
Another breach. Another day. Another fraud strategy?

Banks in the United States currently face an overwhelming volume of merchant data breaches. Managing them strategically, with the precision needed to maintain solid control over the environment, is a tremendous challenge that requires extraordinary governance.

The ID Theft Resource Center suggests that the first half of this year is about on par with the whole of 2011 in terms of data breaches, and I remember that year having some significant merchant compromises in the US (Pizzapocolypse, anyone?). Effectively, we are now required to control twice the number of breached records with the same resources. In this situation, automation using compromised-card strategies that can scale across channels should ultimately be the go-to solution for matching the massive volumes of today’s data breaches.

Back in January, I wrote about breach exhaustion: the result of an unrelenting volume of data compromises that impact banks, merchants and acquirers. Long investigations, difficult decisions involving the unknown risks and flare-ups of ‘thought to be’ extinguished incidents may continue to haunt us. I get it, it’s a lot of pressure, there is no let-up, and if we look off the ledge, it’s a long way down. The compromise du jour is worse than the one preceding it, and the frequency of massive compromises is increasing.

And it’s going to get a lot worse before it gets any better. In the countdown to the EMV transition in the USA, we have seen new attack vectors focused on merchant networks, POS system exploits and remote access solutions, which wreak havoc on our plastic-focused consumer payment ecosystem. Clearly, the hackers, who sit far abroad, can practice their craft on our merchants with near complete impudence. They have scaled up and grown their niche with incredible sophistication and business acumen. Recognizing that another massive merchant network intrusion is already developing should be enough for us to realize that if we do not have a well-defined strategy for this, either as merchants or as issuers, we’re not going to keep up. Clearly, people are not going to slow their use of plastic, and I expect technology like Apple’s new Apple Pay to continue contributing to the climb. We are linking account numbers to new payment products like mobile wallets, further expanding the exposure into new channels with unknown risks.

Here is a classic operational risk (rhetorical) question: Is a card breached twice (with the same data lost) at dissimilar merchants riskier than a card breached only once? Clearly it is, by a measure, but at some point we realize the card will likely be used for fraud only once, before we detect and block it. At this point, we can accept that compromised cards can be managed in similar strategies based on risk, respective of their breach.

Start a checklist:

  • Is there a strategy for compromised and counterfeited cards used at brick and mortar merchants?
  • Is there a strategy for recent reset of PINs on compromised cards, which may result in ATM fraud?
  • Is there a strategy for alternative risks, such as travel guidance on a recently compromised card?

By reviewing the common typologies that we experience in all the most recent massive compromises, we can build a considerable inventory of attack patterns, and build controls to meet these threats.

  • Cards with a merchant breach with no local counterfeit risk, no PIN?
  • Cards compromised, with customer information and with the potential for VRU PIN changes resulting in ATM fraud and account takeover risks?
  • Rules that reference this common list and work in cross channel fraud types when unusual callers request travel exceptions?

Our goal is to challenge the fraudsters, and decline them with the same impudence they offer us, by rapidly developing, testing, and deploying rules that are both automated and aligned to a larger compromise strategy. Instead of focusing on the short term, we should implement scalable compromise processes that show how to evolve a financial institution with cross-channel controls. Instead of this breach being another opportunity to have a glut of compromised cards to re-issue, the proactive stance is loading a list and reducing the anxiety of breach exhaustion.
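
An added example, not from the original post: one way to load the compromised-card list once and reference it from POS, ATM and call-center rules, following the checklist items above. The field names, action names and the seven-day PIN-reset window are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Exposure:              # one list entry per card token (never the raw PAN)
    breaches: tuple          # ids of the breaches the card appeared in
    track_data: bool         # stripe data lost: counterfeit risk at brick and mortar
    customer_info: bool      # customer data lost: VRU PIN change / takeover risk

@dataclass(frozen=True)
class Event:
    card_token: str
    channel: str             # "pos", "atm" or "call_center"
    kind: str                # "purchase", "withdrawal", "travel_exception"
    when: datetime
    card_present: bool = False

PIN_RESET_WINDOW = timedelta(days=7)   # assumed look-back, tune to your own data

def load_list(rows):
    """Merge breach rows so a card breached twice is managed once, by combined risk."""
    merged = {}
    for token, exp in rows:
        old = merged.get(token, Exposure((), False, False))
        merged[token] = Exposure(old.breaches + exp.breaches,
                                 old.track_data or exp.track_data,
                                 old.customer_info or exp.customer_info)
    return merged

def decide(event, compromised, last_pin_reset):
    """Return an (assumed) action name for one event, whatever its channel."""
    exp = compromised.get(event.card_token)
    if exp is None:
        return "allow"
    if event.channel == "pos" and event.card_present and exp.track_data:
        return "step_up"                       # counterfeit card risk
    reset = last_pin_reset.get(event.card_token)
    if (event.channel == "atm" and exp.customer_info and reset is not None
            and timedelta(0) <= event.when - reset <= PIN_RESET_WINDOW):
        return "decline"                       # recent PIN reset, then ATM use
    if event.kind == "travel_exception" and exp.customer_info:
        return "verify_caller"                 # unusual caller asks for an exception
    return "allow"                             # listed, but no matching typology

# Constructed sample data: tok_A appears in two breaches, tok_B in one.
NOW = datetime(2020, 1, 10, 12, 0)
COMPROMISED = load_list([("tok_A", Exposure(("breach-1",), True, False)),
                         ("tok_A", Exposure(("breach-2",), False, True)),
                         ("tok_B", Exposure(("breach-2",), False, False))])
PIN_RESETS = {"tok_A": NOW - timedelta(days=2)}
```

Because the rules read one merged entry per card, adding a new breach means loading more rows, not writing new rules.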