GS Logo
The Green Sheet, Inc

Please Log in

A Thing A Bigger Thing

Friday, June 15, 2018

Dixons Carphone under fire for slow reporting of data breach

B BC News confirmed reports of a second major data breach at Dixons Carphone PLC, a publicly held British electronics retailer that operates as Currys PC World and Dixons Travel. The company reportedly found anomalies in its POS network in July 2017 but took nearly a year to disclose the malicious activity. In a June 13, 2018, statement, Dixons Carphone revealed the attack may have compromised 5.9 million credit and debit cards and more than 1 million consumer accounts. Security analysts criticized the delayed disclosure and failure to protect critical infrastructure after suffering an earlier attack in 2015. Lee Munson, security researcher at Comparitech Ltd., said the Dixon Carphone breach highlights how commonplace massive data breaches have become. "What is worrying here is the delay between the breach occurring last year and the disclosure today," he said. "Thankfully, under GDPR, non-disclosure for business reasons is no longer possible as the ICO [the Information Commissioner's Office] must be informed within 72 hours whenever possible."

Munson said he expects the incident to impact Dixon Carphone share prices throughout the remediation process and suggested even a short-term dip could be fatal to the retailer. "Of more concern is the affect this could have on the chain's customers, millions of whom have had their personal or payment card information leaked," he added.

Admit culpability

Munson and other security analysts have criticized Dixons Carphone for underplaying the incident's severity by saying it found "no evidence of fraudulent payments being made with the stolen cards." Tom Miller, senior vice president at Virsec called the statement a "disturbing refrain we hear over and over." If they were blind to the breach, not seeing evidence is hardly reassuring, he noted.

"Also disturbing is the comment that 'There is no connection to the previous incident' [the 2015 breach of Carphone Warehouse]," Miller said. "Of course there's a connection – the same organization got breached, fined, didn't take adequate steps to change security, and got breached again."

Michael Magrath, director of global regulations and standards at OneSpan Inc., noted the European Union's data protection legislation, such as the GDPR, will impose heavy fines on organizations with lax data security protocols. "Organizations relying on a single shared secret to protect sensitive personal identifiable information has been very lucrative ‒ for hackers," he said. "While no security solution is 100 percent secure, in 2018 organizations not deploying risked-based authentication solutions are hoping they can dance between the raindrops when it comes to security."

Miller expressed hope the newly enforced GDPR will raise the bar for accountability but said it will take more than harsh penalties to stop data breaches. Businesses need to start "seriously rethinking how they secure sensitive customer data," he said.

Improve protections

Magrath stressed the need for organizations to adopt "multiple, layered authentication technologies," by combining PINs and passwords with biometrics and "analyzing context based on location and device characteristics."

Robert Capps, vice president of business development, NuData Security, a Mastercard company, said bad actors exploit the smallest security gaps to steal customer data. "As we all know, credit card information, combined with other user data from other breaches and social media, can build a complete profile," he said. "In the hands of fraudsters and criminals, these valuable identity sets are usually sold to other cybercriminals and used for myriad criminal activities, both on the internet and in the physical world."

Capps said advanced techniques and technologies can protect consumers. "Multilayered technology that thwarts fraud exists right now," he stated. "Passive biometrics and behavioral analytics technology are making stolen data valueless by verifying users based on their inherent behavior instead of relying on their data, such as credit card information. This makes it impossible for bad actors to use stolen data, as they can't replicate the customer's inherent behavior attached to that data."

Apple Pay, Google Pay lose ground at stores
Thursday, June 14, 2018

A ccording to an annual survey of merchants, two major mobile wallet providers lost traction over the past year. Merchants accepting Apple Pay slipped from 48 percent to 35 percent in 2018, while Google Pay dropped from 38 percent 25 percent year-over-year. Support for PayPal, however, surged from 48 percent to 64 percent. Looking at the overall picture, mobile wallet support grew from 22 percent to 29 percent.

Pain points cited by merchants in the 2018 Mobile Payments & Fraud Survey, conducted by Kount Inc. and The Fraud Practice, included maintaining ease of use for consumers for 60 percent of those surveyed. The ability to detect fraudulent order attempts was a challenge for 52 percent. Even with these challenges, nearly one-third of merchants were optimistic that the mobile channel will represent at least half their total revenue by 2020.

Support across the board was up for near field communication at the POS, which grew from 29 percent to 37 percent year-over-year. Twenty-six percent of merchants surveyed indicated they plan to increase or add support for social commerce through social media channels.

The survey also found that while merchant awareness of mobile fraud risks continues to improve, the percentage of merchants that track mobile fraud to understand fraud attempt patterns remains relatively low, representing 35 percent of merchants surveyed.

"For the third consecutive year, merchants are showing signs of complacency and even regression in terms of managing mobile fraud risk," said Don Bush, Vice President of Marketing at Kount.

Merchant perceptions may be driving mobile risk tolerance to some degree. About half of those surveyed viewed traditional ecommerce via desktop browsers as their highest risk channel, compared with mobile web browser transactions (21 percent) and mobile app payments (18 percent). Overall, 38 percent viewed the mobile channel as high risk.

Mobile fraud cannot be ignored

Merchant pullback in mobile fraud monitoring comes at an inauspicious time, since more than 75 percent of financial institution, lender, and food and beverage businesses surveyed have noted increases in mobile channel fraud attempts over the last year.

"Despite the increase in mobile fraud and the evolution of tactics carried out by criminals to commit fraud in this channel, the number of merchants implementing specialized tools has decreased, demonstrating that merchants struggle to properly address fraud in the mobile channel including both apps and mobile browsers," Bush said.

Less than 20 percent of those surveyed have adopted artificial intelligence/machine learning, considered one of the most effective fraud detection tools available. The risk management tools most often used for detecting mobile channel fraud were card verification value check (62 percent), fraud scoring (43 percent), and address verification services (39 percent). Over 83 percent use two or more fraud prevention tools or techniques.

Both companies involved in the survey recommend a dedicated fraud strategy for the mobile channel to coincide with other channels. "Although mobile fraud attempts increased for 60 percent of merchants last year, just 17 percent employ a separate risk management strategy for the mobile channel," said Justin McDonald, Senior Risk Management Consultant at The Fraud Practice.

An area where progress is being made is the ability to detect transactions from mobile devices separately from other channels, which over the past five years, has grown from 16 percent to 46 percent among the merchants surveyed. The survey also found that 52 percent of merchants can tell which mobile operating system is in use.

As to which merchant categories are expected to lead in mobile payment acceptance, merchants selling jewelry (71 percent), electronics and computers (63 percent), health/beauty products (63 percent), and apparel or accessories (56 percent) were the categories most likely to consider the mobile channel very important to their overall strategies in the coming years.

Encryption debated in Washington
Tuesday, June 12, 2018

S ecurity experts are debating the Ensuring National Constitutional Rights for Your Private Telecommunications (ENCRYPT) Act, proposed legislation to create a uniform national encryption policy. Introduced June 7, 2018, by Reps. Ted Lieu, D-Calif., Mike Bishop, R-Mich., Suzan DelBene, D-Wash., and Jim Jordan, R-Ohio, the bill would enable federal agents to access “back doors” into encrypted data. It would also prevent individual states from enacting separate data access policies. ENCRYPT Act supporters call it a necessary protection against counterterrorism; opponents argue it gives too much power to federal law enforcement.

Rep. Lieu believes the bill has received bipartisan support because it addresses conflicting encryption standards for interstate commerce, economic security and cybersecurity. “I can tell you that having 50 different mandatory state-level encryption standards is bad for security, consumers, innovation, and ultimately law enforcement,” he stated. “Encryption exists to protect us from bad actors and can’t be weakened without also putting every American in harm’s way.”

Morgan Reed, president of the App Association, added, “On behalf of app developers and tech innovators across the country and around the world, we can attest to the value of encryption technologies to protect data and prevent crimes. The ENCRYPT Act is a necessary step to ensure Americans can use encrypted technologies to protect themselves and their data, regardless of where they live.”

Reed further noted that encryption protects data from criminal access, but the current patchwork of conflicting state policies creates known vulnerabilities that criminals can exploit. “This legislation establishes national guidelines for the interstate use of encrypted technology and protects the data that drives our local economies and the app economy at large,” he said.

Assigning backdoor keys

Gabriel Gumbs, vice president of product strategy at STEALTHbits Technologies, is concerned by the ENCRYPT Act’s potential to force technology companies to implement security backdoors. “Undoubtedly any backdoor that is introduced will be available to both law enforcement and bad actors alike, collectively making us less secure,” he said.

Anthony James, chief marketing officer at CipherCloud, also voiced concerns about granting federal law enforcement unilateral access to civilians’ encrypted data. “Despite the noble objective of nationally standardized encryption in support of law enforcement and counter-terrorist activity, the use by government of forced disclosure, whether at the state level or the federal level, can move the control of your data into someone else’s hands,” he said. “‘Back doors,’ or special APIs that access your data at various points of being used within applications, can also easily circumvent basic protection such as ‘at rest’ encryption for your databases.”

James said the only way civilians can maintain control over their confidential data is to implement Zero Trust end-to-end encryption. This level of protection would not allow anyone to use a backdoor into a third-party-provided cloud application to access data without a user’s explicit knowledge and approval, he noted, adding that only “your decision to deliver your data encryption keys to the requesting party will expose the data.”

Details, questions remain

Ruston Miles, chief strategy officer, executive vice president and founder of Bluefin, pointed out that the PCI Security Standard Council's P2PE solution protects merchants and cardholders by encrypting card data immediately upon entry. "Around the world, a growing number of merchants, from multinational enterprises to local businesses, are using PCI point-to-point encryption to protect their customers’ cardholder data,” he said.

Miles observed that more than 1,600 data breaches were reported in 2017, and nearly all involved transmitting and processing unencrypted payment card data. Additional incidents went unreported or undiscovered, he said. He described the ENCRYPT Act as a well-intentioned effort to create a national security policy but suggested that numerous details will have to be solved during implementation.

Willy Leichter, vice president of marketing at Virsec, said having a standardized national encryption policy seems like a positive move, but it falls short of solving the basic collision of interests around encryption. “Law enforcement wants broader access, while privacy experts (and most of the security industry) don’t want to neuter the effectiveness of encryption,” he said. “This group seems to understand that encryption is a fundamental building block of most digital business, and weakening it, for whatever reasons, can be disastrous.”

U.S. company makes open banking history
Monday, June 11, 2018

O n June 1, Ltd. became the first licensed Payment Initiation Service Provider to conduct an end-to-end payment through a public bank application programming interfact (API). The San Francisco-based open-banking platform provider received confirmation by the UK Open Banking Implementation Entity that it was indeed first to execute this type of transaction.

The initial API payment was executed via Token's network using Santander's API payment initiative endpoints, the company noted. "Billions of payments will follow," said Marten Nelson, co-founder and chief marketing officer at Token. "Ours was the first."

Less than a month earlier, Token, which also operates offices in London and Berlin, was granted authority by the Financial Conduct Authority to deliver payment initiation and account information services under terms of the European Commission's Payment Services Directive 2 designed to increase pan-European competition and participation from non-banks and guarantee faster payments.

Infrastructure in place

According to Token, with the infrastructure operational, banks, merchants and other providers of payment and data services can now leverage open banking to reduce costs, generate new revenues, increase security and deliver a simpler, more convenient digital payment experience for the end user.

Through its universal open API banking platform, Token enables banks, merchants and other third-party providers to connect to any bank in the EU for payments and account information requests, thereby solving the integration pain being felt across the industry caused by multiple, proprietary bank APIs, the company stated.

In addition, unlike competing in-house developed solutions, Token's platform supports the same API across all banks. As a result, merchants and payment processors are able build bank direct payment methods and data aggregation solutions for their customers.

As a team, Token's technology, banking and security experts hail from Google, Apple, Microsoft, Barclays, ACI Worldwide, HSBC, Twitter and Square. In addition, its founder and CEO Steve Kirsch is credited with being the inventor of several groundbreaking Internet technologies.

Paysafe's well-timed open banking card
Friday, June 8, 2018

P aysafe Group, a global provider of end-to-end solutions with U.S. headquarters in Houston, disclosed June 7, 2018, that its prepaid product, paysafecard, will be accepted in the Google Play Store. Paysafe plans to roll out the card in Europe following a pilot test in Poland, which is home to more than 1 million paysafecard cardholders, company representatives stated.

By removing the need for online shoppers to share banking or credit card credentials, Paysafe expects paysafecard to appeal to underbanked, video gaming and privacy-conscious consumers while also complying with European Union privacy regulations. Udo Müller, CEO at paysafecard, said these expectations are consistent with company research on consumer trends.

Addressing fraud concerns

"The risk of fraud and sharing personal data online still concern many consumers," he said. "Lost in Transaction: Payment Trends 2018, our proprietary research launched earlier this week, shows that half of respondents worry about fraudulent purchases and 48 percent worry about the safety of their personal data. This is why offering paysafecard as a way to pay in the Google Play Store has come at the right time to enable consumers and both companies to benefit."

Todd Linden, CEO at Paysafe North America, added, "Seven out of 10 Americans are prepared to accept that fraud is an inevitable risk of shopping online. If retailers, merchants and payments companies want to disrupt the old way of doing things they must make all underlying processes feel secure. Consumers want convenience, but they want protection too."

Balancing innovation, protection

Lost in Transaction: Payment Trends 2018, updates data from Paysafe's 2017 report, providing insights from 5,056 consumers in Austria, Canada, Germany, the United States and United Kingdom. While buying behaviors varied across regions, researchers observed a majority of survey respondents were distrustful of payment-enabled connected devices and emerging ecommerce payment schemes, due to concerns about privacy and security.

Researchers cited Amazon Go and Uber as examples of new invisible payment schemes that add convenience but may also seem too good to be true to some consumers."[B]y making literally everything invisible, merchants risk frightening people rather than enticing them," they wrote. "The advent of regulation such as PSD2 in Europe is likely to amplify this challenge, as consumers are invited to trust new third parties about which they may know very little."

The European Union's Payment Services Directive 2 (PSD2), which became effective Jan. 13, 2018, gives non-banking entities access to financial institutions' consumer data. PSD2 is part of an open banking initiative, designed to encourage competition and innovation in financial services. As a countermeasure, the EU's General Data Protection Regulation was enacted on May 25, 2018, giving consumers more control over how companies use and store their data.

Earning consumer trust

Linden suggested that consumers who trust a payment system's security and fraud protections will be more likely to change buying habits and try new payment schemes. Merchants who do not enhance security may lose customers to others who offer more robust protections, he noted. Following are additional highlights from the report:

"There are more challenges to tackle with other low friction payment technologies as these findings suggest many consumers aren't ready to lose visibility of the payment process." Linden concluded. "It's clear that the benefits are not unilaterally agreed upon, with cultural and infrastructure trends at play, and it may be some time before adoption is widespread."

View prior breaking news

Spotlight Innovators:

North American Bancard | USAePay | Humboldt Merchant Services | Impact Paysystems | Electronic Merchant Systems