Why Debit Fraud GrowsABA Survey Looks at Top Banking Fraud Threats
Financial losses linked to debit fraud are increasing, says Jane Yao, and the industry has cornered itself into a perpetual state of catch-up. "It is easier for the fraudsters nowadays," she says.
The prevalence of cyberattacks, phishing wars and the sale of stolen card information on the web has made it too easy for criminals to compromise bank accounts by creating counterfeit cards.
"Seeing the counterfeit card losses going up is not surprising," says Yao, vice president and director of the Benchmarking and Survey Research Group for the American Bankers Association in an interview with BankInfoSecurity.com's Tracy Kitten [transcript below]. According to the ABA's bi-annual 2011 Deposit Account Fraud Survey Report, losses linked to debit fraud totaled an estimated $955 million in 2010, an increase from the $788 million in debit-related losses reported in 2008.
More than 96 percent of banks surveyed in 2011 reported losses to debit fraud in 2010.
"ATM skimming, that is another area that we heard a lot about; because of chip and PIN in most of the world, the U.S. market becomes one of the areas that fraudsters can still come to and perform skimming relatively easily," Yao says. "So, I don't think there was anything surprising in these results."
Understanding how institutions, as well as their corporate and retail customers, are responding to fraud was the catalyst for the association's launch of its deposit account survey more than a decade ago. Today, collecting information about best practices and strategies banks use to fight fraud is the motivation.
Migrating fraud, because of increased adoption of the Europay MasterCard Visa chip in other global markets, has pushed debit losses on U.S. card issuers and merchants. [See 2012: Year of the Skimmer.]
"POS signature suffers the greater losses," Yao says. "PIN-debit and ATM are lower, because of the PIN. That extra layer of authentication cuts down on fraud."
During this interview, Yao discusses:
- Why more banks are investing in cross-channel fraud detection and monitoring;
- The role education of staff and customers plays; and
- Emerging fraud threats that link cyberattacks to low-tech schemes.
Yao has more than 25 years of research experience in the banking industry. She developed the American Bankers Association's peer benchmarking program, which she now leads. Since 1999, she also has run ABA's DDA fraud benchmarking groups. Today, Yao oversees data collection of fraud losses, and monitors fraud attempts related to checks, debit cards, online banking, ACH and new accounts. She oversees ABA's Operational Loss Data Sharing Consortium, which collects operational loss event data according to Basel II AMA [Advanced Measurement Approach] event types and business lines. The ABA Consortium data is used by banks and credit unions for operational risk management and capital modeling.
Debit Overshadows Check
TRACY KITTEN: Check fraud losses are declining, but losses linked to debit fraud continue to climb. According to a new survey from the ABA, 96 percent of U.S. banks included in this survey suffered financial losses linked to debit fraud in 2010. So what steps is the industry taking to address these growing losses? Hi, I'm Tracy Kitten with Information Security Media Group. I'm here today with Jane Yao, Vice-President and Director of the Benchmarking and Survey Research Group for the American Bankers Association. Jane, the ABA recently issued updated statistics about deposit account fraud based on this bi-annual survey that it collected from U.S. Banks. Can you give us some background about the study such as the number and size of the banks surveyed, and what type of fraud statistics the ABA hoped to see from the results?
JANE YAO: Sure. We surveyed banks of all sizes and the results are calculated by bank size. We have community banks ranging from less that five hundred million in assets up to large banks super regional money center institutions with over fifty billion in assets. In total, we have 117 respondents. In addition, we surveyed a small sample of no respondents, just to make sure there is no sampling bias.
The purpose of the survey is to track the deposit fraud. We started the survey back in the '90s. Initially it was about check fraud and as the payment's channel evolved into electronic based transactions, we added the different electronic channels such as debit cards, online banking, and so forth. What we wanted to see really is to see how the fraud evolved over the time and what the industry has been doing to address those issues. We did several check-log studies in the '90s, and from 2000 out, the survey was expanded to cover all payments channels.
KITTEN: And the results highlight that check fraud is decreasing while fraud link to debit continues to grow, but were there any nuances that stood about the results?
YAO: Yes. Even though the check fraud losses decreased, this is for the first time since we've started tracking check fraud losses. We continue to see very high level of attempts. As you know the survey collected the data attempted fraud as well, so I think the bank is doing a good job in preventing check fraud with the investment in new technologies, prevention tools, and also consumers are more aware of these fake check scans with the public campaigns and so forth, but the attempts are still out there.
Are Smaller Banks Easier Targets?
KITTEN: And then what about some of the reporting variations among institutions? I noted that from some of the results it seemed that larger institutions were more likely to report fraud then smaller institutions. Is that just because maybe the smaller institutions aren't aware of fraud losses?
YAO: I wouldn't put it that way. I think large banks because of their large customer bases, is an easy target for the fraudsters. The small institutions they are, I think they are well aware of the fraudulent transactions out there, and some of them actually experienced attempts but did not suffer any losses. Also, for smaller institutions, one loss could be or have a much bigger impact than for a larger institution. I think the community banks they are aware of the fraud out there and they are taking actions to address the issue as well.
KITTEN: Now, going back to some of the breakdowns that were listed about fraud in the survey results, the leading fraud category was linked to counterfeit debit cards followed by card-not-present transactions. Skimming losses were concerns for all of the banks with more than of the respondents saying that they expect losses from ATM skimming to go up over the course of the next twelve months. They also said they expect losses linked to signature debit to increase. Are those results surprising Jane, and if so why and if not, why not?
YAO: They are not surprising, because the debit card fraud is going up. It is easier for the fraudsters nowadays, with the data breaches and some of the phishing e-mails; and card information is available online for purchase by fraudsters. So, seeing the counterfeit card losses going up is not surprising. In terms of ATM skimming, that is another area that we heard a lot about; because of chip and PIN in most of the world, the U.S. market becomes one of the areas that fraudsters can still come to and perform skimming relatively easily. So, I don't think there was anything surprising in these results.
KITTEN: So, based on the information that was collected from the results, to what transaction type, POS PIN, POS signature or ATM, do most institutions seem to suffer the greatest losses?
YAO: The POS signature. For the POS PIN and ATM, because of the additional authentication using the PIN, it does seem to take more efforts for the fraudsters to use those transactions to commit fraud. We will continue to see more fraudulent activities using signature POS than other types of cards.
KITTEN: And then, Jane, when we step back and look at debit fraud losses, overall, how did those rank, relative to other types of fraud?
YAO: At this point, debit card losses, based on our estimate, have surpassed check fraud, in terms of the industry. In other channels, right now, the losses appear low, even though we are seeing attempts. For example, in mobile banking and online banking, there are definitely attempts reported; but so far, the losses have been relatively low, compared with debit or even check fraud.
KITTEN: That is an interesting point and a nice segue to my next question, and that was to actually look at some of the survey results. Thirty-one of the institutions included in this survey reported losses from data breaches, while twenty-nine percent reported losses from phishing or spoofing attacks. How are the two differentiated? How were data breaches differentiated from phishing and spoofing, and do those percentages reflect increases from 2008?
YAO: The data breaches will be more the hacking into the system and grabbing the data from the system of the company's database, versus phishing or spoofing in an email to the customers or the consumers and trying to get the account information. Compared to the last survey, we are seeing a lower percentage of losses coming from data breaches. We are seeing a decreasing major data breaches in 2010 and I think that is reported by different sources. We are hearing that some of the data breaches are moving to smaller companies and institutions such as restaurants and some of these smaller retail outlets. In terms of phishing and spoofing it did go up compared with the last survey. I think the last time was about twenty-two percent, and again with the increased activities and also the phishing spoofing emails nowadays they look very sophisticated, the quality if very high so it is very easy to be deceived by it.
KITTEN: Now did the ABA find increases in online banking, ACH and wire fraud from 2008 to 2010?
YAO: Definitely there are more attempts and our survey participants also identified these channels as the emerging risks. However in terms of actual losses, we have heard some major cases out there due to account takeover, but if you look across the industry the percentage of banks reported in this type of fraud is still very low.
KITTEN: And then what about fraud linked to mobile banking? Have losses increased there as more institutions offer mobile solutions?
YAO: Based on the survey results mobile is the channel with the lowest percentage of respondents reporting having losses. Most of those are large institutions and I think that makes sense because of the actual offering transactions probably still not that broad-base at this point. A lot of time is still alerts that have transactions.
KITTEN: It has been relatively limited and I wanted to ask about remote deposit capture by a mobile. It is expected to increase over the course of the next twelve months based on what some of the survey respondents shared with the ABA. What security concerns do mobile ARDC options pose?
YAO: It appears that duplicate presentments are the number one concern for financial institutions. I think they are using software to try to identify duplicate presentment of the same check.
Fraud Prevention Best Practices
KITTEN: And then what about some of best practices that the ABA has noted regarding education and fraud prevention from the survey results? What are some of the best practices that you picked up on?
YAO: Effective communication with customers and also staff members that is the key and also using technology-based tools to monitor transactions is becoming very important. Also the monitoring need to be at the customer, the relationship level and more holistic view of a customer's transactions across all the different product lines is very, very important. There could be activities elsewhere that are out of pattern leading to the funds being transferring to DDA and eventually move the funds out of the bank. So employing these monitoring tools in the debit card world would be the newer network type of systems having good results. Another tool that is effective in the debit card space would be the real-time positioning so they will be able to decline a transaction real-time versus back-office. And in terms of education, for consumers because increasingly the fraudsters are targeting the customer's equipment and so forth so educating consumers about this kind of a threat out there and be aware of these activities, I think that is the key that is the first line.
For the staff members, providing tools for front-line staff so they could receive alerts or having some institutions use risk scores to identify a transaction and give some indication to the front line staff whether this transaction needs to be reviewed further. Those types of tools would be very helpful as well. And I know several institutions will go out and regular visit branches and inform them the latest trend of fraudulent activities and so forth and so they are aware of it and those are all very effective prevention methods.
KITTEN: How will the ABA address some of the results from the survey? What emerging threats do you think the industry should be watching closely over the next two years?
YAO: We continuously help facilitate information sharing among our member banks in terms of the latest trends in fraud. Frequently the fraudsters move around and they hit one bank today and may be hitting another bank. So if we can get the word out now this is going around that will help other financial institutions to set up prevention measures and so forth. Also, we're trying to develop services that would enable early warnings of fraudulent activities such as the "been capture" service recently launched to capture bank robbery information and we are looking at expanding that to capture fraudulent transaction information as well such as ATM skimming.
In terms of what is coming up, we are hearing about increased activities against small business customers and professionals, such as law firms. Also, I think using online fraudulent account opening and the link to different types of accounts ... and moving the funds out, or even the link to payments accounts, such as deposit or the use fraudulent checks to open CDs, will grow. These kinds of activities have perked up a little bit. We are hearing it even though it is not widespread but we are hearing more institution's experience it this type of fraud. So I think the natural evolution for fraud from a fraudster's point of view would be moved from the traditional to something unexpected and that is reason why a holistic view of a relationship would be very helpful because then you understand this activity is out of the norm for this customer that you will be able to take action sooner versus wait until it gets to the DDA account.