Daniel McIntyre on Fighting Debit Card Fraud
- The magnitude of the debit card threat;
- Strategies for fighting fraud;
- Effective ways to educate consumers.
TOM FIELD: The topic today is debit card fraud. I am talking with Daniel McIntyre, Information Security and Business Recovery Analyst with Superior Bank in Birmingham, Alabama. Daniel, how are you?
DANIEL MCINTYRE: I'm great, Tom. How are you?
FIELD: Very good. Looking forward to talking with you about this because this is an issue I know that just comes up consistently with institutions. In your experience, Daniel, how big is this issue of debit card fraud at financial institutions today?
MCINTYRE: Speaking from experience for the institutions I have worked for, debit card fraud has had an enormous impact. You know, it wasn't so many years ago that debit card fraud was like the little brother to any amount we would charge-off, you know, compared to our credit cards. But starting about a year ago it was three times the amount of anything we were charging off for credit cards, and I think that is just because, you know, you open an account and you get a debit card nowadays and so it is just the sheer number of cards that are out there in the field has definitely made it something you need to get a hold of or else it could hurt you badly.
FIELD: So for the consumer side, Daniel, how does debit card fraud tend to manifest itself?
MCINTYRE: We see the largest losses through no fault of the consumer at all. They've been a direct result of data breaches where a company, whether they know it or not, has been storing credit card information and then they have gotten hacked into. So, you know, thousands or millions of cards have been taken in a short matter of time. And you know, the criminals will do a small test charge, and if it passes, they have got a live card in their hands and in a matter of minutes they are charging it up.
FIELD: Wow. So at the institutions you've worked with, what have you done to fight this challenge?
MCINTYRE: The most successful thing we did was more or less a fluke. That was specific to one institution that I worked at where we started noticing a trend of the track data that was coming in on card present transactions was actually different than what we had on our cards, and it turned out that some programming error along the way resulted in us having a non-standard track format. And I won't go into all the details because it is still working for them, but so we were able to, on any transaction where the card was present, if it did not contain that specific element in the track we were able to just deny it.
And I know that's not going to work for every institution, but it is certainly something that all institutions could implement by just using the empty field in their track to change the data and make it specific to them.
It doesn't protect you from an out and out, you know, I get your card and skim it on a skimming device, but it does protect you from they just have the card number and expiration date that they got from hacking into somebody's system. And that worked out really well. Like I said, it still works to this day.
We really had to--we used to use Visa's CRIS System for our debit card activity, and over the years it just wasn't strong enough to combat what we were seeing, so we had to move to a third-party system that was a rules-based broad detection system that we programmed and monitored in house. It later evolved into a rules-based and neural net system, and we were able to cut our losses by a third or more on average by having that system installed. It paid for itself in one year rather than the three or five years that the rate of return that was expected. So, I would highly recommend if you have the money and the resources to look into a fraud detection system, there are several companies out there that have them available, and I have worked with several good ones. And if you don't, then there are companies out there who you can outsource to who have the fraud systems. You know, if you are a small enough organization that you can't afford it, that you can farm it out to them and they will monitor your card base 24 hours a day. So, those are definitely things that you need to be looking at if you haven't already.
FIELD: Now how long have you been working in debit card fraud, Daniel?
MCINTYRE: For about 12 years.
FIELD: So you've been around almost as long as the debit cards have, really.
MCINTYRE: Well, that makes me sound old, but yeah, I guess so.
FIELD: What would you say has worked best in fighting fraud, and what has been least effective?
MCINTYRE: I think the best thing is to definitely take as proactive a stance as possible. Unfortunately, everything we do in the industry is reactive to some degree rather than proactive because we are always waiting to see what the criminals are going to come up with next. But taking that proactive stance of trying to do something, of putting in the rules-based system, putting in a neural net, contacting your peers to see what is going on in their specific areas of the world. Because you know what is happening in California today will be happening on the east coast in a week or so or vice versa.
So, definitely plugging into your peers or to these networking groups is a great tool. Visa and MasterCard put out two of the best tools that we were able to use as a gauge for where we needed to direct our fraud research, I guess you could say. And with Visa it is the CAMS Report, I'm not sure what the security alert is for MasterCard, but it is a list of card numbers that they know have been compromised or believe have been compromised. So what we've done at both of the institutions I have worked at is to take those reports, put them into a database, we also have a database of the fraud that is occurring and every month, twice a month, just on a regular basis, run those card numbers up against the fraud that is occurring, and after you see the spike then you can take it to the lines of business and say, hey we need to shut these off; we need to turn them off, reissue them, because we are fixing to have a huge spike off this list. Because the cost of reissuing is oftentimes prohibitive, as these lists can be massive. But once you see the spike you at least have the ammunition to tell them we now have confirmation fraud is occurring on this group of cards, and we need to do something, whether that be run a report to show your highest balance customers and just shut them off to mitigate your losses, or whether you shut the entire list of cards off and reissue them. At least you know and you can subscribe to those from Visa and MasterCard both, and those work very well.
FIELD: Sure. What has been least effective or less effective in your experience?
MCINTYRE: Least effective is more or less the approach of we are going to wait and see, you know, and then try and clean it up afterwards. It is just not the way to go.
I have worked with people who take that approach. They don't want to be the first in the field to do something, or they don't want to cause waves with the other lines of business, so they just wait and any time you just wait to see what is going to happen, well it is going to happen.
And that has always been the least effective.
FIELD: Now you spoke before about oftentimes that debit card fraud is not something that consumers have done. It is a breach of a database. But you know there are things that the consumers can do to protect themselves too. What are some of the best ways that you've seen to educate consumers about the perils of debit card fraud?
MCINTYRE: We've taken several approaches to educate our customers in the past. Unfortunately, you know, the best lesson any customer gets is to learn the hard way and have it happen to them. And the topic has been around for years in the news media, so everybody has heard something about it. Most people know somebody that it has happened to. So it is not that they don't know, it's just that in my opinion they are inundated by the media and by helpful friends and family members that forward emails around the world 50 times.
They get so much information, they don't know how to weed it out. I've seen organizations put flyers in with statements. In my opinion, I don't think that is the best way to go. It is better than nothing, but you know, if I get my statement, I am looking for my statement and anything that is in there I just think you are trying to sell me something, and I toss it. So, I think the best approach if you are going to use a mailing campaign is to send the customers a letter or a notice specifically about that. Don't muddy the water with 'Hey, we've got great loan rates and, oh, by the way this is what you can do to protect yourself.' Just tell them up front this is what you can do to protect yourself, and then remind them constantly.
Another very successful campaign was to place information about fraud protection on our [call center message]. They have used it for years for marketing when you are on hold, the music will interrupt and you will hear a blurb about, you know, we have this rate going on or this promotion going on. Well, we decided to use that time when you have the customer's undivided attention to let them know different ways that they could protect themselves and what they should do if they suspect that something had happened. Because so many times people don't realize that there are time frames and things that they have to follow in order to be 100% protected.
And just getting out and meeting with people; like talking to you today. I have always made myself available to get out with civic groups and social gatherings where people are actively looking for speakers. They want something to fill a time slot and you make yourself available. You know, I, Daniel McIntyre, am with such and such bank and we are here to talk to you about debit card fraud, and people really respond to that. They appreciate you taking the time to get out there and personally meet them. They have lots of questions, and sometimes the question and answer session lasts longer than the talk. They really appreciate it, and it puts a good image out there for your organization that someone is taking the time to educate them.
Those are just some of the best ways that I have seen in the past.
FIELD: That sounds like a great approach, good outreach. Now, as you said, the best thing to do is be proactive about this. We know that not all institutions are. For institutions that are just now starting to tackle the problem of debit card fraud, what one piece of advice would you give them to get started?
MCINTYRE: Don't wait. Don't think you are going to be lucky forever. If you haven't felt the blow yet, it is going to happen. As your organization grows in size, you are going to become more exposed. I have worked for large companies, and I've worked for small ones and everyone eventually feels it is going to happen. You just need to get with some of these vendors, talk with your peers, find out what they are doing and get with the vendors to see if you can put together a business case to either outsource it or bring it in house. You've got to start monitoring it and monitoring it regularly in order to keep anything drastic from happening. Every morning we would come in, and we would review everything that had been blocked the night before to look for new trends, and we would reprogram the rules on a daily basis. So it is not something that you can just put in place and forget about it because the criminals are going to get around you.
It is inevitable, and you just have to always be right on their heels. You may get ahead of them today, but they are going to pass you. You have just always got to be right there ready to jump back in.
FIELD: Daniel, that is excellent insight. I really appreciate your time today and your thoughts on debit card fraud.
MCINTYRE: Well, thanks, Tom. It was great speaking with you.
FIELD: We've been talking with Daniel McIntyre from Superior Bank. For Information Security Media Group, I'm Tom Field. Thank you very much.