Fraud & Identity Management


By: Matt Sifferlen

Ah, fraudulent behavior is currently enjoying a bright shiny moment in the sun in today's pop culture, particularly in the world of sports. Whether it's a college athlete being duped for months by telephone conversations with a non-existent girlfriend, or the world's best known cyclist coming clean on a lifetime of deceit, in both cases we're left shaking our heads and laughing, crying, or cringing while telling ourselves "I'm glad I'm too smart to fall for any of this." But are you just kidding yourself?

In the case of the college football player, most of us have been scratching our heads wondering how any adult could possibly get strung along for such an extended period of time by such a scam. But if you take a closer look at the interaction between the athlete and the fraudster, you'll see that the fraudster deployed some typical tactics that allowed him to keep the scam living and breathing. In particular, he continuously kept communicating with the athlete via phone and social media, reinforcing the perception that he's aboveboard and genuinely interested in the athlete's life. We see this in commercial fraud interactions too, where the commercial fraudster will perform expected, normal tasks and activities (e.g. making small payments on loans, placing phone calls to lender support staff) that will reinforce the lender's perception that the fraudster is just another normal client. But unlike the athlete's scenario where the fraudster's story unraveled due to no logical conclusion being planned, commercial fraudsters will string lenders along until they get what they want -- then they vanish. Lenders can't get too complacent in their fraud prevention efforts, assuming that the mere presence of normal account activity equates to a validation of a client's authenticity. To complicate things, while electronic communication methods like text messages, emails, and Twitter or Facebook messages offer many convenience advantages, they are ripe for manipulation by fraudsters who certainly find these methods preferable to any awkward face to face encounters with someone they're victimizing.

The cyclist that admitted to a lifetime of lies also shines the light on some other tactics that commercial fraudsters might use -- using perceived image and reputation to deceive. Fraudsters will often steal identities of licensed professionals (think physicians, dentists) with favorable credit profiles and use their information to apply for commercial credit or services, knowing that they will likely be viewed favorably due to their impressive profiles, at least on paper. In today's world where lightly staffed underwriting teams struggle to keep up with their workloads, it's easy to see why this tactic can help increase the odds that an application might escape closer scrutiny. After all, it's a doctor's office so what could possibly go wrong? A lot, if you're approving someone who really isn't the doctor! An objective evaluation and screening process where underwriting and analyst staff consistently verify all applicant data and not just cherry pick the ones that look suspicious on paper can go a long way towards avoiding this typical trap set by commercial fraudsters.

And in the final scenario of art imitating life, there is the recent release of a major motion picture comedy about identity theft. I'm sure anyone who has been a victim of identity theft won't find hilarity in the scenes of the victim's life getting turned upside down, suddenly unable to use his credit cards at the gas station and being asked about transactions that took place somewhere else in the country that he's never visited. But undoubtedly many folks will find this humor hilarious because we probably know of some horror story that a friend or acquaintance has shared with us that is similar to one of the wacky scenarios covered in this movie. So we'll laugh and take comfort in the fact that we're too smart to get scammed like this, but if the FTC is stating that identity theft will affect 1 in 6 people each year then we're fooling ourselves in thinking that our number won't be up at some point soon.

So what can be learned from these high profile pop culture events? I think a couple things. First, know your customers (or athletes, heroes, girlfriends). It sounds simple, but make sure they are who they say they are. Whether you're lending to a business or a consumer, there are tools out there that can enable you to objectively screen your applicants and minimize any bias that might get exploited by fraudsters in a manual review heavy process. If you're not cautious and get burnt, you might not have to go on Oprah or Dr. Phil to explain to your management team where things went horribly wrong, but the level of financial and reputational damage inflicted could be a painful lesson for you and your institution. Or if you're really (un)lucky, maybe they'll make a movie about your story -- wouldn't that be hilarious? (sarcasm intended)

Published: June 7, 2013 by Guest Contributor

By: Maria Moynihan

Cybersecurity, identity management and fraud are common and prevalent challenges across both the public sector and private sector. Industries as diverse as credit card issuers, retail banking, telecom service providers and eCommerce merchants are faced with fraud threats ranging from first party fraud, commercial fraud to identity theft. If you think that the problem isn't as bad as it seems, the statistics speak for themselves:

- Fraud accounts for 19% of the $600 billion to $800 billion in waste in the U.S. healthcare system annually
- Medical identity theft makes up about 3% of 8.3 million overall victims of identity theft
- In 2011, there were 431 million adult victims of cybercrime in 24 countries
- In fiscal year 2012, the IRS’ specialized identity theft unit saw a 78% spike from last year in the number of ID theft cases submitted

The public sector can easily apply the same best practices found in the private sector for ID verification, fraud detection and risk mitigation. Here are four sure fire ways to get ahead of the problem:

- Implement a risk-based authentication process in citizen enrollment and account management programs
- Include the right depth and breadth of data through public and private sources to best identity proof businesses or citizens
- Offer real-time identity verification while ensuring security and privacy of information
- Provide a Knowledge Based Authentication (KBA) software solution that asks applicants approved random questions based on “out-of-wallet” data

What fraud protection tactics has your organization implemented? See what industry experts suggest as best practices for fraud protection and stay tuned as I share more on this topic in future posts. You can view past Public Sector blog posts here.

Published: May 28, 2013 by Guest Contributor

As we prepare to attend next week’s FS-ISAC & BITS Summit we know that the financial services industry is abuzz about massive losses from the ever-evolving attack vectors including DDoS, Malware, Data Breaches, Synthetic Identities, etc. Specifically, the recent $200 million (and counting) in losses tied to a sophisticated card fraud scheme involving thousands of fraudulent applications submitted over several years using synthetic identities. While the massive scale and effectiveness of the attack seems to suggest a novel approach or gap in existing fraud prevention controls, the fact of the matter is that many of the perpetrators could have been detected at account opening, long before they had an opportunity to cause financial losses. Synthetic identities have been a headache for financial institutions for years, but only recently have criminal rings begun to exploit this attack vector at such a large scale. The greatest challenge with synthetic identities is that traditional account opening processes focus on identity verification compliance around the USA PATRIOT Act and FACT Act Red Flags guidance, risk management using credit bureau scores, and fraud detection using known fraudulent data points. A synthetic identity ring simply sidesteps those controls by using new false identities created with data that could be legitimate, have no established credit history, or slightly manipulate elements of data from individuals with excellent credit scores. The goal is to avoid detection by “blending in” with the thousands of credit card, bank account, and loan applications submitted each day where individuals do not have a credit history, where minor typos cause identity verification false positives, or where addresses and other personal data does not align with credit reports. 
Small business accounts are an even easier target, as third-party data sources to verify their authenticity are sparse even though the financial stakes are higher with large lines of credit, multiple signors, and complex (sometimes international) transactions. Detecting these tactics is nearly impossible in a channel where anonymity is king — and many rings have become experts on gaming the system, especially as institutions continue to migrate the bulk of their originations to the online channel and the account opening process becomes increasingly faceless. While the solutions described above play a critical role in meeting compliance and risk management objectives, they unfortunately often fall short when it comes to detecting synthetic identities. Identity verification vendors were quick to point the finger at lapses in financial institutions’ internal and third-party behavioral and transactional monitoring solutions when the recent $200 million attack hit the headlines, but these same providers’ failure to deploy device intelligence alongside traditional controls likely led to the fraudulent accounts being opened in the first place. With synthetic identities, elements of legitimate creditworthy consumers are often paired with other invalid or fictitious applicant data so fraud investigators cannot rely on simply verifying data against a credit report or public data source. In many cases, the device used to submit an application may be the only common element used to link and identify other seemingly unrelated applications. Several financial institutions have already demonstrated success at leveraging device intelligence along with a powerful risk engine and integrated link analysis tools to pinpoint these complex attacks. In fact, one example alone spanned hundreds of applications and represented millions of dollars in fraud saves at a top bank. 
The recent synthetic ring comprising over 7,000 false identities and 25,000 fraudulent cards may be an extreme example of the potential scope of this problem; however, the attack vector will only continue to grow until device intelligence becomes an integrated component of all online account opening decisions across the industry. Even though most institutions are satisfying Red Flags guidance, organizations failing to institute advanced account opening controls such as complex device intelligence can expect to see more attacks and will likely struggle with higher monetary losses from accounts that never should have been booked.

Published: April 23, 2013 by Mike Gross
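
The post above argues that the submitting device may be the only element tying together applications whose identity data all looks unrelated. The sketch below is an added example, not code from the original post or from any vendor's product: it clusters applications that share a device or phone value (transitively) and flags clusters carrying many distinct identities. The records, field names and the `min_identities` threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data: all names, numbers and device IDs are invented.
# "device_id" stands in for whatever fingerprint a device-intelligence
# service returns; the field names are assumptions, not a vendor schema.
APPLICATIONS = [
    {"app_id": "A1", "name": "Dana Reyes", "ssn_last4": "1122",
     "phone": "555-0101", "device_id": "dev-7f3a"},
    {"app_id": "A2", "name": "Luis Ortega", "ssn_last4": "3344",
     "phone": "555-0102", "device_id": "dev-7f3a"},
    {"app_id": "A3", "name": "Mina Patel", "ssn_last4": "5566",
     "phone": "555-0102", "device_id": "dev-c910"},
    {"app_id": "A4", "name": "Owen Clarke", "ssn_last4": "7788",
     "phone": "555-0104", "device_id": "dev-c910"},
    # A household sharing one computer: linked, but only two identities.
    {"app_id": "B1", "name": "Ann Kowalski", "ssn_last4": "9001",
     "phone": "555-0200", "device_id": "dev-home"},
    {"app_id": "B2", "name": "Tom Kowalski", "ssn_last4": "9002",
     "phone": "555-0200", "device_id": "dev-home"},
    {"app_id": "C1", "name": "Rae Lindqvist", "ssn_last4": "4410",
     "phone": "555-0300", "device_id": "dev-solo"},
]

LINK_KEYS = ("device_id", "phone")


def _find(parent, x):
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def cluster_applications(apps, link_keys=LINK_KEYS):
    """Group applications that share any link-key value, transitively."""
    parent = {a["app_id"]: a["app_id"] for a in apps}
    first_seen = {}  # (key, value) -> first application that used it
    for app in apps:
        for key in link_keys:
            value = app.get(key)
            if not value:
                continue  # a missing attribute cannot link anything
            owner = first_seen.setdefault((key, value), app["app_id"])
            root_a = _find(parent, owner)
            root_b = _find(parent, app["app_id"])
            if root_a != root_b:
                parent[root_b] = root_a
    clusters = defaultdict(list)
    for app in apps:
        clusters[_find(parent, app["app_id"])].append(app)
    return list(clusters.values())


def flag_rings(apps, min_identities=3):
    """Return clusters whose distinct-identity count reaches the threshold."""
    findings = []
    for cluster in cluster_applications(apps):
        identities = {(a["name"], a["ssn_last4"]) for a in cluster}
        if len(identities) < min_identities:
            continue  # e.g. a family sharing one device
        findings.append({
            "app_ids": sorted(a["app_id"] for a in cluster),
            "identities": len(identities),
            "devices": sorted({a["device_id"] for a in cluster}),
        })
    return findings


if __name__ == "__main__":
    for ring in flag_rings(APPLICATIONS):
        print(ring)
```

Each of the four "A" applications would pass a per-application check in isolation; only the shared device and phone values connect them, while the two-person household stays below the threshold.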

By: Maria Moynihan

State and Federal agencies are tasked with overseeing the integration of new Health Insurance Exchanges and with that responsibility comes the effort of managing information updates, ensuring smooth data transfer, and implementing proper security measures. The migration process for HIEs is no simple undertaking, but with these three easy steps, agencies can plan for a smooth transition:

Step 1: Ensure all current contact information is accurate with the aid of a back-end cleansing tool. Back-end tools clean and enhance existing address records and can help agencies to maintain the validity of records over time.

Step 2: Duplicate identification is a critical component of any successful database migration - by identifying and removing existing duplicate records, and preventing future creation of duplicates, constituents are prevented from opening multiple cases, thereby reducing the probability for fraud.

Step 3: Validate contact data as it is captured. This step is extremely important, especially as information gets captured across multiple touch points and portals. Contact record validation and authentication is a best practice for any database or system gateway.

Agencies and those particularly responsible for the successful launches of HIEs are expected to leverage advanced technology, data and sophisticated tools to improve efficiencies, quality of care and patient safety. Without accurate, standard and verified contact information, none of that is possible. Access the full Health Insurance Exchange Toolkit by clicking here.

Published: April 3, 2013 by Guest Contributor

According to a recent Ponemon Institute study, 65 percent of study participants say their organization has had a data breach in the past two years involving consumer data outsourced to a third party. Most of these are preventable, as employee negligence accounts for 45 percent of data breaches and lost or stolen devices account for 40 percent.

Published: March 3, 2013 by admin

Each year, more than $1 billion is stolen from accounts at small and mid-sized banks across the U.S. and Europe. Unless the nature of the threat is recognized and addressed, this amount will only continue to grow.

This week, we released our latest webinar, Fraud Moving Downstream: Navigating Through the Rough Waters Ahead. Julie Conroy, research director at Aite Group, and I team together to address this growing risk for regional and mid-sized banks, providing an overview of the current threat landscape and explaining how the existing conditions are creating the perfect storm for fraudsters.

Key topics discussed in this webinar include:

- How Regional Banks are Enhancing Online Offerings: Regional banks are responding to customer demand for more offerings, especially mobile banking options, which exposes them to new threats.
- The Rise in Sophisticated Fraud Attacks: Fraud rings and other new attack types (malware, man-in-the-middle, man-in-the-browser, etc.) are occurring at a higher rate than ever and pose serious threats to regional banks that lack strong, multi-layered defenses.
- Regional Banks’ Lack of Resources: Second and third tier banks have less manpower and less sophisticated solutions in place, which makes reviewing transactions and identifying repeat and cross-channel attacks incredibly difficult.

You can access the on-demand webinar here. Also be sure to check out our infographic that illustrates this growing threat of fraud for small and mid-size banks, found here.

Published: February 19, 2013 by David Britton

MCX – MerChants reduX

The post that follows is a collection of thoughts around MCX, why it deserves respect, and yet how it is indeed mortal and bleeds like all others.

For those who are not familiar with MCX – it’s a consortium of over 30 leading national retailers with a singular purpose – that is, to create a seamlessly integrated mobile commerce platform. The website for MCX is http://www.mcx.com. The consortium is led by merchants like Walmart, Target, CVS, BestBuy, Gap, Sears etc.

By 2012, the mobile payments space was fragmented as it is, which itself may have precipitated the launch of MCX. And to a number of solutions looking for traction, things ground to a halt when MCX conceptualized to the merchants a solution that needed no costly upgrades and a promise to route the transaction over low cost routing options. My friends on the issuer side privately confide that MCX has in fact succeeded in throwing a monkey wrench in their mobile payment plans – and merchant acceptance looks to be ambiguous around incumbent initiatives such as Isis and GoogleWallet, as well as for alternative payment initiatives. It had been easy to call it mere posturing and ignore it in the early days, but of late there is a lot of hand wringing behind the scenes and too many furrowed brows, as if the realization finally struck that merchants were indeed once again crucial to mobile payment adoption.

MCX – Its raison d’etre

Meanwhile, the stakeholders behind MCX have been religious in their affirmation that MCX lives by two core tenets: First, it aims to drastically reduce payment acceptance costs through any and all means and Secondly – keep merchant data firmly within their purview.
I can’t seem to think that the latter was any more than an afterthought, because merchants individually can choose to decide if they wish to share customer preferences or Level III data with third parties, but they need all the collective clout they can muster to push networks and issuers to agree to reduce card acceptance costs. So if one distils MCX down to its raison d’etre, then it looks that it is aimed squarely at No.1. Which is fair when you consider that the merchants believe card fees are one of their biggest operating expenses. In 2007, 146,000 convenience stores and gas stations nationwide made a total of $3.4B in profits, yet they paid out $7.6B in card acceptance costs (Link).

And MCX is smart to talk about the value of merchant data, the need to control it, yada yada yada. But if that were indeed more important, Isis could have been the partner of choice – someone who would treat customer and transaction data as sacrosanct and leave it behind for the merchants to fiddle with (vs. GoogleWallet’s mine..mine..mine.. strategy). But the same way HomeDepot was disappointed when they first saw GoogleWallet – no interchange relief, incremental benefits at the point-of-sale, and swoops all their data in return, Isis also offers little relief to MCX or its merchants, even without requiring any transaction or SKU level data in return.

Does it mean that Carriers have no meaningful role to play in commerce? Au contraire. They do. But it’s around fraud and authentication. It’s around Identity. And creating a platform for merchants to deliver coupons, alerts to opted-in customers. But they seem to be stuck imitating Google in figuring out a play at the front end of the purchase funnel, to become a consumer brand.
The last thing they want to do is leave it to Apple to figure out the “Identity management” question, which the latter seems best equipped to answer by way of scale, the control it exerts in the ecosystem, its vertical integration strategy that allows it to fold in biometrics meaningfully into its lineup, and to start with its own services to offer customer value.

Did we say Apple?

It’s a bit early to play fast and loose with Apple predictions, but its Authentec acquisition should rear its head sometime in the near future (2013 – considering Apple’s manufacturing lead times), that a biometric solution packaged neatly with an NFC chip and secure element could address three factors that have held back customer adoption of biometrics:

- Ubiquity of readers
- Issues around secure local storage and retrieval of biometric data
- Standardization in accessing and communicating said data

An on-chip secure solution to store biometric data – in the phone’s secure element – can address qualms around a central database of biometric data open to all sorts of malicious attacks. Standard methods to store and retrieve credentials stored in the SE will apply here as well.

Why NFC? If NFC was originally meant to seamlessly and securely share content, what better way to sign that content, to have it be attributable to its original author, or to enforce one’s rights to said content – than to sign it with one’s digital signature. Identity is key, not just when enforcing digital rights management on shared content, but also to secure commerce and address payment/fraud risk.

Back to MCX.

The more I read the more it seems MCX is trying to imitate Isis in competing for the customer mindshare, in attempting to become a consumer brand – than simply trying to be a cheaper platform for payment transactions.
As commerce evolved beyond being able to be cleanly classified under “Card Present” and “Card Not Present” – as transactions originate online but get fulfilled in stores, merchants expect rules to evolve alongside reality. For example, when customers are able to order online, but pick up in-store after showing a picture ID, why would merchants have to pay “Card not Present” rates when risk is what we attribute higher CNP rates to, and why is there an expectation of the same amount of risk even in this changed scenario? And beyond, as technology innovation blurs the lines that neatly categorized commerce, where we replace “Card Present” with “Mobile Present”, and mobile carries a significant amount of additional context that could be scored to address or quantify risk, why shouldn’t it be? It’s a given that networks will have to accommodate for reduced risk in transactions where mobile plays a role, where the merchant or the platform enabling the transaction can meaningfully use that context to validate customer presence at the point-of-sale – and that they will expect appropriate interchange reduction in those scenarios.

MCX – A brand like Isis or a platform?

But when reading portions of the linked NRF blog, and elsewhere – it reflects a misplaced desire on MCX’s part to become a consumer facing solution – an app that all MCX partners will embrace for payment. This is so much like the Isis solution of today – that I have written about – and why it flies in the face of reason. Isis – the nexus between Carriers and FI’s – is a powerful notion, if one considers the role it could play in enabling an open platform – around provisioning, authentication and marketing.
But for that future to materialize, Isis has to stop competing with Google, and must accept that it has little role to play by itself at the front end of the funnel, and must recede to its role of an enabler – one that puts its partner FI brands front and center, allows Chase’s customers to pay using Chase’s mobile app instead of Isis, and drives down the fraud risk at the point of sale by meaningfully authenticating the customer via his location and mobile assets Carriers control, and further – the historical data they have on the customer. It’s those three points of data and the scale Isis can bring, that puts them credibly in the payments value chain – not the evaporating control around the Secure Element.

In the same vein, the value MCX brings to merchants – is the collective negotiating power of over 30 national merchants. But is it a new consumer brand, or is it a platform focused on routing the transaction over the least cost routing option? If it’s the latter, then it has a strong parallel in Paypal. And as we may see Paypal pop-up as legal tender in many a retailer’s mobile apps and checkout aisles going forward, MCX is likely to succeed by emulating that retailer aligned strategy than follow a brand of its own. Further, if MCX wants customers to pay using less costly means – whether they be private label, prepaid or ACH – then it and its partners must do everything they can to shift the customer focus away from preferred payment methods and focus on the customer experience and resulting value around loyalty. MCX must build its value proposition elsewhere, and make their preferred payment methods the bridge to get the customer there.

Another example where the retailer focused too much on the payment, and less so on the customer experience is the Safeway Fast Forward program. The value proposition is clear for the customer – Pay using your Safeway Fast Forward card number and a self assigned PIN for simpler checkout.
However, to set up your account, the customer must provide a State issued ID (Drivers License) and on top of it – his Social Security Number (Safeway Fast Forward Requirements Here). What customer would, for the incremental convenience of paying via his Fast Forward Card and PIN, be willing to entrust Safeway with his Social Security Number? Clearly Safeway’s Risk team had a say in this and instead of coming up with better ways to answer questions around Risk and Fraud, they introduced a non-starter, which killed any opportunity for meaningful adoption.

MCX & adoption

So where does that leave MCX? Why will I use it? How will it address questions around adoption? It’s a given that it will have to answer the same questions around fraud and authentication during customer on-boarding or at a transactional level. Further, it’s not enough these days to simply answer questions pertaining to the customer. Further, one must address questions relating to the integrity and reputation of the device the customer uses – whether that be a mobile device or a Laptop PC. But beyond fraud and auth, there are difficult questions around what would compel a techno-luddite who has historically paid using a credit instrument to opt for an ACH driven (I am guessing) MCX payment scheme.

Well, for one: MCX and its retail partners can control the purchasing power parity of MCX credits. If they so wish, and after aggregating customer profiles across retailers, MCX determines that the Addams family spends a collective $400 on average per month between all the MCX retailers. MCX could propose that if instead, the Addams family were to commit to buy $450 in MCX credits each month, they could increase their purchasing power an additional $45 credits that could be used on specific retail categories (or flat out across all merchandise)? Would Morticia be interested? If she did, what does that mean to MCX?
It eliminated having to pay interchange on approx $500, and further it enabled its partners to capture an incremental spend of 10% that did not exist before. Only merchants will be able to pull this off – by leveraging past trends, close relationships with CPG manufacturers and giving Morticia new reasons to spend in the manner they want her to. But then again, where does MCX stop in providing a level playing field for its partners, and step back – so that merchants can start to compete for their customers and their spend? And finally, can it survive the natural conflicts that will arise, and limit its scope to areas that all can agree – for long enough for it to take root? Should MCX become the next Isis or the next Paypal? Which makes most sense? What do you think? Please leave your opinions below... (This blog post is an adaptation of its original post found - http://www.droplabs.co/?p=662)  

Published: January 25, 2013 by Cherian Abraham

By: Maria Moynihan

Fact: In fiscal year 2011, the federal government allocated ~$608M to investigate and prosecute cases of alleged fraud in health care programs

Fact: Medicare and Medicaid related scams cost taxpayers more than $60B a year

These statistics are profound, especially when so many truly need–and rightfully deserve–access to health benefits. To make the facts a bit more tangible, how would you feel if you heard that neighbors of yours were submitting claims to Medicare for treatments that were never provided? In essence, you’ve got thieves for neighbors, don’t you?

Thankfully, government agencies are responding. Even while being challenged with reduced budgets and limited resources, they are investing in efficient processes, advanced data, analytics and decisioning tools to improve their visibility into individuals at the point of application. By simply making adjustments to one or all of these areas, agencies can pinpoint whether or not individuals are who they say they are. Only with precision, relevancy, and efficiency of information, can fraud and abuse be curtailed.

Below are a few examples of how to improve your eligibility systems or processes today. Or, simply download the Issue Brief, Beyond Traditional Eligibility Verification, for more detail.

- Use scores, models, and screening questions to assess a beneficiary’s true identity or level of identity fraud risk.
- Use income and asset estimation models to compare to stated income as a validation step in determination of benefits eligibility.
- Create a single system for automatic identification and verification of beneficiaries and businesses applying for service.
- Tighten controls around business identity to weed out fraud rings, syndicates and other forms of business fraud.

The Bottom Line: Only with process, information, or system improvements, can government agencies move the needle on the growing and pressing issue of fraud and abuse.

Published: January 8, 2013 by Guest Contributor

By: Maria Moynihan

Cyber Monday recently passed and I'm curious to know if you were one of the many who contributed to the $1.465 billion spend online that day? ‘Tis the season - not only for increased online shopping, but for increased ID theft or risk of fraudulent activity. With a quick online search, you can find some good tips on how to protect your information. Here’s a great read on password protection. Other sources offer added tips, like the below, when submitting information online:

1) Ensure sensitive information is secure before submitting
2) Only access websites you know you can trust
3) Be sure you are comfortable with the information your mobile device is asking you to provide in specific apps

Beyond the holidays and even beyond the type of organization you are interacting with, these online tips apply. Government agencies for instance, encourage similar cautionary behavior when interacting with them. In fact, several have even implemented tools and processes to ensure the proper level of information security, authentication, and checking occur.

Take the Social Security Administration for example. Here is an agency that implemented a secure process for individuals to access their benefits online. By incorporating a step to quickly and efficiently cross check an individual’s identity, the agency was able to validate information, ensuring people seeking access to their information are truly who they say they are. Watch a video to see how the Social Security Administration offers secure real-time access to individuals’ benefits.

And, most importantly, keep these important information safety tips in mind every day and enjoy a stress-free and peaceful holiday!

Published: December 18, 2012 by Guest Contributor

Six states are the top producers of turkeys: Minnesota at 46 million, North Carolina at 36 million, Arkansas at 29 million, Missouri at 17.5 million, Virginia at 17 million and Indiana at 16.5 million. This accounts for nearly two-thirds of turkeys produced in the United States as of September 2012. The average wholesale price for frozen whole turkey during fourth-quarter 2012 is projected to range from $1.10 to $1.14 per pound -- similar to the 2011 fourth-quarter average price of $1.11 per pound. The average retail price for whole frozen turkeys in September 2012 was $1.62, about 6 cents lower than the average retail price for whole frozen turkeys in September 2011. Source: National Agricultural Statistics Service (NASS), Agricultural Statistics Board and United States Department of Agriculture (USDA).

Published: November 26, 2012 by admin

According to a recent Ponemon Institute study, 44 percent of consumers who were notified about a data breach believed the breached company was hiding something. When data breaches occur, it is extremely important to be there for customers and to address their concerns. When companies hide a data breach, impacted consumers begin to suspect the breach is actually much worse than the company claims, and trust in the organization begins to wane. Find out more by downloading the data breach case study of lessons learned from the field.

Published: November 18, 2012 by admin

I'm here in Vegas at the Mobile2020 conference and I am fascinated by my room key. This is not the usual “insert into the slot, wait for it to turn green or hear it chime” key card; these are “tap and hold to a door scanner till the door opens” RFID key cards. It is befitting the event I am about to attend – Money2020 – the largest of its kind bringing together over 2000 mobile money aficionados, strategists and technologists from the world over for a couple of days to talk about how payment modalities are shifting and the impact of these shifts to existing and emerging players. Away from all the excitement of product launches, I hope some will be talking about one of the major barriers for consumer adoption towards alternate payment modalities such as mobile – security and fraud.

I was in Costa Mesa last week and in the process of buying something for my wife with my credit card, triggered the card fraud alert. My card was declined and I had to use a different card to complete my transaction. As I was walking out, my smartphone registered a text alert from the card issuer – asking me to confirm that it was actually I who attempted the transaction. And if so, respond by texting 1 – if Yes, or 2 – if No. All good and proper up till this point. If someone had stolen my card or my identity, this would have been enough to stop fraud from re-occurring. In this scenario the payment instrument and the communication device were separate – my plastic credit card and my Verizon smartphone.

In the next couple of years, these two will converge, as my payment instrument and my smartphone will become one. At that point, will the card issuer continue to send me text alerts asking for confirmation? If instead of my wallet, my phone was stolen – what good will a text alert to that phone be in preventing the re-occurrence of fraud?
Further, if one card was shut down, the thief could move to other cards within the wallet – if, just as today, there are no frameworks for fraud warnings to permeate across other cards within the wallet. Further, fraud liability is about to shift to the merchant with the 2013 EMV Mandate.

In recent years, there has been significant innovation in payments – to the extent that we have a number of OTT (Over the Top) players, unencumbered by regulation, who have been able to sidestep existing players – issuers and card networks – in positioning mobile as the next stage in the evolution of payments. Google, PayPal, Square, Isis (a carrier consortium formed by Verizon, T-Mobile and AT&T), and a number of others have competing solutions vying for customer mind share in this emerging space. But when it comes to security, they all revert to a 4-digit PIN – what I call the proverbial fig leaf in security. Here we have a device that offers a real-time context – whether it be temporal, social or geo-spatial – all inherently valuable in determining customer intent and fraud, and yet we feel it's adequate to stay with the PIN, a relic as old as the payment rails these newer solutions are attempting to displace.

Imagine what could have been – in the previous scenario where, instead of reaching for my card, I reach for my mobile wallet. Upon launching it, the wallet, leveraging the device context, determines that it is thousands of miles away from the customer’s home and should score the fraud risk and appropriately ask the customer to answer one or more “out-of-wallet” questions that must be correctly answered. If the customer fails, or prefers not to, the wallet can suggest alternate ways to authenticate – including IVR. Based on the likelihood of fraud, the challenge/response scenario could include questions about open trade lines or simply the color of her car.
Will the customer appreciate this level of pro-activeness on the issuer’s part to verify the legality of the transaction? Absolutely. Merchants, who so far have been on the sidelines of the mobile payment euphoria, but for whom fraud is a real issue affecting their bottom line, will also see the value. The race to mobile payments has been all about quickly shifting spend from plastic to mobile, and incenting that by enabling smartphones to store and deliver loyalty cards and coupons. The focus needs to shift to, or to include, how smartphones can be leveraged to address and reduce fraud at the point of sale – by bringing together the context of the device and a real-time channel for multi-factor authentication.

It’s relevant to talk about Google Wallet (in its revised form) and fraud in this context. Issuers have been up in arms, privately and publicly, about how Google displaces the issuer from the transaction by inserting itself in the middle and settling with the merchant prior to firing off an authorization request to the issuer on the merchant’s behalf. Issuers are worried that this could wreak havoc with their inbuilt fraud measures, as the authorization request will be masked by Google and could potentially result in the issuer failing to catch fraudulent transactions. Google has been assuaging issuers’ fears on this front, but has yet to offer something substantial – as it clearly does not intend to revert to where it was prior – having no visibility into the payment transaction (read my post here). This is clearly shaping up to be an interesting showdown – would issuers start declining transactions where Google is the merchant of record? And how much more risk is Google willing to take, to become the entity in the middle?

This content is a re-post from Cherian's personal blog: http://www.droplabs.co/?p=625

Published: October 21, 2012 by Cherian Abraham

By: Ken Pruett

The great thing about being in front of customers is that you learn something from every meeting. Over the years I have figured out that there is typically no “right” or “wrong” way to do something. Even in the world of fraud and compliance I find that each client's approach varies greatly. It typically comes down to what the business need is in combination with meeting some sort of compliance obligation like the Red Flag Rules or the Patriot Act.

For example, the trend we see in the prepaid space is that basic verification of common identity elements is really the only need. The one exception might be the use of a few key fraud indicators like a deceased SSN. The thought process here is that the fraud risk is relatively low vs. someone opening up a credit card account. So in this space, pass rates drive the business objective of getting customers through the application process as quickly and easily as possible... while meeting basic compliance obligations.

In the world of credit, fraud prevention is front and center and plays a key role in the application process. Our most conservative customers often use the traditional bureau alerts to drive fraud prevention. This typically creates high manual review rates but they feel that they want to be very customer focused. Therefore, they are willing to take on the costs of these reviews to maintain that focus. The feedback we often get is that these alerts often lead to a high number of false positives. Examples of messages they may key off of are things like the SSN not being issued or the On-File Inquiry address not matching.

The trend in this space is typically focused on fraud scoring. Review rates are what drive score cut-offs leading to review rates that are typically 5% or less. Compliance issues are often resolved by using some combination of the score and data matching.
For example, if there is a name and address mismatch that does not necessarily mean the application will kick out for review. If the Name, SSN, and DOB match... and the score shows very little chance of fraud, the application can be passed through in an automated fashion. This risk-based approach is typically what we feel is a best practice. This moves them away from looking at the binary results from individual messages like the SSN alerts mentioned above.

The bottom line is that everyone seems to do things differently, but the key is that each company takes compliance and fraud prevention seriously. That is why meeting with our customers is such an enjoyable part of my job.

Published: August 19, 2012 by Guest Contributor

Last week, a group of us came together for a formal internal forum where we had the opportunity to compare notes with colleagues, hear updates on the challenges clients are facing and brainstorm solutions to client business problems across the discipline areas of analytics, fraud and software.

As usual, fraud prevention and fraud analytics were key areas of discussion, but what was also notable was how big a role compliance is playing as a business driver. First party fraud and identity theft detection are important components, sure, but as the Consumer Financial Protection Bureau (CFPB) gains momentum and more teeth, the demand for compliance accommodation and consistency grows critical as well.

The role of good fraud management is to help accomplish regulatory compliance by providing more than just fraud risk scores; it can help to:

- Know Your Customer (KYC) or Customer Information Program (CIP) details such as the match results and level of matching across name, address, SSN, date of birth, phone, and Driver’s License.
- Understand the results of checks for high risk identity conditions such as deceased SSN, SSN more frequently used by another, address mismatches, and more.
- Perform a check against the Office of Foreign Assets Control’s SDN list and the details of any matches.

And while some fraud solutions out there make use of these types of comparisons when generating a score or decision, they may not pass these along to their customers. And just think how valuable these details can be for both consistent compliance decisions and creating an audit trail for any possible audits.

Published: August 7, 2012 by Matt Ehrlich

Consumers want to hear about data breaches

Eighty-five percent of respondents in a recent study say learning about the loss of their data is pertinent to them. However, when they do, 72 percent indicated that they are dissatisfied with the notification letters they receive. Companies need to take note of these findings because more than one-third of consumers who receive a notification letter contemplate ending their relationship with the company. Providing affected individuals with a membership in an identity protection product is extremely important since 58 percent of consumers consider identity protection to be favorable compensation after a breach. Learn five pitfalls to avoid in your notification letters and how Experian Data Breach Resolution can help. Source: Download the complete 2012 consumer study on data breach notification.

Published: August 1, 2012 by admin
