While it can take between six
months or even as long as 18
months for a credit card breach to be detected, it takes nine minutes or
less for a criminal to use stolen credit card data, Mastercard SVP of security
standards and solutions Bruce Rutherford said. With an increasing number of
businesses and smartphones being hacked, Mastercard has launched Early
Detection System, which alerts Mastercard commercial and consumer credit card
issuers their accounts may have been compromised.
"The intent is that we can get to a point where, months
in advance of fraud actually occurring, [card issuers] can accurately monitor
and defend themselves against the account we've alerted them on,"
Rutherford said.
The idea is this. News stories are common in which a company
announces it's been hacked and is investigating the breach. Frequently, it
turns out the company had been hacked months prior, meaning hackers had
cardholder details for months. Hackers may use those card numbers themselves or
sell the information on the dark Web in batches. Sometimes they charge $1 or so
on the card to test if it's still active before making larger purchases. EDS monitors
for these and other such activity before they turn into bigger losses.
While Mastercard already has fraud detection and prevention
measures, this paid subscription service combines existing Mastercard solutions
with broader intelligence and analysis, Rutherford said. With partners,
Mastercard mines and analyzes authorization and clearing data, analyzes dark Web
ecosystems like testing sites and honeypot computer security systems to look
for common points of purchase for data breaches, among other analysis. "If
we detect something that seems like it has strong evidence of being a breach,
we work with our account data compromise team, [which may] initiate a forensics
investigation. And if we believe there's strong confirmation of a breach, we
will alert issuers of accounts at risk," Rutherford said.
The EDS alerts indicate medium, high or very high risk. It
is then up to the issuer to decide whether to continue monitoring a particular
account, replace a single card or replace all cards for an account. While many
accounts may be compromised at once, Rutherford said, only 3 percent to 5 percent
actually suffer fraud. Issuers also must consider that replacing cards can be
expensive and inconvenient and that cardholders are inclined to use the new card
less.
"What
we typically see is that if a card itself has been reissued because of a breach,
40 percent of consumers may actually use a card less than they did on the
original card," Rutherford said. "By giving [issuers] proactive
analytical information on accounts we feel are high at risk well ahead of [confirmation],
we can then give them new tool sets to go back and stop those first frauds and
perhaps avoid the need to have to block and reissue across the board on all
their accounts."