Fighting Payments Fraud: EMV, Mobile & Beyond
SWACHA Southwest Financial Crimes Event, August 20, 2015
Matt Davies, AAP, CTP, CPP, Federal Reserve Bank of Dallas
Online Banking
Corporate Account Takeover
– Experi-Metal v. Comerica
– PATCO Construction v. Ocean Bank (People’s United)
– Choice Escrow & Land Title LLC v. BancorpSouth Bank
“Whale Fishing” / “Masquerading” / “The CEO E-mail” / Business E-mail Compromise (BEC)
“Invoice Hijacking”: Fraudsters intercept correspondence between two parties who have an existing contractual relationship, and ‘invoice’ the target for services that have actually been rendered.
Online Banking
“Amegy allows customers free access to IBM Security Trusteer Rapport software, which targets malware and…phishing.”
SOURCE: “Hacked & Strapped: Houston Banks Spending Millions on Cybersecurity,” by Suzanne Edwards, Houston Business Journal, Mar. 13, 2015
EMV
“EMV” = Europay, MasterCard, and Visa
Global standard for credit & debit payments using chip cards
– “Chip cards,” “chip and PIN cards,” and “smart cards”
Cards include a microchip that sends a dynamic protected value unique to each transaction.
– “Dynamic Data” vs. “Static Data”
Reduction in counterfeit card-present fraud
– “Cloning” a chip card is virtually impossible
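Why dynamic data defeats cloning while static mag-stripe data does not, as an added illustration that is not part of the deck: a simplified issuer-side check of a per-transaction cryptogram. An HMAC stands in for EMV's real key derivation and cryptogram algorithms; the card key, counter layout and track format are constructed.

```python
import hmac
import hashlib

# Constructed per-card secret shared only by the chip and its issuer. Real EMV derives
# 3DES/AES session keys from an issuer master key; this HMAC stands in for that
# machinery to show the *property* of dynamic data, not the real algorithm.
CARD_KEY = b"constructed-per-card-secret"

def card_cryptogram(key: bytes, atc: int, amount_cents: int, unpredictable: bytes) -> bytes:
    """Chip side: a fresh value for every transaction, bound to the card's
    Application Transaction Counter (ATC), the amount and a terminal nonce."""
    msg = atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + unpredictable
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

def static_track_data(pan: str, expiry_yymm: str) -> str:
    """Mag-stripe side: the same bytes on every swipe, so a copy is
    indistinguishable from the original card (constructed layout, not ISO 7813)."""
    return f"{pan}={expiry_yymm}"

class Issuer:
    """Issuer host: recomputes the cryptogram and enforces a strictly increasing ATC."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_atc = -1          # highest counter value seen for this card

    def authorize(self, atc, amount_cents, unpredictable, cryptogram) -> str:
        expected = card_cryptogram(self.key, atc, amount_cents, unpredictable)
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINE: bad cryptogram"
        if atc <= self.last_atc:
            return "DECLINE: counter replay (possible clone)"
        self.last_atc = atc
        return "APPROVE"

def run_scenarios() -> list:
    issuer = Issuer(CARD_KEY)
    nonce = bytes.fromhex("1a2b3c4d")          # terminal's unpredictable number (constructed)
    genuine = card_cryptogram(CARD_KEY, 7, 4250, nonce)
    results = [issuer.authorize(7, 4250, nonce, genuine)]       # real card: APPROVE
    results.append(issuer.authorize(7, 4250, nonce, genuine))   # captured data replayed: DECLINE
    # A "clone" that copied everything readable from the chip still lacks CARD_KEY,
    # so any cryptogram it produces fails verification.
    forged = card_cryptogram(b"not-the-card-key", 8, 4250, nonce)
    results.append(issuer.authorize(8, 4250, nonce, forged))
    # Static data: two swipes (or a swipe and a copy) yield identical track data.
    results.append(static_track_data("4111111111111111", "1812") ==
                   static_track_data("4111111111111111", "1812"))
    return results

if __name__ == "__main__":
    print(run_scenarios())
```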
EMV
Merchant point-of-sale (POS) terminal upgrades
– Contact (“dipping”)
– Contactless: Chip is equipped with a wireless antenna so it can be “tapped” on an NFC reader
FIs issue new credit/debit cards containing chips
– “Chip & PIN”
– “Chip & Signature”
– “Chip & Choice” [US]
EMV
Liability Shift: Oct. 1, 2015
– Fuel-selling merchants: Oct. 1, 2017
– How much will the liability shift drive merchants/card issuers?
  • Many community bank card issuers are in the queue with processors
  • Merchants lag, especially small businesses
  • Will even the “big-box” merchants wait to activate chip acceptance until after this year’s holiday season?
ATM Liability Shift
– MasterCard: Oct. 2016
– Visa: Oct. 2017
EMV – Where are we?
Visa:
– About 16% of Visa’s 700m cards in the U.S. have been converted to EMV…
– Forecast: 63% of the cards will be EMV by the end of the calendar year.
– Recent Visa studies indicated 83% awareness of chip cards amongst consumers in May; 89% in July
Julie Conroy, Aite: “70% of all credit cards and 41% of debit cards will be EMV by the end of the year.”
SOURCE: “The State of EMV, by the Numbers,” by David Heun, PaymentsSource, August 12, 2015
EMV – Where are we?
USAA
– By Oct., 80% of USAA’s approx. 8m credit cards will have an EMV chip
– …Still evaluating its EMV options for its approx. 8.5m debit cards issued
SOURCE: “Looking Ahead to Mobile, USAA Targets EMV Chips in 80% of Credit Cards by Fall,” by Kevin Woodward, Digital Transactions News, July 14, 2015
EMV – Where are we?
Most FIs issuing chip-and-signature
Exception: See State Employees CU, NC
– $29.5b in assets; second largest CU in the country
– Issues all of its EMV credit cards with PINs
– Allows cardholders to authenticate with either the PIN or a signature.
– So far, less than ½ of 1% of all of SECU’s credit card transactions have been PIN-authenticated
EMV
Brian Krebs, KrebsonSecurity.com, Aug. 2015, reported a “shimmer” found on an ATM in Mexico
– Shimmer: A thin device that sits between the card’s chip and the chip reader when the cardholder inserts (“dips”) the card into the slot.
– Like a skimmer on POS card readers, fuel pumps or ATMs that steals mag-stripe payment card info
– The shimmer reported by Krebs was easily inserted into the ATM and reportedly could capture EMV card data.
SOURCE: “Does a ‘Shimmer’ on a Mexican ATM Portend a Fraud Threat to U.S. EMV Chip Cards?” by Jim Daly, Digital Transactions News, Aug. 13, 2015
EMV
Lost/stolen and card-not-received
– EMV can address this, if “chip-and-PIN”
  • U.S. is “chip-and-choice”; most cards are being issued as “chip-and-signature”
  • With chip and signature, fraudster can steal mail and use card without knowing PIN
– Will EMV implementation in the US lead to a rise in instances of non-receipt of mail?
Beyond EMV: Online Payments
EMV does not address online card fraud
Possible solutions:
– 3DSecure (Verified by Visa, MasterCard SecureCode, etc.)
– Online PIN Debit (e.g., Acculynk’s PaySecure, which uses a “floating PIN pad”)
– Card readers at home
Beyond EMV
Tokenization – Data at rest
  • Merchant
  • Mobile Devices (e.g. Apple Pay)
Point-to-Point Encryption (P2PE) – Data in transit
Mobile Banking – Fraud Alerts
Security Service FCU ($8.3b; 700,000 members in TX, CO and UT)
Offers real-time credit and debit card text fraud alerts
– Free service (except where phone charges apply)
– Credit card fraud alerts: Members sign up online
– Debit card fraud alerts: Automatically enrolled
– “…the minute we detect any suspicious debit or credit card activity on the account, we send a text message asking for verification of the transaction.”—Howard Baker, EVP/chief risk officer, Security Service FCU
Mobile Banking – Card Controls
Customer/Member can:
– Turn credit/debit card(s) on and off
– Set locations where the cards can be used
– Set spending limits
– Control use by transaction and merchant types
Examples:
– City Bank Texas, Lubbock
– Some CUs using CO-OP Financial Services’ CardNav
– Discover’s “Freeze It”
  • Free
  • Can be used via mobile, online, or phone
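How the four controls listed above can be enforced at authorization time, as an added example (not code from any of the named institutions or from CardNav): the control names, channel labels and sample transactions are constructed; MCC 5411, 5812 and 7995 are real merchant category codes (grocery, restaurants, casino gambling).

```python
from collections import namedtuple
from dataclasses import dataclass, field

@dataclass
class CardControls:
    """Settings the cardholder chooses in the mobile app (constructed model)."""
    enabled: bool = True
    allowed_states: set = field(default_factory=set)    # empty = no location restriction
    per_txn_limit_cents: int = 0                        # 0 = no limit
    daily_limit_cents: int = 0                          # 0 = no limit
    blocked_channels: set = field(default_factory=set)  # e.g. {"ecommerce", "atm"}
    blocked_mccs: set = field(default_factory=set)      # merchant category codes

# One authorization request; channel is "card_present", "ecommerce" or "atm".
Transaction = namedtuple("Transaction", "amount_cents merchant_state channel mcc")

class ControlEngine:
    """Checks each authorization against the cardholder's controls; the first violated control is the decline reason."""
    def __init__(self, controls):
        self.controls = controls
        self.spent_today = 0          # approved spend so far today, in cents
    def evaluate(self, txn):
        c = self.controls
        if not c.enabled:
            return False, "card turned off by cardholder"
        if c.allowed_states and txn.merchant_state not in c.allowed_states:
            return False, f"location {txn.merchant_state} not permitted"
        if txn.channel in c.blocked_channels:
            return False, f"{txn.channel} transactions blocked"
        if txn.mcc in c.blocked_mccs:
            return False, f"merchant category {txn.mcc} blocked"
        if c.per_txn_limit_cents and txn.amount_cents > c.per_txn_limit_cents:
            return False, "exceeds per-transaction limit"
        if c.daily_limit_cents and self.spent_today + txn.amount_cents > c.daily_limit_cents:
            return False, "exceeds daily spending limit"
        self.spent_today += txn.amount_cents   # only approved transactions count toward the day
        return True, "ok"

# Constructed sample: card usable only in Texas, no online purchases, no gambling
# merchants (MCC 7995), at most $200 per purchase and $400 per day.
SAMPLE_CONTROLS = CardControls(allowed_states={"TX"}, per_txn_limit_cents=20_000,
                               daily_limit_cents=40_000, blocked_channels={"ecommerce"},
                               blocked_mccs={"7995"})

def run_sample():
    engine = ControlEngine(SAMPLE_CONTROLS)
    txns = [Transaction(4_500, "TX", "card_present", "5411"),   # grocery in TX: approved
            Transaction(4_500, "OK", "card_present", "5411"),   # out of state
            Transaction(4_500, "TX", "ecommerce", "5411"),      # online use blocked
            Transaction(9_000, "TX", "card_present", "7995"),   # casino blocked
            Transaction(25_000, "TX", "card_present", "5812"),  # over per-purchase limit
            Transaction(19_000, "TX", "card_present", "5812"),  # approved: $235 so far today
            Transaction(19_000, "TX", "card_present", "5812")]  # would reach $425: declined
    return [engine.evaluate(t) for t in txns]
```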
Mobile Banking – Security
Biometrics
– Touch ID
– Facial Recognition (e.g., USAA)
– Voice Recognition (e.g., USAA)
Mobile treasury management functionality
– e.g., approve a wire transfer from a mobile device
Mobile Payments
Cell phone, smart phone, tablet, watch, etc.
Two types of mobile payments:
– Proximity Payment – Mobile device with technology embedded in/displayed on it is used to make payment at POS
  • e.g., using mobile phone to make payment at POS
– Remote Payment – Mobile device used to initiate payment regardless of proximity to payee/POS
  • e.g., using mobile phone to make payment via PayPal
Mobile Payments Evolving
[Timeline figure; the slide layout did not survive extraction. Periods shown: 2006-2008 (Remote SMS & ecommerce Payments), 2009-2010 (Mobile Web Payments), 2011, 2012, 2013-2015. Products and technologies named on the timeline: Amazon Text Buy It; Mobile App Stores (Apple App Store, Android Market); QR Code; Mobile Card Acceptance (Square, PayPal Here); Direct Carrier Billing; PayPal Text to Buy; Mobile Wallets (Isis NFC Wallet [later Softcard, bought by Google 2/2015], Google Wallet, LevelUp NFC, Starbucks, Apple Passbook, Square Wallet (discontinued), PayPal In-store, Google Wallet KitKat HCE); Cloud Digital Wallet; NFC/Cloud Wallet; Beacon BLE; PayPal Beacon; AmEx RFID Contactless Cards; Prepaid (Google Wallet Prepaid, AmEx Bluebird); Mobile Bank Account (Green Dot GoBank); FI/Card network tokenization (TCH, EMVCo, X9).]
Mobile Payments Players and Products
Who are they and what does this mean to financial institutions?
Familiar Participants
– Card Networks
– FIs
– Clearing/settlement organizations
– Processors
– Money transmitters
New Participants
– Mobile carriers (MNOs)
– Handset manufacturers
– Chip-makers (NFC, SE)
– Software solution providers
New Products
– Bill-to-carrier
– P2P
– Mobile wallets
– Portable card acceptance
– Financial management tools
– Discounts, ads, loyalty rewards
Mobile Payments – Opportunities
• Consumer convenience
• Security
  • Safer than cash
  • Chip technology (card emulation) for better authentication to mitigate counterfeit cards and fraudulent payments
• Financial inclusion for unbanked
• International compatibility and global acceptance
• Cross-selling, convergence with ad and loyalty programs
Mobile Payments – Challenges
• Slow consumer adoption
• Lack of standards and interoperability
• Proliferation of business models, including hardware and software
• Unclear and complex regulatory environment
• Security concerns
Mobile Payments Security
PRO
– Geo-fencing, biometrics
– Mobile wallet in secure element, or digital wallet accessing cloud via token, protects data
– Diverse platforms may mitigate systemic spread of malware
– Lose your “Mobile wallet”? Telco can remotely wipe or disable
CON
– Malware in mobile is growing – 60K malware samples in McAfee database; TrendMicro says >10% of apps infected
– Consumers don’t practice safe mobile computing
– Consumers say security is primary reason for avoiding mobile payments
Bar Codes / QR Codes
How they work:
1. Consumer opens merchant app on her smartphone
2. App generates a barcode or (as here) a Quick Response (QR) code containing data about the transaction
3. Merchant scans the barcode or QR code
Mobile Wallets
a.k.a., “digital wallets”
Mobile technology that functions like a physical wallet
Can hold credit and debit cards, reward/loyalty cards, etc.
– Eventually, medical records; digital driver’s licenses (e.g. initiatives in Iowa, Delaware)
Generally, consumer adoption of mobile wallets to date has been limited.
– Mobile wallets don’t necessarily solve a problem for consumers; swiping a credit card is not really that difficult!
Near Field Communication (NFC)
Short-range wireless RFID technology
– As opposed to longer range used for toll tags, for example
Credit/debit card info “provisioned to” the mobile wallet
– Credit/debit card information is encrypted and stored in a secure element (SE) in the phone (as opposed to “in the cloud”)
– SE is often an embedded chip controlled by the handset manufacturer, or the SIM card, which is controlled by the mobile carrier
Less than 14% of all merchant locations are enabled for NFC transactions today
– Some big merchants have turned NFC off entirely (e.g., Best Buy)
– Potential drivers of NFC upgrade at merchant POS: EMV; Apple Pay
Mobile Wallets: Apple Pay
iPhone 6 (Sept. 2014); Apple Pay (Oct. 2014); Apple Watch (Apr. 2015)
Uses NFC technology to facilitate contactless payments at point of sale (POS)
Also allows in-app payments
NFC antenna across the top of the phone
– NFC protocol has encryption built into it
Uses Passbook app (will be renamed “Wallet” in iOS 9)
Image credit: Apple Inc.
Apple Pay
Uses iPhone’s TouchID fingerprint scanner as a form of authentication
– introduced in the previous iPhone model, 5s
– built into iPhone’s home button
iPhone 6 has a new chip, a secure element (SE), in the phone handset
– Stores the cardholder’s payment information…
– …though not the actual card number
Image credit: Apple Inc.
Apple Pay
Automatically uses consumer’s card on file with iTunes as default payment account
Users add additional cards by scanning them with the phone’s camera, or typing card details into Passbook app
Apple verifies card account data with card issuer and places a digital rendering of the card in Passbook
Apple Pay
Apple provides card issuing FI with information to help validate a new card:
– Potential customer’s device name
– Current location
– Whether or not the customer has a long history of transactions within iTunes
Issuing FI decides if additional verification is needed
– Apple iOS Security Guide: “Depending on what is offered by the card issuer, the user may be able to choose between different options for additional verification, such as a text message, email, customer service call, or a method in an approved third-party app to complete the verification.”
Apple Pay – Card Validation
An FI might:
– Ask cardholder to enter additional data to confirm his identity.
– Require cardholders to log into their online accounts to authorize Apple Pay.
– Ask cardholder to call a customer-service rep to set up the card
e.g., Wells Fargo:
– Requires some customers to provide additional verification to add a card.
– Customers are directed to call in to verify or to download the Wells Fargo Verify app.
– The app guides the customer through the verification process.
Apple Pay
Apple Pay uses tokenization to remove payment card numbers from the transaction process.
– When a user adds a card, Apple does not store the actual card number
– Instead, creates a “device-only” account number for each card and stores it in the phone’s SE
– Each time Apple Pay is used, Apple uses a one-time payment number, along with a dynamic security code
  • Essentially, creates a one-time card use system, and
  • Eliminates the need for static security code (CVV/CVC) on the plastic card
– Merchant never sees the cardholder’s name, card number or security code
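A constructed token-service model showing why the merchant never holds the PAN or a static CVV, added here as an illustration and not Apple’s or any card network’s implementation. It goes beyond the slide by also binding each token to the channel it was provisioned for (the token domain restriction of the EMVCo tokenization framework); the token format, key sizes and dynamic-code algorithm are assumptions.

```python
import hashlib
import hmac
import secrets

class TokenService:
    """Stand-in for a token service provider. Issuer and network see the real PAN;
    the device and every merchant it pays see only a device token, and each token
    is only honoured in the domain (channel) it was provisioned for."""
    def __init__(self):
        self.vault = {}      # device token -> (PAN, device_id, allowed_domain, token key)

    def provision(self, pan, device_id, domain="contactless"):
        token = "49" + "".join(str(secrets.randbelow(10)) for _ in range(14))  # constructed token format
        key = secrets.token_bytes(16)          # per-token key behind the dynamic security code
        self.vault[token] = (pan, device_id, domain, key)
        return token, key

    @staticmethod
    def dynamic_code(key, atc, amount_cents):
        """Device side: the one-time security code that travels with each payment."""
        msg = atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big")
        return hmac.new(key, msg, hashlib.sha256).digest()[:4]

    def detokenize(self, token, domain, atc, amount_cents, code):
        """Network side: map the token back to the PAN for the issuer, or explain the refusal."""
        rec = self.vault.get(token)
        if rec is None:
            return None, "unknown token"
        pan, _device, allowed_domain, key = rec
        if domain != allowed_domain:
            return None, "token not valid for this channel"
        if not hmac.compare_digest(self.dynamic_code(key, atc, amount_cents), code):
            return None, "bad dynamic security code"
        return pan, "ok"

def run_flow():
    tsp = TokenService()
    real_pan = "4111111111111111"                          # constructed sample card
    token, key = tsp.provision(real_pan, "device-abc123")   # constructed device id
    code = TokenService.dynamic_code(key, 1, 1899)
    merchant_record = {"account": token, "code": code.hex()}   # all the merchant ever stores
    pan, status = tsp.detokenize(token, "contactless", 1, 1899, code)
    # Even with a valid code, the merchant's copy of the token is refused outside
    # the contactless channel it was provisioned for.
    _, leaked_status = tsp.detokenize(merchant_record["account"], "ecommerce", 2, 1899,
                                      TokenService.dynamic_code(key, 2, 1899))
    return {"merchant_sees_pan": real_pan in merchant_record.values(),
            "pan_for_issuer": pan, "status": status, "leaked_token_status": leaked_status}
```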
Apple Pay
To make a payment using his default card, user does not need to open an app or “wake” the phone, because of the NFC antenna
Holds iPhone near merchant’s contactless card reader
Uses Touch ID (home button) to authenticate by fingerprint
A subtle vibration and beep indicate payment information has been sent
If user wants to pay with a card other than his default card, he must first open the Passbook app and select an alternate card
Apple Pay Fees
Card-issuing FIs pay a per-transaction fee to Apple to be included in Apple Pay
– 15bps on credit card transactions
– $.005 on debit card transactions
Apple Pay – Banks/CUs
2,500 FIs have signed on to Apple Pay; 400+ live (8/2015)
– Security Service FCU (San Antonio)
  • 425,000 credit and debit cardholders
  • “We are fighting a fierce battle for the hearts, minds and eyeballs of our members so we want to be relevant and exciting for them.”—Jim Laffoon, president/CEO, Security Service FCU
– See Apple’s list at http://support.apple.com/en-us/HT6288
– See Visa’s list at http://usa.visa.com/clients-partners/technology-and-innovation/applepay/financial-institutions/index.jsp
Apple Pay – Issues
Not ubiquitous; many retailers won’t accept Apple Pay
8m POS in the U.S.
– As of 3/9/2015: Accepted at nearly 700,000 U.S. merchant locations, acc. to Apple
– 7/2015: Anticipate 1.5m+ locations by EOY 2015
  • How does Apple define a “location”? Acceptance terminal?
  • Many of those are vending machines
Number of iPhones in consumers’ hands
– Originally only iPhone 6 and iPhone 6+, but
– Apple Watch enables payments (must be paired with the iPhone to do so).
  • Will extend Apple Pay to iPhone 5, 5c, and 5s
  • “opens up Apple Pay to over 69% of devices on its OS” (Javelin)
Image credit: Apple Inc.
Apple Pay – Fraud Issue
Not an issue of fraud with Apple Pay itself, but…
Fraud stemming from faulty verification of consumer’s identity.
Criminals with stolen card numbers may provision them to iPhones.
FIs might verify cardholder’s ID w/ date of birth, e-mail address, etc.
That info might also be known to criminals
Criminals use that data with compromised card data they bought online, and set up an apparently legitimate account
Apple Pay – Fraud Issue
FIs can strengthen their processes for verifying new cards:
– Don’t just validate “static account data” such as last 4 digits of SSN, DOB, e-mail address
– Require cardholder to call in to get the card set up on Apple Pay; ask for more than the basics
– Ask customers to authenticate their phones with TouchID
– Send the customer an alert each time his Apple Pay account is used
SOURCE: “Apple Pay Stung by Low-Tech Fraudsters,” by Robin Sidel and Daisuke Wakabayashi, The Wall Street Journal, Mar. 6, 2015
Apple Pay – Future?
Will “a rising tide lift all boats”?
– Will uptake of Apple Pay also encourage merchant acceptance of Google Wallet and MCX/CurrentC?
What role for community banks and CUs?
– Cards loaded to Apple Pay are accessed through Passbook, which selects the first card enrolled as the default card.
– How will an FI stand out; provide a compelling app so members will choose their card for mobile payments?
Interchange?
Apple Pay – Future?
As Apple Pay grows, will Apple be content w/ 15bps per credit card transaction/5c for debit transaction?
As Apple Pay grows, will Apple be content to not collect/monetize customer transaction data?
As we continue to move away from plastic cards, will FIs be able to instantly issue card accounts into Apple Pay?
– “…that will move the market for us.”—Jason Tinurelli, U.S. Bank’s SVP retail payment solutions, digital strategy and innovation
SOURCE: Quoted in “Mobile Makes Headlines, But Plastic Makes Progress,” by David Heun, PaymentsSource, Apr. 13, 2015
Mobile Wallets
LoopWallet / LoopPay
– Technology can interact with mag-stripe POS terminals
  • Process called Magnetic Secure Transmission
  • Mimics a mag-stripe’s magnetic pulse, creating a wireless signal that can be read by existing POS terminals
  • Because of this, LoopPay says technology can work in up to 90% of retail stores
– Currently requires a fob or case, but can be built into a mobile phone [see next slide]
– Could be a short-term solution until EMV is fully implemented
  • LoopPay currently has no way to support EMV-chip card payments
Image credit: techfrag.com
Mobile Wallets
2/2015: Samsung announced purchase of LoopPay
3/1/2015: “Samsung Pay” announced at Mobile World Congress, Barcelona
– Will be available on the Galaxy S6 and S6 Edge this summer
Users able to pay for purchases at 90% of mag-stripe payments terminals, as well as NFC terminals
– Remember, Apple Pay only works at NFC terminals
– LoopPay could help Samsung Pay gain merchant acceptance quickly compared to Apple Pay
Samsung Pay
Participants:
– Visa, Mastercard
– US Bank, Synchrony Financial (formerly GE Capital)
– In discussions with AmEx, BofA, Citi, JPMC, others...
Security:
– Fingerprint reader
– Tokenization
“Samsung won’t charge banks and credit-card issuers transaction fees.”—“Samsung Pay Could Win Over Banks Faster than Apple Did,” Bloomberg News, Aug. 14, 2015
Android Pay
5/28: Google announced Android Pay
Available this summer
Will be the Android solution for in-store and in-app payments
– Google Wallet will be a dedicated person-to-person (P2P) app for Android and iOS
Will come pre-loaded on new Android smart phones from Verizon, AT&T, and T-Mobile
Android Pay
Like Apple Pay…
– Near-Field Communication (NFC)
  • …but Host Card Emulation (HCE) variant of NFC
– Tokenization
– Fingerprint authentication
Mobile RDC
Risk: “Double dipping” (or triple, etc.)
Mitigants:
– FIs that offer mobile RDC should have protections in place to block duplicate deposits
– Do not have to offer mobile RDC to all customers; “qualify”
– Typically limit the dollar amount that can be deposited (daily, monthly)
– Restrictive endorsement
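The duplicate-deposit block and dollar limits described above, as an added example that is not any vendor’s RDC product: the check fingerprint is built from the MICR fields, so the same paper item is caught whether it comes back through mobile, branch or ATM, from the same member or another one. Routing and account numbers, amounts and limits are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class CheckDeposit:
    """One presented item; the MICR fields are what survives re-imaging (constructed model)."""
    member_id: str
    routing: str        # MICR routing/transit number of the paying bank
    account: str        # MICR account number
    serial: str         # MICR check serial number
    amount_cents: int
    channel: str        # "mobile", "branch" or "atm"

class DepositScreen:
    """Blocks re-presentment of a check already accepted through any of this FI's channels
    and applies per-item and daily limits to the mobile channel. A second deposit of the
    same paper at a *different* FI is invisible here; that is what the restrictive
    endorsement ("for mobile deposit only") is meant to catch."""
    def __init__(self, mobile_daily_limit_cents, mobile_item_limit_cents):
        self.mobile_daily_limit = mobile_daily_limit_cents
        self.mobile_item_limit = mobile_item_limit_cents
        self.accepted = {}                     # check fingerprint -> (member, channel)
        self.mobile_today = defaultdict(int)   # member -> mobile deposits today, in cents

    @staticmethod
    def fingerprint(item):
        # The amount is deliberately left out: a check re-deposited with an altered
        # amount (or mis-read by OCR) must still match the first presentment.
        return (item.routing, item.account, item.serial)

    def screen(self, item):
        fp = self.fingerprint(item)
        if fp in self.accepted:
            member, channel = self.accepted[fp]
            who = "same member" if member == item.member_id else "another member"
            return f"REJECT: duplicate of check already deposited via {channel} by {who}"
        if item.channel == "mobile":
            if item.amount_cents > self.mobile_item_limit:
                return "REJECT: exceeds per-item mobile limit"
            if self.mobile_today[item.member_id] + item.amount_cents > self.mobile_daily_limit:
                return "REJECT: exceeds daily mobile limit"
            self.mobile_today[item.member_id] += item.amount_cents
        self.accepted[fp] = (item.member_id, item.channel)
        return "ACCEPT"

def run_sample():
    screen = DepositScreen(mobile_daily_limit_cents=250_000, mobile_item_limit_cents=200_000)
    items = [CheckDeposit("m1", "123456780", "00123456", "1042", 48_000, "mobile"),   # $480: accept
             CheckDeposit("m1", "123456780", "00123456", "1042", 48_000, "branch"),   # paper walked in
             CheckDeposit("m2", "123456780", "00123456", "1042", 48_000, "mobile"),   # image passed along
             CheckDeposit("m1", "123456780", "00123456", "1043", 48_000, "mobile"),   # next check: accept
             CheckDeposit("m1", "123456780", "00123456", "1044", 210_000, "mobile"),  # $2,100 > item limit
             CheckDeposit("m1", "123456780", "00123456", "1045", 160_000, "mobile")]  # day would hit $2,560
    return [screen.screen(i) for i in items]
```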
Mobile RDC
Regulatory guidance: 2009 FFIEC Guidance “Risk Management of RDC”
FRB Board RFC on proposed changes to Reg CC
– 2011: http://www.federalreserve.gov/newsevents/press/bcreg/20110303a.htm
– 2013: http://www.federalreserve.gov/newsevents/press/other/20131212a.htm
Mobile ATM Transactions
Fidelity (FIS) piloting a mobile app that facilitates cardless ATM withdrawals
– Customer queues up an ATM transaction in mobile app before arriving at ATM
– ATM displays a QR code
– User scans QR code to complete the transaction
Combats skimming
Speeds up transactions: At ATM, 7-10 seconds per transaction as opposed to more than 45 seconds traditionally
Questions?
Matt Davies, AAP, CTP
Payments Outreach Officer, Federal Reserve Bank of Dallas
214-922-5259