The Fight Against Payment and Credit Card Fraud IMA D/FW Area Chapter Sept. 15, 2015




Transcription:

The Fight Against Payment and Credit Card Fraud
IMA D/FW Area Chapter, Sept. 15, 2015
Matt Davies, AAP, CTP, CPP, Federal Reserve Bank of Dallas

Online Banking
- Corporate Account Takeover: Experi-Metal v. Comerica; PATCO Construction v. Ocean Bank (People's United); Choice Escrow & Land Title LLC v. BancorpSouth Bank
- Invoice Hijacking: fraudsters intercept correspondence between two parties who have an existing contractual relationship, and invoice the target for services that have actually been rendered.
- Whale Phishing / Masquerading / The CEO E-mail / Business E-mail Compromise (BEC)

Business E-mail Compromise
- Business E-mail Compromise (BEC), a.k.a. Whale Phishing, Masquerading, or The CEO E-mail
- Criminals stole ~$750m from more than 7,000 U.S. businesses, Oct. 2013 to Aug. 2015
- Combined with international victims, the FBI estimates that more than $1.2b has been lost to BEC scams
- Majority of transfers going to banks in China and Hong Kong

Business E-mail Compromise
- May not be able to obtain insurance coverage for the loss
- New version of the BEC scam: the fraudster contacts businesses via phone or e-mail posing as a lawyer handling confidential or time-sensitive information, and pressures the victim to act quickly, perhaps even secretly, in transferring funds. Typically at the end of the business day or work week, to coincide with the close of business of international FIs.

FBI best practices:
- Implement a detection system that flags e-mails with extensions similar to the company e-mail. E.g., if your legitimate company e-mail is @company.com, the e-mail @c0mpany.com would be flagged.
- Don't rely solely on spam filters to catch these e-mails. Krebs on Business E-mail Compromise: "Spoofed emails used in BEC scams are unlikely to set off spam traps because the targets are not mass emailed. And criminals sending them take the time to research the target organization's relationships, activities, interests, and travel and purchasing plans."
- Register all company domains that are similar to the actual company domain.
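The look-alike-domain check recommended above, written out as an added example (not code from the presentation or from the FBI guidance). COMPANY_DOMAINS, the character-substitution table and the sample headers are constructed; the Reply-To check is an addition, since BEC mail frequently keeps a genuine-looking From address and diverts replies through Reply-To.

```python
# Added example: flag e-mail senders whose domain imitates the company's own domain.
import unicodedata
from email.utils import parseaddr

COMPANY_DOMAINS = {"company.com"}   # constructed: the legitimate domain(s)

# Digits and symbols that visually imitate letters, e.g. c0mpany.com (constructed table)
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                             "7": "t", "8": "b", "|": "l"})


def normalize(domain: str) -> str:
    """Fold case, accents, digit look-alikes and letter pairs that mimic one letter."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    d = d.translate(_HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, so a single typo or a swapped TLD is still caught."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str, company_domains=COMPANY_DOMAINS) -> str:
    """Return 'internal', 'lookalike' or 'external' for a sender domain."""
    domain = domain.lower().rstrip(".")
    if domain in company_domains or any(domain.endswith("." + d) for d in company_domains):
        return "internal"
    norm = normalize(domain)
    for legit in company_domains:
        legit_n = normalize(legit)
        if norm == legit_n or levenshtein(norm, legit_n) <= 2:
            return "lookalike"                    # c0mpany.com, cornpany.com, company.co
        if legit_n.split(".")[0] in norm.split(".")[0]:
            return "lookalike"                    # company-payments.com, companyinc.net
    return "external"


def scan_headers(headers: dict) -> list:
    """Reasons to hold a message for review; an empty list means no look-alike found.

    Reply-To is checked as well as From, because BEC mail often keeps a genuine
    looking From address and puts the look-alike domain only in Reply-To."""
    reasons = []
    for field in ("From", "Reply-To"):
        _, addr = parseaddr(headers.get(field, ""))
        if "@" not in addr:
            continue
        sender_domain = addr.rsplit("@", 1)[1]
        if classify_domain(sender_domain) == "lookalike":
            reasons.append(f"{field} uses look-alike domain {sender_domain}")
    return reasons


if __name__ == "__main__":
    for hdrs in (                                  # constructed sample messages
        {"From": "CEO <ceo@company.com>"},
        {"From": "CEO <ceo@c0mpany.com>"},
        {"From": "CEO <ceo@company.com>", "Reply-To": "ceo@cornpany.com"},
        {"From": "Vendor AP <ap@example.org>"},
    ):
        print(hdrs, "->", scan_headers(hdrs) or "ok")
```

A flagged message should be routed to a human review queue rather than silently dropped, since legitimate partners do occasionally use brand-bearing domains.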

Business E-mail Compromise
- Verify changes in vendor payment locations by adding additional two-factor authentication, e.g., a secondary sign-off by company personnel.
- Confirm requests for funds transfers. When using phone verification, use previously known numbers, not the numbers provided in an e-mail request.
- Know the habits of your customers when it comes to payment habits and amounts; flag anything out of the ordinary.
- Carefully scrutinize all e-mail requests for funds transfers to determine if the requests are legitimate.

Business E-mail Compromise: If victimized
- Immediately contact your bank and request that they contact the corresponding FI where the transfer was sent.
- Contact your FBI office if the transfer is recent. The FBI, working with FinCEN, might be able to help return or freeze the funds.
- File a detailed complaint with www.ic3.gov. Be sure to identify the incident as a BEC scam.
SOURCE: "BEC Scams: A $1.2 Billion Threat to Treasury & Finance," by Andrew Deichler, afponline.org, Aug. 31, 2015

Protection/Prevention?
- Talk to your bank. E.g., Amegy allows customers free access to IBM Security Trusteer Rapport software, which targets malware and phishing.
SOURCE: "Hacked & Strapped: Houston Banks Spending Millions on Cybersecurity," by Suzanne Edwards, Houston Business Journal, Mar. 13, 2015

EMV
- EMV = Europay, MasterCard, and Visa
- Global standard for credit & debit payments using chip cards (chip cards, chip-and-PIN cards, and smart cards)
- Cards include a microchip that sends a dynamic protected value unique to each transaction: dynamic data vs. static data
- Reduction in counterfeit card-present fraud: cloning a chip card is virtually impossible

EMV
- Merchant point-of-sale (POS) terminal upgrades: contact ("dipping"); contactless (the chip is equipped with a wireless antenna so it can be tapped on an NFC reader)
- FIs issue new credit/debit cards containing chips: Chip & PIN; Chip & Signature; Chip & Choice [US]

EMV Liability Shift: Oct. 1, 2015
- Fuel-selling merchants: Oct. 1, 2017
- How much will the liability shift drive merchants/card issuers? Many community bank card issuers are in the queue with processors. Merchants lag, especially small businesses. Will even the big-box merchants wait to activate chip acceptance until after this year's holiday season?
- ATM Liability Shift: MasterCard, Oct. 2016; Visa, Oct. 2017

EMV: Where are we?
- Visa: about 16% of Visa's 700m cards in the U.S. have been converted to EMV. Forecast: 63% of the cards will be EMV by the end of the calendar year.
- Recent Visa studies indicated 83% awareness of chip cards amongst consumers in May; 89% in July.
- Julie Conroy, Aite: 70% of all credit cards and 41% of debit cards will be EMV by the end of the year.
SOURCE: "The State of EMV, by the Numbers," by David Heun, PaymentsSource, August 12, 2015

EMV
- Most FIs are issuing chip-and-signature
- Lost/stolen and card-not-received fraud: EMV can address this, if chip-and-PIN. The U.S. is "chip-and-choice"; most cards are being issued as chip-and-signature. With chip and signature, a fraudster can steal mail and use the card without knowing a PIN.
- Will EMV implementation in the U.S. lead to a rise in instances of non-receipt of mail?

EMV
- Brian Krebs, KrebsonSecurity.com, Aug. 2015, reported a "shimmer" found on an ATM in Mexico.
- Shimmer: a thin device that sits between the card's chip and the chip reader when the cardholder inserts ("dips") the card into the slot. Analogous to a skimmer on POS card readers, fuel pumps or ATMs, which steals mag-stripe payment card info.
- The shimmer reported by Krebs was easily inserted into the ATM and reportedly could capture EMV card data.
SOURCE: "Does a Shimmer on a Mexican ATM Portend a Fraud Threat to U.S. EMV Chip Cards?" by Jim Daly, Digital Transactions News, Aug. 13, 2015

Beyond EMV: Online Payments
- EMV does not address online card fraud
- Possible solutions: 3DSecure (Verified by Visa, MasterCard SecureCode, etc.); online PIN debit (e.g., Acculynk's PaySecure, which uses a "floating PIN pad"); card readers at home

Beyond EMV
- Tokenization (data at rest): merchant; mobile devices (e.g., Apple Pay)
- Point-to-Point Encryption (P2PE) (data in transit)

Mobile Banking Fraud Alerts
- Security Service FCU ($8.3b; 700,000 members in TX, CO and UT) offers real-time credit and debit card text fraud alerts
- Free service (except where phone charges apply)
- Credit card fraud alerts: members sign up online
- Debit card fraud alerts: automatically enrolled
- "The minute we detect any suspicious debit or credit card activity on the account, we send a text message asking for verification of the transaction." Howard Baker, EVP/chief risk officer, Security Service FCU

Mobile Banking Card Controls
- Customer/member can: turn credit/debit card(s) on and off; set locations where the cards can be used; set spending limits; control use by transaction and merchant types
- Examples: City Bank Texas, Lubbock; some CUs using CO-OP Financial Services CardNav; Discover's Freeze It
- Free; can be used via mobile, online, or phone

Mobile Banking - Security: Biometrics
- Touch ID
- Facial recognition (e.g., USAA)
- Voice recognition (e.g., USAA)
- Mobile treasury management functionality, e.g., approve a wire transfer from a mobile device

Mobile Payments
- Cell phone, smart phone, tablet, watch, etc.
- Two types of mobile payments:
- Proximity payment: a mobile device with technology embedded in/displayed on it is used to make a payment at POS (e.g., using a mobile phone to make a payment at POS)
- Remote payment: a mobile device is used to initiate a payment regardless of proximity to the payee/POS (e.g., using a mobile phone to make a payment via PayPal)

Mobile Payments Evolving (timeline: 2006-2008, 2009-2010, 2011, 2012, 2013-2015)
- Remote SMS & e-commerce payments: PayPal Text to Buy; Amazon Text Buy It
- Mobile web payments: Amazon
- QR code: Starbucks; LevelUp
- PayPal Here
- Isis NFC Wallet [later Softcard, bought by Google 2/2015]
- Mobile wallets
- Direct carrier billing
- Mobile app stores: Apple App Store; Android Market
- RFID contactless cards
- Mobile card acceptance: Square
- NFC: Google Wallet
- Prepaid: AmEx
- Cloud digital wallet: Apple Passbook; PayPal In-store; Square Wallet (discontinued)
- NFC/cloud wallet: Google Wallet; Google Wallet KitKat HCE
- Beacon BLE: PayPal Beacon
- Prepaid: AmEx Bluebird
- FI/card network tokenization: TCH, EMVCo, X9
- Mobile bank account: Green Dot GoBank

Mobile Payments Opportunities
- Consumer convenience
- Security: safer than cash; chip technology (card emulation) for better authentication to mitigate counterfeit cards and fraudulent payments
- Financial inclusion for the unbanked
- International compatibility and global acceptance
- Cross-selling, convergence with ad and loyalty programs

Mobile Payments Challenges
- Slow consumer adoption
- Lack of standards and interoperability
- Proliferation of business models, including hardware and software
- Unclear and complex regulatory environment
- Security concerns

Mobile Payments Security
PRO:
- Geo-fencing, biometrics
- Mobile wallet in a secure element, or digital wallet accessing the cloud via a token, protects data
- Diverse platforms may mitigate systemic spread of malware
- Lose your mobile wallet? Telco can remotely wipe or disable
CON:
- Malware in mobile is growing: 60K malwares in the McAfee database; TrendMicro says >10% of apps infected
- Consumers don't practice safe mobile computing
- Consumers say security is the primary reason for avoiding mobile payments

Mobile Wallets
- a.k.a. digital wallets
- Mobile technology that functions like a physical wallet
- Can hold credit and debit cards, reward/loyalty cards, etc. Eventually, medical records; digital driver's licenses (e.g., initiatives in Iowa, Delaware)
- Generally, consumer adoption of mobile wallets to date has been limited. Mobile wallets don't necessarily solve a problem for consumers; swiping a credit card is not really that difficult!

Near Field Communication (NFC)
- Short-range wireless RFID technology (as opposed to the longer range used for toll tags, for example)
- Credit/debit card info is provisioned to the mobile wallet
- Credit/debit card information is encrypted and stored in a secure element (SE) in the phone (as opposed to in the cloud)
- The SE is often an embedded chip controlled by the handset manufacturer, or the SIM card, which is controlled by the mobile carrier
- Limited number of merchants are NFC-enabled
- Potential drivers of NFC upgrade at merchant POS: EMV; Apple Pay

Mobile Wallets: Apple Pay
- iPhone 6 (Sept. 2014); Apple Pay (Oct. 2014); Apple Watch (Apr. 2015)
- Uses NFC technology to facilitate contactless payments at point of sale (POS); also allows in-app payments
- NFC antenna across the top of the phone
- NFC protocol has encryption built into it
- Uses the Passbook app (will be renamed Wallet in iOS 9)
Image credit: Apple Inc.

Apple Pay
- Uses the iPhone's Touch ID fingerprint scanner as a form of authentication: introduced in the previous iPhone model, the 5s; built into the iPhone's home button
- iPhone 6 has a new chip, a secure element (SE), in the phone handset: stores the cardholder's payment information, though not the actual card number
Image credit: Apple Inc.

Apple Pay
- Automatically uses the consumer's card on file with iTunes as the default payment account
- Users add additional cards by scanning them with the phone's camera, or typing card details into the Passbook app
- Apple verifies card account data with the card issuer and places a digital rendering of the card in Passbook

Apple Pay
- Apple provides the card-issuing FI with information to help validate a new card: the potential customer's device name; current location; whether or not the customer has a long history of transactions within iTunes
- The issuing FI decides if additional verification is needed
- Apple iOS Security Guide: "Depending on what is offered by the card issuer, the user may be able to choose between different options for additional verification, such as a text message, email, customer service call, or a method in an approved third-party app to complete the verification."

Apple Pay Card Validation
An FI might:
- Ask the cardholder to enter additional data to confirm his identity
- Require cardholders to log into their online accounts to authorize Apple Pay
- Ask the cardholder to call a customer-service rep to set up the card. E.g., Wells Fargo requires some customers to provide additional verification to add a card. Customers are directed to call in to verify or to download the Wells Fargo Verify app. The app guides the customer through the verification process.

Apple Pay
- Apple Pay uses tokenization to remove payment card numbers from the transaction process
- When a user adds a card, Apple does not store the actual card number. Instead, it creates a device-only account number for each card and stores it in the phone's SE
- Each time Apple Pay is used, Apple uses a one-time payment number, along with a dynamic security code
- Essentially creates a one-time card use system, and eliminates the need for the static security code (CVV/CVC) on the plastic card
- The merchant never sees the cardholder's name, card number or security code

Apple Pay
- To make a payment using his default card, the user does not need to open an app or wake the phone, because of the NFC antenna
- Holds the iPhone near the merchant's contactless card reader
- Uses Touch ID (home button) to authenticate by fingerprint
- A subtle vibration and beep indicate payment information has been sent
- If the user wants to pay with a card other than his default card, he must first open the Passbook app and select an alternate card

Apple Pay Fees
- Card-issuing FIs pay a per-transaction fee to Apple to be included in Apple Pay: 15 bps on credit card transactions; $.005 on debit card transactions

Apple Pay Banks/CUs
- 2,500 FIs have signed on to Apple Pay; 400+ live (8/2015)
- Security Service FCU (San Antonio): 425,000 credit and debit cardholders. "We are fighting a fierce battle for the hearts, minds and eyeballs of our members so we want to be relevant and exciting for them." Jim Laffoon, president/CEO, Security Service FCU
- See Apple's list at http://support.apple.com/en-us/ht6288
- See Visa's list at http://usa.visa.com/clients-partners/technology-and-innovation/applepay/financial-institutions/index.jsp

Apple Pay - Issues
- Not ubiquitous; many retailers won't accept Apple Pay (8m POS in the U.S.)
- As of 3/9/2015: accepted at nearly 700,000 U.S. merchant locations, according to Apple. 7/2015: anticipate 1.5m+ locations by EOY 2015. How does Apple define a "location"? Acceptance terminal? Many of those are vending machines.
- Number of iPhones in consumers' hands: originally only iPhone 6 and iPhone 6+, but Apple Watch enables payments (must be paired with the iPhone to do so). Will extend Apple Pay to iPhone 5, 5c, and 5s; opens up Apple Pay to over 69% of devices on its OS (Javelin)
Image credit: Apple Inc.

Apple Pay Future?
- "As we continue to move away from plastic cards, will FIs be able to instantly issue card accounts into Apple Pay? That will move the market for us." Jason Tinurelli, U.S. Bank's SVP retail payment solutions, digital strategy and innovation. Quoted in "Mobile Makes Headlines, But Plastic Makes Progress," by David Heun, PaymentsSource, Apr. 13, 2015

Mobile Wallets: Samsung Pay
- Samsung Pay will be available on the Galaxy S6 and S6 Edge in September
- 2/2015: Samsung announced purchase of LoopPay (Magnetic Secure Transmission). Users able to pay for purchases at 90% of mag-stripe payment terminals, as well as NFC terminals. Could help Samsung Pay gain merchant acceptance quickly compared to Apple Pay

Samsung Pay
- Participants: Visa, MasterCard; US Bank, Synchrony Financial (formerly GE Capital); in discussions with AmEx, BofA, Citi, JPMC, others...
- Security: fingerprint reader; tokenization
- Samsung won't charge banks and credit-card issuers transaction fees.
SOURCE: "Samsung Pay Could Win Over Banks Faster than Apple Did," Bloomberg News, Aug. 14, 2015

Mobile Wallets: Android Pay
- 5/28: Google announced Android Pay
- Will be the Android solution for in-store and in-app payments
- Google Wallet will be a dedicated person-to-person (P2P) app for Android and iOS
- Will come pre-loaded on new Android smart phones from Verizon, AT&T, and T-Mobile

Android Pay
- Like Apple Pay: Near-Field Communication (NFC), but the Host Card Emulation (HCE) variant of NFC; tokenization; fingerprint authentication

Mobile RDC
- Risk: double dipping (or triple, etc.)
- Mitigants: FIs that offer mobile RDC should have protections in place to block duplicate deposits; do not have to offer mobile RDC to all customers (qualify them); typically limit the dollar amount that can be deposited (daily, monthly); restrictive endorsement
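The four mitigants listed above (duplicate blocking, customer qualification, daily/monthly limits, restrictive endorsement) combined into one screening routine, as an added example written for this page and not the presentation's or any FI's code. The limit values, the endorsement wording "for mobile deposit only", the MICR field names and the sample deposits are constructed.

```python
# Added example: screen a mobile remote-deposit-capture (RDC) item before accepting it.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Deposit:
    customer: str
    routing: str      # paying bank routing number from the MICR line
    account: str      # drawer's account number from the MICR line
    check_no: str     # check serial number from the MICR line
    cents: int        # amount in cents; integers avoid float rounding
    endorsement: str  # text read from the back of the item
    day: date


class RdcScreen:
    """Keeps the history needed to catch the same check being deposited twice."""

    REQUIRED_ENDORSEMENT = "for mobile deposit only"   # assumption: the FI's wording

    def __init__(self, eligible, daily_limit_cents, monthly_limit_cents):
        self.eligible = set(eligible)   # the FI qualifies customers before enabling RDC
        self.daily_limit = daily_limit_cents
        self.monthly_limit = monthly_limit_cents
        self.seen = set()               # MICR keys of items already accepted
        self.daily = {}                 # (customer, day) -> cents accepted
        self.monthly = {}               # (customer, year, month) -> cents accepted

    def screen(self, d: Deposit) -> list:
        """Return the reasons to reject the item; an empty list means it was accepted."""
        reasons = []
        if d.customer not in self.eligible:
            reasons.append("customer not qualified for mobile RDC")
        micr_key = (d.routing, d.account, d.check_no)
        if micr_key in self.seen:          # same physical check presented again
            reasons.append("duplicate: this item was already deposited")
        if self.REQUIRED_ENDORSEMENT not in d.endorsement.lower():
            reasons.append("missing restrictive endorsement")
        day_key = (d.customer, d.day)
        month_key = (d.customer, d.day.year, d.day.month)
        if self.daily.get(day_key, 0) + d.cents > self.daily_limit:
            reasons.append("daily limit exceeded")
        if self.monthly.get(month_key, 0) + d.cents > self.monthly_limit:
            reasons.append("monthly limit exceeded")
        if not reasons:                    # only accepted items count toward history
            self.seen.add(micr_key)
            self.daily[day_key] = self.daily.get(day_key, 0) + d.cents
            self.monthly[month_key] = self.monthly.get(month_key, 0) + d.cents
        return reasons


def demo() -> list:
    """Constructed sequence: a good deposit, the same check again, then an over-limit item."""
    screen = RdcScreen(eligible={"cust-1"}, daily_limit_cents=250_000, monthly_limit_cents=1_000_000)
    good = Deposit("cust-1", "123123123", "555001", "1001", 120_000, "For Mobile Deposit Only", date(2015, 9, 15))
    again = Deposit("cust-1", "123123123", "555001", "1001", 120_000, "For Mobile Deposit Only", date(2015, 9, 16))
    large = Deposit("cust-1", "123123123", "555001", "1002", 200_000, "For Mobile Deposit Only", date(2015, 9, 15))
    return [screen.screen(good), screen.screen(again), screen.screen(large)]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict or "accepted")
```

In production the duplicate check must also run against items received through other channels (branch, ATM, paper) and across FIs via the paying bank's returns, since a mobile-only history will not see a check that was first deposited elsewhere.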

Mobile RDC
- Regulatory guidance: 2009 FFIEC Guidance, Risk Management of RDC
- FRB Board RFC on proposed changes to Reg CC: 2011: http://www.federalreserve.gov/newsevents/press/bcreg/20110303a.htm; 2013: http://www.federalreserve.gov/newsevents/press/other/20131212a.htm

Mobile ATM Transactions
- Fidelity (FIS) piloting a mobile app that facilitates cardless ATM withdrawals
- Customer queues up an ATM transaction in the mobile app before arriving at the ATM; the ATM displays a QR code; the user scans the QR code to complete the transaction
- Combats skimming
- Speeds up transactions: at the ATM, 7-10 seconds per transaction as opposed to more than 45 seconds traditionally

Questions?
Matt Davies, AAP, CTP, Payments Outreach Officer, Federal Reserve Bank of Dallas, 214-922-5259, matt.davies@dal.frb.org