implanted chips Criminals implant a chip directly into Point of Sale equipment The chip holds up to 1,000 account numbers Major occurrences in Taiwan, Malaysia and Brazil
9.
10. Personalizing the Card Low tech: Embossing only “ Higher tech”: Transplanting Skimmed Card Data 3712 345XX8 95004
11.
12.
13.
14.
15.
16.
17. Tool Example: IP Geolocation Instantly compare an online customer's registered address with his real-world location to flag potential fraud Pre-emptively block web site access to certain locales or IP origination points known to be frequent sources of fraud Real-world location
18. Technique Example: Combining IP Geolocation with Additional Transaction Analysis Unusual combinations of location details I.P. address in California Billing and/or Delivery address in London Card issued in Poland
22. The "More Tools Create Greater Complexity" Challenge No Matches Negative Data Device ID Check Address Validation Proxy Detection Neural Score Transaction Data Everything’ s OK; First time buyer Business Rules No History Address is Good; No match of Name to Address Could be behind a University proxy Score: 362 NOW WHAT? Should you accept it? Should you outright deny it? Should you manually review it? Challenge: Not just managing the individual components, but the sum of the parts!
23.
24.
25.
26.
27.
28.
29.
30.
31.
32.
33.
34.
35.
36. Day 1 Customer Case Study – Fraud Ring for Top 5 Jeweller Individual IP address, phone numbers, email address, card numbers & shipping addresses all shared and used in one attack 26
37. Day 3 Customer Case Study – Fraud Ring for Top 5 Jeweller Individual IP address, phone numbers, email address, card numbers & shipping addresses all shared and used in one attack 27
38.
39.
40. Christopher Uriarte [email_address] US: +1 732.452.2440 UK: +44 (0) 1483 728700 Thank You! Please feel free to contact me with any questions!
Hinweis der Redaktion
Slides 1-4 (3 Minutes) Brief Introduction to Retail Decisions to provide the context of who we are, why we see so many transactions and where my data is coming from Slide 5 (3 Minutes) Explain the “Fraud Control Lifecycle” and the correlation between fraud prevention tools and overall industry fraud rates Slides 7-12 (4 Minutes) Examples of how criminals obtain card data and how the cards are monetized Demonstrate the current complexity of fraud rings against merchants Slide 13-14 (4 minutes) Overview of the typical merchant fraud assessment process Introduction to the key metrics that merchants user in fraud prevention processes Slides 15-20 (10 Minutes) Examples of current fraud prevention system types and fraud prevention tools Slides 21-27 (5 minutes) Real-world examples of the complexities faced when using fraud prevention tools Slide 28-30 (10 minutes) Fraud in the Private Label space Slides 31-37 (5 minutes) Case studies – What can be accomplished when merchant fraud prevention systems are put in place Estimated time: 45 Minutes
MG
MG Seven Day Attack using 55 delivery addresses, 30 computers, 64 email addresses, 55 credit cards and 50 telephone numbers. Attempted to steal £30,000 worth of fraud Day One, two, three, four, five, six seven. As more fraudsters share details see the picture growing Start with one phone number the use of 14 credit cards Day two
MG Seven Day Attack using 55 delivery addresses, 30 computers, 64 email addresses, 55 credit cards and 50 telephone numbers. Attempted to steal £30,000 worth of fraud Day One, two, three, four, five, six seven. As more fraudsters share details see the picture growing Start with one phone number the use of 14 credit cards Day two
Seven Day Attack using 55 delivery addresses, 30 computers, 64 email addresses, 55 credit cards and 50 telephone numbers. Attempted to steal £30,000 worth of fraud Day One, two, three, four, five, six seven. As more fraudsters share details see the picture growing Start with one phone number the use of 14 credit cards Day two