Brian Pennington

A blog about Cyber Security & Compliance

Tag

fraud prevention

Syntec Telecom and Davies Hickman Partners have produced a report on how contact centre leaders are meeting the challenges of PCI DSS and consumers’ concerns about credit card payments over the phone.

Extracts from the report are below.

Consumers demand better card payment security

  • 72% (68% in 2012) say “call centre managers should do more to prevent credit and debit card fraud”
  • 74% (70% in 2012) say “the banks, credit card and payment companies should do more to prevent fraud”

The report’s authors believe their research shows that, despite years of compliance pressure, call centres are adopting one of three methods to deal with the issues:

  1. ‘Head in the Sand’: These organisations are adopting a trust-based approach relying on existing systems and staff, including elements of ‘clean-rooming’, but are unaware of the seriousness of PCI requirements
  2. ‘Segmenting the Problem’: Here, organisations are setting up discrete payment teams to reduce the numbers of agents taking payments
  3. ‘De-scoping payments’: Organisations engaged in PCI compliance are using technology to shield crucial payment card data from the call centre

Key findings from the research:

  • 1% (2013), 3% (2012) of consumers say payment over the phone to a call centre is the most secure method (compared to chip and pin, online and self-service/ATM payments)
  • 16% (2013), 14% (2012) of UK consumers say they are very confident that “Organisations I buy from over the phone will keep my personal and card payment details secure”
  • 80% (2013 & 2012) of consumers say that despite careful recruitment policies, some call centre agents may commit fraud, directly or indirectly, by stealing personal data and credit card payment details taken over the phone from customers
  • 72% (2013), 68% (2012) say call centre managers should do more to prevent credit and debit card fraud.
  • 68% (2013), 58% (2012) of UK consumers say “As a general rule, I don’t think companies should be allowed to keep my credit or debit card details on their databases”
  • 32% of UK consumers say they have seen news stories about credit & debit card fraud in call centres (39% of 18-34 year olds)
  • Twice as many consumers favour using their phone keypad* to enter their card details whilst the agent is still on the call, compared with the solution where the agent simply pauses the call recording. A majority of consumers (58%) say they would use, and be happy to use, their phone keypad, with only 27% favouring pausing the call recording.

Do you believe call centre agents may commit fraud directly or indirectly by stealing personal data and credit card details they take from customers over the phone?

  • Yes, often, 16%
  • Yes, sometimes 64%
  • No 6%
  • Don’t know 14%

When making card payments which is the most secure?

  • Chip and Pin 53%
  • Payments over a secure website 18%
  • Self-service Machines (e.g. train tickets) 11%
  • Telephone payments to call centre agents 1%
  • Don’t know 16%

Solving the compliance conundrum

  • Use technology to hide credit card details from call centre agent 45%
  • Only allow selected agents in ‘clean rooms’ 7%
  • Regular audits of calls to monitor fraud 14%

Has the risk of fraud when giving your credit/debit card details over the phone to a call centre made you reluctant to pay for a product or service?

  • Yes 59% (Yes, often 17%, Yes, sometimes 42%)
  • No 21%
  • Don’t make phone payments 19%

Tips for rebuilding trust through card payment delivery in call centres

  1. Build capability by educating your people about risk, fraud and the value of security to customers
  2. Develop processes and procedures so your people can report suspicions confidently
  3. Build relationships with internal and external fraud monitors
  4. Create a compliance strategy which suits your organisation
  5. Keep your eye on changing operational requirements to improve security programmes
  6. Delete basic operational failings such as storage of sensitive information
  7. Choose trusted secure partners
  8. Explore technologies which ‘shield’ the call centre from sensitive payment data.

Simon Beeching, director at Syntec Telecom, said: “There is no question that card payments over the phone to the call centre remain a weak link. Our research clearly shows that an increasing majority of consumers have serious concerns over card payments by phone. Consumers are now saying they will positively favour brands and call centres that can provide tangible reassurance over their card payment security.”

2012: “A year of Identity & Fraud” a review by Experian

Experian, a global information services company, has posted two summaries of its research and blogs for 2012. I have taken the information that relates to identity theft and fraud and consolidated it into one post.

In March, Experian revealed its latest research which estimated £1.02 billion worth of online shopping transactions were abandoned the previous year by UK consumers frustrated by old and inefficient identity measures. One in five of these abandoned transactions were not taken elsewhere as individuals cancelled their shopping attempt altogether, resulting in £214 million worth of net lost revenue for UK retailers.

The study, which was conducted for Experian by the International Fraud Prevention Research Centre and included survey data as well as insights from online retailers and the Office of National Statistics, revealed that 44% of UK shoppers had abandoned at least one online shopping transaction in the last year having become frustrated with the length and complexity of certain older forms of identity verification.

Older forms of online identity verification, typically complex, standalone systems drawing on single sources of information to corroborate identity information, are unable to validate as many individuals electronically as modern services. As a result, genuine customers might be forced to call a contact centre, submit physical documents through the post or visit the store or branch to confirm identity. Alternatively, the organisation might choose to accept a lower level of proof, and risk higher levels of fraud, in order to minimise customer inconvenience.

In April, Experian revealed that fraudulent applications for mortgages increased by 8% in the previous year. This was the fifth year in a row in which the rate of mortgage fraud has increased. 34 in every 10,000 applications for mortgages were found to be fraudulent in 2011, compared to just 15 in every 10,000 in 2006.

The overall rate of fraud at point of application across the UK’s financial services sector increased by 4% in 2011, to just over 17 in every 10,000 applications. In addition to record mortgage fraud figures, this overall increase was also driven by growth in insurance and current account fraud. 93% of attempted mortgage fraud in 2011 was down to individuals misrepresenting their personal information on applications. Typically these first party frauds involved falsifying employment status or financial information, and most commonly attempting to hide an adverse credit history.

Experian’s demographic insight revealed that Mosaic groups Terraced Melting Pot (young, poorly educated individuals living in small towns) and Suburban Mindsets (predominantly middle aged, middle and skilled working class individuals) were both responsible for around 15% of first party mortgage fraud cases in 2011. The young, well educated professionals of the Liberal Opinions were also prone to attempting first party mortgage fraud, being responsible for 13% of cases.

Nick Mothershaw, UK&I director of identity & fraud at Experian, comments: “About 70 per cent of financial services application fraud in the UK is down to first parties misrepresenting their circumstances, and the products such as mortgages and insurance that have seen fraud soar over the last year have a significant first party fraud element to them. This kind of fraud tends to originate from financially stressed segments of society.”

  • Insurance fraud. Insurance fraud rates reached 11 in every 10,000 applications and claims in 2011, an increase of 23% over the last year. 89% of insurance fraud was first-party led with the Terraced Melting Pot, Suburban Mindsets and Liberal Opinions demographics responsible for the most instances. Combined they accounted for 43% of cases.
  • Current accounts. The rate of current account fraud increased to 36 frauds in every 10,000 applications in 2011, up from 23 in every 10,000 in 2010. 60% of current account fraud in 2011 was committed by first-parties, almost a quarter (23%) of which was down to the Terraced Melting Pot demographic. The remaining 40% of current account fraud attempts were down to third-party identity fraudsters seeking to open accounts as a springboard to obtain other, more lucrative credit products, or for money laundering purposes.
  • Automotive and credit card fraud rates fall. Not all financial products saw fraud rates increase in 2011. Credit card fraud continued to fall, from 19 in every 10,000 applications in 2010 to 12 in every 10,000 in 2011. The rate at which fraudsters target new credit cards is almost a quarter of the level recorded in 2006, when 45 in every 10,000 applications were fraudulent.  Automotive finance providers have also seen fraud rates fall. 23 in every 10,000 applications were found to be fraudulent in 2011, down from 38 in every 10,000 during 2010. 85% of these frauds were first party.

In May, Experian revealed that Slough had overtaken London to become the identity fraud capital of the UK. The Berkshire town recorded 25 identity fraud attempts for every 10,000 households, with residents targeted at around four times the UK national average (seven households in every 10,000). Residents of London, Gravesend, Birmingham, Luton, Manchester and Leicester were also targeted at twice the national average rate. London as a whole experienced 22 attempts for every 10,000 households, although attempts were not spread evenly across the capital.

Substantial hotspots for identity fraud activity were found in and around London’s Olympic neighbourhoods. Financial service providers detected 78 incidents for every 10,000 households in East Ham, as residents were targeted at more than 11 times the national rate. Woolwich and Stratford also experienced significant identity fraud activity, recording 46 and 43 identity fraud attempts respectively for every 10,000 households.

Whilst the instances of fraud across all financial products remained at a constant level between 2010 and 2011 (six in every 10,000 applications were found to be fraudulent), the data shows that there was a surge in identity theft via current accounts and mortgages during this period, with rates doubling (from six to 14 in every 10,000 applications) and quadrupling (from one to four in every 10,000) respectively.

Identity fraud attempts on credit cards fell from 17 to four in every 10,000 applications.

Fraudsters turn their attention away from the wealthy.

  • For the first time, young people renting small flats from local councils or housing associations represent the demographic most likely to be targeted by identity fraudsters. This group, known in Experian’s Mosaic classification as Upper Floor Living, saw its identity fraud risk score increase by 47% to 256 in 2011. Its constituents are two-and-a-half times more likely than the average UK resident to be targeted.
  • Almost as high on the identity fraud danger list are the Terraced Melting Pot (risk score 242), a group of mostly young people with few qualifications who work in relatively menial, routine occupations, and live close to the centres of small towns or, in London, in areas developed prior to 1914. The Terraced Melting Pot saw its risk score increase by 75% in 2011.
  • Previously, the wealthy Alpha Territory demographic – representing the wealthiest sections of society living in fashionable London neighbourhoods – were most likely to be targeted. The risk score for this group halved in 2011 (from 301 in 2010 to 149) as fraudsters turned their attentions to younger and less affluent sections of society.

In June, Experian revealed that the financial services industry saw a 16% quarter-on-quarter jump in fraud rates in the period January to March 2012, driven primarily by a significant surge in current account fraud. 19 in every 10,000 applications for financial services were found to be fraudulent in the first three months of 2012, up from 16 in the last quarter in 2011. 44 in every 10,000 current account applications were detected as being fraudulent during the first quarter of 2012, 23% higher than Q4 2011.

The current account extended its position as the most targeted financial product, recording the busiest period for current account fraud ever recorded by Experian. Experian’s data shows that the majority (62%) of current account fraud in 2011 was committed by first-party perpetrators, which typically involves an individual painting a knowingly false portrait of their personal circumstances to obtain services to which they are not entitled. 38% of current account frauds were due to individuals attempting to hide adverse credit histories when opening current accounts or applying for overdrafts.

A further 39% of current account fraud involved product or payment abuse, which included people knowingly attempting to make payments with insufficient funds in their accounts. Attempted insurance fraud increased by 37% quarter-on-quarter, to reach its highest point since late 2009. 13 in every 10,000 applications and claims were detected as being fraudulent during Q1, up from 10 in Q4 2011. 58% of insurance fraud involved some form of product abuse, most significantly the provision of false payment information.

A 56% increase in identity fraud attempts pushed credit card fraud up from 10 cases in every 10,000 applications in the final three months of 2011 to 14 in the first quarter of 2012. Attempted identity frauds on cards leapt from five to eight in every 10,000 applications over the same period.

Nick Mothershaw, UK director of identity & fraud services at Experian, comments: “Experian’s data shows further growth in current account fraud during the first quarter of 2012, mostly emanating from individuals providing false information attempting to open new accounts or obtain overdrafts or making payments they knowingly couldn’t afford. The threat of identity fraudsters seeking to open accounts in the names of unsuspecting third parties, for money laundering or as a springboard to attempt fraud on more lucrative credit products, also remains.  Credit cards have seen a resurgence in identity fraud, while a growing number of financially stressed individuals consider misrepresenting their personal or payment information when applying for insurance, contributing to a significant fraud upswing in the first quarter of 2012.” 

  • Automotive finance. Fraud attempts in the automotive finance sector have declined significantly, down 34% on the previous quarter. There were 18 attempted frauds in every 10,000 applications in the first quarter of 2012, the majority of which were individuals attempting to hide an adverse credit history when applying for automotive finance.
  • Loans. The number of fraudulent loan applications has continued to decrease, reaching the lowest point ever recorded by Experian. Four in every 10,000 applications were discovered to be fraudulent in Q1 2012, 38% lower than the previous quarter. Attempting to hide an adverse credit history continues to be the preferred modus operandi in more than half of attempted loan fraud.
  • Mortgages. Attempted mortgage fraud fell by 5% quarter-on-quarter, with 35 in every 10,000 applications uncovered as fraudulent during the first three months of 2012. Attempting to hide an adverse credit history, misrepresenting employment status and falsifying financial information were the most commonly used tactics employed by mortgage fraudsters during Q1.
  • Savings accounts. Savings account fraud rates were 18% lower in the first quarter of this year than the preceding three months. 12 in every 10,000 applications were found to be fraudulent, with identity fraudsters responsible for more than 80% of cases.

In July, it was reported that fraudsters had traded 12 million pieces of personal information online in 2012, representing a threefold increase on corresponding figures for 2010. Experian data indicated that consumers had an average of 26 separate online logins, but just five different passwords across them all.

Experian advised people to change their passwords on a regular basis and try to make them more complex to keep fraudsters from cracking them.

The full story can be found here.

In August, a special investigation revealed that fraudsters were stealing identities in order to take out multiple mobile phone contracts and walk away with valuable handsets. One man returned from a holiday to discover fraudsters had taken out nine contracts in his name.

Experian said around 200 victims were contacting the company each month for help to restore credit histories that had been damaged by the “mobile communications fraud”.

George Hopkin’s original posts can be found here, part one and part two.

RSA’s January 2012 Online Fraud Report

Below is a summary of RSA’s January 2012 Online Fraud Report:

PHISHING IS A NUMBERS GAME

In 2011, approximately one in every 300 emails circulating the web was deemed to contain elements pointing to phishing. Most phishing content targeted the public sector, which was followed by the SME business sector.

Compared with the total numbers of phishing attacks recorded in 2010, phishing numbers have increased considerably through the past year. The cumulative number of phishing attacks recorded through 2011 was 279,580—a 37% increase from 2010.

In 2011, phishing attacks also received better coverage around the globe, with brands targeted from 31 different geographies and phishing emails communicated in 16 different languages – reaching an even more diverse crowd of Internet users. The top countries in which the most brands were attacked include: the U.S., the UK, Australia, Canada, India, and Brazil.

CONCLUSION

Looking at the year in phishing, it is clear that phishing has become easier than ever before with more automated toolkits available. In fact, some cybercriminals are known to invest all their efforts into phishing attacks only. On average, every phishing attack yields a $4,500 profit in stolen funds for the fraudster, a number which keeps this work-from-home endeavor rather lucrative.

Attack numbers have been increasing annually, and although phishing is one of the oldest online scams, and user awareness is higher than ever, it seems that web users still fall for phishing, unknowingly parting with their credentials over convincing enough replicas of websites they have come to trust.

With the ease of production and the enhanced quality of today’s attacks, the forecasted outlook for 2012 calls for yet another year riddled with hundreds of thousands of phishing attacks worldwide. As the phenomenon continues to spread, it stands to reason that phishing will move on to even more geographies, target more brands and be spread in more languages in 2012.

Phishing Attacks per Month

In December, phishing volumes decreased 26 percent with 21,119 unique phishing attacks identified by RSA worldwide. The UK continued to be the country most targeted by phishing attacks in December, suffering 50 percent of global volume, while the U.S. continued to be the top hosting country, hosting 52 percent of the world’s phishing attacks in December.

Number of Brands Attacked

In December, 256 brands were targeted through phishing attacks, marking an 18 percent decrease from November. The number of new brands attacked for the first time decreased from 13 brands in November to six brands in December.

US Bank Types Attacked

Last month, the portion of brands targeted in the U.S. credit union sector decreased three percent as did the portion of brands targeted by phishing in the U.S. regional banks sector (decreasing seven percent). The portion of attacked brands representing U.S. nationwide banks increased ten percent from 76 percent to 86 percent. This represents the highest portion of brands in the U.S. nationwide banking sector targeted by phishing in the last year.

Top Countries by Attack Volume

The UK was the country most targeted by phishing once again in December – targeted by 50 percent of all attacks – for the fourth consecutive month. The U.S. was the second most targeted country with 28 percent of all phishing attacks.

Since this time last year, the top five countries that have endured the highest volume of phishing include the UK, the U.S., South Africa, Canada and Brazil. In terms of the languages used in phishing attacks, English is still the most dominant, followed by Portuguese, Spanish and Dutch.

Top Countries by Attacked Brands

Together, the U.S. and UK accounted for 43 percent of the world’s targeted brands, while the brands of 14 additional countries accounted for a total of 39 percent of phishing attacks in December.

Top Hosting Countries

In December, the US hosted 52 percent of the world’s phishing attacks, a nine percent decrease from November. Germany and Russia were the second top hosts with five percent of attacks. A surprising entrance came from Japan as a top host in December, accounting for four percent of attacks.

The RSA December Online Fraud Report Summary is here.

The RSA November Online Fraud Report Summary is here.

The RSA October Online Fraud Report Summary is here.

The RSA September Online Fraud Report Summary is here.

Study: Consumers’ Reaction to Online Fraud

ThreatMetrix, a cloud-based fraud prevention company, and the Ponemon Institute have released the findings of their joint study on consumers and their awareness and appreciation of online fraud.

The study has revealed:

  • 85% of respondents reported being worried and dissatisfied with the level of protection online businesses are providing to stop fraudsters. This percentage is up 5% on the Ponemon study of 2009.
  • 42% of respondents said they have been the victim of online fraud.
  • 80% of victims said they did not report the crime.
  • The 19% who said they had reported the fraud reported it only to the online business.

“A lot of fraudulent activity goes unreported today, making it difficult for online businesses to fully understand the prominence and seriousness of the problem,” said Reed Taussig, president and CEO, ThreatMetrix. “With a rise in online transactions and activities across devices, more needs to be done to educate online merchants, banks, social outlets and other businesses on how to decrease fraudulent activity.”

Those respondents that expressed concern over online fraud said they felt online merchants, banks and social networks need to take additional steps to prevent fraudsters from stealing consumer information.

  • 68% would allow a trusted online business to place a cookie on their computer to automatically authenticate them
  • 82% indicated that they would expect an online business to offer alternative authentication methods if they were unable to match the consumer’s digital fingerprint to their security system.

“Our survey results help validate the need and consumer preference for technology, such as device identification, to authenticate identity as opposed to using personally identifiable information,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “Consumers expressed much more willingness to share data like ISP, computer serial number, type and make, rather than information like date of birth and telephone number.”

Information Consumers are Willing to Allow a Trusted Online Business to Check to Verify Their Identity, or Digitally Fingerprint Their Computer:

1. Serial number of computer 88%
2. Type and make of your computer 83%
3. Internet service provider 76%
4. Browser settings  71%
5. Type of browser  65%
6. IP address 59%
7. Types of software applications residing on your device 54%
8. Email address  46%
9. Purchase history  39%
10. Planned future purchases  35%
11. Date of birth  34%
12. Telephone number  17%
13. Home address  16%
14. Name  14%
15. Zip code 9%
16. Social Security number 4%
17. Driver’s license number 2%

Study findings indicate that consumers have a “positive perception about companies that use authentication and fraud detection tools to prevent online fraud”.

  • 56% of consumers indicated they are ‘more willing’ to shop or browse an online business if they know that company is taking specific measures toward combating fraud.
  • 88% of respondents stated a preference for companies to share information about their device for authentication purposes — as opposed to sharing personal information to verify their identity.

 Read the whole study here.
