Gartner Blog Network


Target Saga continues – too much for Fraud Detection systems?

by Avivah Litan  |  December 23, 2013  |  1 Comment

Chase’s and Citi’s action of setting thresholds on cash withdrawals on debit cards as a result of the Target breach is unprecedented, at least as far as I remember. It’s a little frightening that the fraudsters can cause such havoc.

How is the Target Breach affecting Card Issuers’ Fraud Detection operations?

a) PIN Codes Stolen

Target claims that PIN codes were not stolen during their heist. PIN codes are needed by a debit cardholder to authenticate for cash withdrawals at ATM machines or merchant registers – activities recently limited by Chase and Citi. Citi and Chase must have seen PIN fraud occurring on the cards stolen at Target in order to take such extreme actions.

By design, PINs are encrypted at the POS card readers and decrypted by card issuers (although there were reports years ago of split-microsecond systemic issues in PIN handoffs between processors, when PINs were exposed in the clear during momentary decryption).

So we have to assume that if the PINs weren’t skimmed or photographed or otherwise copied at Target’s POS operations, they were stolen in a different heist at another time (stolen perhaps via phishing scams or hidden ATM cameras).

That being the case, the criminals likely linked the previously stolen PINs to the magnetic stripe card data stolen from Target, and used the two data sets in combination to create cloned debit cards and make cash withdrawals.

Card issuers abhor ATM/Debit cash withdrawal fraud because they can’t reverse it to the merchant when it occurs. It’s just between them and the cardholder/consumer.

b) Geographically Smart Fraud

The fraudsters are using each stolen card at stores in or near the cardholder’s home ZIP code. This easily defeats the geographic rules in the card fraud systems that score a transaction as risky if it occurs far away from the cardholder’s locale (unless frequent travel within a given timeframe is part of the cardholder’s normal activity profile).

c) Taxing Anomaly Detection

The card companies’ fraud detection systems are very taxed by the Target breach. With so many active cards available for sale by the criminals, there are too many to put on a meaningful watch-list. After all, watching potentially a couple million cards becomes a somewhat meaningless exercise. Also, anomaly detection – which most card fraud detection systems rely on – fails when there are too many anomalies or outliers, as the outliers all start looking normal.
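The failure described in (c), shown as an added example that is not part of the original post: a simplified z-score outlier rule, assumed here as a stand-in for an issuer's anomaly detection, flags a handful of fraudulent withdrawals but none once they make up a large share of the population, because they inflate the mean and standard deviation they are scored against. The amounts, counts and threshold are constructed for illustration.

```python
import statistics

# Constructed sample data: 1,000 legitimate ATM withdrawals of $20-$100.
NORMAL = [float(a) for a in (20, 40, 60, 80, 100)] * 200
FRAUD_AMOUNT = 500.0  # constructed amount for every fraudulent withdrawal


def zscore_flags(amounts, threshold=3.0):
    """Flag each amount lying more than `threshold` std devs above the mean."""
    mean = statistics.fmean(amounts)
    stdev = statistics.pstdev(amounts)
    if stdev == 0:  # identical amounts: nothing can stand out
        return [False] * len(amounts)
    return [(a - mean) / stdev > threshold for a in amounts]


def fraud_detection_rate(normal, fraud_count, threshold=3.0):
    """Share of fraudulent withdrawals flagged when the baseline (mean and
    standard deviation) is computed over legitimate and fraudulent
    withdrawals pooled together, as an unsupervised detector would see them."""
    if fraud_count == 0:
        return 0.0
    fraud = [FRAUD_AMOUNT] * fraud_count
    flags = zscore_flags(normal + fraud, threshold)
    # The fraud entries were appended last, so their flags are the tail.
    return sum(flags[len(normal):]) / fraud_count


if __name__ == "__main__":
    # Few outliers stand out; many outliers shift the baseline and vanish.
    for count in (5, 50, 300):
        rate = fraud_detection_rate(NORMAL, count)
        print(f"{count:>3} fraudulent withdrawals -> {rate:.0%} flagged")
```

With two well-separated groups, the z-score of the outlying group is roughly sqrt((1 - p) / p) for contamination share p, so a 3-sigma rule stops firing once the outliers approach about 10% of the population.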

Conclusion
When I first heard of this breach, I was hopeful that the banks’ and card companies’ fraud detection systems could handle staving off any potential fraud. But after speaking with a few issuers, I realized I was wrong. And after hearing about Chase and Citi’s moves I realized the fraudsters are finally getting the upper hand and disrupting our holiday season.

Thankfully there are some innovative and good technological solutions that can be implemented in the future to more strongly authenticate a card holder — if not EMV Chip cards used by the rest of the world which no one in the U.S. seems to want to pay for.

Of course, nothing is perfect, but almost anything provides stronger security than magnetic stripe cardholder authentication, technology which is over 50 years old. How much technology do you use that’s over 50 years old?


Avivah Litan
VP Distinguished Analyst
12 years at Gartner
30 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Her area of expertise includes financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention applications…


Thoughts on Target Saga continues – too much for Fraud Detection systems?


  1. Steve Tillotson says:

    Please read the “comments” associated with this news item if you wish to be in touch with public opinion (and the price Target will pay for this)

    http://finance.yahoo.com/news/target-confirms-encrypted-pins-were-174040687.html

    There was “watergate” cover up, now there is “targetgate”, what revelations can be left on targetgate now….


