$9.5 Billion Being Invested to Make U.S. Smart-er

Posted on January 29th, 2015 by Dan Rampe

Chip And Pin

Report Says Smart Card Updates to 1.2M POS Card Readers and 7M Card-Reading Terminals to Cost $9.5B and Won’t Be Completed till 2018

The retail and payment card industries are committed to converting to Chip and PIN Smart Card technology by December 2015. However, a report by Homeland Security Research Corp (HSRC), a non-governmental marketing research firm,forecasts that it will take until 2018 for Chip and PIN to reach 80 percent of the market. In addition to pointing out this dichotomy, a discountedhotelrooms.org story featuring HSRC’s study discusses other key issues in the adoption of Chip and PIN technology in the United States. The following has been excerpted from the discountedhotelrooms.org article and edited to fit our format. You may find the complete article by clicking on this link.

U.S. only G-20 country using magnetic strips

As of January 2014, 95% of U.S. payment cards still use the 1970’s magnetic strip technology. This makes the U.S. the only G-20 country that uses this insecure technology, while more than 100 countries have converted their payment cards to the secure Chip & PIN smartcard technology by 2004.

France proves effectiveness of Chip and PIN

France…has cut face to face and ATM transactions fraud by more than 80% since the introduction of Chip & PIN EMV smartcards

Major retailers committed to December 2015 implementation date

[Retail] chains such as Home Depot, Target, Walgreens and Walmart joined Visa and American Express and committed to replace the magnetic stripe cards and POS readers to the secured Chip & PIN technology by December 2015.

Feds lead in Chip and PIN

Signed on October 10th, 2014, President Obama’s “BuySecure” Executive Order lays out a new policy to secure payments to and from the federal government by applying Chip & PIN technology to newly issued and existing government credit cards, as well as debit cards like Direct Express. Upgrading retail payment card terminals at federal agency facilities to accept chip and PIN-enabled cards.

Fastest growing private sector security market

According to the report, the U.S. Financial Services, Retail & Payment Cybersecurity Market is the largest and fastest growing private sector cybersecurity market.

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 850 million monthly transactions and protects more than 210 million active user accounts across 3,000 customers and 15,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

 

 

 

Are Banks Becoming the New Target?

Posted on January 2nd, 2015 by Dan Rampe

Bank

Will EMV Cards and Apple Pay’s Tokenization Have Hackers Shifting Their Focus and Resources from Retailers Like Target to Banks?

As a group, hackers are like rivers. No we don’t mean they’re all wet. If we were looking for a negative descriptor, it would be a darn sight stronger than “all wet.” In any case, what we mean is that like rivers, they often follow the course of least resistance.

With the changeover from stripe cards to EMV chip-and-PIN and the introduction of new technology such as Apple Pay’s tokenization, which cuts down on the amount of consumer data stored by merchants, retailers have become tougher targets with less reward, i.e., data for the cybercriminal’s efforts.

In her article on americanbanker.com, Penny Crosman interviews bankers and tech and security experts to provide an in-depth report on how hackers will adjust to the introduction of EMV, Apple Pay, etc. by shifting their attacks from retailers to banks and other online e-commerce. The following has been excerpted from her piece and edited to fit our format. You may find the complete article by clicking on this link.

Banks take into account new attacks

“How is that [hacking activity] going to stop now that we’ve got Apple Pay and EMV coming along? It’s not going to stop, it’s just going to move to the next likely target,” said James Gordon, chief technology officer at Needham Bank in Needham, Mass.

“Who has the numbers the hackers want? The banks,” Gordon said. “Before, it was the banks and the retailers, retailers just happened to be an easier target. Bankers need to be especially aware that this is just a shift in focus [on the hackers’ part] to banks, front and center.”

Being a target is nothing new

According to the Identity Theft Resource Center, 42 data breaches were carried out against banks in 2014. But other than the massive JPMorgan Chase breach, most of these have been smaller-scale breaches that have fallen under the general public’s radar.

Preparing for more attacks

At the $1.6 billion-asset Needham Bank, Gordon is preparing for EMV in two ways. One is by trying to limit the bank’s exposure to hackers.

“This is easier said than done, but if there are things that can get shut off that aren’t critical to the operation, shut them off,” he said. “If you have less exposed, you have less to watch.” For instance, he’s double-checking firewall rules to make sure nothing’s slipping through the cracks.

More security training

He’s also stepping up security training and education. “We need to stop telling people what’s going on and start showing them examples of [phishing] emails that look spot on, show people how easy it is to put an ATM skimmer on a device, show them videos, don’t just tell them it’s a ‘grave’ threat. We should stop using adjectives and start showing.”

Increase in hacking online transactions and CNP fraud

Neither EMV nor Apple Pay appears to protect online purchases where the consumer must enter [his/her] credit card information, pointed out Philip Smith, director of information technology at the $221 million-asset Harvard State Bank in Harvard, Ill.

“Since online transactions and card-not-present transactions cannot take advantage of the chip or tokenization, we will most likely see an increase in hacking and fraud in these transactions,” he said. “Hackers will continue to attack online merchants and online credit card wallets.”

Apple Pay rival under attack

[Hackers] have already attacked CurrentC, a merchant-backed rival to Apple Pay, stealing the email addresses of early participants. [Smith pointed out that,] “These email addresses [could] then be utilized for directed phishing attacks against those users in attempts to gain their confidential information.”

Threats to new account opening and account takeover

Al Pascual, director of fraud and security at Javelin Strategy & Research, also sees online and e-commerce fraud becoming a bigger risk with EMV adoption.

But the threat he envisions is more around new account opening and account takeover fraud.

“If you can’t steal card data at the point-of-sale, then the next best option is to go out and get the cards directly from the bank,” he said. “You either take over an existing account, and get cards mailed to you from that account, or you steal an identity and apply for an account.”

U.K. EMV adoption resulted in sharp rise in fraud and account takeovers

There was a dramatic rise in fraudulent new accounts and account takeovers in the U.K. when it adopted the EMV standard, Pascual said. “Certainly banks are going to want to be concerned about that, and improving their customer identity programs for new accounts.” They should also be taking advantage of advanced authentication technology.

“If I was a banker, I would really focus on existing account holders, because we’ve already seen this huge increase in account takeovers in the past few years,” he said.

Account takeover isn’t that different from what fraudsters are doing now, he said. “It’s more work and a slightly different MO but it doesn’t require any new tactics or a change in skill sets.”

Banks better prepared for hackers than retailers were

If hackers retrain their focus on banks, most would agree that financial institutions are better braced for attack than retailers have been.

“I’d say based on regulations and our fiduciary responsibility, banks are more secure,” Gordon said. He noted that in informationisbeautiful.net’s visualization of the world’s biggest data breaches, only one bank is associated with a major breach – JPMorgan Chase.

“The track record speaks for itself,” he said.

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 850 million monthly transactions and protects more than 210 million active user accounts across 3,000 customers and 15,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

 

 

 

 

 

 

Everybody in Australia Will Be Just a Number

Posted on August 8th, 2014 by Dan Rampe

PINwise

PINs Replace Credit Card Signatures in Effort to Crack Down on Fraud Down Under

From August 1, 2014 on, PINs will be the primary form of authorization for cardholders as banks and card companies attempt to slash fraud which has cost Australia some $262 million between 2010 and 2012.

One million not ready

In a piece on smh.com.au (link to article), Kim Arlington quotes Nicole Pedersen-McKinnon, consumer spokesperson for the payment industry’s PINwise campaign, saying, “There are 1 million consumers who are far from ready for this move. [Either they] don’t have PINs or are not yet using their PINs.”

Across Australia, 800,000 merchant payment terminals will upload a software update that makes signatures obsolete.

What happens to people who can’t remember PINs?

Banks will issue signature-preferred cards for people who, for mental or physical reasons, struggle to remember a PIN or use a terminal keypad. The cards have a different built-in verification code which lets customers sign rather than provide a PIN.

Talk about bad advice

Ian Yates, chief executive for the Council on the Ageing Australia, said the Council had reports of bank staff advising elderly people with memory problems to write down their PIN and carry it with them. ‘‘I’m sure that’s not the official bank position … but that’s what some people will do,’’ Yates said. ‘‘The security implications are worrying.’’

And there’s the visually impaired

Greg Madson, president of Blind Citizens Australia, said older members of his organization had never navigated a terminal keypad. “We will be advocating for some sort of uniformity across the design of these [terminals] so that people who are vision impaired … [do] not have to struggle around the keyboard.”

On behalf of Australian retailers

“Retailers just do not look at these signatures,” noted Russell Zimmerman, executive director of the Australian Retailers Association, who knew of one man who regularly signed for credit card purchases as “Mickey Mouse.” Hmmm. Did the guy have big ears, white gloves and a squeaky voice?

ThreatMetrix® builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 500 million monthly transactions and protects more than 160 million active user accounts across 2,500 customers and 10,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

 

 

 

MasterCard, Visa and American Express Call for Hard-to-Counterfeit Credit Cards and Tokens Replacing Account Numbers to Help Plug Breaches

Posted on February 10th, 2014 by Dan Rampe

Breach

“Once more unto the breach, dear friends, once more; Or close the wall up with our English dead!” (Shakespeare, Henry V).

Piling up English dead to stop hackers sounds a mite extreme – especially if you happen to be English. However, MasterCard, Visa and American Express are pushing for new technologies to make it more difficult for cybercriminals to exploit businesses and their customers.

MasterCard CEO Ajay Banga said merchants and payment processors have to work toward chip technology and tokenization to improve security. “We’ve got to get ahead of this as we go forward otherwise you’re going to have [more breaches like Neiman Marcus and Target]. The more often it happens, the worse it feels.”

Chris McWilton, MasterCard’s president of North American markets, wrote merchants reminding them a “liability shift” is in the works. Merchants not upgrading to a safer technology would be responsible for paying for defrauded customers.

One of those technologies, writes Christina Rexrode on marketwatch.com, is the EMV (Europay, MasterCard, Visa) chip, which is “sometimes called ‘chip and PIN’ or ‘chip technology’ [and is] supposed to be harder to copy than cards with only magnetic stripes.”

Visa’s CEO Charlie Scharf says he’s seen “a large number of the big merchants” commit to chip technology and “a number of the banks” already issuing chip cards.

Banga says, “Everyone needs to be on the bandwagon. Banks need to be there, merchants need to be there, governments are clearly there. We need to get the networks there and the acquirers there, and I think there’s a lot of progress on that front.”

Rexrode writes that “in markets where chip technology was installed, MasterCard [reported] it saw a 60% to 80% decrease in counterfeit fraud.” And, while chip technology would not have prevented a data breach like the one Target suffered, MasterCard’s Banga said chip technology would make stolen data, “much, much, much less valuable to a fraudster, because it’s tough to counterfeit the card, and it’s almost impossible to duplicate all the unique data that flows for that transaction to get approved.”

Tokenization is another safeguard that MasterCard, Visa and American Express are urging be adopted. Tokenization lets customers shop online without entering their account numbers which are replaced by other identifiers known as tokens.

ThreatMetrix secures Web transactions against account takeoverpayment fraudidentity spoofing, malware, and data breaches. The ThreatMetrix Global Trust Intelligence Network, which analyzes 500 million monthly transactions, provides context-based authentication and Web fraud prevention to help companies accelerate revenue, reduce costs and eliminate friction. ThreatMetrix protects more than 160 million active user accounts, 2,500 customers and 10,000 websites across a variety of industries, including financial servicesenterprisee-commerce, payments, social networks, government, and insurance. For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.