The Green Sheet, Inc

Saturday, December 8, 2018

Fraud, ID theft on sale this holiday season

To celebrate the 2018 holidays, the Dark Web is having a clearance sale on personally identifiable information, offering criminals a generous inventory of names, addresses, dates of birth and Social Security numbers, at prices as low as $2 per record. Bryan Lewis, president and CEO at Intellicheck, a security technology provider, said much of the stolen data has been vetted for accuracy during a lengthy incubation period.

"Bad guys are building a product, packaging it and getting it ready for sale," Lewis said. "Before these records go on the Dark Web, they are cross-referenced and confirmed with other data."

The 2017 Equifax breach compromised 145 million civilian records, Lewis noted. This event and increasingly complex, sophisticated identity theft schemes make the 2018 holiday season a dangerous time for holiday shoppers and retailers. "Javelin Strategy and Research puts the total value of identity theft at nearly $17 billion dollars last year," he added. "On average, an identity was stolen every 1.88 seconds in the United States in 2017. More than 57 million records have been exposed this year according to the Identity Theft Resource Center."

Bad Santa

Chris Marchand, vice president, business development at Verifi, a risk mitigation company, has seen increased friendly fraud, also known as chargeback fraud, throughout the holiday season. These events increase merchant headaches and costs. They occur when consumers make purchases with their own credit cards but then, after receiving the goods or services, ask their credit card issuers to reverse charges. These false chargebacks are often triggered by credit card statement sticker shock. Some issuers would rather process a chargeback than risk losing a customer, he stated.

"Adding fuel to the fire, some customers dispute legitimate transactions due to billing confusion, such as the merchant's name not matching their trading name or forgetting about a purchase made," Marchand said. "Consequently, merchants face loss of revenue and merchandise, plus fines and fees applied by acquiring banks."

Merchants and card issuers should collaborate and share transaction information to resolve issues at the earliest possible stage, Marchand advised, adding that merchants "need to ensure they deliver the best customer experience while arming themselves against chargebacks at an already frantic time of year."

Forewarned, forearmed

Lewis said Intellicheck recently found a news organization's contact email and password for sale on the Dark Web. Intellicheck had been working with that organization, but it does not reuse the same password across multiple sites. "Fortunately, our corporate policy is they have to use different passwords [on different websites], so we weren't at risk," he said. "You open yourself up to security threats when you do that."

Javelin Strategy provided additional protections against identity theft in the whitepaper titled 2018 Identity Fraud: Fraud Enters a New Era of Complexity, as follows:

"There is enough data on every one of us; it's far too easy to steal identities," Lewis said. "Cybercriminals used to be able to steal a little bit about you, but Equifax had all the information about you in one place and for the first time, Social Security numbers are more prevalent than credit card numbers on the Dark Web."

Walmart accepting cash for in-store online ordering
Wednesday, December 5, 2018

Just in time for holiday shoppers, Walmart introduced Order and Pay. It's a new in-store ordering option that enables shoppers in physical store locations to order and pay for items that aren't available in the store. Consumers work with Walmart associates on the floor to process online orders from Walmart's Dotcom store and then pay for the items at the physical POS, along with other items selected from the shelves (if any).

Consumers can pay with cash, credit and debit cards, checks, and Walmart Pay. The ability to pay with cash is expected to appeal to the unbanked and underbanked, who may not have access to other payment methods or who simply prefer to use cash.

"We've known for some time that the future of the retail store will mean blurring the lines between online and offline stores, and leaders like Walmart are making this more and more into a permanent reality," stated Gavin Bisdee, Vice President of Global Marketing at Zynstra Ltd., a provider of intelligent infrastructure for retailers. "This new service from Walmart will enhance the in-store experience for consumers, making the buying process even more convenient and frictionless. It also tees up the ability to improve the productivity of Walmart store associates, giving them more cross-sell and upsell opportunities."

Online-offline blend a growing trend

Walmart isn't the only retailer to provide sales associates apps that facilitate blending of online and offline channels. Since October 2017, Target associates have been able to use their in-store devices to create online orders for customers. Associates have mobile card readers for shoppers who want to pay quickly on the floor and avoid waiting in line at the POS. Amazon operates its Whole Foods subsidiary stores, as well as its own brick-and-mortar locations, including the cashierless Amazon Go and Amazon 4-star stores, where online and offline services are both in the mix. "At its core, this move from Walmart is one step further in seamlessly merging its online and offline experiences to ensure that the brand is present in all the channels the customer wants to shop in," said Danielle Roberts, Senior Product Manager at Kibo, a provider of omnichannel commerce software. "With this move, when a consumer says, 'I saw this product on your website,' the Walmart associate will have one more digital tool within his/her arsenal to not only save the sale but instantly improve the experience for the shopper."

Roberts also pointed out that the initiative provides an easier way for associates to find merchandise consumers are looking for. "If you rely only on in-store inventory to save the sale, you run the risk of a product not being where it should be which is in the hands of the shopper – especially with the added chaos of the holidays," she noted. "All in all, the primary competitive advantage Walmart and other traditional retailers have over Amazon is leveraging their many stores to provide a better consumer experience. At least for now, Amazon does not have that option."

The Order and Pay service is now available year-round at 4,700 Walmart stores. It includes items featured on, but not yet its marketplace fare.

PCI SSC updates guidance for phone-based payments
Tuesday, December 4, 2018

Updated PCI Security Standards Council (PCI SSC) guidance, published Nov. 28, 2018, addresses the increasingly complex landscape of accepting payments by phone. Spearheaded by a PCI SSC Special Interest Group of call center and technology experts, Protecting Telephone-based Payment Card Data outlines best practices for mitigating fraud by removing sensitive data from scope.

Ben Rafferty, global solutions director at Semafone and Special Interest Group member, said the council last issued call center guidance in 2011, and the landscape has evolved significantly in recent years. The new guidance pertains to a new set of risks posed by Voice over Internet Protocol (VoIP), softphones and chatbots, he said, noting that these emerging technologies are potential targets for card-not-present fraud.

"Because protecting payment card data within contact centers is the core of Semafone's business, we invested our time to share our expertise for the new guidance," Rafferty said. "Drawing from our experience descoping enterprise contact centers around the globe, we hope to provide clarity on securing these critical payment channels."

Simplifying call center compliance

Recommended scope reduction techniques include masking technologies that make payment card data indecipherable to call center agents or advanced routing schemes that send card data directly to processors. These techniques have been shown to simplify compliance, safeguard data and build customer trust, experts noted.

Following are additional areas, identified by the council, in need of scope reduction:

Telephony, network segmentation

Michael Simpson, security analyst at SecurityMetrics, said phone-based payments are widely used by call centers, universities and fundraisers. These organizations should not be storing cardholder data or sensitive authentication data such as CVV codes; merchants that accept credit card payments over the phone need to implement solutions that stop recording when such data is entered, he noted.

"Unfortunately, any time you have human intervention, you'll make mistakes," he said. "Systems designed to pause when sensitive data is transmitted may still contain sensitive data because the agents forget to use the feature."

Simpson went on to say that merchants must submit annual risk assessments to their acquiring banks to get buy-off on storing sensitive data. However, not all large call centers are merchants; some are just service providers, he stated. In these cases, service providers should ask their merchant bank and merchant service provider for a copy of their annual risk assessment to make sure their storage methods are approved and compliant, he added.
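As an added example (not code from the article or from any vendor it quotes), a compliance check of the kind Simpson's point calls for: scanning stored call transcripts for Luhn-valid card numbers that a pause-and-resume control should have kept out of the recording, and masking them to the first six and last four digits. The transcript lines are constructed and the card number is the well-known Visa test number.

```python
import re

# Constructed sample transcript (not from the article); the PAN is the Visa test number, not a real card.
SAMPLE_TRANSCRIPT = [
    "agent: thanks, can I have the card number please",
    "caller: sure, it's 4111 1111 1111 1111",
    "agent: and the three digit code on the back",
    "caller: 737",
    "agent: your order reference is 1234 5678 9012 3456",
    "caller: my callback number is 415-555-0100",
]

# 13-19 digits, optionally separated by single spaces or hyphens, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check (filters order refs and phone numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits (the usual PCI DSS display rule), mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_line(line: str) -> tuple[str, int]:
    """Replace every Luhn-valid PAN in a line; return (redacted line, number of PANs found)."""
    count = 0
    def _sub(m: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            return m.group()  # non-card digit runs are left untouched
        count += 1
        return mask_pan(digits)
    return PAN_CANDIDATE.sub(_sub, line), count


def audit_transcript(lines: list[str]) -> list[tuple[int, str]]:
    """Return (line number, redacted text) for every line where a PAN was recorded."""
    findings = []
    for n, line in enumerate(lines, start=1):
        redacted, hits = redact_line(line)
        if hits:
            findings.append((n, redacted))
    return findings
```

Run over a batch of stored transcripts, a non-empty result from `audit_transcript` is the signal that the pause-and-resume control failed on that call and the recording is in scope.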

Fed torpedoes move to fully electronic checks
Monday, December 3, 2018

The Federal Reserve Board has torpedoed industry efforts to make checks a fully electronic payment option. Regulatory changes disclosed earlier this month make it clear that financial institutions cannot clear electronically created items (ECIs) through the Reserve Bank System. While most checks start out as paper items, the majority today clear between banks and credit unions (often through the Reserve Banks) as electronic images – over 99 percent by the Fed's reckoning. The conversion from paper to electronic images is often executed by payees using their banks' remote deposit capture services, or at the bank of first deposit.

ECIs are like paper checks in every respect except that they originate as electronic messages, which eliminates the need to truncate paper checks and significantly compresses the clearing cycle, placing it on par with electronic payments. In fact, experts note, it is not uncommon for ECIs to clear and post on a same-day basis.

No one knows for certain how many ECIs clear through the banking system on a daily basis, since they are generally indiscernible from electronic image files of checks that start out as paper. A 2017 analysis by the firm All My Papers suggested about 80 million ECIs clear through the banking system each year. Most ECIs are business payments, stated David Walker, president of Tiller Endeavors LLC, and former president of the Electronic Check Clearing House Organization.

Fed's rationale questioned

Broader adoption of ECIs has been held back by a lack of clarity over ECIs since check laws pivot on the existence of paper documents. Walker and others had urged the Fed to address this through its check collection rule set, Regulation J. But Reg J amendments proposed by the Fed earlier this year included a ban on clearing ECIs through the Reserve Bank System. Last month, the Fed decided to adopt the proposal, despite receiving 14 comment letters in opposition and just three in favor of the ban on clearing ECIs through Reserve Banks. And it added that it "will not conduct further studies on ECIs at this time."

Walker said he was disappointed by the Fed's ruling, and he called into question the Fed's rationale. "The arguments they gave frankly don't make any sense," he said.

The Fed's decision to ban ECIs from the Reserve Bank clearing system comes as the Fed continues to push the concept of faster payments, with an eye toward near-real-time clearing and settlement. Walker noted, however, that such a system will likely need to be built from scratch, and that it could take a decade, or more, for such a system to achieve the scope of existing interbank clearing and settlement systems, like the check and automated clearing house systems. ECIs take an existing payment method, the paper check, and render it a truly electronic method, he noted.

In discussing its Reg J amendment, the Fed said that nothing about its decision would stop banks from agreeing to clear ECIs between one another. But because a large share of checks clear through the Reserve Bank System – 45 percent on the forward collection side and 68 percent of returns, according to the Fed's data – most experts expect banks will not encourage business clients to use ECIs rather than issue paper checks. The Reg J amendment on ECIs takes effect Jan. 1, 2019.

Experts back multifactor authentication to stem stealth attacks
Friday, November 30, 2018

The 2018 holiday season has been marked by increasingly stealthy and sophisticated attacks against consumers, merchants and financial institutions, security analysts have noted. Bimal Gandhi, CEO at Uniken, a security platform, cited the Marriott Starwood data security breach which just came to light as the latest example of compromised data being resold and exploited at scale.

Marriott International disclosed Nov. 30, 2018, that the data breach may have compromised up to 500 million consumers whose personally identifiable information (PII) had been registered on the Starwood Hotel site. Marriott acquired the Starwood properties in September 2016, making it the world's largest hotel chain. Early forensic reports indicate the breach may have been initiated as far back as 2014, when unauthorized parties allegedly copied and encrypted information.

"Events like this Marriott Starwood breach underscore the sheer folly of continued reliance on outdated security methods such as using PII in authentication, given the sheer proliferation of stolen and leaked PII now available on the Dark Web," Gandhi stated. "Every piece of customer information that a company holds represents a potential point of attack, and each time a partner or agent accesses it, that becomes a potential attack point as well."

Gandhi urged hospitality merchants, banks and ecommerce service providers to move to advanced authentication schemes that can operate independently of PII disclosure. Migrating beyond PII authentication will preclude bad actors from hacking into networks, he advised.

"Invisible multifactor authentication solutions that rely on cryptographic key-based authentication combined with device, environmental and behavioral technologies provide just such a solution," Gandhi said. "By their very nature, they are easy to use, issued and leveraged invisibly to the user, remove human error, and defy credential stuffing and other common attacks."

Beware of 'locked' apps, websites

In his Nov. 26, 2018, blog post, "Half of all Phishing Sites Now Have the Padlock," security analyst Brian Krebs of Krebs on Security reported that cybercriminals have found a way to spoof legitimate ecommerce sites by using website addresses that begin with "https://" and the familiar padlock icon to signal they use the secure version of the Hypertext Transfer Protocol. Krebs called the increased use of lock icons an alarming shift that dupes Internet users into believing that green locks indicate a website is legitimate or safe.

"In reality, the https:// part of the address (also called "Secure Sockets Layer" or SSL) merely signifies the data being transmitted back and forth between your browser and the site is encrypted and can't be read by third parties," Krebs wrote.

Nick Bilogorskiy, cybersecurity strategist at Juniper Networks, agreed with Krebs' assessment, noting the "green padlock" can give users a false sense of security, because they assume it means a website is safe to use. This is not always the case, he stated.

"Attackers are always quick to adapt any innovative means to increase the click-through of their phishing sites," Bilogorskiy added. "It does not cost them anything to get an SSL certificate from Let's Encrypt to obtain the 'green padlock'. In fact, Let's Encrypt has become the largest certificate issuer in the world with over 380 million certificates issued on 129 million unique domains. That said, I am not surprised that attackers have doubled the number of HTTPS phishing sites in a year."
