Data breaches and the ATM industry

Fair Isaac's John Buzzard shares thoughts about ATM skimming.

September 24, 2008 by

John Buzzard is the manager of client relations for Fair Isaac. To submit a comment about this article, e-mail the editor.
 
During the ATM Industry Association's Payments Fraud in the Americas conference earlier this month, industry leaders from throughout North America spent a great deal of time talking about debit-card fraud and its connection to ATM-skimming attacks.
 
Security is a top-of-mind issue, and its presence in the industry is not expected to diminish anytime soon.
 
John Buzzard, manager of client relations for Fair Isaac Corp.'s Card Alert Service, a decision-management and fraud-prevention solutions provider, says ATM deployers and IT departments should be taking note and making changes.
 
In a report he released in May, "Risk Management for ATM & Card Compromises," Buzzard lists 13 actions every financial institution should have in its security-breach-response plan. Below is an excerpt from his report.
 
Are data breaches and card compromises raising fears and costs unnecessarily? In the recent string of news stories about massive thefts of payment-card data from retailers and other organizations, one of several causes for alarm is this: Only a small percentage of the compromised cards resulted in fraud.
 
While the currently low odds of compromised cardholder data being used for fraud might seem reassuring, it's actually anything but. In fact, it creates a situation that is dangerous, costly, and perplexing for card issuers and consumers alike.
 
Card replacement costs vary from $3.50 to $30 per card. These expenses can have extremely negative effects on institutions of any size, depending on the scope of the compromise. Large issuers are just as easily at risk for substantial loss when hundreds of thousands of compromised accounts are involved. The erosion of consumer confidence adds heavily to the final tally, creating an immediate need to restore faith in the security and convenience of payment cards of both the credit and debit varieties.
Providing timely assistance to customers
 
The idea that responses to mass compromises should be timely and effective is at the heart of the financial-services industry's reservations about the proliferation of notification laws now being enacted at the federal, state and local levels. Credit-card issuers are concerned that undifferentiated, broad-scale notifications could alarm many customers unnecessarily, causing overreactions that may well produce not only expense for the consumer but undesirable market volatility.
 
Anecdotal evidence from financial institutions after large-scale breaches supports the possibility of negative portfolio impact. One such example followed the disclosure from TJ Maxx that more than 45 million credit and debit card numbers may have been stolen from its IT systems. As a result, the Massachusetts Bankers Association announced that it is filing a suit against the company in federal court in Boston.
 
"The Massachusetts Bankers Association made a decision to file a class action suit because we believe we are in the best position to achieve success for our members and customers," said Daniel J. Forte, president and chief executive of the MBA, in a written release. "With the possible exception of the banks from California that could also decide to join us, our New England institutions have had the most exposure to this massive data breach. We believe TJX has more stores in our region than anywhere else other than California and, of course, it is headquartered here in Massachusetts."
 
According to the MBA, banks throughout New England continue to receive lists of "hot" cards that have been exposed in the TJX data breach — more than three months after TJX first disclosed there had been a problem.
 
Large breaches of this sort, if they continue to proliferate, cannot be financially sustained by institutions, as noted by a member of a co-plaintiff in the suit.
 
"Protecting consumers is our No. 1 priority," said Lindsey Pinkham, senior vice president of the Connecticut Bankers Association. "However, retail data breaches are getting larger and more frequent, and we cannot continue to absorb the costs."
 
But companies can do a lot today to reduce negative customer-loyalty impacts. Two of the most important factors affecting consumer attitudes are timeliness and the ability to offer substantive assistance.
 
The new detection solutions provide card issuers with the means to reliably and consistently meet these customer expectations. Now financial institutions can replace broad-brush, undifferentiated notifications with informative, helpful contacts that are specific about the level of fraud risk for each customer and that are coupled with concrete actions that substantially mitigate that risk.
 
By putting in place the means to respond appropriately to mass compromises, commensurate with the actual risk to individual accounts, the financial services industry may also lessen demands for legislative remedies. Many lawmakers are as puzzled by the phenomenon of mass compromises and unsure of what to do about them as consumers.
 
They are seeking solutions that are demonstrably effective and can be fairly and consistently applied. With the new technology, the industry is in a position to take the initiative by bringing forth the solution rather than passively waiting to become the target of more regulation. Surely, it would not be a positive outcome for consumers if new laws ended up institutionalizing far less efficient measures that have far less impact on fraud.
 
Efficient, scalable response to data breaches
 
If the number of mass compromises rises, will card issuers be able to absorb the cost of massive notifications and card replacements, without passing on significant costs to consumers? And the rise of large-scale breaches is expected to continue.
 
Writing in Cards & Payments Magazine, Jeff Trachtman, vice president and manager of Analytic Innovations LLC's fraud risk analysis division, sees a rise in the crime, and in its sophistication.
 
Cards & Payments magazine in May 2007 wrote: "Fraudsters will continue to steal, warehouse, sell and use debit data in ever more sophisticated ways, costing the industry millions in losses and untold reputational damage."
 
STEP BY STEP ACTION PLAN FOR ATM SKIMMING COMPROMISES

1. Issue: Who is in charge of leading an investigation for this organization?
   Action: Identify an internal leader and at least one backup person.

2. Issue: Establish an internal escalation plan in case of an ATM compromise.
   Action: Who needs to know about potential compromises within this organization? Establish an e-mail distribution list for this group.

3. Issue: Select team members.
   Action: Select employees who will contribute on different levels within your organization.

4. Issue: Test the system.
   Action: Schedule a yearly test of your compromise procedure. Make sure contact information is up-to-date.

5. Issue: Choose some law enforcement contacts.
   Action: Make sure you always contact federal law enforcement, such as the Secret Service or FBI, as well as local law enforcement.

6. Issue: Contact law enforcement as soon as a suspicious event occurs.
   Action: Refer to the law enforcement contact list.

7. Issue: Secure the ATM area.
   Action: Cordon off the ATM using caution tape from a standard robbery kit.

8. Issue: Treat the ATM as a crime scene.
   Action: Disable the ATM and wait for law enforcement to arrive.

9. Issue: Observe the perimeter.
   Action: Cautiously note unusual persons or lingering automobiles that may be of interest to law enforcement.

10. Issue: Verify the potential compromise. (Look for sticky adhesive residue, unauthorized brochure holders, devices and unusual openings in the ceiling or walls.)
    Action: Assist law enforcement with a physical examination of the ATM and surrounding area. Do not touch anything until the crime scene is processed.

11. Issue: Notify Fair Isaac's CardAlert Fraud Manager Team.
    Action: CardAlert Fraud Manager will make an ATM-transaction log request that will enable compromised issuers to be notified in a timely manner.

12. Issue: Secure surveillance footage.
    Action: Law enforcement will most likely request surveillance footage as soon as possible.

13. Issue: A compromise has occurred.
    Action: Notify your ATM network that a compromise has occurred.

Data will be analyzed to identify "at-risk" cards issued by other financial institutions. Fair Isaac will perform all the necessary steps to notify the affected issuers of the potential compromise. Fair Isaac will also provide a date range, card count and time range for the compromise upon request from the acquirer. Fair Isaac will continue to monitor for unusual ATM withdrawal activity specific to any identified point of compromise.
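As an added example (not code from the article, and not Fair Isaac's CardAlert service), the script below shows the kind of analysis that step 11 and the paragraph above describe: from an ATM transaction log, pull every card that used a confirmed point of compromise inside the compromise window, group those cards by issuer BIN with a card count and observed date range, and flag later withdrawals on the same cards at other terminals. The CSV layout, terminal IDs, BINs, PANs and timestamps are all constructed sample data and assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample ATM transaction log (CSV): timestamp,terminal_id,pan,amount.
# Every PAN, terminal ID and timestamp here is invented for this example.
SAMPLE_LOG = """\
2008-05-01T08:12:00,ATM-0042,4111111111110001,100.00
2008-05-01T09:30:00,ATM-0042,5555555555550002,60.00
2008-05-01T12:05:00,ATM-0099,4111111111110003,200.00
2008-05-02T17:45:00,ATM-0042,4111111111110004,40.00
2008-05-03T07:20:00,ATM-0042,5555555555550005,80.00
2008-05-04T10:00:00,ATM-0042,4111111111110006,20.00
2008-05-05T02:10:00,ATM-0777,5555555555550002,500.00
2008-05-05T03:00:00,ATM-0777,4111111111110003,500.00
"""


def parse_log(text):
    """Parse the CSV log into a list of dicts, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, terminal, pan, amount = line.split(",")
        records.append({
            "ts": datetime.fromisoformat(ts),
            "terminal": terminal,
            "pan": pan,
            "amount": float(amount),
        })
    return records


def mask_pan(pan):
    """Keep the BIN (first 6) and last 4 so an issuer can match the card
    without the full PAN travelling in a notification list."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _window_hits(records, terminal_id, start_iso, end_iso):
    """Transactions at the compromised terminal inside the compromise window."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    return [r for r in records
            if r["terminal"] == terminal_id and start <= r["ts"] <= end]


def at_risk_cards(records, terminal_id, start_iso, end_iso):
    """Set of full PANs that transacted at the point of compromise in the window."""
    return {r["pan"] for r in _window_hits(records, terminal_id, start_iso, end_iso)}


def issuer_summary(records, terminal_id, start_iso, end_iso):
    """Per-issuer (BIN) report: card count, first/last exposure time and masked cards.
    This is the date range / card count an acquirer would hand to each issuer."""
    by_bin = defaultdict(list)
    for r in _window_hits(records, terminal_id, start_iso, end_iso):
        by_bin[r["pan"][:6]].append(r)
    summary = {}
    for bin_, rs in by_bin.items():
        pans = sorted({r["pan"] for r in rs})
        summary[bin_] = {
            "card_count": len(pans),
            "first_seen": min(r["ts"] for r in rs).isoformat(),
            "last_seen": max(r["ts"] for r in rs).isoformat(),
            "cards": [mask_pan(p) for p in pans],
        }
    return summary


def post_compromise_withdrawals(records, at_risk, terminal_id, end_iso):
    """Ongoing monitoring: withdrawals on at-risk cards after the window at any
    terminal other than the point of compromise. Each hit is a candidate for
    issuer follow-up, not proof of fraud on its own."""
    end = datetime.fromisoformat(end_iso)
    return [(mask_pan(r["pan"]), r["terminal"], r["ts"].isoformat(), r["amount"])
            for r in sorted(records, key=lambda r: r["ts"])
            if r["pan"] in at_risk and r["ts"] > end and r["terminal"] != terminal_id]


if __name__ == "__main__":
    # Assumed point of compromise: terminal ATM-0042, skimmer present May 1-3.
    recs = parse_log(SAMPLE_LOG)
    start, end = "2008-05-01T00:00:00", "2008-05-03T23:59:59"
    risk = at_risk_cards(recs, "ATM-0042", start, end)
    print(f"{len(risk)} at-risk cards")
    for bin_, info in sorted(issuer_summary(recs, "ATM-0042", start, end).items()):
        print(f"issuer BIN {bin_}: {info['card_count']} cards, "
              f"{info['first_seen']} .. {info['last_seen']}")
    for hit in post_compromise_withdrawals(recs, risk, "ATM-0042", end):
        print("follow-up:", hit)
```

The window bounds are the only judgement call here: a range that is too narrow misses exposed cards, one that is too wide inflates the card count and the replacement cost discussed earlier, so the physical evidence and surveillance footage from steps 10 and 12 are what should pin it down.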
