Terri Sands - The Rise Of Debit Card Fraud

The Rise of Debit Card Fraud

Debit Card Fraud Trends Handling Debit Card Fraud Knowing Your Options Fraud Mitigation Debit Card Fraud Education

Debit Card Fraud Trends

Account-to-account (A2A) transfers served as a primary driver for debit’s overall growth. Source: Debit Issuer Study, commissioned by PULSE

Debit Card Fraud continues to increase based on data breaches, social engineering, disaster events and A2A transfer popularity.

Disaster events such as COVID coupled with Economic Stimulus Payments creates confusion between what is real and what is fraud.

Data Breaches Malware that targets corporate servers Operation can be completely remote Mass amounts of data at once Information sold on internet “carder” sites EMV removes the magnetic stripe, compromised data cannot be reencoded onto card.

Data Breaches Through Social Engineering Smishing Text – generating a text to trick the individual to provide personal information. Pretext Calling - One way that wrongdoers improperly obtain personal information of bank customers so as to be able to commit identity theft is by contacting a bank, posing as a customer or someone authorized to have the customer's information, and through the use of trickery and deceit, convincing an employee of the bank to release customer identifying information.

Brute Force Attacks Systematically checking all possible keys or passwords until the correct one is found. In the worst case, this would involve traversing the entire search space. 4 9/29/2013 15:32 339.1 0 8638096 2501407 50-Lost/Stolen Card-Capture 04-CIR 1002-DDA WITH 5 9/29/2013 14:48 0 0 3055237 2373739 93-Authorized 70-MDS 1000-DDA INQ 6 9/29/2013 14:48 0 0 3055237 2373660 72-Invalid CVV/CVC 70-MDS 1000-DDA INQ 7 9/29/2013 14:48 0 0 3055237 2373577 72-Invalid CVV/CVC 70-MDS 1000-DDA INQ 8 9/29/2013 14:48 0 0 3055237 2373451 72-Invalid CVV/CVC 70-MDS 1000-DDA INQ 9 9/29/2013 14:48 0 0 3055237 2373331 72-Invalid CVV/CVC 70-MDS 1000-DDA INQ 10 9/29/2013 14:48 0 0 3055237 2373221 72-Invalid CVV/CVC 70-MDS 1000-DDA INQ 11 9/29/2013 14:48 0 0 3055237 2373071 72-Invalid CVV/CVC 70-MDS 1000-DDA INQ 12 9/29/2013 14:48 0 0 3055237 2372962 72-Invalid CVV/CVC 70-MDS 1000-DDA INQ 13 9/29/2013 14:48 0 0 3055237 2372846 72-Invalid CVV/CVC 70-MDS 1000-DDA INQ 14 9/29/2013 14:48 0 0 3055237 2372712 72-Invalid CVV/CVC 70-MDS 1000-DDA INQ 15 9/29/2013 14:48 0 0 3055237 2372605 72-Invalid CVV/CVC 70-MDS 1000-DDA INQ 16 9/29/2013 14:48 0 0 3055237 2372518 72-Invalid CVV/CVC 70-MDS 1000-DDA INQ 17 9/29/2013 14:48 0 0 3055237 2372425 72-Invalid CVV/CVC 70-MDS 1000-DDA INQ 18 9/29/2013 14:48 0 0 3055237 2372348 72-Invalid CVV/CVC 70-MDS 1000-DDA INQ 19 9/29/2013 14:48 0 0 3055237 2372252 72-Invalid CVV/CVC 70-MDS 1000-DDA INQ

Handling Debit Card Fraud

Handling Debit Card Fraud STRATEGIZE – Debit card fraud and disputes must have a strategy based on evolving fraud. INVENTORY – Inventory all types of debit card fraud and how you mitigate fraud. TRAIN – Train your front line and investigators. DOCUMENT – Clearly document the strategy and fraud management and mitigation and dispute handling. clearly. REPORT – Gather the data to know how to mitigate ongoing fraud.

Training the Front Line Train the front line on differentiating between the consumer NOT authorizing the transaction and authorizing the transaction that resulted in fraud. Under no circumstance when a dispute is made should your front-line staff indicate they will not investigate. It is important to get the information regarding was the transaction Unauthorized vs. Authorized Fraud.

Train on how Third-Parties Educates YOUR Customers

Knowing how Zelle Educates is Important

Knowing how Zelle Educates is Important

Elder Financial Exploitation through P2P Criminals are continuing to use P2P services such as CashApp as its payment source when tricking elder adults to send money. Financial institutions should be aware of CashApp, how it works, and how to communicate and educate elder adults. Pay attention to Regulation E claims from Elder Adults as the debit (offset) to the P2P credit could be the result of elder financial exploitation.

Documenting the Dispute Ensure the documentation reflecting the dispute is comprehensive and clearly states the consumer’s intent. Know your bankcard association rules (reach out to VISA/MC/Discover) to obtain UPDATED operating rules that reflects their investigation requirements). Ensure your team understands bankcard association’s recommendations for gathering information on Unauthorized vs. Authorized Fraud.

Investigating Obtain all the facts regarding the transaction. Know Authorized Fraud vs. Fraud. Understand Evolving Fraud based on Different ways to load Debit Cards e.g., Understand Regulation E requirements regarding investigations as it applies to third-parties.

14(a) Electronic Fund Transfer Service Providers Subject to Regulation 1. Applicability. This section applies only when a service provider issues an access device to a consumer for initiating transfers to or from the consumer's account at a financial institution and the two entities have no agreement regarding this EFT service. If the service provider does not issue an access device to the consumer for accessing an account held by another institution, it does not qualify for the treatment accorded by § 1005.14. For example, this section does not apply to an institution that initiates preauthorized payroll deposits to consumer accounts on behalf of an employer. By contrast, § 1005.14 can apply to an institution that issues a code for initiating telephone transfers to be carried out through the ACH from a consumer's account at another institution. This is the case even if the consumer has accounts at both institutions.

It is important to understand what is being provided to consumers.

Debit Card Fraud Mitigating Tools

Data Breaches Through Social Engineering and Data Breach Mitigating Tools Monitor Balance inquiry requests Implement velocity settings Public Awareness Smishing & Phishing

Debit Card Stop Payment Preauthorization Payment Cancellation Services (Stop Payment for Debit Cards) – The Preauthorized Payment Cancellation Service (PPCS) is a cost-effective way for Issuers to handle customers’ stop payment requests for preauthorized electronic funds transfers, such as recurring and installment payments. Using the service, issuers can inform acquirers and their merchants, via an authorization response, that a cardholder has requested a stop payment for either one specific payment or all subsequent payments. Stop Payment Order – Enables a consumer to stop a specific preauthorized payment. Revocation of Authorization Order – Enables a consumer to stop all future preauthorized payments from a particular merchant. Revocation of all Authorization Orders – Enables an Issuer to cover all automatic bill payment revocations for multiple merchants with one Preauthorization Payment Cancellation Services order.

Customer Debit/Credit Card “Switch On and Off Option” This fraud mitigation and prevention feature puts customers in the driver’s seat of controlling their debit card access. This control has the ability to ability to block anyone from using their debit card, and allows them to unblock it after they find the card. Volume is growing based on the usage of mobile devices. More convenient and customers feel more in control over the use of their cards. Generally offered through third-party services or as a “value-added” service from core providers.

Third-Party Fraud Threshold Review and Blocks This fraud mitigation and prevention feature is normally offered by your third-party provider (check with your thirdparty to determine if it is offered). This threshold block allows you to set thresholds for certain apps. A transaction is pended and the consumer must contact the third-party provider to “approve” the transaction. This assists you if the consumer claims the transaction is unauthorized (e.g. the consumer is then double authorizing the transaction). Technology provides the financial institution with a tool for mitigating unnecessary disputes.

Third-Party Fraud Department Third-Party Providers may provide the ability to provide financial institutions investigations support. Your fraud disputes may be outsourced to your core provider of debit card services. This provides more options for investigating and may increase your efficiencies. This option allows you to service your clients while fraud investigations are being performed.

Debit Card Dispute and Fraud Reporting

Report the Trends As part of documenting your Key Risk Indicators, begin reporting type of debit card fraud. This data provides you with the education you will need to provides and the mitigating tools needed to implement. Discuss debit card fraud trends with your provider (remember VISA/MC/Discover and your Debit Card Provider are partners).

Debit Card Evolving Customer Education

Customer Education: Practical, Proactive and Transparent Next Generation Customer Education Financial institutions are spending more time on their fraud identification, prevention and recovery training for customers. Marketing departments have begun focusing more on security and fraud training (e.g. placement on website, in online banking, more statement stuffers on fraud). Reactive training has become antiquated and customers feel better with financial institutions that have a focus on security.

Customer Education: Practical, Proactive and Transparent Next Generation Customer Education Card Fraud Training is focused and applicable. Training is delivered across multiple participants: Financial Institutions Bankcard Associations Core Providers Merchants Acquiring Financial Institutions Third-Party Provider Fraud Services Regulators (e.g. Consumer Federal Protection Bureau)

Customer Education: Practical, Proactive and Transparent Next Generation Customer Education Card Fraud Training is focused and applicable. Different type of training is based on the following: Fraud Trends Specific Financial Institution Fraud (e.g. banners on specific fraud events, specific fraud trends the financial institution is experiencing and how to handle). New card fraud services offered (e.g. additional value added card fraud prevention services, why it is important and what is accomplishes). Lessons Learned (e.g. significant fraud events and what the financial institution learned).

Don’t Be on an Island by Yourself Trying to Mitigate Debit Card Fraud

Secura provides the following services specific to Debit Card Fraud and Prevention Strategies tsands@securariskmanagement.com Debit card enhancement projects Efficiency Reviews of Debit Card Fraud Program Implementation of Debit Card Reporting Implementation of Fraud Systems

Handling Debit Card Fraud STRATEGIZE- Debit card fraud and disputes must have a strategy based on evolving fraud. INVENTORY - Inventory all types of debit card fraud and how you mitigate fraud. TRAIN - Train your front line and investigators. DOCUMENT - Clearly document the strategy and fraud management and