The Green Sheet, Inc
Breaking News
Updated: Thursday, May 28, 2015

Threat indices rise as 'fullz' rush in to IRS site

The Internal Revenue Service confirmed reports of a wide-scale attack on one of its web portals, describing the incident as "a sophisticated effort" involving "unauthorized access" to numerous taxpayer accounts. The agency did not directly refer to it as a security breach. A statement issued May 26, 2015, indicated identity thieves had used the Get Transcript web portal to obtain approximately 100,000 consumer records, initiating an estimated 15,000 fraudulent tax refunds.

The Get Transcript portal is temporarily closed pending oversight by the IRS Criminal Investigation unit and Treasury Inspector General for Tax Administration. The IRS reported it will notify about 200,000 taxpayers whose accounts were targeted by criminals, including the 50 percent whose accounts were not compromised due to attempted break-ins that failed to authenticate.

The IRS stated it will offer free credit monitoring services to approximately 100,000 taxpayers whose Get Transcript accounts were illegally accessed, "to ensure this information isn't being used through other financial avenues."

Analysts have speculated that unusual activities in the Get Transcript portal began as far back as February 2015. However, the IRS detected no unlawful activities in its main computer system, which handles tax filing submissions. At a May 26 press briefing, IRS Commissioner John Koskinen claimed the IRS security infrastructure is essentially intact. "This is not a hack or data breach," he said. "These are impostors pretending to be someone."

Big data, big crime

In his book Future Crimes, Global Security Adviser and Futurist Marc Goodman wrote that nearly 20 percent of U.S. and European consumers have been victims of identity theft.

"These stolen identities are often referred to as 'fullz' by hackers and contain names, addresses, Social Security numbers, dates of birth, workplaces, bank account numbers, bank routing numbers, state driver's license numbers, mother's maiden names, e-mail addresses, and additional online account names and passwords," he wrote.

Goodman went on to predict that tax refund identity theft will cost the IRS as much as $21 billion over the next five years, "all because we're leaking massive amounts of data from deeply insecure systems that can easily be traded at tremendous profit on the Dark Net." The underbelly of the Internet, the Dark Net is populated by those who purposely dodge the prying eyes of search engines, using protocols and domains most folks will never stumble upon, as well as software that encrypts information and guarantees anonymity among users.

Security analysts are concerned by the scope and sophistication of recent cyber security attacks, which have enabled criminals to leverage stolen personally identifiable information to gain access to consumers' financial assets and identities.

The IRS revealed that criminals were able to answer personal identity verification questions that are typically known only to taxpayers. "In this sophisticated effort, third parties succeeded in clearing a multi-step authentication process that required prior personal knowledge about the taxpayer, including Social Security information, date of birth, tax filing status and street address before accessing IRS systems," it stated.
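The multi-step check described above is knowledge-based authentication, and it offers little resistance once the answers are sitting in a 'fullz' record. One defensive signal that survives is behaviour: a real taxpayer retries their own record, while a bulk run works through many distinct records from one source and, as the IRS figures show, fails about half of them. The following Python detector is an added illustration, not the IRS's own logging or logic; the log format, field names and thresholds are constructed assumptions.

```python
"""Flag bulk knowledge-based-authentication (KBA) abuse in portal auth logs.

Constructed example: the log layout (timestamp, client IP, taxpayer record
id, outcome), the field names and the thresholds are assumptions made for
this illustration, not the format or detection logic of any real portal.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: one source cycling through many records with a
# high failure rate, one legitimate retry, and two ordinary single logins.
SAMPLE_LOG = """\
2015-02-10T08:01:02Z 198.51.100.7 tp-0001 PASS
2015-02-10T08:01:09Z 198.51.100.7 tp-0002 FAIL
2015-02-10T08:01:15Z 198.51.100.7 tp-0003 PASS
2015-02-10T08:01:21Z 198.51.100.7 tp-0004 FAIL
2015-02-10T08:01:28Z 198.51.100.7 tp-0005 PASS
2015-02-10T08:01:33Z 198.51.100.7 tp-0006 FAIL
2015-02-10T09:12:44Z 203.0.113.22 tp-0007 PASS
2015-02-10T09:40:01Z 203.0.113.23 tp-0008 FAIL
2015-02-10T09:40:55Z 203.0.113.23 tp-0008 PASS
2015-02-10T10:05:10Z 192.0.2.9 tp-0009 PASS
"""


@dataclass
class SourceStats:
    """Per-source counters for KBA attempts."""
    attempts: int = 0
    failures: int = 0
    taxpayers: set = field(default_factory=set)

    @property
    def failure_rate(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse_line(line: str):
    """Split one constructed log line into (timestamp, ip, record id, passed)."""
    ts, ip, record, outcome = line.split()
    return ts, ip, record, outcome == "PASS"


def aggregate(log_text: str) -> dict:
    """Aggregate attempts, failures and distinct records per client IP."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, record, passed = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.taxpayers.add(record)
        if not passed:
            s.failures += 1
    return dict(stats)


def flag_sources(stats: dict, min_distinct: int = 3,
                 min_failure_rate: float = 0.4) -> dict:
    """Return sources that touch many distinct records AND fail a large share.

    The distinct-record floor is what separates a genuine user retrying their
    own account (one record, maybe a 50% failure rate) from a bulk run.
    """
    flagged = {}
    for ip, s in stats.items():
        distinct = len(s.taxpayers)
        if distinct >= min_distinct and s.failure_rate >= min_failure_rate:
            flagged[ip] = {"attempts": s.attempts, "distinct_records": distinct,
                           "failure_rate": round(s.failure_rate, 2)}
    return flagged


if __name__ == "__main__":
    for ip, info in flag_sources(aggregate(SAMPLE_LOG)).items():
        print(f"suspect source {ip}: {info}")
```

Tune the thresholds against your own baseline; the point is that volume and diversity of records per source, not individual pass/fail, is the signal worth alerting on.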

Senate Finance Committee wants answers

Government leaders have been critical of the IRS' attempts to downplay the seriousness of the situation. In a letter to IRS Commissioner John Koskinen dated May 27, Senator Orrin G. Hatch, Chairman of the Senate Committee on Finance, referred to the IRS incident as a data security breach, stating that his committee "has an obligation to ensure that proper protections are in place and that such a breach is less likely in the future."

Hatch also noted a separate investigation initiated by the committee in April into stolen identity refund fraud. He described it as a key concern highlighted by the recent IRS breach. He believes it is critically important for the committee to fully understand what took place and what appropriate legislative responses may be required to reduce the risk of recurrence.

Hatch wrote, "To this end, I ask that you provide my Committee staff with a confidential briefing by no later than June 5, 2015." The briefing would cover the following questions:

  1. When did the breach occur?
  2. When did the agency learn of the breach, and how did it become aware?
  3. What information allowed the hackers to obtain access, and what is the agency's understanding of how the attackers gained this information?
  4. Is the agency working to cross-reference the stolen identities used in this attack with identities compromised in recent breaches of other organizations?
  5. To what information did the attackers gain access? Does your agency know the extent to which the attacks were successful for each identity?
  6. Does the agency have information indicating the geographic source of the attack?
  7. To the best of your knowledge, have the attackers subsequently used the taxpayer information obtained in this breach? Press reports indicate that about 15,000 refunds were claimed subsequent to this attack. Is this correct?
  8. Describe the agency's coordination with other federal departments. Has the agency requested assistance or information from other federal departments, and if so, has it received that assistance or information?

Federal departments referenced in Hatch's letter may include the Cyber Threat Intelligence Integration Center, which monitors foreign cyber threats, and the Department of Commerce's National Institute of Standards and Technology, a consortium of technology experts committed to enhancing critical security infrastructure. These bodies are integral to a far-reaching executive order signed on April 1, in which President Obama authorized a broad range of tools and law enforcement mechanisms designed to identify and prosecute cyber criminals.

Ready or not, PCI 3.0 is here
Tuesday, May 26, 2015

The deadline for PCI 3.0 mandatory compliance is fast approaching. If you and your merchants are compliant, that's good news. The bad news: the odds are against ongoing compliance. That's why card data security needs to be a multifaceted undertaking.

"PCI, EMV, point-to-point encryption – all of these things have to be done together," said Don Brooks, Senior Security Engineer at security services company Trustwave. These days EMV (short for Europay, MasterCard and Visa, the technical standard for chip cards and chip-reading terminals) is garnering much attention, with its looming October 2015 deadline for compliance.

However, compliance with the latest Payment Card Industry Data Security Standard (PCI DSS, or often just PCI) is mandatory beginning June 30. Acquirers and their partners should be working now to ensure merchants are and remain compliant with PCI 3.0, Brooks advised in an interview with The Green Sheet. "Ultimately it all comes down to the acquirer and the ISO making sure merchants are doing the right thing," he said.

PCI 3.0, released in 2014, updates the standard, which was previously updated in 2011. The effective date was January 1, 2015, but mandatory compliance was delayed for six months to provide companies sufficient time to complete implementation routines. PCI requirements apply to all organizations that accept, process, store or transmit payment card data – from the largest national acquirers to the smallest merchants.

More hands-on approach

The scope of PCI 3.0 is much broader than past versions, placing greater responsibility on merchants for protecting the integrity of POS devices, networks and authentication protocols, as well as for oversight of third-party service providers. "The changes focus on responding to what the bad guys are doing," Brooks said.

Over the past few years, for example, hundreds (possibly thousands) of malware-infected POS devices have been the source of major card-data breaches. So PCI 3.0 specifically requires that merchants keep tabs on and regularly inspect POS devices for tampering and substitution, and that they train employees to be on the lookout for signs of device tampering.

Also, as PCI compliance requirements have expanded, more merchants are outsourcing risk management and PCI compliance routines. It's an understandable step – even the simplest self-assessment forms are pages long – but it comes with its own set of responsibilities. Under PCI 3.0, for example, merchants need to validate the authentication routines used by third parties and ensure those providers use unique authentication credentials for each customer. They also must require that third-party providers acknowledge in writing their responsibilities concerning cardholder data.

Compliance improves, or does it?

Security breaches are a major source of concern for organizations large and small. Indeed, few companies seem immune. A survey of 9,700 businesses by the consultancy PricewaterhouseCoopers (PwC) revealed those companies alone detected nearly 43 million "security incidents" last year. Incidents are not breaches, but they can lead to breaches. PwC estimated (based on its data) that security incidents have been increasing at a compound annual rate of 66 percent since 2009, when there were fewer than 9 million incidents.

Worse, many companies remain unaware of their responsibilities for protecting card data. Software Advice, a unit of the consultancy Gartner Inc., surveyed small and midsize businesses on PCI 3.0 in December 2014 and found nearly one in five did not even know what PCI was; 30 percent did not know the penalties for noncompliance. Just 38 percent said they were "very confident" they would be compliant with the updated PCI rules; fewer yet, 16 percent, expressed confidence in their understanding of the new rules regarding third-party provider oversight.

Meanwhile, Verizon Communications Inc., which operates a unit focused on card data security and PCI compliance, reported that although overall compliance with PCI continues to improve, few organizations are able to sustain compliance over the long term.

The Verizon 2015 PCI Compliance Report analyzes the outcomes of nearly 3,000 PCI assessments conducted by its Qualified Security Assessors last year, as well as forensic investigation reports produced by the company's security unit. It revealed that between 2013 and 2014, compliance with 11 of the 12 PCI requirements was up, with the biggest increase in compliance witnessed in procedures for authenticating network access. The only area where compliance was lower was with testing security systems. In fact, most of the lowest compliance scores involved testing procedures, the report noted.

"Compliance with the Payment Card Industry Data Security Standard (PCI DSS) continues to improve, but four out of five companies still fail at interim assessment," the Verizon report stated. "This indicates that they've failed to sustain the security controls they put in place."

Second Sally Beauty breach a 'wake-up call'
Friday, May 22, 2015

Denton, Texas-based specialty retailer Sally Beauty Holdings Inc. revealed on May 15, 2015, that the company had suffered its second security breach in less than two years. The publicly traded company, with approximately 4,800 stores worldwide and annual revenues of $3.8 billion, withheld details on the recent attack but confirmed it is fully cooperating with ongoing investigations.

Sally Beauty President and Chief Executive Officer Chris Brickman, who replaced the company's outgoing CEO, Gary Winterhalter, in February 2015, declined to speculate on details of the intrusion, deferring to the ongoing forensics investigation. He did, however, encourage customers to monitor payment card and bank accounts for suspicious activity.

"We are working diligently to address the issue and to care for any customers who may have been affected by the incident," he stated, while noting that payment card brand rules stipulate customers will not be responsible for fraudulent charges to their accounts if said charges are promptly reported. The company also established a dedicated toll-free hotline and email address for customers to direct concerns about the breach and its possible impact on their payment cards.

Second call to first responders

In March 2014, Sally Beauty became aware of an unauthorized intrusion into its internal processing systems, affecting approximately 25,000 customer records. Four card issuers subsequently traced fraudulent transactions to payment cards linked to the attack. Security analysts believe account details for approximately 260,000 credit and debit cards were stolen.

The company said it hired Verizon Communications Inc. to conduct an investigation and lead efforts to "remediate and mitigate the issues caused by this security incident." These efforts included offering a free year of credit monitoring and identity theft protection to consumers whose cards may have been affected.

The security community views the second breach at Sally Beauty as a wake-up call for retailers, demonstrating the need for ongoing vigilance and compliance.

"This second Sally breach illustrates how vulnerable companies continue to be, even when they should be on notice," said Michele Borovac, Vice President at HyTrust, a cloud-security company based in Mountain View, Calif. She went on to say that attackers are getting smarter and that sometimes even the best perimeter measures are not enough to "stop the kill chain."

Multipronged security benefits

Borovac and her team have seen a recurring pattern in recent breaches, in which attackers have used administrator credentials to gain access to internal security systems. "Organizations must take a fresh look at their internal security systems, processes and people, and put controls in place to protect these privileged accounts," she said.

Many security analysts consider the multipronged data security strategies that incorporate a combination of compatible technologies and services to be the best defense against cyber attacks.

Marcin Kleczynski is CEO of Malwarebytes, an anti-malware solutions provider headquartered in San Jose, Calif. In recent years Kleczynski and his colleagues have seen a marked uptick in cyber attacks across multiple industries. The majority of these attacks focus primarily on stealing financial data. "The financial industry needs to make a greater effort toward evolving our current digital payment technologies to something far more secure," he said.

Kleczynski urged consumers to demand greater security in the financial world and encouraged business owners to adopt smarter, more secure technologies.

We can enhance security and protect consumer data by "employing, or at least experimenting with, numerous security technologies like two factor authentication, chip and PIN and even dynamic card numbers," he said, adding that these technologies create additional layers of defense, which render a customer's financial information useless if it is stolen.

An ounce of prevention

The retail and payment communities are well aware of the devastating effects of data security breaches on retailers. As of this writing, Sally Beauty's stock had been declining since the breach became public knowledge. Some financial analysts have questioned whether the company has the resilience to survive the second major attack.

Dr. Mike Lloyd, Chief Technology Officer at Sunnyvale, Calif.-based cyber-analytics platform RedSeal Inc., recommended the use of automated technologies to help organizations identify security gaps before breaches occur.

"Much like a chain, a network is only as strong as its weakest links, and it's very clear now that we face persistent thieves, organized like ants, who will find whatever we leave open to take," he said.

Will Google 'buy' push retailers' buttons?
Tuesday, May 19, 2015

Google Inc. is widely rumored to have near-term plans for incorporating a buy button into its mobile search pages, according to mainstream media reports that began circulating on May 15, 2015. Retail analysts suggest that the development would mark a strategic shift for the search engine, moving it from a neutral position to head-to-head competition with retailers and e-commerce marketplace giants such as Inc., eBay Inc. and

Google's buy button would facilitate impulse purchases during routine product searches, sources say. Similar to Amazon's one-click payment method, buy buttons would transport consumers to an e-commerce site where their personal information and buying preferences would be stored so they could complete purchases. Buy buttons would have the potential to prolong average visit times on the Google site, as opposed to current Google searches that link to websites outside Google's footprint. The Amazon Marketplace has successfully leveraged this model, hosting an array of third-party sellers that transact directly with Amazon customers who buy their goods and services without ever leaving

Limited pilot, limited disclosure

Industry analysts have anticipated Google's response to increasing competition from Amazon, which has gained a reputation as a search engine as well as an online marketplace. A recent study by Forrester Research found that in the third quarter of 2014, 39 percent of U.S. shoppers initiated online searches on Amazon, compared with only 11 percent who began product searches on Google. These indicators demonstrate the value of aggregated search and e-commerce functions.

In the first phase of Google's pilot, buy buttons will reportedly only be featured in mobile searches conducted on smartphones and tablets, appearing only on sponsored products endorsed and paid for by leading retailers.

While there has been widespread speculation about buy buttons' overall impact on e-commerce, a Google spokeswoman said that the company had nothing to announce. "We continuously explore and test many ideas for improving the experience for consumers," she said.

Facebook, Twitter, Pinterest explore online marketplace

Payments analysts have long predicted that widespread popularity of social media sites would inevitably lead to new forms of social commerce. In July 2014, Facebook, Twitter and Pinterest all disclosed plans to add buy buttons to their social media sites, prompting speculation that the monetization of social media was finally at hand.

Facebook shared that it was testing a buy button for news feeds and product pages. "With this feature, people on desktop or mobile can click the 'Buy' call-to-action button on ads and Page posts to purchase a product directly from a business, without leaving Facebook," the company stated. Facebook further noted that "none of the credit or debit card information" used in its e-commerce transactions would be shared with third parties, and consumers would have an option of storing their payment cards on Facebook.

Twitter's "Buy Now" button, which first appeared on July 1, 2014, on a single retail site, went viral as followers around the world re-tweeted images of the button embedded next to different retail products. The event was a bit of a dust-up, as the button itself was inactive and part of a limited beta test. However, the excitement created by its appearance was indicative of Twitter's broad e-commerce potential.

Pinterest is also experimenting with a buy button that would enable visitors to click and buy "pinned" products directly on the site. The button follows the successful release of the "Pin It" button, which enables single click pinning to Pinterest of products of interest users find on other websites.

Just buttons for now, no selling or shipping

While speculation grows regarding Google's buy button plans, there are no indications that Google will do anything more than expedite and streamline mobile commerce, prolonging the average visits of millions of shoppers who access its site from mobile phone browsers and Android apps. Its plan to improve efficiencies of Internet shopping is widely believed to be a direct challenge to Amazon's search and online advertising prowess.

Additionally, Google is experimenting with membership programs that facilitate a range of VIP services, much like the popular Amazon Prime program that has gained approximately 40 million subscribers. Google Express, launched in 2014, is being tested in major regional markets in the United States, including New York, San Francisco, Washington, D.C., Boston, and Los Angeles. Subscribers who pay a $95 annual membership fee can use the service to order online from participating retailers, including Costco Wholesale Corp., Staples Inc., and Walgreen Corp. for unlimited same-day delivery on orders over $15. ShopRunner Inc. introduced a similar program with a $79 annual fee that provides members with exclusive discounts and two-day shipping from participating retailers, including such well-known brands as Staples Inc., General Nutrition Centers Inc., Neiman Marcus Group Inc., and American Eagle Outfitters Inc.

SEAA hosts Transaction Cardi Gras in New Orleans
Monday, May 18, 2015

The Southeast Acquirers Association held its 14th annual conference April 20 to 21, 2015, in New Orleans with a balanced blend of exhibits, entertainment and presentations. The two-day event included networking, presentations, seminars and entertainment in a city known for hospitality, music and world-class cuisine.

Leading industry processors, manufacturers, vendors, leasing companies and technology startups convened in the exhibit hall. Monday evening's opening reception was followed by a Bourbon Street pub crawl led by a live jazz band. Show highlights included an ETA Certified Payments Professional seminar, an array of contests and an eclectic mix of guest speakers.

"In our experience, it was a well-organized, high quality event with a great balance between social gatherings and informative discussions around payments, acquiring and merchant relationships," said conference exhibitor Stephen Ramminger, Senior Business Operations Manager at Atlanta-based ControlScan.

SEAA, ETA strategic partnership

Presenter Jason Oxman, Chief Executive Officer of the Electronic Transactions Association, drew applause when commenting on the ETA's active collaboration with regional industry associations.

"I'm honored to have the opportunity to represent the industry," he said, reflecting on the ETA's 25-year history and continuing focus on education, advocacy and exchange of information. He shared findings from a newly released Goldman Sachs study in which 64 percent of respondents stated they expect merchant volumes to increase in 2015; approximately 45 percent of merchants said they were on track to achieve EMV (Europay, MasterCard and Visa) compliance by the end of 2015.

Oxman noted that the ETA now has four full-time lobbyists in Washington, D.C., currently monitoring six pending bills in Congress. He expressed confidence in the newly formed bipartisan Congressional Payments Caucus and the payments industry's role in powering payments throughout the United States.

Eclectic presentation mix

Casey Porter, Director of Product Delivery at Visa Inc., co-presented with Oxman on the role of ISOs and merchant level salespeople in the ever-changing payments market. Porter said Visa is working with processors and acquirers "to drive our value and sell our issuing products into the merchant base," through timely offers and discounts at the POS.

Keynote speaker and author Mac Fulfer shared his Amazing Face Reading sales techniques, which included a live demonstration involving four brave audience volunteers. Fulfer noted that sales professionals can take their cues from a prospect's facial characteristics to adapt sales presentations. "There is no law against using face reading," he said.

Other presentations by industry experts included advice on selling merchant portfolios, using technology to acquire new merchants, and effective ways to build a personal brand through networking and relationships.

Whodat2015 innovation awards

Winners of the SEAA's Whodat2015 Innovation Program were honored at the conference. Ten finalists competed in four categories: originality, revenue opportunity, presentation quality and market impact.

Finalists had eight minutes to present innovations to a judging panel during the opening session on April 20. Contest rules stipulated that solutions must be production-ready at the time of competition. Entrants were limited to one product per submission form and two product submissions per company with an April 1 deadline.

First prize winner Ping 2 Credit Mobile received $1,000, a complimentary exhibit space in the Payments Next Zone at Transact 16, and a complimentary booth at the 2016 SEAA. Second place winner Click a Waiter Inc. received $500. Third place winner Jory LLC received $300, and fourth place winner Quisk Inc. received a $200 prize.

Pay it forward with lagniappe

Lagniappe, a word that means a little something extra, is thought to have originated in New Orleans from the Spanish la ñapa. It also can be used to describe the spirit of camaraderie and partnership at Transaction Cardi Gras.

Gary DeBaise, Account Representative at New York-based Xpress-Pay, said that exhibiting at SEAA increased the company's visibility and credibility. He described the show's overall atmosphere as "friendly professionalism" and offered an example, stating, "I met someone at lunch and he opened a conversation right away about my business, his business and how we can potentially work together."

Michael Doron, Managing Director of Pay.On America Inc., was also pleased by booth traffic and level of interest at the conference. "There's a growing need for secure, PCI-compliant, cross-border e-commerce in the card-not-present space," he said, noting that attendees and fellow exhibitors were equally interested in learning about his company's products and services.
