Portals & Rails

« January 2013 | Main | March 2013 »

February 25, 2013

Focus on Fraud: Targeting the Weakest Link

A recent story in the Wall Street Journal recapped how bank robberies had declined almost 50 percent over the last decade. In addition to citing the increased physical security measures at banks and tougher sentencing for bank robbers, especially if a firearm is involved, the alternative criminal target of the Internet was cited as being more lucrative and having a lower risk, and therefore more attractive. The article offers the logic of the proven security adage that the more sophisticated criminal is more likely to focus on the weakest link in the overall security ecosystem of the targeted victim.

Online fraud offers a number of advantages for the criminal over the old-fashioned "stick-'em-up" bank robbery. The criminal doesn't have to be physically present at the point of the crime. In fact, the further away, the better with regards to investigative difficulties and jurisdictional issues. Also, compared to a typical bank robbery, the potential take for card and online fraud is significantly higher. Based on FBI statistics for 2010, the average bank robbery netted about $7,500. The Javelin Research 2011 Identity Fraud Survey (2010 data) reports that the average debit card fraud amount was $2,529, and the average credit card fraud amount was $3,741. Noncard account fraud added an average of another $3,000. Obtaining just a handful of cards or account numbers through skimming or other illegal methods can quickly result in tens of thousands of dollars in ill-gotten proceeds at a relatively low risk to the criminal.

Fraud risk mitigation is a constant effort by the banking industry and merchant community to stay ahead of the criminal element in their criminal techniques and efforts for identity and account theft. As new payment methods emerge and gain adoption, they will increasingly gain attention from the criminal element looking to exploit a weak link. Javelin's 2012 Identity Fraud Industry Report reveals that consumers with smartphones have a higher incidence of fraud than nonsmartphone consumers by approximately one-third. Key behavior weaknesses cited included failure to update the phone operating software with security patches, saving account log-in information on the phone and not using the phone lock feature—allowing the information to be accessed by anyone finding the phone. In the meantime, consumer advocacy and educational groups, the banking industry, and mobile carriers are making efforts to educate consumers on the best way to safeguard their personal and banking information against such attacks.

The Mobile Payments Industry Workgroup (MPIW), facilitated by the Federal Reserve Banks of Atlanta and Boston, regular discusses risk associated with this emerging payments method with telephony and payments security experts. In the coming months, a subgroup of the MPIW will be working to evaluate the various security issues with mobile payments and making recommendations to the overall workgroup to ensure that the mobile payments ecosystem is sound and as safe as necessary. Portals and Rails will continue to report on the efforts of this and other groups to improve the security of our payments system. As always, we encourage your comments.

David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 25, 2013 in mobile payments, online banking fraud | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c017ee8b98b40970d

Listed below are links to blogs that reference Focus on Fraud: Targeting the Weakest Link:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

February 11, 2013

Is Growing Fraud Really a Catalyst for EMV?

My payments news feed has been filled with a heavy dose of EMV-related news these last few days. Take the January 2013 article from the American Banker that looks at the incidence of increasing fraud losses as the United States continues to lag on the implementation of EMV chip cards. This one especially caught my attention given that I had written a paper on this topic early in 2012.

In recent SEC filings, both Discover Financial Services and Capital One reported significant increases in fraud losses. Based on calculations using figures from Discover's latest annual report, its fraud rate on sales volume increased from 4.8 basis points in 2010 to 7.2 basis points in 2011, and reached 8.8 basis points in 2012. Because of our nation's continued reliance on magnetic-stripe cards, "we are the weakest link around the world," according to one analyst. According to another, "the fraud comes here." Given this trend of rising fraud losses, is fraud finally becoming a bigger part of the business case for EMV with card networks' liability shifts for counterfeit fraudulent transactions a little more than two years out?

I don't think that it is. While the American Banker article, and even my paper, paints a somewhat discouraging picture of the fraud situation, the fact remains that fraud is but a small, albeit growing, expense on an issuers' income statement. For example, Discover reported $93 million in fraud losses for 2012, or roughly $8 million more than it spent on postage. By comparison, net charge-offs from credit card debt cost them over $1.2 billion in 2012 and as much as $3.7 billion in 2010. Fraud risk as measured by fraud losses is just "another expense" to issuers while credit risk, measured by credit losses, has one of the largest, if not the largest, negative impact on an issuers' bottom line. Is it possible that fraud losses will have a larger negative impact further down the road? Absolutely, and I think they will. I also recognize there are other "soft costs" associated with card fraud in terms of cardholder inconvenience and overall payment safety perception.

Further, EMV does not address the entire fraud loss problem. It's no secret by now that while EMV has been excellent at reducing face-to-face fraud, card-not-present (CNP) fraud continues to rise because EMV does not effectively prevent it in today's online environment. For example, since the rollout of chip-and-PIN in 2008 in Canada, CNP fraud increased from C$128 million to C$259.5 million in 2011. This is another example of fraud moving to the weakest link in the payments chain. Ultimately, EMV as it exists today only solves part of the fraud equation. Until a cost-effective and consumer-friendly CNP fraud reduction solution gains traction, I believe a business case for EMV built around fraud losses will remain difficult to build. For some, the costs to implement EMV may be viewed as an insurance policy against a widespread compromise of the mag-stripe technology.

It has been more than 17 months since Visa announced its EMV U.S. migration plan and a year since MasterCard announced its EMV "Roadmap." Still, issuance and acceptance of EMV cards remains tepid, if that, here in the United States. With a little over two years until the first liability shifts for the U.S. are scheduled to take place in April 2015, issuers will need to make EMV migration decisions soon if they intend to take advantage. But is the business case there currently?

Douglas A. KingBy Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 11, 2013 in card networks, cards, chip-and-pin, EMV | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c017d40f3aa2f970c

Listed below are links to blogs that reference Is Growing Fraud Really a Catalyst for EMV?:

Comments

My view on EMV is that it is a fundamentally more secure payment vehicle than typical magnetic stripe cards - plain and simple.

There are many benefits outside of just fraud savings. Consider missed transactions that international travelers might incur with a traditional card. Aite analysis reveals that card issuers missed out on $4 billion in charge volume in 2008 because of problems cardholders had with their cards while traveling abroad.

Then there is consumer perception. Ask a consumer today if he/she would like to own a car without air bags? The answer is likely no. The same is likely to hold true for EMV cards. If I have two options, traditional or EMV, I'm likely to choose EMV because it's safer. We all need to protect and enhance the consumer experience.

One cannot accurately predict future fraud costs with any degree of certainty. The pie for fraudsters is getting smaller, and if I'm a bank or credit union I don't want to be in the cross-hairs, especially if those vulnerable are getting smaller. CNP fraud is escalating. The payments industry will need to solve for that.

Chris Slane, VP, Business Development, Quatrro Processing Services

Posted by: Chris Slane | February 28, 2013 at 07:41 AM

Excellent article. One that takes the credit card fraud issue head-on and establishes that issuers and merchants have more serious issues to worry about than controlling fraud. I also found @MikeB's comment - especially the part about "issue that matters most for consumers and that is False Positives and the need for their cards to always work, particularly for when they need them most" - very sensible.

Posted by: Ketharaman Swaminathan | February 17, 2013 at 12:41 PM

I think you need to add other costs in (eg, PCI-DSS compliance and fraudulent portion of charge-offs) to obtain the correct cost/benefit calculation.

Posted by: Dave Birch | February 15, 2013 at 02:26 AM

Douglas,
Very interesting article and I agree that it appears that the EMV benefit is perhaps not worth the industry expense particularly if you're also shifting fraud from CP to CNP. In addition, it seems that here in the US, we're poised to move to new payment technologies such as Digital Wallets, NFC and/or Bar-codes that are more inline with the American customer, who I'm sure won't want to slow down at the point of sale to put in a PIN number on a Credit card transaction.

We conducted trials in the UK last year that I believe get to the issue that matters most for consumers and that is False Positives and the need for their cards to always work, particularly for when they need them most. By using Location-Based Analytic, we saw a 55% reduction of false positives while at the same time seeing a 30% increase in fraud detection . All of this in a non-intrusive manner, allowing the consumer the convenience of just swiping their card and moving on.
Mike

Posted by: Mike Buhrmann, CEO Finsphere | February 12, 2013 at 02:11 PM

Fraud may continue to be manageable from a cost perspective, but it is ultimately damaging to the user experience and the network brand experience. Consumers are increasingly frustrated by dealing with fraudulent charges (even with zero liability), receiving notices that their accounts are being breached, receiving re-issued cards, and having to re-configure their automatic payments. The networks are the ones pushing EMV because ultimately it's confidence in their systems that is taking the hit.

Posted by: Aaron Press | February 11, 2013 at 04:26 PM

Your comments raise an interesting question, namely, how much of what banks allocate as net charge-offs are actually fraud losses - especially in cases of account takeover fraud. The bad guy gains access to an account, changes the address, runs up a huge balance and bolts. As these balances get stale, the bank can either categorize them as fraud or simply charge them off.

Posted by: Chip Wickenden | February 11, 2013 at 10:23 AM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

February 04, 2013

The Promises and Pitfalls of Big Data

In reviewing one of my recent credit card statements, I noticed a marketing message offering $5 off for an online purchase using their credit card at one of the online retailers I frequently visit. At first I thought this was a bit strange as I had not used that particular credit card at that merchant. Then I realized this was likely "Big Data" in action. Evidently, this credit card issuer had gotten information from some database, perhaps from the retailer, that I was a frequent customer of that retailer. The card issuer then checked its records and found that its card wasn't the one I used for the purchases, so it tried to entice me with $5 savings to switch my card usage habits.

A recent Harris Interactive poll of 1,000 U.S. Internet users showed that the typical consumer has an extremely high level of concern about the amount of personally identifiable data (PID) that is collected about them from public databases, e-mails, web access, and private data aggregators and how that information is being used. Big Data has opened a new world of marketing opportunities for companies with the capability to analyze and use such a wide array of information. In addition to marketing opportunities, Big Data technology can also provide enhanced risk assessment capabilities.

Card issuers have used data analysis at both the macro and individual cardholder level for several decades for fraud management purposes. With sufficient transaction history, the issuer creates a cardholder's purchase profile and evaluates future transactions against that profile. In the early stages of such efforts, if a transaction fell outside the normal profile parameters, the issuer was likely to authorize the purchase and then attempt to contact the cardholder later to verify its legitimacy. Before the wide usage of cell phones or text alerts, contacting the customer was often delayed by days until he or she could be reached on a landline. With advances in software and processing technology, some issuers risk rate transactions as they are received for authorization and may deny a transaction with a high risk score or one that exceeds parameters the customer has personally established. Of course, the downside to such a process is a false denial resulting in a less-than-satisfied cardholder.

While few may find fault with using data for financial risk management purposes, the line is blurry between privacy and data analysis for behavioral activity. Let's say you normally use a particular prescription medication for treatment of a chronic medical condition. Data analysis can tell how frequently you should be getting refills of that medication from your pharmacy. On the positive side, the pharmacy can use this information to send you reminders that it is time to order a refill. But what if the data shows that your refills are spaced further apart than the quantity and dosage level dictate? Is it ethical for the online pharmacy to notify your insurance provider that you appear to have significant lapses in taking your medicine when doing so could affect future coverage? At what point does "Big Data" become "Big Brother"?

In 2013, data security and privacy—the issues associated with Big Data—will be a major area of focus for the Retail Payments Risk Forum. In addition to looking at these issues in our Portals and Rails posts, we will be publishing white papers and convening forums with designated stakeholders to further discuss these issues. We welcome your input on what topics you would like to see us cover.

Oh, and as to that $5 offer, I think I'm going to hold out for a few months and see if they are willing to raise the ante. If this blog is being data scrubbed, I think $10 will do it!

David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


On a different note, the Retail Payments Risk Forum would like your feedback on our blog. We would be grateful if you would take a moment to complete our survey. It really is very short.

February 4, 2013 in cards, consumer protection, privacy | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c017ee8360ee4970d

Listed below are links to blogs that reference The Promises and Pitfalls of Big Data:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in