Top 4 Debit Fraud Risks
POS Attacks, Skimming Top List of Most Common Threats
Fraudsters are targeting smaller merchants and institutions at an alarming rate, says Mike Urban, senior director of global fraud solutions for FICO, which provides fraud analytics and detection technology. "What we're seeing is the criminals hacking into those merchants because they have much less security than a major processor," he says.
And while card issuers offer some protections, most safeguards are limited. "There's significant compromise out there," Urban says.
The top four debit fraud threats include:
- Merchant Compromises - Small merchants often have weaker security measures, so it's easy for hackers to infiltrate or compromise their POS systems. One way small merchants can improve security is by understanding and complying with the Payment Card Industry Data Security Standard. The PCI Internal Security Assessor Program, for example, offers PCI-led training and education about compliance and security requirements.
- Social Engineering - Obtaining bank account numbers is only a piece of the puzzle. Cybercriminals are relying more heavily on social engineering to con online users into giving up secure card information. CVV2 data, the so-called secure code on the backs of most debit and credit cards used for authorizing transactions, is commonly sought by cyberthieves during socially engineered attacks. Phishing and smishing are the most commonly used schemes to gain cardholder information.
Legitimate institutions should never ask for passwords and other sensitive information via e-mail or text messaging.
- Card-not-Present Fraud - After collecting CVV data, cybercriminals have all they need to conduct card-not-present fraud, which is typically perpetrated through online and/or telephone purchases. Most banking institutions and merchants don't have authentication measures, such as multifactor or out-of-band, strong enough to detect fraudulent card-not-present transactions. Detection and monitoring for cardholder behavior that falls outside the norm is critical when it comes to preventing debit fraud.
Card issuers also need to get consumers involved in second-layer transaction approval. "If it's not you or the bank can't reach you, then the transaction [should] not be approved," says Phil Blank, member of Javelin Strategy & Research's Security, Risk and Fraud Practice. "The mobile channel could be used to send alerts to customers about card transactions. Not enough is being done in that area."
- Card Skimming - ATMs are still popular targets for fraudsters. Criminals place skimming devices over card readers and then collect PINs by shoulder surfing or using cameras. Some are even skimming card details from access panels on vestibule doors, as consumers swipe ATM/debit cards to enter and use the ATM.
PIN pads at retail locations are another target. Criminals have historically targeted POS PIN pads by swapping or switching them out with pads that have been manipulated or altered to collect card details and PINs as they're entered. [See: Michaels Breach: 4 Suspects Sought.]
Simple solutions, such as the placing of decals, regular inspections and customer and employee education, can aid in the protection of ATMs and PIN pads.
"It's really a confluence of compromises coming together," Urban says. Fraudsters are going after mag-stripe data as well as PIN- and signature-debit transactions. And by targeting smaller merchants and banking institutions, "we're seeing escalating debit card fraud."
Fight Back: Combating Debit Fraud
Real-time fraud detection and behavioral analytics are essential to curbing debit fraud. "Sometimes financial institutions will question, 'Do I need to implement real-time fraud detection on a PIN portfolio?'" Urban asks. "I think as criminals are pushing in all directions, that's really a 'yes.'"
Gartner's Avivah Litan says detection is an important step. "In general, what's being done is much better fraud detection systems, payer authentication, cardholder authentication and [a migration to] chip cards," Litan says.
Another area that needs further focus: learning how to quickly identify card compromises. That means having good procedures in place, working with industry groups to share information and managing compromises as quickly as possible. Speedy arrests and prosecutions have strong impacts as well.
As more criminals target debit, banking institutions need to minimize the impact. "Institutions need to be on their game, from the fraud-detection and management perspective," Urban says.