The Green Sheet, Inc


Monday, August 20, 2018

Over 2,300 breaches exposed 2.6 billion records in first half of 2018

More than 2,300 data breaches were publicly disclosed during the first six months of this year, exposing roughly 2.6 billion consumer records, according to a new report from Risk Based Security Inc. More than four in 10 of the reported breaches, or 1,000, occurred at U.S. businesses, the Richmond, Va., firm reported.

The company said its research suggests breach activity fell from 2017 levels during the first three months of the year but began rising during the second quarter and is on track to exceed the 3,000 breaches reported in 2017.

Fraud remains the number one source of compromised records, representing 47.5 percent of all records compromised between Jan. 1 and June 30, Risk Based Security said. Hacking led the pack in terms of number of breaches, accounting for 54.6 percent of all reported breaches during those six months. Phishing for user names and passwords, then using the stolen credentials to access systems or services “stands out as a particularly popular attack method” employed by hackers so far this year, the firm added.

“At the mid-year point, 2018 closely mirrors 2016’s breach experience but still trails the high water mark set in 2017,” the firm wrote. Risk Based Security specializes in risk identification and management tools that it develops based on its own data breach and vulnerability intelligence gathering.

Incidents leveling off, compromised records rising

This year “is remarkable in that the number of publicly disclosed breaches appears to be leveling off while the number of records exposed remains stubbornly high,” said Inga Goddijn, executive vice president at the firm. “It’s not easy to characterize 2.6 billion records exposed as an improvement, even if it is less than the 6 billion exposed at this time last year,” she added.

Michael McGrath, director of global regulations and standards at OneSpan Inc., the digital security firm formerly known as Vasco Security, agreed, stating, “2.6 billion records is a staggering number. Sadly Americans have become accustomed to breach notification letters arriving in the mail.”

Ryan Wilke, vice president of customer success at NuData Security, said the deluge of exposed records has been driving merchants and their banks to step up their fraud detection and mitigation activities with new tools that can work in real time.

Stronger detection, mitigation

“These companies are increasingly taking steps to ensure that the massive amounts of stolen credentials cannot be used by fraudsters to log into an intended victim’s account, or otherwise be used for fraud,” Wilke said. “Fortunately, new multilayer approaches incorporating passive biometrics and behavioral analytics are enabling retailers, ecommerce entities and others to actually analyze user interactions and contextualize behavior in real time before fraud can occur.”

With these tools a customer’s identity can be verified using hundreds of indicators, including their unique online behavior, rather than through static information such as passwords and security questions, Wilke explained. “Such unique information defies fraudulent replication and helps stop fraud attempts in their tracks,” he said.

NuData specializes in online and mobile fraud solutions that leverage biometrics and machine learning tools to flag potential fraudulent transactions and interactions. The company was purchased last year by Mastercard, which said at the time of the acquisition that it was intended to strengthen the card company’s efforts around device-level security and authentication, and to support “near real-time collaboration” between card issuers, merchants and transaction processors.

Payments prominently featured in Inc. 5000
Friday, August 17, 2018

The latest ranking of fastest-growing privately held U.S. companies, compiled annually by Inc. Magazine, includes numerous payments industry firms, which reflects growth and diversity in financial services. Inc. editor James Ledbetter noted that American companies encourage and depend on continual growth, which can present a unique set of challenges. For example, it is not easy to find good talent, Ledbetter pointed out. "A business that is doubling or tripling in size every few months usually needs new staff constantly--and that pace of hiring brings risk," he wrote.

CardFlight's founder and CEO, Derek Webster, attributed his company's 139th ranking in the 2018 Inc. 5000 to his staff's talent and dedication, stating, "Our motivated team of almost 40 professionals work hard to enable our partners to serve small businesses everywhere."

Andy Powell, co-founder and CEO at CallRail, said his entire team is "ecstatic to make a second appearance on the Inc. 500. The ranking is a testament to our customer-centric culture."

Payments honorees represented numerous business categories across several industry sectors. The partial listing set forth in this article reflects the payments industry's expanding role in retail, hospitality and software as electronic transactions become increasingly embedded into U.S. lives and livelihood.

Advertising, marketing, business services

Merchants increasingly rely on service providers to help them solve business problems beyond payment card processing. Advertising and marketing solutions are delivering smart metrics and analytics that deliver real-time insights into customer behavior and campaign effectiveness. Exponential growth in emerging technologies has also benefitted payments industry companies working with ancillary industry service providers.

Following is a sampling of companies that blend these offerings:

Financial services

Numerous payments industry technology companies and service providers were grouped in the financial services sector, including the following organizations:


Omnichannel and bring-your-own-device solutions are increasing demand for intelligent software solutions that are compatible with mobile, online and in-store commerce. These companies provide cloud-based subscription service offerings:

Qualifying criteria

Ledbetter noted the companies listed in 2018 collectively amassed $206.2 billion in revenue in 2017, a 158 percent increase from $79.8 billion in 2014. Companies must meet the following standards to qualify:

Ledbetter additionally noted that companies on the 2018 Inc. 5000 list have all grown by at least 50 percent over the last three years.

Neil Randel, CEO of FAPS (No. 4271), called his company's listing in the 2018 Inc. 5000 list "a wonderful affirmation of the advancements we've made in the payments space, particularly given the rapid disruption happening within our industry. It also reinforces the critical role of payment-related service providers, and how a well-deployed payment technology solution can help businesses of all sizes achieve positive cash flow and increased profitability."

This article does not purport to contain every company on this year's list that is associated with the payments realm. If your payments-related business was named to the 2018 Inc. 5000 list and is not mentioned here, send a press release to, and we'll post it under News From the Wire on our home page.


FBI warns of impending global ATM cash-out blitz
Wednesday, August 15, 2018

The FBI is warning banks, transaction processors, and operators of ATMs and ATM networks of an impending cyberheist involving ATMs. This is according to a confidential alert sent by the FBI to U.S. banks and obtained by Krebs on Security, which tracks cybersecurity breaches and trends.

The ATM cash-out scheme is imminent and will be global in reach, the FBI said, and it's not apt to be a one-off occurrence.

ATM cash-out schemes start with crooks hacking into bank or card processor systems to purloin account numbers and PINs, and to knock out fraud controls (such as ATM cash withdrawal limitations). Using the account information, they clone debit cards and enlist foot soldiers who work simultaneously, hitting ATMs and draining as much money as possible from accounts.

Virtually all such attacks to date have been launched on weekends. Recently, for example, news broke of a series of ATM cash-outs that resulted in several million dollars being siphoned from accounts at a small Virginia bank between May 2016 and January 2017. All of those heists occurred over holiday weekends, according to published reports.

The scheme the FBI is warning about now could result in crooks emptying millions of dollars from bank accounts worldwide in just a few hours, Krebs reported.

"The FBI has obtained unspecified reporting indicating cyber criminals are planning to conduct a global automated teller machine cash-out scheme in the coming days, likely associated with an unknown card-issuer breach," the alert stated. "Historic compromises have included small-to-medium-sized financial institutions, likely due to less robust implementation of cyber security controls, budgets, or third-party vendor vulnerabilities. … The FBI expects the ubiquity of this activity to continue or possibly increase in the near future."

Vigilance as 'table stakes'

The FBI urged banks to review and boost security measures, such as strong password requirements and two-factor authentication. Other offered advice included:

While the advice is sound, Jonathan Sander, CTO at STEALTHbits Technology, said it points to obvious failures on the part of many banks. "[W]hat the FBI is advising should be considered table stakes for any organization operating infrastructure as sensitive as ATMs," he said. "To imagine that security pros at a bank can't force IT to have strong password policies and two factor for administrative users is very shocking."

Sander urged banks and processors to do more. "Not only should these networks have their admins locked down with multi-factor [authentication] and strong passwords, they ought to be using specialized privilege access workstations or at least be using session controls," he said. He also recommended strict procedures for automated actions that require privilege, such as backups and patches, as well as real-time monitoring.

"The general idea is that the basics for these sorts of systems ought to be in the rear view," Sander added. "It's a bit surprising that the FBI must see enough shops without those basic controls that they feel they need to give that advice."

U.S. in cybercrime crosshairs, researchers say
Tuesday, August 14, 2018

Data protection methodologies and legislation have made little impact on international cybercrime, according to a new study published Aug. 8, 2018 by U.K.-based Juniper Research Ltd. The Future of Cybercrime & Security: Threat Analysis, Impact Assessment & Leading Vendors 2018-2023, predicts a plethora of attacks will continue to grow, defrauding organizations of more than 146 billion personal records worldwide over the next five years.

Researchers place the United States at the epicenter of criminal activity due to the country's disparate methodologies for storing and transmitting data. The resulting patchwork of vulnerabilities makes U.S. firms vulnerable to opportunistic criminals, researchers noted. Without additional protections in place, experts said, more than half of international data breaches are expected to originate in U.S. companies by 2023.

Ryan Wilk, vice president of delivery - customer success at NuData Security, a Mastercard company, said Juniper's projections make a strong case for implementing multilayered security across a range of industries and financial institutions. Advanced technologies such as passive biometrics and behavioral analytics protect individuals and organizations from credential theft, because consumers' unique behaviors cannot be duplicated by hackers, he added. "With these technologies, the massive amounts of stolen credentials cannot be used to log into someone else's account or otherwise used for fraud," Wilk stated. "The user's identity is established using hundreds of indicators derived in part from the user's unique online behaviors instead of static 'known knowns' such as passwords, challenge questions, and government identification numbers."

Protect critical infrastructure

Juniper researchers recommend that a multilayered approach to security combine recent data protection legislation, such as GDPR and PSD2, with strong technology mandates to reinforce cybersecurity across network endpoints, cloud security, identity and access management and the Internet of Things. These efforts are critical for small and midsize businesses, which account for 99 percent of all companies but contributed just 13 percent of cybersecurity spending in 2018, researchers noted.

One reason small business owners spend so little on cybersecurity is their tendency to use consumer-grade products that cost less than $500 per year to install and maintain. Researchers pointed out that these retail products are insufficient protections against newer forms of malware, which require a more holistic approach than simple endpoint and perimeter protections. Failure to implement advanced security strategies will leave numerous small businesses vulnerable to data breaches, which can cost millions of dollars and have devastating impacts on consumers and businesses alike, noted research author James Moar.

"Juniper's strategic analysis of 48 leading cybersecurity companies shows that AI and predictive analytics are now table stakes for this market," Moar said. "These technologies need to be made available to all businesses, regardless of size."

Wilk added that Juniper's findings should serve as a "terrifying reminder for every organization transacting online to substantially tighten and continually test their security and authentication strategies and ensure that payment data, sensitive records, and personally identifiable information are secure."

Treasury's regulatory easement may benefit fintechs
Friday, August 10, 2018

In response to Executive Order 13772, issued in February 2017, the U.S. Department of the Treasury has been easing restrictions pertaining to key financial services sectors. The department previously published guidelines for the bank and credit union, capital market, and asset management and insurance sectors. The fourth and final report of the series, published July 31, 2018, provides guidance for fintech firms.

U.S. Secretary of the Treasury Steven T. Mnuchin said Treasury staff members who crafted the reports met with numerous stakeholders in consumer financial data aggregation, lending, payments and credit servicing sectors, and he expects ensuing recommendations to drive rapid adoption of competitive technologies, data security and operational efficiencies. The goal is to simplify regulatory standards and create a financial system that supports all stakeholders, including nonbank finance and fintechs, he added.

"American innovation is a cornerstone of a healthy U.S. economy," Mnuchin stated. "Creating a regulatory environment that supports responsible innovation is crucial for economic growth and success, particularly in the financial sector."

Core principles, recommendations

Treasury reports, which include extensive glossaries of commonly used acronyms and abbreviations, are organized under the following core principles:

Critics remain skeptical

Critics appreciate U.S. government efforts to create a fintech-friendly environment but say more can be done. Forbes contributing writer Sarah Kocianski suggested proof of concept will be achieved when recommendations are implemented.

"There are many obstacles still to be overcome, such as federal and state regulators agreeing to the proposals in the first place, before you even get to a stage where they agree to work together and implement them," she wrote in "We're A Long Way Off from the U.S. Being a Utopia for Fintech," published Aug. 7, 2018. "There is also the fact that some of the recommendations, while being good for businesses, are not so great for consumers."

Kocianski cited the "Payday Rule" as an example, noting it requires lenders to determine a borrower's creditworthiness while failing to protect vulnerable consumers. This would likely "be damaging to both individuals and the economy in the longer run," she noted.

Forbes contributing writer Aaron Stanley expressed disappointment that cryptocurrency and blockchain technologies were only "mentioned in passing" in the Treasury report. "Money transmission licensing rules have been a perpetual thorn in the side of cryptocurrency companies operating in the U.S.," Stanley wrote in a July 31, 2018, article titled "What Does the U.S. Treasury Fintech Report Mean for Crypto?" Activities are regulated on a state-by-state basis, without a unified license passporting structure such as the model being used by the European Union, he added.

On the positive side, Stanley noted the report contains constructive approaches to streamlining regulations. "The core theme of the 222-page report is that more governmental support for innovators and entrepreneurs is required across the board, and that Treasury is keen to provide that push when necessary within the regulatory ranks," he wrote.

A full copy of the report is available at: .
