Interesting People mailing list archives

Yet more on Citibank Security Update/spoof


From: Dave Farber <dave () farber net>
Date: Fri, 07 May 2004 15:24:34 -0400


Delivered-To: dfarber+ () ux13 sp cs cmu edu
Date: Fri, 07 May 2004 14:12:13 -0400
From: Dan Shoop <shoop () iwiring net>
Subject: Yet more on Citibank Security Update/spoof
X-Sender: dshoop () iwiring net
To: dave () farber net, ip () v2 listbox com

Dave, [for IP]

In one of my 'past lives' I used to be a bank officer at CitiCorp Credit Services, the group responsible for card products. As the largest holder of credit card accounts (at least at the time) we pioneered the concept of fraud detection and prevention, leading the industry. Every day our systems would paw through all of the transactions of our card holders looking for patterns of fraud. It was, and remains, no small task, and one to which CitiBank continues to be very committed.

As pointed out, these phishing scams are pretty much commonly accepted occurrences, just like other fraud scams were in the past. It is quite likely that reporting them to CitiBank customer service is going to get shrugged off in a manner that to the customer may seem like the bank doesn't care. The reason of course is that they don't care. Seriously. It's just accepted that fraud scams are circulating, so the issue isn't to be concerned about the fraud scam du jour, but to trap and contain the fraud once it occurs. Fraud costs the credit card industry a serious amount of money, but the card holder is well protected. In the case of lost or stolen cards the typical maximum cost to the card holder is capped at $50 (see your bank's agreement for your specific details.) In the case of reported fraud, the cost to the card holder reporting it is zero. So from a customer service perspective fraud scams are a non-issue.

Fraud scams are however an issue to the bank and more so to the merchant, who ends up bearing the costs of fraud.

IP readers may be surprised to hear that a merchant is never assured payment for a credit card transaction and bears the risk. The bank can deny the charge for a wide variety of reasons, most commonly that of fraud. Then again it's the merchant's responsibility to check credentials of card holders. Purchase types are assigned risks by the banks and transaction costs vary according to these types of purchases, mostly to account for fraud risk. A physical card swipe with electronic authorization and physical card impression is the most trusted and has the least cost per transaction; the merchant is also supposed to verify the purchaser's signature with the one on the back of the card and ask for some form of ID (CitiBank even puts the cardholder's picture on their card products as an additional ID check.) Merchants can additionally verify the card holder's billing address, which is stored on the card's magnetic track, and can also be verified during the electronic authorization against that on file and provided by the customer. The riskiest form of transaction is that of online or telephone sales where a physical card isn't seen by the merchant. In these cases there still are many forms of ID that can be checked to help verify the transaction; while there's the obvious and physically visible card holder's name, card number and expiration date, the merchant should also require the billing address which can be used as part of the electronic authorization. Modern cards also have an extra set of check digits printed on the back of the cards. In all cases the more information available the less risky the transaction, and this is passed on to the merchant as a lower cost per transaction to encourage them to use the least risky method for conducting the purchase.
But in the end if the transaction is reported as fraudulent the merchant is responsible, the customer doesn't bear much of a burden (except perhaps through interest rates and annual fees that reflect, much like car insurance, the risk that customer represents based on how they are assigned in a portfolio of similar accounts.)

Most card issuing banks also have significant fraud analysis departments that monitor accounts for patterns and react when triggers are tripped. In most cases your bank knows more about your purchase habits than you do. Seeing a strange increase in spending, spending in multiple geographic locations, spending in exotic locations, and many other patterns can trigger an alert and your bank may call you to verify your transactions. In extreme cases the bank can flag the account requesting the merchant call in and the bank can speak to you by phone as you're transacting your purchase to verify. Triggered accounts get watched more closely, and/or a "fraud block" can be placed on the account until your bank can speak with you. Customers can also request that a 'fraud watch' be placed on their account so that closer scrutiny by the bank can be placed on transactions, normally when the customer suspects unauthorized charges. These methods stop suspicious transactions as they're occurring.

Fraud scams are best caught however *after* the transaction, not during the con or phishing. This may seem strange but then again that's when the largest trail for investigation exists, and it represents a hard crime, one from which action can be taken. To an investigator or prosecutor a fraud in progress isn't as significant as the fraud that occurred and has real dollar costs associated with it, sorry to say.

Sometimes fraud occurs from the merchants; an employee steals account info which they use to rack up fraudulent charges, or the merchant 'double dips'. Generally speaking though, in most cases of fraud it is through some fault or action of the customer. They didn't properly secure their cards, they lost their card or had it stolen and didn't report it, or they gave out their number to a con artist in a scam. But again these generally result in patterns of activity that can be flagged by the bank's fraud department.

So the bottom line is that the banks do care about fraud -- just not so much the latest fraud scam du jour -- they expect fraud occurs and do react when it does. Scams are harder to track than the fraud itself. The fraud itself can be sorted out either in direct fraud prevention techniques or by the customer when reported after their statement is delivered. At that point the bank has something actual to work with and the customer, while perhaps temporarily inconvenienced, can perform the best security and fraud prevention technique, that of verifying their actual transactions.

Regards
--

-dhan

------------------------------------------------------------------------
Dan Shoop                                              shoop () iwiring net
Consulting Internet Architect                              shoop () mac com
AIM: iWiring                                     http://www.iwiring.net/
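The post above describes three of the account-level patterns a bank's fraud department watches for: a sudden jump in spending, purchases in several geographic locations close together in time, and spending in a location the card holder has never used before. The following is an added illustration of that kind of rule-based monitoring, written for this archive page; it is not code from the author or from any bank's systems. The transaction records, account names, countries and the thresholds (`spike_factor`, `window`, `min_history`) are all constructed or hypothetical values chosen to make the rules fire.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class Txn:
    """One authorization record (constructed sample, not real data)."""
    account: str
    ts: datetime
    amount: float
    country: str


# Constructed sample history. acct-1 spends modestly in one country, then
# shows a large charge followed by purchases in two other countries within
# an hour. acct-2 is a steady control account that should raise nothing.
SAMPLE: List[Txn] = [
    Txn("acct-1", datetime(2004, 5, 1, 9), 42.10, "US"),
    Txn("acct-1", datetime(2004, 5, 2, 12), 18.50, "US"),
    Txn("acct-1", datetime(2004, 5, 3, 18), 63.00, "US"),
    Txn("acct-1", datetime(2004, 5, 4, 10), 25.75, "US"),
    Txn("acct-1", datetime(2004, 5, 6, 11), 30.00, "US"),
    Txn("acct-1", datetime(2004, 5, 7, 8), 31.00, "US"),
    Txn("acct-1", datetime(2004, 5, 7, 14, 0), 950.00, "US"),
    Txn("acct-1", datetime(2004, 5, 7, 14, 20), 120.00, "GB"),
    Txn("acct-1", datetime(2004, 5, 7, 14, 45), 80.00, "NG"),
    Txn("acct-2", datetime(2004, 5, 1, 10), 20.00, "US"),
    Txn("acct-2", datetime(2004, 5, 2, 10), 22.00, "US"),
    Txn("acct-2", datetime(2004, 5, 3, 10), 19.00, "US"),
    Txn("acct-2", datetime(2004, 5, 4, 10), 24.00, "US"),
    Txn("acct-2", datetime(2004, 5, 5, 10), 21.00, "US"),
    Txn("acct-2", datetime(2004, 5, 6, 10), 23.00, "US"),
]

Alert = Tuple[str, str, datetime, str]  # (kind, account, time, detail)


def detect(txns: List[Txn], spike_factor: float = 5.0,
           window: timedelta = timedelta(hours=2),
           min_history: int = 5) -> List[Alert]:
    """Replay transactions in time order and emit alerts for three patterns.

    The baseline for each account is built only from transactions already
    seen, so a new account is not judged until it has `min_history` records.
    """
    alerts: List[Alert] = []
    history: Dict[str, List[Txn]] = defaultdict(list)
    for t in sorted(txns, key=lambda x: x.ts):
        past = history[t.account]
        if len(past) >= min_history:
            # 1. Spending spike: amount far above the account's average so far.
            baseline = sum(p.amount for p in past) / len(past)
            if t.amount > spike_factor * baseline:
                alerts.append(("spending_spike", t.account, t.ts,
                               f"{t.amount:.2f} vs avg {baseline:.2f}"))
            # 2. Unfamiliar location: a country never seen on this account.
            if t.country not in {p.country for p in past}:
                alerts.append(("new_country", t.account, t.ts, t.country))
            # 3. Geographic velocity: three or more countries inside `window`.
            recent = [p for p in past if t.ts - p.ts <= window]
            countries = {p.country for p in recent} | {t.country}
            if len(countries) >= 3:
                alerts.append(("geo_velocity", t.account, t.ts,
                               ",".join(sorted(countries))))
        past.append(t)
    return alerts


def accounts_to_watch(alerts: List[Alert], threshold: int = 2) -> set:
    """Accounts with at least `threshold` alerts are candidates for a
    closer look (the 'fraud watch' or 'fraud block' the post describes)."""
    counts: Dict[str, int] = defaultdict(int)
    for kind, account, _ts, _detail in alerts:
        counts[account] += 1
    return {a for a, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = detect(SAMPLE)
    for kind, account, ts, detail in found:
        print(f"{ts:%Y-%m-%d %H:%M} {account} {kind}: {detail}")
    print("watch:", accounts_to_watch(found))
```

On the constructed sample the replay raises a spending-spike alert on the 950.00 charge, new-country alerts for GB and NG, and a geographic-velocity alert once three countries appear within two hours, so acct-1 is returned as an account to watch while acct-2 stays clean. The point of the ordering is that each rule compares a transaction only against history already seen, which is how a real-time trigger differs from the after-the-fact statement review the post says ultimately catches the fraud.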

-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

