Ann Davidson, senior risk management consultant for CUNA Mutual Group, and Carlton Howard, vice president of risk management at the $2.2 billion Coastal Federal Credit Union, urged credit unions not let themselves become paralyzed into vulnerability no matter how frequent or large the card data security breach.
The two provided three tips credit unions can implement to minimize the costs of card fraud:
Davidson said credit unions seeking to limit or eliminate card fraud need to first look to their own staff, educating them overall about their card programs and the layers of security that could prevent fraudulent transactions.
“Just as no two credit union credit or debit card programs are alike,” Davidson said, “no two card fraud prevention programs are alike. But all programs share a few things in common, and making sure that everyone at the credit union understands the card program is a good first step.” Davidson explained that since the Target breach, she has still encountered credit union employees who expressed confidence their credit union's debit card program is safe from fraud related to the breach because thieves had not been able to capture the cards' PIN data.
“Of course that's wrong” Davidson said, “if both tracks of card data have been compromised, the card is at risk of being counterfeited.”
She added such statements show credit unions needed to do a better job of educating their employees and members about card fraud.
Howard, who has more than 30 years’ experience fighting fraud at Coastal, also said as credit unions educate employees about their card programs and the fraud risk, they should also designate who will be responsible for tracking fraud and accepting accountability for it.
“You almost need someone with a heart for fighting fraud,” he said, adding the person should be accountable for fraud tracking, from month to month, quarter to quarter and year to year, so the problem is always well understood and controlled.
Read more: Anti-Fraud Toolkits
2. Anti-Fraud Toolkits
The second part of a strong anti-fraud strategy, Davidson said, is building a robust anti-fraud toolkit. She acknowledged such an anti-fraud effort is most likely to be tailored to each individual card program and budget.
Common strategies might include getting to know the credit union's card processor or third party security vendor, and the neural network they use, so credit union executives become completely familiar with the tool’s capabilities.
Howard offered some details of Coastal's card fraud response toolkit. While stressing not all of Coastal's tools or strategies might fit every credit union, he agreed with Davidson about the role a good neural network can play in fraud protection.
Coastal experienced roughly $25,000 in PIN debit fraud in 2013, down from 2012; $128,000 in signature debit fraud, also down from 2012; and, $174,000 in credit card fraud, which was up a bit from 2012.
Coastal’s card portfolio includes at least 90,000 debit cards and 24,000 credit card accounts worth $82 million.
“Sometimes we change the parameter of our neural network weekly,” Howard said, “depending on what we see as a fraud threat that week. People don't realize it, but a breach happens every day – every day you can get alerts about compromised cards. Now most of time, it may only be three or five or 10 cards, but you have to be able to work with your fraud prevention partner on short notice.”
Howard said Coastal focuses on proactively tracking fraud, routinely reading security blogs such as Krebs on Security or data tracking web sites in order to find out about breaches and potential breaches as soon as possible.
“We found out about the Target breach by reading it on Krebs,” Howard said, adding that the early warning allowed Coastal to use a tool to identify the roughly 14,000 debit card holders who had shopped at Target during the breach period.
As a result, the credit union had a head start evaluating the risk presented by those cards and mapping out a strategy, he said.
“We take a pretty conservative course so we decided to block all those cards,” Howard explained, but added Coastal had been conscious of the holidays and chose to block the cards on Jan. 6, unless card costs topped $40,000 before that date.
“We figured we might take a bit more fraud losses by holding off [the block] for as long as we did, but we also knew that this time of year our members were going to be shopping like crazy and traveling like crazy, and the last thing anyone needs to happen is for a card to suddenly stop working.”
Howard also made a distinction between reissuing and blocking the compromised cards, compared to blocking and then reissuing compromised cards.
“Our policy is that every member who has had a card compromised will have a new card in their hand before we block the old one, whenever possible,” Howard said.
He also said he hoped to conduct a test later this year to determine whether reissuing and blocking is necessarily the best policy all the time. In the BJ's breach in 2004, for example, Howard reported that Coastal took $40,000 in fraud losses but spent $80,000 on reissuing and blocking cards.
Howard acknowledged that Coastal was always making a slightly different calculation of risk versus reward when confronted with a decision about whether to close and reissue, and he said much of the decision depended on what sort of breach the credit union was facing.
If card PIN's have compromised, for example, he said Coastal is more likely to block and reissue cards, because compromised PINs used at ATMs could cost the credit union a lot of money in a very short period of time.
The tool Coastal used to find out which debit card holders had shopped at Target is called CO-OP Revelation, and was provided by debit processor CO-OP Financial Services. Howard stressed that other processors have the same or similar program available.
“It’s very useful to help us plan the placement of branches or ATMs, for example,” Howard said, “because we can tell where our members are shopping and plan accordingly.”
Finding out about a breach as soon as possible also helps Coastal get cards more quickly into the hands of members if it decides to block and reissue, Howard noted, pointing out that there is often a big draw on card plastics after a breach, and it’s good to get your orders in first.
He also reported that Coastal keeps a supply of plastics on hand at its fulfillment partner so that it would be able to re-issue efficiently if needed.
Read more: Member Involvement
3. Member Involvement
As a final suggestion, both Davidson and Howard urged credit unions to get their members involved in preventing fraud. The two pointed out there are a number of strong anti-fraud measures available, such as setting daily spending limits or transaction limits; like transaction monitoring, members must opt-in for the services.
Davidson has a daily spend limit on her card, for example, and she said she can change it when she anticipates making a large purchase or traveling. Howard said he also uses a similar alert.
Educating members about the fraud threat and the role they can play in managing it can turn something which members find a tedious hassle into something they welcome, Howard said.
“Our members love our transaction verification calls,” he explained. “When we make them they know we are protecting them and their money and they are very grateful.”