The Looming Identity Takeover Threat Wednesday, April 12, 2017 Nikki Atchison, Sr. Product Manager, FIS Matt Schraan, Product Development Manager, ID Insight


Introductions


• Nikki Atchison, Sr. Product Manager, FIS

– is a Senior Product Manager and part of the FIS Decision Solutions (Chex Systems, Inc.) organization within the Global Retail Payments Division.

– She is responsible for the Identity Solution suite of services offered by Chex Systems, Inc., an indirect wholly owned subsidiary of FIS.

– Nikki joined FIS three years ago; prior to FIS, she gained eight years of experience with digital products and mobile platforms at Valpak.

• Matt Schraan, Product Development Manager, ID Insight

– leads Product Development at ID Insight, Inc., a strategic partner of FIS Decision Solutions.

– He has dedicated his professional life to building products that reduce fraud risk, meet compliance requirements, and maximize value from fraud detection techniques and has presented at numerous industry conferences on counter-fraud topics such as account takeover, application fraud, identity verification, and compliance strategies.

– Matt is entering his eleventh year at ID Insight and has spent most of those years working closely with FIS clients.


Agenda


• What is the current state of identity takeover fraud?

• Industry trends, and the resulting identity fraud ecosystem

• What do today’s identity takeover schemes look like?

– The Common Elements of Today’s Identity Takeover Schemes

– Real-Life Case Examples

• What can be done about it?

– Best Practices

– Case Studies

• FIS Vision for Centralized Fraud Management

• Questions & Discussion


What is the Current State of Identity Takeover Fraud?


We can no longer think of personally identifiable information as private. Over the past two years, 1,874 breaches left 205 million identities exposed. At least. Half of these breach notifications did not report how many records were compromised. In 2016 alone, 1,093 reported data breaches left 36 million identities exposed and vulnerable.

Source: Identity Theft Resource Center, 2016 Data Breach Report


Compromised data is being weaponized, and identity takeover attacks are on the rise. In 2016, Account Takeover losses increased by 60%. The incident rate increased by 36%. In 2016, New Account Fraud losses increased by 24%. The incident rate increased by 20%.

Source: Javelin Strategy & Research, 2017 Identity Fraud Report


Consumer behavior is increasingly digital, and so is identity fraud.

• 77% of college graduates have at least one online account with a financial institution. (1)
• 62% of consumers cited digital as their primary means of banking in 2016. (2)
• This was up from 51% of consumers citing digital as their primary means of banking in 2015. (2)
• Mobile phone account takeover increased by 71% from 2015 to 2016. (3)

Sources: Pew Research (1), Braun Research (2), Javelin Strategy & Research (3)


It’s a perfect storm for identity takeover fraud.

• Aite estimates that Account Takeover Fraud losses will grow 43% by the year 2020. (1)
• Aite estimates that Credit Card Application Fraud losses will grow 49% by the year 2020. (1)
• Aite estimates that DDA Application Fraud losses will grow 79% by the year 2020. (1)
• 1 in 3 notified data breach victims in 2016 experienced fraud in the same year. (2)

Sources: Aite Group (1), Javelin Strategy & Research (2)


A Perfect Storm for Identity Fraud

Industry Trends

• Data Breaches
• EMV Migration
• Digital Shift

Outcomes

• Counterfeit Card Fraud
• New Account Fraud
• Account Takeover Fraud
• Non-Card Fraud


What Does an Identity Takeover Scheme Look Like?


Step 1: Obtain Stolen Information

Technical Compromise

• Malware
• Ransomware
• Data Breaches

Human Compromise

• Social Engineering
• Insider Collusion
• Familiar Fraud


Step 2: Set the Stage

Non-Financial Account Changes

• Address Changes
• Phone Changes
• Email Changes
• Online Bill Payees
• Authorized Users
• Passwords/PIN Changes
• Mobile Wallet Enrollment


Step 3: Drain Accounts

Gain Access to Account Funds

• Card Requests
• On-Us Checks
• Online Bill Payments
• Cash Advances
• ACH transfers
• Wire transfers
• Check orders
• ATM withdrawal


The Critical Gap: Non-Financial Account Manipulations

• Physical addresses, phone numbers, email addresses, and IP addresses are critical points of contact for both customers and their financial institutions.
• Fraud controls that rely on notification are only as good as the accuracy of the customer contact data (addresses, phones, and emails).
• As many existing fraud controls and strategies are specific to a particular product or channel, there is a vulnerability to multi-threaded fraud attacks that span products or channels. Fraudsters are increasingly exploiting this vulnerability.
• Having enterprise-wide controls in place to ensure that the contact information in the customer profile actually belongs to the legitimate customer is critical to reducing identity takeover fraud risk.


Identity Takeover in the News

• A New Jersey couple received a change of address/mail forwarding postcard from the postal service, but they weren't moving out of their Gillette home.
• The local post office told the victims that their postal carrier would be instructed not to forward any mail.
• Shortly after, someone in the Miami area went on a three-hour spending spree with the victim’s debit card.
• "He or she withdrew $4,000 from two ATMs, spent $4,900 at three supermarket locations, filled his or her car with gas and visited two restaurants," Lohn said. "We received no calls or alerts from the bank."

Source: Karin Price Mueller | NJ Advance Media for NJ.com

What Happened?

• About a week after the couple discovered the change of address notification in their mailbox, the scammer called the bank to request a duplicate card.
• "The bank issued new plastic with the same card number and mailed it to my home via USPS," Lohn said. "I did not receive this card, as it was forwarded by USPS."
• Two days later, the fraudster called the bank and requested a new PIN by mail. This, too, was forwarded to the scammer's address.
• The fraudster called the bank to raise the debit card's ATM withdrawal limit from $400 to $3,000. The scammer called yet again to file a travel notification, saying he had an upcoming business trip to Florida and wanted to make sure the card would work.


A “Mobile First” Fraud Design

• Fraudster tokenizes stolen or cloned cards to a mobile wallet.
• Fraudster may also perform other account maintenance activities such as:
– Manipulate & change phone number or email on the account
– Request card limit increases
– Inquire about available balances
• Once tokenized, the fraudster is free to use the card at brick & mortar retail stores, purchasing fenceable goods or making small purchases with cash back.
• With the card tokenized on a mobile wallet, the transaction steps around EMV controls and effectively becomes a CNP transaction.


Best Practices for Preventing Identity Takeover

• Scrutinize non-monetary transactions or account maintenance events in the context of financial transactions, and vice versa.
• Wherever possible, choose tools and a strategy that are channel agnostic, not exclusive to branch, call center, or digital channels.
• Wherever possible, choose tools and a strategy that are product agnostic.
• Wherever possible, choose fraud controls that require minimal dependence on front line staff.
• Take measures to ensure that your customer contact data (addresses, phone numbers) is accurate at the time of onboarding and throughout the account lifecycle.
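An added example, not part of the original slides and not FIS or ID Insight code: a channel-agnostic rule that evaluates each monetary event against the non-monetary maintenance events that preceded it, as the first best practice describes. The event names, the 30-day window, the threshold of three distinct event types and the sample events (customer C1 is modeled on the news case above) are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Added example: event names, window and threshold are assumptions, not a vendor's rule set.
# Non-monetary maintenance events of the kind listed under "Step 2: Set the Stage".
MAINTENANCE = {"address_change", "phone_change", "email_change", "card_reissue",
               "pin_reissue", "limit_increase", "travel_notice", "wallet_enroll"}
WINDOW = timedelta(days=30)   # assumed look-back window
MIN_DISTINCT = 3              # assumed number of distinct maintenance types to alert

# Constructed sample events: (customer, timestamp, channel, type, amount).
EVENTS = [
    ("C1", "2017-01-09T10:00", "call_center", "card_reissue", 0),
    ("C1", "2017-01-11T09:30", "call_center", "pin_reissue", 0),
    ("C1", "2017-01-13T15:10", "call_center", "limit_increase", 0),
    ("C1", "2017-01-14T11:45", "call_center", "travel_notice", 0),
    ("C1", "2017-01-20T13:00", "atm", "withdrawal", 3000),
    ("C2", "2017-01-05T08:00", "online", "email_change", 0),   # single routine change
    ("C2", "2017-01-25T12:00", "pos", "purchase", 120),
    ("C3", "2016-10-01T08:00", "branch", "address_change", 0), # changes older than window
    ("C3", "2016-10-02T08:00", "online", "phone_change", 0),
    ("C3", "2016-10-03T08:00", "mobile", "wallet_enroll", 0),
    ("C3", "2017-01-25T12:00", "pos", "purchase", 900),
]

def find_takeover_patterns(events, window=WINDOW, min_distinct=MIN_DISTINCT):
    """Return alerts for monetary events preceded, within `window`, by at
    least `min_distinct` distinct maintenance event types on any channel."""
    history = {}   # customer -> [(time, type, channel)] of maintenance events
    alerts = []
    for cust, ts, channel, etype, amount in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        if etype in MAINTENANCE:
            history.setdefault(cust, []).append((when, etype, channel))
            continue
        recent = [(t, e, c) for t, e, c in history.get(cust, []) if when - t <= window]
        kinds = sorted({e for _, e, _ in recent})
        if len(kinds) >= min_distinct:
            alerts.append({"customer": cust, "time": ts, "amount": amount,
                           "trigger": etype, "preceded_by": kinds,
                           "channels": sorted({c for _, _, c in recent})})
    return alerts

if __name__ == "__main__":
    for alert in find_takeover_patterns(EVENTS):
        print(alert)
```

Because the history is keyed by customer rather than by product or channel, the same rule covers maintenance requests made by phone, online or in a branch.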


FIS Vision for Centralized Fraud Management


Fraud Solutions Landscape

As the complexity of payments increases, so does the demand for new fraud solutions.

[Figure: fraud solutions landscape with rows labeled Attack Types, Mitigation Categories and Solutions in the Market. Attack types shown include New Account Fraud, Account Takeover and Payments Fraud. Mitigation categories shown include Authentication, Data Analysis, Post Transaction, Consumer Engagement and Transaction Monitoring. Remaining labels: ID Verification, Biometrics, OFAC, Device Authentication, Consumer Controls, Transaction Monitoring, Machine Learning, Business Intelligence, Predictive Analytics, Transaction Warranty, Compromised Cards, Dedicated Analyst, Custom Rules, Global Rules, 2-way Messaging, Fraud Mitigation Associations, Travel Notification, CAMS Alerts, Malware Detection, Internal Fraud, Employee Fraud Detection, Automated Chargeback, Dynamic Jailbreak Root Detection, ANI Spoofing.]


Enterprise Strategy for Omni-Channel Protection

Leverage each channel’s unique processing to create a holistic view to fraud mitigation

• Fraud strategy across multiple product lines including credit, debit, prepaid, & merchant
• Create a forum to allow various fraud analyst groups to talk and share
• Identify gaps in business lines to start the solution process
• Combine various fraud roadmaps to drive into a single through line


FIS Decision Solutions Product Suite

Layers of fraud, risk, cross-selling and compliance assessment

[Figure: six layers, labeled Layer 1 through Layer 6, with these descriptions:]

• Generates an interactive, multiple choice knowledge-based questionnaire to authenticate identity
• Identifies and scores inconsistent address changes to predict account take-over and identity fraud
• Verifies identity inconsistencies in the new account process and warns of OFAC listing
• Assesses and scores risk on DDA applicants for privilege setting or declination and provides for cross-selling
• Verifies identity on new business account applicant and up to three signers, and assesses and scores DDA risk of the business
• Provides for use of ChexSystems debit data in consumer credit underwriting to approve more thin-file and no-file applicants


Fraud in Payments Breakout Sessions

Sessions happening at Connect related to payments fraud mitigation

• Application Fraud: The reemergence of an old tactic with a new approach (Wednesday 2:00 – 3:00pm)
• The Looming Account Takeover Threat (Wednesday 2:00 – 3:00pm)
• Fraud Analytics and how to Harness the data (Tuesday 3:15 – 4:15pm)
• Consumer engagement: a cardholder’s new role to stop fraud and save you money (Thursday 9:45 – 10:45am)
• Fraud Machine Learning: a digital arms race that holds security in the balance (Tuesday 3:15 – 4:15pm)

Visit us in the Solutions Expo

Payments Track


For an Address Analysis Demo, please join us in the Solutions Expo – Payment Track

ChexSystems® Consumer Risk & Fraud Kiosk


Questions & Discussion