A Thing
The Green SheetGreen Sheet

The Green Sheet Online Edition

December 14, 2015 • Issue 15:12:01

Defending your online business from CNP fraud

By Chris O'Donnell
Instabill Corp.

Over the next few years as America migrates to Europay, MasterCard and Visa (EMV) chip-enabled credit cards, the war between cyber thieves and merchants is going to shift to the online sphere. Ask anyone in the payments business – credit card issuers and acquirers, banks and especially security firms – whether card-not-present (CNP) fraud is going to skyrocket, and their responses are never in terms of if, but when. And it could reach plague proportions.

The EMV liability shift began in the United States on Oct. 1, 2015, and businesses of all sizes have been slow to migrate. Eventually they will. And the more secure brick-and-mortar businesses become, the more hackers will turn their attention to e-commerce businesses because they remain easier targets.

CNP fraud rose dramatically in the United Kingdom in the early 2000s, the early days of e-commerce, as well as in Canada when it migrated to EMV credit cards in 2008. Despite the fact that the United States can learn from the transition woes of these two e-commerce models, CNP fraud will escalate. How much this will increase remains a mystery. And this raises the question: How effectively can CNP fraud be mitigated?

Data forensics, a booming industry

Benjamin Hosack's career timing could not have been better. A native of Zimbabwe, he was employed by a well-known data security company until May of 2009, when he and a colleague left to form their own information security firm, Foregenix Ltd.

When business is good for Foregenix, it's usually a bad sign for merchants and consumers. In less than six years, Foregenix has expanded to 50 employees over four offices on four continents. That means businesses large and small are suffering data breaches at a breakneck pace.

"I can tell you that we are seeing a six-fold increase, six times as many cases as we did in 2013," Mr. Hosack said from his office in Marlborough, west of London. "E-commerce businesses are getting hit more and more each year. Attackers are focusing on the CNP environment, and it's been easy for them."

It has already begun. Recent studies by Auriemma Consulting Group and ThreatMetrix found online and mobile attacks grew as high as 25 percent in the second and third quarters of 2015.

Attackers searching daily

Hosack recounted an experiment he and his Foregenix colleagues conducted a year ago. They gained access to the top 1 million websites worldwide for payment transactions through an antivirus company and scanned each to find indications of compromise. "We started picking up a 3 percent compromise rate for a particular webshell on Magento websites," he said, noting they found thousands of websites with security deficiencies.

"The list of the top 1 million e-commerce websites is publicly accessible, and it's very simple to do a scan to identify the website technology and whether they are susceptible to known issues," he added. "Every day, attackers are searching for websites to penetrate. It didn't take us long to run the scan. Any serious attacker knows exactly what to look for. It was easy to do."

Hosack also predicted the United States is going to see a rapid increase in CNP fraud. Whether it will be worse than the increases the U.K. and Canada suffered is unknown. "The Internet has come a long way since the U.K. and Canada converted to EMV," he noted. "There are a lot more websites, so a lot more for the attackers to target. We believe there are going to be some really challenging times ahead for the U.S."

Eastern Europe seems to be the main hub of hackers, but Hosack sees attacks coming from all over the world. He cited the U.K., China, United States and Vietnam as having their share of cyber thieves.

The myth of expensive security firms

It is a common misbelief that subscribing to security services is expensive. According to Hosack, even the smallest e-commerce merchants can afford protection and safeguards. The real expenses come when a merchant suffers a breach and doesn't have a safety protocol in place, giving the attackers a large window via which to steal data.

Above all, he stressed being proactive partnering with a security provider. "It's very affordable; it starts at a cost of zero," he said. "It is important to have a contract in place with a company that is ready to move (in the event of a breach). It doesn't need to cost much to get everything lined up."

Closing the window between breach and response is the key. To add perspective, hackers were rampant for 18 days before mega-retailer Target Corp. hired a security forensics firm, resulting in 70 million consumers whose personal information was stolen.

That is where security can be expensive for a small business merchant: dealing with the liability. But if proper safeguards are in place, the amount of time an attacker spends on a website is reduced, Hosack noted. "Ideally, it's about having the right technology in place," he said. "Attackers are trying to find ways to easily monetize their efforts. We have found that attackers will not spend a lot of time trying to break into a secure site."

Five things CNP merchants must do

The war between merchants and cyber thieves is a perpetual game of one-upsmanship. There is no such silver bullet solution for merchants ‒ only thinking proactively and habitual, diligent checks and safeguards. "We have always advised [clients] that if they don't need to hold credit card data, then they shouldn't," Hosack said.

He offered the following five practices that can enable merchants to remain a step ahead of hackers.

  1. Outsource your payment platform. Merchants whose payment pages are hosted by their payment service provider are much more secure. Not only do hackers need to penetrate the merchant's website, they must find a way to intercept the transaction process, too. "If you can manage transactions through a secure third party, you should," Hosack said. "Putting in a hosted payment page can make it a lot harder [to be hacked]. It makes you a tighter target."
  2. Invest in a web application firewall. E-commerce business owners are human: they miss or forget about regular security updates and patches. A web application firewall acts like a virtual patch.
  3. Monitor changes on your website. A sure sign that a website has been hacked is when files are introduced, changed or deleted. Monitoring changes daily is an essential step in detecting malicious activity quickly.
  4. Use the most current platforms. E-commerce website providers such as Magento, WordPress and osCommerce are regarded as the top e-commerce-friendly websites and come with regular updates and patches.
  5. Test. Test. Test. Hosack recommended outsourcing this function, stating that partnering with a security firm to apply vulnerability scans and play the role of attacker is a worthwhile investment.

end of article

Chris O'Donnell is a Senior Copywriter for the Instabill Corp. in Portsmouth, N.H. Instabill is a full service provider of merchant accounts to e-commerce, MO/TO and POS businesses. A resident of coastal New England, O'Donnell is also a contributor to The Daily News (Newburyport, Mass.) and Newburyport magazine.

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

Prev Next
A Thing