The Green Sheet Online Edition
December 26, 2011 • Issue 11:12:02
Fraud trends 2012: Like 2011, only more so
What will 2012 bring to the payments industry? In this age of technology, personal cardholder information such as credit card data is more vulnerable to fraudsters and computer hackers. According to the Bureau of Justice Statistics, only 23.7 percent of households subjected to some form of identity theft had no direct financial loss as a result. The average out-of-pocket loss was $1,640, but half suffered minor losses of $200 or less.
The emotional impact of identity theft is often far more painful than the actual financial loss. Consumers and regulators should be proactive about guarding and protecting credit card and other personal information.
Play it SAFE
With the global economy struggling to correct itself and fraud continuing to rise, we will see breach notifications become a priority in 2012. We started to see this year that larger data breaches have a trickle-down effect, which causes the government to take action. Congress is considering the so-called SAFE Data Act, which would preempt breach notification laws in 47 states.
The act would require notification of consumers within 48 hours of identifying those whose information has been compromised, except when an inadvertent breach is unlikely to cause harm. The legislation would require companies and other entities that handle sensitive cardholder information to establish and maintain appropriate security policies to prevent unauthorized acquisition of data.
Even with the progress toward a national standard for breach notifications, it still seems the law may be ambiguous. In 2012, we will continue to see the struggle for clarity of the legal requirements for companies handling cardholder data.
For example, what is an inadvertent breach? If the compromised data is limited just to email addresses, the argument could be made that this is partially sensitive data. When a fraudster can't pull down credit card or more sensitive personal information, the next best thing is an email address.
With that, the fraudster can start phishing - a way of attempting to acquire more sensitive data, such as user names, passwords and credit card details, by masquerading in an email as a trustworthy entity. If emails are compromised, will that fall under "unlikely to cause harm"?
A banner year for fraudsters
Some of the largest breaches in history occurred in 2011:
- A server breach at Sony Network Entertainment International LLC from April 17 to 19 reportedly compromised over 100 million card numbers. Sony shut down its network for 23 days because of the breach, which reportedly cost the company over $100 million. Sony discovered the breach on April 19 but did not publicly disclose information about it until April 26.
- A breach at Michaels Stores Inc. was discovered May 2 when the company was notified of possible debit fraud related to its stores in the Chicago area. Through compromised PIN pads, some card data was skimmed between Feb. 8 and May 6. Michaels replaced 7,200 PIN pads in 964 stores in the United States.
- An extremely sophisticated cyber attack took place earlier this year at RSA Security Solutions, the Security Division of EMC Corp., related to its SecurID technology. Organizations use the two-factor authentication system to provide more protection for sensitive data and networks than just a password.
With two-factor systems, someone accessing a network needs to provide something they know - a password or PIN - and something they have, which can be a thumb-sized hardware token, key fob or software on a mobile device.
Although the extent of the breach is still unknown, the consequences could be huge. RSA reportedly has some 40 million SecurID hardware tokens deployed, with an additional 250 million SecurID applications on mobile devices.
Lockheed Martin Corp., a top U.S. weapons manufacturer, was affected by the RSA breach, as were hundreds of other companies. Lockheed reportedly replaced 90,000 SecurID employee devices, paid for by RSA, and employees were required to reset all passwords.
With technology advancing daily, criminals' methods become ever more sophisticated and organized. We need to continuously evolve our defenses in order to stay ahead of fraudsters. Everyone must understand that fraud is still a two-step process. The first step is stealing the data, while the second step is conversion of that data.
Here are our expectations for the top five fraud hazards in 2012.
1. Malware attacks
Malware refers to malicious software designed specifically to gain access and damage victims' computers without their knowledge. In 2009, the incidence of this type of attack was 10 times greater than in 2008. Most malware today is designed for financial gain. It escapes detection while collecting and transmitting sensitive data, such as victims' bank account information, passwords and card details.
Hackers and fraudsters create malware Trojans daily, exploiting new vulnerabilities before they can be detected and fixed. Keeping your virus definitions up to date gives you the upper hand; machines running older, out-of-date definitions are where infections usually take hold. (A "virus definition" is the database of virus signature files that anti-virus software uses to recognize malicious code.)
2. Advanced phishing and vishing, SMSishing and whaling
Phishers pretend to be trustworthy entities like banks or credit card companies and send out emails and instant messages prompting users to send sensitive information confirming they are the owners of the accounts.
Now, phishers send out text messages, too (SMSishing). In voice phishing, or vishing, emails ask recipients to make phone calls to dummy numbers where voice prompts ask for credit card numbers. In the fraud world, whaling targets high-worth individuals on social networking sites such as LinkedIn. Fraudsters search profiles for descriptors such as vice president, chief executive officer and chief financial officer.
3. ATM skimming
Skimming devices, placed directly over ATM slots where customers swipe cards, steal cardholder data off mag stripes. The skimmers are so small, authorities have a hard time finding them. Skimming has been around since the early 1990s.
4. SQL injections
In SQL (Structured Query Language) injections, hackers inject malicious code into web forms, such as log-in fields or browser address bars, to access and manipulate company databases. These attacks can give criminals access to restricted data, such as credit card details and PINs. This is becoming a popular attack because of its versatility.
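As an added illustration of the log-in field case described above (example code, not part of the original article), the following contrasts a query built by string concatenation with the same lookup using bound parameters. The table, account names and masked card values are constructed sample data.

```python
import sqlite3

# Constructed sample data standing in for the company database a
# web log-in form sits in front of. Card values are masked placeholders.
ROWS = [
    ("alice", "s3cret", "4111-xxxx-xxxx-1111"),
    ("bob", "hunter2", "5500-xxxx-xxxx-2222"),
]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (user TEXT, pw TEXT, card TEXT)")
    con.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ROWS)
    return con


def login_vulnerable(con, user, pw):
    """Builds the statement from the form field text, so a quote in the
    input changes the structure of the WHERE clause instead of being
    treated as a value. This is the defect the article describes."""
    sql = f"SELECT user, card FROM accounts WHERE user = '{user}' AND pw = '{pw}'"
    return con.execute(sql).fetchall()


def login_parameterized(con, user, pw):
    """Same lookup with bound parameters: the driver passes the input
    as data, so it can never be parsed as SQL. This is the fix."""
    sql = "SELECT user, card FROM accounts WHERE user = ? AND pw = ?"
    return con.execute(sql, (user, pw)).fetchall()


def demo():
    con = make_db()
    # Input the form was designed for: both versions return one row.
    good = (login_vulnerable(con, "alice", "s3cret"),
            login_parameterized(con, "alice", "s3cret"))
    # Input containing a quote: the concatenated WHERE clause is
    # rewritten so that it matches every row and returns every card;
    # the parameterized lookup returns nothing, because no account
    # has that literal name.
    quoted = "' OR '1'='1"
    bad = (login_vulnerable(con, quoted, quoted),
           login_parameterized(con, quoted, quoted))
    return good, bad


if __name__ == "__main__":
    print(demo())
```

The concatenated version returning more rows than the bound version for the same input is the signal to look for when auditing legacy query code.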
5. Counterfeiting in non-EMV countries
Many countries outside the United States have adopted the Europay/MasterCard/Visa smart card standard - a chip and PIN technology. EMV's higher security has reduced the basis points charged to cover losses in the U.K. from 18 in 2001 to 12 in 2008.
This method of payment security is emerging in the U.S. market. However, the transition will be slow because it necessitates a change of hardware by all merchants wishing to deploy chip and PIN-enabled payment acceptance devices.
Until we make a shift to more secure technology, like EMV, we will continue to see fraudsters attacking card databases and the resulting proliferation of counterfeit credit cards.
Nicholas Cucci is the Director of Marketing for Network Merchants Inc., a graduate of Benedictine University and a licensed Certified Fraud Examiner. Cucci is also a member of the Advisory Board and Anti-Fraud Technology Committee for the Association of Certified Fraud Examiners. NMI builds e-commerce payment gateways for companies that want to process transactions online in real time anywhere in the world. Contact him at firstname.lastname@example.org.