Security for the Changing Face of Fraud INNOVATIONS FOR THE CHANGING FACE OF FRAUD

Fraud is everywhere—and on Creditcards.com projects that commitment to success. INTRODUCTION multiplying. In fact, 17.6 million the total value of fraudulent card- Americans (7 percent of all U.S. not-present transactions alone will Toward that end, CO-OP Financial residents) fell victim to identity theft approach $19 billion in 2018. Services remains dedicated to in 2014, according to the Bureau delivering on all fronts. of Justice Statistics. Nilson reports As any union will attest, Here is what we have learned about that global card fraud increased by fighting fraud is like putting out a the state of fraud today—and about 20.6 percent in 2015, while card wildfire. It requires all hands on deck, how credit unions can apply the most volume grew by only 7.3 percent. a highly effective strategic plan, a advanced security innovations toward And JAVELIN research published powerful arsenal of tools, and a 24/7 the safety of their members.

Security Innovations for the Changing Face of Fraud 2 CHAPTER 1: FALSE POSITIVES AND THEIR IMPACT ON REVENUE

When it comes to fraud detection, emphasizes that all transactions can bring even greater frustration credit unions walk a fine line. should be treated with equal due to the member involved. In fact, Identifying fraud takes advanced diligence. JAVELIN research reports that 39 computing systems and sophisticated percent of declined cardholders algorithms designed to uncover “Issuers may write more rules for abandoned their card after being anomalies in member spending large dollar amounts simply because falsely declined. patterns. However, not every the potential losses are greater,” he anomaly equates to fraud. And said. “However, false positives can “A declined transaction at the declining a genuine transaction can impact any transaction that meets is not only a hassle break member confidence in your the criteria of a fraud strategy rule.” for the cardholder—it can also be card products. embarrassing,” said Buzzard. He adds that, as problematic as false “False positives are a common, positives are for credit unions, they everyday issue,” said John Buzzard, CO-OP’s fraud expert. “Trying to avoid them is like reaching into a paper bag full of different colored hoping to withdraw the same A $118 Billion color each time. It’s a statistical Problem impossibility.”

“For every incidence of fraud According to JAVELIN detected there are almost always research, 15 percent of a few suspects that end up being all cardholders have had non-fraudulent transactions,” said Buzzard. “The important question to at least one transaction ask is whether the fraud captured is incorrectly declined in worth the number of false positives the past year, costing that result from the process.” issuers nearly $118 While false positives typically billion. impact higher dollar purchases disproportionately, Buzzard

Security Innovations for the Changing Face of Fraud 3 False positives are a costly, time-consuming and aggravating byproduct of FALSE POSITIVES AND FRAUD PREVENTION even the most effective fraud prevention strategies. However, there are best A Balancing Act for Credit Unions practices credit unions can embrace to limit their impact. Here is what you need to know: 

FALSE POSITIVES COST ISSUERS BILLIONS (Source: JAVELIN Strategy & Research) 15% $118B Of all cardholders have had at What these declines cost issuers

least one transaction incorrectly DECLINED nearly annually declined in the past year

9B 39% By comparison, what actual fraud Of declined cardholders abandoned costs issuers annually the card after being falsely declined

Conflicting shipping and billing information

IMPACT REASONS $ 8.6B FOR Differing risk appetites  ON among issuers and merchant $ What U.S. e-commerce FALSE acquirers/processors E-COMMERCE merchants will lose in falsely (Source: Businessinsider.com) declined transactions in 2016 DECLINES (Source: Businessinsider.com) Outdated card information

Security Innovations for the Changing Face of Fraud 4 FALSE POSITIVES AND FRAUD PREVENTION A Balancing Act for Credit Unions (continued)

WAYS CREDIT UNIONS CAN CUT LOSSES 5 4 WAYS TO EMPOWER MEMBERS Rely on cutting-edge fraud Falcon Fraud Manager prevention FICO data analytics  FRAUD Machine learning technology Enable them to secure their own cards with mobile card Educate members on Create more granular controls and alerts fraud—and on the reality of fraud strategy rules false positives

 Green light mildly suspicious Talk to them about the transactions - then contact importance of travel Offer tokenized digital the cardholder to verify notifications wallets—and promote their security

Stay up to date on the latest fraud trends and prevention  Communicate via two-way texting to alert members to potential fraud

We have never had to be more vigilant in our action around fraud containment. CO-OP will continue to invest in a strong blend of real-time analytics combined with a variety of tools that address problem areas like identify verification - always with a goal to balance between member and fraud prevention.

Todd Clark, President/CEO, CO-OP

Security Innovations for the Changing Face of Fraud 5 A Constant Balancing Act

For activity that is mildly suspicious, handled delicately,” he said. “While are as detailed as possible. in Real Time and the power of FICO Buzzard advises credit unions to many members appreciate this data analytics,” he said. forego declining the transaction and outreach, others may view it as an “Our risk escalation team works to instead contact the cardholder inconvenience.” seven days a week to fine tune fraud According to CO-OP President/CEO immediately after the purchase to strategy rules for our client credit Todd Clark, the company’s team verify its legitimacy. To help reduce the incidence of false unions, and is supported by a cutting- consistently outperforms the in positives, Buzzard recommends edge suite of fraud prevention tools, keeping false positives to a minimum. “These conversations need to be adjusting fraud strategy rules so they including the Falcon Fraud Manager

CO-OP’s false positive ratio is approximately 5:1, which means five cases are created for “ each incidence of confirmed fraud,” he said. “By comparison, the national average is 9–12:1. For fraud denied in real time, our false positive ratio is 1.3:1 versus a national average of 3:1 Todd Clark, President/CEO, CO-OP Financial Services “

Emerging Tech: Machine Learning

To more accurately distinguish fraud machine learning and continues to which analyzes hundreds of pieces CO-OP’s 2017 technology roadmap from genuine transactions, financial advance its speed and accuracy to of data related to a transaction also includes new, advanced leaders are looking to protect cardholders from both fraud instantaneously, as that transaction learning technology, which will new advances in machine learning and false positives. unfolds. The company is calling it “the integrate with the Falcon Fraud technology. According to the first use of AI being implemented Manager platform to create an even Washington Post, the Visa Advanced MasterCard recently announced on a global scale directly on the stronger scoring mechanism for Authorization System employs new Decision Intelligence Software, MasterCard network.” detecting fraud.

Security Innovations for the Changing Face of Fraud 6 CHAPTER 2: ARMING MEMBERS IN THE FIGHT AGAINST CARD FRAUD

To prevent card fraud, members may percent. According to Visa research as Apple, Samsung and Android Pay, all share a common thread—they be a credit union’s most powerful cited by PYMNTS.com, merchant are recognized by experts as virtually place fraud prevention squarely in the resource. Ondot reports that financial sites that accept their customers’ impossible to compromise. hands of consumers. institutions whose members use EMV cards nationwide have seen mobile apps for card controls and counterfeit fraud drop by 43 percent. While each of these innovations plays Here’s why members should have alerts reduce fraud by as much as 40 And tokenized digital wallets, such a unique role in protecting payments, them:

Battling Fraud with a Smartphone Protecting Cardholders at the Point of Sale

Ultimately, only your members know how they are using their cards, In more than 80 countries worldwide, EMV chip cards have virtually which is why it makes sense to engage them in fraud prevention. eradicated card-present fraud. The technology works by issuing a dynamic code for each transaction that is processed by the merchant. Mobile apps for card controls and alerts allow members to quickly and As a result, member account information remains securely out of a easily specify exactly when, how, where—and with which merchants— fraudster’s reach, locked behind the firewalls at the payments networks. their cards can be used. For example, CO-OP’s CardNav app allows members to receive alerts whenever a card is utilized, with the ability EMV Inroads, According to Visa: to authorize or deny transactions before they are carried out. Users can • 388 million Visa EMV cards have been issued nationwide set spending limits, authorize additional family members for usage, and even temporarily turn cards “off” when not in use. Members can also • 1.7 million locations across the country are chip-enabled track important financial information ranging from account balances to • 40 billion chip-on-chip transactions have been processed (total payment due dates. volume)

Why Act Now: • 41 percent of Visa’s in-store payment volume is chip-based today (Source: PYMNTS.com) Effective October 14, 2016, for Visa, and April 21, 2017, for MasterCard, every U.S.-based card issuer must give cardholders the option to register Up Next—EMV 3DS 2.0 for some basic alerts. EMV 3-D Secure (3DS) 2.0 is a new specification that will allow consumers to authenticate themselves with issuers for card-not-present Moving beyond basic alerts, card control apps empower members to purchases or when verifying their identity for non-payment activities, like prevent fraud vs. just detecting fraud. adding a to a digital wallet.

(Source: Ondot) (Source: Global Banking and Finance Review)

Security Innovations for the Changing Face of Fraud 7 Digital Wallets Go Mainstream

While consumers and merchants have been slower to embrace digital wallets than many had predicted, this dynamic is changing. According to Macdaily.com, Apple Pay transactions were up 500 percent year-over- year in September 2016—with more Apple Pay transactions processed during the month than in all of fiscal 2015. As with EMV, tokenization protects member account data by transmitting a unique code—or token— for each transaction instead of the PAN, preventing actual cardholder data from ever changing hands.

Before Members Pack Their Bags . . .

Make sure members know to file travel notifications with your credit union before leaving town. This step can save everyone involved time and aggravation, and ensure that members have full access to their cards while away.

Mobile Revolution

If the outlook for mobile is any indication, digital wallets have a bright future. For 2017, the number of U.S. smartphone users will reach an estimated 222.9 million, and the number of smartphone users worldwide will exceed two billion.

(Source: Statista.com)

Security Innovations for the Changing Face of Fraud 8 CHAPTER 3: SHORING UP THE BACK OFFICE: THE POWER OF MACHINE LEARNING

Machine learning continues to make So what is machine learning and learning theory to teach the industry headlines as credit unions why is it so effective at catching card computer, in essence, how to think. and other financial institutions fraud? increasingly find value in big data. As a fraud detection tool, machine According to a study completed by In 1959, artificial intelligence pioneer learning enables highly accurate London-based Oakhall and published Arthur Samuel defined machine predictive analytics based on on finextra.com, global financial learning as a “field of study that enormous volumes of complex—and services firms could save $12 billion gives computers the ability to learn ever-changing—data. annually—or more—by optimizing without being explicitly programmed.” adaptive, machine learning fraud It accomplishes this by employing technology. advanced pattern recognition algorithms and computational

More Effective Than Humans

Research published by Mercator own criteria for what constitutes Advisory Group in conjunction fraud, based on vast amounts of with CO-OP states that, “In most historical data in the system.” situations where human beings determine risk today, a machine He adds, “The technology is rapidly learning algorithm will be able to becoming mission critical because outperform those humans.” fraud has changed dramatically in 2016. We are now at the point where Machine learning also outperforms fraud has mutated and outpaced the neural network technology widely the general thoroughness of neural used by financial institutions to detect networks.” card fraud. The good news for credit unions, “Neural networks follow a rules-based Mercator reports, is that third- approach that requires a human to party software suppliers have program the rules,” said Buzzard. already invested heavily to integrate “New advancements in machine machine learning into their software, learning technology now enable the substantially reducing the cost and system to intelligently develop its effort to employ the technology.

Security Innovations for the Changing Face of Fraud 9 Beyond Fraud Detection Machine Learning by the Numbers While machine learning shines in detecting fraud, there are other valuable credit union applications for the technology, including the following: IBM researchers working with a large U.S. reported that machine learning yielded a 15 percent increase in 1 Cross-selling products fraud detection, a 50 percent reduction in false alarms, and a total savings increase of 60 percent. 2 Facilitating member satisfaction scoring (Source: helpnetsecurity.com) 3 Expediting diagnostics for technical support

A More Intelligent Member Profile

Machine learning makes a fraud detection system faster—and smarter. However, if the member’s card is For example: simultaneously used at a big box store in L.A., the system would recognize this transaction as fraud.

If a member pays a cab driver in Los Angeles

Buys a latte at LA Checs into a in Paris

And then purchases an item from a Parisian boutiue ✓ Machine learning technology LAX creates a transactional profile for the member that would approve a in France

Security Innovations for the Changing Face of Fraud 10 CHAPTER 4: WHY ATM SKIMMING IS RAMPANT (AND HOW TO STOP IT)

ATM skimming is increasing— of migrating to fraud-resistant EMV counterfeit skimming will continue.” both magstripe and PIN data from exponentially. According to USA technology, many are not there yet, unwitting consumers,” he said. Today, FICO reported earlier this making them particularly vulnerable According to Buzzard, ATMs have year that ATM skimming is prevalent to card fraud. always been targeted by criminals. With skimming devices evolving into across virtually every region of the sleeker, smaller and more authentic “Because ATMs require PINs to be U.S., and that it increased overall 546 “Skimming is a huge issue this year,” looking replicas of actual ATM used in tandem with a payment percent year-over-year. And while said Buzzard. “As long as magstripe components, detecting their presence card, they are fertile ground most U.S. ATMs are in the process technology exists on payment cards, is becoming increasingly difficult. for fraudsters looking to capture

Periscope Skimmers—Tiny, But Mighty 4 Security Precautions Every Member “Financial institutions now have to tools used to perpetrate ATM fraud, Should Take look for miniscule devices known as Buzzard advises credit unions to ‘periscope skimmers’ that fraudsters closely with industry experts such as install inside ATM magstripe readers, FICO’s Card Alert Service (CAS). 1. Sign up for account alerts and two-way texting capabilities that hidden from view,” said Buzzard. expedite communication and confirmation of fraud “CAS has been a leader in ATM 2. Transact only in environments they trust—If an ATM feels According to PYMNTS.com, while skimming detection for decades and unsafe, members should move on to an alternative location periscope skimmers are small remains one of the best industry where they feel safe enough to evade detection, they resources for managing losses from can hold up to 32,000 unauthorized ATM cash withdrawals,” 3. Check their financial accounts everyday to ensure funds are numbers, and sport a battery life he said. “Having physical security secure of up to 14 days. surrounding your ATMs is also critical, 4. Follow the adage “If you see something, say something” as are regular device inspections and To mitigate the damages from member .” periscope skimmers and other

It is not uncommon for a consumer to discover a skimming device on an ATM “ before the financial institution has a chance to catch it John Buzzard, Strategic Technical Account Executive, CO-OP Financial Services “ Security Innovations for the Changing Face of Fraud 11 CHAPTER 5: EDUCATING EMPLOYEES AND MEMBERS - A CHECKLIST FOR CREDIT UNIONS

Fraud is damaging on many levels. In addition to the billions of dollars lost by financial institutions each year due to fraud, incidents can significantly impact member relationships and confidence in your card products.

Your employees and members need to know about fraud—and how to effectively protect against it. Follow our guidelines below for a more secure member base:

What Employees Need to Know . . .

About Fraud Trends change security settings, and About Communications Employees need to be knowledgeable ultimately access accounts. Credit union employees should about all types of fraud, including the exercise caution when disclosing following: About Payments information pertaining to internal • Social fraud – A All credit union employees should fraud detection tactics. Fraudsters form of fraud that occurs when a be well versed in the benefits may be reading these documents, criminal poses as a trustworthy of new, more secure payment too, and may find the information for the purpose of technologies, ranging from EMV chip helpful. soliciting information. Phishing is a cards and tokenized digital wallets good example of this. to MasterCard’s MasterPass, Visa Checkout, and smart phone apps • Card-based fraud – Theft or fraud for card controls and alerts. Branch committed using or involving a employees and call center agents payment card, such as a credit or should be able to demonstrate each , as a fraudulent source of these products to members and of funds in a transaction. explain why they are secure. • Network-based fraud – Also called sniffing, this type of fraud uses About ATM Security computer software or hardware to intercept and log traffic passing Employees should understand how over a computer network. to monitor security across the credit union’s ATM fleet and how to conduct • Software-related fraud – Use visual inspections in compliance with of malicious software, such as the Payment Card Industry Data spyware or Trojan Horse software, Security Standards Council standards. to secretly record user keystrokes,

Security Innovations for the Changing Face of Fraud 12 What Members Need to Know . . .

About Security at Checkout Because fraud always thrives in an unprotected ecosystem, Members should be equipped with The impact of fraud a mobile app for card controls and members also need to keep alerts—and know how to use it. At their antivirus and anti-malware on credit unions and the point of sale, they should know software up to date on PC and their members can Android platforms. that chip-enabled and tokenized be devastating - but payments are more secure because they rely on encryption as a means of About ATM Security information is powerful. authentication. Members should be instructed to An educated and vigilant only use machines in a safe, secure credit union community About Online and Mobile Safety and well-lit area—and to pay close is always a safer one. Members should follow these rules attention to their surroundings while whenever they transact digitally: there. Whenever a POS or ATM makes a member feel uneasy, it is • Vary their login IDs and passwords always best to seek out an alternative to avoid risky situations. • Change login IDs frequently (every month or every quarter) • Only download banking apps from About Authentication trusted sources like the credit Ease and efficiency don’t always union , and not from high equal security. Members should risk web pages that appear in understand that the longer and more social media complex an authentication process is, • Utilize e-commerce solutions, such the more secure it is. as Visa Checkout and MasterCard MasterPass • Never purchase online—or by phone—from a retailer they don’t recognize • Never click on a link embedded in an unsolicited email or pop up

Security Innovations for the Changing Face of Fraud 13 CONCLUSION

As a credit union, protecting member assets is the most important service you provide. Your ability to shield members from the devastating effects of fraud speaks directly to your value proposition. By employing the most innovative technologies and strategies, and by staying informed on fraud tactics as they advance and evolve, you can deliver on your promise of security to members.

Making things inconvenient for fraudsters cannot mean making things inconvenient for members. Their experience must be both safe and seamless. “ Todd Clark, President/CEO, CO-OP Financial Services

Find out about how you can empower your members with the latest security innovations from CO-OP. Visit CO-OPfs.org, email @CO-OPfs.org or call 800.782.9042, option 2

Security Innovations for the Changing Face of Fraud 14 CO‑OP Financial Services 9692 Haven Avenue Rancho Cucamonga, CA 91730 CO‑OPfs.org

©2017 CO-OP Financial Services 12272016CF16427