By Nicholas Cucci
Network Merchants Inc.
What will 2012 bring to the payments industry? Personal cardholder information such as credit card data is more exposed than ever to fraudsters and computer hackers. According to the Bureau of Justice Statistics, only 23.7 percent of households subjected to some form of identity theft had no direct financial loss as a result. The average out-of-pocket loss was $1,640, though half of the affected households suffered losses of $200 or less.
The emotional impact of identity theft is often far more painful than the actual financial loss. Consumers and regulators should be proactive about guarding and protecting credit card and other personal information.
With the global economy struggling to correct itself and fraud continuing to rise, we will see breach notifications become a priority in 2012. We started to see this year that larger data breaches have a trickle-down effect, which causes the government to take action. Congress is considering the so-called SAFE Data Act, which would preempt breach notification laws in 47 states.
The act would require notification of consumers within 48 hours of identifying those whose information has been compromised, except when an inadvertent breach is unlikely to cause harm. The legislation would require companies and other entities that handle sensitive cardholder information to establish and maintain appropriate security policies to prevent unauthorized acquisition of data.
Even with the progress toward a national standard for breach notifications, it still seems the law may be ambiguous. In 2012, we will continue to see the struggle for clarity of the legal requirements for companies handling cardholder data.
For example, what counts as an inadvertent breach? If the compromised data is limited to email addresses, the argument could be made that this is only partially sensitive data. But when a fraudster can't pull down card numbers or other sensitive personal information, the next best thing is an email address.
With that, the fraudster can start phishing: sending email that masquerades as a trustworthy entity in order to acquire more sensitive data such as user names, passwords and credit card details. If only email addresses are compromised, will that fall under "unlikely to cause harm"?
Some of the largest breaches in history occurred in 2011, among them the breach at RSA that affected its SecurID two-factor authentication tokens.
With two-factor systems, someone accessing a network needs to provide something they know - a password or PIN - and something they have, which can be a thumb-sized hardware token, key fob or software on a mobile device.
Although the full extent of the breach is still unknown, the consequences could be huge. RSA reportedly has some 40 million SecurID hardware tokens deployed, with an additional 250 million software-token installations on mobile devices.
Lockheed Martin Corp., a top U.S. weapons manufacturer, was affected by the RSA breach, as were hundreds of other companies. Lockheed reportedly replaced 90,000 SecurID employee devices, paid for by RSA, and employees were required to reset all passwords.
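The two-factor model described above, and why a breach at the token vendor matters, can be made concrete with a small simulation. The code below is an added example, not code from the article or from RSA. It implements the open HOTP algorithm from RFC 4226 rather than SecurID's own proprietary algorithm (the shared-seed model is the same, the arithmetic is not); the Token and AuthServer classes, the user "alice", her PIN and the seed are all constructed for the demonstration. The last scenario shows that an attacker who holds a copy of the seed and phishes the PIN produces codes the server accepts, which is why Lockheed had to replace the physical tokens rather than just reset passwords.

```python
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a fixed number of decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


class Token:
    """The 'something you have': a device that holds the seed and produces a
    fresh code each time its button is pressed. Hypothetical class."""

    def __init__(self, seed: bytes) -> None:
        self.seed = seed
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.seed, self.counter)
        self.counter += 1
        return code


class AuthServer:
    """Hypothetical back end: stores each user's PIN (something they know) and
    the same seed that was loaded into their token (something they have)."""

    def __init__(self, look_ahead: int = 5) -> None:
        self.users = {}
        self.look_ahead = look_ahead

    def enroll(self, username: str, pin: str, seed: bytes) -> None:
        self.users[username] = {"pin": pin, "seed": seed, "counter": 0}

    def verify(self, username: str, pin: str, code: str) -> bool:
        rec = self.users.get(username)
        if rec is None or not hmac.compare_digest(rec["pin"], pin):
            return False
        # Tolerate a few unused presses by checking a small window of counters,
        # then move past the matching counter so the same code cannot be replayed.
        for c in range(rec["counter"], rec["counter"] + self.look_ahead):
            if hmac.compare_digest(hotp(rec["seed"], c), code):
                rec["counter"] = c + 1
                return True
        return False


def demo() -> dict:
    """Legitimate login, a replayed code, a PIN-only guess, and an attacker who
    has a copy of the seed plus a phished PIN."""
    seed = b"12345678901234567890"  # RFC 4226 test-vector seed, constructed data here
    server = AuthServer()
    server.enroll("alice", "2468", seed)  # constructed user and PIN
    token = Token(seed)
    results = {}

    code = token.press()
    results["legit"] = server.verify("alice", "2468", code)         # True
    results["replay"] = server.verify("alice", "2468", code)        # False: single use
    results["pin_only"] = server.verify("alice", "2468", "000000")  # False: PIN alone fails

    # Attacker holding a copy of the seed (the scenario a token-vendor breach
    # creates) plus the phished PIN computes the same codes the real token does.
    clone = Token(seed)
    results["stolen_seed"] = any(
        server.verify("alice", "2468", clone.press()) for _ in range(10)
    )  # True
    return results


if __name__ == "__main__":
    print(demo())
```

The look-ahead window and single-use counter are the server-side checks a practitioner expects; note that neither helps once the seed database itself is in the attacker's hands, because the second factor then collapses to the PIN.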
With technology advancing daily, criminals' methods become ever more sophisticated and organized. We need to continuously evolve our defenses in order to stay ahead of fraudsters. Everyone must understand that fraud is still a two-step process. The first step is stealing the data, while the second step is conversion of that data.
Here are our expectations for the top five fraud hazards in 2012.
1. Malware
Hackers and fraudsters create new malware Trojans daily, exploiting vulnerabilities before they are detected and patched. Keeping your virus definitions up to date gives you the upper hand against known malware; machines running old or out-of-date definitions are the ones most easily infected. (A "virus definition" is the database of signature files an anti-virus product uses to recognize malware.) Definitions only cover malware that has already been seen, so the operating system and applications must be kept patched as well.
2. Advanced phishing and vishing, SMSishing and whaling
Phishers pretend to be trustworthy entities like banks or credit card companies and send out emails and instant messages prompting users to "confirm" that they own their accounts by replying with sensitive information.
Phishers now send text messages, too (SMSishing, or smishing). In voice phishing, or vishing, the email asks the recipient to call a dummy phone number where automated voice prompts request the card number. Whaling targets high-value individuals, often located through social networking sites such as LinkedIn; fraudsters search profiles for titles such as vice president, chief executive officer and chief financial officer.
3. ATM skimming
Skimming devices placed over the card slot of an ATM read cardholder data off the magnetic stripe as the card goes in. The skimmers are small enough to blend in with the machine, so customers and authorities have a hard time spotting them. Skimming has been around since the early 1990s.
4. SQL injections
In SQL (Structured Query Language) injection, hackers place malicious SQL fragments into inputs such as log-in fields or URL parameters that an application splices into its database queries, letting them read and manipulate company databases. These attacks can give criminals access to restricted data such as card numbers and PINs. The attack is popular because it is versatile: the same technique bypasses log-ins, extracts tables and alters records.
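The following is an added example, not code from the article, that shows the injection described above against a constructed in-memory SQLite database and the same queries written with bound parameters. The table names, user accounts, card numbers (standard test PANs) and attack strings are all made up for the demonstration; passwords are stored in plaintext only to keep the example short.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny merchant database, nothing from any real system."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE cards (id INTEGER PRIMARY KEY, user_id INTEGER, pan TEXT);
        INSERT INTO users VALUES (1, 'alice', 'correct horse');
        INSERT INTO users VALUES (2, 'bob', 'hunter2');
        INSERT INTO cards VALUES (1, 1, '4111111111111111');
        INSERT INTO cards VALUES (2, 2, '5500000000000004');
    """)
    return conn


def login_vulnerable(conn, username, password):
    """Log-in form that splices user input straight into the SQL text."""
    sql = ("SELECT id FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same query with bound parameters: input stays data, never SQL syntax."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def lookup_vulnerable(conn, username):
    """Account-lookup feature whose result set an attacker can extend with UNION."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [r[0] for r in conn.execute(sql).fetchall()]


def lookup_safe(conn, username):
    sql = "SELECT username FROM users WHERE username = ?"
    return [r[0] for r in conn.execute(sql, (username,)).fetchall()]


# Constructed attack strings. The first closes the quoted username and comments
# out the password check; the second appends a UNION that pulls card numbers
# from an unrelated table through the "username" column.
BYPASS = "alice' --"
DUMP_CARDS = "' UNION SELECT pan FROM cards --"


def demo() -> dict:
    conn = build_db()
    return {
        "vuln_login_bypassed": login_vulnerable(conn, BYPASS, "wrong"),    # 1 (alice)
        "safe_login_bypassed": login_safe(conn, BYPASS, "wrong"),          # None
        "safe_login_genuine": login_safe(conn, "alice", "correct horse"),  # 1
        "vuln_lookup_leaks": sorted(lookup_vulnerable(conn, DUMP_CARDS)),  # both PANs
        "safe_lookup_leaks": lookup_safe(conn, DUMP_CARDS),                # []
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Parameterized queries are the fix; two further controls a payments practitioner would add are that the web application's database account should have no right to read the cards table at all, and that card numbers should not sit in a query-reachable table in the clear in the first place.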
5. Counterfeiting in non-EMV countries
Many countries outside the United States have adopted the Europay/MasterCard/Visa (EMV) smart card standard, a chip and PIN technology. EMV's higher security has reduced the basis points charged to cover losses in the U.K. from 18 in 2001 to 12 in 2008.
This method of payment security is emerging in the U.S. market. However, the transition will be slow because every merchant that wants to accept chip and PIN cards must replace its payment acceptance hardware.
Until we make a shift to more secure technology, like EMV, we will continue to see fraudsters attacking card databases and the resulting proliferation of counterfeit credit cards.
Nicholas Cucci is the Director of Marketing for Network Merchants Inc., a graduate of Benedictine University and a licensed Certified Fraud Examiner. Cucci is also a member of the Advisory Board and Anti-Fraud Technology Committee for the Association of Certified Fraud Examiners. NMI builds e-commerce payment gateways for companies that want to process transactions online in real time anywhere in the world. Contact him at email@example.com.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.