Card Data Breach Loss Prevention Checklist

By Ann Davidson, VP of Risk Consulting at Allied Solutions

Many of the large-scale card data breaches in 2015 involved the compromise of magnetic stripe data on both credit and debit cards. The data compromised in most of these card breaches involved either track 1 or track 2 magnetic stripe fraud (POS 90), as determined by the merchant during the transaction authorization. Because the track information can be duplicated, there will likely be a high risk for future fraud exposure if you opt not to block and reissue these cards.

For an in-depth look into payment card fraud risks that many credit unions are being hit hard with right now, watch Allied’s webinar “Card Fraud on the Rise: How Financial Institutions Can Help Prevent It.”

Card Data Breach Loss Prevention Checklist:

  • Evaluate the compromised card number to help determine if the risk is high
    • A high risk involves the full unaltered magnetic stripe data from track 1 and/or track 2 – track 1 carries the cardholder name; track 2 does not
  • Confirm you’re utilizing “name matching” if track 1 data was part of the breach
  • Review card associations’ alerts and act immediately on the at-risk card data outlined in each alert
  • Analyze at-risk open card accounts to determine which cards are/are not still active
  • Review other card accounts to find out which cards are non-active and have already been closed due to fraud
  • Identify the fraud pattern to uncover the common point of compromise (CPP)
    • This is where the breach took place, not where the fraud occurred
    • Once discovered, report the CPP immediately
  • Block and reissue impacted, open card numbers when magnetic stripe has been compromised
  • Accelerate the reissuance of active cards prior to their expiration date
  • Consider reissuing the card 30 to 180 days before the date of expiration
  • Ask the card association(s) to take recovery action related to any expenses
  • Report the fraud to the Visa Fraud Reporting System and/or MasterCard’s Safe System, as this is a requirement under the card associations’ rules

Watch Allied’s webinar “Card Fraud on the Rise: How Financial Institutions Can Help Prevent It” to learn more about payment card fraud risks.

Allied Solutions is the NAFCU Services Preferred Partner for Insurance – Bond, Creditor Placed (CPI), Guaranteed Asset Protection (GAP), and Mechanical Breakdown Protection (MBP). More educational resources and partner contact information are available at www.nafcu.org/allied.

Combat Social Engineering Fraud

Produced by Jay Slagel, VP of Risk Management at Allied Solutions

Due to a general lack of awareness, fraudsters are often successful in obtaining your account holders’ private information using various social engineering methods. Because of this, it is essential that you raise awareness among your employees about the causes of social engineering fraud and the prevention measures your financial institution has in place to combat these attacks.

Social engineering fraud occurs in a variety of ways:

  • Phishing attacks via email or phone, where the fraudster claims to be a person of authority to obtain confidential and personal information.
  • Impersonation of a fellow employee, friend, or vendor to gather personal and confidential account information.
  • Obtaining personal and confidential information from digital storage devices (such as thumb drives, phones, or CDs) or paper documents that were not discarded properly.
  • Offering prizes or gifts via phony emails or calls in exchange for private information and/or money.
  • Baiting, where a person leaves an infected storage device, like a thumb drive or CD, at a location where someone would likely find it, to entice the individual to load the infected device onto their computer.
  • Phone phishing, where the fraudster uses an interactive voice response (IVR) system to duplicate a message from the person’s financial institution, directing the account holder to input their confidential and personal information.

Credit unions can defend against social engineering fraud by changing their corporate culture through education and training. Employees should know how to recognize methods of social engineering and how to combat those attacks.

Actions your financial institution should take to combat social engineering include:

  1. Determine which employees have access to sensitive information and may be targeted.
  2. Educate employees about ongoing threats.
  3. Verify that deposited checks clear before permitting a withdrawal or transfer.
  4. Establish a multi-level authentication process for financial transactions or account change requests that are not performed in person.
  5. Never open attachments or links in emails received from untrusted sources and do not forward these emails.
  6. Tell employees to be wary of any prizes or offers made over the phone or through email, especially those that offer to update, correct, or solve a computer issue or problem.
  7. Protect private information on documents or storage devices that are no longer needed until they are shredded or destroyed.
  8. Conduct tests to determine where system vulnerabilities exist and promptly address those areas of weakness.
  9. Monitor social media outlets to reduce the chance of sensitive information being posted.

It is likely that one or more of your employees will be the target of a social engineering scheme, but taking proactive steps early and often will help your financial institution to remain protected from these fraud attempts.

Allied Solutions is the NAFCU Services Preferred Partner for Insurance – Bond, Creditor Placed (CPI), Guaranteed Asset Protection (GAP), and Mechanical Breakdown (MBP); and rateGenius. More educational resources and contact information are available at www.nafcu.org/allied.

Protect Your Corporate Customers from Account Takeovers

Produced by Ann Davidson, VP of Risk Consulting at Allied Solutions

Were you aware that your corporate account holders are at an increasing risk of being targeted by cybercriminals?

Corporate accounts are especially vulnerable to account takeover attacks because large wire and automated clearing house (ACH) transfers are frequently performed through these accounts, making fraudulent outgoing wire transfers or ACH credit requests harder to detect.

Additionally, these corporate accounts do not always have the most up-to-date or robust authentication layers in place on transactional activities, which makes it that much easier for criminals to obtain private credentials and take over these accounts.

To help combat these attacks, your credit union should have dynamic authentication methods in place for all consumer and business accounts, and should implement the following loss prevention recommendations:

  • Validate all account holder information when a wire transfer or ACH credit is requested
  • Pay special attention to new accounts performing large outgoing wire transfer or ACH credit requests, as these might be “money mule” accounts
  • Limit the dollar amount on outgoing wire transfers and ACH credit requests
  • Only offer in-person outgoing wire transfers and ACH credit requests
  • Have account holders sign an agreement that specifies that they will be assigned a confidential individual PIN and requires that they answer a security question prior to submitting an outgoing wire transfer or ACH credit request
  • Call back account holders’ listed phone number(s) to confirm their identities prior to performing requested outgoing wire transfer or ACH credit
  • Inform your corporate account holders that they have to do their part to stay protected from these attacks, such as:
    • Implementing anti-virus software on all company owned computers
    • Requiring password protection on all of their employees’ computers, cell phones, landlines, business accounts, and software applications
  • Continue to monitor reliable sources for updated information on risk exposures

To find out more about recommended authentication measures that can help your credit union and account holders remain more protected from this and other types of cyber crime, register for Allied Solutions’ webinar, “Top Authentication and Identification Methods to Protect Your Credit Union.”

Allied Solutions is the NAFCU Services Preferred Partner for Insurance – Bond, Creditor Placed (CPI), Guaranteed Asset Protection (GAP), and Mechanical Breakdown (MBP); and rateGenius. More educational resources and contact information are available at www.nafcu.org/allied.

Fraud Insights

Originally posted on forwardbanker.com.

Guest post written by Scott P. Wallace, Vice President of Marketing, Deluxe Corporation.

Deluxe Financial Services is the NAFCU Services Preferred Partner for Check Printing, Online Check Ordering, Check Fraud Prevention, and Member Loyalty Solutions.

Banking margins are being squeezed and fraud continues to rise. This is not a good combination. To combat this, financial institutions want to stay aware of the trends and opportunities to mitigate losses to help improve bottom line profits.

A survey of both financial institutions and non-financial institutions compiled by the Federal Reserve Bank of Minneapolis provided some great insights into payments fraud.

They found that fraud is a problem across all those surveyed, no matter what their asset size, type of institution, or payment products offered. For financial institutions, the payment method most vulnerable to fraud was signature debit cards, with over 83 percent experiencing an attempt. However, that’s only one of nine possible methods documented in the survey that fraudsters have tried to use.

Helping Your Small Business Members

Originally posted on forwardbanker.com.

Guest post written by Nick Buri, Fraud & Payment Solutions Manager, Deluxe Corporation.

“Life is 10 percent what happens to you and 90 percent how you respond to it.”

This famous quote from Lou Holtz, a college football coaching legend, applies to your role in helping your small business customers with the problem of fraud.

Fraudsters are increasingly targeting small businesses. Consider these statistics: (1) 95 percent of all VISA credit card data breaches involve small businesses, (2) 73 percent of small businesses were hit by a cyber attack in 2011.

Why are small businesses an attractive target?
