IBM, Visa tackle IoT security
IBM Corp. and Visa Inc. introduced a cross-platform solution Feb. 16, 2017, designed to improve security on the Internet of Things (IoT) by aligning the global brands' patented technologies and capabilities. By integrating IBM's Watson IoT Platform and Visa's Token Service, the companies will enhance security in payment-enabled devices, including wearables, appliances and cars, the companies stated.
"The Internet of Things is not only driving a more connected world, it's changing the way we live, shop and pay, by moving data and the point of sale to wherever the consumer wants it to be," said Jim McCarthy, Visa's Executive Vice President, Innovation and Strategic Partnerships. "With the power of Watson's cognitive technologies and IBM's leadership in IoT and security, they are the ideal partner to help us deliver secure payments to 'virtually anywhere' and on the enormous scale of the IoT."
IoT's broad attack surface
Senior privacy and data governance advocate Marc-Roger Gagné, Principal at Ottawa, Canada-based Gagne Legal Services and board member of the Privacy and Access Council of Canada, stated the IoT represents a broader attack surface for cybercriminals, providing opportunities to exploit operating system weaknesses, infect connected devices with malware and spoof legitimate apps to steal login credentials.
"For security professionals, the difference between defending a corporate data structure from attack and defending that same structure once it's connected to the IoT is vast," he said. "Compare it to defending a bank and defending a country."
Indeed, Wired journalist Andy Greenberg reported Russian security firm Kaspersky found serious, distinct flaws in nine Android-connected car apps. In "Android Phone Hacks Could Unlock Millions of Cars," published Feb. 16, 2017, Greenberg also cited independent security professional Samy Kamkar, who planted sniffing devices in cars to hack their apps. These included the General Motors Corp. Onstar, Fiat Chrysler UConnect and Mercedes-Benz mbrace. Once inside the app, Kamkar could locate and unlock the cars, and sometimes start ignitions, Greenberg stated.
"Encrypting or hashing the credentials stored on the device, adding two-factor authentication or fingerprint authentication, or creating integrity checks that the apps would perform to see if they've been altered to include malicious code would all go a long way toward mediating the problem," Greenberg wrote.
Multifactor security schemes
A December 2016 report published by the Financial Services Information Sharing and Analysis Center, Retail Cyber Intelligence Sharing Center and United States Secret Service urged the retail community to mitigate cyberattack risks by adopting the following multifactor authentication methods:
- End-to-end encryption: Encrypting the card account number and other data before it is temporarily stored in the payment terminal protects cardholder data in transit; only the merchant acquirer or processor will be able to decrypt the sensitive data, rendering the data useless to criminals.
- Stronger encryption: The National Institute of Standards and Technology recognizes TLS 1.2 as strong encryption. NIST is in the process of replacing Secure Hash Algorithm 1 (SHA-1) with SHA-256 for stronger payment processing.
- Tokenization of card account numbers: Merchants who need to store transaction information can replace account numbers with tokens that are of no value to anyone outside the merchant's protected data environment.
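One way to implement the tokenization control listed above, as an added Python example that is not code from the report or from Visa's Token Service. The token layout (12 CSPRNG digits plus the card's last four, chosen so the token fails the Luhn check) and the well-known test card number are assumptions made for this illustration.

```python
"""Added illustration of the tokenization control listed above; not code from
the report or from Visa's Token Service.  The token layout (12 random digits
plus the card's last four, chosen so the token fails the Luhn check) is an
assumption made for this example."""
import secrets


def luhn_valid(number: str) -> bool:
    """Luhn checksum used by payment card numbers; True if it passes."""
    if not number.isdigit() or len(number) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Token <-> PAN mapping that lives only inside the protected environment.

    Tokens come from a CSPRNG and are NOT derived from the PAN, so a copy of
    the merchant's token table says nothing about the underlying cards.
    Hashing the PAN would not achieve this: once the issuer BIN is known the
    remaining digits are few enough to brute-force against the hash.
    """

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, minting a fresh one on first use."""
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        if pan in self._pan_to_token:       # same card -> same token, so the
            return self._pan_to_token[pan]  # merchant can recognise repeat use
        while True:
            random_part = "".join(secrets.choice("0123456789") for _ in range(12))
            token = random_part + pan[-4:]  # last four kept for receipts
            # Reject collisions and anything that could pass as a real PAN.
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Resolve a token; only the acquirer/processor side should call this."""
        if token not in self._token_to_pan:
            raise KeyError("unknown token")
        return self._token_to_pan[token]


def masked(token: str) -> str:
    """What a merchant system may display: only the last four digits."""
    return "*" * (len(token) - 4) + token[-4:]


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111111111111111"   # constructed, well-known test number
    tok = vault.tokenize(test_pan)
    print("stored by merchant :", tok, "->", masked(tok))
    print("resolved in vault  :", vault.detokenize(tok))
```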
Multibrand, multifactor solution
Visa and IBM representatives stated the companies will leverage Visa's Token Service, which replaces sensitive account information found on payment cards with unique digital identifiers to process payments without exposing actual account details. The Visa Token Service, part of the Visa Ready partnership program, is used by third-party Visa-certified token service providers.
The companies additionally plan to roll out Visa payment services in the IBM Cloud, making Visa Tokens available to IBM's Watson IoT Platform customers, enabling merchants and consumers to connect to billions of devices, sensors and systems worldwide. The partners are confident the co-branded solution, combined with their immense global footprints, will help the solution rapidly scale.
Consumer technology experts have seen steady growth in connected cars and expect the trend to continue. The Watson IoT platform is designed to enhance connected cars by securing information in the cloud and alerting consumers when vehicles need updates and renewals. "With this information, the driver can order parts with the push of a button or schedule a service appointment at their preferred local garage," IBM representatives stated. "The driver could even pay for gas through a direct interaction between the car and the gas pump."
Payfacs receive boost from ETA
Thursday, February 23, 2017
Once a neglected payments stepchild, payment facilitators (payfacs) have been embraced by the industry's mainstream in recent years. In a nod to the growing significance of payfacs, the Electronic Transactions Association launched the Payments Facilitator Committee on Feb. 23, 2017.
The Washington, D.C.-based ETA, a prominent trade association for the payment technology sector worldwide, stated the committee "will identify current and emerging technology, business, policy and compliance-related issues that shape the continuing growth of this market."
ETA member companies will comprise the committee, which will be chaired by Mike McGirr, Senior Vice President of Compliance and Risk for Adyen, a multichannel payment company. RunSignUp LLC Chief Finance and Operations Officer Kevin M. Harris will serve as the committee's second in command. RunSignUp provides technology to facilitate events for runners and race directors.
"It is an honor to be selected as the first chairperson of ETA's Payments Facilitator Committee," McGirr said. "This is an unmatched opportunity to encourage relevant discussions with key segments of the payment industry and offer strategic insight into payments facilitators' impact."
As the established, valued experts on payment facilitators within the ETA, the committee will serve as a resource to enable deeper discussion of emerging industry challenges and assessment of opportunities. The committee will also consider public policy matters that may affect this constituency, the ETA noted in a statement about the committee's formation.
"As the sales channel evolves and technology facilitates innovation, the payment facilitator model is emerging as a significant part of the payments ecosystem," said ETA CEO Jason Oxman. "I'm delighted that this committee will create proactive discussions on pressing issues impacting the industry and the accompanying opportunities for expansion of the payment facilitator market."
The committee will hold its first in-person meeting at Transact, ETA's signature event, coming up May 10 to 12, 2017, at the Mandalay Bay Resort and Casino's conference center. For further information about this new committee, as well as the invitation-only Payments Facilitator Day also taking place at Transact and featuring Carl Perry, General Manager at Square Inc., contact Amy Zirkle, ETA Vice President of Industry Affairs at firstname.lastname@example.org.
OCC enters uncharted fintech waters
Wednesday, February 22, 2017
Industry observers agree the Office of the Comptroller of the Currency's proposal to consider granting fintech bank charters has broad implications for the banking industry. However, experts disagree on what those implications are. The proposal was set forth in the OCC's Dec. 2, 2016, white paper, Exploring Special Purpose National Bank Charters for Fintech Companies.
Critics say the granting of fintech bank charters could hurt startups and consumers alike. Advocates say it would promote innovation and financial inclusion. A number of financial analysts believe supporters and detractors are separated by political fault lines, with Democrats and state governments among the most vocal opponents.
In a letter to U.S. Comptroller Thomas J. Curry, U.S. Sens. Sherrod Brown, D-Ohio, and Jeff Merkley, D-Ore., who serve on the Banking, Housing, and Urban Affairs Committee, suggested the OCC's proposal could harm consumers, stifle innovation and threaten financial stability. They shared concerns about the paper's language and "loosely defined" criteria.
"While we share your goal of ensuring that affordable banking products are more accessible, we are concerned with the OCC's proposal to expand its powers by chartering non-bank institutions," they wrote. "Offering a new charter to non-bank companies seems at odds with the goals of financial stability, financial inclusion, consumer protection, and separation of banking and commerce that the OCC has upheld under your tenure."
The senators noted language in the OCC's proposal goes beyond the scope of accommodating fintech firms by including marketplace lenders, financial planners and wealth management firms as potential recipients of alternative nonbank charters. They added this runs contrary to the OCC's narrowly defined authority "to charter only three specific types of special-purpose national banks" that do not accept deposits: bankers' banks, credit card banks and trust banks.
New York State Financial Services Superintendent Maria T. Vullo stated the OCC's proposal would bypass state consumer protection laws and create "regulatory arbitrage." New York's Department of Financial Services is better equipped to regulate "cash-intensive nonbank financial service companies" by providing strict oversight and enforcing anti-money laundering, consumer identification and transaction monitoring, she stated.
Vullo's opinions are reflected in a Jan. 13, 2017, comment letter to Comptroller Curry from the Conference of State Bank Supervisors, representing 50 U.S. states, the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands. The CSBS feels the OCC would be overstepping its authority by issuing a new type of charter that would distort the financial services marketplace and create uncertainty and risks pertaining to government resources, while limiting the states' ability to protect consumers.
Access to capital emphasized
Advocates see the granting of fintech charters as both welcome and inevitable. Scott Talbott, Senior Vice President of Government Affairs at the Electronic Transactions Association, said fintech has made financial services accessible through mobile and online apps and a range of free and low-cost digital services. In a Jan. 17, 2017, letter to Comptroller Curry, Talbott wrote, "It's clear that online small business lending is reaching a broad market, and that providing quicker access to capital allows small businesses to invest in their employees, purchase more inventory, expand their services, and ultimately grow their businesses."
NYPAY, a professional networking group, hosted a panel discussion Feb. 21, 2017, to further explore the issue. David True, payments industry consultant and NYPAY President, said the discussion was intended to expand on the OCC's proposal, which continues to evolve in response to the new administration and proposed changes to the regulatory environment.
The panel, moderated by Tom Scanlon, Counsel at Davis, Wright, Tremaine and former Senior Counsel for the U.S. Department of the Treasury, included the following panelists:
- Andrew Lorentz, Partner at Davis, Wright, Tremaine
- Kathy Tomasofsky, Director at Money Services Business Administration
- Stuart Sopp, Chief Executive Officer of Current, a fintech startup
Thorough vetting needed
Panelists noted the OCC was established in 1863 as part of the national banking system under the National Currency Act. It brought cohesiveness to what had been a fragmented approach to banking and ultimately helped the Union finance the Civil War. Taking steps to steady the financial system through good times and bad and weathering the challenges each era has brought, the OCC launched a framework for responsible innovation in 2016.
While praising the OCC for staying attuned to the evolving payments landscape, panelists noted its white paper recommended bringing fintech under uniform supervision, without providing an overarching definition for fintech. The white paper stated firms applying for a special charter would need to meet one of three qualifying criteria: a firm would have to receive deposits, pay by check or debit cards, or lend money.
"Under the current administration, there is a lot of open agenda to address fintech issues but little specificity," Tomasofsky said. "There's a lot of movement on the House side, with 500 pending appointments. The House and Senate will be approving and consolidating bills and rolling back regulations in conjunction with the Congressional Review Act and Financial Choice Act."
While the OCC is considering banking charters for fintechs, the panelists noted there are numerous open questions, a changing regulatory environment and uncertainties about the incoming Comptroller. They agreed the OCC's fintech application process may not be the best vehicle for a startup that wants to get to market quickly. As they speculated about which company would have the distinction of being the first fintech to win a banking charter, they suggested that applicants have sufficient capital to sustain a lengthy vetting process.
Advocates, detractors at odds over CFPB
Friday, February 17, 2017
A Feb. 16, 2017, ruling by the U.S. Court of Appeals for the District of Columbia Circuit granted the Consumer Financial Protection Bureau the right to appeal an earlier decision by the court against the government agency. The court had ruled the bureau's very existence was in violation of the U.S. Constitution. Established July 21, 2011, as part of the 2010 Dodd-Frank Act, the CFPB has broad authority to enforce financial laws. Its authority, autonomy and potential for legislative overreach have been a matter of concern on Capitol Hill.
In April 2016, PHH Corp. and concerned parties challenged the CFPB's constitutionality. The petitioners, a diverse group of mortgage lenders, financial institutions and trade associations, alleged the CFPB and select government entities such as the Federal Communications Commission "collectively constitute a headless fourth branch of government."
This "fourth branch of government," with massive power and operating without presidential supervision, poses a "significant threat to individual liberty and to the constitutional system of separation of powers and checks and balances," plaintiffs stated. They cited a $109 million order by the CFPB against PHH Corp. as an example of legislative overreach.
"In seeking to vacate the order, PHH argues that the CFPB's status as an independent agency headed by a single Director violates Article II of the Constitution," plaintiffs stated. The court ruled in their favor in October 2016, but agreed to reconsider the ruling on Feb. 16, following the CFPB's appeal.
Chorus of nays
The CFPB has received harsh criticism on Capitol Hill, most recently from Sen. Ted Cruz, R-Texas, and Rep. John Ratcliffe, R-Texas, who introduced two bills Feb. 14, 2017, designed to eliminate the government agency.
Sen. Cruz calls for eliminating the CFPB in S.370; Rep. Ratcliffe's bill, H.R. 1031, recommends eliminating Title X of the Dodd-Frank Act, which formed the basis for establishing the independent bureau. The lawmakers claim the CFPB has created excessive bureaucracy, stunted economic growth and failed to protect consumers.
"The legislation that Rep. Ratcliffe and I are introducing today gives Congress the opportunity to free consumers and small businesses from the CFPB's regulatory blockades and financial activism, which stunt economic growth," Cruz stated. "While there's much more to do to scale back the harmful regulatory impositions of Dodd-Frank, this legislation takes a critical step in the right direction."
Rep. Ratcliffe added, "The CFPB's lack of accountability to the American people was quickly evidenced when – contrary to its name – it ended up hurting many of the very folks it was intended to help. While Sen. Cruz and I have been sounding the alarm on the CFPB's federal overreach for some time now, I'm optimistic at our renewed chances of advancing this effort with a willing partner in the White House."
Division, revision of power
Amid proposals for doing away with the CFPB, there are few recommendations for replacing it. S.370 calls for eliminating CFPB but does not offer alternative consumer protections. H.R.1031 was issued without any text other than its title: "To eliminate the Bureau of Consumer Financial Protection by repealing title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act, commonly known as the Consumer Financial Protection Act of 2010."
In the absence of recommendations, political analysts can only speculate about how consumer interests will be protected in a post-CFPB environment. Before the CFPB's inception, consumer protection was a collective effort of disparate government agencies with differing levels of authority.
"It's hard to imagine how repealing the CFPB would cut back on bureaucracy, when you consider how many agencies were formerly responsible for consumer protection," said a financial analyst familiar with the proceedings. "In fact, one of CFPB's biggest benefits is its resourcefulness in providing a one-stop-shop and faster remediation for a range of consumer credit and banking issues."
The analyst additionally noted that the CFPB is more than just a complaint bureau; the bureau provides practical and educational resources to consumers, as well as data, research and compliance guidelines to business owners.
If the CFPB were eliminated, a number of government agencies would continue to provide guidance on various consumer protection issues, as follows:
- Office of the Comptroller of the Currency protects financial institutions, federally chartered branches and foreign banks.
- Office of Thrift Supervision protects federal thrifts and thrift holding companies.
- National Credit Union Administration provides oversight to federal and state credit unions.
- Federal Reserve Board protects financial institutions and their nonbank subsidiaries, bank holding companies, state chartered member banks, edge and agreement corporations, and branches and agencies of foreign banking organizations operating in the United States and their parent banks; it is also responsible for Equal Credit Opportunity Act rulemaking and for electronic remittances, payment systems and checks.
- Federal Deposit Insurance Corp. protects state-chartered insured banks and insured branches of foreign banks.
- Federal Housing Finance Agency protects the mortgage industry through Federal Home Loan Banks, Fannie Mae and Freddie Mac.
- Department of Housing and Urban Development oversees real estate settlement procedures, FHA-insured mortgage loans and Fair Housing Act regulations.
- Department of Veterans Affairs protects veterans and oversees VA-guaranteed mortgage loans.
- Internal Revenue Service provides guidance, oversight and enforcement of tax filers and tax preparers.
- Federal Trade Commission provides oversight of nonbanks and debt collection services.
- Department of Defense oversees payday lending to active duty military and family members.
- Department of Justice enforces anti-fraud best practices and Fair Housing Act.
As proposed legislation makes its way through Congress, and the D.C. Circuit Court prepares to revisit the CFPB's constitutionality, consumer advocates point to the CFPB's accomplishments and remain cautiously optimistic about the agency's future.
"Will the agency that in a few short years has saved consumers $12 billion – and deterred a slew of rip-offs, scams and schemes that banks and financial predators avoided for fear of the CFPB – be able to continue to do its job?" said Robert Weissman, President of Public Citizen. "Or will the big banks get their way and have the agency neutered?"
Arby's under the microscope after breach
Friday, February 17, 2017
Atlanta-based Arby's Restaurant Group Inc. disclosed Feb. 9, 2017, that a data breach may have affected more than 355,000 consumer credit and debit cards. Payment Systems for Credit Unions, a trade association representing more than 800 credit unions, notified Arby's in January 2017 when its card-issuing member banks traced thousands of compromised cards to select corporate stores in the fast food chain. PSCU analysts believe the POS systems became infected with malware between Oct. 25, 2016, and Jan. 19, 2017.
Christopher Fuller, Senior Vice President of Communications at Arby's, stated that not all corporate restaurants had been affected and emphasized the situation has been fully contained.
Noting in a Feb. 9 statement that consumer credit and debit cards have become a tempting menu item for fraudsters, B. Dan Berger, President and Chief Executive Officer of the National Association of Federal Credit Unions, called for a national standard of protection.
"The continuing saga of retail data breaches has become a national nightmare," Berger stated. "Cybercriminals are on a binge to capture American consumers' valuable personal and financial data at every opportunity."
Berger said that data breaches climbed 40 percent in 2016, compared with the previous year, a record that is being surpassed in 2017. "In 2017, we have already hit 110 breaches, a 36 percent hike over the same time last year," he said. "[The Arby's] breach is another example of why Congress must act to implement national data security standards for retailers now."
Berger additionally cited statistics from the Identity Theft Resource Center that found retailers were targeted in 45.2 percent of the 494 data breach incidents reported in 2016. He vowed to push for legislation designed to protect retailers while holding them responsible for breaches.
Berger said the NAFCU is seeking to pass legislation to protect credit unions that comply with the Gramm-Leach-Bliley Act. The federal law, passed in 1999, provides guidance to businesses and financial institutions on methods for managing and storing personally identifiable information (PII). The law requires companies to clearly, conspicuously and accurately disclose information-sharing practices and allow customers to opt out of sharing their information with third parties.
Alex Vaystikh, a cybersecurity veteran with expertise in applied research and product development, is Chief Technology Officer at SecBI, an Israeli cybersecurity company. Vaystikh sees similarities between the Arby's breach and the highly publicized Target Stores Inc. intrusion reported in 2013, because in both cases, malware operated within the merchant's network, collecting data and “exfiltrating” it over several months. "The malware spread from device to device, controlled remotely by an opportunistic hacker," he stated.
Vaystikh suggested the long span of the Arby's attack may indicate two distinct possibilities: Arby's may be operating without sensors (for example, network gateways that log the network behavior of their device populations), or the company lacks the analytics tools that can process the huge amounts of data generated by the gateways.
"To date, the leading cause of breaches has been a lack of analytics to empower the security analysts," he said. "This is what happened to Target, as the company attested in its post-breach public brief to the Senate. It's probably what happened to Arby's in this case too."
Arby's is working closely with the FBI and the cybersecurity firm Mandiant on the continuing post-mortem investigation and has taken measures to "eradicate the malware from systems at restaurants that were impacted," according to company representatives.
The company created a new website, arbys.com/security, where it will post updates on remedial activities. A statement on the website reminds guests to monitor their payment card accounts for suspicious activity. "If guests discover any unauthorized charges, they should report them immediately to the bank that issued their card," Arby's stated.