[IP] Yet more on Citibank Security Update/spoof

To: ip@xxxxxxxxxxxxxx
Subject: [IP] Yet more on Citibank Security Update/spoof
From: Dave Farber <dave@xxxxxxxxxx>
Date: Fri, 07 May 2004 15:24:34 -0400
List-help: <http://v2.listbox.com/doc/help_sub?list_name=ip@v2.listbox.com>
List-id: <ip@xxxxxxxxxxxxxx>
List-software: listbox.com v2.0
List-subscribe: <mailto:subscribe-ip@v2.listbox.com>, <http://v2.listbox.com/subscribe/?listname=ip@v2.listbox.com>
List-unsubscribe: <mailto:unsubscribe-ip@v2.listbox.com>, <http://v2.listbox.com/member/unsubscribe/?listname=ip@v2.listbox.com>
Reply-to: dave@xxxxxxxxxx
Sender: owner-ip@xxxxxxxxxxxxxx


Delivered-To: dfarber+@xxxxxxxxxxxxxxxxxx
Date: Fri, 07 May 2004 14:12:13 -0400
From: Dan Shoop <shoop@xxxxxxxxxxx>
Subject: Yet more on Citibank Security Update/spoof
X-Sender: dshoop@xxxxxxxxxxx
To: dave@xxxxxxxxxx, ip@xxxxxxxxxxxxxx

Dave, [for IP]

In one of my 'past lives' I used to be a bank officer at CitiCorp CreditServices, the group responsible for card products. As the largest holder ofcredit card accounts (at least at the time) we pioneered the concept frauddetection and prevention, leading the industry. Every day our systems wouldpaw through all of the transactions of our card holders looking forpatterns of fraud. It was, and remains, no small task, and one in whichCitiBank continues to be very committed.

As pointed out, these phishing scams are pretty much commonly acceptedoccurrences, just like other fraud scams were in the past. It is quitelikely that reporting them to CitiBank customer service is going to getshrugged off in a manner that to the customer may seem like the bankdoesn't care. The reason of course is that they don't care. Seriously. It'sjust accepted that fraud scams are circulating, so the issue isn't to beconcerned about the fraud scam du jour, but to trap and contain the fraudonce it occurs. Fraud costs the credit card industry a serious amount ofmoney, but the card holder is well protected. In the case of lost or stolencards the typical maximum cost to the card holder is capped at $50 (seeyour banks agreement for your specific details.) In the case of reportedfraud, the cost to the card holder reporting it is zero. So from a customerservice perspective fraud scams are a non-issue.

Fraud scams are however an issue to the bank and more so to the merchant,who ends up bearing the costs of fraud.

IP readers may be surprised to hear that a merchant is never assuredpayment for a credit card transaction and bear the risk. The bank can denythe charge for a wide variety of reasons, most commonly that offraud. Then again it's the merchant's responsibility to check credentialsof card holders. Purchase types are assigned risks by the banks andtransaction costs vary according to these types of purchases, mostly toaccount for fraud risk. A physical card swipe with electronic authorizationand physical card impression is the most trusted and has the least cost pertransaction, the merchant is also supposed to verify the purchaser'ssignature with the one on the back for the card and ask for some form of ID(CitiBank even puts the cardholder's picture on their card products as anadditional ID check.) Merchants can additionally verify the card holdersbilling address, which is stored on the card's magnetic track, and can alsobe verified during the electronic authorization against that on file andprovided by the customer. The riskiest form of transaction is that ofonline or telephone sales where a physical card isn't seen by the merchant.In these cases there still are many forms of ID that can be checked to helpverify the transaction; while there's the obvious and physically visiblecard holder's name, card number and expiration date, the merchant shouldalso require the billing address which can be used as part of theelectronic authorization. Modern cards also have an extra set of checkdigits printed on the back of the cards. In all cases the more informationavailable the less risky the transaction and this is passed on to themerchant as a lower cost per transaction to encourage them to use the leastrisky method for conduction the purchase. But in the end if the transactionis reported as fraudulent the merchant is responsible, the customer doesn'tbear much of a burden (except perhaps through interest rates and annualfees that reflect, much like car insurance, the risk that customerrepresents based on how they are assigned in a portfolio of similar accounts.)

Most card issuing banks also have significant fraud analysis departmentsthat monitor accounts for patterns and react when triggers are tripped. Inmost cases your bank knows more about your purchase habits than you do.Seeing an strange increase in spending, spending in multiple geographiclocations, spending in exotic locations, and many other patterns cantrigger an alert and your bank may call you to verify your transactions. Inextreme cases the bank can flag the account requesting the merchant call inand the bank can speak to you by phone as you're transacting your purchaseto verify. Triggered accounts get watched more closely, and/or a "fraudblock" can be placed on the account until your bank can speak with you.Customers can also request that a 'fraud watch' be placed on their accountso that closer scrutiny by the bank can placed on transactions, normallywhen the customer suspects unauthorized charges. These methods stopsuspicious transactions as they're occurring.

Fraud scams are best caught however *after* the transaction, not during thecon or phishing. This may seem strange but then again that's when thelargest trail for investigation exists, and it represents a hard crime, onefrom which action can be taken. To a investigator or prosecutor a fraud inprogress isn't as significant as the fraud that occurred and has realdollar costs associated with it, sorry to say.

Sometimes fraud occurs from the merchants; an employ steals account infowhich they use to rack up fraudulent charges, or the merchant 'doubledips'. Generally speaking though, in most cases of fraud it is through somefault or action of the customer. They didn't properly secure there cards,they lost their card or had it stolen and didn't report it, or they gaveout their number to a con artist in a scam. But again these generallyresult in patterns of activity that can be flagged by the bank's frauddepartment.

So the bottom line is that the banks do care about fraud -- just not somuch the latest fraud scam du jour -- they expect fraud occurs and do reactwhen it does. Scams are harder to track than the fraud itself. The frauditself can be sorted out either in direct fraud prevention techniques or bythe customer when reported after their statement is delivered. At thatpoint the bank has something actual to work with and the customer, whileperhaps temporarily inconvenienced, can perform the best security and fraudprevention technique, that of verifying their actual transactions.


Regards
--

-dhan

------------------------------------------------------------------------
Dan Shoop                                              shoop@xxxxxxxxxxx
Consulting Internet Architect                              shoop@xxxxxxx
AIM: iWiring                                     http://www.iwiring.net/

-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

Prev by Date: [IP] more on Clean Image Is So Key To Google's Success, Why Take Gmail Risk?
Next by Date: [IP] Abu Ghraib torture sanctioned by Pentagon Political Appointees
Previous by thread: [IP] more on Clean Image Is So Key To Google's Success, Why Take Gmail Risk?
Next by thread: [IP] Abu Ghraib torture sanctioned by Pentagon Political Appointees
Index(es):
- Date
- Thread