
MasterCard International

Credit Card Security & Risk

IS6800 Group Presentation

Mike Cornish
Kathleen Delpha
Mary Erslon

November 2004

Agenda

• MasterCard Organization
• Credit Card 101
• Credit Card Fraud
• Case Studies
  - Card Not Present Fraud
  - Identity Theft Fraud
• Best Practices for Credit Card Security

MasterCard Organization

MasterCard’s IT & Security Organizations [1]

[Organization chart. Top: CIO & SEVP, Global Technology & Operations (the CIO reports to the President & CEO). Reporting units: SVP GTO Human Resources; SVP Computer & Network Services; SVP Security & Risk Management; SVP GTO Administration; SVP Member Services; SVP Systems Development; SVP Debit Services; SVP Technology Business Management; VP Technology Communications. Legend: Direct IT Functions; Security & Fraud Functions.]


Major IT Decisions [1]

• IT Principles: MasterCard GTO level
• IT Architecture: MasterCard GTO level
• IT Infrastructure: MasterCard GTO level
• Business Application Needs: Federal
  - Core: MasterCard GTO level
  - Value Added*: Mixture of GTO and business levels
• IT Investment and Prioritization: Duopoly (CxO level & GTO)

* Includes Security & Risk Management applications

Governance [1]

• Transitioning to IT Duopoly at the CxO level from IT Monarchy
• All IT spending remains under control of GTO
• GTO led initiative to bring transparency to the IT decision making processes, and to bring business involvement into IT investment management
• CxO level sets budget for technology investment & decides priorities
• GTO investment management office
  - Facilitates business prioritization by CxO level
  - Allocates & tracks technology spending across GTO

Metrics

• 37 Sites: Global HQ, GTO HQ, 5 regional & 30 local country offices [2]
• Total GTO FTE*: ~2,000 [3]
• Total MasterCard FTE*: ~4,000 [2]
• Desktops: ~4,800 worldwide [4]
• Security & Fraud Applications: 115
• GTO’s IT Budget for 2003 was ~11% [6] of Total Revenue of $2.23 Bn [7]

* Full-time Equivalents (employees, contractors, temps)


Credit Card 101

Open System: Interchange Model*

[Diagram: Cardholder, Merchant, Issuing Bank, Acquiring Bank, Issuing Processor and Acquiring Processor, connected by links labelled Account Relationship, Statementing Relationship, Transaction Relationship and Processing Relationship. Callout: “Biggest threats come from outside the payment system!”]

* Structure for Visa is similar.

Open System: Interchange Transaction Flow*

Participants: Merchant, Acquiring Processor, Acquiring Bank, Issuing Bank, Issuing Processor, Cardholder

Messages, in the order shown on the slide:
• Authorization Request (real-time)
• Authorization Response (real-time)
• Merchant Deposit
• Merchant Payment
• First Presentment Notice
• Settlement
• Statement
• Payment

* Flow is similar for Visa.

Closed System*

[Diagram: Cardholder, Merchant and Acquiring Processor, connected by links labelled Account Relationship and Transaction Relationship. Callout: “Biggest threats come from outside the payment system!”]

* Structure for Discover is similar.

Closed System: Typical Transaction Flow*

Participants: Merchant, Acquiring Processor, Cardholder

Messages, in the order shown on the slide:
• Authorization Request (real-time)
• Authorization Response (real-time)
• Merchant Deposit
• Merchant Payment
• Statement
• Payment

* Flow is similar for Discover.

MasterCard’s Space

• MasterCard International is a global payments company [2]
  - Membership corporation of 25,000 financial institutions that issue MasterCard, Maestro, and Cirrus branded cards
  - Licensor and franchisor for the MasterCard, Maestro, and Cirrus payment brands
• 2003 Key Business Indicators [2, 8]
  - Gross volume: US$ 1,272 Bn
  - Number of transactions: 13.2 Bn
  - Number of accounts: 529.5 MM
  - Number of cards: 632.4 MM
  - Number of merchants: 22.0+ MM in 210 Countries
  - Number of ATMs: 900K+ in 120+ Countries

Not MasterCard’s Space [2]

• MasterCard does not…
  - Issue cards
  - Set annual fees on cards
  - Determine annual percentage rates (APRs)
  - Solicit merchants to accept cards or set their discount rates

Credit Card Fraud

MasterCard’s Strategies

Headlines

[Images of news headlines dated Jan 23, 2003; Sep 12, 2003; Aug 5, 2004; Oct 24, 2003; Feb 19, 2003; March 17, 2003; Nov 20, 2001; Feb 27, 2003; Sep 12, 2003.]

Types of Fraud [9]

• Identity Theft*
  - Application Fraud
  - Account Takeover
• Card Not Present*
  - Mail, telephone, web
• Counterfeit*
  - Skimming
  - Account number generation
• Lost & stolen
• Never Received after Issue
• Merchant Fraud
  - Collusion
  - Triangulation

[Bar chart: Incidence of Fraud by Method, y-axis 0% to 50%. Bar labels: Counterfeit, ID Theft, Lost/Stolen, Never Received, Other, Skimming. Bar values, largest first: 48%, 15%, 14%, 12%, 6%, 5%.]

* Increasing and gaining a lot of attention in recent years, especially in the online space

Industry Fraud Estimates*

[Chart: Fraud Rates as % of Transaction Volume, citing [10], [11], [12], [13]]

* There is no true consolidated source for credit card fraud statistics in the industry

MasterCard’s Security & Risk Mission

Mission [14]:
“Protect brand integrity and manage fraud risk through best in class core and value added services with integrated end to end solutions to help position MasterCard as the Global Payments Leader”

Security & Risk Management Applications & Services [5]

[Matrix: Application or Service (columns) against Fraud Type (rows: ID Theft, Counterfeit, Lost & Stolen, Never Received, Merchant Fraud, Card Not Present). Cells are marked A (Awareness), D (Detection) or P (Prevention).]

Case Study

Card Not Present Fraud

“Card Not Present” Defined

• Definition [9]:
  - Neither the card nor the cardholder is present at the point-of-sale
  - Merchants are unable to check the physical security features of the card to determine if it is genuine
  - Ecommerce; online or telephone transactions
  - No way to dispute a cardholder claim that a purchase wasn’t made

Ecommerce Market [15]

• > $3 Trillion worldwide
• MasterCard research shows that 90% of online buyers worry about their personal and financial information online

Statistics

• MasterCard CNP incidents account for between 80 and 84% of credit card fraud [16]
• Online fraud rates up to 30x higher than in the physical world [17]
• 2003: $1.6B or ~2% of all online sales lost to credit card fraud [17]
• 2004 credit card fraud rate has decreased by 0.5% since 2000, but the amount lost has increased by 60% [19]
• Projected losses to internet merchants in 2005 expected to be $5 - $15 billion [9]

Statistics (continued)

• Merchant Risk Council Survey 2003 [19]
  - Fraud chargeback rates > 1% = 9.7%
    - 50% reduction since 2002
  - Fraud chargeback rates < 0.35% = 64%
    - 30% increase since 2002
  - 17% of merchants spent > 2% of revenue on fraud prevention
    - 30% increase since 2002

Examples of Card Not Present Credit Card Fraud

• Low-Tech:
  - Dumpster Diving
  - Card Loss/Theft
• High Tech:
  - Phishing or site cloning
  - Account number generators
  - Online “auctions” or false merchant sites

Card Not Present

• May be caused by
  - Less-than-diligent cardholder (dumpster diving, theft)
  - Cardholder response to plausible ploy (phishing)
• May be out of cardholder’s control (numbers generator, hacking)

Combating CNP Fraud: Legislative Examples

• Anti-Phishing Act of 2004 [20]
  - Introduced 07/04 by Sen. Leahy (D-VT)
  - Phishing responsible for $2B in merchant losses/year
  - Enters 2 new crimes into US Crime Code
    - E-mail that links to sham websites with the intent of committing a crime
    - The sham websites that are the true scene of the crime

Combating CNP Fraud: Legislative Examples

• State laws [21] regulate the amount of information on a credit card receipt to the last four numbers of the credit card
  - Expiration date may not appear on receipt
  - CA, WA, MD, CT enacting legislation

Combating CNP Fraud: Consumer

• Education and Awareness
• Consumer “Best Practices”

Combating CNP Fraud: Merchant

• Multi-level technical solutions
  - Cardholder Authentication
  - Neural Networks

Case Study: SecureCode™

• Licensed MasterCard cardholder authentication solution [15] enables cardholders to authenticate themselves to their issuer through the use of a unique personal code (PIN)
• A VISA counterpart is “Verified by VISA” or “VbyV.”

SecureCode [15]

• Cardholders enter their secure code in a separate browser window before an on-line transaction can be authorized
• Requires a merchant “plug-in,” or software module, to be deployed on the merchant’s website
• Requires the merchant to use a data transport mechanism and processing support

SecureCode [15]

• The participating merchant gets explicit evidence of an authorized purchase (authentication data)
• Fully guaranteed online payments – protection from chargebacks
• MasterCard mandated that issuers implement support for MasterCard SecureCode by November 1, 2004

SecureCode and eTronics [22]

• A Top Ten Internet consumer electronics retailer
  - >200,000 customers and 300,000 orders annually
  - Over $65 million in yearly sales
• In 2002, eTronics had credit card chargeback costs of over 1 million/year
• Implemented SecureCode in 2003
• “Too soon to tell” impact since SecureCode is not yet implemented globally, but eTronics is “optimistic and enthusiastic” about its success

“Phishing Attack” – Mike’s Experience

[Screenshots: Phishing Attack Website; Authentic MyCiti Website]

Case Study: RiskFinder™

• A “neural network” system
• Fair Isaac’s proprietary profiling technology for fraud prevention – RiskFinder [23] is a MasterCard-specific application
• Enables transactions to be “scored” based on highly detailed cardholder patterns/behavior, existing patterns of fraud, and merchant trend data [23]

Case Study: RiskFinder™

• The institution can establish a transaction score threshold, and conduct supplemental review and cardholder follow-up on any transaction that scores above the threshold [23]
• RiskFinder has saved issuers up to 50% in fraud losses [23]

Citibank Fraud Detection

[Video: commercial] www.fightidentitytheft.com/video/babe_magnet.mpeg, viewed October 30, 2004

RiskFinder and Kathleen’s Story

• Kathleen’s daughter goes camping in Venice.

Case Study

Identity Theft Fraud

Identity Theft: The neoteric crime of the IT era [24]

• Identity theft is the illicit use of another individual’s identifying facts to perpetrate an economic fraud, such as
  - Opening a bank account
  - Obtaining bank loans or credit
  - Applying for bank or department store cards
  - Or leasing cars or apartments
  in the name of another. [24]

Citibank Identity Theft

[Video: commercial] www.fightidentitytheft.com/video/flaps_mpls_te_mpg.mpeg, viewed October 30, 2004

Identity Theft: The neoteric crime of the IT era

• Number one source of consumer complaints to the Federal Trade Commission (FTC) in 2001 (and thereafter) [25]
• Credit card fraud was most common form of identity theft in 2002 according to the FTC [25]

Identity Theft: The neoteric crime of the IT era

[Figure, citing [26]]

Identity Theft: The neoteric crime of the IT era

• “Compared to equally profitable crimes involving drug or gun trafficking, the sentencing for identity fraud is much lighter—and these folks are tough to catch.”
  - Bruce Townsend, Special Agent in charge of Financial Crimes Division, Secret Service [27]

Identity Theft: The neoteric crime of the IT era

• In 52% of cases in which the victim discovered how the information was stolen, the thief turned out to be a family member, neighbor, or coworker. [28]
• Low-Tech sources include:
  - Paper records of personal information kept by numerous sources.

Identity Theft: The neoteric crime of the IT era

[Figure, citing [29]]

Identity Theft: Causes

• Phishing
  - “Stealing corporations’ identities as a means to impersonating individuals” [30]
• Greater number of pieces of personal information = greater chance of Identity Theft

Identity Theft:

• To counteract phishing, corporations are using software to search for sites breaching their copyrights, then going directly to the company hosting the bogus site to get it shut down. [30]
• 5% of consumers respond to phishing according to the Anti-Phishing Working Group. [31]

Identity Theft: High Tech Causes

• Hacking merchant sites, home computers and any place where personal information is stored.
  - Servers that aren’t set up correctly can be compromised by techniques like “end-mapping,” which “pings” servers systematically until it finds an open port to exploit.
  - Trojan horse content can slip by ordinary packet filter devices deployed by firewalls (spyware, keyloggers). [32]

Identity Theft: High Tech Causes

• Commandeering other applications.
  - Eavesdropping software that reports to the hacker a person’s keystrokes and uses it to pick up passwords and gain entry. [32]

Identity Theft: High Tech Causes

• Case Study: “Operation Firewall”.
  - 28 Identity Theft Suspects arrested
  - 1.7 million stolen credit card numbers
  - Investigation instigated by MasterCard’s senior vice president of security risk services. [33]

Identity Theft: Low Tech Causes

• Security firms tend to stress physical security issues, which are easier to identify and remedy than human vulnerabilities.
• Financial institutions, in order to reduce the risk from within, must create and sustain an institutional culture that values and promotes critical thinking, high self-esteem and genuine loyalty to the institution. [34]

Identity Theft: Actions to Combat

• Legislative
  - Identity Theft and Assumption Deterrence Act of 1998 [24]
  - Privacy Act of 2001 [35]
  - Consumer Privacy Protection Act, May 2002 [29]
  - Identity Theft Prevention Act, Jan 2003 [29]
  - SSN Misuse Prevention Act, Jan 2003 [29]
  - Fair and Accurate Credit Transactions Act of 2003 [36]
  - Anti-Phishing Act of 2004 [20]

Identity Theft: Actions to Combat

• Payment Industry: calling for implementation of technology that definitively corresponds the user to the instrument. [27]

Identity Theft: Actions to Combat

• Identity Authentication Technologies
  - Biometrics
    - Face recognition
    - Retina scans
    - Fingerprint authentication
    - Voice/speech verification
    - Handwriting analysis
  - Genetic Engineering
    - Analyzing DNA components of human fluids & cells. [25]

Identity Theft: Actions to Combat

• Use of Public Key Infrastructure (PKI)
  - Digital signature
  - Protects electronic records
  - Inherent security hinges on who has access to system. [25]

Identity Theft: Actions to Combat

• System embedded security controls to enhance the privacy and confidentiality of information processed across Internet architectures
  - Data encryption
  - Digital signatures
  - Secure socket layers (SSL)
  - Cryptographic protocols such as hypertext transfer protocol over SSL (HTTPS) [37]

Identity Theft: Actions to Combat

• Smart Cards
  - Contain embedded CPU (electronic chip).
  - 32-kilobyte mini-processors are capable of generating 72 quadrillion encryption keys.
  - Can be programmed to perform tasks & store information.
  - Practically impossible to fraudulently decode. [9]

Identity Theft: Actions to Combat

• Personnel & Procedures
  - Background checks
  - Limit access through password protection
  - Leave an audit trail of who got into files & when
  - Shred information being thrown away
  - Train staff by creating a security handbook [25]

Identity Theft: Actions to Combat

• Designate a Privacy Officer – could be the Information Manager

“Privacy and security do not work if you do not have top-level buy-in. Information managers might very well be the key people within the organization to help accomplish this.”
- Gary Clayton, Founder & Chairman, The Privacy Council [25]

Identity Theft: Actions to Combat

• Use of a layered approach to security
  - Perimeter
  - App-layer protection
  - Intrusion detection
  - Monitoring tools
• Strategic rather than silver-bullet approach [32]

Issuers Clearinghouse

• Joint MasterCard and Visa service.
• To detect fraudulent and high-risk credit card applications.
• Screens, validates & tracks
  - Addresses
  - Phone numbers
  - Social Security numbers [38]

NameProtect®

• Monitors Internet 24x7
• Watches all gTLD and ccTLDs, new registrations, and activations.
• “Identifies Web sites, emails, chat rooms and other electronic venues where personal credit card data is published, sold or traded.” [39]

Identity Theft

“Rather than posing security as a hurdle to overcome, companies should view their customers’ privacy needs as an opportunity through which they can differentiate themselves as trust leaders, increase their financial value and even energize entire economies.”
- Glover T. Ferguson, Chief Scientist, Accenture [26]

Best Practices

Best Practices: All Industries [40]

• Protect your employees and customers from ID theft
  - Ask only for necessary information
  - Don’t use SSNs as identifiers
  - Regularly check backgrounds of employees who have access to identifying information
  - Define a privacy policy and communicate it to your customers and employees

Best Practices: All Industries [40]

• Protect sensitive paper information like payment card numbers, social security numbers, and customer identifying data
  - Secure records in a vault or under lock-and-key
  - Restrict access only to persons with a legitimate need to know
  - Shred records when they are no longer needed
  - Immediately report security breaches to affected customers and law enforcement

Best Practices: All Industries [41]

• Conduct a risk assessment for impact from loss or disclosure of business data

Area of Concern          Low    Medium     High
Business Disruption      -      Moderate   Major
Legal Impact             -      Minor      Major
Financial Impact         -      Minor      Major
Health & Safety Impact   -      -          Threatened
Effort to Restore        Easy   Moderate   Significant

• Design record retention policies and physical access controls based on the assessed risks from loss or disclosure.

Best Practices: IT Functions [42, 43]

• Use firewalls, anti-virus, anti-spyware, and access control software to protect networks and computers
• Keep operating system and security software up-to-date with latest security patches from vendors
• Define policies for strong passwords and change them frequently
• Monitor for signs of network and web server attack
• Monitor security websites for breaking information about new threats and best practices (e.g., CERT® Coordination Center)

Best Practices: IT Functions [43]

• Protect sensitive electronic info like customer identifying data and account numbers
  - Segregate sensitive data on separate servers from web servers
  - Restrict data access rights to only those persons and systems with legitimate need to know
  - Consider encrypting sensitive information housed in databases

Best Practices: Consumers [44]

• Only give payment account numbers or personal identification information to companies you have contacted
• Challenge businesses that ask for it about why they need to know
• Avoid saying information over the phone when others may hear
• Do not carry unnecessary payment cards or identification papers (e.g., social security card, birth certificate) in your wallet or purse
• Do not use SSN for your driver’s license or other identification cards

Best Practices: Consumers [44]

• Keep track of receipts for payment card transactions
• Shred receipts and account statements having full account numbers
• Cancel unused credit card accounts*
• Keep a list of all of your payment card account numbers along with their issuers’ names and contact numbers so you can cancel them quickly if lost or stolen

* But be aware of potential credit score impact

Best Practices: Consumers [45]

• Use firewall, anti-virus, and anti-spyware software
• Keep your PC operating system and security software up-to-date with latest security patches from your vendors
• Be suspicious of emails and websites requesting private information
• Verify URLs and make sure websites are secure before entering account numbers and personal identifying information
• Be careful locating sites through search engines
• Call the company if you are unsure of the validity of a site

Best Practices: Merchants [46]

• Card Present
  - Check that the embossing extends into the hologram
  - Check the hologram and indent printing
  - Compare the signature on the card and sales draft
  - Check that the magnetic strip appears authentic
  - Call for a “Code 10” authorization if something doesn’t feel right

Best Practices: Merchants [21]

• Card not Present
  - Use address verification systems to check the account holder’s billing address
  - Implement SecureCode and Verified by Visa services
  - Include card verification values/codes in authorization messages (but do not store them in your database)

Best Practices: Merchants [21]

• Card not Present (Continued)
  - Require complete customer contact and payment information before completing an order
  - Process transactions in real-time
    - Keep the customer on the website until the payment card is authorized and the sale is completed
  - Monitor international transactions

Best Practices: Merchants [21]

• Card not Present (Continued)
  - Employ rules-based systems to screen and detect suspicious order activity
  - Maintain negative databases of fraudulent orders & offenders, and positive databases of trusted returning customers
  - Adopt MasterCard’s Best Practices for eCommerce websites
  - Have a Site Data Protection audit done on your eCommerce website
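
One way a merchant could combine the card-not-present practices listed above into a rules-based screen, as an added example that is not part of the original presentation. The rule weights, score cut-offs, field names, result codes and sample orders are assumptions constructed for illustration.

```python
"""Rules-based screen for card-not-present orders (illustrative, constructed data)."""
from dataclasses import dataclass, replace

# Constructed sample lists; a merchant would build these from its own order history.
NEGATIVE_EMAILS = {"drop@fraud.example"}   # fraudulent orders & offenders
POSITIVE_CUSTOMERS = {"cust-1001"}         # trusted returning customers

REVIEW_AT, DECLINE_AT = 40, 80             # assumed score cut-offs


@dataclass(frozen=True)
class Order:
    customer_id: str
    email: str
    phone: str
    billing_country: str
    ship_country: str
    amount: float
    pan: str          # card number as entered by the customer
    cvc: str          # card verification code, used only for the authorization
    avs_result: str   # assumed values: "match", "partial", "mismatch"
    cvc_result: str   # assumed values: "match", "mismatch", "missing"


def screen(order, home_country="US"):
    """Return (decision, score, reasons); decision is accept, review or decline."""
    if order.email.lower() in NEGATIVE_EMAILS:
        return "decline", DECLINE_AT, ["negative database match"]

    hits = []
    if not (order.email and order.phone):
        hits.append((30, "incomplete customer contact information"))
    if order.avs_result == "mismatch":
        hits.append((40, "billing address failed address verification"))
    elif order.avs_result == "partial":
        hits.append((15, "billing address only partially verified"))
    if order.cvc_result != "match":
        hits.append((40, "card verification code " + order.cvc_result))
    if home_country not in (order.billing_country,) or order.ship_country != home_country:
        hits.append((20, "international transaction"))

    score = sum(points for points, _ in hits)
    if order.customer_id in POSITIVE_CUSTOMERS:
        score = max(0, score - 20)         # positive database lowers, never removes, risk
    if score >= DECLINE_AT:
        decision = "decline"
    elif score >= REVIEW_AT:
        decision = "review"
    else:
        decision = "accept"
    return decision, score, [reason for _, reason in hits]


def storage_record(order, decision):
    """Fields written to the order database: the verification code is never
    stored, and the card number is kept only as its last four digits
    (an assumption mirroring the receipt rule described in the deck)."""
    return {
        "customer_id": order.customer_id,
        "amount": order.amount,
        "card_last4": order.pan[-4:],
        "avs_result": order.avs_result,
        "cvc_result": order.cvc_result,
        "decision": decision,
    }


# Constructed sample orders (the card number is a published test number).
TRUSTED = Order("cust-1001", "ann@example.test", "555-0100", "US", "US",
                120.0, "5555555555554444", "123", "match", "match")
NEW_AVS_FAIL = replace(TRUSTED, customer_id="cust-2002", avs_result="mismatch")
NEW_BOTH_FAIL = replace(NEW_AVS_FAIL, cvc_result="mismatch")
KNOWN_BAD = replace(TRUSTED, customer_id="cust-3003", email="Drop@Fraud.example")
TRUSTED_ABROAD = replace(TRUSTED, ship_country="CA", avs_result="mismatch")

if __name__ == "__main__":
    for o in (TRUSTED, NEW_AVS_FAIL, NEW_BOTH_FAIL, KNOWN_BAD, TRUSTED_ABROAD):
        decision, score, reasons = screen(o)
        print(o.customer_id, decision, score, reasons)
        print("  stored:", storage_record(o, decision))
```
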

Best Practices: Acquirers & Merchant Processors

• Merchant Acquirers & Processors
  - Provide security features like Address and Card Verification services to merchants
  - Monitor merchant deposit velocity for unexpected increases in deposits
  - Check & report merchant’s termination history

Best Practices: Issuers & Card Processors

• Card Issuers & Processors
  - Monitor cardholder purchase and cash velocity for drastic changes
  - Use behavioral models/neural network software to detect fundamental changes in cardholders’ behaviors
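
A minimal velocity monitor covering both the merchant deposit velocity check recommended for acquirers and the cardholder purchase velocity check recommended for issuers, as an added example that is not part of the original presentation. The window length, ratio, floor, account names and sample events are assumptions constructed for illustration; it is a simple baseline comparison, not a behavioral or neural network model.

```python
"""Daily velocity monitoring against each account's own trailing baseline."""
from collections import defaultdict
from statistics import mean


def daily_totals(events):
    """Sum amounts per account per day. events: iterable of (account, day, amount)."""
    totals = defaultdict(lambda: defaultdict(float))
    for account, day, amount in events:
        totals[account][day] += amount
    return totals


def velocity_alerts(events, window=7, min_history=5, ratio=3.0, floor=200.0):
    """Flag days whose total exceeds `ratio` times the mean of the preceding
    `window` days. Returns (account, day, day_total, baseline) tuples."""
    alerts = []
    for account, per_day in sorted(daily_totals(events).items()):
        first, last = min(per_day), max(per_day)
        flagged = set()
        for day in range(first, last + 1):
            today = per_day.get(day, 0.0)
            # Days with no activity count as 0; days already flagged are left
            # out so one spike does not inflate the baseline for later days.
            history = [per_day.get(d, 0.0)
                       for d in range(max(first, day - window), day)
                       if d not in flagged]
            if len(history) < min_history:
                continue  # cold start: not enough history to judge this day
            baseline = mean(history)
            # `floor` suppresses alerts on small amounts; a dormant account
            # (baseline 0) that suddenly exceeds the floor is still flagged.
            if today >= floor and today > ratio * baseline:
                flagged.add(day)
                alerts.append((account, day, round(today, 2), round(baseline, 2)))
    return alerts


# Constructed sample events: (account, day index, amount).
SAMPLE_EVENTS = (
    [("card-A", d, a) for d, a in enumerate([40, 55, 30, 60, 45, 50, 35])]
    + [("card-A", 7, 450), ("card-A", 7, 450)]           # sudden spend on day 7
    + [("merch-B", d, a) for d, a in
       enumerate([1000, 1050, 980, 1020, 990, 1010, 1000, 1100])]  # steady deposits
    + [("card-C", 5, 20), ("card-C", 6, 25), ("card-C", 7, 800)]   # new account
)

if __name__ == "__main__":
    for alert in velocity_alerts(SAMPLE_EVENTS):
        print("ALERT", alert)
    # With a shorter history requirement the new account is flagged as well.
    for alert in velocity_alerts(SAMPLE_EVENTS, min_history=2):
        print("ALERT (min_history=2)", alert)
```

The default `min_history` leaves the new account `card-C` unflagged, which shows the cold-start gap that a velocity rule alone does not cover.
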

Best Practices: Payment Companies

• Payment Companies
  - Create, refresh & enforce standards
  - Monitor to detect shifts in types and volumes of fraudulent activity
  - Conduct research to innovate new fraud detection and prevention mechanisms

Questions & Answers

References

1. Fisher, Bill. Pers. Comm. VP Processing Strategy, MasterCard International. Interviewed by telephone by Mike Cornish, October 26, 2004.
2. “MasterCard Corporate Fact Sheet,” www.mastercardinternational.com/docs/corporate_fact_sheet_0804.pdf, viewed October 18, 2004.
3. “Global Technology and Operations,” Fact Sheet. www.mastercardinternational.com/newsroom/gto.html, viewed October 18, 2004.
4. “Total Cost of Ownership Analysis.” Internal document: Powerpoint Presentation. Technology & Architecture Services, MasterCard International, February 26, 2003, page 4.
5. “Application Portfolio: Security & Risk Applications.” Internal document: Word document. MasterCard International, March 27, 2003.
6. “2003 GTO & Division Level Financial Data.” Internal document: Excel Sheet. GTO Division, MasterCard International, January 3, 2003.
7. MasterCard International SEC Form 10K – March 4, 2004, www.sec.gov/Archives/edgar/data/1141391/000095012304002820/y94488e10vk.htm, pages 6, 22-24, viewed October 19, 2004.
8. MasterCard International SEC Form 8K – February 3, 2004, www.sec.gov/Archives/edgar/data/1141391/000095012304001154/y93767e8vk.txt, viewed October 18, 2004, page 3.
9. Bhatla, TP, Prabhu, V, and Dua, A. “Understanding Credit Card Frauds”. Card Business Review #2003-01, June 2003, pp 1-15.
10. “Taking a Bite out of Credit Card Fraud,” Celent Communications, www.celent.com/PressReleases/20030121/CreditCardFraud.htm, viewed October 28, 2004.
11. “Identity Theft: Protecting the Customer – Protecting the Institution,” Celent Communications, www.celent.com/PressReleases/20020731(2)/IDTheft.htm, viewed October 28, 2004.
12. “Online Payment Fraud: The Grinch who stole Christmas?” Celent Communications, www.celent.com/PressReleases/20001218/OnlineFraud.htm, viewed October 28, 2004.
13. Valentine, Lisa. “The Fraudsters’ Playground.” American Bankers Association. ABA Banking Journal, 95(8), Aug. 2003, p. 39.
14. “Security & Risk Mission & Overview.” Document, MasterCard International, February 24, 2003.
15. “MasterCard SecureCode for Online Merchants.” Online security document for merchants. http://www.mastercardmerchant.com/docs/securecode/Merchant_Brochure.pdf, viewed October 20, 2004.
16. Bennett, RA. “I didn’t do it.” USBanker 111(12), December 2001, p. 48.
17. “Online fraudsters take $1.6B out of 2003 eCommerce.” CyberSource, www.retailindustry.about.com/cs/lp_internet/a/bl_cs111803.htm, viewed October 20, 2004.
18. US Credit Card Fraud Statistics 2000-2007. Celent Communications, www.epaynews.com/statistics/fraud.html, viewed October 18, 2004.
19. Merchant Risk Council Press Release, www.merchantriskcouncil.org/press.php?p_press_id+13, February 3, 2003, viewed October 21, 2004.
20. “New Leahy Bill Targets INTERNET “PHISHING” That Steals $2 b./yr. from Consumers.” July 2004. www.leahy.senate.gov/press/200404/070904c.html.
21. Micci-Barreca, D. “Unawed by Fraud.” Security Management 47(9), p. 75.
22. “MasterCard SecureCode Case Study: eTronics.” 2003. http://www.mastercardmerchant.com/docs/SC_Case_Study-eTronics.pdf, viewed October 21, 2004.
23. MasterCard RiskFinder. “Solutions.” http://www.fairisaac.com/cgi-bin/MsmGo.exe?grab_id=13&page_id=655872&query=RiskFinder&hiword=RiskFinder+, viewed October 21, 2004.
24. Saunders, Kurt M., and Zucker, Bruce, “Counteracting Identity Fraud in the Information Age: The Identity Theft and Assumption of Deterrence Act” International Review of Law, Computers & Technology, August 1999, 183–192.
25. Groves, Shanna, “Protecting Your Identity” Information Management Journal, May/June 2002, 27-31.
26. Myron, David, “Stolen Names, Big Numbers” American Demographics, September 2004, 36-38.
27. Bielski, Lauren, “Identity Theft” ABA Banking Journal, January 2001, 27-30.
28. Diller-Haas, Amy, “Identity Theft: It Can Happen to You” The CPA Journal, April 2004, 42-44.
29. Riordan, Diane A., and Riordan, Michael P., “Who Has Your Numbers?” Strategic Finance, April 2003, 22-26.
30. O’Sullivan, Orla, “Gone ‘Phishing’” ABA Banking Journal, November 2003, 7-8.
31. Bauerle, James F., “Pattern Recognition Software and Dramas of Deception: New Challenges in Electronic Financial Services” The RMA Journal, October 2004, 2-5.
32. Bielski, Lauren, “Striving to Create a Safe Haven Online” ABA Banking Journal, May 2003, 53-59.
33. Krebs, Brian, “28 Identity Theft Suspects Arrested in Transatlantic Sting,” The Washington Post, October 29, 2004.
34. Bauerle, James F., “Golden Eye Redux” The Banking Law Journal, March 2003, 1-15.
35. Heller, Jason, “New Senate Privacy Bill Addresses Personally Identifiable Information” Intellectual Property & Technology Law Journal, September 2001, 31-32.
36. http://frwebgate.access.gpo.gov/cgi-bin/useftp.cgi?IPaddress=162.140.64.21&filename=h2622eas.pdf&directory=/diskb/wais/data/108_cong_bills, viewed October 25, 2004.
37. Phillips, John T., “Privacy vs. Cybersecurity” Information Management Journal, May/June 2002, 46-50.
38. https://www.merchantconnect.com/CWRWeb/glossary.do?glossaryLetter=i, viewed October 30, 2004.
39. http://www.nameprotect.com/html/services/id_theft/credit_card.html, viewed October 30, 2004.
40. “How can I protect my customers from identity theft?” Colorado Attorney General: ID Theft Prevention & Information, www.ago.state.co.us/idtheft/clients.htm, viewed November 3, 2003.
41. “Network Security Policy: Best Practices White Paper,” Cisco Systems, www.cisco.com/warp/public/126/secpol.html, Page 2, viewed November 2, 2004.
42. CERT® Security Improvement Modules, CERT® Coordination Center, www.cert.org/security-improvement, viewed November 2, 2004.
43. “Webserver Security Best Practices”, PC Magazine, www.pcmag.com/article2/0,4149,11525,00.asp, viewed November 2, 2004.
44. “Tips for Preventing Credit Card Fraud,” MasterCard International, www.mastercardinternational.com/newsroom/security_risk.html, viewed October 22, 2004.
45. “Best Practices for Preventing Online Identity Theft”, Public Safety and Emergency Preparedness Canada, www.ocipep-bpiepc.gc.ca/opsprods/info_notes/IN04-002_e.asp, viewed November 2, 2004.
46. “Preventing Fraud: Fighting Fraud is a Shared Responsibility,” MasterCard International, www.mastercardmerchant.com/preventing_fraud, viewed October 28, 2004.
