
Friday, June 22, 2018

Vectra finds tunnels in encrypted web traffic

The 2018 Spotlight Report on Financial Services, published by Vectra Co. on June 20, describes how cybercriminals use hidden tunnels to access encrypted networks. Researchers believe this methodology may have been used in the 2017 Equifax data security breach, when hackers stole 145.6 million consumer records while remaining undetected for 78 days.

Chris Morales, head of security analytics at Vectra, observed that hackers mimic user behavior to blend into networks, which makes them difficult to expose. Once they are in a network, they burrow even further, escaping detection while setting up remotely accessible command and control centers to exfiltrate data.

"What stands out the most is the presence of hidden tunnels, which attackers use to evade strong access controls, firewalls and intrusion detection systems," he stated. "The same hidden tunnels enable attackers to sneak out of networks, undetected, with stolen data."

Chris Prevost, vice president, solutions at Prevoty Inc., has seen criminals use social engineering and remote command injection (RCI) to target protected networks. "Last year, we saw some very interesting RCI exploit payloads targeting web applications/web services that relied on old, vulnerable versions of the Struts 2 framework to execute unwanted commands on the victims' web servers," he stated. "Preventing attacks on web applications/web services often boils down to the basics ‒ make sure the code that you deploy is free from security bugs."

Prevost said it can be challenging to protect websites that use third-party, multilayered software. He recommends implementing code review and security testing using web application firewalls and runtime application self-protection technologies to improve protection and visibility. "A multilayered, defense-in-depth strategy targeting attacker reconnaissance, ingress, lateral movement and exfiltration is the best practice and really the only way to lower the risk of a serious breach," he said.

Implement post-breach protections

Robert Capps, vice president, business development at NuData Security, a Mastercard company, urges retailers and ecommerce companies to protect consumers from identity theft. "Bad actors continue to dig tunnels to access private data, but the real concern is, what are they doing with that data?" he said. "Account takeover is the main outcome of stealing personal data, so being able to protect users beyond their credentials is key to block post-breach damage." Advanced biometrics and behavioral analysis can stop fraudsters from using stolen data to log into someone else's account or to create synthetic identities, Capps noted. "Many global merchants have successfully incorporated passive and active biometrics and behavioral analytics to verify customer identities through the real-time analysis of hundreds of indicators derived from the user's online behavior," he added. "This approach isn't solely reliant on static data such as passwords and challenge questions, and it obfuscates much of what would attract bad actors seeking to steal and sell or reuse consumer data."

Plug hidden tunnels

Will LaSala, director of security solutions and security evangelist at OneSpan, said organizations sometimes unwittingly create vulnerabilities that become exploited by hackers. "Hidden tunnels should be protected at all times," he said. "Many app developers put holes through firewalls to make services easier to access from their apps, but these same holes can be exploited by hackers. Using the proper development tools, app developers can properly encrypt and shape the data being passed through these holes." LaSala advises developers to use secure application programming interfaces and encrypted data within an application before applying a network layer, suggesting it will protect apps from remote command injections. Rushing to implement a new feature to maintain customers or to increase business may lead to situations where a hidden tunnel is created and not secured, he noted.

A multilayered security approach to application development can be an effective deterrent to malicious hidden tunnel attacks, LaSala said. "By leveraging development tools that create end-to-end secure communications whenever a hidden tunnel is needed, developers can start with a solid foundation of security before hackers attack," he added. "Applying application shielding techniques can often harden the application from attack even further."

SCOTUS says yes to expanded online sales tax collection
Thursday, June 21, 2018

After 26 years, the Supreme Court overruled its decision in Quill Corporation v. North Dakota. At the time, the justices decided the U.S. Constitution prohibits states from forcing businesses to collect sales taxes unless those businesses have a substantial connection to the state, such as a physical location. In a 5 to 4 ruling handed down June 21, 2018, the court ruled in favor of the plaintiff in South Dakota v. Wayfair Inc., et al., which means Internet retailers can now be required to collect sales taxes in states where they have no physical presence.

Writing for the majority, Justice Anthony M. Kennedy stated, "Quill puts both local businesses and many interstate businesses with physical presence at a competitive disadvantage relative to remote sellers. Remote sellers can avoid the regulatory burdens of tax collection and can offer de facto lower prices caused by the widespread failure of consumers to pay the tax on their own." The other justices joining him were Samuel A. Alito Jr., Ruth Bader Ginsburg, Neil M. Gorsuch and Clarence Thomas.

Far from unanimous

Chief Justice John Roberts, while not in favor of the 1992 Quill decision, felt the matter would be better addressed by Congress. "E-commerce has grown into a significant and vibrant part of our national economy against the backdrop of established rules, including the physical-presence rule," he wrote. "Any alteration to those rules with the potential to disrupt the development of such a critical segment of the economy should be undertaken by Congress." Justices Stephen G. Breyer, Elena Kagan and Sonia Sotomayor also dissented.

Roberts also said, "The burden will fall disproportionately on small businesses. The court's decision today will surely have the effect of dampening opportunities for commerce in a broad range of new markets."

The 1992 decision came at a time when the Internet was not the force it is today. Justice Kennedy stated that back then, mail order sales totaled only $180 million; in 2017, he added, "e-commerce retail sales alone were estimated at $453.5 billion."

Amazon has already been collecting sales tax in states that charge it, whether Amazon has a physical presence there or not. The behemoth has not, however, been collecting sales tax for merchants participating in Amazon Marketplace.

In the suit decided today, South Dakota sought to collect taxes from online retailers with more than $100,000 in annual sales or 200 transactions in the state. While the South Dakota law provides exemptions to the smallest retailers, today's ruling may open the door for states seeking to collect sales taxes from a larger group of sellers, including small businesses.

NRF weighs in

National Retail Federation President and CEO Matthew Shay responded to the ruling, stating, "Retailers have been waiting for this day for more than two decades. The retail industry is changing, and the Supreme Court has acted correctly in recognizing that it's time for outdated sales tax policies to change as well. This ruling clears the way for a fair and level playing field where all retailers compete under the same sales tax rules whether they sell merchandise online, in-store or both."

The NRF had argued in a 2017 friend of the court brief that the Quill Corp. decision was outdated and that sales tax collection is no longer a burden for online sellers due to changes in technology. In particular, the NRF mentioned a variety of free or low-cost software now available to automatically collect sales tax owed.

The full impact of the ruling is unknown. Shay shared his views on next steps. "While today's decision is a major victory, there's still work to be done," he said. "Congress must now follow the court's lead and pass legislation implementing uniform national rules that provide consistency and clarity for retailers across the country."

Collaborations reduce chargebacks, study finds
Tuesday, June 19, 2018

A Javelin Strategy & Research study, underwritten by Verifi and published in May 2018, cites communication gaps as a leading cause of disputes and chargebacks. The 36-page report, titled The Chargeback Triangle, examines chargeback costs and impacts while demonstrating how to prevent chargebacks by resolving open issues.

In 2017, chargeback volumes reached $31 billion, including $19 billion in merchant losses and $12 billion in issuer losses, researchers found. Matthew Katz, CEO at Verifi, said improved collaboration among industry stakeholders would dramatically reduce these numbers.

"The report clearly indicates that collaboration between issuers, merchants and consumers is critical to resolve disputes effectively and avoid the direct and extended costs that chargebacks and consumer-initiated 'friendly fraud' cause for merchants and issuers alike," he stated. "In the end, the consumer pays the price in the form of higher purchase prices, as well."

In an interview with The Green Sheet, Katz called for industrywide changes in risk mitigation and chargeback management. "When you consider the sheer size of the card brands and major card issuers like Capital One and Wells Fargo, it's hard for enterprises that are so large with so much investment in technology to keep up with the times," he said. "We rely on each other to make changes across the board ‒ from cardholders all the way through to the merchant."

Sunk costs, attrition

Researchers found the costs of managing the chargeback process frequently exceed the value of a disputed product or service. "For every dollar in disputed transactions, an additional $1.50 is spent [by merchants and issuers] on fees, management expenses ‒ including technology and outsourcing ‒ and personnel," they wrote.

Following are additional report highlights:

Card brand mandates

The report references the Visa Claim Resolution (VCR) process, a newly launched initiative by Visa designed to simplify disputes. Katz expects banks to make additional investments in the program. "The benefit of being a card brand is having the ability to mandate a change," he said. "Visa set an effective date of April 14, 2018, for VCR, and Mastercard will be introducing a similar program in the near term. There has been a learning curve in the two months following VCR's effective date in terms of what works, what doesn't and how to improve."

Katz said at first glance, VCR may appear to oversimplify chargebacks, but it hasn't done away with former reason codes. Instead, it aggregates 22 original reason codes into 20 categories, which are then organized into four distinct themes, he noted. This is meant to bring clarity to the chargeback system, while maintaining a consistent experience across all channels.

"In retail, the buying experience is consistent across all channels, whether you are buying a shirt in a store, online or by using a mobile app," Katz said. "What is different are the risks involved in each channel and how merchants, acquirers and issuers monitor and view these risks. These channels are predicated on the same concept of buying a shirt."

Differentiate CNP merchants

Noting that most card not present (CNP) merchants are held accountable to the same risk thresholds, Katz said he would like to see more differentiation across CNP channels. "Internet, mobile, retail and IoT [Internet of Things] commerce need to be viewed differently by the card brands and monitored differently than they are now," he said. "The card brands need to set lower risk tolerances in channels that have a higher propensity for risk."

The IoT is a uniquely different CNP channel, Katz said, because unlike retail, online and mobile transactions, where consumers can make additional impulse purchases, the IoT facilitates targeted micro transactions. "The proliferation of commerce-enabled appliances raises the potential for curious children and inattentive consumers to inadvertently place orders," he said. "We may have to monitor our phones, appliances and wearables with the same vigilance as we currently monitor our networks and primary connected devices and networks."

Srii Srinivasan, CEO at Dallas-based Chargeback Gurus Inc., said CNP merchants that offer stellar customer service and lenient refund policies generally have reduced chargeback volumes. She recommended the following additional CNP best practices:

Pan-European digital bank to launch
Monday, June 18, 2018

Alior Bank developed a new digital platform with the intent to establish a bank that bundles best-in-class financial services from different fintechs and financial institutions. Four distinct enterprises have now joined forces to create such a bank. Set to launch in the fourth quarter of 2018, the pan-European digital bank is a collaboration between Alior Bank, solarisBank, Mastercard and Raisin.

Alior Bank stated it will deliver multicurrency accounts with international transfers and deposits; solarisBank will add the banking infrastructure with its technological, compliance and regulatory framework; Raisin, through its network of partner banks and more than 100,000 customers, is adding various savings and investment possibilities to the offering; and Mastercard’s Benefit Optimization program will be used to offer additional value-added services to customers.

Leveraging open banking

The open API platform will leverage the opportunities of EU directive PSD2 and open banking, Alior Bank added.

"Thanks to this platform, customers will be able to access the best of each collaborator's offer in a fast and efficient way," said Daniel Daszkiewicz, Head of FinTech at Alior Bank. "For example, a customer in Germany, while opening an account with solarisBank, will instantaneously gain access to a multicurrency account with Alior Bank and to Raisin's savings products. Thanks to the cooperation with Mastercard on the other hand, customers will be able to buy additional value-added services that will facilitate clients' global lifestyles. This is our first cross-border collaboration to this extent, and it is a very challenging project at the same time, because it puts a bank in a totally new position."

"The new platform – for which solarisBank will provide the infrastructure for accounts and transactions – is an exciting step to build a digital, financial ecosystem for Europe," said Marko Wenthin, co-founder and CCO at solarisBank. "Moreover, this partnership with such an innovative financial institution proves to us the success of our banking-as-a-platform approach."

The product will be available for all EU residents with a focus on the German market during the first phase of the project, the partners stated. For further details as they develop, visit

Dixons Carphone under fire for slow reporting of data breach
Friday, June 15, 2018

BBC News confirmed reports of a second major data breach at Dixons Carphone PLC, a publicly held British electronics retailer that operates as Currys PC World and Dixons Travel. The company reportedly found anomalies in its POS network in July 2017 but took nearly a year to disclose the malicious activity. In a June 13, 2018, statement, Dixons Carphone revealed the attack may have compromised 5.9 million credit and debit cards and more than 1 million consumer accounts. Security analysts criticized the delayed disclosure and failure to protect critical infrastructure after suffering an earlier attack in 2015. Lee Munson, security researcher at Comparitech Ltd., said the Dixons Carphone breach highlights how commonplace massive data breaches have become. "What is worrying here is the delay between the breach occurring last year and the disclosure today," he said. "Thankfully, under GDPR, non-disclosure for business reasons is no longer possible as the ICO [the Information Commissioner's Office] must be informed within 72 hours whenever possible."

Munson said he expects the incident to impact Dixons Carphone share prices throughout the remediation process and suggested even a short-term dip could be fatal to the retailer. "Of more concern is the effect this could have on the chain's customers, millions of whom have had their personal or payment card information leaked," he added.

Admit culpability

Munson and other security analysts have criticized Dixons Carphone for underplaying the incident's severity by saying it found "no evidence of fraudulent payments being made with the stolen cards." Tom Miller, senior vice president at Virsec, called the statement a "disturbing refrain we hear over and over." If they were blind to the breach, not seeing evidence is hardly reassuring, he noted.

"Also disturbing is the comment that 'There is no connection to the previous incident' [the 2015 breach of Carphone Warehouse]," Miller said. "Of course there's a connection – the same organization got breached, fined, didn't take adequate steps to change security, and got breached again."

Michael Magrath, director of global regulations and standards at OneSpan Inc., noted the European Union's data protection legislation, such as the GDPR, will impose heavy fines on organizations with lax data security protocols. "Organizations relying on a single shared secret to protect sensitive personal identifiable information has been very lucrative ‒ for hackers," he said. "While no security solution is 100 percent secure, in 2018 organizations not deploying risk-based authentication solutions are hoping they can dance between the raindrops when it comes to security."

Miller expressed hope the newly enforced GDPR will raise the bar for accountability but said it will take more than harsh penalties to stop data breaches. Businesses need to start "seriously rethinking how they secure sensitive customer data," he said.

Improve protections

Magrath stressed the need for organizations to adopt "multiple, layered authentication technologies," by combining PINs and passwords with biometrics and "analyzing context based on location and device characteristics."

Robert Capps, vice president of business development, NuData Security, a Mastercard company, said bad actors exploit the smallest security gaps to steal customer data. "As we all know, credit card information, combined with other user data from other breaches and social media, can build a complete profile," he said. "In the hands of fraudsters and criminals, these valuable identity sets are usually sold to other cybercriminals and used for myriad criminal activities, both on the internet and in the physical world."

Capps said advanced techniques and technologies can protect consumers. "Multilayered technology that thwarts fraud exists right now," he stated. "Passive biometrics and behavioral analytics technology are making stolen data valueless by verifying users based on their inherent behavior instead of relying on their data, such as credit card information. This makes it impossible for bad actors to use stolen data, as they can't replicate the customer's inherent behavior attached to that data."
