SECURITY MATTERS
Insights on Advancing Security and Fraud Management for Payment Cards

Security Considerations for Mobile Point-of-Sale Acceptance
Smartphones and tablets are providing users with an ever-expanding set of capabilities. But what does this mean for user security? Story on page 28

Also Inside
Stronger E-commerce Fraud Prevention Through Enhanced Issuer-Merchant Communications
Promoting Stronger Data Security Through EMV and M/Chip
Increasing the Odds Against Online Gambling Fraud
In this Issue
02 EMV Chip Card and M/Chip Technology Data Security Overview
06 BIN Attack Prevention Best Practices
08 Preventing CVC1 Brute Force and Invalid Service Code Attacks
10 Protecting Prepaid Cards Against Fraud
14 Fraud Trends: Understanding Website Navigation Layer Vulnerabilities
16 A Friend Request from ZeuS: Cyber Crime Trends and Tools
21 Stronger E-commerce Fraud Prevention Through Enhanced Issuer-Merchant Communication
25 Small-Merchant Payment Application Installation and Integration Best Practices
28 Security Considerations for Mobile Point-of-Sale Acceptance
30 Increasing the Odds Against Online Gambling Fraud
34 New & Noteworthy Global Security Bulletins
36 MasterCard Contact Information
Data Security Technology Overview
An Integrated Circuit Card (ICC), or chip card, contains a processing unit that is able to execute functions such as the verification of a PIN and more complex calculations using cryptographic algorithms, such as Triple-DES [1] (symmetric key cryptography) and RSA [2] (asymmetric key cryptography). By design, the advanced physical and logical security features of the integrated circuit, as they relate to tamper resistance, protect the sensitive data stored on the chip, such as PINs and cryptographic keys.
Promoting Stronger Data Security Through EMV and M/Chip

FROM MAGNETIC STRIPE TO CHIP
For many years, the card validation code (CVC) has been the only electronic security component for payment card transactions based on magnetic stripe technology. The CVC is a cryptographic value (cryptogram) derived from specific card data, including the primary account number (PAN), using the Triple-DES algorithm with an issuer-owned secret key. The CVC is coded in the track data of the card's magnetic stripe and read by the point-of-sale (POS) terminal at the time of the transaction. During an online authorization, it is verified by the issuer (or delegated entity) to validate the authenticity of the card data.

Despite the benefits first offered by magnetic stripe technology, there are two challenges with the technology that criminals have exploited. First, the CVC value is static, which means that it does not change from transaction to transaction. A fraudster who is able to capture the magnetic stripe data of a genuine card (e.g., through skimming at the point of interaction [POI]) can then copy that genuine card data (including the PAN and a correct CVC value) onto counterfeit cards. Second, CVC values can only be validated online, as they provide no data protection offline.
CHIP AUTHENTICATION TECHNIQUES AND ATTACK VECTORS
Chip cards address the magnetic stripe static data counterfeit attack vector by using more active cryptographic technology to authenticate the card via a challenge-response protocol. Chip cards have always provided more robust online defenses in comparison to other technologies. However, as chip card technology has evolved, issuers have been presented with various offline authentication options, starting with static data authentication (SDA), then dynamic data authentication (DDA), and now combined data authentication (CDA). During a transaction, the terminal will seek to use the strongest authentication option available on the card, starting with CDA as the highest preference, then DDA, and finally SDA.
SDA
With this technology, a static digital signature of some card data is assigned by an issuer to the card. During a transaction, the signature is verified at a POS terminal to authenticate the card data. Although a chip is used, and the data passed to the terminal is longer than the CVC on a magnetic stripe, the data itself is still static. Therefore, SDA remains vulnerable, because the static signed data can be captured (just like the CVC) and copied to make a fraudulent transaction that would be accepted offline. The copy, known as an SDA clone, can be designed to allow for the authentication of transactions offline without needing to know the original card's PIN. Further, the clone would be programmed to simply decline the transaction if the terminal chose to try to execute the transaction online. The reason for that decline is that the clone could be detected as a counterfeit device if it were to execute a transaction online, since it would be unable to produce a correct online dynamic cryptogram.

DDA
This technology provides offline security by utilizing an offline, active challenge-response protocol (i.e., the card generates a new cryptogram for every transaction). During a DDA chip card transaction, the POS terminal requests that the card generate a cryptogram based on a random data element sent to the card. In contrast to SDA, which is passive, DDA chip cards actively use this random data element together with card dynamic data and a cryptographic key stored in its secure memory to compute a dynamic digital signature that is sent to the terminal for validation. Because the data signed by the card is unpredictable (dynamic) for each transaction and the fraudster does not have access to the key used to generate it, the fraudster will not be able to recreate a transaction, as is the case for a static CVC value or an SDA-enabled card.

DDA technology, however, is vulnerable to an attack vector known as a wedge or man-in-the-middle attack. In this attack, a wedge device is inserted between a lost or stolen genuine card and the terminal that makes the terminal erroneously believe that the card successfully verified the PIN and that the card approved the transaction offline. Although such attacks have been reported, the possible financial gain from the attack is limited to transactions that would be accepted offline by the terminal. However, CDA addresses this risk and provides additional protection.

CDA
CDA is an inexpensive enhancement of DDA, essentially changing the timing during the transaction flow in which the card generates the Application Cryptogram (AC). More precisely, the card computes the AC before the DDA, and includes the AC together with proof that the PIN was verified and other transaction data in the digital signature, which can be verified by the terminal. This change prevents offline wedge attacks, while maintaining the additional benefits of DDA. CDA further provides a complete transaction integrity solution by enabling the card to generate a digital signature on the completed transaction that can be verified by the terminal. Currently, CDA has no known implementation attack vectors short of compromising the tamper resistance of the chip card itself.

[Figure: SDA, DDA and CDA card authentication]
SDA card authentication (static): the terminal retrieves and verifies the static digital signature.
DDA card authentication (dynamic): the terminal sends a challenge to the card, then retrieves and verifies the dynamic digital signature.
CDA card authentication (dynamic): the terminal sends a challenge; the card generates the Application Cryptogram and sends it to the terminal; the terminal retrieves and verifies the dynamic digital signature, and the card also generates the card cryptogram. The card computes the AC before the DDA, and includes the AC together with proof that the PIN was verified and other transaction data in the digital signature. This change prevents offline wedge attacks.
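To make the difference between the three methods concrete, here is an added Python simulation (example code, not from the article): a static SDA signature captured once verifies again at any terminal, a DDA response captured once fails against a fresh challenge, and a CDA signature that binds the AC and the PIN result fails when the PIN result reported to the terminal differs from what the card actually signed. It assumes an HMAC over SHA-256 in place of the RSA signature a real card computes with its private key (so the terminal verifies with the same key, standing in for the certificate chain); all keys, the PAN and the class and function names are constructed for this example.

```python
"""Simulation of SDA, DDA and CDA card authentication.

Assumption: HMAC-SHA256 stands in for the card's RSA signature; the terminal
verifies with the same key instead of a certificate. Keys and PAN are constructed.
"""
import hashlib
import hmac
import os

ICC_KEY = b"constructed-icc-signing-key"   # stand-in for the ICC private key
AC_KEY = b"constructed-issuer-ac-key"      # symmetric key shared card/issuer
PAN = "5123450000000103"                   # constructed account number


def sign(data: bytes) -> bytes:
    """Stand-in for the card's signature (a real card signs with RSA)."""
    return hmac.new(ICC_KEY, data, hashlib.sha256).digest()


def verify(data: bytes, signature: bytes) -> bool:
    """Stand-in for the terminal's signature verification."""
    return hmac.compare_digest(sign(data), signature)


def application_cryptogram(pan: bytes, amount: int) -> bytes:
    """The AC: a cryptogram over card and transaction data under the issuer key."""
    return hmac.new(AC_KEY, b"AC|" + pan + b"|" + str(amount).encode(), hashlib.sha256).digest()


class SdaCard:
    """Static data authentication: the card holds one issuer-assigned signature."""
    def __init__(self, pan: str):
        self.pan = pan.encode()
        self.static_signature = sign(b"SDA|" + self.pan)

    def respond(self, challenge: bytes) -> bytes:
        return self.static_signature          # the challenge is ignored


class DdaCard:
    """Dynamic data authentication: the signature covers the terminal's challenge."""
    def __init__(self, pan: str):
        self.pan = pan.encode()

    def respond(self, challenge: bytes) -> bytes:
        return sign(b"DDA|" + self.pan + b"|" + challenge)


class CdaCard:
    """Combined DA: the AC is computed first and bound into the signature
    together with the card's own PIN verification result."""
    def __init__(self, pan: str):
        self.pan = pan.encode()

    def respond(self, challenge: bytes, amount: int, pin_verified: bool):
        ac = application_cryptogram(self.pan, amount)
        flag = b"PIN_OK" if pin_verified else b"PIN_NOT_VERIFIED"
        signature = sign(b"CDA|" + self.pan + b"|" + challenge + b"|" + ac + b"|" + flag)
        return ac, pin_verified, signature


def terminal_verify_sda(pan: str, response: bytes) -> bool:
    return verify(b"SDA|" + pan.encode(), response)


def terminal_verify_dda(pan: str, challenge: bytes, response: bytes) -> bool:
    return verify(b"DDA|" + pan.encode() + b"|" + challenge, response)


def terminal_verify_cda(pan: str, challenge: bytes, response) -> bool:
    ac, pin_verified, signature = response
    flag = b"PIN_OK" if pin_verified else b"PIN_NOT_VERIFIED"
    return verify(b"CDA|" + pan.encode() + b"|" + challenge + b"|" + ac + b"|" + flag, signature)


def genuine_cards_accepted() -> bool:
    """All three methods accept a genuine card answering a fresh challenge."""
    c1, c2, c3 = os.urandom(8), os.urandom(8), os.urandom(8)
    return (terminal_verify_sda(PAN, SdaCard(PAN).respond(c1))
            and terminal_verify_dda(PAN, c2, DdaCard(PAN).respond(c2))
            and terminal_verify_cda(PAN, c3, CdaCard(PAN).respond(c3, 4200, True)))


def sda_replay_accepted() -> bool:
    """Static data read once is identical on every later presentation."""
    captured = SdaCard(PAN).respond(os.urandom(8))
    return terminal_verify_sda(PAN, captured)


def dda_replay_accepted() -> bool:
    """A captured DDA response does not match the next terminal's challenge."""
    captured = DdaCard(PAN).respond(os.urandom(8))
    return terminal_verify_dda(PAN, os.urandom(8), captured)


def cda_altered_pin_result_accepted() -> bool:
    """If the PIN result the terminal sees differs from the one the card
    signed, the CDA signature no longer verifies."""
    challenge = os.urandom(8)
    ac, _, signature = CdaCard(PAN).respond(challenge, 4200, pin_verified=False)
    return terminal_verify_cda(PAN, challenge, (ac, True, signature))
```

The SDA replay verifying is the whole point of the article's "SDA clone" paragraph; the DDA replay failing shows why a fresh random challenge matters; the CDA case shows why binding the PIN result and the AC into the signed data closes the wedge scenario described above.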
M/CHIP SECURITY FEATURES
In the 1990s, the payment brands of Europay, MasterCard, and Visa (EMV) jointly established a common industry standard for the usage of chip cards for payment transactions. Since then, updated versions of the EMV standard have been published and MasterCard has developed the M/Chip product from this standard. The security features of the M/Chip product used during a transaction are summarized below.
Offline PIN Verification: The chip card can verify the accuracy of a customer PIN entered at the POI. The transmission of the PIN between the PIN Entry Device (PED) and the card can either be in the clear or encrypted. The encryption mechanism used is based on asymmetric cryptography with digital certificates.
Offline Card Authentication: The aim of this process is for the terminal to authenticate the validity of the card, thereby allowing the authentication to occur offline. The dynamic offline card authentication method is based on the challenge-response protocol. More precisely, the card dynamically signs a random challenge from the terminal together with specific card data. Then, using digital certificates retrieved from the card, the terminal can verify the accuracy of the dynamic signature (response) generated by the card. This process establishes the authenticity of the card and the integrity of the card data. It also takes place between the card and the terminal, and does not require interaction with the issuer or other parties.
Risk Management: Besides the terminal executing risk management protocols, M/Chip uses the computational capabilities of the card to execute its own risk management protocols based on features configurable by the issuer. Such features include determining the total cumulative amount of the transactions or the number of transactions approved offline since the last online transaction, and if these values exceed certain thresholds, the card will request an online authorization. If either the card or the terminal risk management protocols concludes that an online authorization is required, this conclusion will always supersede the decision of the other to approve the transaction offline.
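As an added illustration of how the card-side and terminal-side decisions combine (example code, not MasterCard's M/Chip implementation): the card keeps counters of offline approvals since the last online transaction and compares them against issuer thresholds, the terminal applies a floor limit, and an online request from either side overrides the other's offline approval. The counter names, the thresholds, the rule that counters reset after any online transaction, and the amounts are assumptions made for this example.

```python
"""Card and terminal risk management for a sequence of transactions.

Assumptions: the card tracks count and cumulative amount of offline approvals
since the last online transaction (reset after any online transaction); the
terminal applies a floor limit. Thresholds and amounts are constructed.
"""
from dataclasses import dataclass
from typing import List

ONLINE = "ONLINE"
OFFLINE = "OFFLINE"


@dataclass
class IssuerRiskParams:
    max_offline_count: int     # offline approvals allowed since the last online txn
    max_offline_amount: int    # cumulative offline amount allowed, in minor units


@dataclass
class CardCounters:
    offline_count: int = 0
    offline_amount: int = 0


def card_decision(counters: CardCounters, params: IssuerRiskParams, amount: int) -> str:
    """The card requests online authorization once either threshold would be exceeded."""
    if counters.offline_count + 1 > params.max_offline_count:
        return ONLINE
    if counters.offline_amount + amount > params.max_offline_amount:
        return ONLINE
    return OFFLINE


def terminal_decision(amount: int, floor_limit: int) -> str:
    """Terminal risk management: amounts above the floor limit go online."""
    return ONLINE if amount > floor_limit else OFFLINE


def final_decision(card: str, terminal: str) -> str:
    """An online request from either party supersedes the other's offline approval."""
    return ONLINE if ONLINE in (card, terminal) else OFFLINE


def process(counters: CardCounters, params: IssuerRiskParams,
            amount: int, floor_limit: int) -> str:
    decision = final_decision(card_decision(counters, params, amount),
                              terminal_decision(amount, floor_limit))
    if decision == ONLINE:
        # the issuer has now seen the card: start a new offline accumulation period
        counters.offline_count = 0
        counters.offline_amount = 0
    else:
        counters.offline_count += 1
        counters.offline_amount += amount
    return decision


def run_sequence(amounts: List[int], params: IssuerRiskParams, floor_limit: int) -> List[str]:
    """Decisions for a constructed sequence of transactions on one card."""
    counters = CardCounters()
    return [process(counters, params, a, floor_limit) for a in amounts]


if __name__ == "__main__":
    # constructed parameters: at most 3 offline approvals or 100.00 offline in total
    print(run_sequence([1000, 2000, 3000, 4000, 6000, 1000],
                       IssuerRiskParams(3, 10000), floor_limit=5000))
```

In the sample run the fourth transaction goes online because the card's count threshold is reached, and the fifth goes online because the terminal's floor limit is exceeded even though the card, freshly reset, would have approved it offline.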
Application Cryptogram: This function enables the card to generate a dynamic cryptogram (called the Application Cryptogram) over a random challenge sent by the terminal, card data, and transaction data (including the transaction amount) using a secret key securely stored in the card and shared with the issuer. If an online authorization is required, the Application Cryptogram together with the other data is sent to the issuer, which can then verify the accuracy of the cryptogram and thereby establish the authenticity of the card and the integrity of the card and transaction data. The response of the issuer (i.e., approve or decline the transaction) is then sent back to the card protected by another cryptogram, which can be verified by the card. If the transaction is approved offline, the Application Cryptogram can be stored and used later by the issuer to verify that the transaction was genuine (e.g., in case of a dispute).
SUMMARY
M/Chip uses the full computational capabilities of a chip card to implement state-of-the-art security functions to secure a transaction when executing:
• Offline customer PIN verification by the card;
• Dynamic offline (terminal) and online (issuer) card and data authentication; and
• Card risk management protocols as defined by the issuer.
Furthermore, it is important to note that the three basic security functions contained in M/Chip, namely the cardholder verification via offline PIN, the card and data authentication using symmetric cryptography, and the card and data authentication using asymmetric cryptography, can be used as generic functions to secure any system requiring some form of authentication.

And finally, the usage of M/Chip cards in conjunction with a user device, such as a Chip Authentication Program (CAP) reader or a keyboard and display, enables a cardholder to generate dynamic passwords for various applications, such as home banking and MasterCard® SecureCode™ authentication.
PROMOTING THE INTEGRITY OF THE GLOBAL PAYMENTS SYSTEM THROUGH LIABILITY SHIFT INITIATIVES
In its role as a founder and early proponent of EMV technology, MasterCard has executed a strategy to combat card fraud in many regions around the world that relies heavily on enabling chip-based payment transactions.
MasterCard has been a primary driver behind the impressive strides that EMV technology has made in addressing fraud in regions that have migrated or are in the process of migrating to chip-based payments. EMV has exceeded expectations in reducing counterfeit and lost & stolen fraud. EMV also has provided the marketplace with increased operational efficiencies, improved offline risk management, and a host of enhanced value-added solutions that go beyond simply making transactions more secure for cardholders.
As part of this global effort, MasterCard instituted an EMV chip liability

Across mature EMV markets, the migration to this technology has greatly reduced the viability of certain fraud attack vectors. Additionally, as more markets move towards widespread adoption of EMV, the entire payment card ecosystem will continue to reap the benefits.

To help foster that reality, MasterCard is committed to working with issuers and acquirers worldwide in building new EMV roadmaps and enhancing existing ones to ensure that key learnings and best practices for migration are clearly understood and implemented. Throughout the migration process, MasterCard will work with its customers to ensure that the balance of risk in the global payments system reflects the substantial global investments that various entities in the payment value chain have made to protect and safeguard sensitive data from fraud.
Preventing BIN Attacks

Bank identification number (BIN) attacks on unprotected accounts have the potential to cause significant financial losses in a short amount of time. This type of attack is likely due to criminals constantly seeking authorizations on randomly-generated BIN ranges in an effort to obtain a positive authorization for valid account numbers, which can then be used for fraudulent transactions.

Criminal probing-type activities that lead to BIN attacks can occur during all stages of a BIN's lifecycle and are not necessarily associated with a specific BIN status change. Therefore, constant vigilance is required, because if no authorization controls are in place, inactive or low-activity BINs can present a fraud risk to issuers whereby transaction losses may quickly occur.

Best Practices: BIN Attacks
Issuers should closely and continuously monitor transaction activity on both active and inactive BINs to detect potential fraud patterns. Issuers also should initiate the following security measures to help mitigate BIN attacks.

Review and customize Stand-In parameters to align with cardholder portfolios. This action helps to ensure that valid accounts are approved. Issuers should also leverage Negative Listings to help ensure that invalid (e.g., lost, stolen, and closed) accounts are declined.

Check Stand-In transaction logs for suspicious activity. When transactions are in Stand-In, logs are created to help identify and record suspicious activity. When operating in or immediately following Stand-In processing, issuers should review these logs to determine whether transaction patterns are out of the ordinary.

Choose BIN range blocking to protect account ranges. Selecting this offering can help prevent fraud from occurring on accounts that are inactive or not yet issued to cardholders.
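An added Python example (not MasterCard's Stand-In service code) of the controls described above: a range list that blocks a BIN range or a segment of up to 11 digits during Stand-In, a negative list for lost, stolen and closed accounts, and a review of Stand-In logs that flags a BIN when many distinct account numbers are tried with mostly declines or when the account numbers run consecutively. The log format, merchant ids, thresholds and account numbers are constructed for the example.

```python
"""Stand-In range blocking and Stand-In log review.

Assumptions: a log row is "timestamp|PAN|merchant id|response"; PANs, merchant
ids and thresholds are constructed; a blocked range is a numeric prefix of
6 to 11 digits (the page states ranges are defined up to 11 digits).
"""
from collections import defaultdict
from typing import Dict, List, Set

MAX_PREFIX_DIGITS = 11


class BlockedRanges:
    """Account ranges the issuer blocks while they are inactive or not yet issued."""

    def __init__(self) -> None:
        self.prefixes: Set[str] = set()

    def add(self, prefix: str) -> None:
        if not prefix.isdigit() or not 6 <= len(prefix) <= MAX_PREFIX_DIGITS:
            raise ValueError("a range is a BIN or BIN segment of 6 to 11 digits")
        self.prefixes.add(prefix)

    def is_blocked(self, pan: str) -> bool:
        return any(pan.startswith(p) for p in self.prefixes)


def standin_decision(pan: str, blocked: BlockedRanges, negative_list: Set[str]) -> str:
    """Backup authorization control applied when the issuer cannot respond."""
    if blocked.is_blocked(pan):
        return "DECLINE:INACTIVE_RANGE"
    if pan in negative_list:                  # lost, stolen and closed accounts
        return "DECLINE:NEGATIVE_LIST"
    return "APPROVE:STANDIN"


def longest_consecutive_run(pans: List[str]) -> int:
    """Longest run of account numbers whose bodies (PAN without the final
    check digit) increase by exactly one, the signature of generated PANs."""
    bodies = sorted({int(p[:-1]) for p in pans})
    best = run = 1 if bodies else 0
    for prev, cur in zip(bodies, bodies[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def review_standin_log(lines: List[str], min_attempts: int = 5,
                       decline_rate: float = 0.5, run_len: int = 4) -> Dict[str, dict]:
    """Flag BINs whose Stand-In traffic is out of the ordinary: many distinct
    PANs with a high decline rate, or a run of consecutive account numbers."""
    by_bin: Dict[str, List[tuple]] = defaultdict(list)
    for line in lines:
        _ts, pan, _merchant, response = line.split("|")
        by_bin[pan[:6]].append((pan, response))
    alerts: Dict[str, dict] = {}
    for bin_, rows in by_bin.items():
        pans = [p for p, _ in rows]
        declines = sum(1 for _, r in rows if r.startswith("DECLINE"))
        rate = declines / len(rows)
        run = longest_consecutive_run(pans)
        if (len(set(pans)) >= min_attempts and rate >= decline_rate) or run >= run_len:
            alerts[bin_] = {"attempts": len(rows), "distinct_pans": len(set(pans)),
                            "decline_rate": rate, "consecutive_run": run}
    return alerts


# Constructed Stand-In log: one probing burst on BIN 512345, normal traffic on 541111.
SAMPLE_LOG = [
    "2012-03-01T02:14:07|5123450000000103|MID-CONSTRUCTED-A|DECLINE:05",
    "2012-03-01T02:14:09|5123450000000111|MID-CONSTRUCTED-A|DECLINE:05",
    "2012-03-01T02:14:10|5123450000000128|MID-CONSTRUCTED-A|DECLINE:05",
    "2012-03-01T02:14:12|5123450000000136|MID-CONSTRUCTED-A|DECLINE:05",
    "2012-03-01T02:14:13|5123450000000144|MID-CONSTRUCTED-A|DECLINE:05",
    "2012-03-01T02:14:15|5123450000000152|MID-CONSTRUCTED-A|DECLINE:05",
    "2012-03-01T08:30:00|5411110000000017|MID-CONSTRUCTED-B|APPROVE:00",
    "2012-03-01T09:02:41|5411110000000223|MID-CONSTRUCTED-B|APPROVE:00",
    "2012-03-01T11:47:19|5411110000009876|MID-CONSTRUCTED-C|APPROVE:00",
]

if __name__ == "__main__":
    print(review_standin_log(SAMPLE_LOG))
```

Comparing account-number bodies rather than whole PANs matters: two valid PANs whose bodies differ by one have unrelated check digits, so a naive "differ by one" test on the full number misses exactly the generated sequences the review is looking for.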
Stand-In Service
MasterCard offers a Stand-In Service to help enhance the integrity and reliability of our issuing customers by ensuring an authorization response when an issuer cannot respond because of unexpected outages, data communication errors, or planned maintenance interruptions to their systems.

BIN Attack Prevention Measures
Since events that trigger Stand-In processing are quite often outside of the control of the issuer, the following services offered by MasterCard can help ensure that issuers protect inactive BIN ranges, including newly licensed BIN ranges not yet issued to cardholders and existing BIN ranges in an inactive state of low or no cardholder activity.

Stand-In Range Blocking Service
This offering blocks authorization requests in Stand-In to assist issuers in managing risk on inactive accounts or accounts not yet issued. Issuers are able to block an entire BIN range or a segment of a BIN range, defined up to 11 digits.

Transaction Blocking Service for Inactive BINs
This feature helps issuers avoid large-scale fraud attacks by providing preventive, backup authorization controls that deny unauthorized use of non-issued or inactive BIN ranges. The service blocks transactions on specified card ranges when transactions are processed online. It also blocks authorization requests for an entire BIN range or a segment of a BIN range, defined up to 11 digits.

Magnetic Stripe Validation Service
This service provides additional testing of the magnetic stripe, or card validation code 1 (CVC1) data, using a Data Encryption Standard (DES) algorithm to validate the legitimacy of the card and the authenticity of the point-of-sale (POS) or ATM transaction.

Fraud Management Services
Stand-In Investigation Service (SIS)
MasterCard also has developed the Stand-In Investigation Service (SIS) as an enhancement to its Stand-In processing services for detecting suspicious authorization requests processed by Stand-In through MasterCard's Expert Monitoring Solutions. This service incorporates a proprietary analytical tool that notifies MasterCard personnel when an authorization request processed by Stand-In indicates certain risk factors. It also allows MasterCard to help detect and advise issuers about suspicious authorization requests of this nature.

SIS comprises the following three categories of available services:

SIS Attack
The MasterCard Fraud Investigations team will work with the affected issuer to verify and help eliminate any high-risk activity. After its investigation, MasterCard will provide critical information to the affected issuer and then follow the issuer's instructions to help resolve the situation.

SIS Warning
This service occurs when MasterCard monitors Stand-In authorization requests for early warning signs (testing or probing) of fraudulent activity typically associated with Card-Not-Present (CNP) authorizations at suspicious merchants. Based on these warning signs, MasterCard can then work with the affected issuer to verify and help eliminate any identified vulnerabilities.

SIS Monitoring
This optional service allows issuers to request short-term or recurring monitoring of their Stand-In transactions.
PREVENTING CVC 1 BRUTE FORCE AND INVALID SERVICE CODE ATTACKS

Phishing scams present a variety of fraud management challenges for issuers when it comes to exploiting payment card data. Because any unsuspecting cardholder can fall victim to an official-looking online or social media phishing ploy, fraudsters can quickly gain access to a number of valid primary account numbers (PANs), expiry dates, and PINs, as well as specific personally identifiable information (PII). By leveraging this information, criminals can engage in a wide range of fraudulent activities, including card validation code 1 (CVC1) brute force and invalid service code attacks. This article provides an overview of the attack methodologies and offers fraud mitigation techniques related to these two fraud schemes.

BRUTE FORCE ATTACKS TARGETING CVC 1 VALUES
In this type of attack, criminals use high-speed computer programs and stolen merchant IDs to test phished payment card data in association with multiple combinations of possible CVC1 values. After valid authorizations are received, fraudsters engage in test transactions of small dollar authorization amounts, typically less than a dollar, which are run through a compromised merchant ID in order to identify a valid CVC1 value. These brute force attacks may occur in a short time frame and usually involve repeated attempts on a single PAN to identify the valid CVC1 value. Once a valid CVC1 value has been identified, criminals can use the other phished cardholder payment card information to counterfeit a card and commit additional fraudulent transactions, usually at ATMs.

To address this type of brute force attack, issuers should continue to raise awareness among their cardholders regarding the various forms of phishing scams currently occurring in the marketplace. It is important that cardholders safeguard their payment card data from scams, such as traditional phishing (phone or e-mail messages), smishing (text messages), and fraudulent social media requests asking for personal information.

Issuers also need to make sure that they have dynamic authorization and fraud control strategies in place to address this risk and avoid financial losses associated with this attack methodology. These strategies should ensure that they identify the attack, decline the associated transactions, and status the impacted accounts without loss. Specifically, issuers also should review the authorization and fraud velocity controls for PANs and merchant IDs and establish alerts when limits or parameters are exceeded. If issuers need additional assistance in mitigating this type of fraud, MasterCard will gladly work with them to create specific fraud rules and strategies to identify this type of attack. Such support may involve assigning a reason code to a rule(s) that will be inserted into the Authorization Request/0100 message. The reason code then can be used to define authorization and queue management strategies on an issuer's authorization system.

Best Practices: Phishing Scams
Helping Cardholders Avoid the Phishing Hook
Cardholders must safeguard their payment card data from scams such as:
• Traditional phishing (phone or e-mail messages)
• Smishing (text messages)
• Fraudulent social media requests asking for personal information

INVALID SERVICE CODE ATTACKS
Another potential fraud attack vector that hackers have been able to exploit through phishing scams involves using an invalid service code value of 000 for the CVC1 entry. The service code, a three-digit numeric value, is encoded in the Track 1 and Track 2 data of a card and indicates to a magnetic stripe-reading terminal the transaction acceptance parameters of the card.

The presence of the invalid service code 000 in magnetic stripe transaction authorizations is a likely indicator that counterfeit fraud is occurring. In this scenario, criminals take the phished cardholder data, such as the PAN and expiry date, to produce counterfeit magnetic stripe cards encoded with the service code of 000 and with the phished CVC2 value in place of the CVC1 value in the track data. When issuers use the same cryptographic Data Encryption Standard (DES) key to verify the CVC1 and CVC2 values, criminals are able to commit ATM fraud with the phished PIN, so that the transactions are able to pass the CVC1 check and be authorized by issuers.

Based on this attack vector, issuers are strongly recommended to promptly implement system edits that will result in the decline of authorization requests containing 000 service codes. Issuers also should set their authorization system parameters to recognize 000 as an invalid service code when verifying the CVC1 value encoded on Track 1 or Track 2. Additionally, they should decline such magnetic stripe transactions as a fraud prevention measure. This recommendation applies to both magnetic stripe-only cards and EMV cards used in magnetic stripe environments.
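The two system edits this article recommends, written out as an added Python example rather than any issuer's authorization code: the authorization path parses Track 2, declines any request carrying service code 000 before CVC1 verification is even consulted, and applies a per-PAN velocity counter so that repeated CVC1 mismatches inside a time window status the account and decline later attempts, including the attempt that finally carries the correct value. The Track 2 layout used is the standard PAN, field separator, YYMM expiry, three-digit service code, discretionary data form; the window size, mismatch limit, reason-code strings, merchant ids and sample requests are constructed.

```python
"""Authorization edits for service code 000 and CVC1 mismatch velocity.

Assumptions: Track 2 is "PAN=YYMM" + 3-digit service code + discretionary
data; the issuer's CVC1 verification result arrives as a boolean; the window,
limit, reason codes and sample requests are constructed for this example.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple

TRACK2_RE = re.compile(
    r"^(?P<pan>\d{12,19})[=D](?P<expiry>\d{4})(?P<service>\d{3})(?P<disc>\d*)$")
INVALID_SERVICE_CODE = "000"


def parse_track2(track2: str) -> Dict[str, str]:
    """Split Track 2 into PAN, expiry (YYMM), service code and discretionary data."""
    m = TRACK2_RE.match(track2)
    if not m:
        raise ValueError("malformed Track 2 data")
    return m.groupdict()


class Cvc1VelocityMonitor:
    """Counts CVC1 mismatches per PAN inside a sliding window. Once the limit
    is reached the PAN is statused and every later attempt is declined, even
    one that carries the correct value."""

    def __init__(self, max_mismatches: int = 3, window_seconds: int = 600) -> None:
        self.max_mismatches = max_mismatches
        self.window = window_seconds
        self.mismatches: Dict[str, Deque[int]] = defaultdict(deque)
        self.statused: set = set()

    def record(self, pan: str, ts: int, cvc1_ok: bool) -> bool:
        q = self.mismatches[pan]
        while q and ts - q[0] > self.window:      # forget mismatches outside the window
            q.popleft()
        if not cvc1_ok:
            q.append(ts)
        if len(q) >= self.max_mismatches:
            self.statused.add(pan)                # account stays statused until reviewed
        return pan in self.statused


@dataclass
class AuthRequest:
    ts: int               # epoch seconds
    track2: str
    cvc1_ok: bool         # result of the issuer's CVC1 verification
    merchant_id: str
    amount_cents: int


def authorize(req: AuthRequest, monitor: Cvc1VelocityMonitor) -> Tuple[str, str]:
    """Return (decision, reason). Order matters: the 000 edit runs first, and the
    velocity check runs before the plain CVC1 result is trusted."""
    fields = parse_track2(req.track2)
    if fields["service"] == INVALID_SERVICE_CODE:
        return "DECLINE", "INVALID_SERVICE_CODE"
    if monitor.record(fields["pan"], req.ts, req.cvc1_ok):
        return "DECLINE", "CVC1_VELOCITY"
    if not req.cvc1_ok:
        return "DECLINE", "CVC1_MISMATCH"
    return "APPROVE", ""


# Constructed requests: three small-amount mismatches on one PAN in seconds, then
# the correct value; a card carrying service code 000; and an ordinary purchase.
PROBED = "5123450000000103=1512101"
SAMPLE_REQUESTS = [
    AuthRequest(1000, PROBED + "0000001", False, "MID-CONSTRUCTED", 50),
    AuthRequest(1005, PROBED + "0000002", False, "MID-CONSTRUCTED", 50),
    AuthRequest(1010, PROBED + "0000003", False, "MID-CONSTRUCTED", 50),
    AuthRequest(1015, PROBED + "0000004", True, "MID-CONSTRUCTED", 50),
    AuthRequest(2000, "5123450000000111=15120000000005", True, "MID-CONSTRUCTED", 4000),
    AuthRequest(2100, "5411110000000017=14101010000006", True, "MID-LEGIT", 2599),
]


def run_sample() -> List[Tuple[str, str]]:
    monitor = Cvc1VelocityMonitor(max_mismatches=3, window_seconds=600)
    return [authorize(r, monitor) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, result in zip(SAMPLE_REQUESTS, run_sample()):
        print(req.ts, req.merchant_id, result)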
Protecting Prepaid Cards Against Fraud

Best Practices: Prepaid Cards

The ever-increasing growth of prepaid cards represents a sizable business opportunity for many issuers. In addition to becoming the ubiquitous gift-giving option, consumers also greatly appreciate the benefits that these cards provide as an alternative to carrying cash or travelers checks. Organizations also see the benefits of using prepaid cards to support payroll and benefit payments, while their employees have learned to value the increased flexibility and security that these cards offer in contrast to paper checks.

However, with these opportunities come potential risks. Broader distribution channels also mean that issuers are offering prepaid cards with all of the utility and risk associated with universally-accepted payment cards. Consumers who may not have passed a typical issuer screening process or have no direct business relationship with the issuer are now able to take advantage of the prepaid card program benefits.

These prepaid card dynamics, combined with many of the same fraud attack vectors used against credit and debit cards, represent a different channel for criminals to commit fraud. Therefore, issuers must be able to manage potential prepaid card program risk in the same manner that they manage credit and debit card risk.

INCORPORATING RISK MANAGEMENT CONTROLS AS PART OF DAILY OPERATIONS
Issuers should include a variety of risk controls in their daily operations to help reduce their exposure to prepaid card fraud. They also must set minimum risk criteria for both current and new customers and establish the appropriate level of screening for portfolios. Additionally, limits must be established for the initial value load or stored value of an account, as well as the reload value depending on the type of product and characteristics of the prepaid program.

Authorizations
Setting reasonable daily limits for both ATM and point-of-interaction (POI) transactions is the first line of defense for any kind of potential loss. Issuers should create checks and balances to ensure that all authorization systems are working from similar balance information. Issuers also need to have authorization monitoring and loss-control programs in place to track velocity and spending limits on individual accounts on a single-day and multiple-day basis. MasterCard also recommends that issuers have the capability to respond in real-time when the fraud and risk controls are triggered during the authorization process. Having documented policies and procedures around these authorization controls is vital to keeping a prepaid portfolio current and accurate.

Posting Transactions
Prepaid card transactions, just like debit card transactions, should be posted to an account as soon as a valid authorization is provided. This process ensures that funds are available for transactions that may take time to settle and post against the account. Issuers should consider instituting a policy to hold available funds that can match the clearing transactions. A separate policy should be implemented for transactions with no matching authorization record. Issuers should also consider implementing a process to hold credits and force-posted authorizations until such records can be matched to off-setting debits or approved authorizations.
Note: Transactions clear on average within two or three days, so the hold period should accommodate for the clearing transaction, but not be longer depending on the market.
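An added Python sketch (example code, not from the article or any issuer's system) of the posting policy described under Posting Transactions: a hold is posted at authorization time, a clearing record that matches a hold is posted to the balance while one without a matching authorization is routed for review, credits are held until matched to an off-setting debit, and unmatched holds expire after a hold period. The three-day hold period, the start date and the amounts are assumptions chosen for the example; the three days follow the article's note that transactions clear on average within two or three days.

```python
"""Prepaid account posting with authorization holds and matching.

Assumptions: a 3-day hold period, minor-unit integer amounts, and a
constructed start date. Credits are held until matched to a debit of at
least the credited amount; unmatched clearings are routed to review.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Tuple

HOLD_DAYS = 3
START_DATE = date(2012, 3, 1)    # constructed


def later(days: int) -> date:
    return START_DATE + timedelta(days=days)


@dataclass
class PrepaidAccount:
    balance: int                                      # ledger balance, minor units
    holds: Dict[str, Tuple[int, date]] = field(default_factory=dict)
    held_credits: Dict[str, int] = field(default_factory=dict)
    unmatched_clearings: List[Tuple[str, int]] = field(default_factory=list)

    def available(self) -> int:
        """Funds under an authorization hold are not spendable; held credits
        have not yet been added to the balance."""
        return self.balance - sum(a for a, _ in self.holds.values())

    def authorize(self, auth_id: str, amount: int, when: date) -> bool:
        """Post the hold as soon as the authorization is approved."""
        if amount > self.available():
            return False
        self.holds[auth_id] = (amount, when)
        return True

    def clear(self, auth_id: str, amount: int) -> str:
        """Match the clearing record to its hold; anything without a matching
        authorization (including force-posted items) goes to review."""
        if auth_id in self.holds:
            del self.holds[auth_id]
            self.balance -= amount
            return "POSTED"
        self.unmatched_clearings.append((auth_id, amount))
        return "UNMATCHED_REVIEW"

    def credit(self, ref: str, amount: int) -> str:
        """Credits are held until matched to an off-setting debit."""
        self.held_credits[ref] = amount
        return "HELD"

    def release_credit(self, ref: str, matched_debit_amount: int) -> bool:
        amount = self.held_credits.get(ref)
        if amount is None or amount > matched_debit_amount:
            return False
        del self.held_credits[ref]
        self.balance += amount
        return True

    def expire_holds(self, today: date) -> List[str]:
        """Drop holds whose clearing never arrived within the hold period."""
        expired = [aid for aid, (_, d) in self.holds.items() if (today - d).days > HOLD_DAYS]
        for aid in expired:
            del self.holds[aid]
        return expired


if __name__ == "__main__":
    acct = PrepaidAccount(balance=10000)
    acct.authorize("A1", 3000, START_DATE)
    print(acct.available(), acct.clear("A1", 3000), acct.clear("X9", 500), acct.unmatched_clearings)
```

The separation between `balance` and `available()` is what keeps two authorization systems "working from similar balance information": a second authorization against the same funds is refused while the first hold is open, and the unmatched clearing list is the input to the separate policy the article asks for.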
FRAUD CATEGORIES
The following overview describes the top fraud categories and provides recommended practices for issuers to help control losses resulting from these types of fraud as they relate to prepaid cards.
Lost/Stolen Card Fraud
Fraudulent activity commonly occurs as the result of a lost or stolen card, which fraudsters use to post transactions to the account. Issuers should consider the following risk management tools to help control lost and stolen card fraud:
• Daily reviews of exception and velocity monitoring reports can help identify potential problems with accounts. The following categories should be reviewed:
  - Transaction amounts in a rolling 24- to 48-hour period
  - Dollar amounts in a rolling 24- to 48-hour period
  - Expiration date mismatch
  - Multiple mismatched card validation code 1 (CVC1) decline reason codes
  - Daily decline reason code
  - High-risk merchant category codes (MCCs) and country codes
  - Non-monetary changes to accounts
  The ability to monitor exceptions in these categories allows the issuer to better control risk and enable more proactive customer service when identifying potential fraud on cardholder accounts.
• Mail or ship inactive prepaid cards that require cardholder activation
Card-Not-Present Fraud
Card-Not-Present (CNP) fraud involves non-face-to-face transactions where fraudsters obtain account numbers and fraudulently use them to make purchases via phone, through the mail, or on the Internet. Computer-savvy criminals can generate or extrapolate valid card numbers using bank identification number (BIN) listings or existing numbers from various Internet programs. A number of approaches can help prevent losses associated with CNP fraud, regardless of how the criminals obtain the account numbers, including:
• Address Verification Service (AVS)
• Mismatch expiration date programs
• CVC2
• Daily reporting for MCCs and country codes
• Daily reporting for merchant authorization denial/fraud advisory codes
• POI entry mode
• MasterCard® SecureCode™
Counterfeit Cards
Counterfeiting has become much more sophisticated as criminals have developed new ways to obtain genuine cardholder account information. This obtainment allows the fraudsters to create embossed, printed, or re-encoded cards bearing trademarked and branded icons. Issuers should consider implementing the following security controls to help mitigate counterfeit fraud:
• Validate the expiration date in all authorization requests
• Use neural network fraud detection technology with a prepaid or debit behavior model to monitor authorizations for unusual activity
• Perform CVC1 verification on all authorization requests (ATMs included), as well as CVC2 verification on all non-face-to-face transactions
• Establish expiration dates on the CVC and change periodically to avoid potential compromise
• Review authorization exception reports for patterns of key-entered transactions
• Implement strategies to monitor authorizations from high-risk MCCs and country codes
• Review clearing data for transactions under the floor limit for non-issued account numbers
• Monitor for authorization attempts on consecutive account numbers
• Monitor for CVC1 mismatch decline velocity
• Monitor for exceeded PIN-entry attempts
• Implement a card reissue decision matrix and special authorization monitoring for accounts that have been part of past data breaches
• Monitor for unusual settlement activity such as credits or force-posted authorizations without matching authorizations
• Randomly issue account numbers and vary the expiration dates
ANTI-MONEY LAUNDERING CONSIDERATIONS
Consideration should also be given to the unique anti-money laundering (AML) risks that prepaid cards may pose. In doing so, there will likely be a clear need to incorporate risk-based controls, such as load and velocity limits on the different delivery channels. Issuers should consult with their legal and compliance departments to ensure that appropriate AML policy, procedures, and risk controls are in place for their prepaid card portfolio. Prepaid programs must meet local regulatory requirements and network standards for AML. The program, at a minimum, should include:
• Customer identification procedures
• Suspicious activity monitoring and reporting
• Record keeping
• Independent control validation and refining
• Sanction screening

In addition to the previously described practices, issuers should also implement the following practices to help control prepaid card fraud:
• Linking prepaid cards: Issuing prepaid cards when there is an ongoing credit or debit account relationship
• Knowing your business: Ensuring that all parties are known by the issuer and that each party has an understanding of its role. This effort should include:
  - Third-party service providers
  - Processors
  - Program managers
  - Co-brand partners
  - Other program partners that might have a role in the distribution of payroll or incentive-type cards to employees
WHAT TO DO IF FRAUD OCCURS
The recommended monitoring of suspicious transactions helps issuers detect fraudulent patterns quickly, helping to mitigate the impact on their portfolios. In contrast, waiting for the legitimate cardholder to discover and report the fraud can cause significant brand damage as well as strain the issuer and cardholder relationship.

In the case where the cardholder information cannot be authenticated, such as with certain prepaid gift cards, the issuer should contact the consumer who purchased the gift card in an attempt to ascertain the identity of the actual cardholder. If possible, the issuer should attempt to verify whether the person who received the gift card was responsible for the transaction in question. The issuer should use a cardholder authentication process with personalized cardholder-selected questions to verify the identity of the cardholder. If the information obtained from these cardholder contacts confirms the suspicious activity, the issuer should block the card immediately to prevent further fraudulent activity. Even if the true cardholder has the card in his or her possession, an unauthorized purchase could indicate CNP fraud in which the fraudster used only the account number and not the actual card, or possible counterfeit activity.

If an issuer identifies fraud on numerous prepaid accounts, the issuer should take the following important actions:
• Pull statements for the reported time frames to determine a specific fraud trend or suspicious pattern. This action may help isolate a merchant that obtained account numbers of legitimate cardholders for fraudulent purposes as a potential account data compromise (ADC) event.
• Contact the card processor to obtain full authorization logs. An issuer's daily reports may not contain all of the detailed transaction information that is vital in identifying fraudulent activity. The logs provide critical information needed to analyze the fraud type and pattern of suspect transactions. The logs also contain other useful information, such as:
  - Merchant information (e.g., street addresses and terminal IDs)
  - Transaction amount details to help determine whether the sales were lower than the floor limits
  - Sequential account numbers used in fraudulent transactions
Understanding Website Navigation Layer Vulnerabilities
By Jesse McKenna, Fraud Analyst, Silver Tail Systems
Status Report: Fraud Trends

Since the commercialization of the Internet, there has been an evolution in how cyber criminals are conducting malicious activities on websites. They are finding an ever-increasing number of ways to steal information, commit fraud, game website logic, and impact business operations.
Central to the explosion of cyber crime in recent years is the continued evolution of rich Internet applications and exposure of critical business operations to the worldwide web.

The more that business operations (both internal and external-facing) move to web-enabled platforms in 2012, the more opportunities present themselves for criminals to find loopholes, mine for valuable data, and exploit legitimate website functionality.
Cyber criminals are becoming more creative and automating their way of exploiting vulnerabilities and business logic flaws at the Navigation Layer, which includes all behavior on a website and may be referred to as a "clickstream." In 2012, the industry will begin to recognize a new classification of attacks executed through the Navigation Layer. This insight will begin to give organizations leverage as they start to look at web-borne threats in a new way.

THE NAVIGATION LAYER
Basically, the Navigation Layer is how users of web services access and interact with various resources and functionality of websites. Purchasing a digital camera on an e-commerce site, balancing your checkbook using online banking, and interacting with project plans on a company's intranet are all examples of activities that take place in the Navigation Layer.
The reason that the Navigation Layer is such an attractive target for criminals is that the functionality that enables their criminal activities, in large part, has to be made available to legitimate users. As long as there are websites, criminals will be looking for ways to take advantage of the data and functionality made available through those sites. Although certainly not an exhaustive list, a significant portion of online criminal activity can be seen in the categories of:
• Business Logic Abuse,
• Data Scraping, and
• Architecture Probing.

TRADITIONAL SECURITY STRUGGLES TO PROTECT THE NAVIGATION LAYER
The cyber security challenge facing businesses and organizations is that it is notoriously difficult to detect and defend against Business Logic Abuse, Data Scraping, Architecture Probing, and other types of attacks executed through the Navigation Layer.
Traditional approaches that leverage deep authentication of users, transaction risk-modeling, link analysis, and event correlation are still critical to have in place, but are rendered largely ineffective when confronted with "low-and-slow" processes scraping site data or with attacks carried out by networks of hundreds of personal computers (PCs) infected with criminal-controlled malware. Moreover, criminals are continually changing their attack strategies and developing new methods of exploiting website functionality. Keeping detection systems up-to-date with the latest attack vectors is incredibly challenging.
DEFENDING AGAINST NAVIGATION LAYER ATTACKS
All of this may seem overwhelming and rightfully so. However, there are a few aspects of this type of criminal activity that begin to level the playing field.
First, these attacks all take place through the Navigation Layer and website owners control this layer. Although the functionality exploited by criminals typically is required for the use of legitimate users, businesses and organizations can have visibility into every aspect of the traffic going through the Navigation Layer. The ability to monitor this wealth of traffic is invaluable for detecting attacks coming through the website and for performing forensic investigations of past events to better inform detection and mitigation decisions in the future.
The other area where businesses and organizations have an advantage is that criminals, in order to execute their attacks, need to behave differently than normal users of a website. Normal users do not try to log in using tens, hundreds, or thousands of different passwords. Nor do they crawl entire product catalogs on e-commerce sites or submit nonsensical chunks of data to web applications in the hopes that they will break. By leveraging full visibility into the Navigation Layer, it is possible to perform behavioral analytics on every click on the website and rapidly identify the outliers: those web sessions that are not behaving like everyone else using the website.
As web applications and web-enabled devices continue to rapidly evolve, the attacks on the Navigation Layer will continue to keep pace, using the latest functionality for something other than what it was intended for. However, by maintaining full visibility into the Navigation Layer and on every click occurring on the website, these evolving threats can be detected and mitigated in near real-time, thereby preventing the often dramatic impacts of attacks that have gone unnoticed until the damage has been realized.
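The "behave differently than normal users" observation is the whole basis of the detection, so it is worth seeing what per-session behavioral analytics over a clickstream looks like in practice. The following is an added example, not Silver Tail Systems' product logic; the clickstream (five ordinary shoppers, one session that fails dozens of logins, one session that walks the product catalog) is constructed, and the log field layout is an assumption about what a web tier records.

```python
"""Behavioral analytics over a clickstream.

Added example, not Silver Tail Systems' product logic. The clickstream below
is constructed (five ordinary shoppers, one credential-stuffing session, one
catalog scraper); the field layout (timestamp, session id, path, HTTP status)
is an assumption about what a web-tier log provides.
"""
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

Click = Tuple[int, str, str, int]  # (unix seconds, session id, path, status)

# Floor on the spread estimate per feature, so a homogeneous population
# (MAD of zero) does not flag every session that differs at all.
FEATURE_FLOORS = {"login_failures": 1.0, "product_pages": 1.0, "rate": 0.1}


def build_sample_clickstream() -> List[Click]:
    clicks: List[Click] = []
    # Five ordinary sessions: a few product pages, one login, a cart view, over ~60 s.
    for i, sid in enumerate(["s1", "s2", "s3", "s4", "s5"]):
        t0 = i * 100
        clicks.append((t0, sid, "/", 200))
        for j in range(3):
            clicks.append((t0 + 10 + 15 * j, sid, f"/product/{i * 3 + j}", 200))
        clicks.append((t0 + 55, sid, "/login", 200))
        clicks.append((t0 + 60, sid, "/cart", 200))
    # One session that fails 40 logins in 20 seconds.
    for k in range(40):
        clicks.append((1000 + k // 2, "stuffer", "/login", 401))
    # One session that walks 80 product pages, one per second.
    for k in range(80):
        clicks.append((2000 + k, "scraper", f"/product/{k}", 200))
    return clicks


def session_features(clicks: List[Click]) -> Dict[str, Dict[str, float]]:
    """Summarize each session: failed logins, distinct product pages, click rate."""
    by_sid: Dict[str, List[Click]] = defaultdict(list)
    for c in clicks:
        by_sid[c[1]].append(c)
    feats: Dict[str, Dict[str, float]] = {}
    for sid, rows in by_sid.items():
        times = [r[0] for r in rows]
        span = max(1, max(times) - min(times))
        feats[sid] = {
            "login_failures": float(sum(1 for _, _, p, s in rows if p == "/login" and s != 200)),
            "product_pages": float(len({p for _, _, p, _ in rows if p.startswith("/product/")})),
            "rate": len(rows) / span,
        }
    return feats


def outliers(feats: Dict[str, Dict[str, float]], k: float = 5.0) -> Dict[str, List[str]]:
    """Robust outlier test: a session is flagged on a feature when it exceeds
    the population median by more than k times the median absolute deviation."""
    flagged: Dict[str, List[str]] = defaultdict(list)
    for name, floor in FEATURE_FLOORS.items():
        values = [f[name] for f in feats.values()]
        med = statistics.median(values)
        mad = statistics.median(abs(v - med) for v in values)
        threshold = med + k * max(mad, floor)
        for sid, f in feats.items():
            if f[name] > threshold:
                flagged[sid].append(name)
    return dict(flagged)


if __name__ == "__main__":
    print(outliers(session_features(build_sample_clickstream())))
```

Median and MAD rather than mean and standard deviation matter here: the attacking sessions are exactly the values that would drag a mean-based threshold upward and hide themselves. The feature list is deliberately small; on a real site the same loop runs over whatever behaviors the Navigation Layer exposes (checkout-flow skips, search-to-click ratios, error rates per path).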
A Friend Request from ZeuS
Cyber criminals are actively targeting the payment value chain, and financial institutions (FIs) are feeling the pain. Many of the organized syndicates responsible for these attacks span multiple countries, thereby complicating the efforts of law enforcement agencies to coordinate and stop them. Because cyber crime is such a lucrative business with few adverse consequences, the intensity of cyber attacks is rapidly increasing.
The fraudsters don't need a business case to justify creating new ways to perpetrate crime, and their pace of innovation around cyber crime is escalating. Cyber crime is constantly evolving to stay one step ahead of the most recently deployed fraud mitigation technologies. Criminals leverage the coding efforts of their peers and continually "improve" upon the base model of a malware strain in an effort to avoid detection. A high-profile example of this evolution is a variant of the credential-capturing ZeuS Trojan that was first released a few years ago. Criminals deploying ZeuS realized that their efforts were often being thwarted when a business logged into its online banking site, detected an unauthorized transaction, and called its bank to stop payment. In response, cyber criminals developed a derivative strain of the malware to mask the unauthorized transaction in the online banking interface, so that the commercial customer would not identify the
FRAUD: COMING SOON TO A MOBILE PHONE NEAR YOU
In the mobile channel, most FIs are currently experiencing few mobile-fraud losses, largely because customer adoption of this technology is still in its early stages, and a low number of high-risk transactions have been processed via the mobile channel. However, this scenario is rapidly changing, as most risk management executives with whom Aite Group has spoken believe that mobile will be the next big area of exposure for financial services.
Financial services innovation in the mobile channel is progressing rapidly, but there is an unfortunate paradigm in financial services that security often lags behind innovation. While transactional capability has been fairly low-risk to date, customer demand and the need for FIs to find new revenue sources are driving higher-risk transactional capability to consumer and business mobile-banking applications. A Q4 2011 Aite Group survey of global financial services risk executives found that while one in four respondents expects to increase security in the mobile channel, respondents are currently waiting to see how the risk environment will evolve.
Cyber criminals are well aware that the mobile platform is an increasingly attractive target for financial fraud, and they are deploying an increasing variety of attacks. The Android™ operating system (OS) is the favorite target of cyber criminals, but no mobile OS is immune. While there are far fewer strains of mobile malware than their online malware counterparts, mobile malware is growing at a faster rate, with 41 percent more unique malware strains detected in the first three quarters of 2011 than in a comparable time period in 2010.2
Many mobile attacks emulate the malware directed against the computer, seeking to steal credentials, contacts, and other valuable data. The mobile platform also has unique characteristics
Julie Conroy McNelley, Research Director, jmcnelley@aitegroup.com
Status Report: Cyber Crime Trends
SUMMARY OF TECHNOLOGY TYPES
Behavior Analysis: Detects fraud by monitoring the user session to detect anomalous behavior patterns using a combination of rules and analytics.
Device Printing: Uses a combination of hardware and software attributes associated with a computer or mobile device to create a unique "fingerprint". This technology can be used to recognize devices associated with fraudulent activity, as well as identify devices with trusted reputations.
Knowledge-Based Authentication (KBA): Leverages demographic and credit data in third-party databases to dynamically create questions that the end user must accurately answer.
One-Time Password (OTP) Tokens: Supply an expiring password, which changes on either an event- or time-driven basis.
Out-of-band Authentication: Uses a communication mechanism not directly associated with the device being used to access the banking site in order to facilitate a second mode of communication. The most common example of this mechanism is the transmission of a text message or voice call to a mobile device to authenticate a session or transaction that is taking place on a computer.
Secure Browser: Uses client software or hardware to create a browser environment that is shielded from other applications and potential malware on a computer.
Remote Channel Fraud Technology Mapping: Effectiveness vs. Intrusiveness
The Trojan SpyEye has successfully intercepted and forwarded Short Message Service (SMS) messages used for out-of-band authentication, thereby enabling cross-channel fraud across the mobile and online channels. Two forms of malware have been detected on the Android platform that record voice conversations and forward the recorded calls to a hacker, who can then use the data for further social engineering. The mobile phone's geolocation data is susceptible to similar types of attack.
IN SEARCH OF THE SILVER BULLET
In light of the elevated risk environment, FIs are investing in a variety of fraud prevention technologies to protect themselves and their customers. Effective protection requires the combination of multiple technologies deployed to protect the endpoint, the online session, and the transaction itself. The U.S. Federal Financial Institutions Examination Council (FFIEC), recognizing that there is no silver bullet against the sophisticated and varied threats in the current environment, mandated a layered approach with its supplemental guidance.
The layered approach needs to be commensurate with the risk of the transaction; therefore, a higher degree of protection is expected for commercial customers than is required in the retail business. The risk-layered approach also needs to effectively balance effectiveness with the level of intrusiveness on the user experience. While some level of user participation is generally required, and even desirable in certain cases, the total user experience must not become so difficult that customers abandon remote channels altogether.
The figure below provides a mapping of common remote channel fraud mitigation solutions. Based on interviews with 32 North American FIs, including 19 of the top 35, the figure maps the solution's perceived effectiveness and intrusiveness on the user experience.3

CONCLUSION
It is much easier to be successful at committing crimes than thwarting them; if the criminal is successful in one of 100 attempts, he or she will potentially profit with a sizable sum. FIs, on the other hand, need to be perfect in their attempts to protect themselves and their customers. While there are many tools at the FIs' disposal, the effort to secure remote channels against cyber crime will be more about the journey than the destination; as with all things related to fraud, cyber crime will remain an ongoing battle between the forces of good and evil.
[Figure: Remote Channel Fraud Technology Mapping: Effectiveness vs. Intrusiveness. Solutions plotted: Voice Biometrics, Device Printing, Behavior Analysis, Secure Browser, OTP Tokens, Out-of-band, KBA. Axes: effectiveness and intrusiveness, each scaled from less to more. Figure not reproduced.]
1 Aite Group, Mobile Fraud: The Next Frontier, November 2011.
2 McAfee® Labs™, "McAfee Threats Report: Third Quarter 2011," http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q3-2011.pdf.
3 Aite Group, Online Fraud Mitigation: Tools of the Trade, October 2011.
Preventing ATM Fraud
Automated teller machine (ATM) attacks and the resulting fraud continue to be significant concerns for issuers and acquirers around the world.
When it comes to ATM-based fraud, criminals are taking advantage of the proliferation of cash machines at less secure non-banking locations, which make these machines an appealing target for adding skimming devices to capture cardholder data. Criminals are also targeting small- to medium-sized financial institutions that may not have adequate security controls in place. Because these institutions have not traditionally been targeted, many of them do not have adequate protection measures in place. For example, they may not monitor their ATM terminals or be able to afford the sophisticated fraud detection technology necessary to identify patterns indicative of skimming and counterfeiting during card transactions.
The recommendations and best practices presented in this article are specific to the physical, logical, and procedural security requirements of the ATM. This article also provides guidance for cardholder considerations when they are conducting transactions at ATMs.
Best Practices: ATM Security
Issuer PIN Security Considerations
ATM PINs can either be generated by an issuer or selected by the cardholder. If the PIN is generated by the issuer, it should:
• Be derived from card data using cryptographic means. The cryptographic means must be secure, so that even if a hacker knows a number of inputs or outputs of the algorithm, it would be nearly impossible to deduce any further outputs. Additionally, the primary account number (PAN) must be included in the input.
• Be generated using a random or secure pseudo-random process compliant with International Organization for Standardization (ISO) 9564.
• Not contain the letters Q or Z.
If the PIN is selected by the cardholder, the cardholder should be advised that the PIN should not have a value that is:
• Readily associated with the cardholder (e.g., phone number, address, birth date, or other personal information).
• Part of data imprinted on the card.
• Consisting of the same digits or a sequence of consecutive digits.
• Identical to the cardholder's previously selected PIN.
• Less than four digits in length.
• Using the letters Q or Z.
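Both halves of the guidance above (issuer-generated PINs derived from card data under a key, and the policy a cardholder-selected PIN has to satisfy) can be shown in a small amount of code. The following is an added example, not from the article and not an ISO 9564 or IBM 3624 implementation: it uses HMAC-SHA256 as a stand-in for the keyed derivation because the standard library has no Triple-DES and real PIN verification keys live in an HSM, and the PAN, expiry and key are constructed sample values.

```python
"""Issuer PIN generation, card-based PIN offsets, and cardholder PIN policy checks.

Added example, not from the article and not an ISO 9564 or IBM 3624
implementation. `issuer_pin` draws from the OS CSPRNG. `natural_pin` shows
the shape of a card-data-derived PIN (a keyed function over the PAN,
decimalized to PIN digits) using HMAC-SHA256 as a stand-in for the
HSM-resident Triple-DES PIN verification key an issuer actually uses.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, List, Optional

SAMPLE_PAN = "5555000000004444"   # constructed, not a real account
SAMPLE_EXPIRY = "0914"            # MMYY as imprinted on the card (constructed)


def issuer_pin(length: int = 4) -> str:
    """Issuer-generated PIN from a cryptographically secure random source."""
    return "".join(str(secrets.randbelow(10)) for _ in range(length))


def natural_pin(pvk: bytes, pan: str, length: int = 4) -> str:
    """PIN derived from card data under a PIN verification key (PVK): the PAN
    is the input, and the keyed output is decimalized digit by digit."""
    mac = hmac.new(pvk, pan.encode(), hashlib.sha256).hexdigest()
    return "".join(str(int(h, 16) % 10) for h in mac)[:length]


def pin_offset(customer_pin: str, natural: str) -> str:
    """Card-based offset: customer PIN minus natural PIN, digit-wise mod 10.
    The issuer stores or encodes the offset, never the PIN itself."""
    return "".join(str((int(c) - int(n)) % 10) for c, n in zip(customer_pin, natural))


def pin_from_offset(offset: str, natural: str) -> str:
    """Recover the customer PIN at authorization time from offset + natural PIN."""
    return "".join(str((int(o) + int(n)) % 10) for o, n in zip(offset, natural))


def weak_pin_reasons(pin: str, pan: str, expiry_mmyy: str,
                     previous_pin: Optional[str] = None,
                     personal_data: Iterable[str] = ()) -> List[str]:
    """Apply the cardholder-selected PIN rules from the article; an empty list
    means the PIN passed every check."""
    reasons: List[str] = []
    if not pin.isdigit() or len(pin) < 4:
        reasons.append("fewer than four digits or non-numeric")
        return reasons
    if len(set(pin)) == 1:
        reasons.append("same digit repeated")
    steps = [int(b) - int(a) for a, b in zip(pin, pin[1:])]
    if all(s == 1 for s in steps) or all(s == -1 for s in steps):
        reasons.append("consecutive digits")
    if pin in pan or pin in expiry_mmyy:
        reasons.append("part of data imprinted on the card")
    if any(pin in d for d in personal_data):
        reasons.append("readily associated with the cardholder")
    if previous_pin is not None and pin == previous_pin:
        reasons.append("identical to the previous PIN")
    return reasons


if __name__ == "__main__":
    nat = natural_pin(b"example-pvk-not-real", SAMPLE_PAN)
    off = pin_offset("2583", nat)
    print("offset", off, "recovers", pin_from_offset(off, nat))
    print(weak_pin_reasons("1234", SAMPLE_PAN, SAMPLE_EXPIRY))
```

The offset functions are the reason the later recommendation to "use card-based PIN offsets and validate offsets in the authorization process" works: a stolen offset is useless without the key that produces the natural PIN, so the issuer can carry it on the card or in the host record without exposing the PIN.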
ISSUER ATM FRAUD CONTROL PARAMETERS
In an effort to help mitigate the possibility of ATM-based fraud threats, issuers should consider implementing the following recommendations:
• Where applicable, issue EMV-capable chip cards, because these cards can be authenticated during each chip transaction at the ATM.
• Implement a strategic process for mailing ATM cards and their corresponding personal identification numbers (PINs), such as:
  – Mail the PIN code and the ATM card separately.
  – Send the separate mailings at least 24 hours apart.
  – Disguise the envelopes containing the cards and PINs, so that they do not attract attention and alert non-recipients to their contents.
• Use a card activation process.
• Confirm cardholder address changes for both debit and credit accounts.
• Use card-based PIN offsets and validate offsets in the authorization process.
• Validate the card validation code 1 (CVC1) value during authorization for PIN transactions and monitor CVC1 mismatch activity.
• Review both the value and volume of ATM withdrawals.
• Monitor velocity checks on failed PIN transactions.
• Use neural network fraud detection systems.
• Consider lowering daily cash withdrawal limits to minimize exposure to risk.
• Report and track unauthorized card usage.
• Limit PIN usage to ATM/point-of-sale (POS) terminal access only, and use different authentication methods for customer service and online banking.
ACQUIRER ATM FRAUD CONTROL PARAMETERS
Acquirers need to maintain an accurate record of all of the ATMs within their inventory and ensure that the machines are monitored, inspected, and serviced regularly to ensure that non-authorized devices are not being used to capture sensitive card data and PINs. To support those efforts, acquirers should consider:
• Ensuring that bank branch staff understands how to detect overlays and internal capture devices.
• Training ATM service technicians to ensure that they conduct a detailed evaluation of key ATM components at each visit to ensure that there has been no tampering or modifications to the ATM.
• Performing due diligence on non-bank-owned ATMs by having access to current and accurate names and addresses of every ATM location participating in their program.
• Monitoring ATM terminal activity for:
  – Card reader and dispense errors.
  – PIN entry timeouts.
  – Changes in transaction patterns at the machine, such as multiple balance inquiries, increases in "invalid PIN" messages and/or transaction velocity, and unusual transaction activity periods.
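The issuer recommendation to "monitor velocity checks on failed PIN transactions" and the acquirer list of terminal indicators just above (reader and dispense errors, PIN entry timeouts, runs of balance inquiries, invalid-PIN surges) are both sliding-window counts over an event stream. The following is an added example, not from the article or from any acquirer's monitoring product; the event feed, its field layout and the terminal identifiers are constructed, and the thresholds are illustrative values that in practice would be tuned against each terminal's own baseline.

```python
"""Per-terminal and per-card ATM event monitoring.

Added example, not from the article or any acquirer's monitoring product.
The event feed and its layout (timestamp, terminal id, PAN suffix, event
type) are constructed assumptions; thresholds are illustrative and would be
tuned against each terminal's own baseline in practice.
"""
from collections import Counter, defaultdict, deque
from typing import Deque, Dict, List, Set, Tuple

Event = Tuple[int, str, str, str]  # (unix seconds, terminal id, PAN suffix, event type)

# Constructed sample feed (not real data).
SAMPLE_EVENTS: List[Event] = (
    [(0, "ATM-03", "1111", "withdrawal"),
     (60, "ATM-03", "2222", "reader_error"),
     (90, "ATM-03", "2222", "reader_error"),
     (150, "ATM-03", "3333", "reader_error"),
     (200, "ATM-17", "4444", "withdrawal")]
    # six "invalid PIN" results from six different cards at one terminal
    + [(300 + 20 * i, "ATM-17", f"9{i:03d}", "invalid_pin") for i in range(6)]
    # a run of balance inquiries from one card at the same terminal
    + [(500 + 15 * i, "ATM-17", "5555", "balance_inquiry") for i in range(5)]
    # one card failing its PIN at three different terminals in two minutes
    + [(700, "ATM-21", "7777", "invalid_pin"),
       (710, "ATM-22", "7777", "invalid_pin"),
       (720, "ATM-23", "7777", "invalid_pin")]
)


class AtmMonitor:
    """Sliding-window counters keyed by terminal (acquirer view) and by card
    (issuer view of failed-PIN velocity)."""

    def __init__(self, window: int = 600, invalid_pin_max: int = 5,
                 balance_inquiry_max: int = 4, error_max: int = 3,
                 timeout_max: int = 3, card_failed_pin_max: int = 3):
        self.window = window
        self.limits = {"invalid_pin": invalid_pin_max,
                       "balance_inquiry": balance_inquiry_max,
                       "pin_timeout": timeout_max}
        self.error_max = error_max
        self.card_failed_pin_max = card_failed_pin_max
        self.by_terminal: Dict[str, Deque[Tuple[int, str]]] = defaultdict(deque)
        self.by_card: Dict[str, Deque[int]] = defaultdict(deque)

    @staticmethod
    def _trim(q: Deque, now: int, window: int, key=lambda x: x) -> None:
        """Drop entries older than the window from the left of the deque."""
        while q and now - key(q[0]) > window:
            q.popleft()

    def observe(self, ts: int, terminal: str, pan_suffix: str,
                event: str) -> Tuple[Set[str], Set[str]]:
        """Return (terminal alerts, card alerts) raised by this event."""
        q = self.by_terminal[terminal]
        q.append((ts, event))
        self._trim(q, ts, self.window, key=lambda x: x[0])
        counts = Counter(e for _, e in q)
        t_alerts: Set[str] = set()
        for name, limit in self.limits.items():
            if counts[name] >= limit:
                t_alerts.add(f"{name}_velocity")
        if counts["reader_error"] + counts["dispense_error"] >= self.error_max:
            t_alerts.add("reader_or_dispense_errors")
        c_alerts: Set[str] = set()
        if event == "invalid_pin":
            cq = self.by_card[pan_suffix]
            cq.append(ts)
            self._trim(cq, ts, self.window)
            if len(cq) >= self.card_failed_pin_max:
                c_alerts.add("card_failed_pin_velocity")
        return t_alerts, c_alerts


def run(events: List[Event]) -> Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]:
    """Replay a feed in time order; collect alerts per terminal and per card."""
    mon = AtmMonitor()
    terminal_alerts: Dict[str, Set[str]] = defaultdict(set)
    card_alerts: Dict[str, Set[str]] = defaultdict(set)
    for ts, terminal, suffix, event in sorted(events):
        t_a, c_a = mon.observe(ts, terminal, suffix, event)
        terminal_alerts[terminal] |= t_a
        card_alerts[suffix] |= c_a
    return ({k: v for k, v in terminal_alerts.items() if v},
            {k: v for k, v in card_alerts.items() if v})


if __name__ == "__main__":
    print(run(SAMPLE_EVENTS))
```

The two views deliberately answer different questions. Many cards failing their PIN at one terminal points at the machine (a skimmer or overlay producing bad PIN captures, or counterfeit cards being tested there), which is the acquirer's problem; one card failing at many terminals points at the card, which is the issuer's velocity check.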
ATM USER FRAUD PREVENTION EDUCATION RECOMMENDATIONS
Financial institutions should emphasize the importance of awareness at the ATM to their cardholders and promote vigilance in reporting any irregularities in the appearance and operation of an ATM. Financial institutions should instruct consumers to contact their financial institution if they suspect ATM tampering. In addition to leveraging cardholders to report suspicious ATM occurrences or interactions, financial institutions also should:
• Educate ATM users on practices such as shielding the PIN pad when entering their PIN.
• Advise them to immediately notify their bank regarding an unauthorized ATM or debit card transaction on their account.
• Remind their customers to carefully review their monthly account statements or to use Internet banking to monitor for any suspicious activity on their account.
Physical ATM Security Considerations
Whether an ATM is located at a bank branch or remote location, it is critical that the physical security of the machine be closely monitored using a combination of electronic and physical inspections. The following tips and techniques should be implemented to make sure that ATM owners can be alerted quickly if a skimming or tampering attack does occur:
• Video surveillance – Cameras can be easily integrated with ATM machines, and stronger security can be achieved by installing additional site cameras on and around the premises. Not only is continuous surveillance a critical security issue, but remote sites offer particular challenges with regard to maintenance, which can be addressed by video monitoring.
• Remote diagnostic services – These services track and manage events at the ATM and can route information to a centralized resource capable of quickly responding to issues that may arise. For example, the continual notification via a remote diagnostic service of an incident regarding a card reader failure or a drastic decline in transactions at an otherwise high-traffic ATM location may be an indication of tampering.
• Machine-based security features – ATMs can be designed to prohibit or deter common attack vectors targeted against them. Card readers and cash dispense devices can be altered to deter data capture devices and cash retract schemes. Machines can also be designed to reduce shoulder surfing and provide cardholders with greater comfort via rear-view mirrors or panic buttons.
Stronger E-commerce Fraud Prevention Through Enhanced Issuer-Merchant Communications
Status Report: E-commerce Threats
Online shopping gives consumers immediate access to a wide world of commerce, from exotic vacations, to favorite books, to special gifts. But as merchants capitalize on this marketplace, with electronic commerce (e-commerce) transactions reaching record levels1 and online Card-Not-Present (CNP) payments rising, the threat of online fraud is ever-present.
E-commerce merchants, who are the first line of defense against online fraud, feel perhaps the worst impact from fraudulent CNP transactions. Such transactions can lead to financial losses that include decreased direct revenue, as well as increased costs and chargeback rates. However, merchants are not the only stakeholders who feel the negative effects. Issuers themselves sustain fees to process chargebacks. In addition, customer satisfaction suffers as well.
Global CNP transactions are also growing significantly, as e-commerce crosses borders for merchants to sell their products and increase revenue. However, this opportunity presents authentication challenges as well. International CNP transactions are declined at a higher rate than domestic CNP transactions. Fraud-screening is more challenging, and standard validation tools may not be readily available or may be costly to implement. Because of an issuer's reluctance to approve cross-border transactions, merchants may not be able to fully capitalize on this new revenue stream, and thereby could risk losing both money and merchandise if an issuer declines a transaction after the merchant has already shipped an order.

A VIEW INTO ONLINE SECURITY THREATS
Fraudsters are increasingly targeting the Navigation Layer of websites where transactions take place. As such, e-commerce merchants may have little to no visibility into what is attacking them. And with fraud schemes evolving so rapidly, merchants may not even be aware of the many types of online threats that exist. Greater levels of communication about trends and detection methods between the merchant and the issuer could help reveal criminal activity sooner. Some of the common attack vectors that perpetrators are using to commit online fraud are malware, Botnets, and Web Logic Abuse (see sidebars).
Malware
Malware is any software or code developed for the purpose of extracting information from a computer, database, or network without the owner's consent. This prominent threat in payment card data breaches runs silently on payment systems, capturing data and feeding a continuous flow of card information back to criminals. As malware becomes fully automated, it becomes more difficult to detect. In fact, 63 percent of malware in data breach cases cannot be recognized by traditional defenses as it involves specialized code.2
Web Logic Abuse
Web logic abuse uses legitimate pages and page flows of a website to conduct fraud. Attacks may take days or weeks to identify and manifest themselves in different forms:
• A man-in-the-middle attack, in which the merchant website is compromised, causes the cardholder to be unknowingly redirected to a malicious site at the time of checkout.
• A man-in-the-browser attack installs a piece of malware on the user's computer and establishes a background session utilizing the user's account and browser session to conduct malicious activity (such as transferring funds out of bank accounts or buying items).
• Screen scraping occurs when an attacker takes all of the information that a person has posted on his or her website or social networking page and uses that information to break into the user's account and commit identity theft.
Botnets
Botnets are groups of malware-infected computers under the control of cyber criminals. Malicious software applications (contained within e-mail attachments or links to websites) turn a computer into a "bot" (or zombie), so that it will perform automated tasks via the Internet without the user even knowing it. Under a hidden identity, the bot can steal passwords, log keystrokes, and send out spam messages.