Updated: Wednesday, December 11, 2013
New POS skimmer threat exposed
Just in time for the holidays – a new type of skimming device designed to steal cardholder data at the POS. As reported Dec. 3, 2013, on security blog site KrebsonSecurity, the new skimmer is a thin plastic overlay that fits over the PIN pad of standard POS terminals. A small battery and flash storage card affixed to the underside of the device records mag stripe data as cards are swiped through terminals and captures passcodes as they are keyed in.
"Such a device would be an enticing buy for a crooked employee at a retail store," said security reporter Brian Krebs. "It might even be installed surreptitiously by thieves posing as customers at a retail establishment."
A video posted along with the blog demonstrated the skimmer on a Verifone Inc. POS terminal. Krebs said the overlay is a "remarkably simple but brilliant POS skimming device that can be installed and removed in the blink of an eye." Krebs noted that the fraudster from whom he received the video sells the skimmer on underground web forums.
Overlay attack vector
Verifone responded to the news with a warning that the overlay – also called a shell – is not designed solely for its terminals. "This particular method of fraud, which is also known as an 'Overlay Attack,' can be used on any vendor's POS terminal or PIN pad," the manufacturer told The Green Sheet. "As with most skimming efforts, daily inspection of payment devices will quickly reveal such skimming efforts."
Karisse Hendrick, Industry Specialist at the Merchant Risk Council, said the skimming device is concerning because it would be harder to detect than other skimmers. "Historically, we have seen that some of the early skimming devices were fairly obvious, at least to the trained eye, and it was quite obvious that these were added to the terminal and not safe," she said.
The MRC, an association geared to helping retailers minimize fraud and other threats to business stability, has noticed that fraudsters are increasingly sophisticated in both the fraudulent devices they deploy and in their behavior, especially in the e-commerce realm.
"As merchants add tools and train employees to detect fraudulent transactions, fraudsters patiently study which transactions are flagged and which appear legitimate, and then develop elaborate ways to mask their behavior to 'fit in' with legitimate customer orders," Hendrick said.
Fraud for the holidays
Hendrick remarked that the holiday shopping season can be a particularly pernicious time for fraud attacks. "Fraudsters are opportunists at heart, so they will take advantage of any situation that they can to try to blend in with legitimate purchases and activity," she said. "While fraud is a year-round business, like with all payment fraud, when sales increase, fraud also increases."
Hendrick noted that during the holiday rush, it can be more challenging for merchants to detect fraud schemes because of higher than usual volumes of in-store and online transactions, as well as a greater amount of legitimate high-dollar transactions.
Hendrick said merchants can help guard against attacks by keeping abreast of current fraud threats through publications and communication with other merchants. Since fraudsters often specialize in specific retail sectors, it is worthwhile for merchants to establish open lines of communication with competitors, she added.
Fraudsters are apparently doing just that. "Most often we see that if a fraudster is successful once, they have shared this with others within their community, and your company no doubt will be a target for others," Hendrick said.
To combat fraudsters and their schemes, employee training is vital. "It is … critical to train all frontline staff, especially customer service employees, whether seasonal or permanent, to be on the lookout for suspicious or abnormal customer behavior, whether in person or in an online order," Hendrick said. "They are your first line of defense and your eyes and ears."
Hendrick believes it is the responsibility of all participants in the transaction value chain – from merchants to back-end payment processors – to collaborate to prevent fraud. "Just like the fraudsters work together, in order to be effective, merchants, ISOs, service providers and card brands should be working together to protect both consumers and retailers from fraudulent activity," she said.
Hendrick noted that participation in the MRC and its forum for communication between merchants, acquirers, the card brands and fraud prevention firms helps reduce fraud. She stated that MRC members experience 50 percent less fraud than non-MRC members, which results in lower fraud monitoring costs and fewer fraud-related chargebacks.
China restricts bitcoin – for now
Friday, December 6, 2013
China's central bank notified the organizations comprising the country's banking infrastructure that they are not allowed to deal in bitcoin. The People's Bank of China said it made the declaration to protect China from the risks associated with the volatile alternative virtual currency and its money laundering potential. But the move may be a precursor to China eventually regulating bitcoin, a development that would confirm the long-term viability of the controversial digital currency.
On Dec. 5, 2013, the PBC, along with China's other bank regulatory agencies, issued a blanket statement to the country's financial and payment institutions that they cannot have any association with Bitcoin, either to buy or sell it, or in any way establish processes for exchanging, underwriting or saving it.
In a statement, PBC said it made the decision "to protect the public's property rights, to protect RMB's official currency status, to prevent money laundering risk and to protect financial stability…" The RMB (renminbi) is China's official currency.
PBC said bitcoin is "not currency in the true sense. Bitcoin is a specified virtual commodity, it does not have equal legal status with currency, and it cannot and should not be circulated as currency on the market." The bank noted that no financial institution issues bitcoin, no central authority regulates it and that it is exchanged anonymously, which makes it a prime money laundering tool.
In the wake of PBC's announcement, the value of bitcoin on the open market dropped as much as 30 percent, from a high of over $1,200 per bitcoin unit.
Good news for bitcoin
Tom Waters, Director of Sales at Bank Associates Merchant Services, believes that the PBC's notice is a first step in the eventual regulation of bitcoin in the East Asian economic powerhouse. "This notice is actually pretty good news for bitcoin," he told The Green Sheet. "It suggests that China is open to the technology and is preparing for its widespread adoption by taking precautionary measures."
Waters noted that the PBC is not shutting down the bitcoin marketplace in China, where the practice is increasing in popularity and where the largest bitcoin exchange by volume, Shanghai-based BTC China, operates. "In other words, the banks cannot perform direct, bitcoin-related services," he said. "Nothing really speaks directly to independent exchanges or the banks' relationships to those exchanges."
Instead, the PBC is attempting to keep the cryptocurrency from facilitating money laundering activities and destabilizing the RMB. "Exchanges are allowed to continue as long as they operate within the confines of the law," Waters said. "Bitcoins can be freely used for online commerce as long as consumers recognize that they are taking all the risk. Bitcoin processors are allowed to continue as long as they are not deemed financial institutions."
Bitcoin's low cost paradigm
In the United States, the federal law enforcement community officially took notice of bitcoin in March 2013 when the Financial Crimes Enforcement Network (FinCEN) sought to define virtual currencies, and bitcoin in particular, for the purposes of regulating them in the fight against money laundering and other illegal activities. FinCEN does not distinguish between types of currency, virtual or otherwise, when it comes to its anti-money laundering efforts.
Also in March, Amazon.com integrated the bitcoin payment functionality of Atlanta-based BitPay Inc. for its Fulfillment-by-Amazon web service that facilitates distribution for merchants who sell goods on Amazon. BitPay said the integration represented the first move into large-scale e-commerce for "companies wishing to accept payments over the bitcoin peer-to-peer payment network."
BitPay settles bitcoin transactions in U.S. dollars. Waters equated BitPay's process to dynamic currency conversion, where exchange rates are locked in at the time transactions are made. Therefore, merchants receive full value for a bitcoin transaction worth $100 at the time of the transaction, rather than $50 if the volatile currency loses half of its value tomorrow, Waters said.
Unlike critics of the virtual currency, Waters believes bitcoin is around for good because it provides benefits to vendors, merchants and consumers alike. He said bitcoin is not costly for consumers to exchange, can be exchanged almost instantly and that it is nearly universal as a worldwide accepted currency. He added that bitcoin payments would also reduce chargebacks for merchants because bitcoin transactions are nonrefundable; nor do merchants have to pay fees to banks or other network operators as they do to accept bankcards.
The bitcoin payment option may not be ideal for the local grocery store, but it can be for high-risk merchants vulnerable to credit card fraud, and for businesses in the small-ticket market, such as e-book sellers, where micro transactions as small as a quarter can be conducted securely via bitcoin payments, according to Waters.
Bitcoin is also attractive to payment vendors because of its low processing costs, he noted. "You can charge 1 percent [of the transaction] and make 0.8 percent profit on that transaction as an alternative form of payment," he said. "I think this is why PayPal says they are not averse to accepting it."
Waters estimated that Amazon's profit margin could double on bitcoin payments if it offered that option for consumers. "They [Amazon] will essentially be able to charge less than a credit card payment and they will be able to retain that profit for themselves," he said.
Cyber Monday sets sales record
Wednesday, December 4, 2013
Sometimes retail trends reveal themselves slowly over time, but occasionally they smack you square in the face. An example of the latter occurred this year on Cyber Monday, the quintessential Monday following Thanksgiving: online sales jumped by 20 percent or more over 2012's one-day e-commerce yardstick.
The IBM Digital Analytics Benchmark put the Cyber Monday online payments increase at 20.6 percent, with traffic from mobile devices growing to 31.7 percent of all online traffic. This represents a 45 percent jump from the same day in 2012. Additionally, mobile-based transactions increased by 55.4 percent year-over-year, IBM reported.
Internet analytics firm comScore Inc. set total desktop online spending on Cyber Monday at $1.735 billion, an 18 percent rise from the previous year. The researchers thus pronounced Cyber Monday 2013 as the "heaviest online spending day in history and the second day this season (in addition to Black Friday's $1.198 billion) to surpass $1 billion in sales."
Meanwhile, online identity verification firm CardinalCommerce Corp. reported that the number of Cyber Monday transactions touching its network was up by 61 percent from 2012.
Visa Inc. analysis of its Cyber Monday shopping data confirmed this data. On its Dec. 3, 2013, corporate blog, Visa's chief economist, Wayne Best, said $2.6 billion was spent online using Visa-branded cards, a 28 percent increase from the same day in 2012. An accompanying infographic stated that Visa cardholders made 28 million transactions on Monday, up by 29 percent from 2012.
Details from IBM's report shed light on additional e-commerce trends. The report found that consumers surf the Internet more often with smartphones than tablets, but tablets were used to make purchases more than twice as often as smartphones. Additionally, tablet users spent more on average than smartphone users, $126.30 to $106.49, respectively.
A majority of online retailers are being aggressive in their mobile marketing campaigns, as well. In comparing daily marketing activity over the previous two months to the five-day shopping period from Thanksgiving to Cyber Monday, IBM said retailers sent 77 percent more "push" notifications (text messages and popup messages within mobile apps) to customers.
Furthermore, the shopping cart conversion rate went up by 12.6 percent on Cyber Monday compared with Black Friday. IBM attributed the rise to consumers believing they were getting the best deals on Monday.
Foot traffic follows awareness
While the staggering increase in e-commerce activity on Cyber Monday is good news for online businesses, it is less joyful for primarily brick-and-mortar retailers. Small businesses without web presences, or with limited presences, are likely experiencing a decline in sales as consumers shift to purchasing online via smartphones and tablets.
ISOs and merchant level salespeople can increase small businesses' share of the growing e-commerce pie by bolstering their online presences. The August 2012 Small Business Happiness Index survey from online business card provider Vistaprint N.V. said 69 percent of micro businesses surveyed had websites, but only 46 percent of them were actually selling products via those sites.
Brick-and-mortar merchants can also leverage awareness and loyalty campaigns, such as Small Business Saturday, to drive traffic into physical stores. Payments industry consultant Linda S. Perry believes the results of the American Express Co.-created annual promotion for small businesses are reason for optimism. "I think it's a great promotion," she said. "It's well-run and easy to use."
Since 2010, AmEx has urged its U.S. cardholders to shop at local small businesses on the Saturday following Black Friday. According to data compiled by AmEx and the National Federation of Independent Businesses, spending at smaller merchants on Small Business Saturday reached $5.7 billion, up by 3.6 percent from the same day in 2012.
The figure may not be as impressive as Cyber Monday results, but it represents a positive trend that can be built upon through awareness and participation. In the Small Business Saturday Consumer Insights Survey, which was conducted by Redshift Research for AmEx using email invitations and an online survey, consumer awareness of Small Business Saturday rose to 71 percent from 67 percent a year ago. And of consumers who were aware of the day, 46 percent said they shopped at small businesses on that day, the survey said.
"With awareness up, the end result was increased spending at small businesses," AmEx and the NFIB said.
NRF sees glass half full for holiday shopping kick-off
Monday, December 2, 2013
In gauging holiday shopping trends over the long 2013 Thanksgiving weekend, the National Retail Federation reported an increase in the amount people spent online, and a rise in the number of shoppers who took to the stores (whether virtual or brick-and-mortar), which combined to offset a reduction in overall spending by consumers.
In the survey conducted for the NRF by Prosper Insights & Analytics, U.S. consumers were found to have spent on average $407.02 from Thursday to Sunday, down from $423.55 over the same period in 2012. However, the number of "unique" holiday shoppers hit an estimated 141 million, up by 2 million from 2012.
And of about 59 million individuals who shopped online over the long weekend, the average spend stood at $177.67, "or approximately 43.7 of their total weekend spending, up from 40.7 percent last year," the NRF said.
While media reports cast the numbers as a reflection of consumers' tightening budgets in a sluggish economy, NRF President and Chief Executive Officer Matthew Shay put a positive spin on the results. "Cold weather, unique promotions and unbeatable prices put millions of Americans in the mood to shop for holiday gifts this weekend," he said. "Retailers' late night and early morning promotions struck just the right chord for those hoping to kick off the holiday shopping season with friends and family."
Shay expects retailers to aggressively promote in-store and online offerings with discounts and other deals up until Christmas Day.
Breaking down the numbers
From Nov. 29 to 30, 2013, Prosper polled 4,464 consumers. The results suggest consumers spent more on practical goods than on luxury items, with:
- 57.5 percent buying clothing and clothing accessories
- 37.7 percent buying electronics
- 36.1 percent buying books, CDs, DVDs and video games
- 34.5 percent buying toys
- 29.6 percent buying gift cards
- 16.9 percent buying jewelry
Furthermore, 54.2 percent of survey respondents visited department stores and 38.9 percent frequented discount stores. Meanwhile, the survey found that about 3 percent fewer shoppers (76.4 percent of total survey participants) were less willing to take advantage of online and in-store promotions to purchase nongift items, perhaps as a consequence of economic belt tightening.
However, advertising circulars and emailed offers were still found to be effective ways for merchants to entice consumers to shop with them over the holiday weekend.
According to the survey, 49.2 percent of shoppers sought information about promotions and sales via advertising circulars, while 33 percent conducted online searches to find deals. "Additionally, 36.8 percent made sure to keep track of emails from retailers, 16.4 percent reviewed retail companies' Facebook accounts for information, and 12.2 percent browsed stores to find bargains and sales," the NRF said.
FTC raps processor for boarding scammers
Wednesday, November 27, 2013
Should ISOs and their processing partners be held responsible when scam artists use them to process payments that turn out to be fraudulent? The Federal Trade Commission believes the answer is yes, especially if there are signs of fraud, for example, accusations of unauthorized transactions.
Last week the FTC proposed a settlement resolving allegations that California-based Process America Inc. and the company's three owners opened "scores of merchant accounts" for Infusion Media Inc. Infusion was an online marketing company that ran a bogus work-at-home scheme variously known as Google Money Tree, Google Pro and Google Treasure Chest.
The FTC shut down that company in late 2009, but only after it had made more than $15 million in unauthorized transactions involving consumer credit and debit cards that were handled by Process America. The FTC alleges Process America and its principals knew or should have known the transactions from Infusion were not authorized by accountholders.
"Evidence that consumers were being charged without their permission included plainly deceptive statements on merchant websites, notices that the merchant should be placed on the Visa and MasterCard chargeback monitoring programs and chronically excessive chargeback rates," the commission said in a statement detailing the proposed settlement. In two years – 2008 and 2009 – Process America opened 131 merchant accounts that were used by Infusion to process unauthorized card payments.
The FTC also alleges that Process America went to lengths to evade Visa Inc. and MasterCard Worldwide fraud monitoring programs, including distributing transactions across multiple merchant accounts, a practice known as load balancing.
To resolve the FTC's allegations, the three company principals – Kim Ricketts, Keith Phillips and Craig Rickard – agreed to permanent injunctions from merchant acquiring ISO and processing businesses. The company also is banned from engaging in sales activities. In addition, the order imposed a monetary judgment on one of the owners and then suspended it, "based on his inability to pay," the FTC said.
The FTC has jurisdiction over ISOs and others in the merchant acquiring space under several federal consumer protection and interstate commerce statutes.
Process America is not the first company to take heat from the FTC for acquiring or processing payments from fraudsters. In April 2013, the payment processing company Automated Electronic Checking Inc. and two of its principals were hit with lifetime bans from merchant services.
The company was also ordered to pay $950,000 in funds debited from consumer accounts by a scam artist. As it did with Process America, the FTC alleged AEC should have known the transactions it acquired and processed were fraudulent.