Customers Key to Beating Card Fraud
Javelin Study: Out-of-Band Authentication Can Reduce Incidents
"Nobody knows your financial habits better than you do," says Blank, who works in Javelin Strategy & Research's Security, Risk and Fraud Practice.
In the recent Annual Issuer Safety Scorecard survey published by Javelin, the country's top 20 card issuers for Visa and MasterCard made few improvements over the last few years. Card fraud resolution and detection increased, but prevention remains a challenging area.
"Prevention is the hardest," Blank says. "It's strategic, as opposed to being tactical or operational, and frankly it's a cat-and-mouse game. The fraudsters are getting smarter, and the card issuers have to be quicker on their feet in order to compensate for the speed of the fraudsters."
The consumers and card issuers need to work together to prevent card fraud, Blank says. Two options, "review and respond" and "review and release," are beneficial in authenticating card-not-present transactions. In "review and respond," a text alert can be sent to a consumer's phone after a transaction has happened. If the transaction is fraudulent, the consumer can immediately call the issuer and get the problem resolved.
With "review and release" during a card-not-present transaction, the consumer can approve the purchase through out-of-band methods, such as texting or a phone call. "If it really is you, you're going to know the transaction took place, you can approve it and there's really no delay in the transaction," Blank says in an interview with BankInfoSecurity.com's Tracy Kitten [transcript below].
Over time, as Internet transactions continue to grow, card-not-present fraud will keep pace. "We have to get the consumer involved somehow in the review and release of these transactions because with traditional security, fraud trumps security when it comes to crime of impersonation," Blank says.
During this interview, Blank discusses:
- The unique challenge card-not-present fraud poses and why it's expected to increase;
- How institutions could do more to leverage the mobile channel, as a way to authenticate card-not-present transactions; and
- Why banks and credit unions must involve consumers, if they expect to curb growing fraud trends.
Blank provides central leadership to Javelin's Security, Risk and Fraud Practice areas. He has an extensive background in security, information technology, forensics and investigations. His perspectives on information technology and security have been presented at international conferences and published in numerous IT-related publications. He has more than 20 years of experience in both domestic and international organizations, with deep expertise in SaaS operations, security, networking, high-availability systems, business continuity planning, customer service and internal support. Blank has pioneered systems of identity management for SOX and SaaS compliance, remote diagnostics for mainframe computing, accelerated development of international customer relationship management and sales force automation systems, as well as the use of SaaS as an operational paradigm.
Annual Issuer Safety Scorecard Results
TRACY KITTEN: I can't really think of a more timely topic for us to be discussing. Card security has permeated many recent conversations, from the Fed's announcement this week to offer card issuers interchange fee incentives for fraud prevention to the recent wave of debit breaches we've reported hitting Michaels and Citi. The steps card issuers are taking to protect consumers are getting much more scrutiny. Now, this is the seventh year that you've published this particular scorecard. Can you give our audience some background about the scorecard study, such as how card issuers are rated, and then highlight any points that you think, from your perspective, stood out relative to years that you've conducted this particular survey in the past?
PHIL BLANK: We looked at the top 20 issuers of cards like Visa and MasterCard, and then we added certain other key folks into the survey, such as American Express and Discover, who are also large issuers of cards. And this report is filled with good news and bad news.
On the positive side, resolution efforts by the card issuers have continued to improve over a three-year trend. The bad side is that prevention efforts by the card issuers over the past three years have continued to decline. Detection is pretty much the same, with a slight decline in 2011. Resolution is actually pretty straightforward. It's, of the three, the easiest. Even though resolution might be intricate and complex, it's fairly prescriptive. You know what you need to do. Detection is the next most difficult, because obviously it's in the fraudsters' best interests to hide the fraud. But the one where we're seeing the most decline is in prevention, and prevention is the hardest. It's strategic, as opposed to being tactical or operational, and frankly it's a cat-and-mouse game. The fraudsters are getting smarter, and the card issuers have to be quicker on their feet in order to compensate for the speed of the fraudsters. So the high point for us is that prevention is now on a third-year decline in the last three years of our study.
KITTEN: The report highlights criminal trends and security strategies that issuers can adopt to combat current fraud tactics. According to your research, are most card issuers adequately fighting fraud with the right types of strategies? You've noted that for the last three years, you've actually seen a decline in some of the preventive measures they're taking. What other strategies are they pursuing?
BLANK: That's really the problem. The mindset of a lot of large financial institutions is that they don't want to involve consumers in security. They'll take care of everything behind the scenes. And because of that mindset, they miss one of the key components of fighting that fraud. The strategies and technologies that banks are using, or should be using, really tend to involve the consumer more, and there are some very prescriptive things. For example, we still have financial institutions that ask for full social security numbers, which, if you think about it, is just astonishing in this day and age when we really try and teach consumers not to give out their social security number under any circumstance. Many of them have been very good about shutting off paper statements. That's been a very positive side. Many of them do not include multifactor authentication for mobile. They just assume mobile doesn't need the same amount of care and feeding as does the PC environment. Many of them do not use EV SSL, or extended validation SSL, on their contacted login pages. Many of them don't have partnerships with security vendors that can help both the FI and the consumer ameliorate their security posture. We're not suggesting that we turn consumers into IT people, but helping the consumer better protect themselves is in the best interest of both the FI, the card issuer and the consumer themselves.
KITTEN: I was going to ask you about some of the technologies that you see banks using, and I just want to ask this question before we bridge that one. Do you think that the reason there's been a decline in some of the preventative steps that card issuers are taking over the last three years relates to the economic downturn?
BLANK: That's a tough question. It really shouldn't, because many of the steps that we suggest and many of the steps that we encourage people to take are steps that would be very easy and not very costly for the FI. We've got seven years of longitudinal data that there's actually a reverse and an inverse proportion between the unemployment rate and the amount of fraud. When the gross national product goes down, fraud goes up, and when gross national product goes up, fraud goes down. Well, in 2010, we saw an increase in gross national product. You would think there'd be less fraud and therefore the prevention efforts would not be as great. We believe the big decline in prevention is due primarily to the fact that the fraudsters are getting better. We've tightened up the measurements in the scorecard for us to keep up with the fraudsters, and it's incumbent upon the issuers to do the same thing.
Mobile Authentication
KITTEN: You mentioned mobile earlier, and you noted that you don't really see card issuers taking the same precautions on the mobile channel, as far as authentication is concerned, that they've been taking with the online channel, or, in theory, should have been taking with the online channel. But you do see some things taking place in the mobile space, perhaps using mobile more as a complementary channel to help authenticate online transactions. What movement are you seeing there where the mobile device is being used to help leverage or send alerts to customers when it comes to card transactions?
BLANK: What a great question, and the short answer is not enough. There are really two things that should be happening. One is involving the consumer in their security. Nobody knows your financial habits better than you do. Imagine card-not-present fraud which, by the way, now exceeds card-present fraud, so a movement to EMV chips is going to do absolutely nothing about card-not-present fraud. The only way to prevent card-not-present fraud is to have the consumer involved, and Javelin strongly recommends two processes.
One is called review and respond, and the other is called review and release. Imagine that you're doing a card-not-present transaction and the transaction comes through and you get an SMS text alert on your phone. That's a great means of detection and not all issuers do that. At least now you know someone's used your card illegitimately. You can pick up the phone, call your issuer and get that problem resolved. The problem, of course, is the fraud has already occurred. But imagine, for card-not-present fraud, instead of getting notification, now you have to approve it through an out-of-band signaling, an SMS text or a phone call. If it really is you, you're going to know that transaction took place, you can approve it and there's really no delay in the transaction. But if it's not you, or the bank can't reach you, the transaction is not approved and suddenly all that card-not-present fraud goes away because you know your financial habits better than the bank. In crimes of impersonation, if I'm impersonating you, there's no amount of traditional security that can fight that. The only thing that can fight that is you.
KITTEN: I know that some of those types of out-of-band authentication techniques are used in Europe. But in the U.S., how much would it take for consumers to adjust to that kind of second layer of authentication?
BLANK: We propose, and what we encourage, is a transition. Let's educate the consumer as to the value of these types of authentication and start off with review and respond. If everyone, all of the card issuers, had a review and respond policy, it would at least help the fraud be detected very, very quickly. Then, as a next layer, go to review and release. We believe over time as the Internet transactions continue to grow, card-not-present fraud will also continue to grow. We have to get the consumer involved somehow in the review and release of these transactions because with traditional security, fraud trumps security when it comes to crimes of impersonation.
Personal Security
KITTEN: You also note in your findings that most consumers view personal security, such as the protection of their identities, as something that should be shared - a responsibility that they should have for themselves but that banks should also have for consumers. How do banks, as card issuers, view that perspective?
BLANK: They view it generally a bit differently. The reason is that financial institution security and card-issuer security grew up and traditionally came from a lot of the IT background, a lot of the traditional fraud areas where they took care of all that internal to the bank. Well, the bank walls are no longer there, in effect, with the Internet. The bank walls are now all over the world. Banks and FIs are wired to think, "We don't need to have our consumers aware of any security issues. We'll take care of everything through analytics." I'm not bashing analytics. They're very important. They need to be a key part of this equation, but you can't do it all through analytics. There's almost a fear by a lot of the FIs to have the consumer involved. And yet we've got survey after survey that shows the consumer wants to partner and be an active part of that equation. We do have some very forward-thinking issuers that will actually provide you the software for free. They'll say to you, "Here's some free antivirus software; here's some free man-in-the-browser protection software." Is that going to cure all the problems? No, but it's a big step toward enabling your knowledge and awareness of what safe Internet banking practices are.
KITTEN: Before we close, what final thoughts or points about the scorecard would you like to share with our audience?
BLANK: I think the biggest issue is that consumers have to start demanding, asking and begging their card issuers to provide them these services. It's in the best interest of the consumer to avoid the fraud completely. Prevention has to be what we emphasize. Detection and resolution is important, but if we can get the prevention in place, all those downstream efforts and costs are taken out of the equation, and that will ultimately save billions of dollars for the FIs and billions of dollars for the consumer as well.
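The two card-not-present flows Blank describes, review and respond (authorize, then alert; the cardholder can only dispute afterwards) and review and release (hold the authorization until the cardholder approves out-of-band, and decline if they reject or cannot be reached), modelled as an added example that is not part of the interview or of Javelin's work. The cardholder channel is a hypothetical callable that returns True, False or None (unreachable); all names are assumptions.

```python
"""Added example: issuer-side decision logic for the two out-of-band flows.

The out-of-band channel (SMS, phone call) is abstracted as `ask(txn)`:
  True  -> cardholder approved / confirmed
  False -> cardholder said "that wasn't me"
  None  -> no reply before the deadline, or holder unreachable
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

Responder = Callable[[str], Optional[bool]]


@dataclass
class Outcome:
    decision: str                      # "approved" or "declined"
    alerts: List[str] = field(default_factory=list)
    disputed: bool = False             # only meaningful for review-and-respond


def review_and_respond(txn: str, ask: Responder) -> Outcome:
    """Authorize immediately, then notify. This is detection, not prevention:
    the transaction has already posted, so a negative reply opens a dispute."""
    out = Outcome("approved")
    out.alerts.append(f"ALERT: {txn} was charged to your card")
    if ask(txn) is False:
        out.disputed = True            # fraud occurred; resolution path starts
    return out


def review_and_release(txn: str, ask: Responder) -> Outcome:
    """Hold the authorization until the holder releases it out-of-band.
    Fail closed: only an explicit True releases the transaction, so an
    unreachable holder (None) or a rejection (False) both decline."""
    out = Outcome("declined")
    out.alerts.append(f"APPROVE? {txn} pending - reply YES or NO")
    if ask(txn) is True:
        out.decision = "approved"
    return out


if __name__ == "__main__":
    # Constructed sample: the genuine holder answers YES, the victim of an
    # impersonator never sees the prompt (unreachable) and the charge is held.
    print(review_and_release("$84.20 online retailer", lambda t: True).decision)
    print(review_and_release("$84.20 online retailer", lambda t: None).decision)
```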