Chase’s and Citi’s action of setting thresholds on cash withdrawals on debit cards as a result of the Target breach is unprecedented, as least as far as I remember. It’s a little frightening that the fraudsters can cause such havoc.
How is the Target Breach affecting Card Issuers’ Fraud Detection operations?
a) PIN Codes Stolen Target claims that PIN codes were not stolen during their heist. PIN codes are needed by a debit cardholder to authenticate for cash withdrawals at ATM machines or merchant registers – activities recently limited by Chase and Citi. Citi and Chase must have seen PIN fraud occurring on the cards stolen at Target in order to take such extreme actions.
By design, PINs are encrypted at the POS card readers and decrypted by card issuers, (although there were reports years ago of split microsecond systemic issues in PIN handoffs between processors when PINs were exposed in the clear during momentary decryption).
So we have to assume that if the PINs weren’t skimmed or photographed or otherwise copied at Target’s POS operations, they were stolen in a different heist at another time (stolen perhaps via phishing scams or hidden ATM cameras).
That being the case, the criminals likely linked the previously stolen PINs to the magnetic stripe card data stolen from Target, and used the two data sets in combination to create cloned debit cards and make cash withdrawals.
Card issuers abhor ATM/Debit cash withdrawal fraud because they can’t reverse it to the merchant when it occurs. It’s just between them and the cardholder/consumer.
b) Geographically Smart Fraud The fraudsters are using cards at stores in or near the resident zipcodes of the cardholder for a stolen card. This easily defeats the geographic rules in the card fraud systems that score a transaction as risky if it occurs far away from the cardholder’s locale (unless it’s within a normal profile of the cardholder’s activity to travel frequently within a given timeframe).
c) Taxing Anomaly Detection The card companies’ fraud detection systems are very taxed by the Target breach. With so many active cards available for sale by the criminals, there are too many to put on a meaningful watch-list. After all, watching potentially a couple million cards becomes somewhat a meaningless exercise. Also, anomaly detection – which most card fraud detection systems rely on – fails when there are too many anomalies or outliers as the outliers all start looking normal.
When I first heard of this breach, I was hopeful that the banks’ and card companies fraud detection systems could handle staving off any potential fraud. But after speaking with a few issuers, I realized I was wrong. And after hearing about Chase and Citi’s moves I realized the fraudsters are finally getting the upper hand and disrupting our holiday season.
Thankfully there are some innovative and good technological solutions that can be implemented in the future to more strongly authenticate a card holder — if not EMV Chip cards used by the rest of the world which no one in the U.S. seems to want to pay for.
Of course, nothing is perfect, but almost anything provides stronger security than magnetic stripe cardholder authentication, technology which is over 50 years old. How much technology do you use that’s over 50 years old?
Read Complimentary Relevant Research
Top Strategic Predictions for 2019 and Beyond: Practicality Exists Within Instability
Technology-based change is happening continuously, and most organizations struggle to see the change in advance. Continuous change can...
View Relevant Webinars
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.