The Green Sheet Online Edition
April 11, 2011 • Issue 11:04:01
Payment fraud, rising to the challenge
Recent reports about RSA, a leading provider of security and risk solutions, being breached by hackers drive home a critical point: in today's interconnected world, no one is immune to fraud. Since its start in 1982, RSA's corporate moniker has become synonymous with data security. The company, which became the security division of EMC in 2006, invented public key cryptography, and its authentication products have been implemented at many of the largest companies (including banks) in the world.
So when Art Coviello, RSA's Executive Chairman, penned an open letter to customers in March 2011, explaining that hackers had penetrated RSA's security walls and stolen information about SecurID, an authentication product widely used in online banking, some experts saw it as a wake-up call.
"It shows that there's really no 100 percent security," said Markiyan Malko, PCI program manager at Merchant Warehouse, a Boston-based ISO. "There are a lot of sophisticated hackers out there. It demands that we stay vigilant every day."
Paul Martaus, an industry consultant based in Mountain Home, Ark., said the severity of the RSA breach depends on who's behind the incident. "It could well be an attempt by someone who has an axe to grind to embarrass RSA," Martaus said. Or it could be something more sinister, like an international fraud ring. "The big question is, what did they get?" he added.
Hackers clearly have become more sophisticated and persistent. Kaspersky Labs, an international information technology security firm that tracks malware, recorded 1.5 billion incidents involving malware last year alone.
Data breaches are costly
Data breaches are a costly proposition. The latest data from the Ponemon Institute, a Michigan-based research center, indicates data breaches cost U.S. companies about $214 per compromised record in 2010, and averaged $7.2 million per breach event. And as Dr. Larry Ponemon, the institute's founder, explained, it's not just the direct costs that matter. The indirect costs like customer churn can have a huge impact on a breached company's bottom line.
"The fact is that individuals still care deeply about their personal information, and they lose trust in companies that fail to protect it," Ponemon noted in a March blog post.
Yet, according to a 2010 survey by Information Security Media Group, 75 percent of banks first learn of fraud incidents from their customers. A report detailing the survey results, The Faces of Fraud: How to Counter 2011's Biggest Threats, reveals that 82 percent of responding banks had been hit by credit and debit card frauds in 2010. In addition:
- 63 percent experienced check fraud.
- 40 percent were invaded by phishing/vishing attacks.
- 37 percent experienced automated clearing house/wire frauds related to account takeovers.
- 32 percent were victimized by third-party POS skimming schemes.
It's a challenge to stay ahead of online fraudsters
The anonymity of the web renders online merchants easy prey for fraudsters. And the resulting costs to online merchants are more than just dollars lost to fraudulent sales. There are other costs: sales declined due to overzealous fraud filters; labor associated with reviewing orders manually, tracking down fraudsters and dealing with chargebacks (as well as the cost of the chargebacks themselves); implementing fraud management tools; and loss of customer trust.
According to the 12th Annual Online Fraud Report from CyberSource Corp., the online payment company owned by Visa Inc., one-third or more of e-commerce merchants spend 0.5 percent or more of online revenues managing fraud.
In 2010, fraud losses amounted to 0.9 percent of revenues at online retailers, CyberSource reported, down from 1.2 percent in 2009. However, "fraud pressure" increased. Fraud pressure is defined as the sum of orders rejected due to suspicion of fraud in addition to accepted orders that later turn out to be fraudulent.
Over the past seven years, the average percent of accepted orders that later turn out to be fraudulent has varied from 0.9 percent to 1.3 percent of revenues, CyberSource reported. Online merchants rejected 2.7 percent of all incoming orders for suspicion of fraud last year, up from 2.4 percent in 2009.
PCI risks run high among smaller merchants
Fraud isn't just an e-commerce problem. And it's not just a risk posed to the largest retailers either. In fact, small retail establishments have become ever more vulnerable to data breaches and other methods of fraud as larger stores tighten controls in response to Payment Card Industry (PCI) Data Security Standard (DSS) and other edicts.
According to Visa, Level 4 (small) merchants account for more than 85 percent of all card data compromises. To put this into perspective, the federal government estimates there are more than 24 million small businesses currently operating in the United States.
Results of a study undertaken by First Data Corp. and the National Retail Federation suggest small merchants overall are knowledgeable about the PCI DSS. Sixty-five percent of merchants in a survey pool dominated by those with sales under $100,000 a year said they knew about PCI requirements. Yet only 49 percent had completed a self-assessment as mandated by the PCI DSS; 42 percent didn't know they were required to perform annual self-assessments.
Perhaps even more telling, the First Data/NRF survey found 60 percent of merchants did not know they were liable for fines levied by the card companies if they are found to be responsible for data breaches that result in mandatory card replacements.
Separately, a 2010 survey of Level 4 merchants conducted by Merchant Warehouse and PCI compliance company ControlScan found just 45 percent of merchants with staffs of 10 or fewer were familiar with the PCI DSS requirements.
PCI requirements for merchants vary according to yearly card transaction volumes. The very largest establishments are designated Level 1 and have the most stringent compliance demands; the very smallest are grouped together as Level 4 merchants. PCI requirements for Level 4 merchants are basic; they include completing a yearly self-assessment questionnaire and maintaining good system firewalls.
Risks are multifaceted
Experience suggests certain categories of companies also are more prone to data breaches than others. Food and beverage establishments are the most breached, according to Trustwave, a security services and incident response firm based in Chicago. Trustwave's Global Security Report 2011 indicates the food and beverage sector accounted for 57 percent of all card data breach investigations in 2010. (Many of the most successful attacks involved firms that believed they had comprehensive data security plans in place, Trustwave noted.)
Echoing a widely held sentiment among data security experts, Robert J. McCullen, Chairman and Chief Executive Officer of Trustwave, said, "[O]rganizations that approach their initiatives firmly committed to including security as an integrated requirement, and not just as a checkbox, will be most resilient to attack, reduce their risk to compromise, and be able to best protect both sensitive data and reputation."
Another troubling finding reported by Trustwave: one organized crime syndicate may be responsible for more than 30 percent of all 2010 data breaches. Martaus isn't surprised by this; he said there is plenty of evidence to suggest hackers are being compensated handsomely by international criminal enterprises and a few foreign governments that aren't on friendly terms with the United States.
According to Kaspersky Labs, China and countries formerly part of the Soviet Union are home to several organized hacker gangs. This may also explain the growing sophistication of attacks, such as those targeting mobile platforms and social networking sites.
Social networking sites "are becoming cybercriminals' platform of choice to expand and propagate destructive botnets," Trustwave reported. And mobile devices "offer cybercriminals an open door to corporate authentication credentials, sensitive data and trade secrets."
Nicholas Cucci, Director of Marketing for Network Merchants Inc. and a Certified Fraud Examiner, describes social networking websites as a boon to phishing (where fraudsters masquerade as trustworthy parties to con consumers out of sensitive information, like account numbers and passwords).
He suggested that consumers put themselves at risk if they reveal too much personal information on social networking sites, including their birthplaces and high schools, two common challenge questions used by credit card companies.
One result is that NMI has stepped up efforts to ferret out potentially fraudulent transactions. It does this using advanced technologies like data mining and geo-tagging (pinpointing geographically where an order originates), Cucci said.
Mobile vulnerabilities are a concern
Concerns over vulnerabilities posed by mobile payments have taken on added urgency, as evidenced by the November 2010 decision by the PCI Security Standards Council to not approve any mobile payment applications as PCI DSS compliant until it had more time to study the situation.
Much of the concern over mobile payments stems from the lack of uniformity among operating systems that support mobile devices. "The Android is completely different from the iPhone, and BlackBerrys are different from both," Malko said. There's also scant oversight of application developers. "With mobile, anybody with $100 and a little time can create their own application," Malko added. "It's scary."
Merchant Warehouse had been ready to introduce a new mobile payment product that had already passed initial compliance testing when the PCI SSC issued its edict, which sent the company back to the drawing board.
What it came up with was a mobile payment web page that serves as a stand-in terminal for mobile and web transactions and is hosted at the company's PCI DSS-certified server, thereby eliminating the merchant's PCI compliance burden.
The addition of MerchantWARE TransPort.Mobile and a companion solution for web merchants makes it possible for application developers to remove card processing functions from their software while retaining full functionality, the company explained in an announcement. "This is a huge step for compliance," Malko said. "It keeps data off the device."
NMI has taken a slightly different approach, rolling out a mobile payment application that uses geo-tagging, encryption and other advanced tools to support secure mobile transactions anywhere a merchant can find a Wi-Fi connection.
"You're going to see more companies doing things like this," Cucci said. "That's how we're going to be combatting fraud going forward the next 12 to 18 months."
Both Merchant Warehouse and NMI aim to achieve the same end: secure mobile payments.
Skimming is a huge problem
Terminal manufacturer VeriFone Inc. also has concerns about mobile payment security, in particular a new miniature card-reading device developed for smart phones and called Square. In an open letter to the public, VeriFone CEO Douglas G. Bergeron suggested Square is poised to become a card-skimmer's dream tool, an allegation that Square Inc. disputed.
Skimming is one of the oldest types of fraud involving credit and debit cards. It entails capturing mag stripe data from legitimate cards (typically during the checkout process) and using that data to create counterfeit cards or to ring up charges at online stores. (A slightly more sophisticated and increasingly common form of skimming targets ATMs and employs miniature cameras to capture PINs.)
The Better Business Bureau reported that losses from credit and debit card skimming now top $1 billion a year. Javelin Strategy & Research estimated one in five credit/debit cardholders have been victims of card skimming. Skimming is often the work of criminal gangs employing ever more sophisticated technologies. Here are just some of the stories news organizations were following in March 2011.
- The indictment of three men by a grand jury in Hawaii who are accused of skimming card data from self-serve gas pumps at four Aloha Island Mini-Mart locations. The stolen data was used to make counterfeit cards that were then used in California to defraud more than 150 cardholders at six Hawaiian financial institutions, according to a report in the Honolulu Star Advertiser.
- The arrest of two California men accused of skimming more than 3,600 card numbers from pumps at three gas stations in the San Francisco Bay Area during a two-week period in December 2010.
- The discovery by police in Vancouver, British Columbia, of an ATM skimmer and miniature camera at a local credit union.
- The seizure of 189 hand-held skimmers and 36 ATM-mounted devices in Australia last year.
- The arrest by Thai police of members of an international criminal organization believed to be responsible for skimming thousands of ATM cards at machines around Europe and Asia and creating clone cards, according to Thai press reports.
Stunning technological advances continue to open new frontiers for payment professionals, particularly in the e-commerce and mobile payment spheres. Let's get the jump on data thieves, so we stop them in their tracks before they have a chance to do the same to us.