Payment Processor Breach Puts Consumers and Merchants at Risk
The Washington Post reported that another large payment processor has disclosed a breach, potentially exposing hundreds of millions of credit card details to fraudsters.
Robert Baldwin, CFO of Heartland Payment Systems, conceded that credit card numbers, expiry dates and names were compromised but commented that:
"The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address."
I'm wondering if fraudsters and hackers with this level of sophistication also have access to a White Pages or Facebook search?
Even if information such as CVV code data is not compromised along with the card data, an online merchant still has the option of not making this extra verification information mandatory. Worse, I had a meeting with an online payment gateway yesterday who described how fraudsters pose as legitimate merchant accounts but will then authorize a large volume of stolen credit card transactions, which ultimately leaves the payment gateway holding hundreds of thousands in losses.
The Heartland breach is only one of many, which calls into question the entire notion of a merchant or gateway being able to confidently process a credit card transaction based on the user's credentials alone. The sheer number of both compromised credit card accounts and compromised computers that fraudsters can conduct transactions through means that new solutions need to be sought out.
Programs like Verified by Visa mitigate this risk somewhat by requiring an additional password to authenticate the transaction. However, this introduces friction into the purchasing experience and is not widely supported.
ThreatMetrix provides its merchant and payment gateway customers with an alternative identity verification method that has zero impact on the customer and her purchasing experience by transparently profiling, identifying and recognizing the actual device used in the transaction.
This provides a number of unique benefits:
Detect credit card list washing: If the credit card details are stolen, ThreatMetrix will detect multiple credit card details linked to the same computer, even if fraudsters attempt to spoof their location and IP address with proxies and even if transactions are conducted across multiple sites.
Stop first-time fraud attempts: Even if a device in the transaction is not recognized, ThreatMetrix provides real-time anomaly detection, for example when the transaction is being conducted through a botnet proxy or a compromised PC that is infected and under the control of a fraud ring.
Accept more orders and registrations: ThreatMetrix enables merchants and websites to verify whether the combination of the user's credit card and the device in the transaction has previously transacted successfully, allowing the confident acceptance of orders and registrations that might otherwise be rejected.
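The device-linked checks in the first and third items above can be sketched in a few lines. This is an added example, not ThreatMetrix code: it assumes a device_id is already supplied by a separate fingerprinting step, and the key, 24-hour window, threshold of three cards and sample attempts are all constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timedelta

TOKEN_KEY = b"constructed-demo-key"  # assumption: a real key lives in a secrets store
WINDOW = timedelta(hours=24)         # assumed look-back window
MAX_CARDS_PER_DEVICE = 3             # assumed limit on distinct cards per device

def card_token(pan):
    """Keyed token so raw card numbers are never stored in the history."""
    return hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()

class DeviceHistory:
    def __init__(self):
        self.seen = defaultdict(list)  # device_id -> [(timestamp, card token)]
        self.trusted = set()           # (device_id, card token) pairs that settled cleanly

    def score(self, device_id, pan, when):
        """Return 'list_washing', 'known_pair' or 'review' for one attempt."""
        token = card_token(pan)
        recent = [(t, c) for t, c in self.seen[device_id] if when - t <= WINDOW]
        recent.append((when, token))
        self.seen[device_id] = recent
        if len({c for _, c in recent}) > MAX_CARDS_PER_DEVICE:
            return "list_washing"  # many cards on one device, whatever the IP or site
        return "known_pair" if (device_id, token) in self.trusted else "review"

    def mark_settled(self, device_id, pan):
        """Record that this card and device completed a good transaction."""
        self.trusted.add((device_id, card_token(pan)))

def run_demo():
    # Constructed attempts: (device_id, site, source IP, test card number, minute offset)
    start = datetime(2024, 1, 1, 9, 0)
    attempts = [
        ("dev-A", "shop1.example", "198.51.100.7", "4111111111111111", 0),
        ("dev-B", "shop1.example", "203.0.113.10", "4000000000000002", 1),
        ("dev-B", "shop2.example", "203.0.113.99", "4000000000000010", 2),
        ("dev-B", "shop1.example", "192.0.2.44", "4000000000000028", 3),
        ("dev-B", "shop3.example", "192.0.2.45", "4000000000000036", 4),
        ("dev-A", "shop2.example", "198.51.100.8", "4111111111111111", 5),
    ]
    history = DeviceHistory()
    history.mark_settled("dev-A", "4111111111111111")
    return [history.score(d, pan, start + timedelta(minutes=m)) for d, _s, _ip, pan, m in attempts]

if __name__ == "__main__":
    print(run_demo())
```

The site and source IP columns are deliberately ignored by the scoring, which is why the fourth distinct card from dev-B is flagged even though every attempt arrives from a different address.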


