Will Fraud Grind Debit's Growth to a Halt?
BY LAURI GIESEN
Most debit card fraud continues to surface as "onesie, twosie" events. But high-profile thefts of debit-related data point to the need for heightened security and attention. Card issuers push for better compliance with data storage requirements and step up their own detection systems.
SYNOPSIS: Recent thefts of debit card account information including mag-stripe data and personal identification numbers (PINs) raise questions about the level of security in place and debit's ongoing appeal to consumers. To assure consumers that debit is safe to use, banks are being urged to better control the use and storage of PIN-debit information, employ more comprehensive monitoring of potential debit card fraud and take additional steps when authorizing debit card transactions. Precautionary steps include adopting or adapting neural network-based monitoring systems, integrating monitoring systems, greater participation in reporting services and added communication with customers.
To banks, debit cards have represented a robust revenue source accompanied by minor debit card fraud exposure. Consumers, in turn, have found debit to be one of the easiest and safest forms of payment.
Forecasted growth for debit notwithstanding (see "Cash Today, Debit Tomorrow—How Banks Can Benefit"), consumers' continued embrace of debit may be jeopardized by recent grand-scale thefts of debit card account information, including mag-stripe data and personal identification numbers (PINs). The need to protect this promising product line is causing banks to take a second look at the security measures used in approving debit card transactions.
Last spring, for example, news reports alleged that hackers accessed servers at about 30 stores belonging to a large, national retailer and stole data from cards used in those stores and the keys to decode the PIN blocks. The criminals then used this information to create counterfeit cards to withdraw cash from ATMs around the country.
"These are watershed events that are getting banks to rethink the security measures and risk management programs they have in place for debit cards," says Bruce Cundiff, research analyst for Pleasanton, Calif.-based Javelin Strategy & Research.
Industry-wide estimates of the cost of debit card fraud to banks range from about $267 million annually, according to Framingham, Mass.-based Financial Insights, an IDC company, to about $546 million annually, according to research from Boston-based Dove Consulting Group Inc., a division of Hitachi Consulting. In a study released in late 2005, Dove reported that fraud costs banks an average of 0.1 cents per transaction on debit transactions secured with a PIN and 1.6 cents per transaction on debit transactions secured with a signature.
Such losses are inconsequential compared to the revenue the cards generate. On a typical $60 purchase made with a signature debit card, for example, the bank that issued the card will collect about 90 cents in usage fees, based on a 1.5% interchange rate, according to Dove.
Despite recent high-profile cases, the actual annual cost of covering debit losses has remained stable in recent years, according to Chris Thom, chief risk officer for MasterCard International, based in Purchase, N.Y. "The types of fraud are changing, but our members' overall debit card losses are actually down a bit in recent years because of improved detection," Thom says.
MasterCard, like other payments companies, does not reveal the exact cost of bank fraud losses.
Reputational Risk
Yet more than financial losses may be at stake here. “The media attention on these recent events could potentially harm banks’ reputation as being a safe place for customers to put their money. This harm to the banks’ reputation could be much more serious than the cost of covering the losses,” says Gwenn Bezard, research director for Boston-based Aite Group LLC.
With credit card fraud, consumers usually do not pay for disputed payment transactions until after a transaction can be researched by the card issuer. In the case of PIN debit card fraud, fraudsters use stolen data to make duplicate cards — so-called “white label cards”— and then use those cards at ATMs to withdraw cash directly from customer checking accounts.
While the cardholders are not held liable for the fraud — they eventually get their money back — there might be several months’ delay in resolving the issue (plus related problems, such as insufficient funds or unpaid bills). And even when banks immediately return any amounts associated with a disputed transaction, the fraud will still have an emotional impact on the consumer.
The debit card is “what many consumers perceive as the safest means of access” to their checking account, says Steve Mott, principal of payments consultancy BetterBuyDesign, Stamford, Conn.
“If people don’t have confidence that their checking accounts are safe from being accessed, they won’t trust their banks,” says Ted Cross, vice president of global fraud solutions for Minneapolis-based Fair Isaac & Co. Fair Isaac is a developer of credit scoring and fraud detection systems.
Another concern to banks is that reports of card number and PIN thefts could cause consumers to cut back, if not stop altogether, the use of debit cards at the point of sale. Some Internet blogs show that consumers are questioning the security of debit card use and some consumers are saying they are not going to use debit cards because they believe the cards are unsafe.
If consumers make good on these threats, it could mean significant revenue losses for banks that receive between 1% and 1.5% of the value of the transaction from the retailer that accepts the card each time a signature-debit card is used, according to Mott. He says the industry earns far less on PIN-debit transactions, which have a fixed-fee ceiling rate. Moreover, according to Mott, industry experts have estimated that banks make as much or more revenue on signature-debit cards from NSF fees as they do on transactions.
“Signature-debit NSFs have become a major source of current revenue for many banks,” Mott says. “Most consumers aren’t aware that as many as 80% of signature-debit transactions take two to three days to clear and settle, just like an ACH e-check. Some banks are tweaking their debit account posting orders to get as much NSF income as they can right now.”
“Banks right now are pushing consumers hard to use their card more and to use them at a greater variety of locations,” says Brian Riley, senior analyst of bank cards for Needham, Mass.-based Tower Group Inc. “These fraud cases could have serious ramifications if consumers cut back on their card usage. About 90% of the revenue banks receive on debit cards is related to card usage fees, whereas only one-third of the total revenue on credit cards comes from usage fees.”
In addition to usage fees, credit card revenue includes substantial interest income earned on outstanding balances (not applicable to debit cards) and annual fees.
Such security concerns have encouraged senior bank management to look more closely at how debit card fraud is being managed and monitored. “Security has always been a priority for those bank executives who deal with debit cards on a daily basis,” says Bezard. “But recent events have gotten senior level executives to become more aware.”
Data Compromised
Previously, most debit card fraud was associated with signature debit cards, which operate much like credit cards. As with credit cards, retailers check the signature on the back of a debit card to verify the identity of the customer. With signature cards, it is not difficult for a fraudster who stole or found a lost card to make purchases, especially if the retailer was lax in checking the signature.
PIN-based debit cards were thought to be more secure in that they required the user to enter a PIN that presumably only the cardholder knew. Until recently, incidents of PIN fraud were relatively rare and each incident was confined to one or a few cards. According to Financial Insights, signature debit card losses consistently represent 2.5 times the losses suffered on PIN debit.
“In the past, PIN fraud was often a case where you had people looking over shoulders to get PINs,” says TowerGroup’s Riley. “Even more recently, there have been cases of phishing. But these were onesies and twosies, where fraudsters got a couple of card numbers and PINs. The real problems today are these data compromises where fraudsters might get 100,000 card numbers and PINs in one shot. Then, they have the ability to play havoc with the banking system.”
In the recent cases in California, Oregon and Washington, it has been alleged that a retailer or third-party processor working for a retailer improperly collected and stored card numbers and PINs after the data was captured by retail point-of-sale terminals, according to news reports. Under Visa and MasterCard rules, as well as the rules of all the major ATM networks, such data is required to be encrypted and sent directly to the card issuer and not be retained by the retailer.
Industry experts say there apparently were some violations of those procedures. As a result, someone was reportedly able to hack into retailer or processor databases and steal large numbers of card numbers and matching PINs. This data was used to create duplicate cards that were then either used at the point of sale to make purchases or, more commonly, used at ATMs to withdraw funds out of unsuspecting cardholder accounts.
“To create a working ATM card — legitimate or not — you need the card number called the PAN (personal account number) and the related data (name, address, PIN offset, service code, etc.) contained in the mag-stripe,” says Mott. “Couple that with the encryption keys for the PIN and the correct PINs could be determined as well. Since most issuers authorize purchases or withdrawals based on Track II mag-stripe data, the thief needs to capture a mag-stripe reader’s output and the correct PIN for ATM use.”
Security experts say there is not much card issuers can do to prevent such events from occurring — other than to continue to press Visa, MasterCard and the ATM networks to review their procedures. Banks that have merchant card acquiring businesses also are being encouraged to work closer with merchants on data security. Some are considering substantial fines for violating rules on storage.
“Since most of the data breaches appear to be occurring at the merchant or merchant processing level, that is where you have to deal with the problem. There is not much issuers can do other than push the card associations harder to make sure the merchants are practicing safe procedures,” says Chris Allen, senior manager at Dove.
BITS, a Washington D.C.-based consortium of financial institutions, has formed a committee to work with major retailers to combat payment fraud, according to Catherine Allen, the Santa Fe, N.M.-based CEO of BITS. “We want to meet with the CFOs of the largest retailers to discuss how their procedures could be more rigorous,” Allen says. “We can show retailers some of the best practices used by financial institutions that they could benefit from.”
Experts say more frequent communication between banks and customers about how customers intend to use cards could also help flag potential fraud. For example, if a customer tells the bank he does not intend to use the card to shop online, the bank could do a check if an online transaction appears. Customers could also inform their banks of upcoming international trips so that the bank would know to approve transactions coming from foreign locations.
Damage Control
While card issuers may be limited in what they can do to stop the fraud outright, they can do more to monitor transactions that occur on their customers’ cards in order to spot fraudulent transactions before they are authorized. Indeed, with the recent incidents, industry sources say the losses would have been much greater if several large card issuers had not noticed patterns of disputed transactions. These institutions immediately voided and reissued other debit cards that fit similar use patterns. They also notified the card associations so that other financial institutions could take similar action.
Card issuers can notice, for example, that several cardholders reported fraudulent transactions that all occurred immediately after their cards were used at the same retail location. The issuers then will want to put a watch on or even reissue all of the debit cards used by other customers at that same retailer during that same time period.
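The pattern check described above, sketched as an added illustration (not code from the article or from any issuer): it finds merchants shared by cards with disputed transactions, then lists the other cards used there in the same period. Card ids, merchant names, dates and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def d(s):  # parse a YYYY-MM-DD date string
    return datetime.strptime(s, "%Y-%m-%d")

# Constructed sample data: (card id, merchant, date of a legitimate card use).
TXNS = [
    ("card1", "STORE_A", d("2006-02-01")), ("card1", "GROCER", d("2006-02-03")),
    ("card2", "STORE_A", d("2006-02-02")), ("card2", "GROCER", d("2006-02-05")),
    ("card3", "STORE_A", d("2006-02-04")), ("card3", "FUEL", d("2006-02-06")),
    ("card4", "STORE_A", d("2006-02-03")), ("card4", "GROCER", d("2006-02-07")),
    ("card5", "GROCER", d("2006-02-02")), ("card6", "GROCER", d("2006-02-04")),
    ("card7", "GROCER", d("2006-02-05")), ("card8", "FUEL", d("2006-02-01")),
]
# Constructed dispute reports: card id -> date of the first disputed withdrawal.
FRAUD = {"card1": d("2006-02-20"), "card2": d("2006-02-21"), "card3": d("2006-02-22")}

def common_points(txns, fraud, lookback_days=30, min_cards=3):
    """Merchants shared by reported cards shortly before their first dispute."""
    window = timedelta(days=lookback_days)
    hit_cards, hit_times = defaultdict(set), defaultdict(list)
    all_cards = defaultdict(set)
    for card, merchant, ts in txns:
        all_cards[merchant].add(card)
        first = fraud.get(card)
        if first is not None and first - window <= ts < first:
            hit_cards[merchant].add(card)
            hit_times[merchant].append(ts)
    found = []
    for merchant, cards in hit_cards.items():
        if len(cards) >= min_cards:
            # Share of the merchant's cards that were hit: busy stores are shared
            # by many cards anyway, so a raw count alone would over-flag them.
            rate = len(cards) / len(all_cards[merchant])
            times = hit_times[merchant]
            found.append((merchant, len(cards), rate, min(times), max(times)))
    return sorted(found, key=lambda r: (-r[2], -r[1]))

def cards_to_watch(txns, fraud, merchant, start, end):
    """Unreported cards used at the suspect merchant during the exposure window."""
    return sorted({c for c, m, ts in txns
                   if m == merchant and start <= ts <= end and c not in fraud})

if __name__ == "__main__":
    for merchant, n, rate, start, end in common_points(TXNS, FRAUD):
        watch = cards_to_watch(TXNS, FRAUD, merchant, start, end)
        print(merchant, n, f"{rate:.0%}", watch)
```
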
In order to spot such fraud patterns, most banks apply the same neural network-based systems that they originally developed to prevent credit card fraud. These systems monitor customer behavior to determine unusual patterns of spending that might indicate fraudulent transactions. Such monitoring systems typically cost a large institution more than $1 million to develop but should pay for themselves in fraud reduction within a year, according to Cross.
But while card issuers have used these systems for years, banks may need to rethink how they apply this technology. At many banks, experts note, most debit card monitoring systems are replicas of what the banks use to monitor credit cards. But as debit card use evolves, banks are learning that debit card usage patterns differ from credit card usage.
Many consumers, for example, use credit cards for larger ticket purchases and use their debit cards for smaller purchases. A good system might detect that a customer who typically used a debit card for small purchases suddenly bought an expensive computer or jewelry using a debit card for payment.
“We’re finding the same risk-based logic that we used in credit cards is not always as effective in spotting debit card fraud,” says MasterCard’s Thom. “We’re currently developing a debit card-specific model that takes into consideration how consumers use debit cards.” He says MasterCard hopes to pilot the debit card risk monitoring system later this year.
Another problem is that these systems historically have been implemented in product silos, according to Gary Roboff, a former executive with Chemical Bank who is now a New York-based payments consultant. For example, most banks use one neural network to analyze credit card transactions and one to monitor debit card transactions. But the two systems typically don’t talk to one another. As a result, information about a customer’s credit card activities is not used in analyzing whether a debit card transaction might be fraudulent, Roboff says.
“Often, information in the credit card databases might be useful in detecting rogue transactions in debit card use. But that is often not possible because of how the systems were set up,” Roboff says. “Ideally, you want all the information about a customer’s payment behavior — credit cards, debit cards, even ACH transactions — to be captured in the same database so that when you score a transaction for risk, you have available the best information about that customer.”
Roboff admits that integrating the existing programs could cost large financial institutions “in the seven figures,” but he believes the investment is warranted. A BITS committee is working with financial institutions, the Federal Reserve Board and Visa and MasterCard to develop the best ways to integrate payment information, he says.
Additionally, Cross says, Fair Isaac is developing “an enterprise approach” that looks at all payment channels when assessing a payment transaction for fraud risk.
“You need an enterprise-wide approach to reducing all payment fraud,” he says. “As soon as you find a hole associated with one type of payment and plug that hole, the fraudsters find another hole somewhere else. If you stop the fraudsters from committing credit card fraud, they’ll move on to debit cards or ACH. You can’t look at this from a one-product perspective.”