Expert: Training One Of Many Fraud Prevention Steps

IMGCAP(1)]

Preventing data thieves from duping payment card customer service staff takes more than just employee training, according to a fraud-prevention expert. The District Attorney of Queens County, N.Y., last week announced the indictments of 45 alleged participants in a card fraud and identity theft ring that caused American and Canadian financial institutions, retailers and consumers more than $12 million in losses last year alone. Some fraudsters allegedly used a product called SpoofCard that enables users to change the phone numbers that appear on a receiver's caller ID, according to a statement by the attorney general's office. SpoofCard technology can even change a caller's voice by accent, tone and apparent gender, the statement says. Fraudsters allegedly used the tools to convince call center staff to increase credit limits and change a credit or debit card's PIN, mailing address and secondary user. Fraud ring participants allegedly then withdrew cash and made large purchases using cloned cards tied to the compromised accounts. "The combination of techniques used in this fraud made it extremely difficult to detect, even by the most competent service reps," Tom Wills, senior analyst of risk, security and fraud at Pleasanton, Calif.-based Javelin Strategy & Research Inc., tells CardLine. "I'm not sure additional training would have helped in this case. What would have helped are some technology and business process controls that are available and in use by many banks." For starters, financial institutions should not rely on caller ID to authenticate customers, Wills says. Instead, Wills recommends financial institutions employ multiple layers of technology and practices to fend off account takeover attempts: Knowledge-based authentication requires callers or customers using Web sites to answer secret questions only true accountholders would know. Tools such as device authentication can detect red flags such as Internet protocol addresses and physical locations of computers that do not match customer records. And customer alerts, especially those sent to mobile phones, can help true accountholders react quickly to fishy transactions. "These techniques aren't perfect. They won't work for a (new) account that was opened fraudulently," Wills says. "But if used together in combination with a strong security policy and awareness programs directed at both employees and customers, they do add layers of strong security against account takeover attacks."