Fraud Prevention and Detection

Early Detection: Point of Purchase/Compromise
- Know at what point your customer’s card was compromised.
- Source as little as two to three cards which have experienced confirmed fraudulent transactions to find the Point of Compromise. A common point of purchase across all cards should emerge.
- Identify other cardholders who may potentially be at risk.
- Write rules to monitor compromised cards for unusual spending activity.
- Use real-time decline or automatic blocking to reduce monetary fraud loss if fraud attempts are made on a compromised card.
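The point-of-compromise search described on this slide, as an added example (not code from the original presentation): given a handful of cards with confirmed fraud, it ranks the merchants those cards have in common, then lists the other cards seen at the winning merchant inside the exposure window so they can be put under monitoring. The transaction history, merchant ids and card ids are all constructed for the example.

```python
from collections import Counter
from datetime import date

# Constructed sample transaction history: (card_id, merchant_id, transaction_date).
# Cards 001-003 later had confirmed fraud; the rest are the wider portfolio.
TRANSACTIONS = [
    ("card-001", "M-GROCER", date(2024, 3, 1)),
    ("card-001", "M-FUEL-17", date(2024, 3, 3)),
    ("card-001", "M-PIZZA", date(2024, 3, 4)),
    ("card-002", "M-FUEL-17", date(2024, 3, 2)),
    ("card-002", "M-CINEMA", date(2024, 3, 5)),
    ("card-003", "M-FUEL-17", date(2024, 3, 3)),
    ("card-003", "M-GROCER", date(2024, 3, 6)),
    ("card-004", "M-FUEL-17", date(2024, 3, 4)),
    ("card-005", "M-GROCER", date(2024, 3, 2)),
    ("card-006", "M-CINEMA", date(2024, 3, 7)),
]
CONFIRMED_FRAUD_CARDS = {"card-001", "card-002", "card-003"}


def merchants_by_card(transactions):
    """Map each card to the set of merchants it was used at."""
    seen = {}
    for card, merchant, _ in transactions:
        seen.setdefault(card, set()).add(merchant)
    return seen


def find_point_of_compromise(transactions, fraud_cards, min_share=1.0):
    """Rank merchants by how many confirmed-fraud cards were used there and keep
    those shared by at least `min_share` of them (1.0 = every fraud card)."""
    by_card = merchants_by_card(transactions)
    counts = Counter()
    for card in fraud_cards:
        for merchant in by_card.get(card, ()):
            counts[merchant] += 1
    needed = min_share * len(fraud_cards)
    return [(merchant, n) for merchant, n in counts.most_common() if n >= needed]


def cards_at_risk(transactions, merchant, fraud_cards, window_start, window_end):
    """Other cards used at the suspected merchant inside the exposure window;
    these are the cardholders to place under enhanced monitoring."""
    return sorted({card for card, m, d in transactions
                   if m == merchant and window_start <= d <= window_end
                   and card not in fraud_cards})


if __name__ == "__main__":
    ranked = find_point_of_compromise(TRANSACTIONS, CONFIRMED_FRAUD_CARDS)
    print("Candidate point(s) of compromise:", ranked)
    if ranked:
        merchant = ranked[0][0]
        print("Cards to monitor:", cards_at_risk(TRANSACTIONS, merchant, CONFIRMED_FRAUD_CARDS,
                                                 date(2024, 3, 1), date(2024, 3, 31)))
```

Lowering `min_share` (for example to 0.5) widens the net when the fraud cards do not all share one merchant; the exposure window should be set from the earliest fraud-card visit to the date the compromise was contained.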

Manual Review
- Reviewing every transaction manually for signs of fraudulent activity.
- Involves an exceedingly high level of human intervention.
- Can prove to be very expensive and time consuming.
- Unable to detect some of the more prevalent patterns of fraud (use of a single credit card multiple times at multiple locations, physical or web sites, in a short span).

Address Verification System (AVS)
- Applicable in card-not-present scenarios.
- Matches the first few digits of the street address and the ZIP code given for delivery/billing of the purchase against the corresponding information on record with the card issuer.
- A code representing the level of match between these addresses is returned to the merchant.
- Not very useful for international transactions.
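An added example (not code from the presentation) of the AVS comparison this slide describes: only the leading digits of the street address and the first five digits of the ZIP are compared, and a one-letter code reports the level of match. The code set (Y/A/Z/N/U) is an assumption modelled on the common US response codes, and the merchant-side policy in `avs_decision` is the author's illustration of the slide's caveat that the check is weak for international orders, which here surface as "U" (unverifiable) rather than as a mismatch.

```python
import re


def _street_number(address: str) -> str:
    """Leading digits of the street address (the part AVS actually compares)."""
    m = re.match(r"\s*(\d+)", address or "")
    return m.group(1) if m else ""


def _zip5(postal: str) -> str:
    """First five digits of a ZIP or ZIP+4, ignoring punctuation."""
    return re.sub(r"\D", "", postal or "")[:5]


def avs_result(given_address, given_zip, on_file_address, on_file_zip):
    """Simplified AVS response code (assumed, modelled on the common US codes):
    Y = street number and ZIP both match, A = street number only,
    Z = ZIP only, N = neither, U = nothing usable on file to compare against."""
    if not (_street_number(on_file_address) or _zip5(on_file_zip)):
        return "U"
    given_no, file_no = _street_number(given_address), _street_number(on_file_address)
    given_zip5, file_zip5 = _zip5(given_zip), _zip5(on_file_zip)
    addr_ok = bool(given_no) and given_no == file_no
    zip_ok = bool(given_zip5) and given_zip5 == file_zip5
    if addr_ok and zip_ok:
        return "Y"
    if addr_ok:
        return "A"
    if zip_ok:
        return "Z"
    return "N"


def avs_decision(code, amount, hold_threshold=250.0):
    """Merchant-side policy on the code: accept full matches, hold partial matches
    above a value threshold for review, decline outright mismatches, and route
    unverifiable (often international) orders to review instead of declining them."""
    if code == "Y":
        return "accept"
    if code in ("A", "Z"):
        return "review" if amount > hold_threshold else "accept"
    if code == "U":
        return "review"
    return "decline"
```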

Card Verification Methods (CVM)
- A 3- or 4-digit numeric code printed on the card but not embossed on it, and not available in the magnetic stripe.
- Ensures that the person submitting the transaction is in possession of the actual card (the code cannot be copied from receipts or skimmed from the magnetic stripe).
- Doesn’t protect merchants from transactions placed on physically stolen cards. Fraudsters who have temporary possession of a card can, in principle, read and copy the CVM code.

Lockout Mechanisms
- Automatic card number generators represent one of the new technological tools frequently utilized by fraudsters. These programs, easily downloadable from the Web, are able to generate thousands of ‘valid’ credit card numbers.
- The traits of frauds initiated by a card number generator are the following:
  – Multiple transactions with similar card numbers (e.g. same Bank Identification Number (BIN))
  – A large number of declines
- Acquiring banks/merchant sites can put in place prevention mechanisms specifically designed to detect number generator attacks.
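A lockout mechanism of the kind this slide calls for, written as an added example rather than taken from the presentation: a sliding-window counter keyed on the BIN (first six digits) locks the BIN once it sees a burst of attempts with a high decline ratio, so the remaining attempts are refused before they reach authorisation. The thresholds, the class and function names, and the attempt log (sequential made-up PANs on one BIN, plus one ordinary approved purchase on another) are all constructed for the example.

```python
from collections import deque
from datetime import datetime, timedelta

BASE = datetime(2024, 3, 1, 10, 0, 0)

# Constructed authorisation attempts: (timestamp, PAN, approved).  The burst on BIN
# 411111 walks through sequential made-up PANs and almost all of them decline, which
# is the pattern the slide attributes to card-number generators; the 555555 attempt
# is an ordinary approved purchase on a different BIN.
ATTEMPTS = [(BASE + timedelta(seconds=5 * i), f"4111110000{i:06d}", i % 10 == 0)
            for i in range(25)]
ATTEMPTS.append((BASE + timedelta(seconds=60), "5555550000000001", True))


class BinLockoutDetector:
    """Sliding-window counter per BIN: lock the BIN once a burst of attempts with a
    high decline ratio is seen, so later attempts are refused before authorisation."""

    def __init__(self, window=timedelta(minutes=5), max_attempts=10, min_decline_ratio=0.5):
        self.window = window
        self.max_attempts = max_attempts
        self.min_decline_ratio = min_decline_ratio
        self._events = {}     # bin -> deque[(timestamp, approved)]
        self.locked_at = {}   # bin -> time the lockout was triggered

    def observe(self, ts, pan, approved):
        """Record one attempt; return True if the BIN is (now) locked out."""
        bin_ = pan[:6]
        if bin_ in self.locked_at:
            return True
        q = self._events.setdefault(bin_, deque())
        q.append((ts, approved))
        while q and ts - q[0][0] > self.window:   # drop events outside the window
            q.popleft()
        attempts = len(q)
        declines = sum(1 for _, ok in q if not ok)
        if attempts >= self.max_attempts and declines / attempts >= self.min_decline_ratio:
            self.locked_at[bin_] = ts
            return True
        return False


def run_detector(attempts, **kwargs):
    """Replay attempts in time order; return (locked_at, number of attempts refused)."""
    det = BinLockoutDetector(**kwargs)
    refused = 0
    for ts, pan, approved in sorted(attempts, key=lambda a: a[0]):
        if det.observe(ts, pan, approved):
            refused += 1
    return det.locked_at, refused


if __name__ == "__main__":
    print(run_detector(ATTEMPTS))
```

In production the key would usually be BIN plus merchant or source IP, and the lockout would expire after a cooling-off period; a genuine issuer-wide outage can also produce a burst of declines, so the decline ratio should be read alongside the distinct-PAN count before blocking.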

Negative and Positive Lists
- Negative list: database used to identify high-risk transactions based on specific data fields. Example: the SAFE file distributed by MasterCard to merchants and member banks.
- Positive files are used to recognize trusted customers (by their card number or address) and bypass certain checks. An important tool to prevent unnecessary delays in processing valid orders.

Negative and Positive Lists (continued)
- Black lists:
  – Proxy server lists
  – Known fraud IP address lists
  – Known fraud address lists
  – Zombie/hacked computer lists
- Fraudulent merchant lists: lists of merchants who have been known for being involved in fraudulent transactions in the past. Provide useful information to acquirers at the time of merchant recruitment. Example: MATCH from MasterCard.

User Data Validation
- The User Data Validation module gives businesses the ability to verify a customer's contact information. Additionally, to reduce financial loss from returned shipping or inaccurate billing, this module automatically detects and corrects spelling and typographical errors.
- User Data Validation will:
  – Identify false names, false addresses, fake phone numbers and stolen banking information
  – Deliver detailed information including actual bank name, phone number and location
  – Conduct a detailed GeoIP analysis of the order to determine user location
  – Compare all collected data for inconsistent fault points contributing to an overall dynamic fraud score

True IP Detection
- In the cat-and-mouse game of fraud and detection, a traditional tactic of fraudsters is to hide their location through the use of proxy servers. This module compares the true data with the data the customer wants you to see.
- True IP Detection will:
  – Identify the publicly visible and local LAN IP addresses
  – Provide GeoIP lookup information for both visible IP addresses
  – Identify discrepancies between user-supplied data and IP data
  – Validate proxy server and net block information

Social Network Validation
- Social Network Validation detects user profiles by searching for them on the most common networks.
- The module compares information made public by the customer against information received in the order.
- Since fraud typically involves mixed-and-matched contact and billing information from multiple stolen identities, this module is another key to determining the legitimacy of a transaction.

Discussion: What Would You Do?
- You have been asked by your manager to assess what type of monitoring product you would need.
- Your monitoring system will provide a range of results; you have been asked to interpret these results.
- You have been asked by your manager to reduce the false positive results in your fraud detection system.
- You have been asked to change the rules in your neural network, and you are unsure what rules to put in place.

Intelligent Fraud-Detection Systems Spot Fraud Before it is Reported by the Cardholder
- Card companies continue to increase the effectiveness and sophistication of customer-profiling neural network systems that can identify unusual spending patterns and potentially fraudulent transactions.
- The card company will then contact the cardholder to check whether the suspect transaction is genuine. If not, an immediate block can be put on the card.

Automated Transaction Alerting
Method used to improve customer service and detection:
- Use automated alerts to decrease fraud staff workload and enable more efficient work practices.
- Use auto alerting to allow customers to set their own security parameters and enable you to deliver a more personalized banking service.

Simple Rule Systems
- Involve the creation of ‘if...then’ criteria to filter incoming authorisations/transactions.
- Rely on a set of expert rules designed to identify specific types of high-risk transactions.
- Effectiveness increases over time (more rules are added to the system).
- ✘ Disadvantage: can increase the probability of throwing valid transactions as exceptions.
  − This limitation can be overcome to some extent by prioritising the rules and fixing limits on the number of filtered transactions.
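An added example (not the presentation's code) of a simple ‘if...then’ rule system that also shows the two mitigations this slide names and the negative/positive lists from the earlier slides: rules carry a priority and are applied in that order; hits from the negative list and IP black list are "hard" and are always exceptions; a positive (trusted customer) list bypasses the soft rules; and the number of soft exceptions is capped so the review queue is not swamped by the lowest-priority rules. The rule set, the list contents, the `Txn` fields and the sample batch are constructed; the real SAFE and MATCH files are not reproduced.

```python
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Txn:
    txn_id: str
    card: str
    amount: float
    country: str
    avs_result: str        # "Y" = address and ZIP match, "N" = neither matched
    ip_on_blacklist: bool


# Constructed stand-ins for the negative and positive files on the earlier slides.
NEGATIVE_CARDS = {"card-999"}   # cards with reported fraud: always an exception
POSITIVE_CARDS = {"card-042"}   # trusted repeat customers: skip the soft rules


@dataclass
class Rule:
    name: str
    priority: int                      # lower = more important, applied first
    predicate: Callable[[Txn], bool]
    hard: bool = False                 # hard rules fire even for positive-list cards


RULES = [
    Rule("negative_list", 0, lambda t: t.card in NEGATIVE_CARDS, hard=True),
    Rule("blacklisted_ip", 1, lambda t: t.ip_on_blacklist, hard=True),
    Rule("avs_mismatch_high_value", 2, lambda t: t.avs_result == "N" and t.amount > 200),
    Rule("foreign_high_value", 3, lambda t: t.country != "US" and t.amount > 500),
]


def filter_transactions(txns: List[Txn], rules: List[Rule], max_soft_exceptions: int):
    """Apply rules in priority order; the first matching rule tags the transaction.
    Hard hits are always exceptions.  Soft hits are capped at max_soft_exceptions
    (highest priority first); the overflow passes instead of swamping the review
    queue, which is the 'limit on filtered transactions' fix from the slide.
    Returns (flagged: {txn_id: rule_name}, passed: [txn_id, ...])."""
    ordered = sorted(rules, key=lambda r: r.priority)
    hits = []
    for t in txns:
        trusted = t.card in POSITIVE_CARDS
        for r in ordered:
            if r.predicate(t) and (r.hard or not trusted):
                hits.append((r.priority, t.txn_id, r.name, r.hard))
                break
    hits.sort(key=lambda h: (h[0], h[1]))
    kept = [h for h in hits if h[3]] + [h for h in hits if not h[3]][:max_soft_exceptions]
    flagged = {txn_id: name for _, txn_id, name, _ in kept}
    passed = [t.txn_id for t in txns if t.txn_id not in flagged]
    return flagged, passed


# Constructed sample batch.
TXNS = [
    Txn("t1", "card-999", 20.0, "US", "Y", False),    # on the negative list
    Txn("t2", "card-042", 900.0, "GB", "N", False),   # trusted customer, soft rules bypassed
    Txn("t3", "card-100", 300.0, "US", "N", False),   # AVS mismatch on a large order
    Txn("t4", "card-101", 800.0, "FR", "Y", False),   # foreign high value
    Txn("t5", "card-102", 15.0, "US", "Y", True),     # request came from a blacklisted IP
    Txn("t6", "card-103", 40.0, "US", "Y", False),    # nothing suspicious
]

if __name__ == "__main__":
    print(filter_transactions(TXNS, RULES, max_soft_exceptions=1))
```

Capping soft exceptions trades a known number of missed soft hits for a review queue the team can clear; the transactions that overflow the cap should still be logged so the rule priorities can be re-tuned from what was let through.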

Neural Network Technologies
- Based on the ‘statistical knowledge’ contained in extensive databases of historical transactions, and fraudulent ones in particular.
- A neural network is a computerized system that sorts data logically by performing the following tasks:
  – Identifies the cardholder’s buying patterns and fraudulent activity patterns.
  – Processes data by trial and elimination (excluding data that is not relevant to the pattern).
  – Finds relationships between the patterns and current transaction data.

Neural Network Technologies (continued)
- Advantages:
  – These models are able to learn from the past and thus improve results as time passes.
  – Can extract rules and predict future activity based on the current situation.
- Disadvantages:
  – Needs feeding with fraud data continually.
  – Without new data, the profile built up will decay.

Bayesian Technology
- A more advanced form of neural networks.
- Self-learning.
- Does not need continual data to preserve profiles.
(Caribbean Electronic Payments LLC, June 16, slide 20)

Fraud Analytics
- Allows a better view/perspective on trends in fraud occurrences.
- Enables using the trends identified to improve preventive measures and controls.
- Added benefit of customer profiling using data mining.
- Defines false positives and false negatives as what they are.

Risk Scoring Technologies
- Tools based on statistical models designed to recognize fraudulent transactions, based on a number of indicators derived from the transaction characteristics.
- Provide one of the most effective fraud prevention tools available.
- The comprehensive evaluation of a transaction is captured by a single number.
- Transactions can be prioritized based on the risk score; given a limited capacity for manual review, only those with the highest score would be reviewed.
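An added example (not code from the presentation) of a minimal risk-scoring model of the kind this slide describes: per-indicator weights are estimated from a small labelled history as log-likelihood ratios (a naive-Bayes style model, with Laplace smoothing so an indicator never seen in one class does not get an infinite weight), the weights are collapsed into a single 0–999 score, and a triage step returns only as many transactions as the manual-review team has capacity for. The indicator names, the history and the incoming transactions are all constructed; a production scorer would use a richer model and far more data.

```python
import math

INDICATORS = ["high_amount", "foreign", "night_time", "new_device", "avs_mismatch"]

# Constructed labelled history: (binary indicator flags, was_fraud).
HISTORY = [
    ({"high_amount": 1, "foreign": 1, "night_time": 1, "new_device": 1, "avs_mismatch": 1}, True),
    ({"high_amount": 1, "foreign": 0, "night_time": 1, "new_device": 1, "avs_mismatch": 1}, True),
    ({"high_amount": 0, "foreign": 1, "night_time": 0, "new_device": 1, "avs_mismatch": 1}, True),
    ({"high_amount": 0, "foreign": 0, "night_time": 0, "new_device": 0, "avs_mismatch": 0}, False),
    ({"high_amount": 1, "foreign": 0, "night_time": 0, "new_device": 0, "avs_mismatch": 0}, False),
    ({"high_amount": 0, "foreign": 1, "night_time": 0, "new_device": 0, "avs_mismatch": 0}, False),
    ({"high_amount": 0, "foreign": 0, "night_time": 1, "new_device": 0, "avs_mismatch": 0}, False),
    ({"high_amount": 0, "foreign": 0, "night_time": 0, "new_device": 0, "avs_mismatch": 0}, False),
]


def fit_weights(history, alpha=1.0):
    """Naive-Bayes style weights: for each indicator, the log-likelihood ratio of
    seeing it on (and off) in fraud vs. legitimate history, Laplace-smoothed."""
    fraud = [f for f, y in history if y]
    legit = [f for f, y in history if not y]
    prior = math.log((len(fraud) + alpha) / (len(legit) + alpha))
    weights = {}
    for ind in INDICATORS:
        p_f = (sum(f[ind] for f in fraud) + alpha) / (len(fraud) + 2 * alpha)
        p_l = (sum(f[ind] for f in legit) + alpha) / (len(legit) + 2 * alpha)
        weights[ind] = (math.log(p_f / p_l), math.log((1 - p_f) / (1 - p_l)))
    return prior, weights


def risk_score(flags, prior, weights):
    """Collapse the indicators into one 0-999 number (higher = riskier)."""
    logit = prior
    for ind, (w_on, w_off) in weights.items():
        logit += w_on if flags.get(ind) else w_off
    return round(999 / (1 + math.exp(-logit)))


def triage(txns, prior, weights, review_capacity):
    """Rank by score and return the ids the manual-review team can actually look at."""
    scored = sorted(((risk_score(f, prior, weights), tid) for tid, f in txns), reverse=True)
    return [tid for _, tid in scored[:review_capacity]]


# Constructed incoming transactions to score.
INCOMING = [
    ("A", {"high_amount": 1, "foreign": 1, "night_time": 1, "new_device": 1, "avs_mismatch": 1}),
    ("B", {"high_amount": 0, "foreign": 0, "night_time": 0, "new_device": 0, "avs_mismatch": 0}),
    ("C", {"high_amount": 0, "foreign": 0, "night_time": 0, "new_device": 1, "avs_mismatch": 0}),
    ("D", {"high_amount": 1, "foreign": 0, "night_time": 1, "new_device": 0, "avs_mismatch": 0}),
]

if __name__ == "__main__":
    prior, weights = fit_weights(HISTORY)
    for tid, flags in INCOMING:
        print(tid, risk_score(flags, prior, weights))
    print("review queue:", triage(INCOMING, prior, weights, review_capacity=2))
```

The score threshold is therefore not fixed in the model: it falls out of review capacity, and the transactions that rank just below the cut-off are the ones whose outcomes should be fed back to re-estimate the weights.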

Visa/MasterCard Monitoring Tools
Products: Alaric, AI Corporation, Fraud Labs, Volance, FICO, BankCard, Quatrro Analytics, Ethoca, Adeptra, Oscar Kilo, CyberSource

Agenda and Learning Objectives
- Emerging technology that brings a new level of security to business-to-consumer commerce.
- Various solutions can be implemented:
  – Two-factor Authentication
  – EMV/Chip
  – 3D-Secure
- Discussion

Two-factor Authentication
Two-factor authentication (TFA, T-FA or 2FA) is an approach to authentication which requires the presentation of "two or more" of the three authentication factors:
- Something the user knows (e.g., password, PIN);
- Something the user has (e.g., ATM card, smart card); and
- Something the user is (e.g., a biometric characteristic, such as a fingerprint).

Something you have
- Tokens with a display (disconnected tokens)
- Connected tokens
- USB tokens
- Virtual token MFA
- Smartcards
- Audio port tokens
- Wireless
- Dallas iButton
- Casque
- Magnetic stripe cards
- Soft tokens
- One-time pads – UniOTP
- Mobile phones
  – Vulnerability to attack
  – Assignment to the bearer
  – SMS one-time password
  – Smartphone push
  – Additional phone token
  – Mobile signature
  – Mobile applications

Something you are
- Biometrics. Biometric authentication also satisfies the regulatory definition of true multi-factor authentication.
- Users may biometrically authenticate via:
  – fingerprint verification
  – hand-based verification
  – retinal and iris scanning
  – dynamic signature verification
- Disadvantages:
  – vulnerable to a replay attack
  – user resistance
  – false positive and false negative outputs
  – compromised data cannot be changed
- Hybrid or two-tiered authentication methods (private keys encrypted by fingerprint inside a USB device)

EMV/Chip
- Global standard for credit and debit payment cards based on chip card technology.
- Payment chip cards contain an embedded microprocessor providing strong security features.
- More secure than a traditional magnetic stripe card.
- EMV chip card payment provides security benefits in the following areas:
  – With online authorization, a dynamic cryptogram protects against the use of skimmed data and stolen account data.
  – With offline authorization, a PIN capability protects against lost and stolen card fraud, and data authentication protects against counterfeit cards.
  – Limits on offline activity protect against credit overruns and fraud.

3D Secure
- 3-D Secure is an XML-based protocol used as an added layer of security for online credit and debit card transactions.
- Developed by Visa (Verified by Visa), MasterCard (SecureCode) and JCB International (J/Secure); also American Express (SafeKey).
- This authentication is based on a three-domain model:
  – Acquirer Domain
  – Issuer Domain
  – Interoperability Domain (the infrastructure provided by the credit card scheme to support the 3-D Secure protocol).
- A transaction will initiate a redirect to the website of the card-issuing bank to authorize the transaction.
- Each issuer can use its chosen authentication method: password authentication; smart card readers; security tokens.

3D Secure (continued)
- Implementing 3D Secure: Visa/MasterCard member banks must use compliant software supporting the protocol specifications, and perform integration testing with the payment system server.
  – ACS providers: the Access Control Server is implemented on the issuer side.
  – MPI providers: merchant plug-in providers are authorised to send requests to card system servers.
- Disadvantages of 3D Secure:
  – Cardholders may see their browser connect to unfamiliar domain names, which may make it easier to perform phishing attacks.
  – Mobile browsing may throw up compatibility problems (no popups).
  – Users are generally discouraged if the authentication process is too complicated or takes too long.