John Philip Coghlan, Visa USA's president and CEO, recently urged the payment card industry to work more closely together in the fight against data-security breaches. The breaches, he said, affect cardholder trust, and if not stopped, they will destroy the faith cardholders have in the payment system.
Coghlan's call for unity comes as data-security breaches are giving the payments industry a headache because fraudsters are proving to be resourceful in developing new ways to steal. The payments industry, however, is showing it can be resourceful, too.
It has no option, Coghlan contends, noting a data-security breach involving a MasterCard issuer or a merchant also affects Visa.
"We must do everything in our power and everything necessary to maintain shareholder trust because that is the bedrock of our industry," Coghlan said during his keynote address in May at SourceMedia's 18th annual Card Forum & Expo. "We're all in the same boat."
In 2005, U.S. payment card fraud losses reached $1.7 billion, according to a Financial Insights study, "Payments Fraud Management: Analysis Beyond the Transaction." From 2005 through 2009, Financial Insights predicts, U.S. payments fraud will reach $1.8 billion.
Indeed, cyber thieves are relentless, says Ted Crooks, vice president of the Global Fraud Solutions Group at Fair Isaac Corp. "We can stop one thing, but they try a thousand others," he says.
Not even PIN debit, considered the industry's most secure form of card transaction with its two-factor cardholder authentication, is safe from massive fraud attacks. Late last year and early this year, crooks who stole personal identification numbers and debit card data used the information to withdraw millions from thousands of cardholders' checking and savings accounts ("Latest Card Fraud Target: Where the Money Is," May).
Although PIN-debit fraud was thought by some to be primarily a problem affecting American financial institutions, it is not. In early June, a security breach prompted Dubai Islamic Bank to block debit and credit card transactions in Bosnia, Bulgaria, Croatia, Hungary, Macedonia, Moldova, Romania, Serbia-Montenegro and Slovenia.
Coghlan's plea for collaboration may sound unusual because he is urging competitors to band together to fight a common enemy. In reality, his call reflects growing industry sentiment, one observer contends, and the industry is circling its wagons.
"Companies must cooperate [with each other] because fraudsters work together to discover new ways to breach the nation's payment system," John Stewart, vice president and chief security officer of corporate security programs at Cisco Systems Inc., said in May during a panel discussion on confronting security threats held at the Federal Reserve Bank of Chicago's 2006 Payments Conference.
Bad Press
Amir Orad, vice president of marketing for the Consumer Solutions Division at RSA Security Inc., contends financial-services companies lately have begun to work more closely. "Fraudsters sell technologies and trade information on the Internet," he says. "Until recently, banks worked in silos. Now, they realize they must work together."
The widespread news coverage data breaches have generated has, indeed, sparked greater cooperation among competitors. They are cooperating by creating both formal and informal organizations, making alliances with government agencies and holding national seminars to discuss ways to improve security.
Even Visa is working with rival MasterCard Inc. to combat data breaches. But cooperation is not confined to bank card networks.
Discover Financial Services, issuer of the Discover card, is working with other issuers and processors on fraud prevention and detection, says Steve Furman, Discover's director of e-commerce.
Fraud prevention also involves creation of international customer networks. Cyota LLC, a New York-based Internet-payments security firm that RSA Security recently acquired, two years ago formed eFraud Network. The organization, says RSA's Orad, is composed of more than 70 banks and other card issuers in Canada, the United Kingdom and the United States. Its goal is to fight online fraud.
The network's members, which include card issuers Washington Mutual, Royal Bank of Canada and Barclays Bank, share information in real time about possible security threats, Orad says. "When there is an online threat against one bank, it can alert the others," he says. "Fraudsters don't just limit themselves to attacking one institution."
The launch this May of Early Warning Services LLC, a Scottsdale, Ariz.-based company that fights identity theft and payment fraud, is another example of big banks and a processor working together to fight fraud. Bank of America Corp., JPMorgan Chase & Co., Wachovia Corp. and Wells Fargo & Co. founded Early Warning. First Data Corp. subsidiaries Primary Payment Systems and ID Logix, specialists in fraud-prevention technologies, also are part of the company.
Early Warning's software investigates individuals' backgrounds for identity fraud before they can open a checking account linked to a debit card at a member bank. Though the company does not monitor card activity, "We are confident this new venture will strengthen the industry's defenses in the fight against fraud," says Leslie Altick, Wells Fargo executive vice president and vice chairman of the Primary Payment Systems board of directors. "We believe that by working together we can achieve a common goal that none of us have achieved individually."
Financial Insights, a Framingham, Mass.-based research firm, also believes issuers and processors must cooperate because card transactions involve different companies performing specific services. "Each participant has different capabilities for data analysis given the type of data it obtains during the transaction and the speed with which it can perform the analysis," note Jeanne Capachin and Sophie Louvel in an August 2005 Financial Insights' report on fraud management. "These capabilities are necessary to effectively fend off fraud."
Capachin and Louvel say payment processors and networks see the payment transaction before an issuer does, so they have the opportunity to detect fraud more quickly. "Banks may have better information about the customer initiating the payment and, in certain cases, may be better able to determine whether or not the transaction is fraudulent," the researchers wrote.
Companies also are working together because many of their top security officers know each other. There are fewer than 150 top-level computer-virus experts worldwide, says Mikko Hyppönen, chief research officer for F-Serve Corp., a Helsinki, Finland-based firm that provides antivirus, network-encryption, desktop-firewall and antispam software.
Law Enforcement
"There is a surprisingly large amount of cooperation between data-security companies, such as antivirus companies," he says. "This cooperation is largely happening because the amount of top-level experts in this area is not large."
Private companies also are working more closely with local police and the federal government to fight fraud. MasterCard and the Fraternal Order of Police, for example, are holding a series of 12 seminars nationwide to train merchants in protecting cardholder data.
On a national and international level, the Internet Crime Complaint Center, or IC3, a partnership between the FBI and the National White Collar Crime Center, is working with the Financial Institution Fraud Unit, an FBI unit that fights financial fraud, and members of the Financial Services Roundtable, an organization composed of the nation's 100 largest financial institutions.
Although the FBI says it is involved in the fight against fraud and has arrested fraudsters around the world, Fair Isaac's Crooks says the FBI has played a small role in combating card fraud. "Their involvement is mostly lip service and very little shoe leather," he says.
He cites as an example the government's failure to fund the National Joint Theft Identity Center, an organization he, the FBI and Los Alamos National Laboratory scientists proposed nearly two years ago.
The Justice Department gave the center $250,000 for a feasibility study, but Attorney General Alberto Gonzales froze department spending on software when he took over early last year, Crooks says.
Investigative Help
The center would fight fraud by bundling smaller cases into larger ones so the amount of money involved attracts the attention of local and federal law enforcement. Police interest is piqued when fraud involves a minimum of $250,000, Crooks says. Banks also would be able to report fraud cases directly to the center.
The facility is needed because only a few hundred of the 3,000 fraud cases annually are investigated.
"It [the center] would take a proactive approach to fighting fraud instead of just having banks building moats around their computer systems," Crooks says. Fraud cases, he explains, "are a window on organized crime, not the Sopranos kind, but the work of terrorists who are involved in data breaches and identity theft."
Lately, however, Crooks' feelings about the FBI have mellowed thanks to the May 10 signing by President Bush of an executive order strengthening federal efforts to protect against identity theft. Since the signing, Crooks claims he has received calls from Fair Isaac's lobbyist in Washington about reviving the center. "Let's say I am much happier," he says.
If Crooks' National Joint Theft Identity Center gets off the ground, it would join the fight against an enemy who isn't that old.
Observers cannot point to a specific date when the industry set aside its differences to fight fraud collectively, but it apparently began more than a year after the May 8, 2003, appearance of the Fizzer.A computer virus. Fizzer.A was the first piece of malware crooks used to steal money, says Hyppönen. Malware is malicious software designed to do harm.
Before Fizzer.A, individuals hacked security systems simply for the challenge, Hyppönen said during the Federal Reserve Bank of Chicago's 2006 Payments Conference. During his presentation, Hyppönen showed photographs of six men, including three sweet-faced teenagers he says hacked Web sites in a contest of gamesmanship with the sites' designers. A much tougher-looking crowd, including a reputed member of the Russian mob, replaced the teenagers. These rougher individuals ran phishing scams and spamming operations.
It is the emergence of this type of criminal group that has forced industry players to put their heads together, Hyppönen says.
Collaboration leads to sharing information on different types of fraud to prevent attacks, says Phil Mellinger, First Data chief information security officer. "If we anticipate certain kinds of attacks, we call competitors and get our equivalents on the telephone," he says.
Information Sharing
RSA's Orad cites as an example eFraud Network successfully stopping a Trojan, a type of malicious software, that initially targeted one of the network's members. The member shared the information with others, which was smart because the Trojan software attempted to attack 20 banks.
Cooperation also means sharing information and samples, Hyppönen says. "When we talk to each other, we might discuss how a particular piece of malware is encrypted and how to decrypt it," he says. "We might ask each other to work together to shut down a malicious Web site."
Companies have not always done this. An incident last year, for example, had the industry red-faced after a data breach at CardSystems Solutions received worldwide attention. Paul Martaus, an electronic-payments industry consultant, says he has heard industry rumblings that the FBI and Visa knew of the breach for some time and were working together to resolve it unbeknownst to MasterCard.
"I don't know why MasterCard was so far out of the loop," he says. Visa and MasterCard would not comment on Martaus' claims.
Once it learned of the intrusion, MasterCard last year publicly disclosed the breach. The unexpected disclosure caught Visa executives, and some issuers, off guard ("Failure to Communicate," August 2005).
Hackers broke into CardSystems' computers in September 2004. In early 2005, banks reported that several million dollars in fraudulent credit and debit card purchases had been made with counterfeit cards using magnetic stripe data from the CardSystems' breach, the Federal Trade Commission says. Thieves compromised millions of debit and credit cards, according to industry observers.
Data-security breaches lately have received significant publicity, so reputations are on the line, says John Latimer, enterprise risk management officer for card processor Total System Services Inc., or TSYS. "Our customers have their good names, and we want to protect them," he says.
Most card issuers traditionally have figured some degree of loss stemming from fraud into their program planning and budgeting, so the industry has tolerated certain levels of fraud, notes Harry Mahlstedt, Merrill Lynch's managing director of private client banking and retail services. "It's part of doing business," he says.
But the numbers get bigger every year.
Indeed, debit card fraud will cost banks at least $1 billion this year, Brian Riley, TowerGroup senior analyst for bank cards, writes in his report "Debit Card Fraud: Because That's Where the Money Is." The anticipated $1 billion in PIN-debit fraud losses is nearly half of the combined credit and signature-debit card fraud losses for all of last year.
Riley, however, says the $1 billion does not fully reflect the entire cost of PIN-debit fraud. He says some losses go unrecognized because cardholders do not reconcile their monthly bank statements.
Fraud also is hitting credit union card issuers hard. CUNA Mutual Group, a provider of financial services for credit unions, says fraud on debit and credit cards reached $100 million in 2005, up from $85 million in 2004 and $51.5 million in 2003.
Dan Roads, first vice president of Elan Financial Services, which buys credit-union card portfolios, says data-security breaches have become a factor in credit unions' decisions to sell their portfolios. "They are asking themselves if they should be in the card-issuing business," he says.
Not everyone, though, is throwing up their hands regarding fraud. The industry, after all, is doing more collaboratively to protect its interests. Whether the efforts help to contain fraud remains to be seen.
(c) 2006 Cards&Payments and SourceMedia, Inc. All Rights Reserved.
http://www.cardforum.com http://www.sourcemedia.com