Security, fraud, and risk Model Bank profiles: Alfa Bank and USAA

Banks have worked hard to manage the many different risks across their institutions; it has been and will remain costly, time consuming and a top priority. Celent profiles two award-winning banks that have modelled excellence in their use of risk management technology across their organisations.

They demonstrated:

  1. Degree of innovation
  2. Degree of difficulty
  3. Measurable, quantitative business results achieved

(Left to right, Martin Pilecky, CIO Alfa-Bank; Gary McAlum, SVP Enterprise Security Group USAA; Joan McGowan, Senior Analyst Celent)

ALFA-BANK: SETS THE STANDARDS FOR BASEL COMPLIANCE IN RUSSIA

Alfa-Bank built a centralized credit risk platform to implement the Basel II and Basel III standards at the same time, under very tight local regulatory deadlines. The bank centralized all corporate credit-risk information on a single platform connected to its front-office systems and processes. Using Misys FusionRisk, Alfa-Bank implemented a central default system with a risk-rating and risk-weighted-asset (RWA) calculation engine. The project is regarded as one of the most important in the bank’s history, and its successful completion has placed Alfa-Bank at the forefront of setting standards and best-practice methodologies for capital management regulation in the Russian banking industry and with the Central Bank.

USAA: SECURITY SELFIE, NATIVE FINGERPRINT, AND VOICE SIGNATURE

The game-changer for USAA is delivering flawless, contextual customer application services that are secured through less intrusive authentication options. Using biometrics (fingerprint, facial and voice) to access its mobile banking application positions USAA to compete with fintechs across the digital banking ecosystem and to offer exceptional service to its members, who are military personnel and their families.

USAA worked with Daon Inc. to provide biometric authentication paired with its “Quick Logon” dynamic security token technology, which is embedded in the USAA Mobile App on trusted mobile devices. Biometric and token validation shift authentication to who the user is (the biometric) and which enrolled device the user holds (the token), addressing growing concern over the widespread compromise of static user names, passwords and predictable security questions through sophisticated phishing, external data breaches and off-the-shelf credential-stealing malware.

For more information on these initiatives, please see the case study abstract on our website.

Practice what you preach?

This is the next – I have a terrible feeling it’s not the last, though – of seeing the cards world through the eyes of a consumer. The story so far is contained in three previous posts, with the last reporting that my card details were skimmed (we assume) in the US. This post, however, looks at the experience at home.

As a consumer, we often get warnings from our banks about phishing attacks – we will never do this, our emails will look like this, etc. Then consider what a daily average inbox looks like – full of identical emails from fraudsters, often better written, and better laid out. Furthermore, banks only focus on emails and outbound calls. I’m possibly wrong, but I’m fairly sure I’ve never had the same warnings about text messages, tweets etc. Consider then these channels and how many spam messages you get on a daily basis. (It’s probably ok though, as all the PPI claims I’m told I have should more than compensate me for all the recent accidents I’m alleged to have been in!)

Saturday afternoon I received this text:

(image of the text message; the sender’s full number is blurred)

Note that it comes from a mobile number, and texts from my card provider have their details in the text. I deleted it, assuming it was spam, and that if I replied I’d be signed up to some premium rate text service…again. Something made me pause, so I rang my card company, using the number that I already had. And I was right to do so, as it was from them. That’s why I’ve blurred the full number – this is an active line that they are using, but don’t advertise. They seemed surprised that I was querying the method, yet when I asked how many people responded to texts, they seemed less certain (to be fair, it was a call center operator!).

As a consumer, I appreciate the attempt to make it as seamless and easy as possible. Yet it contradicts the advice we’re given. It would be very simple to text people randomly and ask them for personal details to confirm who they are, or to log into a man-in-the-middle website. It feels a little chicken and egg.

Consumers need educating: explaining that the layers of security are there to provide them protection. At the same time, banks need to think about how consumers will – or should – view their messaging. Given the nature of the message, and the reputational issues, I wonder whether it’s time for the banks collectively to find a solution. Detecting fraud and managing it could be a competitive differentiator – or it could prove far more powerful to do collectively. Across providers, across channels, across products. Best practice across the industry surely has got to benefit everyone long term?

I didn’t leave my heart in San Francisco…

…but something far more valuable. So for this post to make sense, you ought to read my last two posts, about my experience of using my credit card in the US. The first talked about the customer experience, and how varied it was. Some of the quirks were allegedly to improve security, yet offered no perceivable additional security. When asked, the retailers I spoke to saw EMV as offering no better security and a worse customer experience. The second noted that many of the threads around card fraud led to the US – either cards being skimmed there, or card details from around the world ending up in the US, where just the mag stripe is required.

Saturday morning I got a call on my mobile. I’ll write another post later about this and how banks tell you to be careful about highly professional looking phishing scams… and then contact you in ways that look like amateur phishing scams! The point of the call was… to say my card details had been skimmed, as they assumed I hadn’t spent a lot of money in person at an art shop in India. Actually, given I had been using my PIN in a terminal 5 miles from my house, in a shop I go in most Saturdays, about 20 mins before that transaction, I was rather shocked by the fact that they’d authorised it anyway even though it was highly unlikely it was me. And guess what? “Have you had to swipe your card recently? That’s probably where they got the details.” Yes, reader – in almost all certainty, stolen whilst I was in the US. If only they had full EMV, then this almost certainly wouldn’t have happened.

What do we want? EMV! Where do we want it? Over there!

In my last post, I talked about the experience of using my credit card in the US, and just how inconsistent it feels. Some of it was undoubtedly tied to security – using photo ID or entering zip codes – though I’m far from convinced that they provided any security at all. In some conversations we’ve had, there has been a feeling that US fraud is actually manageable at an industry level – a belief that they are in line with or better than many other countries. Yet the recent figures from Nilson seem to paint a very different picture. Whilst accounting for 21.4% or $6.187 trillion of total volume last year, the US accounted for 48.2% or $7.86 billion of gross losses worldwide on plastic cards. Zil has – and will! – discuss the implementation of EMV at length with anyone, so I won’t discuss that here. What struck me was how ineffective the current checks were. As a consumer (rather than a payments geek) it struck me that:
  • Asking for zip code as authorisation seems pointless – if I’ve stolen a purse or wallet with cards in, I’m likely to have either the zip code already or have enough info to find it within seconds on the internet
  • Asking for a signature, yet not even checking it seems odd. Perhaps I have an honest face or perhaps the risk didn’t warrant the effort
  • Photo ID, at least for non-US, seems pointless. How many people can spot fake ID, or know what a, say, Latvian national ID card looks like?
Another thought that strikes me is that the figures probably hide some other issues too. Traditionally, a third of UK card fraud takes place overseas (in 2014, £150m of £479m). And given that most other countries have EMV, the majority of that takes place in the US – it has been ranked the country with the highest losses every year for as long as I can find records for. I suspect the figure above does not include this. The volume of fraud that could be cut by EMV in the US would then seem to be even higher. Whilst I know it’s not that simple, the US “accounts” for over 5% of UK card fraud. Full EMV in the US wouldn’t reduce this to zero – but equally, even if it halved it in the top 10 countries which lose most to the US, the reduction in fraud would easily be in excess of £100m a year. Visitors to the US aren’t just wanting the experience to improve, they’re wanting to stop paying for fraud that takes place in the US as well.

Can’t Wait for the US to Migrate to EMV: The Musings of A Visitor

Usually, during the Autumn season, I make a few trips to the United States for conferences and client visits. This year was no exception and I have recently come back from two trips, to Las Vegas and San Antonio. EMV migration in the US was high on the agenda during both visits and I came back with two takeaways: 1) the US market is finally serious about EMV and preparations are going full steam ahead and 2) I am glad it is happening. All the data breaches at retailers, from Target to K-Mart/Sears, have spooked the market and stirred it into action. Some of the major challenges, such as reconciling EMV with Durbin/Reg II, have been resolved – on November 4, Vantiv announced it became the first US acquirer to successfully complete a debit EMV chip transaction compliant with Durbin. Most of the issuers are in the planning stages and beyond, even with debit. On September 30, Bank of America became the first major US bank to announce that all new debit cards will be EMV, while existing cards would be replaced at expiry.

I am planning to soon publish a report on the US EMV migration, which will discuss what is happening in the market now and will address a number of questions we frequently get from clients, including some of the more advanced EMV topics, such as scripting, PIN management and multi-functional cards. In this blog I just wanted to share a personal story.

Until the cards and terminals migrate, the fear of fraud at US retailers is palpable, to the point where it is starting to impact consumer experience. During my brief shopping break I wanted to pay with my UK-issued chip card. As the amount was over $75, I was asked for a customer ID. I offered my UK driver’s license, which the cashier started diligently copying by hand onto the printed receipt. As it was a foreign license, he wasn’t sure which was what, so had to call his supervisor to check what exactly he should be copying. When he was done, I thought that would be the end of it, but unfortunately, I was mistaken. The cashier then took my card, placed the receipt on top of it and started rubbing it with a pen to get an imprint of the embossed details on the card! Apparently, he had to do it because the amount was actually over $150… I could scarcely believe this was taking place in the 21st century…

On a separate note, I must admit, 10 years of EMV in the UK has made me deeply suspicious whenever at a restaurant I have to hand over my card and the waiter just runs away with it. In Europe, the waiter brings a handheld terminal to the table, I enter my PIN and the card never leaves my sight.

I am not saying that this is an everyday experience for all US consumers these days. Perhaps I happened to go to a retailer with particularly strict anti-fraud policies, or they recognised a foreign card and wanted to take extra precautions, or I was simply unlucky. But I did not enjoy the experience. This is also not a smug boast about how “we have it better here in Europe.” I actually think that the US is a hotbed of innovation, and creative solutions emerging from the US such as Apple Pay point to the future of what lies ahead for many of us. However, EMV will help with the “here and now.” Of course, there will be a learning curve for US consumers as they get used to new chip cards, and there will be teething challenges during the migration, but it will be worth it for the market as a whole. And as a regular visitor, I just can’t wait for the US to migrate to EMV.

It’s so easy for bank marketing to take a wrong turn

Yesterday I came home to a strange voicemail from ING Direct Canada. I decided to phone back right away because I noted the following 3 things about the message:
  • The toll free number provided was nowhere to be found on the bank’s web site
  • The message left was with regards to “my profile and information”
  • The reference number left on the voicemail was my online banking user ID
I called back the main toll free number provided on the bank’s web site. After a brief hold I was transferred to an agent who looked me up in their system. I was told that I had to be transferred to another department and that yes, the message that I received was legitimate. The person I was transferred to was polite and friendly and wanted to sell me an investment. WHAT???

The good news for the bank is that they got me to call back right away. The bad news is that I don’t even know or care about what she offered because I was so thrown off by the voicemail. I had questions. Why was I being directed to a toll free number that I can’t find on the bank’s web site or through a Google search? Why were the details of the voicemail so mysterious? Why was my user ID being divulged over the phone as a reference number? All of my comments were noted and the rep apologized. Granted I’m not a typical customer, but it’s customers like me that can help make a difference when it comes to these issues (or so I would hope!).

There’s a lot that banks can learn here – on the security front and on the marketing front. This is particularly relevant in an age where banks are so focused on marketing and offers that are based on data:
  • You can have great data, but it’s useless if you don’t master things like privacy and security
  • Customers should always be directed to call back a primary telephone number that can be easily validated. Banks are so cautious about email communication with clients – they should be just as cautious with telephone communication
  • Under no circumstances should a user ID ever be divulged. It’s a key piece of an authenticated login. It of course takes a couple of other pieces to log in, but that’s not the point – why give away any pieces of the puzzle? Furthermore, if a bank or customer were to suffer a breach, a fraudster could attempt to gain access to other account credentials by leaving a convincing voicemail containing a user ID (that obviously did not happen here).
I welcome your thoughts and comments.

UPDATE 4/7/2014: I was contacted by ING Direct last week. They have informed me that they will no longer use a user ID as a reference number. Kudos to them for reacting quickly and switching around the process.

When Credit Card ID Checks Go Awry

I’ve always had mixed feelings regarding handing over my ID to a merchant when paying by credit card. On one hand it’s great that the merchant is attempting to protect its business and you from fraud. On the other hand you are handing over your personal information to a complete stranger.

I was shopping last week with my wife at a Coach store in Florida. We made a small purchase and the sales agent asked for my ID for the credit card transaction. I handed over my credit card and ID and started chatting with my wife. I then noticed that the salesperson was studying my ID and appeared to be typing my information into her computer. I promptly asked what she was doing and she answered that she was typing my address and info into her computer so that I could be added to the Coach mailing list. She never asked for my consent and needless to say I was not happy. The salesperson thought she could simply take the liberty of capturing my personal information. I found this especially curious since this happened on the same day as the Zappos data breach that exposed the personal information of 24 million customers.

I subsequently spoke to a manager about the salesperson’s actions and was told that their policy is to check IDs but ask for consent regarding the capture of your personal information. I told the manager what happened and she replied, “Oh, she probably did this out of habit.” Talk about bad habits, and ones that can certainly get you into trouble! In some instances, asking for personal information may violate store policy, credit card merchant agreements and even state law. This past February, a ruling in the state of California determined that merchants cannot even legally ask for your zip code when making a purchase by credit card.

Merchants must start to weigh the pros and cons of capturing personal information at the point of sale. Sure, it can help gather data and help with marketing, but on the other hand it can open the merchant and the consumer up to all sorts of vulnerabilities. In the online world things are obviously different. Shoppers must provide (and are therefore consenting to provide) a billing address, and that can be captured. And the vulnerabilities are being exploited. Just yesterday, Coach’s website was hacked by a group called UGNazi. This group hacks organizations that support SOPA. To my knowledge no information was leaked, only the website was defaced.

I’m still thinking about how to deal with Coach’s mishandling of my transaction. I am definitely going to file a complaint with Coach senior management. Other options include complaints to the Federal Trade Commission, and to the Florida Attorney General. I’m curious to hear your thoughts, please discuss!

Hey FFIEC, Is This Really Guidance?

Last week the FFIEC issued the long awaited Supplement to Authentication in an Internet Banking Environment. I read through the 12 page report (it’s actually 8 pages with a 4 page appendix), and kept reminding myself that I should try to look at this in a cup half full manner. Yes, I can be a cup half empty kind of a guy, however I must say that this document doesn’t say much that most banks don’t already know. The wording is vague, open to interpretation, and unclear. It’s a great read for someone who is new to the space and wants to get a high level overview of some of the challenges banks are facing. I know that banks are going to be placing a lot of energy into analyzing this document, and making sure they can follow the so-called guidance.

The first problem is the title – Supplement to AUTHENTICATION. Authentication was definitely a big deal back in 2005 when the first iteration of this document was released. At this stage of the game, it really doesn’t mean much. Sure, all banks should have it, and yes they should pay attention to new solutions that can enhance authentication. Today, with current threats and attacks, authentication is about as useful as a security guard placed in front of a bank building. The guard can scare people off, and provide the appearance of security. If criminals or terrorists want in, we all know that the guard is nothing more than a useless sentry. So sure, let’s keep on forcing customers to use the familiar image/phrase/challenge question routine for online banking. But let’s accept the fact that multifactor authentication, even using hard tokens, is pretty useless.

The document keeps referring to layered security – that’s a good thing. But how long have we been hearing that for? Great that it’s down on paper given that it’s so critical. It’s the most important step a financial institution can take, but a lot more detail and guidance is required here.

There was quite a buzz regarding the fact that the document doesn’t discuss mobile banking security. That ties back to the vagueness of the document. Personally, that doesn’t bother me as much. The info in this doc has to be consumed with the understanding that consumers and businesses are using a range of electronic devices – PCs, mobile phones, tablets, etc. Yes, there are going to be security issues that are device category specific. It would have been nice to see things laid out a little more clearly, or at least recognition of this trend.

On page 3, the document goes over high risk transactions. The overly structured section misses a key point – as features migrate out of the branch to cheaper self service alternatives (think consumer wire transfers online) the risks increase. Financial institutions need to plan for these changes now and understand that the online channel is already handling higher risk consumer transactions.

In my opinion, the most important section of this document should have been customer awareness and education. It takes up approximately half a page. Banks do a very poor job of educating customers, and there are tons of examples to prove it. Since the consumer is the weakest link in the equation, this clearly requires a lot more attention.

Can I be a curmudgeon? Absolutely. Is it warranted in this case (objectively speaking of course)? Without a doubt.

Reporting from the field

Last week I attended “The Future of Cards and Payments” conference in London. Over two days, various speakers shared their perspectives on how they see the cards and payments market developing, particularly in the UK. Here is a selection of facts, which I picked up during the presentations and found especially interesting:
  • The crisis hasn’t changed the UK consumers’ behaviour that much. According to a study by Visa Europe, 56% of respondents in 2010 agreed with the statement “I save money so I have some protection in the future”, compared to 57% in 2008 and 24% are “open to borrowing to buy what I want today” (vs 23% in 2008). Having said that, more people are aware of their finances with 63% vs 45% two years ago “watching every penny they spend to avoid getting into debt”.
  • Cash is not going away. In the same Visa survey, 35% of people surveyed in 2010 stated that they “prefer to pay in cash for everything I buy”, which is down from 54% in 2002, but up from 18% in 2008.
  • Only ~50% of business accounts in the UK have a card
  • Identity fraud is up by 32% in 2009
  • Cheques are due to be phased out in the UK by 2018. However, it will only be done if by 2016 there are real alternatives in place, available to users, well known and being used. Heavy cheque users include charities (which get 70% of their income via cheques) and the elderly (who may need another paper-based alternative, e.g. giro credit), among others.
  • UK market has ~4m prepaid cards.
  • Also, UK is on track to have 12m contactless cards in use by December 2011. Focus needs to shift now to acceptance.
  • Adoption of SEPA Direct Debit is partly an issue of interchange. 70% of euro-based DD transactions in the EU don’t have interchange, but the others do. The European Commission is firmly against having interchange for DD, but accepts that a transition period may be required and that there might be a case for it when dealing with rejected transactions.
  • To limit fraud, some online merchants and their PSPs are beginning to tailor availability of payment methods based on the consumer’s postcode, e.g. credit cards would be OK if you live in a premium address in Chelsea or Kensington, but only a prepaid electronic voucher (e.g. ukash) would be offered if you happen to shop from a council estate in Peckham.
  • And if you live with 20 other strangers in a room with no doors or windows in Asia or Africa and have no bank account, storing money is as important to you as being able to make payments.
I will be on vacation for my next blog post. See you in August!

A Major Blip in Blippy’s Security

If only it were just a blip. Mashable just reported that a simple Google search reveals Blippy users’ credit card numbers. As much as I love the social web, I could never wrap my head around the concept of folks providing their credit card number in order to share info on what they are purchasing. While this may be fun and “cool,” it is a great example of what not to do. This is obviously a major error on Blippy’s part, but I also blame users who so easily give up confidential info. If this type of practice continues, card companies are going to stop reimbursing customers. It’s one thing if a merchant or a processor is a victim of fraud. It’s another issue if a startup does something inexcusable, even if it is unintentional. Interestingly, just yesterday Techcrunch announced a new round of funding for Blippy, bringing their valuation to a whopping $46.2 million.
(Image: blippy-fail-21, courtesy of Mashable)

Update 2:06pm EDT. Blippy issues a reply. Celent believes that this issue is far more serious than Blippy is making it out to be. Pointing fingers at Google’s cache and claiming that consumers are protected is not the right approach. I am sure Blippy will improve their security efforts, but this is nonetheless an incorrect approach to take with the public.
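The Blippy problem was card numbers reaching publicly indexed pages in the first place. As an added example (not Blippy’s code, and not from the original post), here is the kind of pre-publication check a service that republishes purchase or transaction text should run: find digit runs that pass the Luhn check and mask them down to the last four digits, while leaving Luhn-failing runs such as order references untouched. The sample feed lines are constructed for this illustration, and the card numbers in them are the widely used payment-gateway test values, not real accounts; the separator handling in the pattern is an assumption about how numbers appear in merchant descriptions.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not glued to surrounding digits. The separator handling is an
# assumption about how card numbers tend to appear in transaction descriptions.
_PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check: double every second digit from the right, subtract 9
    from any doubled value above 9, and require the sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(raw: str) -> str:
    return re.sub(r"[ -]", "", raw)


def find_pans(text: str) -> list:
    """Return the substrings of text that look like card numbers and pass Luhn,
    in order of appearance. Luhn-failing runs (order numbers, references) are skipped."""
    return [
        m.group(0)
        for m in _PAN_CANDIDATE.finditer(text)
        if luhn_valid(_digits_only(m.group(0)))
    ]


def redact_pans(text: str) -> str:
    """Mask every Luhn-valid PAN in text, keeping only the last four digits
    (the form receipts and statements use); everything else is left untouched."""
    def _mask(m: re.Match) -> str:
        raw = m.group(0)
        digits = _digits_only(raw)
        if not luhn_valid(digits):
            return raw
        return "*" * (len(digits) - 4) + digits[-4:]
    return _PAN_CANDIDATE.sub(_mask, text)


# Constructed sample of purchase-feed text a service might republish.
# The card numbers are well-known gateway test values, not real accounts.
SAMPLE_FEED = (
    "Coffee at CAFE 123 MAIN ST, card 4111 1111 1111 1111, order ref 1234567890123456\n"
    "Support: 555-123-4567. AMEX 378282246310005 charged $12.50\n"
)

if __name__ == "__main__":
    print(find_pans(SAMPLE_FEED))   # ['4111 1111 1111 1111', '378282246310005']
    print(redact_pans(SAMPLE_FEED))
```

Run against the constructed feed, the 16-digit order reference survives because it fails Luhn, the phone number is too short to be a candidate, and both genuine card numbers come out masked. A check like this belongs on the write path, before anything is stored or rendered, since once a page is crawled the content is in the search engine’s cache regardless of what the site does afterwards.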