Best practices for fighting fraud

As we near the holidays it is critical to review best practices for fighting fraud with credit union staff and members.  There are four primary types of debit card fraud:

• Phishing
• Purchase return
• Card Present
• Card Not Present

Phishing

In the Verizon’s 2019 Data Breach Report phishing was found to be the top threat in all breaches analyzed.  Phishing begins with what appears to be a legitimate email, text message, or phone call.  The content of the communication leads you to believe that your account is on hold because of a billing problem and it asks you to click a link to update the account. Once clicked, the fraudster can access sensitive information like user names, passwords, payment card information, and PINs.

Best Practices for Issuers

1. Inspect URLs carefully to see if they are being redirected
2. Look for spelling or grammar mistakes in the email or text
3. Provide security training for staff, limit sharing sensitive personal information
4. Avoid answering unknown phone numbers, if in doubt call them back on the number you have
5. Make sure all anti-virus software and security is updated

Purchase Return Fraud

There are a variety of ways criminals can obtain Point of Sale (POS) devices:

• From an acquirer, or agent posing as a merchant
• From an online reseller
• Auction
• Criminal employee behavior

The terminals are programed with legitimate merchant credentials and used fraudulently; the legitimate merchant is not aware until the funds are deducted from their account.  The criminals will load prepaid cards or complete a return on debit cards for large dollar amounts; if the activity is not caught quickly and the funds are not blocked or removed by the issuer, the account will be cashed out.

Best Practices for Issuers

As of April 12, 2019 merchants are required not to process credit transactions without having completed a previous retail transaction with the same card holder.

1. Monitor for large merchant dollar returns when there is no corresponding debit transaction
2. Such transactions should be considered suspect and a block placed on the card

Card Present Fraud

With the implementation of EMV card present (CP) fraud has been reduced significantly; unfortunately, there are still ways that CP fraud can occur.

The fallback fraud method uses stolen magnetic stripe data to commit fraud.  When an EMV chip reader fails and a merchant is prompted to finish a sale with the outdated magnetic stripe swipe method, fallback fraud can occur.  This holds true for both merchant terminals and ATM terminals.

Fraudsters can also leverage mobile applications that use contactless Magnetic Strip Data (MSD) to load stolen track data obtained from merchant breaches.  The criminals attempt to use the mobile app at a POS terminal that triggers a Near Field Communication (NFC) transaction.  If approved, the fraudulent transaction is repeated to take advantage of the MSD.

Best Practices for Issuers

Criminals have learned if security and safety checks and controls are not in place it is possible to commit fraudulent activity.

• Create Fallback rules that limit the dollar amount and/or the number of transactions that can take place in fallback. Fallback transactions are a very small percentage of the overall share of CP transactions, however placing limits or declining all fallback can stop or limit this type of fraud.
• Ensure the POS entry mode identified is a supported transaction. If you are not issuing contactless cards at this time and do not offer Apple Pay or Samsung Pay, block all contactless transactions. If you do offer the Pays but do not offer contactless cards, make sure the token information is being validated when the contactless POS entry mode is used; if it isn’t, decline the transaction.
• A combination of data elements should be validated to eliminate fraudulent transactions: CVV/iCVV/dCVV values, POS entry modes, service codes, and valid token data.

Card Not Present Fraud

CNP occurs when a transaction is completed without physically presenting a card at a merchant – online, telephone, mail order, etc. With the shift to EMV, as well as an increase in overall Card Not Present (CNP) transactions, fraud has grown in this channel, although it is down from 2018.

Best Practice for Issuers

1. Alerts and controls allow cardholders to receive verification of transactions. Educate credit union members on how to set up alerts and controls and turn the card on and off to prevent or avoid additional fraudulent transactions.
2. 3D Secure allows issuers to receive additional customer data from merchants to help risk score online, ecommerce transactions. The additional data helps to identify potentially fraudulent transactions and helps to authenticate the cardholder.

LSC’s fraud team partners with credit unions to monitor and prevent fraud.  Arrange a consultation or just let us answer your fraud related questions by contacting us today at fraudteam@lsc.net.