Another breach. Another day. Another fraud strategy?
Banks in the United States currently face an overwhelming volume of merchant data breaches. Managing them strategically, with the precision needed to maintain solid control over the environment, is a tremendous challenge that requires extraordinary governance.
The ID Theft Resource Center suggests that the first half of this year is about on par with the whole of 2011 in terms of data breaches, and I remember that year having some significant merchant compromises in the US (Pizzapocolypse, anyone?). Effectively, we are now required to control twice the number of breached records with the same resources. In this situation, automation built on compromised-card strategies that scale across channels should ultimately be the go-to solution for matching the massive volumes of today’s data breaches.
Back in January, I wrote about breach exhaustion: the result of the unrelenting volume of data compromises that impact banks, merchants and acquirers. Long investigations, difficult decisions involving unknown risks, and flare-ups of incidents thought to be extinguished may continue to haunt us. I get it: it’s a lot of pressure, there is no let-up, and if we look off the ledge, it’s a long way down. The compromise du jour is worse than the one preceding it, and the frequency of massive compromises is increasing.
And it’s going to get a lot worse before it gets any better. In the countdown to the EMV transition in the USA, we have seen new attack vectors focused on merchant networks, POS system exploits and remote access solutions, which wreak havoc on our plastic-focused consumer payment ecosystem. Clearly, the hackers, who sit far abroad, can practice their craft on our merchants with near complete impudence. They have scaled up and grown their niche with incredible sophistication and business acumen. Recognizing that another massive merchant network intrusion is already developing should be enough for us to realize that without a well-defined strategy for this, either as merchants or as issuers, we’re not going to keep up. Clearly, people are not going to slow their use of plastic, and I expect technology like Apple’s new Apple Pay to continue contributing to the climb. We are linking account numbers to new payment products like mobile wallets, further expanding the exposure into new channels with unknown risks.
Here is a classic (rhetorical) operational risk question: Is a card breached twice (with the same data lost) at dissimilar merchants riskier than a card breached only once? Clearly it is, by a measure, but at some point we realize the card will likely be used for fraud only once before we detect and block it. At this point, we can accept that compromised cards can be managed with similar strategies based on risk, respective of their breach.
Start a checklist:
- Is there a strategy for compromised and counterfeited cards used at brick-and-mortar merchants?
- Is there a strategy for recent reset of PINs on compromised cards, which may result in ATM fraud?
- Is there a strategy for alternative risks, such as travel guidance on a recently compromised card?
With a review of the common typologies that we experience in all the most recent massive compromises, we can build a considerable inventory of attack patterns, and build controls to meet these threats.
- Cards with a merchant breach with no local counterfeit risk, no PIN?
- Cards compromised, with customer information and with the potential for VRU PIN changes resulting in ATM fraud and account takeover risks?
- Rules that reference this common list and work across cross-channel fraud types when unusual callers request travel exceptions?
Our goal is to challenge the fraudsters and decline them with the same impudence they offer us, by rapidly developing, testing, and deploying rules that are both automated and aligned to a larger compromise strategy. Rather than focusing on the short term, we should implement scalable compromise processes that illustrate how to evolve a financial institution with cross-channel controls. Instead of treating this breach as another opportunity to have a glut of compromised cards to re-issue, the proactive stance is to load a list and reduce the anxiety of breach exhaustion.
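An added example (not from the original post or any vendor product) of the approach described above: one shared compromised-card list, loaded per breach, that rules in several channels consult. The channel names, decision labels, 72-hour PIN window and keyed-hash token are assumptions chosen for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

LIST_KEY = b"constructed-demo-key"  # assumption: a per-institution secret

def card_token(pan):
    """Keyed hash, so the shared list never stores clear card numbers."""
    return hmac.new(LIST_KEY, pan.encode(), hashlib.sha256).hexdigest()

@dataclass
class ListEntry:
    breaches: set = field(default_factory=set)
    track_data: bool = False     # counterfeit risk at card-present merchants
    customer_info: bool = False  # VRU PIN change / account takeover risk

class CompromiseList:
    def __init__(self, pin_window_hours=72):
        self.entries = {}
        self.pin_changes = {}  # token -> hour of last VRU PIN change
        self.window = pin_window_hours

    def load(self, breach_id, pans, track_data=False, customer_info=False):
        # A card seen in a second breach merges into its existing entry.
        for pan in pans:
            e = self.entries.setdefault(card_token(pan), ListEntry())
            e.breaches.add(breach_id)
            e.track_data |= track_data
            e.customer_info |= customer_info

    def decide(self, channel, pan, hour, entry_mode=None):
        tok = card_token(pan)
        e = self.entries.get(tok)
        if e is None:                      # not on the list: no list-based rule fires
            return "ALLOW"
        if channel == "VRU_PIN_CHANGE":    # remember it for the ATM rule below
            self.pin_changes[tok] = hour
            return "REVIEW" if e.customer_info else "ALLOW"
        if channel == "POS" and entry_mode == "magstripe" and e.track_data:
            return "DECLINE"               # counterfeit typology
        if channel == "ATM":
            changed = self.pin_changes.get(tok)
            if changed is not None and 0 <= hour - changed <= self.window:
                return "DECLINE"           # recent PIN reset on a listed card
        if channel == "TRAVEL_EXCEPTION":  # caller asks to relax controls
            return "REVIEW"
        return "ALLOW"
```

Loading a new breach is a single `load()` call; the same `decide()` rules then apply to every listed card, whichever breach exposed it.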