Flash or Blitz, It's Card Fraud By Any Other Name

Sunday, November 07, 2010

Gartner analyst Avivah Litan recently wrote of a new kind of "flash attack" she's hearing of from banks. And last week Jasbir Anand, a fraud analyst at ACI Worldwide, described "blitz attacks," where mass data compromises of stolen card accounts are used overseas, all in a short time period, much like the card breach that led in February 2009 to $9 million being stolen from RBS WorldPay cardholders.

One thing is for sure: The industry will continue to see these attacks, both at ATMs and at retail locations. 

These attacks begin the same way, with criminals tampering with point of sale terminals to steal card data or take data from within the retailer's or business's payment network. Litan says that the twist comes when the criminals then turn and make hundreds or thousands of counterfeit debit cards and spread them among their army of accomplices, who use those counterfeit cards at the same time to withdraw as much money as they can before the issuers detect fraud and shut the cards off. In 10 minutes, the simultaneous withdrawals add up quickly -- $100,000 in stolen cash from the ATMs. Criminals repeat the same steps over a month and rack up a half-million.

These attacks are particularly worrisome because the cash transactions fly under the radar of existing fraud-detection systems -- they are typically small amounts that don't raise alarms. The only solution for institutions is to replace all of the compromised cards. Yes, it's a costly measure, but the alternative is having bank accounts drained.

FICO's senior director of global fraud solutions, Mike Urban, says debit card fraud is definitely becoming more of a concern. Compromises like the one Litan references have been taking place for many years, as have much larger-scale mass compromises of card information at merchants and processors. While the compromise of cards and PINs together is significantly less in the U.S., when compared with the compromise of the mag-stripe, criminals know they can get access to cash.

Technology to Fight Fraud

There are several effective technologies that have been developed to impact debit card fraud losses:

• Behavior-sorted lists learn the places cardholders go and how they transact. Understanding the habits of cardholders, including preferred merchants, ATMs and recurring transaction patterns, helps issuers spot fraudulent, out-of-pattern behavior, regardless of the dollar amount.

• Intelligent ATM profiles build on the activity at specific ATMs relative to their normal behavior. This is specifically developed to deal with flash attacks at ATMs. ATM profiles also are very useful for issuers of EMV chip cards, which can have the mag-stripe and PIN compromised in-country and used fraudulently in a non-chip-compatible country, such as the U.S.

• Adaptive cascading models are self-learning to an issuer's real-time fraud transactions. They identify specific transaction variables, such as dollar amount, location, transaction type and merchant. These are particularly useful when it comes to identifying fast-changing fraud patterns and reducing false positives.

Criminals Lie in Wait

The stamina of the criminals doing these crimes is indefatigable. They're keeping numbers and accounts stolen from past breaches and using them months and years later. Already this year, two different institutions, a bank in Colorado, First National Bank of Durango, and a credit union in Florida, MidFlorida Federal Credit Union, have experienced losses on cards stolen during the 2009 Heartland Payment Systems breach.

One thing is for sure: The industry will continue to see these attacks, both at ATMs and retail locations. ACI's Anand says that the card fraud spree seen in Seattle's Capitol Hill section last week also shows criminals are continuing to evolve their attack methods and the technology used to commit the fraud.