AZ NIGP Conference
Agenda
▪ Fraud Awareness and Prevention
▪ Chip and PIN
▪ Recent Updates
Sharon Brause, CPPO, CPPB, CPCP, Senior Procurement Officer, City of Mesa
Your Bank of America Merrill Lynch Team
David Randolph, Vice President, Senior Card Account Manager, Bank of America / Merrill Lynch
Fraud awareness and prevention
http://www.bofaml.com/en-us/content/fraud-prevention.html
Data compromises are constantly in the news
▪ Sony Pictures: 100 terabytes of data
▪ Home Depot: 56 MM customer records
▪ JPMorgan Chase: 76 MM account holders
▪ eBay: 145 MM user records
▪ Target: 56 MM credit card records
Typical data breach and fraud cycle
1. Merchant/agent fails to comply with payment industry security standards.
2. Hackers search for merchants or agents with weak controls or known security vulnerabilities.
3. Hackers identify the target and steal sensitive information (system/network, point of sale (POS) software, POS devices/ATMs, skimming).
4. Criminal manufactures counterfeit cards for use at retail stores or ATMs; fraudsters may use subsequent phishing attacks to steal information to conduct identity theft or card-not-present (CNP) fraud.
5. Fraudulent transactions are conducted at merchant locations (retail, CNP, ATMs); criminals often target products that can be quickly converted to cash.
6. Fraudulent transactions are identified by issuer risk detection systems or by cardholders monitoring their account activity.
7. Issuer fraud mitigation activities begin: the issuer conducts a fraud investigation; if fraud is confirmed, the issuer blocks the card and sends the cardholder a new card.
Source: Visa, "Franchise Data Compromise Trends and Cardholder Security Best Practices," October 26, 2010, Visa, Inc.
Industry call to action
▪ Identify potentially compromised cards
▪ Replace compromised cards as needed to reduce payment fraud risk
▪ Replace cards with Chip & PIN enabled cards whenever possible
▪ Remain up-to-date with industry trends and best practices as the fraud landscape evolves
Appropriate response…
White House Cybersecurity Event to Draw Top Tech, Wall Street Execs [1]: Obama convenes top executives, including Bank of America, to help improve information sharing as breaches get more sophisticated.
[1] Wall Street Journal: White House Cybersecurity Event to Draw Top Tech, Wall Street Execs (Feb. 11, 2015)
AFP is a registered trademark of the Association for Financial Professionals.
Combat commercial card fraud
Ways companies are combating card fraud:
▪ Chip & PIN adoption
▪ Internal audits of transaction monitoring at merchant category code (MCC), vendor, and cardholder levels
▪ Procedures that stress timely cardholder reconciliation and review of management reporting
▪ Data security management to include encryption of sensitive information, laptops, and removable storage devices
▪ Virtual card programs with MCC and transaction amount thresholds
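The MCC, vendor and cardholder-level audit and the amount thresholds listed above are straightforward to put into a script. The following is an added example, not code from the presentation or from Bank of America: it runs a constructed batch of card transactions against hypothetical per-cardholder MCC allowlists, single-transaction and daily limits, and a blocked-category list, and also catches a purchase split into several pieces to stay under the single-transaction limit. Cardholder names, vendors, MCC codes, limits and transactions are all illustrative.

```python
"""Transaction-monitoring audit for a commercial card program.

Added example, not code from the presentation or from Bank of America: it
applies per-cardholder MCC allowlists and amount thresholds of the kind the
slide lists to a constructed batch of transactions and returns the alerts an
internal audit at the MCC, vendor and cardholder level would review. The MCC
codes, limits, cardholders and transactions are all illustrative.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Txn:
    txn_id: str
    cardholder: str
    vendor: str
    mcc: str        # merchant category code (4 digits)
    amount: float
    posted: date


# Hypothetical per-cardholder policy: allowed MCCs, single-transaction and daily limits.
POLICY = {
    "brause": {"mcc_allow": {"5111", "5943", "7399"}, "single_limit": 2500.0, "daily_limit": 5000.0},
    "randolph": {"mcc_allow": {"5111", "5943"}, "single_limit": 1000.0, "daily_limit": 2000.0},
}

# Categories blocked for every cardholder (constructed list).
BLOCKED_MCC = {"7995": "betting/casino gambling", "6011": "ATM cash disbursement"}

# Constructed sample batch: one clean purchase, a blocked category, an out-of-policy
# category, a purchase split into three pieces to stay under the single limit, an
# unknown cardholder and a single transaction over its limit.
SAMPLE_TXNS = [
    Txn("t1", "brause", "Office Depot", "5111", 400.00, date(2015, 3, 2)),
    Txn("t2", "randolph", "Desert Casino", "7995", 150.00, date(2015, 3, 2)),
    Txn("t3", "randolph", "Metro Electronics", "5732", 900.00, date(2015, 3, 2)),
    Txn("t4", "brause", "Industrial Supply Co", "7399", 2450.00, date(2015, 3, 3)),
    Txn("t5", "brause", "Industrial Supply Co", "7399", 2400.00, date(2015, 3, 3)),
    Txn("t6", "brause", "Industrial Supply Co", "7399", 300.00, date(2015, 3, 3)),
    Txn("t7", "nobody", "Office Depot", "5111", 50.00, date(2015, 3, 4)),
    Txn("t8", "randolph", "Office Depot", "5111", 1200.00, date(2015, 3, 4)),
]


def audit(txns, policy=POLICY, blocked=BLOCKED_MCC):
    """Return (txn_id, reason) alerts. Per-transaction checks run in posting order so
    the running daily total is right; the split-purchase check runs over the whole
    batch once every vendor/day group is complete."""
    alerts = []
    daily_total = defaultdict(float)   # (cardholder, day) -> running spend
    vendor_day = defaultdict(list)     # (cardholder, vendor, day) -> transactions
    for t in sorted(txns, key=lambda t: (t.posted, t.txn_id)):
        p = policy.get(t.cardholder)
        if p is None:
            alerts.append((t.txn_id, "cardholder not in policy"))
            continue
        if t.mcc in blocked:
            alerts.append((t.txn_id, f"blocked MCC {t.mcc} ({blocked[t.mcc]})"))
        elif t.mcc not in p["mcc_allow"]:
            alerts.append((t.txn_id, f"MCC {t.mcc} outside cardholder allowlist"))
        if t.amount > p["single_limit"]:
            alerts.append((t.txn_id, f"amount {t.amount:.2f} exceeds single limit {p['single_limit']:.2f}"))
        key = (t.cardholder, t.posted)
        daily_total[key] += t.amount
        if daily_total[key] > p["daily_limit"]:
            alerts.append((t.txn_id, f"daily spend {daily_total[key]:.2f} exceeds daily limit {p['daily_limit']:.2f}"))
        vendor_day[(t.cardholder, t.vendor, t.posted)].append(t)

    # Split purchases: several same-day transactions to one vendor, each under the
    # cardholder's single limit, that together exceed it.
    for (cardholder, vendor, _day), group in vendor_day.items():
        limit = policy[cardholder]["single_limit"]
        total = sum(t.amount for t in group)
        if len(group) >= 2 and total > limit and all(t.amount <= limit for t in group):
            alerts.append((group[-1].txn_id,
                           f"possible split purchase: {len(group)} transactions to {vendor} totalling {total:.2f}"))
    return alerts


def flagged_ids(alerts):
    """Distinct transaction ids that raised at least one alert."""
    return sorted({txn_id for txn_id, _ in alerts})


if __name__ == "__main__":
    for txn_id, reason in audit(SAMPLE_TXNS):
        print(f"{txn_id}: {reason}")
```

On the sample batch the script flags t2 (blocked MCC), t3 (MCC outside the allowlist), t6 (daily limit exceeded, and the three Industrial Supply Co transactions together exceed the single limit), t7 (no policy for the cardholder) and t8 (single-transaction limit); t1, t4 and t5 pass on their own, which is why the split-purchase check has to look at the vendor/day group rather than each transaction in isolation.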
What it all means
Phishing/SMiShing, spoofing, vishing and masquerading all lead to the same end: a successful fraudulent transaction.
Malware: what is known
Malware is software that is intended to damage or disable computers and computer systems.
350K+ versions of malware for mobile devices by 2013
How malware works
▪ Phishing and SMiShing: infected files or malicious links sent through email or SMS message
▪ Drive-by downloads: clicking on a document, ad, or video posted on a legitimate website, or received via email, that initiates a malware download
▪ Using an infected flash drive
▪ The attack includes credential theft and HTML injection
How phishing works
▪ Looks like legitimate correspondence from the company
▪ Wording lacks the level of refinement expected from an authentic company message
▪ Has an attention getter (a high-dollar cell phone bill in this example)
▪ Embedded links activate a malware download on your device
▪ Some individuals click on the links without even noticing that they have no relationship with the company
How spoofing and masquerading work

From: [email protected]
Sent: Monday, February 2, 2015 11:17 AM
To: [email protected]
Subject: FW: Wire Transfer

This is the third one. We are pulling the confirmation now and will send to you.

From: [email protected]
Sent: Monday, January 12, 2015 11:30 AM
To: [email protected]
Subject: FW: Wire Transfer

FYI, this needs to get processed today. I checked with ?? to get your help processing it along. I will assume we take care of any vendor forms after the fact. I can send an email directly to ??? or let you drive from here. Let me know.

From: [email protected]
Sent: Monday, January 12, 2015 9:59 AM
To: [email protected]
Subject: FW: Wire Transfer

Process a wire of $73,508.32 to the attached account information. Code it to admin expense. Let me know when this has been completed. Thanks.
------------------------ Forwarded message ---------------------------------

From: [email protected]
Sent: Monday, January 12, 2015 6:45 AM
To: [email protected]
Subject: Wire Transfer

Nick - Per our conversation, I have attached the wiring instructions for the wire. Let me know when done. Thanks. Charlie

Once malware is in your system, fraudsters can:
▪ Access credentials
▪ Read emails
▪ Collect business contacts
▪ Initiate emails to accounts payable pretending to be you
▪ Ask the recipient to process a payment
Vishing
Vishing is the criminal practice of using social engineering over the telephone system to gain access to private personal and financial information from the public for the purpose of financial reward.
Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.
To protect themselves, customers are advised to be highly suspicious of messages or phone calls that ask for, or direct them to call and provide, credit card or bank account numbers. When in doubt, call the company's telephone number listed on your bank statement or another official source rather than a number taken from a message of dubious authenticity.
What number were you called from?
What suspicious actions were requested of you?
How to identify fake URLs and websites
▪ Type the website address in your address bar directly, rather than using a link in an email message, especially if you are going to a financial site
▪ Check the URL or email before clicking or copying by hovering over the link with your mouse; the URL will appear in your browser or status bar, typically at the bottom of your screen
When in doubt…
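The two manual checks the slides describe, looking at who a message really came from (the spoofed wire-transfer thread above) and where a link really goes (hovering before clicking), can be automated for a mail gateway or a help-desk triage queue. The following is an added example and is not code from the presentation or from Bank of America. It parses a constructed raw message that imitates the forwarded wire request, with a lookalike sending domain, a Reply-To pointing elsewhere, an anchor whose visible text is a trusted URL but whose href is an IP-literal login page, and a punycode host, and returns the findings. The trusted company domain, the homoglyph substitution table and the sample message are assumptions made for the example.

```python
"""Phishing and spoofing triage for an inbound message.

Added example, not code from the presentation: it applies the checks the slides
describe by hand (who the sender really is, where each link really goes) to a
raw message and returns the findings. The company domain, homoglyph table and
sample message are constructed for the example.
"""
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

COMPANY_DOMAIN = "example-city.gov"  # assumed: the domain staff are expected to trust

# Digit-for-letter substitutions commonly used in lookalike domains (constructed table).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})

# Constructed sample in the style of the wire-transfer thread: display name claims
# an executive, sending domain is a lookalike, replies are redirected, the first
# link shows a trusted URL but points at an IP address, the second uses punycode.
RAW_MESSAGE = b"""From: "Charlie (CFO)" <charlie@examp1e-city.gov>
Reply-To: charlie.cfo@mail-relay.example.net
To: nick@example-city.gov
Subject: FW: Wire Transfer
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Nick - per our conversation, the wiring instructions are on the portal:</p>
<p><a href="http://203.0.113.9/portal/login">https://portal.example-city.gov/wires</a></p>
<p>Also confirm your account here: <a href="https://xn--exmple-city-5bb.gov/verify">verify</a></p>
<p>Thanks, Charlie</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs: the text is what the reader sees,
    the href is what a hover (or a click) actually resolves to."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower().rstrip(".") if "@" in addr else ""


def is_lookalike(domain, target):
    """True when the domain differs from the target only by digit-for-letter swaps."""
    return domain != target and domain.translate(HOMOGLYPHS) == target.translate(HOMOGLYPHS)


def host_in_text(text):
    """Hostname the anchor text claims, if the text reads like a URL or bare domain."""
    if "://" not in text:
        if not re.fullmatch(r"[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I):
            return None
        text = "http://" + text
    return (urlparse(text).hostname or "").lower() or None


def triage(raw, company_domain=COMPANY_DOMAIN):
    """Return a list of (finding, detail) pairs for a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(from_addr)
    if is_lookalike(from_dom, company_domain):
        findings.append(("lookalike-sender", f"{from_dom} imitates {company_domain}"))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    reply_dom = domain_of(reply_addr)
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply-to-mismatch", f"replies go to {reply_dom}, not {from_dom}"))
    part = msg.get_body(preferencelist=("html", "plain"))
    if part is None:
        return findings
    collector = LinkCollector()
    collector.feed(part.get_content())
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        try:
            ipaddress.ip_address(host)          # raises ValueError for a normal hostname
            findings.append(("ip-literal-link", href))
        except ValueError:
            pass
        if any(label.startswith("xn--") for label in host.split(".")):
            findings.append(("punycode-link", href))
        claimed = host_in_text(text)
        if claimed and claimed != host:
            findings.append(("link-text-mismatch", f"shows {claimed}, goes to {host}"))
    return findings


if __name__ == "__main__":
    for finding, detail in triage(RAW_MESSAGE):
        print(f"{finding}: {detail}")
```

The sample produces five findings: the lookalike sender domain, the redirected Reply-To, the IP-literal link, the mismatch between the displayed and real link host, and the punycode host. The link-text check is the automated form of the slide's hover advice: an anchor whose visible text is a trusted URL but whose target is elsewhere is the single most reliable phishing tell in HTML mail, and it is invisible to a reader who does not hover. The homoglyph table is deliberately small; a production filter would use a proper confusables list and compare against every domain the organisation does business with.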
Chip and PIN
What is EMV?
EMV chip transaction flow
US EMV Migration Update
Key dates for chip technology in the U.S.
The payment paradigm shift
Card statement re-design
We are committed to delivering only the best Commercial Card solutions for all of our clients. With a focus on technology, service, innovation and our ever-increasing global footprint, we are in a position to deliver a comprehensive set of solutions with global and local proficiency.
We are providing innovative solutions in more and more markets around the globe, in addition to investing in product development and resources to support our clients’ growth. Wherever you do business, you will benefit from a strong service model and a complete package of solutions that help you manage your working capital, operate more efficiently, reduce risk and gain visibility into your cash balances worldwide.
Kevin Phalen, Head of Global Card & Comprehensive Payables