Date: 2020-01-31

Debit is one of the main payment methods in the United States and is particularly attractive to consumers ages 31 to 38. A 2018 survey found that 40 percent of American financial institution (FI) customers in this age group indicated debit cards as a means of payment, while 36 percent preferred credit cards. Meanwhile, consumers between the ages of 18 and 22 equally trusted the two methods.

However, younger generations are not the only ones to benefit from the advantages of direct debit. Another 2018 survey found that consumers of all ages showed growing interest in such cards as customers’ preference for the payment method increased 10 percent compared to 2017. Consumers seem to be shifting their debit payments from brick-and-mortar stores to e-commerce channels, meaning FIs and card issuers need to support them while minimizing online security risks. These organizations must counter all threats and combat both popular and emerging methods of debit fraud attacks.

Doug Clare, vice president of fraud product management at FICO – a provider of consumer credit score, analytics software and fraud detection platforms – knows this dilemma well. He recently spoke to PYMNTS about how to protect debit cards and related bank accounts from cybercriminals.

Holistic security

FIs have long been aware that relying on knowledge-based authentication (KBA) only goes so far. After all, PINs and account passwords can be stolen, which has led many banks to add security measures that analyze how consumers enter their information and what they do once they are granted access to the account. This includes, among other things, the monitoring of keystroke rhythms, typical transaction values, expenditure patterns and which devices are used at certain times. These features describe what normal behavior looks like for each customer, and actions that deviate from these trends can indicate fraudsters at work, even if correct PINs and security questions are entered.

However, looking at customers’ activities is only part of the puzzle. To prevent debit card fraud, FIs and payment companies need to take a holistic view of each participant’s behavior in every transaction, Clare said. This also requires the analysis of typical activities at payment terminals, POS devices or ATMs where customer cards are accepted.

“By looking at the behavior of multiple entities and understanding the level of normality or abnormality of those entities, you can get a more complete picture of fraud,” said Clare. “You can look at the cardholder. If the customer has multiple cards, you can check whether this behavior is consistent for the different account types of the customers. You can take a look at the behavior of the ATM: are the rates, pace and characteristics of this particular withdrawal on this ATM in or out of pattern?”

For example, a cardholder might withdraw $300 from an ATM near his work every Tuesday. An ATM that shows five withdrawals of $300 within two minutes, by contrast, is an important red flag. Clare added that reviewing activity on such ATMs is critical, as an ATM that has made high withdrawals of the same value in a short period of time may have been the victim of a fraudster using fake cards to extract the maximum allowable amount from each.
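The terminal-level check described above can be sketched as a sliding window keyed on ATM and amount. This is an added example, not FICO's method or code from the original article; the record layout, the ATM and card identifiers, and the sample data are constructed, and the thresholds (five withdrawals, two minutes) are taken from the paragraph's illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, atm_id, card_id, amount_usd).
WITHDRAWALS = [
    ("2020-01-07 12:05:00", "ATM-A", "card-001", 300),  # routine Tuesday habit
    ("2020-01-14 12:03:00", "ATM-A", "card-001", 300),  # same habit, a week later
    ("2020-01-21 02:10:00", "ATM-B", "card-101", 300),  # burst starts
    ("2020-01-21 02:10:25", "ATM-B", "card-102", 300),
    ("2020-01-21 02:10:50", "ATM-B", "card-103", 300),
    ("2020-01-21 02:11:15", "ATM-B", "card-104", 300),
    ("2020-01-21 02:11:40", "ATM-B", "card-105", 300),  # fifth within 100 seconds
    ("2020-01-21 09:30:00", "ATM-B", "card-200", 60),   # unrelated small withdrawal
]


def flag_atm_bursts(records, window=timedelta(minutes=2), min_count=5):
    """Flag ATMs that dispense the same amount min_count times inside window.

    The profile is kept per terminal, not per cardholder, so a burst spread
    across many different cards is still visible.
    """
    recent = defaultdict(deque)  # (atm_id, amount) -> deque of (time, card_id)
    alerts = []
    for ts, atm, card, amount in sorted(records):  # ISO timestamps sort in time order
        now = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        queue = recent[(atm, amount)]
        queue.append((now, card))
        # Drop withdrawals that have aged out of the window.
        while now - queue[0][0] > window:
            queue.popleft()
        if len(queue) >= min_count:
            alerts.append({
                "atm": atm,
                "amount": amount,
                "at": ts,
                "count": len(queue),
                "cards": sorted({c for _, c in queue}),
            })
    return alerts


if __name__ == "__main__":
    for alert in flag_atm_bursts(WITHDRAWALS):
        print(alert)
```

The weekly $300 withdrawals at ATM-A never accumulate in the window, while the five-card burst at ATM-B raises one alert listing every card involved.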

The rise in CNP fraud

As criminals are constantly trying to modernize their attacks, they are increasingly targeting card-not-present (CNP) transactions. This enables them to use digital channels and benefit from the anonymity of remote interactions. These fraudsters can then sell the illegally obtained payment data or use it in e-commerce.

Bad actors may find CNP transactions more tempting as physical card security increases, Clare said, noting that the spread of EMV chips has made counterfeiting more difficult. Using stolen IDs to buy airline tickets is a form of CNP fraud that has increased in recent years, he added. Fraudsters make these high-value purchases either because they want to take the flights or because they can cancel and request refunds. Such offenses are considered minor issues and are generally not prosecuted by law enforcement agencies.

FIs and retailers also can’t just focus on stopping high-value fraud. Bad actors often make small transactions to test stolen credentials, knowing that few companies want to take the risk of irritating customers by checking minor purchases. FICO analyzes all levels of payment activity to quickly identify suspicious activity and nip fraud in the bud.

Classic direct debit attacks

However, new forms of direct debit fraud do not mean that the old ones have gone away. Financial service providers must therefore remain vigilant. According to Clare, synthetic identity and resolution fraud programs target direct debits more than credit. Hackers who commit synthetic ID fraud collect information that was stolen in data breaches to create fake identities and then use them to obtain debit cards. Attempted fraud involves either fraudsters who rely on synthetic IDs or customers who use legitimate identities to open accounts. These parties maintain a good reputation until credit institutions trust them enough to provide strong overdraft protection, then take out a substantial overdraft credit and abandon the accounts without repayment.

Other common threats include account takeovers (ATOs), where bad actors seize legitimate customers’ accounts, and spontaneous fraud. The latter problem means that customers who intended to use their debit cards and accounts for legitimate purposes eventually overdraw and abandon their debts after deciding that repayment would be too difficult. These customers do not act on a long-term basis, unlike those who maintain fraud.

FIs can better protect themselves against direct debit abuse by carefully considering transaction approval thresholds and the factors they use to determine approval, Clare said. This could mean examining what types of purchases are made. For example, trying to buy something in a jewelry store at 2 a.m. might raise suspicion, and different product categories have different fraud rates. It is also important to control when overdrafts are allowed and when customers are granted higher limits.

“(FIs have to) be careful, especially if they don’t have a strong behavior profile for this customer,” said Clare. “You have to consider the term of office and the type of transaction. (It is advisable) to have a higher standard of care for these transactions by possibly limiting the overdraft amount that you grant to clients who have (no) long terms or who only have an account with the bank. If you don’t have a really good, strong, long relationship with multiple products to a customer and you don’t have a track record of success, you need to be careful and not get into a situation where you (or him) overwhelmed you.”

FIs can only consider easing their boundaries after observing customer behavior over a long period of time, preferably across multiple cards and accounts. Vigilant fraud detection strategies and a high degree of caution can help companies determine what to do when detailed behavioral information is not available.

One thing is certain: financial service providers cannot afford to overlook better monitoring of direct debits and the detection of fraud. In the U.S., demand for direct debits is increasing, and financial services providers who want to stay relevant need to make sure that consumers can trade safely with their preferred payment methods. They cannot afford to forgo convenient and secure debiting.

