Confidential and Proprietary© Fifth Third Bank | All Rights Reserved
Data Breach Management 15th Annual ATM, Debit & Prepaid Forum,
Oct. 4, 2007
Presented by Angela Brown, SVP, Fifth Third Bank
&
Chris Roberts, SVP, Wachovia Bank
Industry Overview
Overview
• Breaches undermine brand and consumer confidence in the payments industry.
  ‐ Criminals' abilities to impersonate a customer, or a merchant, are rising.
  ‐ Losses from identity theft are estimated at $52B annually.
  ‐ Fraud poses a growing threat to the security of information used in payment systems.
  ‐ Institutions using an in‐house system can experience 10‐11 lost basis points in card fraud losses.
Industry Overview
Overview
• Account data compromise trend continues to be a significant concern for the industry
  – Potential of fraud losses for financial institutions
  – Issuer costs and cardholder impact
  – Adverse media publicity
  – Legislative interest
Industry Overview
Current Trends
• Cyber crime is growing in sophistication
• Exploitation of vulnerabilities in the value chain is increasing
• POS systems are frequent targets
  – Magnetic stripe data is stolen from data logs as opposed to traditional databases
  – Sensitive data is unknowingly stored
  – Hackers are targeting centralized servers with Internet connectivity
Industry Overview
Current Trends
• Globally organized criminals are involved in hacks
• SQL injection is the most common attack method
• Remote Control Software
  – PC Anywhere/VNC commonly used
Industry Overview
Current Trends
Cost of an Identity
An identity – including a U.S. bank account, credit card, date of birth and government-issued identification number – was available for between $14-18.
A recent going rate for a U.S. individual's entire identity, complete with mother's maiden name and Social Security number, was $13.
Typical costs of goods and services in chat rooms:
— $150: Driver's license
— $150: Birth certificate
— $100: Social Security card
Financial Fraud
— $6,000: average new account fraud loss; doubled from 2005-2006 [1]
— $2,500: average unauthorized credit card charge; 4X the loss from 2005 [1]
Criminal Attraction
Sources: Symantec Corporation, Internet Security Threat Report, Mar. 2007; BusinessWeek, “Coming to Your PC's Back Door: Trojans,” Jan. 2006; USA Today, “Cybercrime flourishes in online hacker forums,” Oct. 2006
Industry Overview
A Growing Reputation Risk
[Pie charts, YTD September 2005]
Compromised Accounts by Geography: U.S. 99%; Non U.S. 1%
Compromised Accounts by Category: Merchant Hack 98%; Merchant Burglary 1%; Other* 1%
*Includes Law Enforcement Recovery, Operation Stop IT, ATM Compromise, ATM Skimming, Merchant Bust-Out and CPP
Industry Overview
“The Sky is Not Falling ‐ But It Could”
• Security as a differentiator
  ‐ Bolstering fraud prevention strengthens loyalty and provides an ROI on technology investments.
• Technology advancements are making it possible to “deputize” the customer.
• Fundamental to limiting fraud loss is having the right preventive technology AND the right processes in place to mitigate risk if a breach occurs.
Quote by Orson Swindle, chair of the Center for Information Policy Leadership for Hunton & Williams, an international law firm, who participated in a two‐day conference designed to bring together diverse stakeholders in the payments industry: “Facing Up to the Challenges”.
Industry Overview
Complexity
• Complexity of processing in today’s environment
  – Multiple participants in the value chain
  – Thousands of vendors, MSPs, ATM processors, and gateways
• Need for an increased level of education and awareness of the stakes, for all participants
Industry Overview
Regulatory and Compliance Arena
• Payment Card Industry (PCI) Data Security Standards, Audits, and Self‐Assessment
•CUNA 2006 Guidelines
•Visa & MasterCard Compliance Validation
•Safe Harbor
• What will be the next “3DES‐like” mandate?
Industry Overview
Fighting Fraud Methods
Fraudsters
• RAM Raids
• Skimming
• CVV Brute Force Attacks
• System Breaches
• Biometrics
Industry Overview
Fighting Fraud Methods
eThreats
• Malware
•Phishing
•Directory Harvesting
•Data Breaches
Industry Overview
Financial Implications of Phishing
# of E-mails Sent                 100,000     1,000,000    10,000,000
Click-through Rate                  0.10%         0.10%         0.10%
Accounts Compromised                  100         1,000        10,000
$ per Account Compromised           $5.00         $5.00         $5.00
  Fraudster Income                   $500        $5,000       $50,000
Fraud per Account Compromised        $350          $350          $350
  Fraudster Income                $35,000      $350,000    $3,500,000
FTPS Portfolio Approach
Implications for Fifth Third
• Fifth Third Processing Solutions
  – Processes over 17 Billion Transactions per year
  – Processes for more than 147,000 Financial Institutions and Merchant locations nationwide
  – Drives over 12,200 ATMs in 11 countries
  – Supports more than 33 Million debit cards
•Continual Investment in Technology
FTPS Portfolio Approach
Fraud Mitigation Best Practices
[Diagram: security domains covered by the best practices]
• Cash Security
• ATM Transactional Security
• PIN & Encryption Security
• ATM Physical Security
• Cardholder Security
• Card Security
• Cyber Security
• ATM Connectivity Security
FTPS Portfolio Approach
Fraud Mitigation Best Practices
• Automatic Chargebacks
• Card Activation Block
• Card Compromise Alerts
• Custom Debit Card Authorization Strategies
• CVV/CVC Brute Force Protection
• Expiration Date Matching
• Identity Theft Alert
• Lost/Stolen Support
FTPS Portfolio Approach
Fraud Mitigation Best Practices
• PRISM
• Reporting and Issuer Direct
• Review of Card Limits
• Two Year Re‐Issue Cycle
• Verified by Visa & MasterCard Secure Code
FTPS Portfolio Approach
PRISM
• PRISM is an information processing system which “learns” to recognize and differentiate data through exposure to repeated patterns.
• “Neural Net System”: based on neural algorithms and modeling.
• “Rules Based” means a “rule” can be written to match criteria passed within the incoming authorization data or fields within PRISM.
• Real time vs. near real time
PRISM ‐ How Does it Work?
[Diagram: authorization flow with PRISM]
The Merchant and Acquirer exchange Request/Response with the Authorization Switch, which exchanges Request/Response with the Issuer.
Authorizations are passed from the Authorization Switch to the Neural Network for Evaluation.
Evaluation results drive Electronic Alert Delivery to End User and Cardholder Contact.
FTPS Portfolio Approach
Year One PRISM Results
724,283 alerts reviewed
26,496 frauds detected
More than $70M in losses averted
FTPS Portfolio Approach
Card Compromise Support
• CAN/CAMS alerts the FI of a card compromise, so the FI can conduct a risk evaluation.
• The FI is provided tools that allow investigation down to the card level.
• The FI initiates a process to automatically generate new cards and close existing cards, minimizing the impact to the cardholder.
• Fifth Third pulls the FI request, issues new cards, and old cards are closed within 2 weeks, automatically.
FTPS Portfolio Approach
CVV/CVC Brute Force Protection
• Criminals attempt to obtain the CVV/CVC value by sending multiple authorization requests in rapid succession.
• With CVV/CVC Brute Force Protection, the system detects transactions that appear to be unique “swipes” coming from different merchants, but originating from a single source.
The card is auto‐blocked on the signature side at the sixth swipe to prevent fraudsters from obtaining the correct value. The customer can still use the PIN side of their card until it is re‐issued.
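The detection and blocking logic described on these two slides, as an added illustrative example (not Fifth Third's or FTPS's own code): CVV mismatches are counted per card, attempts that claim different merchants but share one originating source are treated as a single brute‐force stream, the signature side is blocked at the sixth attempt, and PIN authorizations keep working. The ten‐minute look‐back window, the field layout and the sample authorizations are assumptions; the slides give none of them.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real data): one card token, six card-not-present
# attempts in two minutes, each under a different merchant ID, each failing
# CVV2 verification ("N"), all arriving from the same originating source.
# Fields: timestamp, card token, merchant ID, originating source, CVV result, channel
SAMPLE_AUTHS = [
    ("2007-10-04T10:00:01", "tok-1234", "MER-001", "src-A", "N", "signature"),
    ("2007-10-04T10:00:19", "tok-1234", "MER-002", "src-A", "N", "signature"),
    ("2007-10-04T10:00:40", "tok-1234", "MER-003", "src-A", "N", "signature"),
    ("2007-10-04T10:01:02", "tok-1234", "MER-004", "src-A", "N", "signature"),
    ("2007-10-04T10:01:25", "tok-1234", "MER-005", "src-A", "N", "signature"),
    ("2007-10-04T10:01:48", "tok-1234", "MER-006", "src-A", "N", "signature"),
    ("2007-10-04T10:05:00", "tok-1234", "ATM-77",  "atm-77", "M", "pin"),
    ("2007-10-04T10:06:00", "tok-1234", "MER-007", "src-A", "M", "signature"),
]

WINDOW = timedelta(minutes=10)   # assumed look-back; the slides give no window
BLOCK_AT = 6                      # slide: auto-block at the sixth swipe

class BruteForceGuard:
    """Counts CVV/CVC mismatches per card and blocks the signature side."""

    def __init__(self, window=WINDOW, block_at=BLOCK_AT):
        self.window, self.block_at = window, block_at
        self.misses = defaultdict(list)      # card token -> [(time, source)]
        self.blocked_signature = set()       # cards blocked on the signature side

    def evaluate(self, ts, card, merchant, source, cvv_result, channel):
        """Return 'approve', 'decline' or 'block' for one authorization."""
        if channel == "pin":                 # PIN side stays usable until re-issue
            return "approve"
        if card in self.blocked_signature:   # signature side already blocked
            return "block"
        if cvv_result == "M":                # CVV matched: nothing to count
            return "approve"
        now = datetime.fromisoformat(ts)
        recent = [(t, s) for t, s in self.misses[card] if now - t <= self.window]
        recent.append((now, source))
        self.misses[card] = recent
        # Many "different merchants" but a single originating source is the tell.
        single_source = len({s for _, s in recent}) == 1
        if len(recent) >= self.block_at and single_source:
            self.blocked_signature.add(card)
            return "block"
        return "decline"

def run(auths, guard=None):
    """Evaluate a sequence of authorizations; returns one decision per auth."""
    guard = guard or BruteForceGuard()
    return [guard.evaluate(*auth) for auth in auths]
```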
Next Generation of Fraud Tools?
Advanced Identity Analytics
Looks at patterns associated with identity theft.
Fraud pattern: two SSNs are associated with one address, yet one SSN is associated with two names.
Conclusions
The entire payment system must work together to combat ID Theft
• To protect against losses, banks and issuers must overcome disconnects between current capabilities to stay ahead of emerging fraud patterns.
Consumer confidence matters
— Consumers don’t differentiate between ID Theft and Card Fraud
• Fraud will continue to be a risk factor requiring diligence
— Technology and Compliance
— Branding and Appearance
Thank You!