JPMorgan Chase and Bank One DAY ONE

Download Report

Transcript JPMorgan Chase and Bank One DAY ONE 

Fraud Prevention and Risk:
Protecting Your Procurement Card Program
Presented By
Patricia Larkin Green, VP, Relationship Manager
J.P.Morgan, Wholesale Card & Procurement Services
Overview
 Patricia Larkin Green, VP J.P.Morgan
 Evolving History and Trends
 Steps J.P.Morgan is taking to Combat Fraud
 Addendum
 Questions, Concerns
Types of Fraud
 Lost: Recovery varies
 Stolen: Recovery varies
 Non-receipt: NRI - Non-receipt of card
 Internet: Card Not Present/MOTO/Internet: Recovery is good
 Counterfeit/skimming: Card present - Recovery unlikely
thru chargeback process
 Stolen/compromised number: Recovery varies
 Account takeover: True name fraud
3
Fraud by Type 4Q06 – 3Q07
Counterfeit and Card Not Present Fraud are the fastest growing fraud type today
$15
$13
Card
Not
Present
$10
$8
Counterfeit
$5
Lost
$3
$0
Sept
Stolen
NRI
Acct Takeover
Misc
Jan
May
Sept
Consumer Credit and
Commercial Card
4
Fraud Trends
 Increase in Counterfeit Cases –
1Q09 trending higher than FY08.
 Test Merchants –
Method in which fraudsters test the status of the card.
 Gift Cards –
Counterfeit card used to purchase gift cards from a retail
merchant.
 Day to Day Living Expenses –
Not easily detected in the tools.
 Gas Pumps –
Focused on states with fewer controls.
5

Fraud activity - Dynamic and nimble.

“Carder” Sites - Well organized with business like structures.


Wireless Technology - One of the leading drivers in hacking
events.
Skimming - Continues to challenge the industry.






Four step process is followed to validate a compromise
occurred.
Issued after confirmation that account data has been
accessed by an intruder.
JPM Commercial Card handles about twelve alerts per week.
Not a breach involving JPM systems.
Assessment is done by JPM to determine level of risk and
strategy.
JPM cannot reveal the name of the merchant or company
involved in the breach.
Fraud Strategy and Case Analytics







Review of fraud cases to identify fraud trends and patterns of test
(probe) merchants.
Adjust fraud tools and strategies to target the most recent trends or test
merchants.
Review false positive fraud ratios weekly and revise strategies if needed
to reduce fraud exposure without impacting spend
Participate in regular meetings with processors, Associations and other
issuers to validate industry trending.
Identify Common Points of Purchase(CPP) in relation to confirmed fraud
cases. We turn this over to the Associations for forensic investigation.
Work with law enforcement on large fraud cases that involve suspected
fraud rings.
Suggest and implement enhancements to further refine fraud detection
tools.








Analyze accounts queued in the Fraud Detection Systems or
via Association Alerts to detect fraud, misuse or credit related
risks (i.e. NSF Payments).
Contact Cardholders to validate transactional activity.
Work with the Program Administrators in reaching card
members.
Block accounts, flag fraud transaction(s), fraud report
confirmed fraud to Associations.
Process replacement card requests.
Initiate recommendations on strategic opportunities related
to trends and test merchants.
Handle Inbound calls to verify transaction activity.
Partner with Program Coordinators on potential misuse in
escalation to the Program Administrators.
What is J.P.Morgan Doing to Prevent Fraud?

Hologram

Tamper-evident signature panel

Unique Magnetic strip encoding
10
What is J.P.Morgan Doing to Prevent Fraud?
 E-mail alerts are generated from Visa/MasterCard
notifying of account number compromise
 J.P.Morgan security representatives review accounts and
make proper contact with cardholders or administrators
based on information obtained from Visa and MC alerts
 J.P.Morgan security representatives contacts appropriate
agency – FBI, Secret Service, or other law enforcement
agencies with pertinent fraud information based on
requirements within the Visa or MC alert
11
What is J.P.Morgan Doing to Prevent Fraud?
3. Cardholder and client awareness
 J.P.Morgan works with program administrators to develop
proper card control to reduce risk i.e:
 MCC codes
 credit limits
 purchase velocity limits
 Participate at conferences and forums to educate
cardholders and clients on current trends and fraud
prevention
12
What is J.P.Morgan Doing to Prevent Fraud?
4. Fraud detection systems
 Flexible Fraud detection systems are used that provide the
ability to target both general fraud trends as well as
specific trends
 Criteria/rules dynamically defined based on analysis of
current fraud trends
 Fraud patterns
 Specific MCC
 Dollar amounts
 Geographic location
 Specific merchants
13
What is J.P.Morgan Doing to Prevent Fraud?
4. Fraud detection systems (cont)
 When authorizations meet these pre-defined criteria, the
account is sent to queue
 J.P.Morgan security representatives analyze account and
determine if contact with cardholder and/or program
administrator is needed
 Merchant referral status put on account if appropriate
14
Fraud Department Structure
 Partner with Program Coordinators on potential misuse in
escalation to Program Administrators.
 Initiate recommendations to Clients on strategic opportunities
related to improved authorization controls.
 Open Fraud Cases
 Fraud Report to the Associations
 Send Affidavit
 Request and initiate chargeback for recoveries via Association regulations
 Investigate High Risk Merchant Category Codes to identify potential
suspect
 Analyze for account history for potential point of compromise
 Work with various law enforcement agencies
15
Fraud Chargeback Process
J.P.Morgan
account
Orders
puts temporary credit on
copy of sales draft-30 days
Affidavit
sent and customer to return
within 30 days
Customer
calls to report fraud
SALE
If
merchant contests, case in
arbitration with Visa-30 days
Representment
Merchant
Settlement
can dispute-45 days
of decision by Visa
Second
16
of charge to merchant
representment of charge
to merchant-30 days
Fraud Department Structure
 Recovery Investigations
 Upon receipt of the signed affidavit the Recovery
Investigator will initiate request to the merchant(s) to obtain
documentation on the fraud transaction(s) (This process
takes approximately 45-90 days)
 If JPMorgan Chase recovers the loss via the Association
Regulations the Recovery Investigator will issue credit(s) for
the fraud dollars to the old (lost/stolen) account to offset
the initial debit that was placed on the old account when the
case was initially opened.
17
Use card controls available:

Restrict MCCs when possible, especially high risk MCCs.

Set daily velocity and dollar limits on MCCs.

Review the credit limits and determine based on usage.

Set limits for the expected usage.

Cash access should only be granted as needed.

Flag can be set to restrict all foreign transactions in some
cases.
Program Monitoring:
 Review transactions for exceptions and declines.
 Educate your cardholders to:
 review their transactions and statements.
 go into a bank to get cash or use a bank owned ATM.
 Use account blocking for temporary leaves or infrequent
travelers.
Company A Fraud Losses
2006
$88,000
2007
$86,000
2008(YTD)
$18,448





Increase in fraud loss trend detected.
MCC changes implemented May, 2007.
Over $50,000 in fraud losses avoided in two
months.
Common point of compromise identified and
reported to Association.
Investigation resulted in confirmation of a
merchant breach.
PROTECT UAZ’S CARD PROGRAM
 Watch for Red Flags
 Excessive Declines
 Unusual Merchants
 Cardholder Awareness
 Small $ Purchases
 Pay Attention to Notifications of Charges
 Phishing Emails
PROTECT UAZ’S CARD PROGRAM
 Guarding the Data
 Use Encryption Program (Some are free!)
 Don’t Keep Card #s or Personal Information on
the Desktop
 Work with IT to Make Sure Systems are PCI
Compliant
Patricia Green, VP Product Specialist
JPMorgan
patricia.m.green@jpmchase.com
abuse@jpmc.com to report scams
High Risk MCCs
Top Merchant Category Codes – Fraud Losses

5310 Discount Stores

5411 Grocery Stores and Supermarkets

5200 Home Supply Warehouse

5941 Sporting Goods
Block or Data-Mine

5311 Department Stores
These MCCs

5541 Service Station

5542 Automated Gas Pump

5912 Drug Store and Pharmacy (Gift Cards)
Other High Risk Merchant Category Codes
 5732 Electronic
 5944 Jewelry Watch and Clocks
 5945 Hobby Toy and Game Store
 5948 Luggage and Leather Goods
 5722 Household Appliances
 5300 Wholesale Clubs
 5734 Computer Software
 4812 Telecommunication Equipment Including Telephone
Sales
Why are my passwords so complex?
Combinatio
ns
Six Characters
Example
All numbers
123456
1,000,000
58
abcdef
309,000,00
0
17,882
1a2b3c
2,180,000,0
00
126,157
1a#2b$
3,520,000,0
00
203,704
ABcDeF
19,600,000,
000
1,134,2
59
AB1dE2
56,800,000,
000
3,287,0
37
AB1#cD
690,000,00
0,000
39,930,
556
All letters
Numbers & letters
Numbers, letters and special characters
Lower and upper case letters
Lower and upper case letters and numbers
Lower and upper case letters, numbers and
special characters
Days
Did you know how long it tacks a hacker to crack a
password?
Where can I go for more information?
http://www.ic3.gov
http://www.fbi.gov
http://www.ftc.gov
http://www.lookstoogoodtobetrue.com/
We can all play a significant part in thwarting Fraudulent
activity by practicing strong computer security habits such
as updating anti-virus software, using strong passwords and
employing good email and web security practices.