The debit card is becoming the single most popular form of currency in a consumer’s wallet. In the United States, the average credit card is used to make nearly three monthly purchases, while the average debit card is used nearly five times per month for signature transactions, plus an additional one to two monthly visits to an ATM.
Trends show the gap between debit card and credit card use continuing to widen. Credit card transactions grew five percent between 2003 and 2004, signature-based debit card transactions grew 20 percent, and PIN-based transactions grew 23 percent during the same period.
True, the types of purchases made using credit and debit cards may differ today and may continue to be different in the future. Yet through the sheer volume of debit card activity, consumers will increase the exposure of account data through the use of the physical plastic, careless disposal of printed POS data, out-of-sight mag-stripe swiping, and other activities that subject their debit cards to risk and abuse.
As consumers become more comfortable with using their debit cards and as issuers succeed in creating more incentives for cardholders to use their debit cards for more types of transactions, the opportunities for the criminals to commit fraud will increase accordingly.
How will the increase in debit card fraud impact small and mid-sized debit card issuers in the U.S.?
For the purposes of this article, “small and mid-sized debit card issuers” are defined as those with portfolios fewer than one million total cards issued. This sector represents approximately 40 percent of the total U.S. debit card market and a significant opportunity for criminals to perpetrate debit card fraud in a large sector of the overall market.
It seems as though this market segment will bear a disproportionately large amount of the fraud losses attributed to debit cards in the next three to five years. In addition to the more widespread use of debit cards, which is driven by consumer preference and increased convenience, debit card fraud in the small and mid-sized financial market is gaining momentum because of:
Pressure from large institutions
Large financial institutions have several distinct advantages in defending themselves from debit card fraud, most notably dedicated expertise, advanced analytics, and portfolio size.
Larger institutions recruit and develop skilled individuals with strong analytical backgrounds and dedicate entire business units to risk management. In addition, these institutions archive massive amounts of account, transaction, and fraud data for analysis. This enables them to develop an understanding of how fraud impacts their portfolios at every point in the customer lifecycle — from solicitation, to application, booking, utilization, deposit, account change requests, and expanding or terminating the banking relationship.
Larger issuers can quickly recognize a new fraud trend or area of weakness that’s being exploited simply because have resources dedicated to identifying the crime and improving their defenses.
Consider also that larger issuers often handle their own fraud operations, call center activities, and tracking of specific fraud cases under the same roof. The close integration of fraud investigations and the mechanisms to control it are a key advantage in the fight to protect assets from fraud.
Migration of criminal tactics
Some criminal tactics currently threatening debit card issuers are common and well known. The list includes application fraud, circumvention of card activation controls, kiting, counterfeit, and account takeover, to name a few.
As large institutions mobilize their resources to understand and stop fraud, perpetrators of fraud will be left with a choice — either they will have to invent new schemes to match wits with the analytic skills and resources of the big issuers, or seek easier prey.
History suggests these criminals will likely seek easier prey. As a result, existing fraud schemes will migrate to smaller institutions.
It is simply easier to move an existing scheme to an unsuspecting victim than to create a new one. The resulting increase in losses will be compounded by this sector’s reliance on third-party processing. Small and mid-sized institutions rely on third-party processors to administer a number of the functions critical to fraud management, including the use of software solutions to “score” transaction fraud risk, call center activities for fraud investigation, card embossing/mailing, activation, and authorization processing.
As an example, consider a processor that provides authorization services for 2,000 financial institutions in the small to mid-sized sector. Consider also that the processor does not have the ability to determine a transaction’s fraud risk in real time; that is to say, the authorization controls and fraud scoring systems cannot be invoked before a specific authorization is completed. But the processor can block the “next” transaction based on the fraud risk of the previous one.
Once the fraud perpetrators figure out the processor’s vulnerability, they will know that the best opportunity to make a high-dollar, fraudulent transaction will be on the first attempt to use the card. Furthermore, this can be repeated across a broad base of financial institutions before any single issuer detects a trend.
The same analogy applies to other processes as well. Anywhere vulnerabilities exist, criminals can exploit this market segment based on its fragmentation.
Recent advances in technology have greatly favored those in the fraud business. A quick shopping trip on the Internet reveals an abundance of thumb-sized remote cameras; wireless handheld card readers; blank plastics; magnetic stripe writing tools and software; card embossing devices; and documents detailing every aspect of the card and banking business. All of these items are easily accessible and alarmingly affordable.
Add to that the information that financial institutions make available about themselves; their lending products, the types of customers they serve and vendors with whom they partner. All of this information provides the would-be fraudster with important data that helps them perpetrate crime. From the smallest community banks to the largest, the Internet makes information about every financial institution equally accessible.
As a result of technology advances, small and mid-sized debit card issuers that have historically considered themselves isolated from the risk of fraud find themselves increasingly exposed and targeted by criminals. Phishing scams have emerged where the target banks have fewer than 200,000 total cards issued.
Fraudsters clearly have the ability, interest, and incentive to attempt fraud against small and mid-sized debit card issuers. Even when the required level of technical expertise is high, as in the case of phishing where a duplicate of the bank’s website has to be built, criminals find the effort profitable.
Debit card fraud is growing both for POS signature and PIN-based transactions. Consider that in the fourth quarter of 2004 alone, data from the card associations indicates more than $90 million in fraudulent signature transactions using signature debit cards occurred. This is an average of over $.60 per card in the U.S. This is more than double the dollar amount lost in the same quarter of 2002.
For the criminals, the fraud targets are shifting toward small and mid-sized institutions. With information about lending institutions universally available on the Internet, the decentralized nature of fraud prevention and detection in this segment and the lack of resources to focus on the issue of debit card fraud make the small and mid-sized market the area of greatest opportunity for criminals.
While small and mid-size issuers may not be able to meet the challenge of fraud with the same tactics used by the largest institutions, a few guidelines should be considered:
Track key metrics
Understand the stage of the customer lifecycle where fraud occurs and what processes need improvement.
Measure run time and total dollars lost. With every fraud loss, document the total dollars lost as well as how much time elapsed between the first fraudulent transaction and the time when the fraud was discovered and the account blocked. If detection and investigation functions are outsourced, review these metrics with the responsible vendor and understand what can be done to reduce them.
Understand the capabilities of third-party systems. A simple review of the strategies currently used to protect your cards and the alternatives, such as readily available predictive analytics, can be eye-opening. Common sense should prevail. The goal should be to provide the most comprehensive coverage possible around the clock. The longer the delay between the first fraud alert and decisive action, the greater the losses will be.
Take advantage of the opportunity to network with industry peers to get a broad perspective of what the criminals are doing. Using the collective experience of several small issuers will bring specific fraud trends to light much faster than first hand experience.
The best defense in the fight against fraud will be cardholder vigilance. Explore options for statement inserts and other avenues to ensure accountholders understand the basics of account protection.
A common adage in the home-security business says, “You don’t have to make your house 100 percent burglarproof, just make it easier for the burglar to go next door.” Large U.S. debit card issuers are aggressively pursuing this strategy today through the tight integration of analytics and operations.
As the criminals consider their options and opportunities, it will become critical to small and mid-sized U.S. institutions to re-examine their fraud prevention practices and take action to drive fraud elsewhere.
Chris Ryan is director global fraud solutions at Fair Isaac Corp. in San Rafael, Calif.
© Copyright BankNews, July 2005