by Deb Radcliff

Who should be responsible for financial fraud?

Feb 19, 2014 (14 min read)
Compliance | Data and Information Security | Network Security

Improvements in payment protections are shifting the liability for fraud to the least-secure party

$45 million was stolen from ATMs around the world in a matter of hours. In what a U.S. Attorney called a “21st-century bank heist,” a New York-based organized crime ring in February hacked into financial databases, stole prepaid debit card data, removed their withdrawal limits, cloned new cards, and then sent “mules” (people commissioned to conduct the transactions) to make 4,500 ATM withdrawals worldwide.

With four perpetrators caught and indictments issued in New York, victims on all sides of this crime are now left to sort out who assumes the losses. Does the liability rest with the financial institutions that were initially hacked and whose data was used to manipulate the withdrawal limits and load balances onto the cards? Or are the financial institutions that processed the transactions responsible?

“The law likes to impose liability on the party that is best able to avoid harm. But liability is all over the place in the area of financial payments fraud,” says Mark Rasch, principal attorney at Rasch Technology and Cyberlaw. “Recovering money from those who are liable is also difficult and expensive: You have to file the lawsuits and go through discovery, which can take years.”

As standards for pattern recognition and authentication change, so do the legal challenges that come with them. Liability rules are changing especially quickly in relation to card readers, corporate accounts and card-not-present transactions.

The trouble with magnetic stripes

Of these three areas of financial systems fraud, the most dramatic changes are occurring in card and card-reader protections for U.S. merchants making transactions through ATMs and other card-reader systems.

“Although statistics are hard to come by, card fraud has been increasing steadily over the past few years in the U.S.,” says Randy Vanderhoof, executive director of the Smart Card Alliance. “Meanwhile, card fraud has been decreasing in Europe and elsewhere where they are using chip-enabled EMV smart cards rather than mag stripes.” The EMV (EuroPay, MasterCard and Visa) open framework promotes interoperable, chip-enabled payment cards.

In the U.K., where EMV cards are the dominant form of payment, counterfeit card fraud dropped by two-thirds (from 150 million pounds to less than 50 million pounds) between 2008 and 2010, according to a 2011 presentation by the Federal Reserve Bank of Kansas City. And from January 2010 to September 2011, FICO, a predictive-analysis company, reported a 60 percent decline in counterfeit card fraud in Europe, where smart cards are the dominant form of payment.

The risk in using magnetic stripes is that the data they contain is static and includes the cardholder’s name and address, the financial institution, the 16-digit account number, the expiration date and even the security confirmation code on the back of the card. All of which means the information on the stripe can be used to make new cards, explains Vanderhoof.

“As long as you are able to read static data that is encoded on the back of a magnetic stripe, criminals can replicate that data onto another piece of plastic, just like the original,” he says.

This weakness made it possible for the criminals and their global network of mules to quickly steal $45 million using counterfeit cards.

In an EMV chip-based smart payment card, this data is stored securely within the chip, meaning that only authorized merchant terminals can read the stored data and it cannot be reused to create fraudulent transactions, Vanderhoof continues.

Instead, each transaction processed with an EMV chip card and card reader is assigned a unique identifier. If criminals do break the card or terminal’s encryption programs, the data they see is good for one use only. The data stream processed through the terminal is also unique, so it cannot be re-used even if it is captured by wireless sniffers listening in from the parking lot, for example.
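The contrast drawn above, as an added example that is not code from the article or from any card scheme: a toy model of why copied magnetic-stripe data can be presented again and again, while a chip that produces a fresh cryptogram for every transaction defeats both replay and tampering. It is a simplification of the EMV idea, not the EMV specification. It assumes the card and its issuer share one secret key (real issuers derive per-card keys), that the card keeps an application transaction counter (ATC), and that each request carries an HMAC over the PAN, the counter, the amount and an unpredictable number chosen by the terminal. The key, PAN and amounts are constructed values.

```python
"""Toy model of static stripe data versus a per-transaction chip cryptogram.

Added illustration, not the EMV specification. Assumptions: card and issuer share
one key; the card keeps an application transaction counter (ATC); the issuer
verifies the MAC and then refuses any counter it has already accepted.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed test values; a real issuer never holds card keys as a module constant.
TEST_PAN = "4111111111111111"
TEST_KEY = b"constructed-card-key-for-illustration"


class StripeIssuer:
    """Magnetic stripe: the issuer can only compare static track data."""

    def __init__(self, pan: str, expiry: str) -> None:
        self.track2 = f"{pan}={expiry}"

    def authorize(self, presented_track2: str, amount_cents: int) -> bool:
        # Whoever copied these bytes can present them as often as they like.
        return presented_track2 == self.track2


def cryptogram(key: bytes, pan: str, atc: int, amount_cents: int, un: int) -> str:
    """MAC over the transaction fields; changes whenever any field changes."""
    msg = f"{pan}|{atc}|{amount_cents}|{un}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


@dataclass
class ChipCard:
    """Chip card: produces a fresh cryptogram for every transaction."""
    pan: str
    key: bytes
    atc: int = 0  # application transaction counter, incremented per request

    def request(self, amount_cents: int, unpredictable_number: int) -> dict:
        self.atc += 1
        return {
            "pan": self.pan,
            "atc": self.atc,
            "amount": amount_cents,
            "un": unpredictable_number,
            "arqc": cryptogram(self.key, self.pan, self.atc, amount_cents, unpredictable_number),
        }


@dataclass
class ChipIssuer:
    """Issuer side: verify the MAC, then enforce a strictly increasing counter."""
    keys: dict  # pan -> shared key (constructed; real issuers derive per-card keys)
    last_atc: dict = field(default_factory=dict)

    def authorize(self, req: dict) -> bool:
        key = self.keys.get(req["pan"])
        if key is None:
            return False
        expected = cryptogram(key, req["pan"], req["atc"], req["amount"], req["un"])
        if not hmac.compare_digest(expected, req["arqc"]):
            return False  # forged cryptogram or altered amount
        if req["atc"] <= self.last_atc.get(req["pan"], 0):
            return False  # counter already used: a replayed capture
        self.last_atc[req["pan"]] = req["atc"]
        return True


def stripe_replay_demo() -> tuple:
    """Captured track data authorizes the first time and every time after."""
    issuer = StripeIssuer(TEST_PAN, "2501")
    captured = f"{TEST_PAN}=2501"  # what a skimmer would copy (constructed)
    return issuer.authorize(captured, 5000), issuer.authorize(captured, 5000)


def chip_replay_demo() -> tuple:
    """Genuine request passes; replaying it or altering its amount fails."""
    card = ChipCard(TEST_PAN, TEST_KEY)
    issuer = ChipIssuer(keys={TEST_PAN: TEST_KEY})
    req = card.request(5000, unpredictable_number=0x1A2B3C4D)
    first = issuer.authorize(req)
    replay = issuer.authorize(dict(req))  # the same capture presented again
    tampered = dict(req, amount=500000)  # amount changed, MAC no longer matches
    return first, replay, issuer.authorize(tampered)


if __name__ == "__main__":
    print("stripe: first, replay =", stripe_replay_demo())
    print("chip: first, replay, tampered =", chip_replay_demo())
```

The point for a defender is the issuer-side check: the MAC ties the amount to the card's key, and the counter makes a captured request worthless after its first use, which is what the "good for one use only" claim rests on.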

Deadlines meet resistance

In 2011 and 2012, MasterCard, Visa, Discover and American Express announced they were accelerating plans to issue EMV smart cards and were already using them for applications such as college credit cards and cards for travelers who want to use them internationally.

The next stage is to get the card readers compliant with the new smart payment cards, says John Graham, vice president of global information assurance and risk for First Data Corporation, one of the largest payment processors in the U.S., with infrastructure in 34 countries.

“The infrastructure is there to support EMV cards, but there are costs to banks and financial institutions that send out smart cards,” Graham says. “We’ve also ensured our back-end systems and mainframes are able to accept these new forms of transactions.”

According to EMV Connection, approximately 1.5 billion EMV cards have been issued globally, and 21.9 million terminals were accepting EMV cards as of Q4 of 2011. This represents 44.7 percent of the total payment cards in circulation and 76.4 percent of point-of-sale terminals installed outside the U.S., where statistics are harder to find.

Under the EMV framework, merchants that process transactions through card readers have until October 2015 to upgrade their systems to chip-enabled readers.

If merchants cannot process EMV payment cards and they are defrauded by counterfeit data in magnetic-stripe cards, liability for losses will begin to shift to the merchants that have not upgraded payment card readers, according to Vanderhoof. Likewise, if merchants can process EMV payment cards and the card issuer is still allowing its customer to use a non-EMV card, that issuer will begin to assume the liability for fraudulent transactions.

While large merchants stand ready to meet the EMV deadline, small mom-and-pop operations are the hardest to convince and need more education, says Graham, adding that, in some cases, small businesses are still using old, analog lines to conduct transactions.

The transition to smart cards will likely occur in phases, say experts.

“For some, it makes sense to make the upgrade to EMV-enabled readers as soon as possible, and for others it may be a phased-in approach that may not meet the EMV deadlines as they now stand,” says Steve Kenneally, vice president for the center of regulatory compliance at the American Bankers Association.

Kenneally notes that earlier this year, the ATM Industry Association asked for a push back on the deadlines imposed on it by Visa. As a result, most of the brands behind EMV smart cards are setting their own liability shift dates for ATMs. For example, MasterCard will fully shift liability for card readers onto merchants on Oct. 1, 2016, while Visa will shift liability to its merchants in October of 2017, according to the financial publication and resource group ATM Marketplace.

MasterCard predicts that about 70 percent of those with card processing terminals will make the October 2015 compliance deadline and has even laid out its own liability shift schedule, which currently extends to 2017 for gas stations. (Gas stations are one of the first places criminals test cloned cards to see if they will process, according to experts.)

Most guidelines take into account that for some time during the transition, merchants will need to be able to process both mag stripe and chip-enabled cards. MasterCard provides incentives for merchants to become EMV-compliant, such as audit relief to organizations with readers that can handle both forms of payments.

Resources for upgrading to EMV are available through many organizations. Visa, MasterCard and other payment processors, along with the Smart Card Alliance and the PCI Council, provide guidance for understanding how PCI DSS and EMV work together to protect payment card data.

“There’s been a lot of work behind the scenes to educate the market about the value of EMV,” says Vanderhoof. “Financial institutions, merchants and processors all need to coordinate around a common method of handling EMV payments.”

EMV chip-enabled smart cards also allow for the use of strong authentication methods—using more than just passwords to authenticate transactions. The chip supports tokens and other forms of authentication, including offline or online one-time passwords or PINs requested at the time of transaction. Increasingly, these challenge codes are being sent to the card user on their cellphones, say Vanderhoof and Graham.

Better detection tools head off fraud

In recent years, the success rate for Automated Clearing House (ACH) takeover attempts has been dramatically reduced, according to Doug Johnson, vice president and senior adviser of risk management and policy for the American Bankers Association (ABA), and fraud detection and analysis are behind the drop.

Since 2009, the ABA has conducted a yearly survey of its members to compare how many ACH takeovers were attempted with how many successful transactions were generated from those attempts. In 2009, 70 percent of fraudulent transactions went undetected and were processed, while in 2012, only nine percent of fraudulent attempts made it through to transaction; the rest were blocked.

“This metric tells us that fraud detection patterns and triggers are better tuned to detect velocity of transactions, size of transactions and anomalous behavior of the end point system conducting the transaction,” says Johnson.

Fraud attempts continue against ACH account holders, of course, but more security controls have been built in so that it’s harder for criminals to succeed, agrees Avivah Litan, an analyst at Gartner.

For example, JP Morgan Corporate and Investment Banking puts some control into the hands of ACH account holders by allowing them to specify which companies can conduct ACH transactions with their account; any company not on that list is refused. The investment firm also provides education on ACH fraud and how it is conducted from the victim's own computer.
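The two preceding passages describe the detection tuning Johnson credits (velocity, size and anomalous endpoint behavior) and the customer-maintained counterparty allow list. As an added example, not code from the article, the ABA or JP Morgan, here is a small rule engine that combines both over a batch of ACH originations. Every account profile, threshold and transaction in it is constructed for illustration; the decision tiers (allow, hold for out-of-band confirmation, block) are an assumption about how a bank would act on the flags.

```python
"""Rule engine for ACH originations: allow list, size, endpoint and velocity checks.

Added illustration with constructed data; thresholds and decision tiers are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed per-account profile (in practice learned from history or set by the customer).
ALLOWED_COUNTERPARTIES = {"ACCT-1001": {"payroll-vendor", "utility-co"}}
KNOWN_DEVICES = {"ACCT-1001": {"dev-office-1"}}
BASELINE_MAX_CENTS = {"ACCT-1001": 25_000_00}  # largest historical transfer
VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_LIMIT = 3  # originations tolerated per window before review


def evaluate(transactions: list) -> dict:
    """Return {txn_id: (decision, reasons)}; decision is allow, hold or block."""
    recent = defaultdict(list)  # account -> timestamps of originations in the window
    verdicts = {}
    for t in sorted(transactions, key=lambda x: x["ts"]):
        acct, reasons = t["account"], []
        # Customer-maintained allow list: anything else is refused outright.
        if t["counterparty"] not in ALLOWED_COUNTERPARTIES.get(acct, set()):
            reasons.append("counterparty not on allow list")
        # Size: compare with the account's own history rather than a global limit.
        if t["amount_cents"] > 2 * BASELINE_MAX_CENTS.get(acct, 0):
            reasons.append("amount more than 2x historical maximum")
        # Endpoint: the device that originated the session has never been seen.
        if t["device"] not in KNOWN_DEVICES.get(acct, set()):
            reasons.append("unknown originating device")
        # Velocity: count prior originations (including refused ones) in the window.
        window = [ts for ts in recent[acct] if t["ts"] - ts <= VELOCITY_WINDOW]
        if len(window) >= VELOCITY_LIMIT:
            reasons.append("velocity limit exceeded")
        recent[acct] = window + [t["ts"]]

        if "counterparty not on allow list" in reasons:
            decision = "block"
        elif reasons:
            decision = "hold"  # confirm out of band with the account holder
        else:
            decision = "allow"
        verdicts[t["id"]] = (decision, reasons)
    return verdicts


# Constructed sample batch: a normal morning with one takeover attempt in the middle.
SAMPLE = [
    {"id": "T1", "account": "ACCT-1001", "counterparty": "payroll-vendor",
     "amount_cents": 20_000_00, "device": "dev-office-1", "ts": datetime(2014, 2, 19, 9, 0)},
    {"id": "T2", "account": "ACCT-1001", "counterparty": "utility-co",
     "amount_cents": 3_000_00, "device": "dev-office-1", "ts": datetime(2014, 2, 19, 9, 5)},
    # Attempt from an unknown machine to a counterparty the customer never listed.
    {"id": "T3", "account": "ACCT-1001", "counterparty": "new-shell-llc",
     "amount_cents": 60_000_00, "device": "dev-unknown", "ts": datetime(2014, 2, 19, 9, 7)},
    # Legitimate-looking, but the fourth origination inside ten minutes.
    {"id": "T4", "account": "ACCT-1001", "counterparty": "utility-co",
     "amount_cents": 4_000_00, "device": "dev-office-1", "ts": datetime(2014, 2, 19, 9, 8)},
    {"id": "T5", "account": "ACCT-1001", "counterparty": "payroll-vendor",
     "amount_cents": 1_000_00, "device": "dev-office-1", "ts": datetime(2014, 2, 19, 9, 30)},
]


if __name__ == "__main__":
    for txn_id, (decision, reasons) in evaluate(SAMPLE).items():
        print(txn_id, decision, "; ".join(reasons))
```

Run against the sample, T1, T2 and T5 are allowed, T3 is blocked on three grounds, and T4 is held only because of velocity: the burst of attempts, not anything about T4 itself, is what raises the flag, which is why counting refused originations in the window matters.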

Who’s liable?

ACH takeover usually starts when account holders are victims of a phishing attack that tricks them into installing malware on their computers, or victims accidentally download malware from an infected or malicious website. Once the ACH transaction is initiated, a criminal can check the balance and initiate transfers without being seen by the system operator, explains Rasch.

Each party in this case was a victim, including the client that was phished, the back-end financial institution that sent the funds, and the processor between the two parties that negotiated the transaction.

Now, each party is finding that their share of the liability for the fraud is shifting as the result of better security practices. This is particularly good news for account holders who historically have been left holding the bag for transactions not stopped by their financial institutions.

As banks and processors add more pattern analysis and stronger authentication measures into their protections, these become “reasonable security practices” under the Uniform Commercial Code, explains Johnson. Under the code, entities with reasonable security practices are more likely to be protected from liability should they be victims of ACH fraud.

This shift is already beginning to happen, as evidenced by the fact that ACH fraud victims are taking their cases to court and account holders are winning judgments, says Gartner’s Litan.

For example, in July of 2012, the First Circuit court overturned a 2011 judgment in favor of the bank that allowed nearly $600,000 in unusual and fraudulent transactions to be processed. In the suit, Patco, the construction company victimized by the fraud, claims that the bank was not in compliance with the Uniform Commercial Code's requirement for reasonable security, and in particular that it failed to meet the Federal Financial Institutions Examination Council's (FFIEC) authentication guidance for online banking.

Under FFIEC guidelines, authentication measures at banks should include strong pattern recognition and pattern matching tools. Most of these points were spelled out in the contract between Patco and the bank, yet the bank failed to challenge the six unusual transfers that resulted in the fraud.

“By contract, the customer of the ACH processor and the bank agree to a set of commercially reasonable standards that dictates what happens if a customer suffers losses and standards weren’t adhered to,” Johnson says. “The party that was not adhering to standards is the one that has liability.”

Remote transactions require new security solutions

As card-present payment systems get more secure due to the growing acceptance of EMV payment cards, the concern now is that more fraud will focus on card-not-present transactions such as online orders, says Jeremy Grant, senior executive adviser for the National Strategy for Trusted Identities in Cyberspace (NSTIC).

Already, this shift appears to be happening. FICO reported in 2012 that fraud losses in card-not-present environments (Internet, phone and mail order) increased at twice the rate of counterfeit card fraud.

This means that, in addition to fraud-pattern matching, the industry needs to standardize on stronger identity and authentication methods, at least for online transactions, Grant says.

“Our area of concern is about the user signing on to conduct the transaction,” Grant says. “If you look at the Verizon Data Breach Investigations report, most breaches start with the exploitation of a username and password.”

Operating out of the Commerce Department, NSTIC's mission is to enable more online transactions through a common identity framework that can be leveraged by businesses and consumers. In this framework, consumers and their places of business can choose from a variety of authentication credentials that will function across an "ecosystem" to supplement passwords.

“We feel this would help address the risk in card-not-present fraud, but also it would be more convenient for consumers, who won’t have to remember dozens of different passwords and keep updating and changing them,” Grant explains.

NSTIC is working with privacy organizations and private-sector groups to develop standards and to overcome issues such as user privacy, interoperability and encryption key management.

Widespread Access to Multi-Factor Authentication

In this identity ecosystem, could the chip on the smart payment cards support multi-factor authentication that criminals couldn’t meddle with? Possibly, says Grant.

Consumers will have the choice of using whatever kind of multi-factor authentication they find most convenient, as several types will be supported by payment processors in the ecosystem.

According to the Smart Card Alliance, MasterCard has enacted a Chip Authentication Program and Visa has set up a Dynamic Passcode Authentication system to allow EMV smart cards to be used to authenticate users during online transactions.

Under these programs, the user would insert a card into a handheld reader attached to their phone or computer and enter a PIN. Then the reader displays a one-time password that the user enters to complete the transaction.

Bob Russo, general manager of PCI SSC New York, thinks it will be some time before we see EMV chips becoming a dominant form of online authentication because most people don’t want to have to attach readers to their computers and phones.

However, 30 million Europeans already use EMV cards and readers for Internet transactions, according to the Smart Card Alliance. And millions of small business owners are using attachable smart card readers on their smartphones to conduct business.

Regardless of what forms of authentication are used, the improvements made to protect against all forms of payment fraud, including the changes to the PCI DSS rules for protecting cardholder data all along the transaction chain, are reducing fraud. In 2012, payment fraud was 12 percent lower than in 2009, according to the 2013 AFP Payments Fraud and Control Survey conducted by JP Morgan.

“EMV and PCI standards make for a powerful combination,” Russo says. “Financial organizations are seeing fewer large-scale breaches today, and that’s proof our efforts are working.”

Deb Radcliff is a freelance writer based in California and is also chief of the SANS Analyst Program.