A technological battle fought on banking’s front lines
The problem with debit cards is that they are easy – easy to use, and easy to clone.
"We’re victims of our own technology," said Doug Kidder, vice president and manager of corporate security at Umpqua Bank.
How it’s done
Data breaches usually occur at retailers or third-party transaction-processors, either by computer hackers or "card skimming," whereby criminals install devices at ATMs, gas pumps and other places. Criminals also lure people into disclosing information via fraudulent emails and websites.
Criminals then sell card data to fraud rings, who commit "white card fraud" by imprinting and encoding blank, white magnetic-strip cards, available on the Internet for as little as $50. These fake cards are increasingly common in foreign countries. Terry Long, senior vice president of operations technology at Riverview Community Bank, estimates that 80 percent of debit card fraud rings are located outside the U.S. Clark County financial institutions aren’t immune to this trend.
"Recently, a number of local financial institutions sustained some good-sized losses due to significant fraudulent activity originating outside of the United States from a handful of merchants," said Marcia Carr, assistant vice president of security and safety at First Independent Bank.
In 2004, debit-card fraud losses nationwide totaled $2.75 billion, according to Gartner, a national technology research and consulting company. Its 2006 Global Security Survey showed that 78 percent of participating financial services organizations experienced a security breach from outside the organization.
Carr backed that up with startling figures of her own.
"First Independent has topped its prior average two-year check card losses during the first 80 days of 2007," she said. Long said debit card fraud costs Riverview tens of thousands per year.
How it’s undone
To counteract criminals’ misuse of technology, financial institutions turn to technology to protect themselves and their customers. The 2005 Global Security Survey showed that 64 percent of financial institutions’ future investment plans center on security tools, while the 2006 survey indicated that 95 percent of participants said their information security budget grew over the past year.
Riverview is rolling out new transaction-blocking software that will allow the bank to block transactions in specific countries. They may also be able to block specific merchants.
"We’ve been pushing for this for a long time," said Long. "We’re terribly excited to be offering this additional security to our customers."
iQ Credit Union uses no fewer than 12 separate technology-based solutions to reduce card fraud. These range from fairly simple measures, such as daily point-of-sale purchase and ATM withdrawal limits, card activation and member-chosen PINs, to more advanced solutions including neural networks.
Neural networks are complicated software applications that constantly monitor card activity, analyze transactions, evaluate customers’ purchasing habits and assess transaction risk. If the risk rating is high, the transaction can be blocked in real-time. In contrast, older technology monitored card activity only part of the time and identified fraud only after at least one transaction went through. Steve Kenny, senior vice president of risk management and general services at Columbia Credit Union, said that Columbia noticed a "significant reduction in losses" after they implemented a neural network in October 2006.
Another technology-based solution commonly used by financial institutions is CVV, or Card Verification Value. Card data is encrypted into the magnetic strip on the back of an authentic card. Often, fraudulent cards lack this data. By verifying the CVV data on the card, financial institutions can block many fraudulent transactions.
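The four controls described above (country and merchant blocking, daily limits, habit-based risk scoring with real-time blocking, and a CVV check) can be illustrated together in one small authorization routine. The following is an added example written for this page; it is not code from any of the institutions quoted. The country code, merchant identifiers, limits, weights and card values are all constructed placeholders, and the hand-written weights stand in for what a neural-network scorer would learn from transaction history.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed, illustrative parameters; not any institution's real rules.
BLOCKED_COUNTRIES = {"ZZ"}             # hypothetical country code the issuer has chosen to block
BLOCKED_MERCHANTS = {"MERCH-0001"}     # hypothetical merchant identifier
DAILY_LIMITS = {"pos": 1500.00, "atm": 500.00}
BLOCK_THRESHOLD = 0.7


@dataclass
class Transaction:
    card_id: str
    day: date
    kind: str          # "pos" (point-of-sale purchase) or "atm" (cash withdrawal)
    amount: float
    country: str       # country where the transaction originated
    merchant_id: str
    cvv_read: str      # verification value read from the presented card's stripe


@dataclass
class CardProfile:
    card_id: str
    cvv_on_file: str                 # value the issuer encoded on the genuine card
    home_country: str = "US"
    avg_amount: float = 60.0         # typical ticket size learned from the cardholder's history
    spent_today: dict = field(default_factory=lambda: {"pos": 0.0, "atm": 0.0})
    last_day: Optional[date] = None

    def roll_day(self, day: date) -> None:
        """Reset the daily running totals when a new calendar day starts."""
        if self.last_day != day:
            self.spent_today = {"pos": 0.0, "atm": 0.0}
            self.last_day = day


def risk_score(tx: Transaction, profile: CardProfile) -> tuple:
    """Score one transaction in [0, 1]; each rule adds weight and records a reason."""
    profile.roll_day(tx.day)
    score, reasons = 0.0, []

    # Hard rules: the country/merchant blocks and daily limits the article mentions.
    if tx.country in BLOCKED_COUNTRIES:
        score += 1.0; reasons.append("blocked country")
    if tx.merchant_id in BLOCKED_MERCHANTS:
        score += 1.0; reasons.append("blocked merchant")
    if profile.spent_today[tx.kind] + tx.amount > DAILY_LIMITS[tx.kind]:
        score += 1.0; reasons.append(f"daily {tx.kind} limit exceeded")

    # CVV check: a cloned "white card" frequently lacks the genuine verification value.
    if tx.cvv_read != profile.cvv_on_file:
        score += 0.8; reasons.append("CVV mismatch")

    # Soft, habit-based rules of the kind a neural-network scorer learns from history.
    if tx.country != profile.home_country:
        score += 0.3; reasons.append("outside home country")
    if tx.amount > 5 * profile.avg_amount:
        score += 0.4; reasons.append("amount far above cardholder's average")

    return min(score, 1.0), reasons


def authorize(tx: Transaction, profile: CardProfile) -> tuple:
    """Real-time decision: block before the transaction settles, or approve and update totals."""
    score, reasons = risk_score(tx, profile)
    if score >= BLOCK_THRESHOLD:
        return "block", score, reasons
    profile.spent_today[tx.kind] += tx.amount
    # Slowly adapt the learned average toward the approved amount.
    profile.avg_amount = 0.9 * profile.avg_amount + 0.1 * tx.amount
    return "approve", score, reasons


def authorize_stream(txs: list, profile: CardProfile) -> list:
    """Process transactions in arrival order; each decision sees the effect of earlier approvals."""
    return [authorize(tx, profile)[0] for tx in txs]


# Constructed sample stream for one card (all values are made up for this example).
SAMPLE_STREAM = [
    Transaction("4111-demo", date(2007, 3, 1), "pos", 45.00, "US", "MERCH-7310", "123"),   # ordinary purchase
    Transaction("4111-demo", date(2007, 3, 1), "pos", 900.00, "ZZ", "MERCH-4420", "000"),  # cloned card abroad
    Transaction("4111-demo", date(2007, 3, 1), "atm", 400.00, "US", "ATM-0042", "123"),    # within ATM limit
    Transaction("4111-demo", date(2007, 3, 1), "atm", 200.00, "US", "ATM-0042", "123"),    # pushes over ATM limit
]

if __name__ == "__main__":
    profile = CardProfile(card_id="4111-demo", cvv_on_file="123")
    for tx in SAMPLE_STREAM:
        decision, score, reasons = authorize(tx, profile)
        print(f"{tx.kind:3} {tx.amount:8.2f} {tx.country} -> {decision} ({score:.1f}) {reasons}")
```

The point of `authorize_stream` is the contrast the article draws with older, part-time monitoring: because each decision is made before settlement and updates the running totals, the fourth transaction is refused on the daily ATM limit rather than being flagged after the cash has already been dispensed.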
Obviously, blocking all transactions would be the safest approach – but hardly what customers have in mind. Kenny said that financial institutions try to limit losses to one-tenth of 1 percent of gross purchases, which allows them to continue making a profit. Interchange fees – which are charged to merchants by card processors and financial institutions, and average $2 for each $100 purchase – also help. Financial institutions receive 70 percent to 90 percent of these fees – $21 to $27 billion in 2006, according to The Nilson Report.
While banks must write fraud off as an operating loss, credit unions used to be able to buy fraud insurance. But that cost is now "skyrocketing," according to Jim Morrell, vice president of support services and chief information officer at iQ Credit Union. Kenny explained why: when a credit union files a claim for a fraud loss, it gets reimbursed, but the next year its premiums and deductibles go up.
Weak spot is merchants
According to several bank and credit union executives, the weak spot in security is merchants who store card data permanently, in violation of VISA USA Inc. rules. Roger Michaelis, president and CEO of iQ Credit Union, said that VISA and MasterCard are reluctant to strictly enforce their data-storage rules because they fear it would impinge on the ubiquity of card acceptance. To make matters worse, when a data breach occurs, merchants often don’t notify financial institutions for three to six months.
In non-swipe transactions, such as online purchases, if there is a dispute, the financial institution can charge the disputed purchase back to the merchant. But in swipe transactions, if the merchant follows the rules by getting a signature, a financial institution cannot charge back the disputed purchase. Swipe transactions are more secure if they require a PIN – but not all merchants require this.
The U.S., said Michaelis, has been slow to adopt PIN-based technology, compared to other countries such as France, which has used secure cards based on biometrics and card chips for years.
In short, financial institutions have a financial incentive to minimize fraud, but merchants don’t. If a financial institution can prove a merchant didn’t follow the data-storage rules, they can file a VISA compliance claim – but the process can take more than seven months, and the average recouped amount is about $1 per compromised card – compared to $5 to $20 for blocking the old card and issuing a new one.
"Security protection will continue to be enhanced on the back-end processing side, but also (there will be) increased focus on enforcement of the rules that govern the acceptance of credit cards at merchants," Morrell said.
Kenny agreed, saying that "the industry has identified issues that need to be resolved – now we need to make people follow the rules and processes to reduce data accessibility."
The Massachusetts House of Representatives is considering a bill that proposes that companies whose security systems are breached assume full financial responsibility for fraud-related losses. The bill would also require retailers to positively identify all consumers. If it passes, the Massachusetts bill could serve as a model for other states.
In addition, Barney Frank, a U.S. Congressman from Massachusetts, is drafting a similar federal bill he expects to introduce to Congress in the next few months.
"Hopefully, things are going to turn with respect to storage of data," said Kidder.
Morrell identified another trend, stating that financial institutions are increasingly likely to hire programmers, software developers and network security experts.
"For the past six to 10 years, we have had to ensure we have top-notch technical support staff," said Morrell.
The Washington Data-Breach Notification Statute
Washington’s data-breach notification statute went into effect in July 2005. The law requires businesses that own or license computerized data that includes "personal information" to notify state residents if the data is reasonably believed to have been acquired by an unauthorized person. Delays that serve law enforcement are allowed. Individuals must be notified unless the cost of notification exceeds $250,000; in that case, the company can use email, post the information to a website, or notify statewide media.
If your business uses computerized personal information, it is recommended that you implement policies that regulate access to the data and require an audit of data access. Formal "incident response policies" may also be required, addressing who decides whether notification is appropriate and other related decisions.
You can find a comparison of all 35 state-level data-breach laws at the following URL: www.mintz.com/newsletter/2007/PrivSec-DataBreachLaws-02-07/state_data_breach_matrix.pdf.