EMV Chips Are a Good Idea. Right?

Posted on May 22nd, 2015 by Dan Rampe

EMV

With Wholesale Adoption Just Months Away, EMV Chips Show Downsides Cybercriminals Can Exploit to Defraud CNP Merchants

Is it the law of unintended consequences, Murphy’s Law, or some other cosmic statute that insists on a downside to just about every creation from bathtubs to beer?

Take the bathtub. Here is a device without which civilized society could not live in harmony (or at least proximity). Even this most benign and useful of objects has a downside. According to the United States Centers for Disease Control and Prevention (CDC), about two-thirds of accidental injuries happen in the bathtub or shower. (Yes, we looked it up.) Beer? Well, the Yin and Yang of beer is fairly self-evident – especially for people who’ve slipped in the bathtub after consuming too much of the stuff.

The EMV chip’s negatives

The EMV chip, which most security experts agree will slash fraud at the register or Point-of-Sale (PoS), also has its downside. In a recent news release titled, Six Months Ahead of EMV Chip Deadline, ThreatMetrix Offers Strategies to Protect against Expected Increase in Online Fraud, Alisdair Faulkner, ThreatMetrix chief products officer observed, “From a consumer perspective, the shift to EMV is good news as it will make it harder for cybercriminals to counterfeit credit cards and conduct fraudulent purchases in stores. But from an online merchant perspective, as it becomes more difficult for cybercriminals to monetize on counterfeit cards, their goals are now going to shift to use [of] stolen credit card data through online channels. Right now – ahead of the October deadline – is the time for retailers to start implementing systems that look at cybercrime in context to combat the growing breadth and intelligence of fraud following the widespread adoption of EMV in the U.S.”

A note of caution sounded about EMV at the CardNotPresent.com Annual Conference and Expo

In his article on digitaltransactions.net, and based on interviews with key participants at the Conference and Expo, Kevin Woodward reports on types of fraud the EMV chip could foster. The following has been excerpted from his piece and edited to fit our format. You may find the full article by clicking on this link.

Stolen in transit

Though credit and debit issuers are staggering their chip card issuance, there remains a risk that criminals could intercept these mailings and use the cards to commit fraud, said Jackie Barwell, director of fraud product management at ACI Worldwide Inc., a … vendor of online payment security services.

One major concern of hers is that in the United States, EMV chip cards are active when mailed to cardholders, making them vulnerable to criminals who might steal them from mailboxes.

Online fraud to dramatically increase

“The challenge that comes with EMV moving forward, especially for card-not-present, is that fraud will dramatically increase,” said Terry Dooley, executive vice president and chief information officer for …Shazam Inc., a regional PIN-debit network.

Instead of criminals walking into a store to attempt to make a fraudulent transaction, they’ll go online….

Only 3 percent use 3D Secure technology to help reduce risk

Operated as Visa Inc.’s Verified by Visa and MasterCard Inc.’s SecureCode, 3D Secure systems try to replicate the point-of-sale experience by prompting cardholders to enter a secret code in a pop-up window when checking out from a retailer’s site. The measure is meant to reduce fraudulent online transactions.

“Only 3% of merchants use 3D Secure,” said Tricia Lines Hill, senior vice president of business development and marketing communications at First Atlantic Commerce, a…payment processor. “This has to change when EMV rolls out.”

Friction at the checkout hinders 3D Secure adoption

Many merchants balked at using the technology because they viewed it as disruptive to the checkout process, and not enough of their shoppers had payment cards that supported the technology.

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions leveraging a global shared digital identity network and real time customer driven analytics platform.  These solutions help customers differentiate between trusted users and potential fraud resulting in reduced friction, incremental revenue and lower fraud and operational costs.

ThreatMetrix secures customers against account takeover, payment fraud, fraudulent account registrations resulting from malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over one billion monthly transactions and protects more than 250 million active user accounts across 3,000 customers and 15,000 websites and mobile applications. ThreatMetrix is deployed by industry leaders across financial services, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blog, Facebook, LinkedIn and Twitter pages.

The Great Retailer vs. Credit Union Dust Up

Posted on May 5th, 2015 by Dan Rampe

EMV

A Retail Group Suggesting Slowing Implementation of New Secure Cards and Holding Off a Shift in Payment Fraud Liability Sets Off War of Words

The switchover to EMV cards is not a matter of black-and-white. Perhaps there aren’t fifty shades of gray, but there are definitely gray areas that need exploring. For instance, will cybercriminals abandon point of sale (PoS) fraud only to turn their attention to online fraud?

In a ThreatMetrix news release, “Six Months Ahead of EMV Chip Deadline, ThreatMetrix Offers Strategies to Protect Against Expected Increase in Online Fraud,” ThreatMetrix’s chief products officer advised that “from a consumer perspective, the shift to EMV is good news as it will make it harder for cybercriminals to counterfeit credit cards and conduct fraudulent purchases in stores. But from an online merchant perspective, as it becomes more difficult for cybercriminals to monetize on counterfeit cards, their goals are now going to shift to using stolen credit card data through online channels. Right now – ahead of the October deadline – is the time for retailers to start implementing systems that look at cybercrime in context to combat the growing breadth and intelligence of fraud following the widespread adoption of EMV in the U.S.”

And there are other issues that have cropped up like the one that has credit unions and retailers throwing verbal darts at each other. Specifically, who gets stuck with the tab when payment fraud does occur? In her piece on thehill.com, Elise Viebeck talks about what happened when the Food Marketing Institute (FMI) told card networks it would be a good idea to delay plans to shift liability for payment fraud to parties using “the least-secure” technology. The following has been excerpted from her piece and edited to fit our format. You may find the full article by clicking on this link.

The war of words begins

The letter [from FMI] prompted a fierce response from the National Association of Federal Credit Unions (NAFCU), which criticized the group’s request in a letter to top lawmakers. “FMI is more concerned about the cost of complying with the EMV standards and how quickly they can process transactions than it is about consumers and doing everything they can to protect their customers from future breaches,” wrote NAFCU President and CEO Dan Berger. “FMI’s delay tactic is remarkable given the extraordinary number of merchant and retailer breaches that have occurred in recent months.”

Oh yeah!

[The] Retail Industry Leaders Association (RILA) fired back at the NAFCU, accusing financial institutions of rolling out chip-and-signature cards as opposed to chip-and-pin cards, which it called more secure. “Chip and PIN cards have become the mainstay in the rest of the industrialized world, sharply reducing fraud and cyber-attacks, while unfortunately making U.S. retailers and consumers the prime target for would-be hackers and credit thieves around the globe,” the group said. “NAFCU and others in the financial services industry have yet to adequately explain why they refuse to use readily available and proven technology to safeguard American consumers.” The RILA also said it has not called for a delay of the liability date.

The bottom line is who’s picking up the tab?

Financial institutions and retailers have long been at odds over who is responsible for data breaches and what should be done to fight them.


$9.5 Billion Being Invested to Make U.S. Smart-er

Posted on January 29th, 2015 by Dan Rampe

Chip And Pin

Report Says Smart Card Updates to 1.2M POS Card Readers and 7M Card-Reading Terminals to Cost $9.5B and Won’t Be Completed till 2018

The retail and payment card industries are committed to converting to Chip and PIN Smart Card technology by December 2015. However, a report by Homeland Security Research Corp (HSRC), a non-governmental marketing research firm, forecasts that it will take until 2018 for Chip and PIN to reach 80 percent of the market. In addition to pointing out this dichotomy, a discountedhotelrooms.org story featuring HSRC’s study discusses other key issues in the adoption of Chip and PIN technology in the United States. The following has been excerpted from the discountedhotelrooms.org article and edited to fit our format. You may find the complete article by clicking on this link.

U.S. only G-20 country using magnetic strips

As of January 2014, 95% of U.S. payment cards still use the 1970’s magnetic strip technology. This makes the U.S. the only G-20 country that uses this insecure technology, while more than 100 countries have converted their payment cards to the secure Chip & PIN smartcard technology by 2004.

France proves effectiveness of Chip and PIN

France…has cut face to face and ATM transactions fraud by more than 80% since the introduction of Chip & PIN EMV smartcards.

Major retailers committed to December 2015 implementation date

[Retail] chains such as Home Depot, Target, Walgreens and Walmart joined Visa and American Express and committed to replace the magnetic stripe cards and POS readers to the secured Chip & PIN technology by December 2015.

Feds lead in Chip and PIN

Signed on October 10th, 2014, President Obama’s “BuySecure” Executive Order lays out a new policy to secure payments to and from the federal government by applying Chip & PIN technology to newly issued and existing government credit cards, as well as debit cards like Direct Express, and by upgrading retail payment card terminals at federal agency facilities to accept chip and PIN-enabled cards.

Fastest growing private sector security market

According to the report, the U.S. Financial Services, Retail & Payment Cybersecurity Market is the largest and fastest growing private sector cybersecurity market.

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 850 million monthly transactions and protects more than 210 million active user accounts across 3,000 customers and 15,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.


Are Banks Becoming the New Target?

Posted on January 2nd, 2015 by Dan Rampe

Bank

Will EMV Cards and Apple Pay’s Tokenization Have Hackers Shifting Their Focus and Resources from Retailers Like Target to Banks?

As a group, hackers are like rivers. No, we don’t mean they’re all wet. If we were looking for a negative descriptor, it would be a darn sight stronger than “all wet.” In any case, what we mean is that like rivers, they often follow the course of least resistance.

With the changeover from stripe cards to EMV chip-and-PIN and the introduction of new technology such as Apple Pay’s tokenization, which cuts down on the amount of consumer data stored by merchants, retailers have become tougher targets with less reward (i.e., data) for the cybercriminal’s efforts.

In her article on americanbanker.com, Penny Crosman interviews bankers and tech and security experts to provide an in-depth report on how hackers will adjust to the introduction of EMV, Apple Pay, etc. by shifting their attacks from retailers to banks and other online e-commerce. The following has been excerpted from her piece and edited to fit our format. You may find the complete article by clicking on this link.

Banks take into account new attacks

“How is that [hacking activity] going to stop now that we’ve got Apple Pay and EMV coming along? It’s not going to stop, it’s just going to move to the next likely target,” said James Gordon, chief technology officer at Needham Bank in Needham, Mass.

“Who has the numbers the hackers want? The banks,” Gordon said. “Before, it was the banks and the retailers, retailers just happened to be an easier target. Bankers need to be especially aware that this is just a shift in focus [on the hackers’ part] to banks, front and center.”

Being a target is nothing new

According to the Identity Theft Resource Center, 42 data breaches were carried out against banks in 2014. But other than the massive JPMorgan Chase breach, most of these have been smaller-scale breaches that have fallen under the general public’s radar.

Preparing for more attacks

At the $1.6 billion-asset Needham Bank, Gordon is preparing for EMV in two ways. One is by trying to limit the bank’s exposure to hackers.

“This is easier said than done, but if there are things that can get shut off that aren’t critical to the operation, shut them off,” he said. “If you have less exposed, you have less to watch.” For instance, he’s double-checking firewall rules to make sure nothing’s slipping through the cracks.

More security training

He’s also stepping up security training and education. “We need to stop telling people what’s going on and start showing them examples of [phishing] emails that look spot on, show people how easy it is to put an ATM skimmer on a device, show them videos, don’t just tell them it’s a ‘grave’ threat. We should stop using adjectives and start showing.”

Increase in hacking online transactions and CNP fraud

Neither EMV nor Apple Pay appears to protect online purchases where the consumer must enter [his/her] credit card information, pointed out Philip Smith, director of information technology at the $221 million-asset Harvard State Bank in Harvard, Ill.

“Since online transactions and card-not-present transactions cannot take advantage of the chip or tokenization, we will most likely see an increase in hacking and fraud in these transactions,” he said. “Hackers will continue to attack online merchants and online credit card wallets.”

Apple Pay rival under attack

[Hackers] have already attacked CurrentC, a merchant-backed rival to Apple Pay, stealing the email addresses of early participants. [Smith pointed out that,] “These email addresses [could] then be utilized for directed phishing attacks against those users in attempts to gain their confidential information.”

Threats to new account opening and account takeover

Al Pascual, director of fraud and security at Javelin Strategy & Research, also sees online and e-commerce fraud becoming a bigger risk with EMV adoption.

But the threat he envisions is more around new account opening and account takeover fraud.

“If you can’t steal card data at the point-of-sale, then the next best option is to go out and get the cards directly from the bank,” he said. “You either take over an existing account, and get cards mailed to you from that account, or you steal an identity and apply for an account.”

U.K. EMV adoption resulted in sharp rise in fraud and account takeovers

There was a dramatic rise in fraudulent new accounts and account takeovers in the U.K. when it adopted the EMV standard, Pascual said. “Certainly banks are going to want to be concerned about that, and improving their customer identity programs for new accounts.” They should also be taking advantage of advanced authentication technology.

“If I was a banker, I would really focus on existing account holders, because we’ve already seen this huge increase in account takeovers in the past few years,” he said.

Account takeover isn’t that different from what fraudsters are doing now, he said. “It’s more work and a slightly different MO but it doesn’t require any new tactics or a change in skill sets.”

Banks better prepared for hackers than retailers were

If hackers retrain their focus on banks, most would agree that financial institutions are better braced for attack than retailers have been.

“I’d say based on regulations and our fiduciary responsibility, banks are more secure,” Gordon said. He noted that in informationisbeautiful.net’s visualization of the world’s biggest data breaches, only one bank is associated with a major breach – JPMorgan Chase.

“The track record speaks for itself,” he said.


Everybody in Australia Will Be Just a Number

Posted on August 8th, 2014 by Dan Rampe

PINwise

PINs Replace Credit Card Signatures in Effort to Crack Down on Fraud Down Under

From August 1, 2014 on, PINs will be the primary form of authorization for cardholders as banks and card companies attempt to slash fraud, which cost Australia some $262 million between 2010 and 2012.

One million not ready

In a piece on smh.com.au (link to article), Kim Arlington quotes Nicole Pedersen-McKinnon, consumer spokesperson for the payment industry’s PINwise campaign, saying, “There are 1 million consumers who are far from ready for this move. [Either they] don’t have PINs or are not yet using their PINs.”

Across Australia, 800,000 merchant payment terminals will upload a software update that makes signatures obsolete.

What happens to people who can’t remember PINs?

Banks will issue signature-preferred cards for people who, for mental or physical reasons, struggle to remember a PIN or use a terminal keypad. The cards have a different built-in verification code which lets customers sign rather than provide a PIN.

Talk about bad advice

Ian Yates, chief executive for the Council on the Ageing Australia, said the Council had reports of bank staff advising elderly people with memory problems to write down their PIN and carry it with them. “I’m sure that’s not the official bank position … but that’s what some people will do,” Yates said. “The security implications are worrying.”

And there’s the visually impaired

Greg Madson, president of Blind Citizens Australia, said older members of his organization had never navigated a terminal keypad. “We will be advocating for some sort of uniformity across the design of these [terminals] so that people who are vision impaired … [do] not have to struggle around the keyboard.”

On behalf of Australian retailers

“Retailers just do not look at these signatures,” noted Russell Zimmerman, executive director of the Australian Retailers Association, who knew of one man who regularly signed for credit card purchases as “Mickey Mouse.” Hmmm. Did the guy have big ears, white gloves and a squeaky voice?

ThreatMetrix® builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 500 million monthly transactions and protects more than 160 million active user accounts across 2,500 customers and 10,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.


MasterCard, Visa and American Express Call for Hard-to-Counterfeit Credit Cards and Tokens Replacing Account Numbers to Help Plug Breaches

Posted on February 10th, 2014 by Dan Rampe

Breach

“Once more unto the breach, dear friends, once more; Or close the wall up with our English dead!” (Shakespeare, Henry V).

Piling up English dead to stop hackers sounds a mite extreme – especially if you happen to be English. However, MasterCard, Visa and American Express are pushing for new technologies to make it more difficult for cybercriminals to exploit businesses and their customers.

MasterCard CEO Ajay Banga said merchants and payment processors have to work toward chip technology and tokenization to improve security. “We’ve got to get ahead of this as we go forward otherwise you’re going to have [more breaches like Neiman Marcus and Target]. The more often it happens, the worse it feels.”

Chris McWilton, MasterCard’s president of North American markets, wrote to merchants, reminding them that a “liability shift” is in the works. Merchants not upgrading to a safer technology would be responsible for paying for defrauded customers.

One of those technologies, writes Christina Rexrode on marketwatch.com, is the EMV (Europay, MasterCard, Visa) chip, which is “sometimes called ‘chip and PIN’ or ‘chip technology’ [and is] supposed to be harder to copy than cards with only magnetic stripes.”

Visa’s CEO Charlie Scharf says he’s seen “a large number of the big merchants” commit to chip technology and “a number of the banks” already issuing chip cards.

Banga says, “Everyone needs to be on the bandwagon. Banks need to be there, merchants need to be there, governments are clearly there. We need to get the networks there and the acquirers there, and I think there’s a lot of progress on that front.”

Rexrode writes that “in markets where chip technology was installed, MasterCard [reported] it saw a 60% to 80% decrease in counterfeit fraud.” And, while chip technology would not have prevented a data breach like the one Target suffered, MasterCard’s Banga said chip technology would make stolen data, “much, much, much less valuable to a fraudster, because it’s tough to counterfeit the card, and it’s almost impossible to duplicate all the unique data that flows for that transaction to get approved.”

Tokenization is another safeguard that MasterCard, Visa and American Express are urging be adopted. Tokenization lets customers shop online without entering their account numbers, which are replaced by other identifiers known as tokens.

ThreatMetrix secures Web transactions against account takeover, payment fraud, identity spoofing, malware, and data breaches. The ThreatMetrix Global Trust Intelligence Network, which analyzes 500 million monthly transactions, provides context-based authentication and Web fraud prevention to help companies accelerate revenue, reduce costs and eliminate friction. ThreatMetrix protects more than 160 million active user accounts, 2,500 customers and 10,000 websites across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government, and insurance. For more information, visit www.threatmetrix.com or call 1-408-200-5755.
