I’m Joaquim Menezes, senior online editor at IT Business. Our guest today is Jas Anand, product and risk strategy manager at Actimize. We’ve had Jas on this program before. Today he’s going to be discussing a very interesting topic: card fraud and mass compromise. Actimize had conducted a study on this topic, and we’ll be talking to Jas about that.
Jas could you tell us about the “peer review study”, what the objectives were, who was polled and so on?
We had 113 respondents across the globe, 40 per cent from the U.K., 40 per cent from North America, and the rest spread across Africa and Asia.
Could you give us an idea of how many Canadians were polled in this study, specifically?
I think there were two Canadian banks polled.
VIDEO – Jas Anand on how to fight card fraud
READ RELATED STORIES
The study indicated that financial institutions saw double-digit growth in ATM and debit fraud in 2008, and actually expect the same this year. Why such a spurt in ATM fraud?
Yes, 60 per cent of respondents said they saw an increase in ATM debit card losses in 2008, as compared to 2007. But more than 80 per cent expect that increase to continue in 2009, as compared to 2008. So there is the fear of a continued “loss” trend and it’s attributed to a few things: particularly mass compromises — which we’ll describe — and card skimming.
“Banks are using broad-scale measures to reduce risk – your credit card limits are going down, overdraft limits are going down … These are very aggressive steps that aren’t in line with the scale of the problem.”
Jas Anand, product and risk strategy manager, Actimize
The most recent breach was the Heartland Payment breach – and they’ve just arrested the perpetrators involved. They believe the same people were involved in the TJX breach as well. It’s really the theft of data encoded on the mag stripe. And data is stolen in a way that allows the perpetrators to re-encode that information on other mag stripes. So they can take gift cards, buy white plastics, or even use hotel cards to encode the information on to the mag stripe. Then they would use that as a counterfeit card.
Your study indicates the recession has had an impact on the day-to-day financial transactions of many people. For example, 44 per cent of the respondents reported a decrease in the number of cards carried by customers. And the same percentage saw a reduced overdraft limit on accounts attached to debit cards. Shouldn’t these factors have had some impact on reducing debit card fraud?
Yes, and I think that they’re very aggressive steps that are probably not in line with the size of the problem. Reducing overall limits shrinks the consumer’s access to funds. I think that’s a good strategy when limited to high-risk accounts.
What we’ve seen banks do is use broad-scale measures to reduce risk – to your credit card limits are going down, overdraft limits are going down, and in essence they are reducing the overall credit you can have available to you. I think this is a very harsh measure that can be toned down a little to allow good customers to take advantage of credit, while still minimizing liability on the select few higher risk accounts.
One interesting finding of your study was that 55 per cent of respondents expect U.S. card fraud levels to increase or even dramatically increase after Canada adopts chip or PIN technology. Is the argument that with the introduction of such technology committing fraud here in Canada will be that much more difficult, so criminals will go after softer targets in the U.S? Is that the reasoning?
Yes. I think that’s definitely a part of it. But there’s also the evidence we’ve see across Europe. So when the U.K. implemented chip and PIN and it slowly spread throughout Europe, fraud migrated to the closest country that hadn’t yet implemented chip and PIN. [Fraudsters] were stealing data, shipping it to the closest location they could use it, and creating the cards there.
So I think it’s that specific activity of the perpetrators that’s migrating. People who are currently producing [fraudulent] cards in Canada will still steal the data here, but then move to the U.S. to produce the cards. It’s easier to ship data across the border than it is physical cards. So with the movement of the card production facilities over to the U.S., there will be increased crime associated with those facilities – and so they’ll skim more U.S.-based cards as well. Then U.S. losses will go up. If Canadian cards are used in the U.S., the Canadian banks are still responsible.
The study said that 15 per cent of banks polled issued new cards to 20 per cent of their customers. This seems like overkill – and it involves additional expenses on that part of the bank. Are there proactive ways for banks to address the issue of fraud without scaring off the customer on the on hand, and incurring huge costs on the other?
The survey really highlighted one key differentiator, and that was the ability to make real time decisions on [possible fraudulent] transactions. By that I mean while the customer is at the ATM, while they’re shopping you can make a decision before the approval comes back to the unit.
So in a matter of 10s of milliseconds I can score that transaction, evaluate the risk of fraud on that, and run through a series of policy rules that dictate what action will result from that transaction. Having that ability to stop a transaction in flight would decrease fraud losses – based on the benefit of real time. If there’s one technology that can reduce the curve of increase from 2008 to 2009, it’s going to be use of real time detection technologies at the point of sale and at the ATM.
Could you give us specific examples of real time detection applications?
Sure. With counterfeit cards there are generally two cards at play. So a lot of the models and rules use geo-velocity calculations. You cannot be in Toronto and in Vancouver within 10 minutes, it they are both “card present” transactions.
[Card] data gained through mass compromises is generally sold in bulk – hundreds of thousands of card numbers – to people who would encode those plastics on stripes to transact. Those locations are often not close to locations where the customers normally transact. We can use known patterns of behaviour to stop transactions that are abnormal or out of character, or those that are impossible, because of location.
Your study indicates that a very small percentage of bank accounts really experience fraud – so how crucial are these steps you’ve outlined?
The study was referring to incidents of fraud associated with mass compromises. So out of 100 million cards associated with the Heartland compromise, what percentage of cards actually experience fraud? It was 4 per cent overall. But there are specific losses with Hearland and TJX where up to 20 – 30 per cent of the exposed cards have experienced fraud.
With the recent implementation of chip and PIN in Canada this issue will become even more important. The reason is the chip and PIN cards are still encoded with the mag stripe. So although perpetrators cannot steal the chip information, they can still steal the mag stripe.
They may not be able to use that card in Canada. But they would use those cards in different locations – the closest location is the U.S. and the U.S. has not implemented chip and PIN. So counterfeit cards will definitely migrate over the border to the U.S. And that’s why it’s even more important for Canadians to use real time detection to identify legitimate activity in the U.S. versus counterfeit activity, and stop it before it gets acute.
Thanks for your insights Jas, and it was great having you on the program.
Thank you. It was a pleasure being here.