Who should be responsible for financial fraud?

Improvements in payment protections are shifting the liability for fraud to the least-secure party

1 2 Page 2
Page 2 of 2

[CSOs guide to the Target data breach]

Resources for upgrading to EMV are available through many organizations. Visa, MasterCard and other payment processors, along with the Smart Card Alliance and the PCI Council, provide guidance for understanding how PCI DSS and EMV work together to protect payment card data.

"There's been a lot of work behind the scenes to educate the market about the value of EMV," says Vanderhoof. "Financial institutions, merchants and processors all need to coordinate around a common method of handling EMV payments."

[JPMorgan to notify 500,000 due to data breach, but will not offer replacement cards]

EMV chip-enabled smart cards also allow for the use of strong authentication methods—using more than just passwords to authenticate transactions. The chip supports tokens and other forms of authentication, including offline or online onetime passwords or PINs requested at the time of transaction. Increasingly, these challenge codes are being sent to the card user on their cellphones, say Vanderhoof and Graham.

Better detection tools head off fraud

In recent years, the success rate for Automated Clearing House (ACH) takeover attempts has been dramatically reduced, according to Doug Johnson, vice president and senior adviser of risk management and policy for the American Bankers Association (ABA), and fraud detection and analysis are behind the drop.

Since 2009, the ABA has conducted a yearly survey of its members to compare how many ACH takeovers were attempted to how many successful transactions were generated from the those attempts. In 2009, 70 percent of fraudulent transactions went undetected and were processed, while in 2012, only nine percent of fraudulent attempts made it through to transaction; the rest were blocked.

"This metric tells us that fraud detection patterns and triggers are better tuned to detect velocity of transactions, size of transactions and anomalous behavior of the end point system conducting the transaction," says Johnson.

Fraud attempts continue against ACH account holders, of course, but more security controls have been built in so that it's harder for criminals to succeed, agrees Avivah Litan, an analyst at Gartner.

For example, JP Morgan Corporate and Investment Banking puts some control into the hands of ACH account holders by allowing them to personally determine which companies can conduct ACH transactions with their account, while anyone not specified is not allowed to use that ACH account. The investment firm also includes education on ACH fraud and how it is conducted from the victim's own computer.

[Collisions likely over PCI 3.0]

Who's liable?

ACH takeover usually starts when account holders are victims of a phishing attack that tricks them into installing malware on their computers, or victims accidentally download malware from an infected or malicious website. Once the ACH transaction is initiated, a criminal can check the balance and initiate transfers without being seen by the system operator, explains Rasch.

Each party in this case was a victim, including the client that was phished, the back-end financial institution that sent the funds, and the processor between the two parties that negotiated the transaction.

[Passing PCI firewall audits: Top 5 checks for ongoing success]

Now, each party is finding that their share of the liability for the fraud is shifting as the result of better security practices. This is particularly good news for account holders who historically have been left holding the bag for transactions not stopped by their financial institutions.

As banks and processors add more pattern analysis and stronger authentication measures into their protections, these become "reasonable security practices" under the Uniform Commercial Code, explains Johnson. Under the code, entities with reasonable security practices are more likely to be protected from liability should they be victims of ACH fraud.

This shift is already beginning to happen, as evidenced by the fact that ACH fraud victims are taking their cases to court and account holders are winning judgments, says Gartner's Litan.

For example, in July of 2012, a first circuit court overturned a 2011 judgment in favor of the bank that allowed nearly $600,000 in unusual and fraudulent transactions to process. In the suit, Patco, the construction company victimized by the fraud, claims that the bank was not in compliance with the Uniform Commercial Code for reasonable security, and in particular it failed to meet the Federal Financial Institutions Examination Council's (FFIEC) authentication guidance for online banking.

Under FFIEC guidelines, authentication measures at banks should include strong pattern recognition and pattern matching tools. Most of these points were spelled out in the contract between Patco and the bank, yet the bank failed to challenge the six unusual transfers that resulted in the fraud.

"By contract, the customer of the ACH processor and the bank agree to a set of commercially reasonable standards that dictates what happens if a customer suffers losses and standards weren't adhered to," Johnson says. "The party that was not adhering to standards is the one that has liability."

Remote transactions require new security solutions

As card-present payment systems get more secure due to the growing acceptance of EMV payment cards, the concern now is that more fraud will focus on card-not-present transactions such as online orders, says Jeremy Grant, senior executive adviser for the National Strategy for Trusted Identities in Cyberspace (NSTIC).

[Mobile shopping remains stifled by security, ease of use]

Already, this shift appears to be happening. FICO reported in 2012 that fraud losses in card-not-present environments (Internet, phone and mail order) increased at twice the rate of counterfeit card fraud.

This means that, in addition to fraud-pattern matching, the industry needs to standardize on stronger identity and authentication methods, at least for online transactions, Grant says.

"Our area of concern is about the user signing on to conduct the transaction," Grant says. "If you look at the Verizon Data Breach Investigations report, most breaches start with the exploitation of a username and password."

[Rise in data breaches drives interest in cyber insurance]

Operating out of the Commerce Department, NSTIC's mission is to enable more online transactions through a common identity framework that can be leveraged by business and consumers. In this framework, consumers and their places of business can chose from a variety of authentication credentials that will function across an "ecosystem" to supplement passwords.

"We feel this would help address the risk in card-not-present fraud, but also it would be more convenient for consumers, who won't have to remember dozens of different passwords and keep updating and changing them," Grant explains.

NSTIC is working with privacy organizations and private-sector groups to develop standards and overcome issues of user privacy and interoperability and encryption key management, for example.

Widespread Access to Multi-Factor Authentication

In this identity ecosystem, could the chip on the smart payment cards support multi-factor authentication that criminals couldn't meddle with? Possibly, says Grant.

Consumers will have the choice of using whatever kind of multi-factor authentication they find most convenient, as several types will be supported by payment processors in the ecosystem.

According to the Smart Card Alliance, MasterCard has enacted a Chip Authentication Program and Visa has set up a Dynamic Passcode Authentication system to allow EMV smart cards to be used to authenticate users during online transactions.

Under these programs, the user would insert a card into a handheld reader attached to their phone or computer and enter a PIN. Then the reader displays a one-time password that the user enters to complete the transaction.

Bob Russo, general manager of PCI SSC New York, thinks it will be some time before we see EMV chips becoming a dominant form of online authentication because most people don't want to have to attach readers to their computers and phones.

However, 30 million Europeans already use EMV cards and readers for Internet transactions, according to the Smart Card Alliance. And millions of small business owners are using attachable smart card readers on their smartphones to conduct business.

Regardless of what forms of authentication are used, the improvements made to protect all forms of payment fraud, including those changes to the PCI DSS rules for protecting cardholder data all along the transaction chain, are reducing fraud. In 2012, payment fraud was 12 percent lower than in 2009, according to the 2013 AFP Payments Fraud and Control Survey conducted by JP Morgan.

[Little sympathy for merchants in disputes over PCI violations]

"EMV and PCI standards make for a powerful combination," Russo says. "Financial organizations are seeing fewer large-scale breaches today, and that's proof our efforts are working."

Deb Radcliff is a freelance writer based in California and is also chief of the SANS Analyst Program.

Copyright © 2014 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
Microsoft's very bad year for security: A timeline