Payments Fraud: It's Not Fun & Games
Claudia Swendseid, Senior Vice President
Payments Information & Outreach Office, Federal Reserve Bank of Minneapolis
NACHA Payments 2015

Claudia Swendseid
Senior Vice President, Federal Reserve Bank of Minneapolis
- Serves on the Minneapolis Bank's senior management committee
- Provides executive oversight to operations, customer service, technology & payments functions, as well as to the Financial Services Policy Committee Support Office
- Conducts industry relations on behalf of the Federal Reserve System, serving as a liaison to selected national banking & business associations
- Vice Chair, Accredited Standards Committee X9, Financial Industry Standards

Federal Reserve Banks
- Provide financial services to depository institutions & U.S. government
- Supervise & regulate financial institutions
- Establish & execute U.S. monetary policy
- Maintain a stable financial system & contain systemic risk

2015 Federal Reserve Bank of Minneapolis. Materials are not to be used without consent.

Agenda
- Interactive Format for Session
- Payment Fraud Attempts & Losses
- Fraud Schemes
- Fraud Mitigation Methods

Disclaimer: The opinions expressed are those of the individual presenter & not those of the Federal Reserve System or any Federal Reserve Bank

Fraud Attacks

Payment Fraud Attempts & Losses
What are the top 3 payment types where financial institution (FI) respondents experienced the highest number of fraud attempts (regardless of actual financial losses) in 2013?
[Bar chart: Top 3 Payment Types with Highest Number of Fraud Attempts by % of FS Respondents with Fraud Attempts. Series: 2014 (N=308), 2012 (N=668). Categories: Debit signature, Checks, Debit PIN, ACH debits, Credit cards, Wire, ACH credits, Cash, Prepaid cards.]
Source: Federal Reserve 2014 Payments Fraud Survey - Summary of Consolidated Results

Payment Fraud Attempts & Losses
What percentage of FIs (A) & businesses (B) experience financial loss due to payments fraud?

Percent of Organizations with Payment Fraud Losses in 2013
Response | FS Organizations (N=386) | Businesses (N=293)
Experienced losses | 76% | 30%
No losses | 16% | 51%
Don't know | 8% | 19%

Source: Federal Reserve 2014 Payments Fraud Survey - Summary of Consolidated Results

Unauthorized Transactions by Payment Method
What payment type has the highest loss rate due to unauthorized transactions?
Source: 2013 Federal Reserve Payments Study

Payment Fraud Losses
What are the top 3 payment types where FIs (A) & businesses (B) experienced their highest financial loss due to payments fraud?

A: Top 3 Payment Types Identified by % of FS w/ Fraud Losses (N=278)
1. Debit Signature (94%)
2. Debit PIN (60%)
3. Checks (55%)

B: Top 3 Payment Types Identified by % of Biz w/ Fraud Losses (N=87)
1. Credit Cards (67%)
2. Checks (63%)
3. Debit Signature (20%)

Fraud loss pain points differ for FIs & Businesses
Source: Federal Reserve 2014 Payments Fraud Survey - Summary of Consolidated Results

Fraud Schemes

Fraud Schemes
What are the top 3 most used fraud schemes involving payments by or on behalf of FI customers?
Source: Federal Reserve 2014 Payments Fraud Survey - Summary of Consolidated Results

Source of Data Used in Payment Fraud Schemes
What are the top sources used by fraudsters to obtain "sensitive" information?

Top 3 Information Sources Used in Fraud Schemes
Information source | FS (N=310) | Biz (N=191) | All Org. (N=501)
Information obtained from lost or stolen card, check, document or device while in consumer's control | 45% | 30% | 40%
Email & webpage cyber attacks to obtain "sensitive" customer information, e.g., phishing, spoofing | 35% | 24% | 31%
Physical device tampering, e.g., use of skimmer | 37% | 10% | 27%
Data breach due to computer hacking | 34% | 9% | 25%
Org's info obtained from a legitimate check issued | 18% | 35% | 25%
Information about customer obtained by family or friend | 25% | 9% | 19%

Source: Federal Reserve 2014 Payments Fraud Survey - Summary of Consolidated Results

Payment Card Skimmers
What asset is most affected w/ card skimmers?
[Bar chart, 0% to 100%: assets affected by card skimmers. Categories: ATM (terminal), Gas Terminal (terminal), Access Reader (network), PED Pad (terminal), POS Terminal (user dev), Backup (server), Database (server), Mail (server), Mainframe (server), Proxy (server).]
Source: Verizon 2014 Data Breach Investigations Report

Publicly Reported Data Breaches
In publicly reported 2013 data breaches, how many millions of records were exposed?
[Chart: Records Exposed, in Millions of Records (left scale), and Incidents, in Breaches (right scale), by year, 2008 to 2013.]
Note: The number of records exposed is a lower bound because the number is not available in 35 percent of breaches.
Source: FRB Kansas City Economic Review, Oct. 2014

Risk Mitigation

Internal Controls & Procedures
FIs are heavy users of internal controls
What controls are rated very effective by 80% or more of FIs using them?

Internal Controls & Procedures | Currently Use (% of FS) | Very Effective (% of FS Using)
Address exception items timely | 98% | 76%
Periodic internal/external audits | 98% | 74%
Logical access controls to network/payment applications | 95% | 85%
Verify controls applied via audit or management review | 94% | 73%
Dual control/separate duties w/in payment processes | 93% | 82%
Reconcile bank accounts daily | 93% | 82%
Transaction limits for payment disbursements | 92% | 72%
Authentication/authorization controls to payment processes | 92% | 85%
Physical access controls to payment processing functions | 91% | 81%
Review card-related reports daily | 89% | 72%
Restrict/limit employee Internet use from org's network | 84% | 56%
Prohibit use of BYOD for processing of org's payments | 83% | 77%
Transaction limits for corporate card purchases | 80% | 70%
Separate banking accounts by purpose or payment type | 75% | 68%
Employee hotline to report potential fraud | 44% | 52%
Dedicated computer to conduct transactions w/FI or FS | 35% | 82%

Source: Federal Reserve 2014 Payments Fraud Survey - Summary of Consolidated Results

Customer Authentication Methods
What methods are rated very effective by 70% or more of FIs using them?
Effectiveness of authentication methods change
50% of FIs plan to use card chip authentication by 2016

Customer Authentication Methods | Currently Use (% of FS) | Very Effective (% of FS Using)
Multi-factor authentication | 90% | 76%
PIN authentication | 89% | 56%
Signature verification | 85% | 43%
Customer authentication for online transactions | 82% | 60%
Magnetic stripe authentication | 77% | 35%
Verify card security code (CVV2, CVC2, or CID codes) | 73% | 36%
Positive ID of purchaser for in-store/person transactions | 68% | 65%
Real-time decision support during account application or POS | 66% | 66%
Token authentication (USB token or fob) | 45% | 89%
Out-of-band authentication | 44% | 75%
Mobile device to authenticate person | 27% | 73%
Verify customer ID is authentic (magnetic stripe) | 26% | 56%
Biometrics authentication | 6% | 71%
Card chip authentication | 2% | 71%

Source: Federal Reserve 2014 Payments Fraud Survey - Summary of Consolidated Results

Transaction Screening & Risk Management Methods
Methods used are manual & automated
What methods are rated very effective by 50% or more of FIs using them?

Transaction Screening & Risk Management Methods | Currently Use (% of FS) | Very Effective (% of FS Using)
Provide staff education on payment fraud risk mitigation | 93% | 46%
Human review of payment transactions | 79% | 49%
Fraud detection pen for currency | 76% | 54%
Buy insurance coverage to minimize risk | 75% | 40%
Provide customer education on payment fraud risk mitigation | 72% | 26%
Participate in fraudster databases & receive alerts | 71% | 39%
Fraud detection software with pattern matching | 63% | 57%
Centralized risk management department | 52% | 55%
Centralized fraud info database - one payment type | 45% | 52%
Centralized fraud info database - multiple payment types | 32% | 54%

Source: Federal Reserve 2014 Payments Fraud Survey - Summary of Consolidated Results

FS Risk Services Offered to Commercial Account Holders
Online information services & multi-factor authentication are offered by most FIs to their biz clients
Are FIs offering tools that are rated most effective?

Risk Services Offered to Business Clients | Currently Offer (% of FS) | Very Effective (% of FS Offering) | Very Effective (% of Biz Using)
Online information services, e.g., statements | 90% | 60% | 67%
Multi-factor authentication to initiate payments | 83% | 78% | 88%
Account alert services | 69% | 51% | 64%
Payment fraud prevention training | 61% | 42% | 51%
Account masking services | 50% | 47% | 70%
ACH debit blocks | 48% | 67% | 90%
Fraud loss prevention services | 43% | 49% | 60%
Card alert services for commercial/corporate cards | 39% | 67% | 71%
Check positive pay/reverse positive pay | 32% | 68% | 93%
ACH debit filters | 31% | 66% | 91%
Check payee positive pay | 21% | 70% | 94%
ACH positive pay | 20% | 77% | 83%
Post no check services | 19% | 73% | 96%
Tokenization of sensitive information | 15% | 80% | 92%
ACH payee positive pay | 14% | 76% | 83%

Source: Federal Reserve 2014 Payments Fraud Survey - Summary of Consolidated Results

Opportunities to Reduce Payments Fraud

Controlling Fraud Losses
What key changes to payments risk management practices are FIs making to mitigate payments fraud losses?

Key Changes Made to Payments Risk Management Practices by % of FS Respondents that Made Changes (N=251)
Staff training & education | 73%
Enhanced fraud monitoring system | 67%
Enhanced internal controls & procedures | 54%
Increased use of risk mgmt tools offered by financial service provider | 47%
Enhanced methods to authenticate customer | 46%

Source: Federal Reserve 2014 Payments Fraud Survey - Summary of Consolidated Results

Most Needed Improvements
What are the top two most needed improvements to reduce payments fraud?

Most Needed New or Improved Methods to Reduce Payments Fraud | FS (N=297) | Non-FS (N=185) | All Orgs (N=482)
Replacement of card/magnetic stripe with EMV chip technology | 75% | 50% | 65%
Controls over Internet payments | 62% | 44% | 55%
More aggressive law enforcement | 48% | 45% | 47%
Consumer education on fraud prevention | 49% | 27% | 40%
Controls over mobile payments | 44% | 30% | 39%
Information sharing on emerging fraud tactics conducted by criminal rings | 35% | 45% | 39%
Industry specific education on best prevention practices for fraud | 26% | 37% | 30%
Industry alert services | 26% | 36% | 30%
Tokenization of sensitive information | 27% | 35% | 30%
Image survivable check security features for business checks | 11% | 19% | 14%

Source: Federal Reserve 2014 Payments Fraud Survey - Summary of Consolidated Results

Preferences in Adoption of Authentication Methods
Why is Chip & PIN preferred?
- Smart chip cards/devices contain embedded microprocessors that provide strong security features against counterfeit fraud in card present transactions
- Dynamic data authentication is an authentication technique used in chip transactions & protects against card skimming, counterfeiting & replay fraud
- Chip & PIN authentication is more secure because it requires two factors for authentication: what you have, the chip (in a card or a mobile device) & what you know, the PIN

Authentication Method Preferences | FS (N=295) | Biz (N=151) | All Orgs (N=436)
Chip & PIN requirement | 80% | 27% | 70%
Chip for dynamic authentication | 68% | 18% | 56%
Multi-factor authentication | 48% | 20% | 44%
PIN requirement | 30% | 18% | 31%
Physical Token | 27% | 18% | 29%
Mobile device to authenticate person | 32% | 12% | 28%
Out-of-band/channel authentication to authorize payment | 33% | 6% | 25%
Biometrics | 18% | 7% | 16%

Source: Federal Reserve 2014 Payments Fraud Survey - Summary of Consolidated Results

Main Barriers to Fraud Mitigation
What is the top barrier?

Main Barriers | FS (N=250) | Non-FS (N=154) | All Orgs (N=404)
Lack of staff resources | 60% | 55% | 58%
Lack of compelling business case (cost vs. benefit) to adopt new or change existing methods | 36% | 53% | 42%
Consumer data privacy issues/concerns | 37% | 25% | 32%
Corporate reluctance to share information due to competitive issues | 24% | 36% | 28%
Cost of implementing commercially available fraud detection tool/service | 21% | 8% | 16%
Cost of implementing in-house fraud detection tool/service | 17% | 12% | 15%

Source: Federal Reserve 2014 Payments Fraud Survey - Summary of Consolidated Results

What Should FIs & Others Be Doing?
- Ensure fraud prevention & detection is an organizational objective
- Set policies, establish procedures, monitor compliance, & take action on exceptions
- Leverage cost effective tools & processes to address vulnerabilities
- Use a layered approach
- Educate & train employees on fraud prevention
- Educate consumer & corporate customers on fraud; promote prevention services, as appropriate
- Monitor & measure fraud attempts & losses
- Update defenses; best practices today may not be best practices tomorrow

Resources

Resources

Federal Reserve Bank of Minneapolis & our payments information resources
https://www.minneapolisfed.org/about/what-we-do/payments-information
- 2014 Federal Reserve Payments Fraud Survey: Ninth District & Consolidated Results
- Industry & Government Information-Sharing Resources Related to Payments Fraud
- Payments Fraud Liability Matrix

Federal Reserve System
- 2013 Federal Reserve Payments Study: Summary & Detailed Reports
  http://www.frbservices.org/communications/payment_system_research.html
- Strategies for Improving the U.S. Payment System
  https://fedpaymentsimprovement.org/

Questions?