GS Logo
The Green Sheet, Inc

Please Login

Banner Ad
Skyscraper Ad

Friday, April 28, 2017

Chipotle doubles down on security

A data security breach at Denver-based Chipotle Mexican Grill recently roiled the quick service restaurant chain. Intruders reportedly gained access to the company's POS systems, capturing data from payment card transactions between March 24 and April 18, 2017. Chipotle has enhanced POS security and is working with its payment processor, law enforcement and forensic security experts in an ongoing investigation, company representatives stated.

"Because our investigation is continuing, complete findings are not available, and it is too early to provide further details on the investigation," read the company's April 25, 2017, statement. "We anticipate providing notification to any affected customers as we get further clarity about the specific timeframes and restaurant locations that may have been affected."

Representatives urged consumers to monitor payment card statements and report any unusual or suspicious charges to their card-issuing banks. "Payment card network rules generally state that cardholders are not responsible for such charges," the company further stated.

Industry-wide vulnerabilities

Sándor Bálint, Security Lead for Applied Data Science at Balabit, said the Chipotle breach is a reminder that credit card payments have a host of security issues. Credit card numbers, used as confidential identifiers, pass through many hands in the payment system, placing the burden of protecting consumers on merchants and payment service providers, who are challenged with dealing with this fundamental architectural flaw, he said.

Processing, storing and handling this data should be kept to an absolute minimum, he added. Organizations should treat cardholder data like nuclear waste, minimizing the number of people who "glow in the dark," Bálint said. This will reduce the scope of people and systems dealing with data (defined as the CDE, or cardholder data environment), and the costs of Payment Card Industry Data Security Standard (PCI DSS) compliance.

Bálint further recommended that organizations implement a blend of preventive, detective and corrective measures. "Even with the best intentions, and with robust controls in place, breaches may not be entirely preventable," he said. "That's why the PCI DSS has an entire chapter of requirements devoted to monitoring and testing."

When organizations detect anomalies, the time it takes to react and implement corrective measures is also critical, he noted. "If we can't prevent something but we react almost immediately when it happens, we can greatly reduce any damage that can be done," he said. "Therefore, shortening that interval between detection and response should be the goal ‒ the right tools for data collection and analysis can offer dramatic improvements and increased security."

Continued growth expected

Financial analysts do not expect Chipotle's stock price or level of consumer confidence to be affected by the security breach. Buoyed by the company's strong performance in the first quarter of 2017, as well as its appropriate responses to a tainted food incident in 2015 and the recent data security breach, investors and shareholders expect Chipotle to continue its upward mobility. The company's first-quarter net income rose from $26.4 million in 2016 to $46.1 million in 2017; the 17.8 percent increase reflects well on Chipotle's management, vision and execution, financial analysts stated.

Analysts at SunTrust Robinson Humphrey, a corporate investment bank, expect continued improvement in same-store sales due to mobile channel and digital order growth and positive reaction to a television advertising campaign launched April 10 that will run through July. "Chipotle's same-store sales accelerated in the first quarter, and we believe the drivers are in place to sustain the recovery," they stated.

CSBS takes OCC to court over nonbank charter plan
Thursday, April 27, 2017

T he controversy over the U.S. Office of the Comptroller of the Currency's proposal to create a new charter for nonbanks is drawing heat from bank regulators. On April 26, 2017, the Conference of State Bank Supervisors filed a complaint in the United States District Court for the District of Columbia against the OCC. The CSBS wants to stop the OCC from moving forward with what it believes is an unlawful attempt to create a national nonbank charter that will harm markets, innovation and consumers.

The CSBS is the national organization of bank regulators from all 50 states, American Samoa, District of Columbia, Guam, Puerto Rico and U.S. Virgin Islands. “The OCC’s action is an unprecedented, unlawful expansion of the chartering authority given to it by Congress for national banks," said John W. Ryan, CSBS President and Chief Executive Officer. "If Congress had intended it to be used for another purpose, it would have explicitly authorized the OCC to do so."

Agency overstepping

According to the CSBS, the complaint asserts that "by creating a national bank charter for nonbank companies, the OCC has gone far beyond the limited authority granted to it by Congress under the National Bank Act and other federal banking laws. Those laws authorize the OCC to only charter institutions that engage in the 'business of banking,' which under the National Bank Act requires an institution, at minimum, to receive deposits. Yet the OCC is attempting to create a new special purpose charter for nonbank companies that do not take deposits, without express statutory authorization. The OCC does not have the authority to create a special purpose charter for nonbanks without specific congressional approval."

Ryan further noted that if the OCC is allowed to proceed with the creation of a special purpose nonbank charter it will "set a dangerous precedent that any federal agency can act beyond the legal limits of its authority. We are confident that we will prevail on the merits. … The OCC’s proposed action ignores Congress, seeks to preempt state consumer protection laws, harms markets and innovation, and puts taxpayers at risk of inevitable fintech failures. This is a dangerous combination and one the court should decisively halt. To protect consumers and taxpayers, to promote innovation, and to ensure fair and open competition, CSBS was forced to take legal action against the OCC charter.”

CSBS on the job

Additionally, Ryan pointed out that state regulators already supervise a vibrant financial services marketplace that includes nonbanks and banks. State regulators supervise roughly three-quarters of all U.S. banks and a variety of non-depository financial services. CSBS, on behalf of state regulators, also operates the Nationwide Multistate Licensing System to license and register non-depository financial service providers in the mortgage, money services businesses, consumer finance and debt industries.

"Tens of thousands of mortgage, money transmission, debt collection and consumer finance companies – not to mention over 75 percent of this nation's banks ‒ already operate under the state system,” Ryan said. “That regulatory structure has produced a robust platform for innovation. Moving forward, state regulators will continue to streamline regulation and automate licensing across state lines, ensuring the system will work even better for state-licensed companies and consumers while protecting taxpayers.”

The CSBS complaint, with exhibits, is available at .

One hacker down, law enforcement ramps up
Tuesday, April 25, 2017

T he April 21, 2017, sentencing of a Russian hacker to 27 years in prison reflects an escalating global fight against cybercrime. The U.S. Secret Service Electronic Crimes Task Force initially investigated the case, receiving assistance from the CCIPS Cyber Crime Lab and the Office of International Affairs and U.S. Attorney's Office for the District of Guam. Combined efforts of government agencies and law enforcement led to the arrest and trial of 32-year-old Roman Valeryevich Seleznev, authorities stated.

Seleznev, operating under the alias Track2, had infected POS systems with malware to steal and resell credit card data on dark websites. When taken into custody in the Maldives in April 2014, he reportedly had more than 1.7 million stolen credit card accounts stored in his laptop, mostly from small merchants in the western area of Washington State. The breaches affected approximately 3,700 financial institutions and more than 500 small merchants, representing more than $169 million in combined losses, according to sources familiar with the investigation.

Crime has no borders

Judge Richard A. Jones, of the U.S. Western District of Washington State, convicted 32-year-old Seleznev on 38 counts, as follows:

Seleznev may face additional charges in other U.S. jurisdictions, including racketeering and possession of illegal access devices in the District of Nevada and bank and wire fraud charges in the Northern District of Georgia.

Seattle Chief of Police Kathleen O'Toole said, "Crime has no borders. This individual is responsible for defrauding victims out of millions of dollars in Seattle alone, and we are proud to work with our federal partners to bring him to justice."

Escalating fight

David Vergara, Head of Global Product Marketing at Vasco Data Security, said the Seleznev case reinforces the point that cybercrime comes in many shapes, sizes and channels, but is all designed to monetize stolen data, using malware as the primary transmission vehicle.

"The escalating threat of cybercrime is clearly galvanizing government agencies to increase collaboration and share talented resources," he said. "This is evident in the effort required to nab this Russian hacker that single-handedly caused $169 million in financial losses, and even drove some businesses under."

Vergara further noted that small businesses, with typically weak security, represent the path of least resistance to most hackers, who leverage disciplined coding skills, extensive networks and knowledge of their targets to maximize results.

For Seleznev, it was "a simple volume game, peeling millions of credit card numbers from point-of-sale systems at smaller restaurants, for example, with well-crafted malware," Vergara said. "Although this hacker generated tens of millions in personal gains through sophisticated POS attacks, increased focus and collaboration between government agencies ultimately won him 27 years behind bars."

Improved security, vigilance

Adam Atlas, Attorney at Law expressed a hope shared by numerous industry experts that "chip-and-PIN adoption, as well as better PCI compliance on the part of merchants, will result in this kind of criminal activity being less tempting for bad actors."

Atlas said victims of crimes should never be held responsible for crimes, but he emphasized the need for all payments industry stakeholders to understand and implement security guidelines, such as the Payment Card Industry Data Security Standard (PCI DSS).

"I think issuers also have a role to play in terms of connecting the dots between the IP addresses where cards are usually used and where they are suddenly used for criminal purposes," he added. "In short, all parts of the payment system are part of the solution to fight cybercrime."

Renewed interest in money order fraud
Monday, April 24, 2017

W hat’s old is new again, even in payments. A pair of indictments handed down this month by the Brooklyn District Attorney, in New York City, shows fraudsters are still attracted to check scams. The two indictments allege fraud involving money order transactions totaling close to a half million dollars over the course of several years.

The alleged fraudsters, nine in all, are accused of taking advantage of recent innovations, like mobile check deposit, and availability schedules that can, at times, provide customers with access to funds from deposits before deposited items are deemed fraudulent.

Face amounts altered

One indictment alleges that two Brooklyn residents undertook a rather traditional fraud. The two are accused of depositing forged and doctored money orders (issued by the U.S. Postal Service and Western Union) totaling over $375,000 at local branches of Bank of America, Citibank and TD Bank between 2013 and 2017. Some of the doctored money orders were also cashed at local check cashing establishments. The original face amounts were between $1 and $6, but were altered to reflect face values of $1,000, according to the indictment. “These defendants allegedly carried out an elaborate scheme to systematically steal hundreds of thousands of dollar,” Acting District Attorney Eric Gonzalez said in an April 20, 2017, statement about the indictments. “Financial crimes of this scale not only hurt our banks – they undermine the public’s trust in institutions we all rely upon for our livelihoods and our economy.”

Mobile deposits multiplied

The other indictment alleges seven Brooklyn residents took advantage of mobile deposit options to deposit the same forged postal money orders into multiple bank accounts, withdraw those funds as soon as possible, and then cash the paper items at local USPS locations. The scam is alleged to have involved more than 150 money order deposits and over $100,000 in losses.

The indictment, handed down on April 13, alleges the seven defendants enticed 47 people with accounts at TD Bank, Santander and Bancorp to relinquish control of those accounts (including debit cards and PINs) for a promised sum of money. Then they allegedly purchased postal money orders for amounts ranging from $700 to $12,000 to carry out the scam, which involved depositing the same items into multiple accounts using smartphones.

“Mobile check deposit schemes are one of many fraud schemes gaining popularity in recent yearsm” said U.S. Postal Inspector in Charge Philip R. Bartlett. “These schemes present a real challenge for financial institutions and law enforcement.” Bartlett’s office led the investigation that resulted in the seven being indicted.

Risks analyzed

A 2016 report by Guardian Analytics revealed that 72 percent of mobile banking fraud involves mobile deposits. The trend is particularly concerning given the growing availability of mobile deposit, as both the number of banks offering and number of consumers using mobile deposit have been charting double-digit growth rates, the report stated.

However, a study last year by found problems with and losses from so-called “duplicate deposits” are minimal and isolated. Only 25 percent of banks and credit unions surveyed by the remote deposit capture (RDC)-centric website reported losses from duplicate deposits. What’s more, better than half of those that did incur losses (51 percent) said the losses fell within their risk tolerance levels, so they made no changes to procedures as a result.

“Most FIs see RDC as a homerun,” said John Leekley, founder and Chief Executive Officer of “Better than 90 percent of those surveyed said the benefits of mobile RDC outweigh the costs and risks, while 52 percent indicated the benefits far outweigh the costs and risks.”

Experian study finds increased ecommerce fraud
Friday, April 21, 2017

A new study by Experian Information Solutions Inc. found a 33 percent increase in ecommerce fraud in 2016, compared with the previous year. The findings were consistent with Experian's forecasts and not surprising to security analysts.

Analyzing millions of ecommerce transactions, researchers concluded certain geographical regions were hot spots for cybercriminals. Miami, Houston, and South El Monte, Calif., earned the dubious distinction of being top-ranked cities for fraud. The states with the highest concentration of billing and shipping fraud were Delaware, Oregon and Florida, company representatives stated. They also attributed a record number of data breaches in 2016 to vulnerabilities in security infrastructures.

"There were 1,093 data breaches last year, a 40 percent increase from 2015, according to the Identity Theft Resource Center," Experian stated. "The recent Federal Trade Commission (FTC) 2016 Consumer Sentinel Network Data Book announced a jump in consumers who reported that their stolen data was used for credit card fraud, from 16 percent in 2015 to more than 32 percent in 2016. The record number of data breaches is a signal that future fraudulent activities will take place."

EMV pushes fraud online

Payment analysts anticipated the U.S. EMV (Europay, Mastercard and Visa) migration would push fraudsters to ecommerce, which was the case in other regions that previously achieved widespread EMV adoption. Experian found evidence that fraudsters who trafficked in counterfeit POS fraud have, indeed, shifted focus to digital channels. Experian expects more thieves to follow suit.

"Criminals rob banks because that's where the money is," said Monica Eaton-Cardone, Chief Operations Officer and co-founder at Chargebacks911. "It's the same thing for fraudsters, hackers and career criminals; they are all seeking the quickest possible path to someone else's money, and the widespread usage of EMV is driving them online."

Eaton-Cardone said ecommerce fraud skyrocketed by 80 to 100 percent in Australia, Canada and the United Kingdom during early-stage EMV adoption. "Predictably, the same trend lines are now taking root in the United States," she said. "What we've learned is criminals don't abandon their desire to commit crime, but they do modify their behavior. Online merchants and e-stores would be wise to modify their behavior, as well, because the threat of cyber fraud is rapidly rising."

Evolving threat landscape

Fraudsters' resourcefulness and creativity is reflected in the sophisticated ways in which packages are rerouted. They reportedly use re-shippers or shipping "mules," freight forwarders, and international ports and airports where fraudulent order can be picked up and quickly dispatched to final destinations. "From a shipping perspective, 10 states saw at least a 100 percent increase in fraudulent orders, having a significant impact on the overall population attack rate," Experian stated.

Eaton-Cardone added, "Every single link in the transactional chain has vulnerabilities that can be exploited. Merchants must relentlessly and methodically examine and strengthen each individual link in their transactional chain until it's no longer a tempting target for fraudsters and criminals to exploit.

Eaton-Cardone said payment acquirers can also play an important role because they have a vested interest in helping merchants avoid exposure to fraud. Without a magic bullet or one-size-fits-all solution, payments industry stakeholders must remain vigilant in this ongoing game of cat-and-mouse, and merchants should consider working with a third-party expert consultant when necessary, she noted.

"Fighting fraud requires a specialized knowledge of proactive tactics and preventive options," Eaton-Cardone said. "But the absolute worst thing you can do is ignore the problem because that incentivizes more attacks. Once the criminals smell blood in the water, you're in real trouble."

Current, future trends

Experian researchers warned that 2017 is perpetuating the same accelerating fraud trends, with a 56 percent increase in reported data breaches year-to-date, compared with the same period in 2016. "Our annual fraud attack rate data brings to light the increase of e-commerce attacks over the last year across the U.S.," the company's researchers stated. "This latest data is a strong indicator that other types of fraud have already occurred and can help businesses understand how to better protect themselves and their customers."

Eaton-Cardone said the U.S. chargeback issuance rate is 240 percent higher than in Japan or China, a disadvantage for American merchants. "Chargeback fraud, also called friendly fraud, costs online merchants over $40 billion annually, and the problem is growing by 20 percent each year," she said. "Friendly fraud is considerably different than criminal fraud; the same fraud filters that shield you from criminal fraud are largely ineffective at stopping chargebacks."

We're on the front lines in the war against chargeback fraud, she added, and clearly, the threat-level is rising. "If you sell a product or service online, you need to protect yourself," she stated. "This is no longer an option, but a business necessity."

View prior breaking news

Spotlight Innovators:

North American Bancard | Harbortouch | USAePay | IRISCRM.COM | Humboldt Merchant Services