Fighting Payments Fraud: EMV, Mobile & Beyond
SWACHA Southwest Financial Crimes Event, August 20, 2015
Matt Davies, AAP, CTP, CPP, Federal Reserve Bank of Dallas

Online Banking
• Corporate Account Takeover
  – Experi-Metal v. Comerica
  – PATCO Construction v. Ocean Bank (People’s United)
  – Choice Escrow & Land Title LLC v. BancorpSouth Bank
• “Whale Fishing” / “Masquerading” / “The CEO E-mail” / Business E-mail Compromise (BEC)
• “Invoice Hijacking”
  – Fraudsters intercept correspondence between two parties who have an existing contractual relationship, and “invoice” the target for services that have actually been rendered.

Online Banking
• “Amegy allows customers free access to IBM Security Trusteer Rapport software, which targets malware and…phishing.”

SOURCE: “Hacked & Strapped: Houston Banks Spending Millions on Cybersecurity,” by Suzanne Edwards, Houston Business Journal, Mar. 13, 2015

EMV
• “EMV” = Europay, MasterCard, and Visa
• Global standard for credit & debit payments using chip cards
  – “Chip cards,” “chip and PIN cards,” and “smart cards”
• Cards include a microchip that sends a dynamic protected value unique to each transaction.
  – “Dynamic Data” vs. “Static Data”
• Reduction in counterfeit card-present fraud
  – “Cloning” a chip card is virtually impossible

EMV
• Merchant point-of-sale (POS) terminal upgrades
  – Contact (“dipping”)
  – Contactless: chip is equipped with a wireless antenna so it can be “tapped” on an NFC reader
• FIs issue new credit/debit cards containing chips
  – “Chip & PIN”
  – “Chip & Signature”
  – “Chip & Choice” [US]

EMV
• Liability Shift: Oct. 1, 2015
  – Fuel-selling merchants: Oct. 1, 2017
  – How much will the liability shift drive merchants/card issuers?
    ◦ Many community bank card issuers are in the queue with processors
    ◦ Merchants lag, especially small businesses
    ◦ Will even the “big-box” merchants wait to activate chip acceptance until after this year’s holiday season?
• ATM Liability Shift
  – MasterCard: Oct. 2016
  – Visa: Oct. 2017

EMV – Where are we?
• Visa:
  – About 16% of Visa’s 700m cards in the U.S. have been converted to EMV…
  – Forecast: 63% of the cards will be EMV by the end of the calendar year.
  – Recent Visa studies indicated 83% awareness of chip cards amongst consumers in May; 89% in July
• Julie Conroy, Aite: “70% of all credit cards and 41% of debit cards will be EMV by the end of the year.”

SOURCE: “The State of EMV, by the Numbers,” by David Heun, PaymentsSource, August 12, 2015

EMV – Where are we?
• USAA
  – By Oct., 80% of USAA’s approx. 8m credit cards will have an EMV chip
  – …Still evaluating its EMV options for its approx. 8.5m debit cards issued

SOURCE: “Looking Ahead to Mobile, USAA Targets EMV Chips in 80% of Credit Cards by Fall,” by Kevin Woodward, Digital Transactions News, July 14, 2015

EMV – Where are we?
• Most FIs issuing chip-and-signature
• Exception: State Employees CU, NC
  – $29.5b in assets; second largest CU in the country
  – Issues all of its EMV credit cards with PINs
  – Allows cardholders to authenticate with either the PIN or a signature.
  – So far, less than ½ of 1% of all of SECU’s credit card transactions have been PIN-authenticated

EMV
• Brian Krebs, KrebsonSecurity.com, Aug. 2015, reported a “shimmer” found on an ATM in Mexico
  – Shimmer: a thin device that sits between the card’s chip and the chip reader when the cardholder inserts (“dips”) the card into the slot.
  – Like a skimmer on POS card readers, fuel pumps or ATMs that steals mag-stripe payment card info
  – The shimmer reported by Krebs was easily inserted into the ATM and reportedly could capture EMV card data.

SOURCE: “Does a ‘Shimmer’ on a Mexican ATM Portend a Fraud Threat to U.S. EMV Chip Cards?” by Jim Daly, Digital Transactions News, Aug. 13, 2015

EMV
• Lost/stolen and card-not-received
  – EMV can address this, if “chip-and-PIN”
    ◦ U.S. is “chip-and-choice”; most cards are being issued as “chip-and-signature”
    ◦ With chip and signature, a fraudster can steal mail and use the card without knowing the PIN
  – Will EMV implementation in the US lead to a rise in instances of non-receipt of mail?

Beyond EMV: Online Payments
• EMV does not address online card fraud
• Possible solutions:
  – 3-D Secure (Verified by Visa, MasterCard SecureCode, etc.)
  – Online PIN Debit (e.g., Acculynk’s PaySecure, which uses a “floating PIN pad”)
  – Card readers at home

Beyond EMV
• Tokenization – data at rest
  – Merchant
  – Mobile devices (e.g., Apple Pay)
• Point-to-Point Encryption (P2PE) – data in transit

Mobile Banking – Fraud Alerts
• Security Service FCU ($8.3b; 700,000 members in TX, CO and UT)
• Offers real-time credit and debit card text fraud alerts
  – Free service (except where phone charges apply)
  – Credit card fraud alerts: members sign up online
  – Debit card fraud alerts: automatically enrolled
  – “…the minute we detect any suspicious debit or credit card activity on the account, we send a text message asking for verification of the transaction.”—Howard Baker, EVP/chief risk officer, Security Service FCU

Mobile Banking – Card Controls
• Customer/Member can:
  – Turn credit/debit card(s) on and off
  – Set locations where the cards can be used
  – Set spending limits
  – Control use by transaction and merchant types
• Examples:
  – City Bank Texas, Lubbock
  – Some CUs using CO-OP Financial Services’ CardNav
  – Discover’s “Freeze It”
    ◦ Free
    ◦ Can be used via mobile, online, or phone
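The four controls listed on this slide can be enforced as a rule set run on every authorization request, ahead of any fraud scoring. The Python below is an added illustration, not CardNav's, Freeze It's or any bank's code; the control schema, the country-level notion of "location", the MCC-to-merchant-type mapping and the sample transactions are all constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

# Hypothetical schema for the cardholder's self-service controls (constructed, not a vendor's).
@dataclass
class CardControls:
    enabled: bool = True                                        # "turn the card on and off"
    allowed_countries: Set[str] = field(default_factory=set)    # where the card may be used; empty = anywhere
    per_txn_limit_cents: Optional[int] = None                   # spending limit per transaction
    daily_limit_cents: Optional[int] = None                     # rolling 24-hour spending limit
    blocked_merchant_types: Set[str] = field(default_factory=set)  # merchant types the holder switched off
    blocked_channels: Set[str] = field(default_factory=set)        # transaction types: "pos", "ecommerce", "atm"

# Constructed mapping from merchant category code (MCC) to the coarse merchant types a cardholder sees.
MCC_TO_TYPE = {"5812": "restaurants", "5411": "groceries", "7995": "gambling", "5816": "digital_goods", "5541": "fuel"}

@dataclass
class Transaction:
    amount_cents: int
    country: str
    mcc: str
    channel: str
    when: datetime

def evaluate(controls: CardControls, txn: Transaction, history: List[Transaction]) -> Tuple[bool, str]:
    """Return (approve, reason). Cardholder controls run before any fraud model,
    and the first failing rule declines, so the cardholder's choices always win."""
    if not controls.enabled:
        return False, "card switched off by cardholder"
    if controls.allowed_countries and txn.country not in controls.allowed_countries:
        return False, f"location {txn.country} outside allowed countries"
    if txn.channel in controls.blocked_channels:
        return False, f"channel {txn.channel} blocked"
    merchant_type = MCC_TO_TYPE.get(txn.mcc, "other")
    if merchant_type in controls.blocked_merchant_types:
        return False, f"merchant type {merchant_type} blocked"
    if controls.per_txn_limit_cents is not None and txn.amount_cents > controls.per_txn_limit_cents:
        return False, "exceeds per-transaction limit"
    if controls.daily_limit_cents is not None:
        # Rolling window over previously approved transactions on this card.
        window_start = txn.when - timedelta(hours=24)
        spent = sum(t.amount_cents for t in history if t.when > window_start)
        if spent + txn.amount_cents > controls.daily_limit_cents:
            return False, "exceeds rolling 24-hour limit"
    return True, "within cardholder controls"
```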

Mobile Banking – Security
• Biometrics
  – Touch ID
  – Facial Recognition (e.g., USAA)
  – Voice Recognition (e.g., USAA)
• Mobile treasury management functionality
  – e.g., approve a wire transfer from a mobile device

Mobile Payments
• Cell phone, smart phone, tablet, watch, etc.
• Two types of mobile payments:
  – Proximity Payment – mobile device with technology embedded in/displayed on it is used to make payment at POS
    ◦ e.g., using mobile phone to make payment at POS
  – Remote Payment – mobile device used to initiate payment regardless of proximity to payee/POS
    ◦ e.g., using mobile phone to make payment via PayPal

Mobile Payments Evolving
[Timeline figure; only its labels survive extraction. Periods shown: 2006-2008 Remote SMS & ecommerce Payments; 2009-2010 Mobile Web Payments; 2011; 2012; 2013-2015. Items placed on the timeline (year grouping not recoverable): Amazon Text Buy It; Mobile App Stores (Apple App Store, Android Market); QR Code; Mobile Card Acceptance; Square; PayPal Here; Mobile Wallets; Isis NFC Wallet [later Softcard, bought by Google 2/2015]; Starbucks; PayPal Text to Buy; Direct Carrier Billing; LevelUp; NFC Google Wallet; Cloud Digital Wallet; Apple Passbook; PayPal In-store; Prepaid; Square Wallet (discontinued); Google Wallet KitKat HCE; Beacon BLE; AmEx RFID Contactless Cards; NFC/Cloud Wallet; PayPal Beacon; Google Wallet Prepaid; AmEx Bluebird; Mobile Bank Account; Green Dot GoBank; FI/Card network tokenization (TCH, EMVCo, X9).]

Mobile Payments Players and Products
Who are they and what does this mean to financial institutions?
• Familiar Participants
  – Card Networks
  – FIs
  – Clearing/settlement organizations
  – Processors
  – Money transmitters
• New Participants
  – Mobile carriers (MNOs)
  – Handset manufacturers
  – Chip-makers (NFC, SE)
  – Software solution providers
• New Products
  – Bill-to-carrier
  – P2P
  – Mobile wallets
  – Portable card acceptance
  – Financial management tools
  – Discounts, ads, loyalty rewards

Mobile Payments – Opportunities
• Consumer convenience
• Security
• Safer than cash
• Chip technology (card emulation) for better authentication to mitigate counterfeit cards and fraudulent payments
• Financial inclusion for unbanked
• International compatibility and global acceptance
• Cross-selling, convergence with ad and loyalty programs

Mobile Payments – Challenges
• Slow consumer adoption
• Lack of standards and interoperability
• Proliferation of business models, including hardware and software
• Unclear and complex regulatory environment
• Security concerns

Mobile Payments Security
PRO
• Geo-fencing, biometrics
• Mobile wallet in secure element, or digital wallet accessing cloud via token, protects data
• Diverse platforms may mitigate systemic spread of malware
• Lose your “mobile wallet”? Telco can remotely wipe or disable
CON
• Malware in mobile is growing – 60K malware samples in McAfee database; TrendMicro says >10% of apps infected
• Consumers don’t practice safe mobile computing
• Consumers say security is the primary reason for avoiding mobile payments

Bar Codes / QR Codes
How they work:
1. Consumer opens merchant app on her smartphone
2. App generates a barcode or (as here) a Quick Response (QR) code containing data about the transaction
3. Merchant scans the barcode or QR code

Mobile Wallets
• a.k.a. “digital wallets”
• Mobile technology that functions like a physical wallet
• Can hold credit and debit cards, reward/loyalty cards, etc.
  – Eventually, medical records; digital driver’s licenses (e.g., initiatives in Iowa, Delaware)
• Generally, consumer adoption of mobile wallets to date has been limited.
  – Mobile wallets don’t necessarily solve a problem for consumers; swiping a credit card is not really that difficult!

Near Field Communication (NFC)
• Short-range wireless RFID technology
  – As opposed to the longer range used for toll tags, for example
• Credit/debit card info “provisioned to” the mobile wallet
  – Credit/debit card information is encrypted and stored in a secure element (SE) in the phone (as opposed to “in the cloud”)
  – SE is often an embedded chip controlled by the handset manufacturer, or the SIM card, which is controlled by the mobile carrier
• Less than 14% of all merchant locations are enabled for NFC transactions today
  – Some big merchants have turned NFC off entirely (e.g., Best Buy)
  – Potential drivers of NFC upgrade at merchant POS: EMV; Apple Pay

Mobile Wallets: Apple Pay
• iPhone 6 (Sept. 2014)
• Apple Pay (Oct. 2014)
• Apple Watch (Apr. 2015)
• Uses NFC technology to facilitate contactless payments at point of sale (POS)
• Also allows in-app payments
• NFC antenna across the top of the phone
  – NFC protocol has encryption built into it
• Uses Passbook app (will be renamed “Wallet” in iOS 9)
Image credit: Apple Inc.

Apple Pay
• Uses iPhone’s Touch ID fingerprint scanner as a form of authentication
  – Introduced in the previous iPhone model, 5s
  – Built into iPhone’s home button
• iPhone 6 has a new chip, a secure element (SE), in the phone handset
  – Stores the cardholder’s payment information…
  – …though not the actual card number
Image credit: Apple Inc.

Apple Pay
• Automatically uses consumer’s card on file with iTunes as default payment account
• Users add additional cards by scanning them with the phone’s camera, or typing card details into the Passbook app
• Apple verifies card account data with the card issuer and places a digital rendering of the card in Passbook

Apple Pay
• Apple provides the card-issuing FI with information to help validate a new card:
  – Potential customer’s device name
  – Current location
  – Whether or not the customer has a long history of transactions within iTunes
• Issuing FI decides if additional verification is needed
  – Apple iOS Security Guide: “Depending on what is offered by the card issuer, the user may be able to choose between different options for additional verification, such as a text message, email, customer service call, or a method in an approved third-party app to complete the verification.”

Apple Pay – Card Validation
• An FI might:
  – Ask cardholder to enter additional data to confirm his identity.
  – Require cardholders to log into their online accounts to authorize Apple Pay.
  – Ask cardholder to call a customer-service rep to set up the card
• e.g., Wells Fargo:
  – Requires some customers to provide additional verification to add a card.
  – Customers are directed to call in to verify or to download the Wells Fargo Verify app.
  – The app guides the customer through the verification process.

Apple Pay
• Apple Pay uses tokenization to remove payment card numbers from the transaction process.
  – When a user adds a card, Apple does not store the actual card number
  – Instead, creates a “device-only” account number for each card and stores it in the phone’s SE
  – Each time Apple Pay is used, Apple uses a one-time payment number, along with a dynamic security code
    ◦ Essentially, creates a one-time card use system, and
    ◦ Eliminates the need for a static security code (CVV/CVC) on the plastic card
  – Merchant never sees the cardholder’s name, card number or security code
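The EMV slide's "dynamic protected value unique to each transaction" and this slide's device-only account number with a one-time payment number rest on the same idea: the merchant and terminal only ever see a token and a per-transaction MAC, and the issuer recomputes that MAC under a key that never left the chip or SE, so captured data cannot be replayed. The Python below is an added, simplified model, not EMV's or Apple's actual protocol: an HMAC stands in for the chip/SE cryptogram, a transaction counter stands in for EMV's ATC, and the vault, wallet, field names and test PAN are constructed.

```python
import hashlib, hmac, os, struct
from dataclasses import dataclass, field
from typing import Dict, Tuple

def cryptogram(key: bytes, token: str, atc: int, unpredictable: int, amount_cents: int) -> str:
    """Stand-in for the chip/SE cryptogram: a MAC over the token and the transaction's
    dynamic data (counter, terminal's unpredictable number, amount), unique to this use."""
    msg = token.encode() + struct.pack(">IIQ", atc, unpredictable, amount_cents)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

@dataclass
class TokenVault:
    """Network/issuer side: maps device account numbers (tokens) to the real PAN
    and the per-device key, and remembers the last transaction counter seen."""
    tokens: Dict[str, Tuple[str, bytes]] = field(default_factory=dict)
    last_atc: Dict[str, int] = field(default_factory=dict)

    def provision(self, pan: str) -> Tuple[str, bytes]:
        # The real PAN stays in the vault; the device receives only a token and a key.
        token = "4" + "".join(str(b % 10) for b in os.urandom(15))
        key = os.urandom(32)
        self.tokens[token] = (pan, key)
        self.last_atc[token] = 0
        return token, key

@dataclass
class DeviceWallet:
    """Phone SE / card chip side: holds the token and key, never the PAN."""
    token: str
    key: bytes
    atc: int = 0   # application transaction counter, incremented on every use

    def pay(self, unpredictable: int, amount_cents: int) -> dict:
        self.atc += 1
        return {"token": self.token, "atc": self.atc, "un": unpredictable, "amount": amount_cents,
                "cryptogram": cryptogram(self.key, self.token, self.atc, unpredictable, amount_cents)}

def authorize(vault: TokenVault, msg: dict) -> Tuple[bool, str]:
    """Issuer-side check: recompute the cryptogram under the token's key, then refuse a
    counter that has already been used, which is what a replay of captured data looks like."""
    entry = vault.tokens.get(msg["token"])
    if entry is None:
        return False, "unknown token"
    pan, key = entry
    expected = cryptogram(key, msg["token"], msg["atc"], msg["un"], msg["amount"])
    if not hmac.compare_digest(expected, msg["cryptogram"]):
        return False, "cryptogram mismatch"
    if msg["atc"] <= vault.last_atc[msg["token"]]:
        return False, "counter already used"
    vault.last_atc[msg["token"]] = msg["atc"]
    return True, "approved for card ending " + pan[-4:]
```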

Apple Pay
• To make a payment using his default card, the user does not need to open an app or “wake” the phone, because of the NFC antenna
• Holds iPhone near merchant’s contactless card reader
• Uses Touch ID (home button) to authenticate by fingerprint
• A subtle vibration and beep indicate payment information has been sent
• If the user wants to pay with a card other than his default card, he must first open the Passbook app and select an alternate card

Apple Pay Fees
• Card-issuing FIs pay a per-transaction fee to Apple to be included in Apple Pay
  – 15 bps on credit card transactions
  – $.005 per debit card transaction

Apple Pay – Banks/CUs
• 2,500 FIs have signed on to Apple Pay; 400+ live (8/2015)
  – Security Service FCU (San Antonio)
    ◦ 425,000 credit and debit cardholders
    ◦ “We are fighting a fierce battle for the hearts, minds and eyeballs of our members so we want to be relevant and exciting for them.”—Jim Laffoon, president/CEO, Security Service FCU
  – See Apple’s list at http://support.apple.com/en-us/HT6288
  – See Visa’s list at http://usa.visa.com/clients-partners/technology-and-innovation/applepay/financial-institutions/index.jsp

Apple Pay – Issues
• Not ubiquitous; many retailers won’t accept Apple Pay
• 8m POS in the U.S.
  – As of 3/9/2015: accepted at nearly 700,000 U.S. merchant locations, acc. to Apple
  – 7/2015: anticipate 1.5m+ locations by EOY 2015
    ◦ How does Apple define a “location”? Acceptance terminal?
    ◦ Many of those are vending machines
• Number of iPhones in consumers’ hands
  – Originally only iPhone 6 and iPhone 6+, but
  – Apple Watch enables payments (must be paired with the iPhone to do so).
    ◦ Will extend Apple Pay to iPhone 5, 5c, and 5s
    ◦ “opens up Apple Pay to over 69% of devices on its OS” (Javelin)
Image credit: Apple Inc.

Apple Pay – Fraud Issue
• Not an issue of fraud with Apple Pay itself, but…
• Fraud stemming from faulty verification of the consumer’s identity.
• Criminals with stolen card numbers may provision them to iPhones.
• FIs might verify cardholder’s ID w/ date of birth, e-mail address, etc.
• That info might also be known to criminals
• Criminals use that data with compromised card data they bought online, and set up an apparently legitimate account

Apple Pay – Fraud Issue
• FIs can strengthen their processes for verifying new cards:
  – Don’t just validate “static account data” such as last 4 digits of SSN, DOB, e-mail address
  – Require cardholder to call in to get the card set up on Apple Pay; ask for more than the basics
  – Ask customers to authenticate their phones with Touch ID
  – Send the customer an alert each time his Apple Pay account is used

SOURCE: “Apple Pay Stung by Low-Tech Fraudsters,” by Robin Sidel and Daisuke Wakabayashi, The Wall Street Journal, Mar. 6, 2015

Apple Pay – Future?
• Will “a rising tide lift all boats”?
  – Will uptake of Apple Pay also encourage merchant acceptance of Google Wallet and MCX/CurrentC?
• What role for community banks and CUs?
  – Cards loaded to Apple Pay are accessed through Passbook, which selects the first card enrolled as the default card.
  – How will an FI stand out and provide a compelling app so members will choose their card for mobile payments?
• Interchange?

Apple Pay – Future?
• As Apple Pay grows, will Apple be content w/ 15 bps per credit card transaction / 5c per debit transaction?
• As Apple Pay grows, will Apple be content to not collect/monetize customer transaction data?
• As we continue to move away from plastic cards, will FIs be able to instantly issue card accounts into Apple Pay?
  – “…that will move the market for us.”—Jason Tinurelli, U.S. Bank’s SVP retail payment solutions, digital strategy and innovation

SOURCE: Quoted in “Mobile Makes Headlines, But Plastic Makes Progress,” by David Heun, PaymentsSource, Apr. 13, 2015

Mobile Wallets
• LoopWallet / LoopPay
  – Technology can interact with mag-stripe POS terminals
    ◦ Process called Magnetic Secure Transmission
    ◦ Mimics a mag-stripe’s magnetic pulse, creating a wireless signal that can be read by existing POS terminals
    ◦ Because of this, LoopPay says the technology can work in up to 90% of retail stores
  – Currently requires a fob or case, but can be built into a mobile phone [see next slide]
  – Could be a short-term solution until EMV is fully implemented
    ◦ LoopPay currently has no way to support EMV-chip card payments
Image credit: techfrag.com

Mobile Wallets
• 2/2015: Samsung announced purchase of LoopPay
• 3/1/2015: “Samsung Pay” announced at Mobile World Congress, Barcelona
  – Will be available on the Galaxy S6 and S6 Edge this summer
• Users able to pay for purchases at 90% of mag-stripe payment terminals, as well as NFC terminals
  – Remember, Apple Pay only works at NFC terminals
  – LoopPay could help Samsung Pay gain merchant acceptance quickly compared to Apple Pay

Samsung Pay
• Participants:
  – Visa, Mastercard
  – US Bank, Synchrony Financial (formerly GE Capital)
  – In discussions with AmEx, BofA, Citi, JPMC, others...
• Security:
  – Fingerprint reader
  – Tokenization
• “Samsung won’t charge banks and credit-card issuers transaction fees.”—“Samsung Pay Could Win Over Banks Faster than Apple Did,” Bloomberg News, Aug. 14, 2015

Android Pay
• 5/28: Google announced Android Pay
• Available this summer
• Will be the Android solution for in-store and in-app payments
  – Google Wallet will be a dedicated person-to-person (P2P) app for Android and iOS
• Will come pre-loaded on new Android smart phones from Verizon, AT&T, and T-Mobile

Android Pay
• Like Apple Pay…
  – Near-Field Communication (NFC)
    ◦ …but the Host Card Emulation (HCE) variant of NFC
  – Tokenization
  – Fingerprint authentication

Mobile RDC
• Risk: “double dipping” (or triple, etc.)
• Mitigants:
  – FIs that offer mobile RDC should have protections in place to block duplicate deposits
  – Do not have to offer mobile RDC to all customers; “qualify” them
  – Typically limit the dollar amount that can be deposited (daily, monthly)
  – Restrictive endorsement
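The four mitigants above fit together as a single intake check on each mobile deposit: eligibility first, then the endorsement, then a duplicate test on the item itself, then the customer's daily and monthly limits. The Python below is an added example, not FIS's or any FI's code; the MICR values, limits and customer ids are constructed, and the duplicate store is kept in memory for illustration where a real system would persist it across channels.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Set, Tuple

@dataclass
class CheckDeposit:
    customer_id: str
    routing: str                    # MICR fields as read from the check image (constructed values in tests)
    account: str
    check_number: str
    amount_cents: int
    restrictive_endorsement: bool   # e.g. "for mobile deposit only" found on the back image
    deposited_on: date

@dataclass
class RdcPolicy:
    daily_limit_cents: int
    monthly_limit_cents: int
    require_restrictive_endorsement: bool = True

def check_fingerprint(d: CheckDeposit) -> str:
    """Identify the paper item by its MICR line alone. Amount is deliberately left out
    so a re-presented image whose amount was edited is still recognised as the same item."""
    raw = f"{d.routing}|{d.account}|{d.check_number}"
    return hashlib.sha256(raw.encode()).hexdigest()

@dataclass
class RdcProcessor:
    policy: RdcPolicy
    eligible: Set[str]                                  # customers "qualified" for mobile RDC
    seen: Set[str] = field(default_factory=set)         # fingerprints of every accepted item, all customers
    daily: Dict[Tuple[str, date], int] = field(default_factory=dict)
    monthly: Dict[Tuple[str, str], int] = field(default_factory=dict)

    def accept(self, d: CheckDeposit) -> Tuple[bool, str]:
        if d.customer_id not in self.eligible:
            return False, "customer not qualified for mobile RDC"
        if self.policy.require_restrictive_endorsement and not d.restrictive_endorsement:
            return False, "missing restrictive endorsement"
        fp = check_fingerprint(d)
        if fp in self.seen:   # same item already deposited, by anyone, through this channel
            return False, "duplicate item"
        day_key = (d.customer_id, d.deposited_on)
        month_key = (d.customer_id, d.deposited_on.strftime("%Y-%m"))
        if self.daily.get(day_key, 0) + d.amount_cents > self.policy.daily_limit_cents:
            return False, "daily limit exceeded"
        if self.monthly.get(month_key, 0) + d.amount_cents > self.policy.monthly_limit_cents:
            return False, "monthly limit exceeded"
        self.seen.add(fp)
        self.daily[day_key] = self.daily.get(day_key, 0) + d.amount_cents
        self.monthly[month_key] = self.monthly.get(month_key, 0) + d.amount_cents
        return True, "accepted"
```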

Mobile RDC
• Regulatory guidance: 2009 FFIEC Guidance “Risk Management of RDC”
• FRB Board RFC on proposed changes to Reg CC
  – 2011: http://www.federalreserve.gov/newsevents/press/bcreg/20110303a.htm
  – 2013: http://www.federalreserve.gov/newsevents/press/other/20131212a.htm

Mobile ATM Transactions
• Fidelity (FIS) piloting a mobile app that facilitates cardless ATM withdrawals
  – Customer queues up an ATM transaction in the mobile app before arriving at the ATM
  – ATM displays a QR code
  – User scans the QR code to complete the transaction
• Combats skimming
• Speeds up transactions: at the ATM, 7-10 seconds per transaction as opposed to more than 45 seconds traditionally

Questions?
Matt Davies, AAP, CTP
Payments Outreach Officer
Federal Reserve Bank of Dallas
214-922-5259
[email protected]