September 2014 Newsletters
We here at Compliance Alliance are committed to keeping our bankers informed of regulatory changes, as well as “breaking news” in our industry. CBTx is one of our clients, and they shared a fraudulent scheme with our group. After hearing the details of the scheme, we thought our member base would benefit from having this knowledge as well.
Even though this scheme does not pose a threat in the way of losses to our bankers, as the merchant will bear the brunt of the loss, it is important to make our colleagues aware of the most current scams and schemes.
Thank you, Tim Leonard of CBTx, for sharing this information with us:
Commercial Bank of Texas (CBTx) in Nacogdoches is seeing a type of debit card abuse that involves using a deactivated card to purchase merchandise at retailers. The perpetrators are able to force-post the transactions by having the clerk enter an authorization code, despite the fact that the card status had been set to lost or stolen. CBTx has seen several versions of this fraud.
In the first, the perpetrator pretends to call a bank and get an authorization code. This method was used in the recent Apple Store fraud and seems to rely on a heavy social engineering component.
In the second, more interesting case, the perpetrator swipes the card and the merchant machine automatically displays the message “Voice Authorization Required.” A code is provided by the perpetrator. From our testing at Commercial Bank of Texas, any code can be made up and does not need to be the one issued by the processor. The code need only be the number of digits required by the processor. When the perpetrator supplies the code, the sale is forced through. In this case there seems to be a technical and social engineering component.
Banks more than likely will have chargeback rights; however, the merchant will have to absorb the cost of the fraud. Commercial Bank of Texas incurs a six dollar transaction fee per dispute.
There is a large possibility this type of fraud will increase in frequency because of the number of cards which will be turned off because of Home Depot.
It does not matter if the card status is lost or stolen.
It does not matter if the card is tied to an account with a zero or negative balance.
The processors and networks CBTx called stated the only way to stop this type of fraud is to educate merchants to not accept override codes.
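An issuer-side reconciliation check for the force-post pattern CBTx describes, as an added example that is not part of the CBTx report or of any processor's software: it flags settled transactions where the card was already lost or stolen, or where the authorization code was never issued by the processor, so they can be routed to dispute review. The record layout, field names and sample values are constructed assumptions.

```python
from datetime import datetime

BLOCKED = {"lost", "stolen"}

# Constructed sample data; field names are assumptions, not a processor format.
CARD_STATUS = {  # card token -> (status, effective since)
    "card-A": ("stolen", datetime(2014, 9, 10, 8, 0)),
    "card-B": ("active", datetime(2013, 1, 5, 0, 0)),
}
ISSUED_AUTHS = {  # approvals the processor actually issued: (card, code) -> amount
    ("card-B", "481516"): 42.10,
}
SETTLEMENTS = [
    {"id": "s1", "card": "card-A", "code": "123456", "amount": 899.00,
     "when": datetime(2014, 9, 12, 15, 30)},
    {"id": "s2", "card": "card-B", "code": "481516", "amount": 42.10,
     "when": datetime(2014, 9, 12, 16, 0)},
    {"id": "s3", "card": "card-B", "code": "000000", "amount": 310.00,
     "when": datetime(2014, 9, 13, 11, 45)},
]

def review_settlement(txn, card_status, issued_auths):
    """Return the reasons a settled transaction should go to dispute review."""
    reasons = []
    status, since = card_status.get(txn["card"], ("unknown", datetime.min))
    if status in BLOCKED and txn["when"] >= since:
        reasons.append("card was %s at time of sale" % status)
    approved = issued_auths.get((txn["card"], txn["code"]))
    if approved is None:
        reasons.append("authorization code was never issued for this card")
    elif abs(approved - txn["amount"]) > 0.005:
        reasons.append("settled amount differs from approved amount")
    return reasons

def dispute_queue(settlements, card_status, issued_auths):
    """Map settlement id -> reasons, for transactions that need review only."""
    queue = {}
    for txn in settlements:
        reasons = review_settlement(txn, card_status, issued_auths)
        if reasons:
            queue[txn["id"]] = reasons
    return queue

if __name__ == "__main__":
    for sid, why in dispute_queue(SETTLEMENTS, CARD_STATUS, ISSUED_AUTHS).items():
        print(sid, "->", "; ".join(why))
```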
The recent security breach at Home Depot spanning from April to September of 2014, which happens to coincide with the busiest months for the big orange box, is the latest in a string of security breaches affecting large store chains. The announcement comes on the heels of the Target and Michaels security breaches. While this may have caused a reputational and PR headache for the companies whose systems were hacked, the lion’s share of the cost for the breach falls back on the banks.
Why are banks left holding the bag? It all comes back to Regulation E, Visa and MasterCard rules and the consumer’s limit on liability. Generally, a consumer is not liable for any unauthorized transactions made through their debit or credit card, which means the bank needs to reimburse the customer for any such transactions. The only real option to prevent any fraud from occurring is to send out new cards – which costs the bank a substantial amount of money and can inconvenience customers.
Faced with the cost of issuing new cards and the seemingly endless breaches of security, some banks are taking a wait-and-see approach rather than sending new cards every time a Target or Home Depot gets hacked. This approach should be taken with caution. One thing is for sure: there will be a hit to the bank for any unauthorized transaction. Another issue a bank taking this approach needs to get on top of is insurance. While small, unauthorized transactions can be covered through the bank’s general ledger, larger hits may involve insurance claims. Basic insurance policies cover many bank losses, but they don’t often cover unauthorized debit card transactions. If your bank takes the wait-and-see approach, you should consider adding a “plastic card policy” as part of your insurance coverage.
Banks are trying to fight back. A group of community banks have filed a class action lawsuit against Target to cover the costs of replacing cards and unauthorized transactions. Target has responded with efforts to throw the case out of court rather than settle as T.J. Maxx did in 2007 when it was hit with a cyberattack. What happens with the Target suit is still very much up in the air. The resolution will no doubt have an impact on any future suit against Home Depot and other retailers hit with a security breach.
Chip and PIN Cards and NFC
There may be some relief on the horizon. Chip and PIN cards, or “smart cards,” are the standard in Europe but they have been slow to gain traction here in the U.S. This method is more secure and makes it more difficult for would-be hackers to access funds in an account. Unlike a magnetic stripe, smart cards have embedded microchips that encrypt the information and can be accessed through a PIN code. The end result is a more robust card that is harder to hack. Visa and MasterCard are already pushing the change, so the cards should slowly become the norm.
Other innovations that may change the way electronic payments are made are Apple Pay and Google Wallet. These “virtual” wallets use Near Field Communication, or NFC, to transmit payment information. These NFC payments are certainly innovative, but whether they will replace physical cards and reduce the risk of fraud is still speculative. It’s worth noting that Apple already has over 800 million credit cards on file. We can only hope that Apple’s security measures can withstand a serious hack.