Fighting the Good Fraud Fight

Payments survey shows debit card fraud is rising, but defensive systems are working well

By Cary Whaley

When someone says there’s good news and bad news, I always opt to hear the bad news first. So here is the bad news: Payments fraud is on the rise and continues to be a thorn in the sides of community bankers, according to a recent fraud survey conducted by the Federal Reserve Bank in Minneapolis in cooperation with ICBA.

Ninety-seven percent of community banks have experienced fraud losses. And half of community banks say fraud increased in 2011 compared with 2010, with 10 percent reporting a fraud-loss increase by 10 percent or more, the report finds.

What’s interesting about the most recent fraud survey, says Claudia Swendseid, a senior vice president at the Minneapolis Fed, is the shift from checks to signature debit cards as the primary source of fraud attempts and losses. Swendseid explains that for more than 80 percent of community banks, signature debit cards were the target of the highest number of fraud attempts and the product responsible for the highest dollar losses from fraud followed by PIN-based debit and checks (at 47 percent and 43 percent, respectively for targets, and 48 percent and 41 percent, respectively for fraud losses).

The anticipated migration from the magnetic strip to a chip-driven EMV standard in the United States could help curtail such losses, reasons Swendseid. EMV (for Europay, MasterCard, Visa), the globally interoperable standard specification governing transactions between chip cards and terminals, can offer additional protection against counterfeit fraud over current magnetic-stripe technology, particularly when paired with a PIN, and also can reduce the number of lost and stolen cards through robust cardholder verification.

However, the effectiveness of brand-driven migration to chip cards has yet to be seen. In most countries, government laws and regulation nudged the migration forward. Currently, the card brands in the United States, led by MasterCard and Visa, have developed incentives for card issuers and acquirers that choose to migrate to the EMV standard rather than setting deadlines and sunset dates on the magnetic stripe.

Additionally, each card brand has a different end-goal in mind: Visa is pushing for chip-only transactions, while MasterCard favors chip transactions that are paired with a PIN.

Risk mitigation working

The good news, however, is that community bankers are employing a number of tactics covered under the Federal Financial Institution Examinations Council’s multifactor authentication guidelines to reduce fraud, some of which aim to thwart would-be fraudsters before they can do damage.

Seventy-four percent of banks with reductions in fraud changed their risk management practices to address the problem. Among the most used authentication technologies was customer authentication for online transactions (79 percent), which was also rated most frequently as very effective.

Sarah Fender, vice president of marketing and product management at Phone Factor, a company that uses the phone to verify online authorizations, isn’t surprised that transaction monitoring technologies have been so effective in helping community bankers curtail losses. There are no hardware costs (like with hard tokens), and the technology can be used to notify proactively a bank’s customer of a potential account compromise, she explains.

Fender recalls one instance in which an account holder was at a dinner party and received an authentication request from Phone Factor asking to validate a six-figure transaction: Not only was the cardholder unaware of the transaction, but he was able to take initial steps to mitigate the threat, including blocking the transaction and notifying the bank via a fraud alert.

Because the user was not required to input a username or password as part of the verification process, any malware installed on the machine was not able to compromise the authentication process, Fender adds.

Most of the company’s implementations are online today, Fender admits. But she says the authentication service can be used across channels; be integrated with other third-party fraud scoring systems; and is priced according to the implementation, number of users and authentication being secured.

Account takeover concerns

Another area of “serious concern for community banks,” according to the survey, is account takeover. While only 6 percent of respondents said wire transfer generated the highest number of fraud attempts, 5 percent of those polled equated it to their highest dollar losses. ACH debit, conversely, created the highest number of attempts at 17 percent of community banks, yet only 8 percent said it generated the highest dollar losses.

Among the solutions most frequently rated as very effective in fighting this type of fraud is pattern matching (59 percent), a technique used by Guardian Analytics to spot and flag atypical activities relative to a customer’s behavior. The company’s software analyzes not just transaction data, but also the full scope of the account and any deviation—from how, when and where a customer logs in to the order and the pace at which a transaction is performed to the dollar amount, type of payment and even payees assigned to a particular payment, explains Tiffany Riley, vice president of marketing at the Mountain View, Calif.-based company.

Swendseid’s recent online experience is a prime example of such technologies in action. Swendseid went to to make a camera purchase in late December, and her card was denied. When she called her financial institution to find out why, she was told that the transaction was flagged as suspicious given the amount of the transaction, the fact that she had never shopped at that retailer online before and the time of night at which the transaction was placed.

“The person I talked to on the phone was knowledgable and could succinctly explain why they denied the transaction,” Swendseid says. This excellent customer service experience offered her peace of mind to shop with confidence—which she did once the transaction was validated.

So the bad news is that criminals will continue to innovate. The challenge for community banks is to anticipate and block such actions before they can do damage to their bottom lines or reputations. And community banks have the opportunity to leverage their nimbleness and their technology to deploy robust, multilayered strategies to combat fraud. That’s very good news. endmark

Cary Whaley is vice president of payments and technology for ICBA.