AZ NIGP Conference

Upload: daniel-davis

Post on 17-Jan-2016


Page 1: AZ NIGP Conference. 2 ▪Fraud Awareness and Prevention ▪Chip and PIN ▪Recent Updates Agenda Sharon Brause, CPPO, CPPB, CPCP Senior Procurement Officer

AZ NIGP Conference


Agenda

▪ Fraud Awareness and Prevention
▪ Chip and PIN
▪ Recent Updates

Sharon Brause, CPPO, CPPB, CPCP
Senior Procurement Officer
City of Mesa

Your Bank of America Merrill Lynch Team

David Randolph, Vice-President
Senior Card Account Manager
Bank of America / Merrill Lynch


Fraud awareness and prevention

http://www.bofaml.com/en-us/content/fraud-prevention.html


Data compromises are constantly in the news

▪ Sony Pictures: 100 terabytes of data
▪ Home Depot: 56 MM customer records
▪ JPMorgan Chase: 76 MM account holders
▪ eBay: 145 MM user records
▪ Target: 56 MM credit card records


Typical data breach and fraud cycle

▪ System/network
▪ Point of sale (POS) software
▪ POS devices / ATMs
▪ Skimming

▪ Issuer conducts a fraud investigation
▪ If fraud confirmed, issuer blocks card
▪ Issuer sends cardholder new card

1. Merchant/agent fails to comply with payment industry security standards.
2. Hackers search for merchants or agents with weak controls or known security vulnerabilities.
3. Hackers identify target and steal sensitive information.
4. Criminal manufactures counterfeit cards for use at retail stores or ATMs; fraudsters may use subsequent phishing attacks to steal information to conduct identity theft or CNP fraud.
5. Fraudulent transactions conducted at merchant location (retail, CNP, ATMs); criminals often target products that can be quickly converted to cash.
6. Fraudulent transactions identified by issuer risk detection systems or by cardholders monitoring their account activity.
7. Issuer fraud mitigation activities begin.

Source: Visa Franchise Data Compromise Trends and Cardholder Security Best Practices, October 26, 2010, Visa, Inc.


Industry call to action

White House Cybersecurity Event to Draw Top Tech, Wall Street Execs [1]
Obama convenes top executives, including Bank of America, to help improve information sharing as breaches get more sophisticated.

Appropriate Response…

▪ Identify potentially compromised cards
▪ Replace compromised cards as needed to reduce payment fraud risk
▪ Replace cards with Chip & PIN enabled cards whenever possible
▪ Remain up-to-date with industry trends and best practices as the fraud landscape evolves

[1] Wall Street Journal: White House Cybersecurity Event to Draw Top Tech, Wall Street Execs (Feb. 11, 2015)
AFP is a registered trademark of the Association for Financial Professionals


Combat commercial card fraud

Ways companies are combating card fraud

▪ Chip & PIN adoption

▪ Internal audits of transaction monitoring at merchant category code (MCC), vendor, and cardholder levels

▪ Procedures that stress timely cardholder reconciliation and review of management reporting

▪ Data security management to include encryption of sensitive information, laptops, and removable storage devices

▪ Virtual card programs with MCC and transaction amount thresholds


What it all means

PHISHING/SMISHING

SPOOFING

VISHING

MASQUERADING

successful fraudulent transaction


Malware: what is known

MALWARE is software that is intended to damage or disable computers and computer systems

350K+ versions of malware for mobile devices by 2013

How MALWARE works

▪ Phishing and SMishing
— Infected files/malicious links sent through email or SMS message

▪ Drive-by downloads
— Clicking on a document, ad, or video, posted on a legitimate website - or received via email - that initiates malware download
— Using infected flash drive

▪ Attack includes:
— Credential theft
— HTML injection


How phishing works

▪ Looks like a legitimate correspondence from the company

▪ Wording does not have the level of refinement expected from an authentic company message

▪ Has an attention getter – high dollar amount of a cell bill in this example

▪ Embedded links activate malware download on your device

▪ Some individuals click on the links and may not even recognize they don’t have a relationship with the company


How spoofing and masquerading work

From: [email protected]
Sent: Monday, February 2, 2015 11:17am
To: [email protected]
Subject: FW: Wire Transfer

This is the third one. We are pulling the confirmation now and will send to you.

From: [email protected]
Sent: Monday, January 12, 2015 11:30am
To: [email protected]
Subject: FW: Wire Transfer

FYI, this needs to get processed today. I checked with ?? to get your help processing it along. I will assume we take care of any vendor forms after the fact. I can send an email directly to ??? or let you drive from here. Let me know.

From: [email protected]
Sent: Monday, January 12, 2015 9:59am
To: [email protected]
Subject: FW: Wire Transfer

Process a wire of $73,508.32 to the attached account information. Code it to admin expense. Let me know when this has been completed. Thanks.

------------------------Forwarded message---------------------------------

From: [email protected]
Sent: Monday, January 12, 2015 6:45am
To: [email protected]
Subject: Wire Transfer

Nick - Per our conversation, I have attached the wiring instructions for the wire. Let me know when done. Thanks. Charlie

Once malware is in your system, fraudsters can

▪ Access credentials

▪ Read emails

▪ Collect business contacts

▪ Initiate emails to accounts payable pretending to be you

▪ Ask the recipient to process a payment


Vishing

Vishing is the criminal practice of using social engineering over the telephone system, to gain access to private personal and financial information from the public for the purpose of financial reward.

Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

To protect themselves, customers are advised to be highly suspicious when receiving messages or phone calls asking for or directing them to call and provide credit card or bank numbers. When in doubt, calling a company's telephone number listed on their bank statement or other official sources is recommended instead of calling numbers from messages of dubious authenticity.

What number were you called from?

What suspicious actions were requested of you?


How to identify fake URLs and websites

Type the website address in your address bar directly, rather than use a link in an email message, especially if you are going to a financial site

Check the URL or email before clicking or copying by hovering over the link with your mouse

▪ URL will appear in your browser or status bar, typically at the bottom of your screen

When in doubt…….


Chip and PIN


What is EMV?


EMV chip transaction flow


US EMV Migration Update


Key dates for chip technology in the U.S.


The payment paradigm shift


Card statement re-design

We are committed to delivering only the best Commercial Card solutions for all of our clients. With a focus on technology, service, innovation and our ever-increasing global footprint, we are in a position to deliver a comprehensive set of solutions with global and local proficiency.

We are providing innovative solutions in more and more markets around the globe, in addition to investing in product development and resources to support our clients’ growth. Wherever you do business, you will benefit from a strong service model and a complete package of solutions that help you manage your working capital, operate more efficiently, reduce risk and gain visibility into your cash balances worldwide.

KEVIN PHALEN
HEAD OF GLOBAL CARD & COMPREHENSIVE PAYABLES