
Security

Debating the Effectiveness of Authentication and Identification Systems

Chris Skinner contemplates payments risk and fraud prevention ahead of his Oxford Society-style debate at the Financial Services Club (London). In preparation, he has posted the text of a speech on risk management, and he'll post more after the debate (his post-debate write-up is here). For now, here's an excerpt:

I would claim that, today, information about money is more important than money itself. These days, instead of robbing bank branches, I just need to thieve identities, account numbers and passwords.

Until we resolve this conundrum, we will be stuck in this never-ending vacuum of more and more electronic payment volumes growing, with increasing risks of those payments being fraudulent.

Read the rest:

Evaluating the Fraud Risk of Remote Deposit Capture

At the Bank Lawyer's Blog there is a thoughtful discussion of remote deposit capture fraud risk and whether banks (particularly community banks) are playing it too safe. Well worth reading.

(via Payments News)

Payment Systems Fraud Is Not the Same as Data Security! (Glenbrook)

Glenbrook's Linda Elliot was at the Federal Reserve Bank of Chicago's 2008 Payments Conference, where this year's topic was Payments Fraud: Perception versus Reality. Her observations are here; she makes the important distinction between fraud prevention and data security.

There was ample discussion of PCI data security programs, their costs and benefits, and the status of PCI standards as a near-default standard for data security in all participants in a payments service, whether or not that service is actually a subscriber to the PCI group. However, I was troubled by an apparent rush to equate payments fraud prevention with adherence to PCI data standards. An entire panel seemed to use the terms ‘payments fraud’ and ‘data security’ as interchangeable. When participants began to discuss data security, they seemed to lose sight of other important characteristics of fraud and of fraud measures...

Read more at Glenbrook.com

Internet Security, Regulation, and the Rise of Closed, Proprietary Platforms

This recent segment on Charlie Rose with Jonathan Zittrain is fascinating. Zittrain, a professor of internet law at Harvard and Oxford and the author of The Future of the Internet and How to Stop It, discusses the tension between the security risks of open, non-proprietary systems and the likely backlash: centralized internet regulation and a flight to closed, proprietary platforms, which carry their own data privacy risks.

It’s a great segment (and only 30 mins) – well worth checking out.

More:

Counterfeiters Foiled by their own Idiocy

Forgive me this somewhat off-topic post, but it made me laugh out loud.

Excerpted from Dave Birch at Digital Money Forum:

[Dave Birch] It's amazing to me -- no, not amazing, more kind of quaint, reassuring and comforting -- that in this high-technology e-money world, there are crooks who still try to rob banks the old fashioned way. Not the modern way (by working for them as traders) but the old fashioned way. There are still people out there who rob banks with shotguns. And there are still people out there who make dodgy banknotes. An example being the gang of Chinese counterfeiters currently on trial in London for attempting to defraud the Bank of England of more than TWENTY EIGHT BILLION POUNDS. Yes, that's right. They tried to cheat the Bank of England out of more than FIFTY BILLION DOLLARS by swapping 360 "special-issue" £500,000 notes and 28 million £1,000 notes for lower denominations. Unfortunately, there were two tiny flaws in their masterplan: the Bank of England has never issued a £500,000 note and £1,000 notes were taken out of circulation in 1943 (and there are only 63 of them not accounted for). The criminal geniuses tried to get the Bank of England to accept £1,000 notes with the signature of Jasper Holland, the chief cashier in 1963. Now, far be it from me to criticize -- I know virtually nothing about counterfeiting -- but c'mon guys. Didn't anyone think that the Bank of England might double-check if someone turns up with twenty eight billion pounds in used notes? The only way to get away with this kind of thing is to skim off a small amount from each legitimate note in circulation (like the Chancellor of the Exchequer does).

If you enjoyed that, add Dave Birch to your feed reader (if you haven't already):
Digital Money Forum

Read more about the hapless counterfeiters:

Remote CASH Deposit?

Cash processing is not only time consuming but fraught with security challenges (and associated high costs of dual custody, surveillance, etc.). The astounding success of remote deposit capture of checks has prompted interest in remote CASH deposit services.

Bankers are attracted to the ability to serve customers in areas where they do not have branches (much the same appeal as remote check deposit) and merchants receive faster availability and are able to tap into cash that is otherwise unavailable or "trapped in the system."

BofA and Fifth Third Bancorp are experimenting with specialized safes that allow customers to receive immediate credit for funds that have not left the customers' store locations.

Fifth Third Bank

  • Fifth Third Bank is partnering with Brinks to service an unnamed fast food chain and has 400 safes in use nationwide (and expects to have over 500 deployed by year end).
  • The product is called "Remote Currency Manager" and has been available since the second quarter.
  • The bank does not assume liability until the funds are delivered to the bank by Brinks.
  • The bank charges a monthly user fee for the safe as well as a cash servicing fee.

BofA

  • So far, BofA is piloting with Chick-fil-A, a restaurant chain in Atlanta, but intends to test with five other companies, including a major department store chain and a boutique retailer. BofA says it will offer the service widely in the first half of next year.
  • BofA accepts responsibility for the funds once they are in the safe.
  • Merchants are able to "withdraw" currency from the safe when they need cash.
  • BofA has not determined fees for its as yet unnamed service.

Learn more:

Remote's Next Capture: Cash
Fifth Third, BofA eyeing business deposits

American Banker
Tuesday, October 23, 2007
By Will Wade

HBR Case Study: Stolen Customer Data

My favorite feature of the Harvard Business Review is the case study: fictional scenarios that represent common managerial challenges, followed by concrete solutions from experts. This month's situation is directly relevant to payments and transaction security. It involves a regional chain of electronics stores that discovers its customer transaction data may have been compromised.

Excerpt:

“What kind of data breach?” Brett asked. His tone was calm, as always, yet he scanned the [airport] lounge to make sure that no one could overhear.

“I’m still not sure,” Laurie admitted. “I was contacted by Union Century Bank. They regularly examine their fraudulent accounts for patterns, and we’ve shown up as a common point of purchase for an above-average number of bad cards. They’re getting me more information, but I thought you’d want to know right away. It could be nothing—or it could be significant.”

Brett recalled the newspaper stories he had read about stolen laptops with veterans’ records stored on them and about hackers trying to penetrate eBay and other big online retailers. His firm was just a regional chain with 32 stores in six states and a modest online presence. Flayton’s could hardly be a target for stealing lots of customer data. Or could it?

“Laurie, I’m not sure I understand. People were using stolen credit cards at our stores? Our clerks weren’t checking cards correctly?”

“No,” she replied earnestly. “It looks like we might be the leak.”
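The pattern search the issuer describes in the excerpt, spotting a merchant that turns up as a "common point of purchase" for an abnormal share of fraud-reported cards, is a standard fraud-analytics technique. The Python below is an added illustration (not part of the HBR case or this post): it runs that analysis over a small constructed transaction set, counting for each merchant how many distinct cards shopped there in a look-back window and what fraction of them were later reported as fraudulent, comparing that with the issuer's baseline fraud rate, and flagging merchants whose lift exceeds a threshold while ignoring merchants with too few cards to be meaningful. All merchant names, card ids, dates and thresholds are invented.

```python
from collections import defaultdict
from datetime import date, timedelta


def common_point_of_purchase(transactions, fraud_cards, as_of,
                             lookback_days=90, min_cards=5, min_lift=3.0):
    """Flag merchants over-represented among fraud-reported cards.

    transactions: iterable of (card_id, merchant, purchase_date)
    fraud_cards:  set of card_ids the issuer has confirmed as compromised
    as_of:        the date the analysis is run
    Returns a list of dicts, highest lift first.
    """
    cutoff = as_of - timedelta(days=lookback_days)
    cards_by_merchant = defaultdict(set)
    cards_in_window = set()
    for card, merchant, when in transactions:
        if cutoff <= when <= as_of:          # ignore stale purchases
            cards_by_merchant[merchant].add(card)
            cards_in_window.add(card)
    if not cards_in_window:
        return []

    # Portfolio-wide fraud rate is the yardstick each merchant is measured against.
    baseline = len(cards_in_window & fraud_cards) / len(cards_in_window)

    flagged = []
    for merchant, cards in cards_by_merchant.items():
        if len(cards) < min_cards:           # too few cards to say anything
            continue
        bad = len(cards & fraud_cards)
        rate = bad / len(cards)
        lift = rate / baseline if baseline else 0.0   # no fraud at all: nothing to flag
        if lift >= min_lift:
            flagged.append({"merchant": merchant, "cards": len(cards),
                            "fraud_cards": bad, "fraud_rate": rate, "lift": lift})
    flagged.sort(key=lambda r: (-r["lift"], r["merchant"]))
    return flagged


# --- Constructed sample data (invented; not from the HBR case) -------------
def _visits(cards, merchant, when):
    return [(c, merchant, when) for c in cards]

CARDS = [f"c{i:02d}" for i in range(1, 42)]        # c01 .. c41
FRAUD_CARDS = set(CARDS[:8]) | {"c41"}             # issuer's confirmed-fraud list
AS_OF = date(2007, 5, 15)

TRANSACTIONS = (
    # ten cards bought at the suspect store; eight are now on the fraud list
    _visits(CARDS[:10], "Flayton's #12", date(2007, 4, 2))
    # a busy grocer: 23 cards, only 2 of them bad
    + _visits(CARDS[:2] + CARDS[8:9] + CARDS[10:30], "Corner Grocer", date(2007, 4, 20))
    # a gas station: 12 cards, 1 bad
    + _visits(CARDS[2:3] + CARDS[9:10] + CARDS[30:40], "Route 9 Gas", date(2007, 5, 1))
    # a cafe with 2 bad cards out of 3: high raw rate, but too small a sample
    + _visits(CARDS[3:5] + CARDS[12:13], "Main St Cafe", date(2007, 5, 10))
    # an old purchase by a bad card, outside the 90-day window, so ignored
    + _visits(["c41"], "Flayton's #12", date(2007, 1, 5))
)

if __name__ == "__main__":
    for row in common_point_of_purchase(TRANSACTIONS, FRAUD_CARDS, AS_OF):
        print(f"{row['merchant']}: {row['fraud_cards']}/{row['cards']} cards bad, "
              f"lift {row['lift']:.1f}x over portfolio baseline")
```

On this data the store is the only merchant flagged: 8 of its 10 cards went bad against a portfolio baseline of 8 in 40, a 4x lift, while the grocer and gas station sit below baseline. The cafe's 2-of-3 looks worse in raw terms but is dropped by the minimum-card guard; lowering `min_cards` shows how quickly small samples produce false positives. A real issuer would also check that each card's first fraudulent use falls after its purchase at the suspect merchant before calling the bank, as Union Century does in the case.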

As you read the case, ponder what you would do if you were CEO Brett. Should you contact customers immediately? Defer to law enforcement? Fire your CIO? Be sure to read the compelling and diverse suggestions offered by the following four experts:

James E. Lee, senior vice president and chief public and consumer affairs officer at ChoicePoint, based in Alpharetta, Georgia.

Bill Boni, corporate information security officer for Motorola in Schaumburg, Illinois. He is also a vice president and board member of the Information Systems Audit and Control Association, a global organization based in Rolling Meadows, Illinois.

John Philip Coghlan, former president and CEO of Visa USA, headquartered in San Francisco.

Jay Foley, executive director of the Identity Theft Resource Center in San Diego.

HBR Case Study
Boss, I Think Someone Stole Our Customer Data
Harvard Business Review
September 2007
Reprint R0709A

How secure is your consumer payment data? Lessons from TJX

Did you catch the front page article in Friday's WSJ on the TJX wireless security debacle that led to the largest heist of consumer credit card data ever?

The $17.4-billion retailer's wireless network had less security than many people have on their home networks, and for 18 months the company -- which also owns T.J. Maxx, Home Goods and A.J. Wright -- had no idea what was going on. The hackers, who have not been found, downloaded at least 45.7 million credit- and debit-card numbers from about a year's worth of records, the company says.

How secure is your network? Are you in compliance with PCI DSS, the set of security standards created by the major card brands (American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International) to protect cardholder data from theft and breaches? According to Javelin, "with only 32% of even the largest merchants at PCI compliance, many merchants are still sitting ducks for this type of attack." If you aren't sure whether your company is PCI compliant (gulp!), learn more about PCI at the PCI Compliance Guide here.

Read the WSJ article:

BREAKING THE CODE
How Credit-Card Data Went Out Wireless Door
Biggest Known Theft Came from Retailer With Old, Weak Security

By JOSEPH PEREIRA
May 4, 2007; Page A1

Consumer Concern: BOC vs POP

This letter to the Wichita Eagle, in Kansas (a follow-up to their article on BOC here), shows how at least one consumer views point-of-purchase (POP) check conversion as more secure than back office conversion (BOC). The consumer's rationale is that when the paper check is handed back to them, the merchant is not left holding their personal data:

Letter to the Editor, Wichita Eagle: 

Scary bank rule

Regarding "New rule offers 2nd option to electronically convert checks" (May 2 Business & Money): Right now, when huge Wal-Mart or tiny Bionic Burger electronically converts my paper check to an electronic debit, I am given the paper check back. I am responsible for that piece of paper, which has personal information on it.     

When a bank handles my paper check, it is responsible for my personal information.     

When a business uses a "Back Office Conversion," who is responsible for my personal information -- including a perfect example of my signature? Some business, without my knowledge or consent, now has a valuable piece of paper, which it must dispose of safely. With all the problems involved in identity theft or check fraud, how does a business protect its customers' information? The name and address of my bank, my checking account number, the routing number, and my signature may all be used without my knowledge to empty my account or disrupt my credit. Will the businesses using the Back Office Conversion system let their customers know what they are doing?   
JAMES KEENER
Wichita

One wonders how this consumer feels when they write a check that is NOT converted.


Spreadsheet Compliance Audit Tools

For those of you who still rely on spreadsheets - and there are more of you than care to admit it, I know - CFO Magazine has a round-up of spreadsheet auditing tools here.

Payments fraud increasing, often perpetrated in-house

The Association for Financial Professionals' new Payments Fraud Survey finds that corporate payments fraud is on the rise. Seventy-two percent of corporations experienced fraud (or attempted fraud) in 2006, up from 68% in 2005. Thirty-nine percent of organizations reported an increase in fraud incidents since 2005, 47% reported that the prevalence of fraud remained about the same, and 14% reported a decrease in fraud incidents. However, most organizations suffered little or no financial loss as a result of fraud.

Checks continue to be the primary source of fraud - although it's hard to say if this is because checks are still the primary form of B2B payment or because electronic payments are inherently more secure.

(Chart: AFP payments fraud by payment type)

Many safeguards are in place to prevent fraud, thus most companies did not experience losses. Forty-two percent suffered no losses at all. Another 31% of companies experiencing at least one payments fraud incident suffered losses under $25,000. Only 5% of organizations sustained at least $250,000 in losses from fraudulent activities.

Most fraud is perpetrated in-house (just as identity theft is often perpetrated by someone you know):

In many cases, the fraud is perpetrated internally. Employees were responsible in about half of the cases involving fraud associated with the use of organizations' corporate cards (e.g., travel & entertainment, purchasing, fleet cards). Internal fraud appears to be an important factor in check and ACH fraud as well, and one of the reasons why organizations must assume liability for financial losses from the fraud.

The AFP survey results are based on responses from 414 cash managers, analysts, assistant treasurers, directors, and controllers.

AFP Press Release
2007 AFP Payments Fraud Survey (download PDF)

More on Freakonomics and Identity Theft

Jim Bruene, at NetBanker, expresses his frustration that the Freakonomics duo offered little new insight on identity theft. I, too, was underwhelmed by the recent NYTimes article (see my post here) but did not express my frustration as eloquently as Jim. Read his post here.

Freakonomics on Identity Theft

Heads up! The Freakonomics duo - Stephen J. Dubner and Steven D. Levitt - will be exploring identity theft in their New York Times Magazine column this coming Sunday, March 11th.

In the meantime, their blog has links to their research sources, including the TowerGroup and Javelin, plus Frank Abagnale of Catch Me If You Can fame.

I for one am looking forward to reading the column Sunday morning. I'll let you know what I think. In the meantime, read the Freakonomics blog post here.

UPDATED 03/11/07

What do Levitt and Dubner conclude? That MERCHANTS are the ones paying for identity fraud through chargebacks (as many of you merchants out there well know).

Who cares about Identity Theft - Individuals?

The answer would also seem obvious: You, the potential victim. But according to the Javelin data, people probably worry way too much about identity theft. Seventy-three percent of victims incur no out-of-pocket expenses whatsoever; the unlucky minority loses, on average, $2,000 — hardly chump change but far less than the scare stories would have us believe. And in more than half the cases of identity theft, the thief is not a stranger at all but rather a relative, friend or co-worker.

Who cares about Identity Theft - Banks and Credit-card Companies?

Surely, then, it is the banks and credit-card companies that are desperate to stop the problem? Sgt. Robert Berardi, who runs the Los Angeles County Sheriff Department’s ID Theft Task Force, has found otherwise. “The banks are in conflict between security and making a profit,” he says. In an industry that is reluctant to add even an ounce of friction to a customer’s purchase, Berardi says identity theft is seen as simply the cost of doing business. Indeed, a recent report by TowerGroup, a research firm owned by MasterCard Worldwide, noted that “banks are not yet ready to dedicate resources to solving any ID theft problem.”

Who cares about Identity Theft - Merchants? YES!

So if the banks, the consumer and the police aren’t sufficiently incentivized to stop identity theft, who is?

The merchant. That is what Peisner, a 44-year-old veteran of the credit-card business, has discovered. “Let’s say one of these hackers takes the information they find in a chat room,” he says. “He goes to the Sony Web site, buys a laptop computer for $1,000, and a month later the actual cardholder gets the billing statement. He calls up his bank and says, ‘I didn’t order a computer from Sony.’ At that point, the credit-card issuer, let’s say Citibank, sends a ‘chargeback’ through the interchange system to the acquiring bank, and that $1,000 is taken right out of Sony’s bank account, and they also get hit with a $25 chargeback fee.” So the merchant has lost the money from the sale (as well as the laptop) while paying the chargeback fee, other bank fees and processing and shipping costs. “If you’re a merchant,” Peisner says, “you have all the liability.”

Read the Sunday New York Times column here.

Identity Crisis
By STEPHEN J. DUBNER and STEVEN D. LEVITT
Sunday New York Times Magazine
Published: March 11, 2007