Presenter: Dennis Pope Executive Manager Merchant Fraud, Compliance & Chargebacks National Australia Bank (NAB) Ph: 03 8697 6627 Mob: 0411 248 558 Email: Dennis.Pope@nab.com.au

How is NAB Supporting its Merchants? Merchant Fraud Team - our aim is to assist merchants through the use of sophisticated fraud tools and pro-active merchant education in fraud detection and prevention, to help minimise the risk of merchants being exposed to such fraud losses. ‘Pro-active Risk Manager’ or PRM - monitors irregular trading patterns. When a Transaction occurs outside the normal trading behaviour of a merchant and or meets a ‘rule’ criteria the transaction will alert to a team member for assessment and follow up. In many instances, the use of PRM has resulted in the NAB alerting a merchant to the use of counterfeit cards or other fraudulent activity in a real time environment and resulting in a saving to the merchant.

NAB Fraud Education February 2007 Nab released it’s new look education material and a revised Merchant Agreement. The documents work in conjunction with each other and are now distributed to all new merchants to the NAB at sign up. The Merchant Fraud Education Pack contains a DVD and reference booklet along with a card security features poster. Education is also provided in the form of statement messages and the NAB Talking Shop Magazine issued each quarter. Educational seminars are also held in conjunction with the Card Schemes for merchants and members of Law Enforcement.

How Can Card Data Be Compromised ? Lost/Stolen Fraudsters steal a cardholder’s card from wallets or via the mail. If stolen via the mail they may sign the cards with their own signature and in some instances provide fake ID with the transaction that matches the card. Alternatively they may skim the card and create a counterfeit card with new identity details i.e.: change cardholder name.

Skimming What is Skimming? The contents of the magnetic stripe of a genuine card are read with an electronic device or via bluetooth and recorded. The information is then encoded onto the magnetic stripe of another card either stolen or counterfeit.

Counterfeit Cards Factories Creating Counterfeit Cards

Card Number Generation Fraudsters have developed programs to generate card numbers using only the BIN (first 6 digits) of any card. Card numbers are tested by processing transactions via websites, which is commonly known as a BIN attack. Fraudsters do not know if the card numbers are valid or if they have not been blocked nor do they know the expiry dates on the cards. BIN attacks can be identified as they will utilise smaller ticket sizes, there will be a large number of declines and the transactions will usually be within seconds of each other. Information obtained via skimming devices or via data compromises may also be tested in the same way however in these instances, BIN’s and card numbers may differ from transaction to transaction.

Data Compromise Information held on databases or payment gateways that is not protected or encrypted may be accessed by hackers. Information such as card details, names, addresses, expiry dates and possibly CVV2 data may be stolen possibly allowing an identity takeover. This information is usually then on sold via hacker websites, via auction sites, the black market or in person. How the information is then used is dependant on the quality and amount of information obtained. For this reason the Payment Card Industry Data Security Standard (PCI DSS) has been introduced to restrict the type of information stored and to ensure that cardholder data is protected.

Card Acceptance Card Present - typically these transactions are face-to-face where the customer presents a card and the card and transaction details are captured either electronically by ‘swiping’ the card or by the use of a manual imprinter. Card NOT Present - these transactions are generally non face-to-face transactions such as Mail Order / Telephone Order ( MOTO) and Internet transactions. Fallback/Offline Transactions - are transactions that are processed when the terminal is not communicating with the Bank i.e.: Technical failure

Acceptance Risk

Recent Fraud Trends Email orders requesting goods be shipped to Nigeria/Ghana and additional funds be transferred via Western Union to non-existent shipping companies. False merchant applications with the purpose of processing refunds or counterfeit cards. Funds are withdrawn from the settlement account next day. Additional goods or services requested with original sale that the merchant does not usually sell i.e.: mobile phones and laptops. Large orders cancelled and refunds requested via a telegraphic transfer or to a credit card other than the original purchase card.

International Orders   While all international orders carry an increased risk, transactions originating from the below locations have shown to generate high levels of credit card fraud: Nigeria Ghana Indonesia Singapore Eastern Europe

Fraud Scenarios Cardholder attempted to purchase a Ferrari over the phone. Merchant processed $310K over 3 domestic counterfeit cards.($10,000 approved). PRM alerted on transactions and merchant was contacted. Compromised US cards were used to book accommodation ($24,591 attempted and $10,791 approved) Merchant was also asked to pay a commission to a car rental business via Western Union. Merchant became suspicious, contact NAB fraud team and did not proceed with the transaction. Email received from a ‘Reverend” requesting a caravan be sent to orphanage in Africa. The merchant was asked to split the transaction over 3 US Cards. Merchant became suspicious, contact NAB fraud team and did not proceed with the transaction. Over a 6 week period an employee stole $15K by processing refunds to their own card. Merchant fraud contacted proprietor to advise and employee has since been arrested.

Fraud Scenarios cont… Mobility Scooters to Ghana ($14,000) Golf tours for the deaf to Ghana ($70,000) Plasma TV to Indonesia ($40,000) Sunglasses to Indonesia ($260,000) Car Rental pre-auth completions ($332,000) Piano to Togo ($9,000) Staff Refunds ($65,000 ) BIN Attack on US Cards ($159,000) Syndicated merchant facility applications Proprietor Transactions

Contact Us Merchant Fraud Team: Ph: 1300 668 046 Fax: 03 8697 6683 eMail: merchant.fraud@nab.com.au Or Visit: www.national.com.au/merchantfraud After hours contact EFTPOS support helpdesk: Ph: 1300 369 852

thank you