Debit is a core payment method in the U.S. that has garnered particularly strong traction among consumers aged 31 to 38. A 2018 survey found that 40 percent of American financial institution (FI) customers in this age bracket reported debit cards as their go-to payment instruments, while 36 percent favored credit cards. Consumers aged 18 to 22, meanwhile, relied equally on the two methods.
Younger generations are not the only ones keyed into the benefits of debit, however. Another 2018 survey found that consumers of all ages showed growing interest in such cards, as customers’ preference for the payment method saw a 10 percent increase over 2017. Consumers appear to be moving their debit payments away from brick-and-mortar stores toward eCommerce channels, meaning FIs and card issuers must work to support them while minimizing online security risks. These organizations need to fend off both popular and emerging debit fraud attack methods.
Doug Clare, vice president of fraud product management at FICO – a consumer credit score, analytics software and fraud detection platform provider – knows this dilemma well. He recently spoke with PYMNTS about what it takes to keep debit cards and their associated bank accounts safe from cybercriminals.
FIs have long been aware that relying on knowledge-based authentication (KBA) goes only so far. PINs and account passwords can be stolen, after all, so many banks take security efforts a step further by analyzing how consumers key in their information and what they do once granted account access. This includes monitoring keystroke rhythms, typical transaction values, spending patterns and which devices are being used at particular times, among other details. These traits outline what normal behaviors look like for each customer, and actions that deviate from these trends could indicate fraudsters at work – even if correct PINs and security question answers are entered.
Looking at customers’ activities is only one piece of the puzzle, though. Safeguarding against evolving debit card fraud requires FIs and payment companies to more holistically view and examine the behaviors of each participant in every transaction, Clare explained. This also requires analyzing typical activities at payment terminals, POS devices or ATMs that accept the consumers’ cards.
“By looking at the behavior of multiple entities and understanding the degree of normal or abnormal for any of those entities, you can paint a more complete picture of fraud,” Clare explained. “You can look at the cardholder. If the customer has multiple cards, you can look at [whether] this behavior [is] consistent across the multiple account types that customers may have. You can look at the behavior of the ATM: Are the rates and pace and characteristics of this particular withdrawal at this ATM in pattern or out of pattern?”
A cardholder may withdraw $300 every Tuesday at the ATM near her work, for example, so an ATM showing five $300 withdrawals within two minutes is a major red flag. Examining the activities that take place at such machines is critical, Clare added, as an ATM experiencing a quick succession of high same-value withdrawals may have fallen victim to a fraudster who is plugging in counterfeit cards to extract the maximum amount permitted on each.
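The ATM-side check described above, as an added example (not code from FICO or the original article): it flags an ATM when several distinct cards withdraw the same amount within a short window. The log format, ATM and card IDs, and the function name are constructed assumptions; the thresholds come from the article's five-withdrawals-in-two-minutes illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, one withdrawal per line: timestamp,atm_id,card_id,amount
SAMPLE_LOG = """\
2019-03-05T12:05:00,ATM-17,card-A,300
2019-03-05T12:05:40,ATM-17,card-B,60
2019-03-05T12:06:10,ATM-17,card-C,300
2019-03-05T12:06:50,ATM-17,card-D,120
2019-03-06T02:10:00,ATM-42,card-K1,300
2019-03-06T02:10:25,ATM-42,card-K2,300
2019-03-06T02:10:50,ATM-42,card-K3,300
2019-03-06T02:11:20,ATM-42,card-K4,300
2019-03-06T02:11:45,ATM-42,card-K5,300
2019-03-06T09:00:00,ATM-09,card-A,300
2019-03-06T09:00:30,ATM-09,card-A,300
""".splitlines()

def parse(line):
    ts, atm, card, amount = line.split(",")
    return datetime.fromisoformat(ts), atm, card, int(amount)

def same_value_bursts(lines, window=timedelta(minutes=2), min_cards=5):
    """Return (atm, amount, first_ts, last_ts, distinct_cards) for each burst.

    The ATM is the profiled entity: a busy machine with mixed amounts, or one
    cardholder repeating a withdrawal, does not trip the rule. Only several
    distinct cards pulling the same amount inside the window does.
    """
    recent = defaultdict(deque)  # (atm, amount) -> deque of (timestamp, card)
    alerts = []
    for ts, atm, card, amount in sorted(map(parse, lines)):
        q = recent[(atm, amount)]
        q.append((ts, card))
        while ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        cards = {c for _, c in q}
        if len(cards) >= min_cards:
            alerts.append((atm, amount, q[0][0], ts, len(cards)))
            q.clear()  # report each burst once
    return alerts

if __name__ == "__main__":
    for atm, amount, start, end, n in same_value_bursts(SAMPLE_LOG):
        print(f"{atm}: {n} cards withdrew ${amount} between {start} and {end}")
```

In the sample, only ATM-42 is flagged; the midday traffic at ATM-17 and the repeat withdrawal by one card at ATM-09 stay below the threshold.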
The Rise of CNP Fraud
As criminals continually seek to modernize their attacks, they are increasingly targeting card-not-present (CNP) transactions. This allows them to take advantage of digital channels and benefit from the anonymity of remote interactions. These fraudsters can then sell the illicitly obtained payment data or use it in eCommerce.
Bad actors may find CNP transactions more tempting as security tightens for physical cards, Clare explained, noting that the prevalence of EMV chips has made counterfeiting more difficult. Using stolen credentials to purchase airline tickets is one form of CNP fraud that has taken off over the past few years, he added. Fraudsters make these high-value purchases either because they want to take said flights or so they can cancel and demand refunds. Such crimes are considered low-level issues and are typically not pursued by law enforcement.
FIs and retailers cannot focus only on stopping high-value fraud, either. Bad actors often make small transactions to test stolen credentials, as they know few businesses will want to risk irritating customers by verifying minor purchases. FICO analyzes all payment activity levels in an effort to quickly detect suspicious acts and nip fraud in the bud.
Classic Debit Attacks
New debit fraud forms don’t mean old standards are going away, though, so FIs and service providers must remain vigilant. Synthetic ID and bust-out fraud schemes target debit more frequently than credit, Clare warned. Hackers perpetrating synthetic ID fraud cobble together identifying information stolen in data breaches to create fake identities, then use them to attain debit cards. Bust-out fraud involves either fraudsters relying on synthetic IDs or customers using legitimate identities to open accounts. These parties stay in good standing until FIs trust them enough to grant strong overdraft protections, and then they overdraft significantly and abandon the accounts without repaying.
Other common threats include account takeovers (ATOs) – in which bad actors seize legitimate customers’ accounts – and impromptu friendly fraud. The latter issue sees customers who had intended to use their debit cards and accounts for legitimate means ultimately overdraft and abandon their debts after deciding that paying them off would be too challenging. These customers are not acting on long-term schemes, unlike those who perpetrate bust-out fraud.
FIs can better protect against debit abuse by carefully considering transaction approval thresholds and the factors they use to determine approval, Clare said. This could mean examining which types of purchases are being made. An attempt to buy something from a jewelry store at 2 a.m. could raise suspicion, for example, and different product categories have distinct fraud rates. It’s also key to control when overdraft amounts are permitted and when customers are granted higher limits.
“[FIs must] be careful, particularly when they don’t have a strong behavioral profile for that customer,” Clare explained. “They must look at the tenure and type of transaction. [It’s wise to] have a higher standard of diligence for those transactions, maybe [by] limiting the amount of overdraft you’ll allow for customers [who] don’t have [a] long tenure or who only have one account with the bank. If you don’t have a really good, strong, long multi-product relationship and track record with a customer, then you have to be careful and not get into a situation where you’ve overextended yourself with [him or her].”
FIs can consider relaxing their limits only after observing customers’ behavior over long periods of time, preferably across several cards and accounts. Vigilant fraud detection strategies and a strong level of caution can help businesses determine how to proceed when detailed behavioral information is not available.
One thing is certain: FIs and financial services providers cannot afford to overlook better debit payment monitoring and fraud detection. Demand for debit is rising in the U.S., and financial providers that want to stay relevant must ensure that consumers can safely transact via their preferred payment methods, keeping debit payments both convenient and secure.