The following is a transcript of the podcast episode with Patrick Davie, Vice President of Risk Solutions, Card Services at Fiserv, Aaron McPherson, VP, Research Operations at Mercator Advisory Group and Ryan McEndarfer, Editor-in-chief at PaymentsJournal.com. During the episode, they cover topics such as:
- Why are there more fraud cases this time of year
- Different types of scams being used by fraudsters
- How fraud affects card usage and cardholder loyalty
- How can financial institutions protect themselves this holiday season
- Common sense advice for protecting your data
Ryan McEndarfer, Editor-in-chief at PaymentsJournal.com
I’m very curious to get into this subject here as we’re kind of talking about fraud and the holidays are pretty much upon us here. But it’s not always just all happy feelings and everything during the holidays. Unfortunately, there’s been a lot of fraud increase especially during this holiday season here and in 2017, 2018. Now one thing I’d like to point to in particular is that Fiserv clients saw an additional 23 percent increase in fraud cases over previous months.
So Patrick, could you dive in a little bit deeper and give us a little bit more insight as to why that is?
Patrick Davie, Vice President of Risk Solutions, Card Services at Fiserv
Yeah sure. And so to be clear when we’re talking about an increase in fraud cases, really what that means is there are more fraudsters attempting to create fraudulent transactions. And when our systems are working well that will create a fraud case. And so what’s driving this, this time of year is there certainly is a lot more activity, a lot more transactions, purchases of those types of things, and so fraudsters try to hide out in the weeds and hope that they can operate more or less unobserved among the many, many transactions that are occurring. I think ultimately though what’s driving this is just the overall increase in breach activity that we’ve seen over the last several years. The most recent one that I think is noteworthy is the Marriott Starwood Resorts breach where reportedly 500 million cards were exposed. And so to me breach activity in the seemingly endless number of breaches over time it’s really what’s fueling fraudsters.
There’s a well-known stat, 50 percent of all breaches have social security numbers stolen and 20 percent have card data. Those pieces of data are really the key to enabling fraudsters to target cardholders and create the fraud.
Aaron McPherson, VP, Research Operations at Mercator Advisory Group
Yeah, and I think that also the shift to e-commerce has increased fraud rates because it’s much easier to commit fraud online because there so far has not really been an extension to the EMV chip card technology to the e-commerce environment, but there are a number of initiatives underway to close that gap. But for now, I think fraudsters are going where the path of least resistance is, which is online transactions.
Ryan McEndarfer, Editor-in-chief at PaymentsJournal.com
Now as we know holiday fraud is not limited to just payment card fraud. So Patrick, could you break down for us a little bit more around the typical scams that we’re seeing out there?
Patrick Davie, Vice President of Risk Solutions, Card Services at Fiserv
Yeah. I can actually give a personal anecdote here which I think is going to be relevant. I have a friend who saw on a social media site a pretty appetizing advertisement for a pair of boots and that they were from – they were called English brown boots. So he said, “hey I want these,” clicked on them, went to a merchant site, saw a really nice pair of boots, saw that these boots for a ridiculously low price $45 for a pair of leather boots. Probably too good to be true in hindsight, right? Paid for it. Got an email confirming the purchase that the email said, “hey, due to some backlog. Probably not going to see these boots ship for another two to three weeks, check back later.” So he checked back later and the merchant had disappeared. The site links to the site URLs were broken. The email was unreturnable or unsendable. And so to me that’s emblematic of lots of what we’re seeing in this time, where it’s pretty easy to set up a merchant site, steal our data and then disappear over time. So to me, I thought that was a pretty interesting, pretty relevant story to share.
Aaron McPherson, VP, Research Operations at Mercator Advisory Group
Well, I think one of the important things for consumers to keep in mind is to look for that lock symbol in the browser address bar. Because that indicates you’re on a secure connection to a site. While it’s not impossible for a fraudster to set up such a site, it does mean it’s registered somewhere. And so it may be easier for law enforcement to trace. It also makes it safer to use things like public Wi-Fi to conduct transactions. You also can do searches on Google. I sometimes do this with unfamiliar websites to see if they’re legitimate or if there have been complaints. So I think there are things that consumers can do to protect themselves. But obviously, that leaves the issuer on alert because they’re often on the hook for this transaction when it’s charged back.
Ryan McEndarfer, Editor-in-chief at PaymentsJournal.com
But now as we know in the industry, you know fraud isn’t just a one-time event. It has a ripple effect to it. And it does affect both the card usage and cardholder loyalty and Fiserv has some interesting data around that so Patrick, if you could,
could you please tell our audience a little bit about what your data and research found?
Patrick Davie, Vice President of Risk Solutions, Card Services at Fiserv
Yeah. Sure. So what we find is that, rightly so, issuers focus on stopping fraud, but sometimes can be overcautious – a little bit too aggressive in their approach around stopping fraud and this can drive false declines. And so we have two points of data. We have a survey that we conducted with customers or cardholders. And then we also have data from our issuer clients. And so the two different views are remarkably similar. From a cardholder research perspective, what we found is that 56 percent of cardholders say they change where they shop and their shopping behavior after there’s been a fraud event. Sixty-five percent say they use their card less after being declined when making a purchase and then, as I mentioned, we’ve got actual statistical data on our issuers’ portfolio. So about 20 million cards we looked at over time and what we found is that when a cardholder has been declined two or more times when they should not have been over a six-month period, 20 percent of them stopped using the card altogether. So you’ve lost, as an issuer, not just the interchange associated with that transaction, but you’ve lost future transactions and you really sacrificed a lifetime value of that customer. So those are, to me, really interesting and arresting stats.
Aaron McPherson, VP, Research Operations at Mercator Advisory Group
What do you think is the cause of that? Do you think that issuers are being overly conservative in their thresholds or do you think it’s machine learning run amok that they’re seeing patterns that maybe aren’t real?
Patrick Davie, Vice President of Risk Solutions, Card Services at Fiserv
I think it’s both. It’s really hard to strike the proper balance between proper fraud strategy diligence and protecting the cardholder relationship and oftentimes in an issuer organization, you’ve got conflicting priorities. The fraud folks are obviously… their number one job is to stop fraud to reduce the write-offs. The marketing folks who are not the ones driving the risk rules or the fraud rules are charged with growing the receivables base or the deposits, those kinds of things, and so they often aren’t in the same room putting together a cogent strategy. And more and more that’s going to be the most important thing I think issuers have to contend with, this striking that proper balance.
Aaron McPherson, VP, Research Operations at Mercator Advisory Group
I guess if we’re talking about personal anecdotes, I got challenged on a ten-dollar gas purchase this morning. I appreciated my issuer looking out for me, but I said, I don’t think a fraudster’s going to try to buy ten dollars’ worth of gas in my car. I mean it could happen but that was kind of interesting.
Patrick Davie, Vice President of Risk Solutions, Card Services at Fiserv
It’s actually this whole dynamic of increased false declines… we see more and more of it during the holiday season because, as we talked about, actually there are more fraud attempts during the holiday season and so as a result, issuers tend to get a bit more aggressive, more cautious. And about 20 percent of the false declines, there’s about a 20 percent increase in false declines during the holiday season just because of more robust risk rules in place.
Aaron McPherson, VP, Research Operations at Mercator Advisory Group
Well, that’s interesting because when you talk about taking some of these technologies to protect merchants, often, they don’t really want them, like 3D Secure version one. I’ve heard from numerous merchants that they’d actually rather have fraud than a hard decline because they don’t want the shopping cart abandonment. So it sounds like they’re accepting a certain level of fraud in the interest of overall market share and growth and that sort of thing, but issuers are kind of going the other way.
Patrick Davie, Vice President of Risk Solutions, Card Services at Fiserv
Yeah, as sophisticated as some of these models are that the new 3D Secure 2.0 model is, those models are very sophisticated in how they learn – you mentioned machine learning earlier – including the issuer models for just scoring an authorization request. They’re very sophisticated. They’re very good at what they do, but when you’re talking about tens of billions of transactions across the U.S. ecosystem, invariably the models are going to be wrong. And that’s where you see fraud or that’s where you see these false declines. So as often as the models are right they’re often wrong as well.
Aaron McPherson, VP, Research Operations at Mercator Advisory Group
So it sounds like something you’d want to do as an issuer considering solutions is to ask them about their false positives as well as their false negatives. Not just the fraud that got through but the legitimate transactions that got denied because in some ways that’s worse.
Patrick Davie, Vice President of Risk Solutions, Card Services at Fiserv
It is. It costs U.S. issuers billions of dollars in lost interchange every year. “Just don’t decline the wrong transaction” and it sounds easy, “just don’t do that”. But it is, it’s more challenging than you think, but it is a growing problem with more and more awareness by issuers, that something needs to be done. We all need to get better at striking that proper balance.
Ryan McEndarfer, Editor-in-chief at PaymentsJournal.com
Great. Now Patrick, if we can, I’d like to follow up with you and kind of saying where we know that there’s this increase in fraud during the holiday season, but from your point of view,
what advice can you give to financial institutions to help protect themselves against it?
Patrick Davie, Vice President of Risk Solutions, Card Services at Fiserv
Well sure, we’re hearing more and more about skimmers and shimmers at ATMs and cash-out attacks and things like that. One of the easy things an issuer can do is just make sure that the folks who are responsible for inspecting their fleet of ATMs are just being extra diligent and looking for anything that looks a little bit out of place on the ATM itself. For ATMs that are inside a building, most are, looking for tiles in the ceiling that have been slightly moved that could be hiding a camera and the camera could be used to capture PIN pad activities. So there’s just that element of ‘let’s be extra vigilant for the ATM fleets.’
The next would be, just broadly speaking, issuers should make sure they’re looking at their rules, their fraud rules, very closely. Rules are and should be very dynamic. The models are pretty effective in predicting fraud, generating a score that indicates the likelihood of that transaction being fraudulent, but issuers also need to wrap business rules (X for business rules) around those scores so that it’s not just a fraud score of X. It should be a fraud score of X with a certain merchant during a certain time frame outside of the cardholder’s typical buying geography. Those types of things need to make their way into these rules. And then the rules, as I mentioned, just need to be continuously reviewed to make sure that the fraud detection rates and the false positive rates are within accepted norms and, when they are not, change the rule or remove the rule altogether.
I would think those are two big things and then there’s another thing that is a hybrid between a tool for the issuer and a tool for the cardholder. You often hear about mobile apps. Fiserv has a mobile app called CardValet and it’s a card control app. One of the key features that these types of apps have is they allow for transactions on purchase alerts being sent (to the cardholder). So, Aaron, you mentioned this morning that you were notified by your issuer; that may have come through an SMS message to your phone or may have come through their mobile app, but in either case, you were notified. “Hey, was this your transaction?” And you said yes, but if it wasn’t yours when they reached out to you, you would have stopped that fraud sooner than if you hadn’t been getting an SMS or a push notification. So in a way, if you can get that notification out to the end cardholder as quickly as possible, then the issuer is going to have a much better opportunity to limit the extent of the fraud, the number of transactions on that card.
Aaron McPherson, VP, Research Operations at Mercator Advisory Group
Yeah, I think one of the interesting things about 3D Secure 2.0. Actually, I guess it’s up to 2.2 now. I just saw an announcement this morning about that but you know, one of the things I’m hoping will get more merchants to play along is that it has an option for the merchant to not invoke the… well, first of all, it has much greater flexibility about when the authentication is required.
So now you can set thresholds for when you want to invoke the person reentering their password. Also, it gives a merchant the power to forgo authentication, accept the risk themselves and maybe just send the data along with the transaction to be added to models in case the transaction turns out to be fraudulent. So that’s a little more control in the hands of the merchants and maybe they won’t be so sensitive about abandonment rates and carts. Although when I talk to merchants that brand name is still poisonous. So they may end up having to roll it into secure remote commerce or something like that because I still get a lot of… I still got a lot of ‘never again.’
Patrick Davie, Vice President of Risk Solutions, Card Services at Fiserv
I get that from issuers too. They’re not huge fans of it either because of the friction it introduces for their cardholder and obviously for the merchant who’s trying to make a sale, but everyone’s looking forward to full market adoption of 3D Secure 2.0. To your point, Aaron, there’s hope that this is, you know, it’s changed the paradigm a bit and it removes a lot of the inadequacies of the original version.
Aaron McPherson, VP, Research Operations at Mercator Advisory Group
Another interesting thing that’s kind of flown under the radar but which we think will be important in 2019 is the World Wide Web Consortium’s payments task force, which has been coming up with a tokenized solution that’s already partially supported by all the major browsers. I say partially because the specification isn’t finished yet. So there are some pieces that you can’t support but essentially what this would do is build in a capability to your browser to authenticate you and generate a token on your behalf. So the browser would actually… it’s a little like the form filling if you use one of the popular browsers, I think they all now allow you to store card details within a secure vault and then they can fill those into forms. This would strengthen that and save a token rather than the actual card number. That could get built into secure remote commerce, which is the initiative to consolidate all the different buy buttons that you see on e-commerce sites into one general buy button. So it’s a little hard to see at this point how that’s all going to fit together. But I think it’s a positive development that browser manufacturers are building this in because that will really help with the integration and creating a seamless experience for the customer.
Ryan McEndarfer, Editor-in-chief at PaymentsJournal.com
Now Patrick, you know, we’ve brought up cardholders a couple times here on this conversation. And I know that Aaron kind of pointed out as one of the ways to help kind of prevent some of this fraud here is to kind of you know have cardholders avoid shopping online using, you know, public Wi-Fi and looking for that little lock symbol that comes with HTTPS here. But from your viewpoint,
can you break down some additional kind of, we’ll call it, common sense advice for cardholders during this holiday season?
Patrick Davie, Vice President of Risk Solutions, Card Services at Fiserv
I mentioned earlier one thing that issuers need to make sure that they do or ATM providers is inspect ATMs. Cardholders need to do that as well. If you’re visiting an ATM or even a retailer point-of-sale, look to see if the equipment or the behavior of the staff is suspicious and if it is don’t present your card, but you know, it seems obvious but so many people are so wrapped up in getting the cash or paying for their purchases and moving on but everyone needs to be vigilant at all times.
Secondly, specifically for the ATMs, make sure that when you put your card in, or before you do that, you wiggle the card reader. If there’s any play in that card reader, I would move to another ATM; chances are there’s a skimmer or shimmer sitting in there. Another one is just keep track of your balances and your transactions so you are aware of the purchases and when you’re looking online and you see something that’s unfamiliar or your balance suddenly dropped, quickly act on that, contact your issuer and have that conversation.
Aaron McPherson, VP, Research Operations at Mercator Advisory Group
Well, I think there is a feature on most issuers’ websites now or in their mobile apps where you can actually get notified every time your card is used. And that could be a little annoying, but that might be a good thing to activate during the holidays. So you’re aware of what’s going on; if you don’t recognize it, you can call and find out.
Patrick Davie, Vice President of Risk Solutions, Card Services at Fiserv
Yeah, we know that cardholders who do that actively cut the instances of fraud on their card by as much as 50 percent because again, they’re seeing those transactions. They don’t recognize it and they’ll call the issuer and the card will be statused and the cardholder will be really impressed.
Aaron McPherson, VP, Research Operations at Mercator Advisory Group
And then the issue of strong passwords can’t be emphasized enough. I mean, I use a password keeper which is a special app that allows you to generate arbitrarily complex passwords. And if you’re using a late-model iPhone or Android or even a browser, they will auto-generate a password for you and you can copy that into your password keeper and what that helps with is the problem that passwords tend to be really hard for consumers to remember but really easy for fraudsters to guess. So we just had the list of a hundred weakest passwords. And of course, ‘password’ was number two, so I guess that’s some improvement but ‘123456’ was number one, which is not a great improvement. So I’ve been trying to evangelize this that you know, you can have a 16-character ‘gobbledygook’ password that means absolutely nothing and you don’t have to worry about forgetting it because you just have it stored in your browser or in a password keeper and then as long as you have control of your device, you know, you can just have a different password for every site and have it be arbitrarily complex. And I think that’s much more secure. I think ultimately, we are going to have to move away from passwords towards biometrics or things like that. But in the meantime, that’s certainly a good substitute and I think most of them work cross-platform, so you can keep your vault.
Ryan McEndarfer, Editor-in-chief at PaymentsJournal.com
Excellent. Well, thank you Aaron, it really seems like I’m going to have to change my password to all my accounts now, but Aaron and Patrick, thank you so much for joining us today and talking about holiday fraud and we hope to have you both back on the podcast real soon.