Rippleshot Blog

In the wake of uncertainty about the Coronavirus outbreak, banks and credit unions are taking proactive measures to protect and educate their customers and members about what to expect, how to operate and how to minimize financial impact.

To help keep you informed about what bank and credit unions leaders have been sharing, we've gathered this week's top headlines on how the financial institution industry is managing the fallout from the global health crisis.

New insight from Juniper Research indicates that online payment fraud is expected to exceed $200 billion between 2020 and 2024. One key contributing factor is a rising number of synthetic identities created to perpetrate fraud. 

Tracking credit card fraud trends is a standard practice for any financial institution. When tracking that data, it's important to have context of what the last few years looked like, and what that means for future trends across the fraud ecosystem. What's important to track is what types of card fraud are mot prevalent (CP vs. CNP fraud), the rate at which credit card fraud is growing and who it is impacting most. 

Knowing how credit card fraud patterns are evolving can help your financial institution know which tools your team needs to proactively get ahead of these rapidly-growing problems. We break down four key trends: 

The Identity Theft Resource Center's annual report confirmed what we already knew about the state of data breaches: They continue to rise significantly, year-after-year. There is a bit of good news, however, within the ITRC's report: The number of PII and sensitive PII records exposed continues to drop. 

“This year’s report paints a mixed view of the landscape as we continue to work with businesses and consumers alike to thwart cyber criminals and contain their damage,” said Matt Cullina, CyberScout’s EVP of Strategic Partnerships and Managing Director of Global Markets.

Critical payment and credit card data from the Wawa convenience store breach has reportedly made its way to the dark web. Multiple reports, including Krebs on Security and Gemini Advisory, indicate that card data from more than  30 million Wawa customers was listed for sale Jan. 27 on the cybercriminal dark web forum Joker’s Stash.

Wawa acknowledged the reports, and released a statement saying it has "alerted our payment card processor, payment card brands, and card issuers to heighten fraud monitoring activities to help further protect any customer information." Wawa said it is working with federal law enforcement to determine the scope of the exposed Wawa-specific customer payment card data.

A newly published report from the American Bankers Association reveals key themes across the banking ecosystem: Fraudsters keep targeting old habits, while newer trends are gaining traction quicker than ever. 

The ABA's report showed is that popular fraud trends like check fraud and deposit account fraud continue to contribute to overall fraud losses — accounting for roughly $2.5 billion collectively. The report also details how point-of-sale debit card fraud trends have been shifting over the past few years. When comparing 2016 to 2018 figures, data indicates that POS debit card fraud from counterfeit frauds now accounts for 25% of the losses, compared to 47% in 2016. Looking at card-not-present transactions (CNP), those losses are account for 42% of counterfeit fraud, when compared to a 30% loss in 2016. 

Despite the gloomy outlook on many of the fraud figures, the report indicated some bright spots for financial institution leadership.

Another major data breach was announced this week. This time it was Landry’s Inc., a Houston-based company that owns and operates more than 600 restaurants, hotels, casinos and entertainment destinations. According to what has been publicly reported, malware was installed on Landry’s’ payment processing system servers, and was used to exfiltrate customers’ card numbers, expiration dates and internal verification codes.

Midway through December, data indicates holiday fraud is rising sharply as expected.

The latest data from Digital Transactions indicates that over the five-day holiday shopping period there was a 29% increase in suspected fraud when compared with the same time period in 2018. This uptick in fraud comes with increased holiday spending, particularly online. 

Black Friday brought in $7.4 billion in just e-commerce sales, with Cyber Monday clocking in a record $9.4 billion. That was a 20% increase in spending from 2018, according to Adobe Analytics. For suspicious transactions Black Friday appeared to be the most impactful day of all, accounting for both the most fraud and legitimate sales (26% of the four-day total).

It's clear fraudsters are following shopper's habits. As more and more shoppers spend online, so does the amount of fraudulent attempts across CNP channels.

The uptick in holiday shopping card fraud leaves financial institutions in a tough position: Manage the fallout from higher declines or take on additional fraud risk to minimize cardholder disruption. Getting proactive about holiday card fraud can alleviate that burden.

To help you keep your cardholders protected, we've brought back our team's tips on how to manage incidents during this peak fraud season.

News broke this week that Macy's online payment portal on its ecommerce site was hacked by Magecart, a cyber criminal group known for injecting payment card skimmers into ecommerce websites. From what's been reported, we know payment data stolen was submitted by shoppers onto payment/checkout pages. 

Macy’s reported that it received an alert about "a suspicious connection between macys.com and another website,” which led to an immediate investigation. The hacker group reportedly injected computer code onto two pages at macys.com: The checkout page if credit card data was entered and an order was placed, and the wallet page of a shopper’s account page.

The questions left for financial institutions is what can they do about it, how can they protect their cardholders and how can they protect themselves in the future? We answer those questions in our latest breach alert. 

A new industry study about consumer perception around fault over card compromises is a good reminder for financial institution leaders about what their cardholders are concerned about most this holiday shopping season. 

A November 2019 study from Terbium Labs titled "How Fraud Stole Christmas" details that a majority of consumers, or 68%, responded in a survey that they would hold their financial institution "at least partly responsible for fraudulent activity, regardless of how the compromise occurred." Even if the merchant was the source of the breach, consumer perception over how their bank or credit union is protecting them appears to play a role in who a cardholder is most likely to point the finger at after an incident occurs.

Rippleshot is excited to announce Rules Assist™, an AI-driven decision rules analytics solution to empower community banks and credit unions in the fight against emerging fraud trends.

E-commerce fraud now accounts for roughly 75% of all card fraud, causing financial institutions to race to keep up with fraudsters. In response, top Fortune 500 financial institutions have embedded artificial intelligence and machine learning into their core business models. The four biggest banks in the U.S. budgeted a collective $38.4 billion for innovation and technology in 2019 alone.

Faced with more limited resources, community banks and credit unions often lack the technological edge to keep pace with innovations that greatly impact customer experience. Rippleshot Rules Assist was developed to address technology gaps smaller financial institutions face in their back office to efficiently protect their customers. Financial institutions will be able to cost effectively leverage AI and Machine Learning within their existing infrastructure without adding IT resources or staff. 

With Halloween behind us, it's time to start thinking about what's next: The holiday rush. For banks and credit union leaders, this means thinking about the holiday card fraud rush that comes along with the increased card spend activity.

With more holiday shopping taking place online, CNP fraud continues to rise. E-commerce, or CNP, fraud is 81 percent more likely to occur than in-store, or card-present fraud. As seen every holiday season, we anticipate a surge in fraud this year. The holiday season is also a busy time for fraudsters who prey on financial institutions who are reluctant to decline a transaction or re-issue cards in order to lessen customer impact.

Being prepared to combat holiday card fraud means proactively preparing long before the storm hits. As a refresher for 2019, we’ve brought back our team’s tips on what issuers can do to manage incidents during this peak fraud.

California has set a new precedent for breach notification laws that is continuing to gain ground nationwide. A bill was signed into law by Gov. Gavin Newsom that adds passports and biometric data ad part of the PII covered by California’s data breach notification law. 

California now joins15 additional states that require notification if a resident’s fingerprint or other biometric information is breached. The other states include: Arizona, Colorado, Delaware, Illinois, Iowa, Louisiana, Maryland, Nebraska, New Mexico, New York, North Carolina, South Dakota, Wisconsin, Wyoming and Washington.

“Now, California law will require companies to treat consumers’ passport numbers and unique biometric data with the same security that they would a credit card or Social Security number — if you collect it, you must protect it,” California Attorney General Xavier Becerra said.

This addition to the data breach notification law follows trends across the country that aim to crack down on how quickly businesses and government organizations must alert customers about their personal data being compromised. Conversations about how data breach legislation will impact how banks and credit unions approach consumer privacy and protecting personal credentials is an ongoing topic in Congress as well.

The push for greater digitization across the financial services ecosystem has created another challenge for financial institutions: New channels for fraudsters to exploit and monetize. 

Banks must keep up with customer demand and offer more to compete, but they must also be mindful of the security measures needed to keep up with these trends. This has left many FIs with a Catch-22. Fraud trends are changing as fraudsters get more sophisticated in the methods they use to breach personal and financial data.

Big banks are proactively working to get ahead of fraudsters, but many smaller institutions are still relying on time-consuming, manual methods to spot fraud patterns — or count on their call centers to alert them when fraud occurs. This approach involves a lot of upfront time, money and analysis, only to fall short in being able to accurately pinpoint where an organization's biggest risks and how to get ahead of those trends. 

 The bigger banks with deep pockets are gaining a FinTech edge with teams of data scientists and sophisticated software tools to keep their fraud detection tools aligned with what the market demands. Smaller FIs know to compete they must embrace new technologies such as AI and machine learning. But knowing how and where to start can be the biggest hurdle.