Security Concerns in Electronic Payments Scott Dueweke VP, Government and Security Concord EFS, Inc. Major Forms of Government Electronic Payment Consumer credit cards Debit cards Purchasing cards Electronic checks Paper check conversion ACH EBT 2
Major Forms of Government Electronic Payment Consumer credit cards Debit cards Purchasing cards Electronic checks Paper check conversion ACH EBT 3 Electronic Payments to the Government Have Skyrocketed Online revenue collections by government projected to increase from $5.1 billion to $602.4 billion by 2006 4
Fraud Problem Areas 5 U.S. Issuer Fraud Types: Percentage 100% 80% Counterfeit Card not present 60% 40% Stolen 20% 0% Lost 3Q96 1Q97 3Q97 1Q98 3Q98 1Q99 3Q99 1Q00 3Q00 1Q01 3Q01 Source: Visa 2002 6
U.S. Issuer Fraud Types: Dollar Volume in millions $70 $60 $50 $40 $30 Lost Stolen $20 $10 $0 NRI Counterfeit Card Not Present Acct Takeover 3Q96 2Q97 1Q98 4Q98 3Q99 Fraud Apps 2Q00 1Q01 Source: Visa 2002 7 E-Commerce Fraud $15 0.40% $12 $9 $6 CNP 0.35% 0.30% 0.25% 0.20% 0.15% $3 $0 1Q99 2Q99 3Q99 4Q99 1Q00 2Q00 3Q00 4Q00 1Q01 2Q01 Fraud $ Fraud % 0.10% 0.05% 0.00% Source: Visa 2002 8
Check Usage 90 80 70 60 Electronic 29.5 50 Checks 40 5.0 30 49.6 20 32.0 10 0 1979 2000 Source: The Green Sheet 1999 Billions Source: Federal Reserve Payments Study, 2002 Consumer Check Payments Bill payment Casual POS Other 9 Annual Cost of Fraud Retailers lose $12 to $15 billion due to bad checks Financial institutions absorb $1 to $2 billion due to bad checks Identity theft costs consumers and businesses between $2 and $4 billion New account fraud generates almost one-third of fraud losses at financial institutions Check fraud is increasing 15% to 17% per year 10
Identity Theft Identity theft is currently the nation's fastest-growing white-collar crime, victimizing an alarming 500,000 Americans each year 11 However, We Have Defenses! Counter-measures for: Credit card Checks Debit card EBT 12
Credit: Verified by VISA New service that allows a cardholder to assign a personal password to their Visa Card only accepted at merchants who support Verified by Visa when the password is verified by the card Issuer Challenge Consumer security fears limiting online buying Disputes and fraud financially impacting retailers and banks Cost of accepting payments How Verified by Visa Helps Visa cardholders are given the means to control their exposure to fraud resulting in more online buyers and increased purchasing by existing buyers Retailers and banks have the ability to lower their operating costs by reducing fraud and dispute activity Low investment cost to support Verified by Visa means faster return for retailers and banks 13 Credit: MasterCard Service Universal Cardholder Authentication Field Secure Payment Application Site Data Protection Service Description Standard interoperable method of passing accountholder authentication data among issuers, merchants, and acquirers Provides explicit evidence that a transaction was originated by the authorized party, reducing charge backs from accountholder purchase disputes Comprehensive multi-tiered set of global security services to help protect websites and online merchants against hackers 14
Credit: American Express LockIT - authenticates that both card member and card are present for the transaction with smart card technology based on the EMV (European MasterCard & Visa). One-Time-Use American Express Card account number to transact online that is linked to your actual Card account each time you shop. 15 Checks: STAR CHEK 16
How STAR CHEK Works Contributor National Shared Account & Transaction Data Repository 166+ Million Inquirer Financial Institution A Financial Institution B Checking Account Status Information Updated Daily Check Level Information Repository of: Account, Transit Inquiry, & Check Level Status Inquiries Warnings Account Level Stop Payment Return Item STAR CHEK Financial Institution C 17 STAR CHEK Data Elements Over 166 million accounts Status of account (present, closed, etc) Stop payment information 100% of contributors draftable demand deposit accounts (DDA) Updated daily Reflects status as of open of business each day at institution s host system More than 50% of checking accounts nationwide 18
Current Data Contributors 19 STAR CHEK Summary One of a kind positive data source Updated daily Make better check decisions Reduce fraud exposure Integrates with existing check program Includes payroll checks Improves customer service Clear migration to real time check electronification 20
Debit Card Growth % of total payment transactions 35% 30 Checks 25 20 Credit 15 10 5 0 Debit 2000 2005 2010 Total trans 112 billion 132 billion 154 billion Source: The Nilson Report, December 2001. 21 Debit: Retailer ID Program Utility Bill Payments Available via the Internet 10/01 Available to regulated to utilities only Merchant/processor authenticates the consumer Merchant/sponsoring FI accepts risk All STAR cards participate Pilot underway Operational requirements STAR will not perform stand-in PINless debit transaction 22
Entitlement Programs Switching to EBT In 2001 over 17 million people per month received Food Stamps 80% of the $15.5B in Food Stamps last year were paid via EBT By eliminating paper coupons that may be lost, sold, or stolen EBT eliminates much of the black market food stamp economy If the card is lost or stolen, it can't be used by anyone who doesn't know the PIN, and it can be easily canceled and replaced 23 ID Forgeries IDs are used to gain access to our trusted systems, whether they be financial, informational, transportation, or others ID security is only as good as the ID used to validate their identity 24
The Problem Over 900,000 ID theft cases reported last year State Issued Fake ID 25 Obtaining a Fake ID is Easy Search Web Sites: FAKE ID Top 10 Web Site Results of 4,554,159 for: Fake ID Show Summaries View by URL FakeIDZONE.com Fake ID, Fake ids URL: http://www.fakeidzone.com/ Jakin4Beats URL: http://www.bestfakeids.com/ Fake ID Kit Center Fake Drivers License and Fake id Templates URL: http://www.fakeid.ultramailweb.com/ FAKE ID fake id Fake ID Belvine The ID Card Specialists URL: http://www.belvine.co.uk/ Fake ID, FakeIDs, How to create a Fake ID URL: http://www.fakeid.net/ False-ID.net False Ids, Fake Ids, Fakeid, Novelty ID, Photo ID URL: http://www.id-2000.net/ next 10 results 26
Logix Company Spring Break 2001 Over 10,000 Fake ID s Confiscated 27 Readability Map 39 States and 256 Encoding Formats 4 Canadian Provinces Military ID Cards 28
Terminals Reads and stores all electronic data from driver s license or other government issued documents Lavinna L-100 Hypercom ICE 5500 & 6500 LCD with touch screen Stores 4,000 64,000 records Magnetic stripe reader (internal) Smart card reader (internal) Barcode reader (attachment) Fingerprint reader (attachment) Internal Modem w/internet interface Touch-screen with customized prompts Barcode attachment Magnetic stripe LCD touch-screen display Internal modem w/internet interface Internal Printer Wireless capabilities 29 IDENTITY CHEK sm Today used by 76% of all bank branches to catch fraud rings, saving millions Using existing financial fraud control tools to identify: Money Laundering Rings Drug Rings Terrorist Cells Anyone using our own systems of authentication and security to gain access to trusted communities 30
Batch 1 HAMZA ALGHAMDI KHALID AL-MIDHAR KHALID S. ARDIRIBI WALID ALSHEHRI (2) SAEED ALGHAMDI ABDUL AZIZ ALOMARI (3) Batch 1 Same Addr Same SSN and DOB KHALID AL-MIDHAR KHALID S. ARDIRIBI SAEED ALGHAMDI Batch 2 WALID ALSHEHRI (2) ABDUL AZIZ ALOMARI (3) Invalid DL HAMZA ALGHAMDI KHALID S. SULEMELMANI MAJED M.G.H. MOQED AHMED ALHAZNAWI ABDUL AZIZ ALOMARI (4) WAIL ALSHEHRI (1) MOHALD ALSHEHRI
Same Addr Batch 1 Batch 2 Same SSN and DOB Invalid DL KHALID AL-MIDHAR KHALID S. ARDIRIBI KHALID S. SULEMELMANI MAJED M.G.H. MOQED SAEED ALGHAMDI AHMED ALHAZNAWI WALID ALSHEHRI (2) ABDUL AZIZ ALOMARI (3) ABDUL AZIZ ALOMARI (4) WAIL ALSHEHRI (1) HAMZA ALGHAMDI Invalid DL/SSN Batch 3 MOHALD ALSHEHRI NAWAF ALHAZMI MARWAN ALSHEHHI (1) AHMED ALNAMI WAIL ALSHEHRI (2) LUIS MARTINEZ-FLORES (1) Same Name & SSN Dif DOB Same Addr Same SSN/DOB Invalid DL KHALID AL-MIDHAR KHALID S. ARDIRIBI KHALID S. SULEMELMANI MAJED M.G.H. MOQED SAEED ALGHAMDI AHMED ALHAZNAWI WALID ALSHEHRI (2) ABDUL AZIZ ALOMARI (3) ABDUL AZIZ ALOMARI (4) WAIL ALSHEHRI (1) HAMZA ALGHAMDI Batch 1 Batch 2 MOHALD ALSHEHRI Invalid DL/SSN Batch 3 Batch 4 Different DOB Different Name Same Addr NAWAF ALHAZMI MARWAN ALSHEHHI (1) MARWAN ALSHEHHI (2) MOHAMED ATTA WAIL ALSHEHRI (2) AHMED ALNAMI LUIS MARTINEZ-FLORES (1) Same Name Different Addr LUIS MARTINEZ-FLORES (2) ZIAD JARRAH NAWAQ ALHAZMI Invalid DL/SSN Same Name & SSN Dif DOB Different Name, Same SSN, & DL
Same SSN and DOB Same Addr Invalid DL KHALID AL-MIDHAR KHALID S. ARDIRIBI Batch 1 Batch 2 KHALID S. SULEMELMANI MAJED M.G.H. MOQED ABDUL AZIZ ALOMARI (3) Batch 3 ABDUL AZIZ ALOMARI (4) MOHALD ALSHEHRI SAEED ALGHAMDI Invalid DL/SSN WALID ALSHEHRI (2) NAWAF ALHAZMI MARWAN ALSHEHHI (1) WAIL ALSHEHRI (1) AHMED ALHAZNAWI HAMZA ALGHAMDI Same Name & SSN Dif DOB AHMED ALNAMI Different Name, Same SSN, & DL MOHAMED ATTA Invalid DL/SSN LUIS MARTINEZ-FLORES (1) Same Name Different Addr WAIL ALSHEHRI (2) Same Name Different Addr FAYEZ AHMED SATAM AL SUQAMI Different DOB NAWAQ ALHAZMI Same Name Different Addr SALEM M.S. ALHAZMI Batch 4 Batch 5 LUIS MARTINEZ-FLORES (3) ABDUL AZIZ ALOMARI (1) MARWAN ALSHEHHI (2) ZIAD JARRAH LUIS MARTINEZ-FLORES (2) Different Name Same Addr Same Addr KHALID AL-MIDHAR KHALID S. ARDIRIBI Same SSN and DOB KHALID S. SULEMELMANI Invalid DL MAJED M.G.H. MOQED Invalid DL/SSN NAWAF ALHAZMI MARWAN ALSHEHHI (1) AHMED ALHAZNAWI SAEED ALGHAMDI Same Name & SSN Dif DOB AHMED ALNAMI WALID ALSHEHRI (2) ABDUL AZIZ ALOMARI (3) ABDUL AZIZ ALOMARI (4) WAIL ALSHEHRI (1) WAIL ALSHEHRI (2) LUIS MARTINEZ-FLORES (1) HAMZA ALGHAMDI MOHALD ALSHEHRI Same SSN Batch 1 Batch 2 Batch 3 Same Name Different Addr Different Name, Same SSN, & DL Batch 4 Batch 5 Same SSN Batch 6 Same Addr Invalid DL/SSN AHMED ALGHAMDI MOHAMED ATTA Different DOB MARWAN ALSHEHHI (2) ZIAD JARRAH NAWAQ ALHAZMI Different Name Same Addr SALEM M.S. ALHAZMI Same Name Different Addr FAYEZ AHMED SATAM AL SUQAMI LUIS MARTINEZ-FLORES (2) LUIS MARTINEZ-FLORES (3) ABDUL AZIZ ALOMARI (1) Same Name Different Same Name Different Addr Addr Same Addr HANI S.H. HANJOUR WALID ALSHEHRI (1) Same Name Different Addr Same Info Dif DOB ABDUL AZIZ ALOMARI (2) Same Addr Same Name Different Addr LUIS MARTINEZ-FLORES (4)
Terrorists Test Test conducted on terrorists from Sept. 11th FBI publicized some information on the Internet Information on only 12 of 21 terrorists Names, address, some SSN, some DOB, some DL# Information run through IDENTITY CHEK 11 out of 12 created a warning! We can tell fraud patterns they used If we could obtain the rest of the information, we could give a more complete picture of terrorist s patterns 37 Terrorist s Fraud Patterns One person using several addresses Several people using same address Two people using similar DL# or same DOB One person using two DOBs One person with slight change in name (Example: Wail / Walid) Invalid DL# SSN issued late in life Possible invalid SSN (based on forecast) 38
Government applications Applications for IDENTITY CHEK: Prescreen airline ticket purchasers USA Patriot Act help financial institutions comply with Treasury Dept. regulations (and OFAC compliance) Gun control screen fire arms purchasers Issuing passports Issuing drivers licenses 39 Summary Fraud remains manageable Tools are emerging to help combat new threats Debit and checks, as well as credit cards need to considered EBT users have largely eliminated their fraud Purchasing cards can eliminate internal misuse with many other benefits Point of payment is a perfect time to gather enough data to catch the bad guys Existing financial industry mechanisms can help New authentication systems/mechanisms emerging 40
Thank You Scott Dueweke VP, Government and Security Concord EFS, Inc. 540.636.2541 sdueweke@neteps.com 41