Updated: Tuesday, September 16, 2014
Flawed coding blamed for recent data breaches
The proliferation of data breaches at major U.S. retailers is a direct result of poorly coded software, according to a software analysis and measurement firm. The global data analytics firm, CAST, said seven out of 10 retail and finance applications are vulnerable to the Heartbleed-style malware attacks that have caused havoc among U.S. retailers in recent months.
CAST revealed in its 2014 CAST Report on Application Software Health (CRASH) that financial and retail industry applications are the most vulnerable to data breaches, with 70 percent of retail and 69 percent of financial services applications having "data input validation violations" that can lead to breaches. "This is particularly concerning, considering the amount of personal and financial customer data often held in applications across these industries," CAST said.
Lev Lesokhin, CAST Executive Vice President, described faulty code as a product of rushed deadlines faced by IT staff. "So long as IT organizations sacrifice software quality and security for the sake of meeting unrealistic schedules, we can expect to see more high-profile attacks leading to the exposure and exploitation of sensitive customer data," he said.
FI security coding fails
A Trustwave 2012 slide presentation entitled "Whitelist is the New Black" defined input validation as the "process of verifying the correctness of data supplied to an application before using that data." The data security firm noted that input validation is the hardest part of ensuring applications are secure. "Most vulnerabilities are a result of user-controlled data not being validated, or not being validated appropriately," Trustwave said.
CAST said poorly written code that did not properly validate data resulted in the notorious Heartbleed malware attack, which exposed over 60 percent of the Internet's servers to potential attacks. "As of June 21, 2014, it's estimated that 309,197 public web servers still remained vulnerable," the researcher noted.
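An added illustration of the input validation failure the article attributes to Heartbleed, written for this page rather than taken from OpenSSL or from CAST: a simplified heartbeat-style record whose sender-supplied length field is either trusted outright or checked against the length of the record that actually arrived. The record layout, the field names and the 'S'-filled "stale memory" arena are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout (not OpenSSL's): byte 0 = type, bytes 1-2 =
 * payload length claimed by the sender (big-endian), then the payload,
 * then 16 bytes of padding. The defect class is trusting the claimed
 * length instead of the length of the record that actually arrived. */
#define HB_TYPE_REQUEST 1
#define HB_HEADER_LEN   3
#define HB_PADDING_LEN  16

/* Writes a record into buf and returns its real length (0 on failure).
 * claimed_len may deliberately disagree with payload_len to model a
 * malformed message. */
static size_t hb_build(uint8_t *buf, size_t cap, const uint8_t *payload,
                       size_t payload_len, uint16_t claimed_len)
{
    size_t rec_len = HB_HEADER_LEN + payload_len + HB_PADDING_LEN;
    if (rec_len > cap || payload_len > 0xFFFF) return 0;
    buf[0] = HB_TYPE_REQUEST;
    buf[1] = (uint8_t)(claimed_len >> 8);
    buf[2] = (uint8_t)(claimed_len & 0xFF);
    memcpy(buf + HB_HEADER_LEN, payload, payload_len);
    memset(buf + HB_HEADER_LEN + payload_len, 0, HB_PADDING_LEN);
    return rec_len;
}

/* Vulnerable pattern: the sender's length field decides how much is copied
 * and the real record length is never consulted, so whatever followed the
 * record in memory ends up in the reply. */
static int hb_copy_payload_unchecked(const uint8_t *rec, size_t rec_len,
                                     uint8_t *out, size_t out_cap)
{
    (void)rec_len;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if (claimed > out_cap) return -1;
    memcpy(out, rec + HB_HEADER_LEN, claimed);
    return (int)claimed;
}

/* Hardened pattern: validate the untrusted length against the record that
 * actually arrived before touching any payload bytes. */
static int hb_copy_payload_checked(const uint8_t *rec, size_t rec_len,
                                   uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER_LEN + HB_PADDING_LEN) return -1;
    if (rec[0] != HB_TYPE_REQUEST) return -1;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    /* The check that was missing: the claimed payload must fit in the record. */
    if ((size_t)HB_HEADER_LEN + claimed + HB_PADDING_LEN > rec_len) return -1;
    if (claimed > out_cap) return -1;
    memcpy(out, rec + HB_HEADER_LEN, claimed);
    return (int)claimed;
}

/* Demo arena: a 24-byte record carrying "hello" at the front of a 64-byte
 * buffer pre-filled with 'S' (constructed stand-in for stale memory). */
static size_t build_arena(uint8_t *arena, size_t cap, uint16_t claimed)
{
    memset(arena, 'S', cap);
    return hb_build(arena, cap, (const uint8_t *)"hello", 5, claimed);
}

/* Header claims 40 bytes though 5 were sent; returns how many stale 'S'
 * bytes the unchecked path copies into the reply (19). */
static int demo_unchecked_leak(void)
{
    uint8_t arena[64], out[64];
    size_t rec_len = build_arena(arena, sizeof arena, 40);
    int n = hb_copy_payload_unchecked(arena, rec_len, out, sizeof out);
    int stale = 0;
    for (int i = 0; i < n; i++) stale += (out[i] == 'S');
    return stale;
}

/* Same malformed record through the checked path: rejected (-1). */
static int demo_checked_rejects(void)
{
    uint8_t arena[64], out[64];
    size_t rec_len = build_arena(arena, sizeof arena, 40);
    return hb_copy_payload_checked(arena, rec_len, out, sizeof out);
}

/* Well-formed record (claimed 5, sent 5) through the checked path: 5. */
static int demo_checked_accepts(void)
{
    uint8_t arena[64], out[64];
    size_t rec_len = build_arena(arena, sizeof arena, 5);
    return hb_copy_payload_checked(arena, rec_len, out, sizeof out);
}

int main(void)
{
    printf("unchecked: %d stale bytes copied\n", demo_unchecked_leak());
    printf("checked, malformed: %d\n", demo_checked_rejects());
    printf("checked, well-formed: %d\n", demo_checked_accepts());
    return 0;
}
```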
In its CRASH report, CAST singled out the financial services industry for the worst coded applications, the most surprising finding of the report. "[T]he data showed that the financial services industry has the highest number of input validation violations per application (224) even though their applications, on average, are only half as complex as the largest application scanned," CAST said.
Dr. Bill Curtis, Chief Scientist at CAST and CRASH report author, believes CAST's findings discredit the idea that software security and software quality are mutually exclusive. "The CRASH Report data proves this is false," he said. "Badly constructed software won't just cause systems to crash, corrupt data and make recovery difficult, but also leaves numerous security holes."
Home Depot the latest victim
In April 2014, the Heartbleed bug was detected by Trustwave in the popular OpenSSL security protocol, which is described as a cryptographic library used in securing e-commerce sites, email services and file transfer protocol programs. The bug is a weakness in the code that can be exploited by hackers to circumvent encryption and gain access to sensitive cardholder and enterprise data.
Heartbleed had reportedly gone undetected for over two years, during which hackers could exploit the weakness to steal SSL certificates that establish encrypted communications for such activities as consumers making online purchases with bankcards or administrators logging onto networks.
The most recent big breach occurred at The Home Depot. The home improvement retailer said it first learned about the breach on Sept. 2, 2014, from law enforcement and its banking partners, and that the compromise began the previous April, affecting its U.S. and Canadian stores, but not its operations in Mexico, nor customers shopping via its online store.
Security reporter Brian Krebs wrote in a Sept. 14 post on his KrebsOnSecurity blog that multiple financial institutions reported a steep increase over the past few days in ATM withdrawal fraud using data stolen from Home Depot customer accounts. While the retailer reassured customers that no debit card PIN data was compromised in the attack, Krebs noted that fraudsters can use other types of stolen data, such as ZIP codes, to reset debit cardholders' PINs via automated phone systems that employ weak cardholder authentication methods.
"The card data for sale in the underground that was stolen from Home Depot shoppers allows thieves to create counterfeit copies of debit and credit cards that can be used to purchase merchandise in big-box stores," Krebs wrote. "But if the crooks who buy stolen debit cards also are able to change the PIN on those accounts, the fabricated debit cards can then be used to withdraw cash from ATMs."
In the wake of the breach coming to light, a class-action lawsuit in the Atlanta district court was filed by the Georgia law firm of Harris Penn Lowry LLP. The suit alleges that Home Depot did not inform its customers of the breach until after Krebs broke the story on his blog site.
Apple Pay may set mobile payment security standard
Friday, September 12, 2014
Apple Inc. is known for setting trends, if not defining whole new market categories, as represented by the iPhone and iPad. But now, with the Sept. 9, 2014, launch of the iPhone 6, and Apple's first foray into the wearable device market with the Apple Watch, the tech giant has come out with a mobile contactless payment system called Apple Pay that could potentially set the standard for mobile security for the entire marketplace. By defining the security standard that wary consumers buy into, the market for mobile contactless payments at the POS may finally take off.
Here's an excerpt from Apple's statement: "Apple Pay will change the way you pay. When you add a credit or debit card with Apple Pay, the actual card numbers are not stored on the device nor on Apple servers. Instead, a unique Device Account Number is assigned, encrypted and securely stored in the Secure Element on your iPhone or Apple Watch. Each transaction is authorized with a one-time unique number using your Device Account Number and instead of using the security code from the back of your card, Apple Pay creates a dynamic security code to securely validate each transaction."
Apple Pay leverages near field communication (NFC) technology embedded in smartphones to conduct contactless, in-store payments. Customers' sensitive payment data is tokenized and stored within the secure element of the NFC chip. When users pay with their phones at the POS, one-time tokens are generated in the place of the payment data. When Apple's biometric fingerprint scanning technology, Touch ID, is added to the mix, a potent security environment is erected around mobile payments.
Redefining card present
Randy Vanderhoof, Executive Director of the Smart Card Alliance, said, "[Apple Pay] really raises the bar on secure implementation of payments, because adding the biometric authentication to the transaction provides a much more secure validation to the merchant and to the issuing bank that the proper individual is making the payment transaction – and that they can trust that transaction."
Vanderhoof added that the card brands recognized the higher degree of security associated with Apple Pay and "rewarded" Apple with the lower card-present interchange fee, even though mobile contactless transactions are by literal definition card-not-present (CNP) and subject to higher fees. "So they are redefining the definition of card-present here," Vanderhoof said. "They're doing this because Apple is able to provide the same, in fact more, security, to the payments network that would normally exist when the physical card is involved."
Because CNP transactions are considered more prone to fraud, they are placed in a higher interchange category, which translates into merchants paying more to accept CNP transactions.
In an analysis of Apple Pay, Alcaraz Research said, via the Seeking Alpha website, that the 15 to 25 basis point discount the card brands have provided to Apple Pay transactions means that "Apple Pay processing fees can just be around 1.25 to 1.35 percent, much lower than PayPal's card-not-present transaction fee of 2.7 percent."
Vanderhoof noted that Google Wallet transactions also fall into the CNP interchange fee category because no comparable security protocols are in place, as Android-based phones are not equipped with biometric security technology.
Boon to the market
But the benefits of the Apple Pay security ecosystem to Apple, and the 220,000 U.S. retail locations that already accept contactless payments, will potentially extend to the entire mobile payments marketplace. Vanderhoof said the lower interchange category will act as an incentive for Apple to more aggressively market Apple Pay, which will result in more consumers wanting to use it and more merchants wanting the ability to accept it, creating a momentum of adoption and usage.
"It certainly does provide a very strong incentive for Apple to invest more marketing clout behind the wallet solution, which will then create more mobile payment transactions, which will replace the less secure magnetic stripe transactions more quickly," Vanderhoof said, "So the benefits are then going to be shared across the entire market; merchants and issuers are going to benefit from the higher security and the less likelihood of fraud by the way Apple has implemented Apple Pay."
It won't take many consumers coming into stores and asking if merchants accept Apple Pay for reluctant retailers to reconsider upgrading terminals to accept contactless payments. "I think merchants are probably going to be rethinking the future of NFC and contactless payments with this announcement," Vanderhoof said. "The previous implementations of NFC and mobile wallets haven't had a real big impact on consumers, and therefore it hasn't caught the attention of too many of the merchants.
"But now with Apple jumping into the fray, it may give [merchants] further reason to upgrade their point of sale to be NFC capable and perhaps turn that NFC acceptance on sooner than they may have."
Additionally, Apple has created a security and mobile payment model that competitors can emulate. "It certainly is a model to consider for other solution providers to step up their creative ways to demonstrate a stronger link between a cardholder and the payment transaction, like Apple is doing with their biometric Touch ID," Vanderhoof stated.
However, Vanderhoof cautioned against rushing to crown Apple Pay the dominant mobile payments scheme. "With any new payments player in the market, and changes that happen in the direction by which consumers can transact at the point of sale, it takes some time for those new features to catch on and be fully vetted and operational."
But the stars seem to be aligning nonetheless. "I would say the signals are very good for what Apple has done, but it's a little bit too early to put a flag in it and call it a huge success or a huge game changer," Vanderhoof said.
CurrentC, a non-Apple, non-NFC mobile wallet
Tuesday, September 9, 2014
Apple Inc. made a big splash Sept. 9, 2014, when it announced Apple Pay, its near field communication (NFC)-powered mobile wallet, will be available on the soon-to-be-released iPhone 6, iPhone 6 Plus and Apple Watch. Some analysts have weighed in, stating not only is this the death knell for plastic payment cards, it is also the birth of a behemoth that could knock out competing mobile payment schemes vying for market dominance.
One such competitor is Merchant Customer Exchange, a mobile wallet being developed by leading retailers. Of all the high profile mobile wallet developers, MCX has been the most secretive. On Sept. 3, 2014, MCX offered a tantalizing peek into CurrentC, the brand name for its mobile wallet expected to launch in 2015.
MCX seems focused at the outset on the loyalty aspect of its wallet. MCX said, "CurrentC will simplify and expedite the customer checkout process by applying qualifying offers and coupons, participating merchant rewards, loyalty programs and membership accounts, and offering payment options through the consumer's selected financial account, all with a single scan."
As a mobile app offered to consumers as a free download from the app stores of Apple and Google Inc., CurrentC will be able to store and automatically apply retailer-specific offers and discounts from the merchants on MCX's prodigious network, which includes 7-Eleven Inc., Best Buy Co. Inc., Lowe's, Sears Holdings, Shell Oil Products US, Sunoco Inc., Target Corp. and Wal-Mart Stores Inc. CurrentC will also allow consumers to earn rewards that apply to the loyalty and membership accounts stored in the app. "Existing rewards, once entered, are detected, applied and earned automatically during the transaction," MCX said.
MCX also placed an emphasis on the data security that underpins the mobile app and corresponding network. "CurrentC will provide a more secure payment experience than traditional methods by storing users' sensitive financial information in its cloud vault rather than locally on the mobile device," MCX said. "Furthermore, the application uses a token placeholder to facilitate transactions instead of constantly passing the data between the user, merchant and financial institution. These innovative approaches to security are only a sample of industry leading tools used by CurrentC to create a comprehensive, layered approach to information security."
CurrentC is also being touted as merchant friendly, with retailers not having to upgrade current POS systems to integrate MCX's app. "CurrentC is a software-based solution that works with most existing point-of-sale and payment terminals – providing merchants large and small with a cost-effective entry point into the mobile payments movement," MCX said. "CurrentC will utilize a secure paycode and will not require additional hardware from most customers or merchants."
MCX said CurrentC will remain in private pilot testing mode through 2014, with regional and national rollouts to follow in 2015.
Ubiquitous brand-name reach
MCX launched in August 2012. Its network comprises over 70 brand-name retailers that together process in excess of $1 trillion annually in transactions at more than 110,000 retail outlets that span practically every vertical market, from quick service restaurants to convenience stores/gas stations, big box retailers and national grocery markets.
On mobile marketer Mobiquity Inc.'s blog page, Mobiquity Technical Advisor Robert McCarthy wrote in an August 2014 post that FIS Global will process CurrentC payments, while Paydiant Inc. is building the white-labeled mobile app. McCarthy noted that the FIS-owned mobile app developer mFoundry powers Starbucks Coffee Co.'s popular mobile wallet, as well as the Bank of America banking app.
McCarthy believes MCX's partnership with Paydiant was a wise move. "Paydiant's technology will allow MCX member merchants to leverage existing smartphones, POS and payment terminals," he wrote. "It will include an easy-to-implement application programming interface (API) to enable MCX members to integrate complete mobile wallet capabilities and value-added services into their own branded iPhone and Android applications. In addition, the solution will allow retailers to avoid sharing sensitive customer information with third parties."
With the Starbucks app, transactions are facilitated at the POS by means of quick response (QR) codes. McCarthy thus believes that the MCX solution will likely leverage QR codes as well. "This is obviously an intriguing initiative, one promising massive change in the industry," he wrote, adding that MCX may result in "something wildly disruptive and valuable to consumers and merchants alike."
Focused on merchants, not consumers
Initial reactions from payment consultants to MCX's announcement focused on the emphasis MCX puts on retailer issues, namely loyalty and merchant acceptance, rather than the consumer experience. Aite Group LLC Analyst Nathalie Reinelt said, "[I]t appears that they will be deeply focused on loyalty programs compared to Google Wallet and Isis (Softcard), which should offer a greater incentive for consumers to give their mobile payment platform a try."
Rick Oglesby, Senior Analyst/Consultant at Double Diamond Group LLC, added that "MCX is really focused on the merchant; it wants to promote merchant branding, build merchant-to-consumer relationships and reduce the cost of merchant acceptance."
MCX will also be able to leverage its extensive merchant network to drive consumer adoption. Oglesby said the ideal time to enroll consumers in a new program is at the POS, as less effort is needed at that time to convince consumers to change payment behaviors. "Because MCX is merchant controlled, it can best access consumers at the point of payment and is therefore very well positioned to drive change in payment behavior," he noted. "This should be a big advantage for MCX/CurrentC."
As for the "secure paycode" technology MCX mentioned in its announcement, Reinelt believes it could mean either QR code- or bar code-based payments. In terms of sophistication, such payment methods are technologically simple in comparison to NFC schemes. However, Reinelt pointed out that both Google Wallet and Softcard use NFC technology but have struggled to win over consumers.
"However, Starbucks – which uses barcode technology, but offers an attractive loyalty program – continues to see impressive growth in their mobile payment volumes," Reinelt said. "The important aspect of MCX's offering isn't that it is not using NFC, it's that it is focusing on loyalty and tokenized secure payments, which will set them up to be highly competitive."
Oglesby also believes tokenization is a key feature of CurrentC. "Traditional NFC models pass a standard card number through an NFC-equipped terminal," he said. "A tokenized solution can use a broader set of technologies (QR code, Bluetooth, sound emission, or even NFC). We may eventually see MCX embrace NFC, but not without tokenization, and not within the rules imposed by the traditional payment networks."
Will MCX succeed? Will NFC-based Apple Pay soon dominate the field? With mobile technology developing at such a rapid clip, is it possible a new contender could rise and grab the lion's share of the market, leaving current contenders in the digital dust? It's still too early to tell.
CFPB gives RTPs more time
Friday, September 5, 2014
In the area of international remittances (money transfers), the Consumer Financial Protection Bureau issued final revisions to its controversial rules that govern the business practices of remittance transfer providers (RTPs). But in issuing the final rules, the CFPB granted a kind of reprieve to RTPs, such as banks and credit unions, by pushing back the compliance deadline for certain types of transactions to July 2020.
The remittance rules, which went into effect in October 2013, require RTPs to disclose exchange rates, fees and taxes to consumers before consumers initiate international money transfers at the POS. The rules also allow consumers a 30-minute window after transactions are made to cancel them and be reimbursed for transaction costs. RTPs must also provide disclosure and program information in the languages of the consumer groups that the remittance services are marketed to.
But in April 2014, the CFPB responded to RTP concerns that remittance fees are not necessarily known at the time transactions are made; for example, foreign entities to which remittances are sent can impose fees on consumers that RTPs can't control. Therefore, the CFPB initially granted a temporary rule exemption for those transactions that was set to expire July 21, 2015. Now, in the CFPB's revised rules, the deadline by which RTPs must be able to ascertain the fees for problematic remittances stands at July 21, 2020.
"If the temporary exception expired in July 2015, current market conditions would make it impossible for insured institutions to know the exact fees and exchange rates associated with a minority of their remittance transfers," the CFPB said. "Without the exemption, these insured institutions reported that they would have been unable to send some transfers to certain parts of the world that they currently serve. The Bureau believes that this exception is limited and is not used for most remittances by insured institutions."
The CFPB added that the July 21, 2020, deadline is final and cannot be extended. The agency believes the extension to 2020 will provide RTPs enough time to "develop reasonable ways to provide consumers with exact fees and exchange rates for all remittance disclosures."
One aspect of the rule that has not been revised is the 100 remittances-per-year threshold imposed by the CFPB. RTPs that provide fewer than 100 international money transfers per year will not have to comply with the rules. RTPs and the associations representing them argued that the threshold is too low, with 1,000 and 6,000 being floated as more reasonable cut-off points.
The National Association of Federal Credit Unions welcomed the CFPB's extension, but decried the overarching direction of the rules. NAFCU Director of Regulatory Affairs Michael Coleman said NAFCU and its members "remain concerned about the overall rule and the incredible burden it places on any credit union facilitating more than 100 remittances yearly for its members. As it stands, this rule is pushing credit unions out of the market."
Where to draw the line
In a July 30, 2012, letter addressed to Congress, several FI associations, including the American Bankers Association and the Credit Union National Association, said the international remittance rules "impose arbitrary and unworkable requirements on consumer-initiated international transfers of all sizes and purposes that will drastically curtail the availability of international transfers to consumers."
At the time, CUNA advised the CFPB that the threshold should be 1,000 transactions per year. Pat Keefe, Vice President, Communications & Media Outreach at CUNA, said most of CUNA's members would fall under that 1,000 threshold and would therefore not be subject to the rules, and some CUNA members that didn't fall under that threshold might eliminate their international remittance services due to the costs of complying with the rules.
International remittances offered through banks and credit unions are processed primarily over the "open" automated clearing house (ACH) network. The associations' letter stated, "While these [open] networks enable consumers to send funds account-to-account to almost anywhere in the world, they do not enable a financial institution in the U.S. to access the exact exchange rate, third-party fees and foreign taxes required by the final rule."
In contrast, RTPs operating "closed" networks, such as The Western Union Co. and Moneygram Inc., are seen as having an easier time complying with the CFPB's rules because they oversee the operations of their overseas agents that handle remittances on the receiving end.
Overseas U.S. military bases excluded
In accordance with the Dodd-Frank Act of 2010, a new section was added to the Electronic Fund Transfer Act (EFTA) that requires the CFPB, an agency created by Dodd-Frank, to regulate RTPs. The CFPB's international remittance rules were added to Regulation E of the EFTA, imposing disclosure requirements on RTPs and making RTPs liable for money transfer errors, even if customers provide inaccurate account numbers or routing information.
In connection with its August 2014 rule revisions, the CFPB published version 3.0 of its small entity compliance guide. The guide said the rules cover cash-to-cash, cash-to-account, international wire and international ACH transfers, as well as certain prepaid card transactions. Mailed checks would not be subject to the rules because they are not transactions conducted electronically, the guidance said.
Additionally, the rules cover the transfers initiated by individual senders for "personal, family, or household purposes," and not remittances made by businesses. The CFPB also treats U.S. military bases in foreign lands as "states" so that transfers made by senders in the United States to military personnel stationed overseas do not fall under the rules. However, transfers made from military bases to foreign countries are considered international remittance transfers and are covered by the rules.
NAFCU said its members were "happy to see the Bureau explicitly specify that U.S. military installations located abroad are states for the purposes of the remittance rule."
Funding options for IADs
Tuesday, September 2, 2014
The merchant cash advance alternative funding option for small to midsize businesses (SMBs) has been well documented. But ATM ISOs are SMBs, too, and yet not as much attention has been given to the alternative funding avenues available to them. Super G Funding LLC, which specializes in funding ISOs, devoted a white paper to the challenges and opportunities for ATM ISOs, also termed independent ATM deployers (IADs), in finding capital to grow their businesses.
Like most merchants, IADs are having trouble obtaining traditional bank loans in the present economy, said Super G Funding in Lending Challenges and Solutions for Growing Your IAD in Today's Economy. Fortunately, a number of financing options are available to IADs, including equity investment strategies. IADs can turn to venture capitalists, angel investors, public investors and corporate investment firms to gain capital, said Super G Funding.
However, the downside to going the equity investment route is that investors carry more risk than traditional lenders. "As equity investors rarely have the same rights as debtors, companies are not required to repay the original investments should the business collapse," the paper noted. "Since there is the risk of losing their investment should a business fail, equity investors require higher returns than lenders and usually demand a seat on the board and require approval for any major changes or expenditures – often taking control out of the hands of the IAD's management team."
Alternative to the alternatives
Another funding option for IADs is selling off merchant portfolios, with multiples ranging from 12 to 35 times monthly residuals and larger portfolios commanding the highest multiples. But Super G Funding recommended that IADs sell portfolios only when they leave the business completely.
However, an alternative to the alternatives exists: borrowing against residuals through residual loans, which allows IADs to remain in business and maintain control of the business. "A residual loan resembles a cash advance product but doesn't take a cut of each day's transaction fees," Super G Funding said. "Instead, it takes monthly draw-downs for interest and principal before the borrowing IAD receives the residuals."
The alternative lender explained that, under the terms of a residual loan, the IAD has its processor temporarily assign distribution of residuals to the lender; the lender takes its monthly cut and forwards the remainder to the IAD. In addition, residual loans can be easier to get than bank loans, can be funded in five to seven business days, and IADs can qualify for loans that are often five times their monthly residual streams.
"Because a residual loan's criteria is based on an IAD's residuals, credit history is not a factor," said Super G Funding Chief Executive Officer Darrin Ginsberg. "Instead, the lender looks at the past 12 months of residuals, what makes up the residual stream, how those residuals are performing and then bases the risk factor on those criteria."
IADs in the same SMB boat
Super G Funding reiterated the analysis of Meredith Whitney, CEO of New York-based Meredith Whitney Advisory Group LLC, who said small business credit has "contracted at one of the fastest paces of any lending category."
Todd McCracken, National Small Business Association President and CEO, chimed in, saying, "Not only have small-business owners been unable to find new credit over the last four years, nearly a third have had their existing credit slashed, and one in 10 had their loans called in early."
But the biggest factor in IADs being unable to secure traditional funding is that banks simply do not understand the IAD business model based on residuals. "[B]anks have strict credit criteria based on eligible collateral, and residual streams are not a traditional asset to borrow against," Super G Funding said. "Banks also have to know how ISO and IAD residual streams evolve in order to properly manage that risk – something institutions are unlikely to look into unless they are focused on lending to payment processing-based businesses."