Transforming the Customer Experience When Fraud Attacks

Transcription

1 Transforming the Customer Experience When Fraud Attacks

2 About the Presenters Mike Young, VP, Product Team, Everbank Manages consumers and business banking products, as well as online and mobile banking services 20 years in financial services industry Former product manager for Merrill Lynch Credit Corporation Sean Daly, COO, IDT911 Oversees IDT911 worldwide expansion and financial strategies 25 years in financial industry Former SVP & CFO at Camden National Corporation, a $2.3 billion publicly traded community bank Page 2

3 Breaches of Note Page 3

4 Security and the Customer The security of a customer s financial accounts their basic privacy is jeopardized every time there s an internal security incident or cyber-attack on a retail firm like Target, Home Depot or JPMorgan Chase. What we do after a security incident occurs is as important as what we do proactively to try and prevent them. Page 4

5 Definitions Data Breach sensitive, protected or confidential data that has potentially been viewed, stolen or used by an individual unauthorized to do so personal health information (PHI) personally identifiable information (PII) trade secrets or intellectual property Security Incident a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices Page 5

6 Definitions Customer Fraud money or purchases made by fraudulently posing as the customer through use of a credit/debit card or other method Customer Identity Theft the fraudulent acquisition and use of a consumer's PII for personal gain financial medical tax child Page 6

7 Attacks and Impacts Page 7 Source: 2014 CDW US bank manager survey

8 Failures that Lead to a Breach Physical Lost control over a physical asset Documents Portable storage media Computer hardware Logical Intentional access to information by unauthorized insider or outsider exploiting a vulnerability Procedural Mishandling information exposing it to unauthorized parties Website Misdirected faxes, mailings, & s Improper disposal or abandonment Page 8

9 Security Incidents Impacts Having personal and/or credit card data stolen is traumatizing and presents a host of difficulties to consumers. As more transactions take place online, opportunities for fraud and identity theft increase. Estimates indicate data breaches cost $5.9 million for affected companies. Ponemon Institute 2014 Cost of a Data Breach Study: Global Analysis Companies affected by a data breach incur average costs of $201 per compromised record, and in a typical data breach, more than 29,000 records are compromised. Ponemon Institute 2014 Cost of a Data Breach Study: Global Analysis Page 9

10 Security Incidents Impacts Banks spend $10 per card to cancel and reissue. "The True Cost of Data Breaches" Bank Systems & Technology (08/08/14) Yurcan, Bryan Consumer Reports survey indicates one in seven U.S. consumers notified of personal data breaches in Page 10

11 Defining The Problem Page 11 Source: 2014 CDW US bank manager survey

12 Looking Inward Breach Avoidance Utilize a layered security approach no security filter will catch all fraud attempts but a layered approach can help prevent most Make it intuitive (easy) enough for customers to navigate but tough enough to prevent fraud Page 12

13 Security Incident Avoidance Conduct annual security assessments Maintain system access controls & reporting Manually review large transactions and exceptions Mask account numbers Monitor inactive and returned mail accounts Manage Vendors Employee Training Customer Education Monitor transactions Provide mobile and alerts I was happy that my online account was suspended when I hadn't logged in for a while. Thank you for that. Real Reaction from EverBank Customer Page 13

14 Unauthorized Access Avoidance Account Opening Implement and maintain a vigilant account opening review/approval process Utilize 3 rd party resources to verify applicant identity Address verification Credit history Out of Wallet questions Establish approval authorities and usage levels Business confirmation I love the security features you have in place to keep our information secure. I wish all banks would do the same. Real Reaction from EverBank Customer Page 14

15 Unauthorized Access Avoidance On-Going Account Management Utilize device identification (fingerprinting) Protect against account takeover with 3 rd party technology solutions Offer Debit Blocks and Positive Pay Utilize step-up authentication Block IP address of known fraudsters Account was disabled after a couple of attempts, my call was answered quickly and issue was resolved, I appreciate security measures being tight. Page 15 Real Reaction from EverBank Customer

16 Unauthorized Access Avoidance On-Going Account Management Implement call center authentication codes Utilize session timeout and lockout users that enter incorrect credentials multiple times Require token and dual control usage Limit transaction size Don t store sensitive data on devices I greatly appreciate the security. Most likely, the best way for a thief to rob a bank is to go online and hack somebody's account. For this reason, I am extremely appreciative that EverBank is vigilant and secure. Page 16 Real Reaction from EverBank Customer

17 Post Security Incident Incident Response Plan Have a plan in place for employees to follow whenever a security incident has occurred Practice the plan Have a dedicated group to handle customer inquiries who: Understand the difference between a lost/stolen card/checkbook and identity theft and how to service each situation Know the difference between an internal security incident and external fraud Have been trained to be empathetic and reassuring as they talk to customers that have experienced identity theft When hackers broke into our acct you noticed and contacted me right away. The issue was quickly resolved. Thank you! Page 17 Real Reaction from EverBank Customer

18 Post Security Incident Breach Notification Communication should be guided by legal counsel and professionals experienced with breach notification requirements, client relationship and brand management May be limited by state laws, regulator or law enforcement Avoid using industry jargon Don t just tell customers about a breach provide information about what they can do to protect themselves Include information on how to manage account takeover and identity theft situations Reassure customers their information and money are safe Page 18

19 Post Security Incident Breach Notification (cont.) Consider offering enhanced products and services (may be required) Appropriate offering will improve customer retention and minimize complaints California recently became the first state to require that its citizens impacted by a security breach be offered credit report monitoring Inform customers about free tools they can use to monitor their accounts Free apps like BillGuard Free credit reports available once a year from credit reporting agencies Page 19

20 Post Security Incident Account Takeover Don t close accounts unless necessary Monitor account(s) for suspicious activity Order replacement debit card(s) and send via overnight delivery Make online banking absolutely secure, as well as user-friendly. Real Reaction from EverBank Customer Offer an identity theft monitoring service like LifeStages Provide customers with information on things they can do to protect themselves against future fraud Advise customers to monitor accounts online and to call if they notice any suspicious activity Page 20

21 Post Security Incident External Identity Theft/Fraud Close account(s) and monitor for future activity Advise client of any activity on closed account to determine if transaction needs to be transferred to new account or if it s fraud Expedite delivery of new debit card and checks Transfer online banking payees and external transfer accounts to new account Provide clients with information on things they can do to try and protect themselves against future fraud (client education) Page 21

22 Bank/Customer Disconnect Page 22 Source: 2014 CDW US bank manager survey

23 Customer Identity Theft Avoidance Offer easy to understand educational materials to customers Use real-life, relatable examples Advise customers to: Manage passwords Change passwords regularly Use strong passwords Consider password management software Don t use the same password on multiple accounts Avoid phishing, malware and other online risks I was prompted to change my password. I appreciated the reminder. Real Reaction from EverBank Customer Regularly access accounts and immediately report suspicious activity Use anti-virus software Monitor credit activity Page 23

24 Fraud Service Offerings Fraud and identity theft services as a banking product Expands relationship beyond account focus Improves financial literacy Builds loyalty and trust Offers additional customer touch-point Enhances the institution s brand and competitive distinction Provides revenue enhancement with upsell of monitoring products Page 24

25 Defining The Problem Identity Theft Scenarios Compromised bank accounts Set-up wires Re-routed customer phone numbers to their mobile phones Moved cash to Eastern Europe Man-in-the-browser malware; session takeover Fraudsters attempted to set-up new ACH transfer account Transfers require token to log-in and token to transfer funds Fraud stopped due to second layer of security; funds not transferred Page 25

26 Post Security Incident Customer Feedback Identity Theft Assistance From my very first contact, I had expert and caring support in solving my problem. Bridgette went way beyond what I was expecting in resolving the issue. Her access to the right people answered questions quickly and her advice was extremely valuable. Her follow-up was a service rarely seen these days. Bridgette was fantastic and caring. Stephen is the best! At a time when our financial world was in chaos, Stephen stepped in and helped us manage a meaningful way forward out of the morass. Having Stephen explain what happened and what we could expect really kept us on track and allowed us to breathe easier. Page 26

27 Key Takeaways: Transforming the Customer Experience When Fraud Attacks 1. Use technology and services to protect customers before a breach and provide peace of mind after. 2. During any security incident, communicate quickly and clearly to maintain customer trust. 3. Train employees how to handle these situations and consider a dedicated group to help customers that experienced a breach. 4. Provide customer educational materials and consider expanding to identity management services. Page 27

28 2015 Predictions: Transforming the Customer Experience When Fraud Attacks Tokenization random numbers that take the place of account numbers when data is transferred between retailers and payment processors With the launch of ApplePay, the payment industry will be working diligently to take advantage of this new security feature offered through Visa/MasterCard Biometric Authentication measureable characteristics used to identify individuals Fingerprints Facial recognition Voice recognition Iris scans Page 28