FEBRUARY 15, 2006    VOL. 1 / NO. 12

PIN Debit Under Attack

Is nothing in banking safe from fraudsters? Even PIN debit cards, once thought to be one of the most secure payment methods, are now the target of phishing and other fraud schemes.

The San Francisco Chronicle reported last week that a security breach at a third-party retailer apparently forced Bank of America Inc., Washington Mutual Inc. and Wells Fargo & Co. Inc. to reissue debit cards to thousands of customers.

The number of institutions affected by PIN debit card phishing scams grew 2½ times to 2,500 in 2005's third quarter, up from 1,000 in the first quarter. Meanwhile, the number of fraudulent incidents doubled to 10,000 during the same period, according to data from Minneapolis-based Fair Isaac Corp., an anti-fraud technology company.

Fraudsters have been particularly aggressive in running phishing scams at small and mid-sized banks (see "Familiar Faces - or Shadowy Figures?" in the July/August 2005 Banking Strategies). In Washington and Oregon, for example, dozens of small to mid-sized financial institutions reissued debit cards after security violations occurred last month, according to news reports. OSU Federal Credit Union in Corvallis, Ore., reported that more than 1,200 members' cards were compromised.


These incidents are typical of what is happening nationally, fraud experts say. While early phishing fraudsters concentrated on a few big banks, recent efforts have focused on smaller institutions that have been less aggressive in fighting PIN fraud.

"PIN debit still remains the safest form of card payment; signature debit cards, for example, have fraud rates that are at least four times that of PIN debit," says Steve Rathgaber, president and COO of the NYCE ATM and POS network. "That said, PIN debit fraud is on the rise both through the classic model of invading card privacy and the newer efforts associated with phishing."

In phishing scams, fraudsters send e-mails to bank customers alerting them to a problem with their account and requesting the customers' debit card account numbers and PINs. Bogus retailers also tell customers they can pay for goods by typing in their debit card numbers and PINs. The fraudsters then make duplicate cards with these account numbers and PINs and use them at ATMs and point-of-sale (POS) terminals.

Mike Urban, Fair Isaac's director of fraud operations, recommends that banks check the CVV or CVC code that is embedded on all mag-stripe cards when approving ATM or POS transactions. These codes are not found on duplicate cards.

"We have identified 4,000 financial institutions, nearly half of all card issuers in the U.S., that do not check these codes," Urban says.

He also recommends:

  • Invalidate and reissue debit cards where there are multiple attempts to use a card either lacking or with an incorrect CVV or CVC code. Some fraudsters will keep guessing at the code until they hit the right numbers.
  • Limit or even curtail bank e-mail marketing campaigns that require customers to click on hyperlinks to learn about promotions.
  • Subject PIN debit transactions to the same neural network-based analysis commonly used for credit card and signature debit transactions. Such analysis can identify transactions that are likely to be fraudulent.
  • Educate consumers not to reveal their PIN numbers online and avoid making purchases over the Internet if they are required to type in a debit card PIN.
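The first recommendation, sketched as a detection rule (an added illustration, not part of the original article or any Fair Isaac product): it counts failed or missing CVV/CVC checks per card in a sliding window and flags the card for reissue, with a stronger reason when an approval follows the burst. The record layout, result labels, threshold and window are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authorization records:
# (timestamp, card token, CVV/CVC check result). Layout is an assumption.
SAMPLE_AUTHS = [
    ("2006-02-01T10:00:00", "card-A", "match"),
    ("2006-02-01T10:01:00", "card-B", "mismatch"),
    ("2006-02-01T10:02:00", "card-B", "mismatch"),
    ("2006-02-01T10:03:00", "card-B", "missing"),
    ("2006-02-01T10:04:00", "card-B", "match"),     # guess finally succeeds
    ("2006-02-01T11:00:00", "card-C", "mismatch"),
    ("2006-02-03T09:00:00", "card-C", "mismatch"),  # failures far apart
    ("2006-02-03T09:05:00", "card-C", "match"),
]

def cards_to_reissue(auths, threshold=3, window=timedelta(hours=1)):
    """Return {card: reason} for cards with `threshold` or more failed or
    missing CVV/CVC checks inside `window` (both values are assumptions)."""
    recent = defaultdict(deque)  # card -> timestamps of recent failures
    flagged = {}
    for ts_text, card, result in sorted(auths):  # ISO timestamps sort by time
        ts = datetime.fromisoformat(ts_text)
        failures = recent[card]
        # Drop failures that have aged out of the window.
        while failures and ts - failures[0] > window:
            failures.popleft()
        if result in ("mismatch", "missing"):
            failures.append(ts)
            if len(failures) >= threshold:
                flagged.setdefault(card, "repeated_cvv_failure")
        elif result == "match" and len(failures) >= threshold:
            # An approval straight after a burst of failures suggests
            # the code was guessed, so the card is already in use by a fraudster.
            flagged[card] = "approved_after_guessing"
    return flagged

if __name__ == "__main__":
    for card, reason in cards_to_reissue(SAMPLE_AUTHS).items():
        print(card, reason)
```

Isolated failures on card-C, two days apart, do not trip the rule; only the clustered attempts on card-B do.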

Urban says some banks will balk at limiting their e-mail marketing campaigns. But, he adds, "You don't want customers to get the idea that it is common for their bank to send them e-mails that require them to click on URLs."

Another form of PIN debit card fraud is skimming. Fraudsters place overlays, basically fake PIN pads, on legitimate ATMs or POS terminals. In some cases, they work with retailer insiders to switch legitimate POS terminals with ones owned by fraudsters.

These devices collect the card numbers, PINs and security codes when customers use the terminals. The fraudsters retrieve the fake PIN pads or fraudulent POS terminals and then use the data collected by the devices to make duplicate cards.

Skimming has been around for more than a decade, but appears to be increasing in recent months, Urban says. Along with neural network-based analysis to spot unusual behavior on accounts, he recommends banks use state-of-the-art ATMs that can disrupt skimming or detect tampering.

For more information on financial services fraud, see the following Banking Strategies articles: "Fraud Fighting 2006-Style: Real-Time and Enterprise-Wide", "What Lengths Will Customers Go To To Protect Their Online Accounts?", "Fraud-Fighters Prevail" and "Fraud's Threat Looms Large".

 
