1. Card Fraud and Identity Theft
Michael D. Herr, VP, Card Fraud Strategy Manager
3/7/2007

Headlines:
- Cyber Crime Hits the Big Time in 2006: Experts Say 2007 Will Be Even More Treacherous
- Online job scammers steal millions: Elaborate con is 'out of control,' authorities say
- Debit card thieves get around PIN obstacle: Wave of ATM fraud indicates criminals have upped the ante
- Easy check fraud technique draws scrutiny: Ever written a check? Your account could be targeted, too
- Ameritrade warns 200,000 clients of lost data: Account information, including SSNs, on missing tape
- ATMs may be an easy target for thieves
- Police uncover debit-card skimming at Calgary gas station
8. Today’s Fraud – Data Acquisition/Aggregation

Aggregated Data Warehouse

Credit/Debit Card Non-Magnetic Stripe Information
Nikon World Magazine, Moneygram International
Criminals utilize hacking techniques to identify merchants or other entities inappropriately storing card non-magnetic stripe data. Card non-track data (CVV2, EXP Date, E-Mail Address, Name, Phone #, Address) is obtained by criminals.

Credit/Debit Card Magnetic Stripe Information
TJX Enterprises, Card Systems Solutions
Criminals utilize hacking techniques to identify merchants or other entities inappropriately storing card magnetic stripe data. Card track data (CVV, Name, EXP Date, Service Code, PIN Block & Card Number) is obtained by criminals.

PHISHING/Key Loggers, PROBING - .COM/VRU
Criminals employ various techniques, such as PHISHING e-mails designed to look like financial institution correspondence or Key Loggers, to covertly acquire data. They also use brute force attacks that employ repetitive attempts at non-traditional points that utilize the PIN # as authentication (VRU/.COM). Data captured is not limited to the PIN; CVV2, e-mail address, address, card number and VbV sign-on password are also at risk.

Personal Information
Credit Monitoring Services, DMV/Universities
Criminals employ various hacking techniques to gain access to non-financial institution databases that contain personal information. Examples include: Credit Monitoring Agencies, Universities, DMVs, etc. Alternatively, criminals infiltrate the above institutions with employees. Additional non-card related data is captured, such as: Maiden Name, DOB, PH #s, Place of Birth, Residence Info, Vehicle Info, Driver Info and Credit Info.

Debit Card PIN #
14. Today’s Fraud - “Skimming” Variants - Device Examples
Pass Through Reader – ATM “Skimming”
- PIN-hole camera placed in close proximity to machine, captures PIN
- Fictitious card reader with exceptionally good craftsmanship
- Imposed over existing card reader of machine
15. Today’s Fraud - “Skimming” Variants - Device Examples
Transaction Inhibiting Device – ATM “Skimming”
- Screen of false front actually is a Pocket PC
- Partial front constructed with separate card reader (white). Imposed over existing ATM screen.
- Helpful sign to “assist” cardholder. It advises the cardholder that ATM operations have changed and directs the cardholder to swipe the card and enter the PIN # on the touch screen or follow on-screen instructions.
16. Today’s Fraud - “Skimming” Variants - Device Examples
Internal Re-Wiring or Completely Fictitious Machine
- Completely fictitious machine or existing machine (requires vendor/employee collusion).
- Inner workings completely re-wired to capture stripe and PIN in the clear before encryption occurs.
17. Today’s Fraud - “Skimming” Variants - Device Examples
Traditional POS – “Skimming” Devices
- Traditional splice: Computer + POS Terminal
- OR
- Traditional Wedge + POS Terminal