FRAUD
Over 50 public sector clients with over 100 live programmes and £12 million GBP loaded monthly 10 staff in our fraud team Every Council transaction is monitored by our fraud engine In the news recently: 145m eBay customers had to reset passwords after hack 32m Twitter accounts hacked and passwords leaked Fraudsters can clone 15 bank cards a second with hi-tech contactless device How Even the FTC’s Lead Technologist Can Get Hacked….. Even billionaire tech entrepreneurs get hacked! (Admitted re-using passwords) Some PFS Statistics
One example – BIN range attempts Generating multiple card numbers based on known BIN/card numbers Use software to generate the numbers – hundreds per second in sequential order (with the same expiry date) Card numbers that generate a ‘hit’ are then ‘tested’ with merchants, usually for a very small value transaction Numbers that prove successful are then used at other internet sites Fraudsters have no personal details in these instances PFS is exposed to this type of attack in the same way as every other debit, credit and prepaid card provider is globally PFS invest millions into security and fraud prevention annually
Example A – 8 Cards targeted 7 cards successfully declined by our fraud engine 1 card attempt successful for £ – a counterfeit card was created Fraud loss refunded in full by PFS within 3 days (if this was cash it would have been lost forever) New fraud monitoring rules implemented as a result of this attack Example B – 46 cards targeted £0.03p transactions all for University of Toronto book store (which has very little security – easy target) No transactions were successful as our fraud engine detected and declined all The cards were placed in a “Deposit Only” status where no spend can occur Cards were replaced instantly PFS report the cards to Mastercard as being compromised 2016 Fraud Attempts
Other fraud types and our anti-fraud rules Lost cards Identity theft Skimming/cloning (using a magnetic card reader to copy the genuine card details on the blank card) We use a variety of rules to monitor card activity which are constantly reviewed and refined and updated as fraudsters are constantly coming up with new ways to attack us: –Velocity rules – multiple transactions made within a certain timeframe –Geo-location rules – multiple transactions are made within a certain timeframe in a higher risk country –Volume rules – large amounts of money are spent in a certain timeframe –Security rules – multiple invalid PIN/CVV attempts are made –Loading rules – card load is immediately followed by a cash withdrawal –Merchant rules – a transaction occurs at certain higher risk merchants
3D Secure PFS have enrolled all public sector programmes to 3D secure (Three Domain secure.) Designed to improve both cardholder and merchant confidence in internet purchases and to reduce disputes and fraudulent activity related to card use Cardholder creates a unique password to authorise payments on-line as part of the authentication process prior to approving transactions Merchant does need to be 3D enabled (we should win chargebacks if fraud was committed with a merchant who did not enable this.) 3D secure requires 4 identifiers Name Valid mobile telephone number Date of Birth Postcode Enrolment process procedure document available
Cash –No monitoring possible, if money is stolen there is no audit trail, no comeback, no reclaim/chargeback process (for prepaid the chargeback process applies) –Safeguarding issues Bank accounts/debit cards –The Public sector organisation has no oversight, no monitoring access –Cannot liaise with the bank due to data protection rules so account holder must do so PFS will invoke the chargeback policy and retrieve funds instantly Cards will be replaced immediately In most cases we will refund the cardholder whilst the chargeback process progresses (as we did in the scenarios detailed earlier) Cards v Alternatives (re. Fraud)
Deanna Fernandez & Lee Britton Anti-Fraud Team Contact Us