EMV Chips Are a Good Idea. Right?

Posted on May 22nd, 2015 by Dan Rampe

With Wholesale Adoption Just Months Away, EMV Chips Show Downsides Cybercriminals Can Exploit to Defraud CNP Merchants

Is it the law of unintended consequences, Murphy’s Law, or some other cosmic statute that insists on a downside to just about every creation from bathtubs to beer?

Take the bathtub. Here is a device without which civilized society could not live in harmony (or at least proximity). Even this most benign and useful of objects has a downside. According to the United States Centers for Disease Control and Prevention (CDC), about two-thirds of accidental injuries happen in the bathtub or shower. (Yes, we looked it up.) Beer? Well, the Yin and Yang of beer is fairly self-evident – especially for people who’ve slipped in the bathtub after consuming too much of the stuff.

The EMV chip’s negatives

The EMV chip, which most security experts agree will slash fraud at the register or point of sale (PoS), also has its downside. In a recent news release titled “Six Months Ahead of EMV Chip Deadline, ThreatMetrix Offers Strategies to Protect Against Expected Increase in Online Fraud,” Alisdair Faulkner, ThreatMetrix chief products officer, observed, “From a consumer perspective, the shift to EMV is good news as it will make it harder for cybercriminals to counterfeit credit cards and conduct fraudulent purchases in stores. But from an online merchant perspective, as it becomes more difficult for cybercriminals to monetize on counterfeit cards, their goals are now going to shift to use [of] stolen credit card data through online channels. Right now – ahead of the October deadline – is the time for retailers to start implementing systems that look at cybercrime in context to combat the growing breadth and intelligence of fraud following the widespread adoption of EMV in the U.S.”

A note of caution sounded about EMV at the CardNotPresent.com Annual Conference and Expo

In his article on digitaltransactions.net, and based on interviews with key participants at the Conference and Expo, Kevin Woodward reports on types of fraud the EMV chip could foster. The following has been excerpted from his piece and edited to fit our format. You may find the full article by clicking on this link.

Stolen in transit

Though credit and debit issuers are staggering their chip card issuance, there remains a risk that criminals could intercept these mailings and use the cards to commit fraud, said Jackie Barwell, director of fraud product management at ACI Worldwide Inc., a … vendor of online payment security services.

One major concern of hers is that in the United States, EMV chip cards are active when mailed to cardholders, making them vulnerable to criminals who might steal them from mailboxes.

Online fraud to dramatically increase

“The challenge that comes with EMV moving forward, especially for card-not-present, is that fraud will dramatically increase,” said Terry Dooley, executive vice president and chief information officer for …Shazam Inc., a regional PIN-debit network.

Instead of criminals walking into a store to attempt to make a fraudulent transaction, they’ll go online….

Only 3 percent use 3D Secure technology to help reduce risk

Operated as Visa Inc.’s Verified by Visa and MasterCard Inc.’s SecureCode, 3D Secure systems try to replicate the point-of-sale experience by prompting cardholders to enter a secret code in a pop-up window when checking out from a retailer’s site. The measure is meant to reduce fraudulent online transactions.

“Only 3% of merchants use 3D Secure,” said Tricia Lines Hill, senior vice president of business development and marketing communications at First Atlantic Commerce, a…payment processor. “This has to change when EMV rolls out.”

Friction at the checkout hinders 3D Secure adoption

Many merchants balked at using the technology because they viewed it as disruptive to the checkout process, and not enough of their shoppers had payment cards that supported the technology.

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions leveraging a global shared digital identity network and real time customer driven analytics platform.  These solutions help customers differentiate between trusted users and potential fraud resulting in reduced friction, incremental revenue and lower fraud and operational costs.

ThreatMetrix secures customers against account takeover, payment fraud, fraudulent account registrations resulting from malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over one billion monthly transactions and protects more than 250 million active user accounts across 3,000 customers and 15,000 websites and mobile applications. ThreatMetrix is deployed by industry leaders across financial services, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blog, Facebook, LinkedIn and Twitter pages.

ThreatMetrix Announces the “ThreatMetrix Cybercrime Report: Q1 2015,” Sees Cybercrime Surge on Backs of Breaches

Posted on May 6th, 2015 by Dan Rampe

The Report Examines Cybercrime Attacks Detected by the ThreatMetrix® Digital Identity Network, Which Analyzes More Than One Billion Transactions Monthly

San Jose, CA – May 6, 2015 – ThreatMetrix®, the fastest-growing provider of context-based security and advanced fraud prevention solutions, today announced the availability of its “ThreatMetrix® Cybercrime Report: Q1 2015,” which examines cybercrime attacks detected by the ThreatMetrix® Digital Identity Network during Q4 2014 and Q1 2015. These attacks were detected during real-time analysis and interdiction of fraudulent online payments, logins and new account registrations.

During this period, the ThreatMetrix Digital Identity Network analyzed more than six billion transactions, with nearly one-third originating from mobile devices, and protected more than 250 million active user accounts across 3,000 customers and 15,000 websites. Through its analysis of the top customer transactions across industries, the ThreatMetrix Digital Identity Network provides unique insight into legitimate end customers’ “digital identities,” even as they move between applications, devices and networks and highlights some representative key market trends.

The number of attacks on businesses is trending up as crimeware tools gain traction, giving fraudsters the means to automate cybercrime attacks that leverage the customer data made available from breaches. As such, the ThreatMetrix Digital Identity Network is seeing more and more traffic that is cloaked, that is, traffic in which the identity is masked. This is especially true for new account creations, wherein the fraudsters use stolen identities with these tools to defraud businesses. Mobile fraud also proliferates as more users carry out transactions on their devices, with device spoofing now becoming the most popular attack vector.

Strong Growth in Online and Mobile Commerce Along with Fraud

The report highlights the trends in the 2014 holiday shopping season, which was a period of record online transactions and an unprecedented number of attacks. These attacks are directly associated with the growing data breaches over the past year. Impersonation or “spoofing” attacks are now the most common threat, and ThreatMetrix identified more than 11.4 million fraud attempts during peak holiday shopping. The “ThreatMetrix Cybercrime Report: Q1 2015” is the first of its kind to analyze how stolen and compromised identities are used for cybercrime.

Trust is critical for customer loyalty and e-commerce merchants had a spike in account login transactions as customers revisited retailers to view offerings/deals and make purchases. While new account creation rates were lower than other transaction types, they had two times higher instance of fraudulent transactions driven by the availability of stolen identities in the wild from massive breaches. E-commerce transactions broken down consist of the following percentages and risks:

  • One percent of transactions were account creation, with 6.7 percent high risk
  • 80 percent of transactions were account logins, with 2 percent high risk
  • 19 percent of transactions were payments, with 2.6 percent high risk

“In the wake of recent data breaches, customers’ digital debris is floating in the cyber world for fraudsters to compromise, making accurate insight into digital identities of the utmost importance for businesses, especially in the e-commerce industry,” said Vanita Pandey, senior director, strategy and product marketing at ThreatMetrix. “ThreatMetrix data shows an upswing in account takeover and identity spoofing attacks following recent massive data breaches. While guest checkouts previously represented the highest risk, due to the breadth of digital debris at cybercriminals’ fingertips, fraudsters are much more likely to use a stolen username and password combination than to use compromised credit card information, which has a shorter life span. As the volume of e-commerce transactions increase, it gives cybercriminals more places to poke and exploit. Retailers need to leverage a digital identity network to get a comprehensive view of customers to accurately differentiate between trusted and fraudulent transactions.”

Cybercrime Surges Across All Transaction Types in the Financial Services Industry

In addition to e-commerce, the “ThreatMetrix Cybercrime Report: Q1 2015” examines financial services transactions and authentication attempts. While online banking authentication transactions continue to dominate the financial services industry, payment transactions increased during this period, driven by the increasing adoption of alternate payment methods and bankcard authentication solutions and by an increase in online money gifting during the holiday season. The impact of breaches and consumer credentials in the wild is more evident in the financial services industry, with a substantial increase in fraud rates across all transaction types. Financial services transactions broken down consist of the following percentages and risks:

  • One percent of transactions were account creation, with 2 percent high risk
  • 76 percent of transactions were account logins, with 2.6 percent high risk
  • 23 percent of transactions were payments, with 3.2 percent high risk

“On the backs of major data breaches, we’re seeing a trend in cybercriminals using more sophisticated, automated crimeware tools that are deliberately targeting first generation device identification and authentication solutions used by most financial institutions,” said Pandey. “Fraudsters are shifting from exploiting hardware and software to exploiting people – taking bits and pieces of their digital identities that have been compromised through breaches, and attempting to make transactions disguised as those individuals. As cybercriminals move to exploit financial institutions, those businesses need a more sophisticated view of their users. They need to look at their customers’ behaviors, devices and identities as a whole – the ultimate behavioral biometric.”

In both the e-commerce and financial services industries, businesses must prepare for the growth of new in-store technologies such as Europay-MasterCard-Visa (EMV) and Apple Pay with the wide adoption of the Apple Watch and other connected devices (IoT). As these technologies cut down point-of-sale fraud, the attacks will move to the online channel. Global shared intelligence will be crucial as businesses prepare for the 2015 holiday season.

Media Industry Continues to See Highest Percentage of High-Risk Transactions

The analysis of transactions from the media industry, consisting of social media, content streaming and online dating websites, shows strong growth in payment transactions through media organizations, while the overall fraud levels continue to be higher than in other industries. Illegal access to content outside of approved geographies, combined with spamming and fraudulent bot-driven account creation, represents the key driver of fraudulent transactions in the media space. Broken down, media transactions consist of the following percentages and risks:

  • 22 percent of transactions were account creation, with 3.8 percent high risk
  • 26 percent of transactions were account logins, with 6.2 percent high risk
  • 52 percent of transactions were payments, with 4 percent high risk

“From a fraudster’s perspective, social media is the gas station of the connected world,” said Pandey. “It provides a quick and easy way to assess the validity of a stolen credit card or credentials. The media industry has the highest incidence rate of high-risk transactions due to the low authentication threshold – often only consisting of a username and password combination. These identities are easily compromised, especially following a significant number of data breaches, as many people use the same login credentials across websites.”

Mobile Represents One-Third of All Activity in The ThreatMetrix Digital Identity Network

Mobile usage represents nearly one-third of all activity on the ThreatMetrix Digital Identity Network and continues to grow as more and more consumers use their mobile phone, tablets and connected devices (such as the Apple Watch) to access content, make purchases, conduct banking transactions and pay bills.

ThreatMetrix analyzes mobile transactions from more than 200 countries and territories across the globe, with consumers from emerging economies conducting a much higher percentage of transactions from mobile devices. The report found that the growth in mobile brought more mobile attacks, with spoofing being most prevalent. However, the attack volumes are still lower than desktop as mobile devices are not conducive to massive fraud attacks.

“While desktop fraud still dominates, as mobile usage continues to grow, especially in emerging markets, the channel will eventually see new, sophisticated criminals targeting mobile transactions,” said Pandey. “With businesses focused on lowering consumer friction on mobile, fraudsters are increasingly targeting mobile platforms and devices to spoof identities. Businesses need to be prepared for an uptick in spoofing attacks as mobile continues to grow.”

Device Spoofing Remains Top Attack Vector

Leveraging activity across industries, mobile and desktop, the report also identified the top attacks by transaction type and found spoofing (of IP address, geolocation, identity and device) to be the most common attack type across all transaction attempts. Device spoofing remains the top attack vector, with more than six percent of transactions. As crimeware tools gain traction, the ThreatMetrix Digital Identity Network is seeing more and more traffic that is cloaked, especially for new account creation, wherein the fraudsters use stolen identities along with these tools to defraud businesses.

Cybercrime continues to be a well-funded, organized business with sophisticated technology and strong knowledge sharing across organized crime rings, nation states, and decentralized cyber gangs. Recent massive data breaches have resulted in an increase in attacks targeted towards businesses across all regions and industries. Cybercriminals continue to share information as well as develop tools that will help bypass the first generation fraud prevention solutions. The only effective solution for businesses is to share information about fraud trends across their customer bases to stop cybercriminals in their tracks. ThreatMetrix delivers advanced fraud protection, frictionless authentication, and customer protection through a real-time collective response using intelligence gathered from billions of transactions in the ThreatMetrix Digital Identity Network.

To learn more, download the “ThreatMetrix Cybercrime Report: Q1 2015” eBook

About ThreatMetrix

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions leveraging a global shared digital identity network and real-time customer driven-analytics platform.  These solutions help customers differentiate between trusted users and potential fraud resulting in reduced friction, incremental revenue and lower fraud and operational costs.

ThreatMetrix secures customers against account takeover, payment fraud, fraudulent account registrations resulting from malware, and data breaches. Underpinning the solution is the ThreatMetrix® Digital Identity Network, which analyzes more than one billion monthly transactions and protects more than 250 million active user accounts across 3,000 customers and 15,000 websites and mobile applications. ThreatMetrix is deployed by industry leaders across financial services, e-commerce, payments, social networks, government and insurance.

© 2015 ThreatMetrix. All rights reserved. ThreatMetrix, TrustDefender ID, TrustDefender Cloud, TrustDefender Mobile, TrustDefender Client, the TrustDefender Cybercrime Protection Platform, ThreatMetrix Labs, and the ThreatMetrix logo are trademarks or registered trademarks of ThreatMetrix in the United States and other countries. All other brand, service or product names are trademarks or registered trademarks of their respective companies or owners.

Media Contacts

Dan Rampe
ThreatMetrix
Tel: 408-200-5716
Email: drampe@threatmetrix.com

Beth Kempton
Walker Sands Communications
Tel: 312-241-1178
Email: beth.kempton@walkersands.com

 

The Great Retailer vs. Credit Union Dust Up

Posted on May 5th, 2015 by Dan Rampe

A Retail Group Suggesting Slowing Implementation of New Secure Cards and Holding Off a Shift in Payment Fraud Liability Sets Off War of Words

The switchover to EMV cards is not a matter of black-and-white. Perhaps there aren’t fifty shades of gray, but there are definitely gray areas that need exploring. For instance, will cybercriminals abandon point of sale (PoS) fraud only to turn their attention to online fraud?

In a ThreatMetrix news release, “Six Months Ahead of EMV Chip Deadline, ThreatMetrix Offers Strategies to Protect Against Expected Increase in Online Fraud,” ThreatMetrix’s chief products officer advised that “from a consumer perspective, the shift to EMV is good news as it will make it harder for cybercriminals to counterfeit credit cards and conduct fraudulent purchases in stores. But from an online merchant perspective, as it becomes more difficult for cybercriminals to monetize on counterfeit cards, their goals are now going to shift to using stolen credit card data through online channels. Right now – ahead of the October deadline – is the time for retailers to start implementing systems that look at cybercrime in context to combat the growing breadth and intelligence of fraud following the widespread adoption of EMV in the U.S.”

And there are other issues that have cropped up like the one that has credit unions and retailers throwing verbal darts at each other. Specifically, who gets stuck with the tab when payment fraud does occur? In her piece on thehill.com, Elise Viebeck talks about what happened when the Food Marketing Institute (FMI) told card networks it would be a good idea to delay plans to shift liability for payment fraud to parties using “the least-secure” technology. The following has been excerpted from her piece and edited to fit our format. You may find the full article by clicking on this link.

The war of words begins

The letter [from FMI] prompted a fierce response from the National Association of Federal Credit Unions (NAFCU), which criticized the group’s request in a letter to top lawmakers. “FMI is more concerned about the cost of complying with the EMV standards and how quickly they can process transactions than it is about consumers and doing everything they can to protect their customers from future breaches,” wrote NAFCU President and CEO Dan Berger. “FMI’s delay tactic is remarkable given the extraordinary number of merchant and retailer breaches that have occurred in recent months.”

Oh yeah!

[The] Retail Industry Leaders Association (RILA) fired back at the NAFCU, accusing financial institutions of rolling out chip-and-signature cards as opposed to chip-and-PIN cards, which it called more secure. “Chip and PIN cards have become the mainstay in the rest of the industrialized world, sharply reducing fraud and cyber-attacks, while unfortunately making U.S. retailers and consumers the prime target for would-be hackers and credit thieves around the globe,” the group said. “NAFCU and others in the financial services industry have yet to adequately explain why they refuse to use readily available and proven technology to safeguard American consumers.” The RILA also said it has not called for a delay of the liability date.

The bottom line is who’s picking up the tab?

Financial institutions and retailers have long been at odds over who is responsible for data breaches and what should be done to fight them.

Visa Kicks Off 20-City Tour to Overcome Small Biz Resistance to EMV

Posted on March 17th, 2015 by Dan Rampe

Tour Explains How EMV Technology’s Benefits Outweigh Costs of Implementation

Following on the heels of American Express’s “Small Merchant EMV Assistance Program,” a $10 million campaign to speed up adoption of EMV payment terminals, Visa is launching its own “Small Business Chip Education Tour.” The idea behind both tours is to get small merchants on-board with EMV, which has faced resistance from some merchants because they can’t see the cost versus benefits of adopting the new technology.

One huge cost could be in NOT implementing EMV. That’s because as of October, if merchants haven’t upgraded their point-of-sale systems to accept EMV cards, and a card they’ve accepted is used for fraud, liability for that fraud will fall to either the bank or merchant who hasn’t done an upgrade.

To answer both negative and positive questions by small businesses about EMV and to explain the technology, Visa is kicking off a twenty-city tour beginning in Austin, Texas. An article on pymnts.com discusses the tour and what it aims to accomplish. The following has been excerpted from the pymnts.com article and edited to fit our format. You may find the complete piece by clicking on this link.

Merchants can speak with those who’ve already adopted EMV

[The tour launches at] the Greater Austin Hispanic Chamber of Commerce Small Business and Entrepreneurial Showcase, where guests will be able to speak with payments experts about payment and chip technology to better understand how it works. They will also be able to speak with merchants who’ve already migrated to the new tech to learn from firsthand experiences.

Topics addressed

The tour will cover topics such as how EMV technology is used to prevent data breaches that involve sensitive account data being attacked. Demonstrations will also be given on how the technology works.

Partnering with the U.S. Hispanic Chamber of Commerce

“For small businesses, running smoothly and protecting their customers is of top importance, particularly in the digital age,” said Javier Palomarez, the president and CEO of the U.S. Hispanic Chamber of Commerce.

Webinars available

To further its mission, Visa has used this event to partner with financial institutions, business groups, media organizations and consumer advocacy groups to create educational events across the U.S. This includes a stop in Orlando, Florida, on April 3. Webinars will also be available on Visa’s chip website.

Small merchants, biggest segment

“As the largest segment of merchants in the U.S., it’s critical that small businesses understand how chip technology works and what it means to the protection of their business and the data of their customers,” said Kim Lawrence, senior vice president of Corporate Initiatives at Visa.

Have EMV Terminals? American Express Has a Hundred Simoleons for You.

Posted on March 9th, 2015 by Dan Rampe

American Express Rolls Out a “Small Merchant EMV Assistance Program” to Help Speed up Adoption of EMV Payments

Have to clear up something for anyone who’s not exactly sure what simoleons are. Okay, they’re not a lost tribe of South Sea islanders discovered by Tim Cook using Google Earth who now do their tweeting on iPhones instead of conch shells. Also, they’re not anything you’d top with chipotle sauce – unless you wanted to put your money where your mouth is.

Simoleons are simply bucks, clams, ducats, greenbacks, smackers, i.e., dollars. And, as part of its Small Merchant EMV Assistance Program, American Express will give one hundred of those dollars to any U.S. merchant who’s already adopted EMV terminals. We should mention this is a one-time-only offer.

In her story on paymentweek.com, Melanie Macinas writes about additional facets of American Express’s $10 million campaign to speed up the adoption of EMV payment terminals. The following has been excerpted from her article and edited to fit our format. You may find the full article by clicking on this link.

Educational resources

Small merchants will also receive educational resources on EMV via email, telephone hotline, and website.

EMV ambassadors

American Express Fraud Squad ambassadors will also visit Atlanta, Houston, Miami, and New York City to personally meet with small merchants and discuss with them the advantages of EMV.

Many small merchants still unaware of EMV

[Anré Williams, President, Global Merchant Services, American Express, notes,]

“Unfortunately, many small merchants do not know about EMV or what they need to do to take advantage of it. We created the Small Merchant EMV Assistance Program to help them. By providing financial and educational assistance, we hope small merchants more quickly adopt EMV so they can ensure their customers feel safe when shopping at their stores.”

$9.5 Billion Being Invested to Make U.S. Smart-er

Posted on January 29th, 2015 by Dan Rampe

Report Says Smart Card Updates to 1.2M POS Card Readers and 7M Card-Reading Terminals to Cost $9.5B and Won’t Be Completed till 2018

The retail and payment card industries are committed to converting to Chip and PIN Smart Card technology by December 2015. However, a report by Homeland Security Research Corp (HSRC), a non-governmental marketing research firm, forecasts that it will take until 2018 for Chip and PIN to reach 80 percent of the market. In addition to pointing out this dichotomy, a discountedhotelrooms.org story featuring HSRC’s study discusses other key issues in the adoption of Chip and PIN technology in the United States. The following has been excerpted from the discountedhotelrooms.org article and edited to fit our format. You may find the complete article by clicking on this link.

U.S. only G-20 country using magnetic strips

As of January 2014, 95% of U.S. payment cards still use the 1970’s magnetic strip technology. This makes the U.S. the only G-20 country that uses this insecure technology, while more than 100 countries have converted their payment cards to the secure Chip & PIN smartcard technology by 2004.

France proves effectiveness of Chip and PIN

France…has cut face-to-face and ATM transaction fraud by more than 80% since the introduction of Chip & PIN EMV smartcards.

Major retailers committed to December 2015 implementation date

[Retail] chains such as Home Depot, Target, Walgreens and Walmart joined Visa and American Express and committed to replace the magnetic stripe cards and POS readers to the secured Chip & PIN technology by December 2015.

Feds lead in Chip and PIN

Signed on October 10th, 2014, President Obama’s “BuySecure” Executive Order lays out a new policy to secure payments to and from the federal government by applying Chip & PIN technology to newly issued and existing government credit cards, as well as debit cards like Direct Express, and by upgrading retail payment card terminals at federal agency facilities to accept chip and PIN-enabled cards.

Fastest growing private sector security market

According to the report, the U.S. Financial Services, Retail & Payment Cybersecurity Market is the largest and fastest growing private sector cybersecurity market.

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 850 million monthly transactions and protects more than 210 million active user accounts across 3,000 customers and 15,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blog, Facebook, LinkedIn and Twitter pages.

Are Banks Becoming the New Target?

Posted on January 2nd, 2015 by Dan Rampe

Will EMV Cards and Apple Pay’s Tokenization Have Hackers Shifting Their Focus and Resources from Retailers Like Target to Banks?

As a group, hackers are like rivers. No, we don’t mean they’re all wet. If we were looking for a negative descriptor, it would be a darn sight stronger than “all wet.” In any case, what we mean is that like rivers, they often follow the course of least resistance.

With the changeover from stripe cards to EMV chip-and-PIN and the introduction of new technology such as Apple Pay’s tokenization, which cuts down on the amount of consumer data stored by merchants, retailers have become tougher targets with less reward, i.e., data, for the cybercriminal’s efforts.

In her article on americanbanker.com, Penny Crosman interviews bankers and tech and security experts to provide an in-depth report on how hackers will adjust to the introduction of EMV, Apple Pay, etc. by shifting their attacks from retailers to banks and other online e-commerce. The following has been excerpted from her piece and edited to fit our format. You may find the complete article by clicking on this link.

Banks take into account new attacks

“How is that [hacking activity] going to stop now that we’ve got Apple Pay and EMV coming along? It’s not going to stop, it’s just going to move to the next likely target,” said James Gordon, chief technology officer at Needham Bank in Needham, Mass.

“Who has the numbers the hackers want? The banks,” Gordon said. “Before, it was the banks and the retailers, retailers just happened to be an easier target. Bankers need to be especially aware that this is just a shift in focus [on the hackers’ part] to banks, front and center.”

Being a target is nothing new

According to the Identity Theft Resource Center, 42 data breaches were carried out against banks in 2014. But other than the massive JPMorgan Chase breach, most of these have been smaller-scale breaches that have fallen under the general public’s radar.

Preparing for more attacks

At the $1.6 billion-asset Needham Bank, Gordon is preparing for EMV in two ways. One is by trying to limit the bank’s exposure to hackers.

“This is easier said than done, but if there are things that can get shut off that aren’t critical to the operation, shut them off,” he said. “If you have less exposed, you have less to watch.” For instance, he’s double-checking firewall rules to make sure nothing’s slipping through the cracks.

More security training

He’s also stepping up security training and education. “We need to stop telling people what’s going on and start showing them examples of [phishing] emails that look spot on, show people how easy it is to put an ATM skimmer on a device, show them videos, don’t just tell them it’s a ‘grave’ threat. We should stop using adjectives and start showing.”

Increase in hacking online transactions and CNP fraud

Neither EMV nor Apple Pay appears to protect online purchases where the consumer must enter [his/her] credit card information, pointed out Philip Smith, director of information technology at the $221 million-asset Harvard State Bank in Harvard, Ill.

“Since online transactions and card-not-present transactions cannot take advantage of the chip or tokenization, we will most likely see an increase in hacking and fraud in these transactions,” he said. “Hackers will continue to attack online merchants and online credit card wallets.”

Apple Pay rival under attack

[Hackers] have already attacked CurrentC, a merchant-backed rival to Apple Pay, stealing the email addresses of early participants. [Smith pointed out that,] “These email addresses [could] then be utilized for directed phishing attacks against those users in attempts to gain their confidential information.”

Threats to new account opening and account takeover

Al Pascual, director of fraud and security at Javelin Strategy & Research, also sees online and e-commerce fraud becoming a bigger risk with EMV adoption.

But the threat he envisions is more around new account opening and account takeover fraud.

“If you can’t steal card data at the point-of-sale, then the next best option is to go out and get the cards directly from the bank,” he said. “You either take over an existing account, and get cards mailed to you from that account, or you steal an identity and apply for an account.”

U.K. EMV adoption resulted in sharp rise in fraud and account takeovers

There was a dramatic rise in fraudulent new accounts and account takeovers in the U.K. when it adopted the EMV standard, Pascual said. “Certainly banks are going to want to be concerned about that, and improving their customer identity programs for new accounts.” They should also be taking advantage of advanced authentication technology.

“If I was a banker, I would really focus on existing account holders, because we’ve already seen this huge increase in account takeovers in the past few years,” he said.

Account takeover isn’t that different from what fraudsters are doing now, he said. “It’s more work and a slightly different MO but it doesn’t require any new tactics or a change in skill sets.”

Banks better prepared for hackers than retailers were

If hackers retrain their focus on banks, most would agree that financial institutions are better braced for attack than retailers have been.

“I’d say based on regulations and our fiduciary responsibility, banks are more secure,” Gordon said. He noted that in informationisbeautiful.net’s visualization of the world’s biggest data breaches, only one bank is associated with a major breach – JPMorgan Chase.

“The track record speaks for itself,” he said.

Unconventional Wisdom on EMV

Posted on November 24th, 2014 by Dan Rampe

Two Javelin Analysts Argue EMV Will Not Shift Cybercriminals’ M.O.s From P.O.S. to Online

Everybody knows that when EMV becomes the American standard next October, beaten cybercriminals will drop Point of Sale theft like a hot rock and take to the hills or try their collective hands at online fraud and thievery. P.O.S. crime goes down, online crime goes up. Everybody knows that, right? Wrong.

Two Javelin Strategy & Research analysts, Nick Holland, retail payments practice lead, and Al Pascual, fraud and security practice lead, just don’t buy into the conventional wisdom. In his piece on digitaltransactions.net, John Stewart explains the analysts’ reasons for bucking convention. The following has been excerpted from his piece and edited to fit our format. You may find the complete, unedited article by clicking on this link.

Sticking a pin in the balloon

“The balloon-squeezing mythology [squeeze a balloon at one end and it expands at the other] needed to be revisited with a fresh set of eyes. Does this idea that EMV forces fraud to other areas still hold water? We had our doubts.”

They’re heeere (Think the classic line from Poltergeist)

The “missing” factor, argue[d] Holland and Pascual…is the explosive growth of e-commerce. In other words, rapidly rising volume in this channel has already attracted plenty of fraudsters in recent years, a trend that will only continue with or without EMV in physical stores. “They’re already there,” [said] Holland. “They already leapt online years ago.”

Half of all transaction fraud online

To buttress their point, Holland and Pascual point to current e-commerce fraud statistics. In the United States, online traffic accounts for just 8.5% of all electronic-transaction volume, yet nearly half of all transaction fraud occurs online.

Multitasking

Fraudsters, in their nefarious way, tend to be multitaskers, attacking all forms of payments in all channels opportunistically. EMV has proven itself effective in other countries against counterfeit-card fraud at the point of sale. But to Holland and Pascual, the idea that criminals confine themselves to just that form of fraud, and then move on to card-not-present crime only when frustrated by EMV, is naïve.

e-Commerce fraud soaring

[e-Commerce] fraud in the United States is due to soar, even if the move to EMV will have little to do with it. If volume drives fraud, and if, as predicted by Javelin, online volume grows to more than 10% of all e-payments within three years, then card-not-present fraud can only grow much worse. “Card-not-present fraud is already very big and will get bigger,” warns Holland.

Same-day delivery delivers fraud

Exacerbating this problem, he says, is the nascent trend toward same-day or even faster delivery. While this trend promises greater convenience for consumers, it opens new opportunities for fraudsters with stolen payment credentials, Holland warns.

“Increasingly, you’ve got this situation where you’re shopping locally but accessing inventory globally,” he notes. “[There’re] clearly avenues of fraud there, particularly when you’re getting the goods within hours. Certainly, the time between instigating payment and the delivery of the goods is short and rapidly truncating. The fraud-mitigation response needs to be tailored to that.”

The EMV Cards That Never Were

Posted on October 29th, 2014 by Dan Rampe

U.S. Banks Received Tens of Thousands of Dollars Charged on EMV Cards — Despite Not Having Sent Customers Chip-Enabled Cards!

During World War II, British intelligence used a real dead body to create a fictitious Royal Marine Major William Martin. The body was dropped in the sea by a submarine and washed ashore on a Spanish beach where it was hoped it would fall into the hands of German intelligence. Attached to the body was a briefcase containing letters falsely stating that an Allied attack would be launched against Sardinia and Greece rather than Sicily, where the invasion took place.

Operation Mincemeat, the macabre name given to the highly successful ruse which may have saved thousands of Allied lives, was turned into a book and movie titled, The Man Who Never Was. Now, Brian Krebs on his blog, KrebsonSecurity.com, relates the story of the EMV Cards that never were and the very real fraudulent credit and debit card transactions that could cost financial institutions in the USA and Canada tens of thousands of dollars. The following has been excerpted from Krebs’ blog and edited to fit our format. You may find the complete, unedited article by clicking on this link.

Card data compromised as part of Home Depot breach

[At] least three U.S. financial institutions reported receiving tens of thousands of dollars in fraudulent credit and debit card transactions coming from Brazil and hitting card accounts stolen in recent retail heists, principally cards compromised as part of the breach at Home Depot.

[All the charges were] submitted through Visa and MasterCard’s networks as chip-enabled transactions, even though the banks that issued the cards [hadn’t] begun sending customers chip-enabled cards.

Charges difficult to dispute

Banks usually end up eating the cost of fraud from unauthorized transactions when scammers counterfeit and use stolen credit cards. Even so, a bank may be able to recover some of that loss through dispute mechanisms set up by Visa and MasterCard, as long as the bank can show that the fraud was the result of a breach at a specific merchant (in this case Home Depot).

However, banks are responsible for all of the fraud costs that occur from any fraudulent use of their customers’ chip-enabled credit/debit cards — even fraudulent charges disguised as these pseudo-chip transactions.

Replay attacks

According to [one bank Krebs spoke with], MasterCard officials explained that the thieves were probably in control of a payment terminal and had the ability to manipulate data fields for transactions put through that terminal. After capturing traffic from a real EMV-based chip card transaction, the thieves could insert stolen card data into the transaction stream, while modifying the merchant and acquirer bank account on the fly.

Bad EMV implementation at Canadian bank

Avivah Litan, a fraud analyst with Gartner Inc., said banks in Canada saw the same EMV-spoofing attacks emanating from Brazil several months ago. One of the banks there suffered a fairly large loss, she said, because the bank wasn’t checking the cryptograms or counters on the EMV transactions.

“The [Canadian] bank in this case would take any old cryptogram and they weren’t checking that one-time code because they didn’t have it implemented correctly,” Litan said. “If they saw an EMV transaction and didn’t see the code, they would just authorize the transaction.”

Litan said the fraudsters likely knew that the Canadian bank wasn’t checking the cryptogram and that it wasn’t looking for the dynamic counter code.

It appears with these attacks that the crooks aren’t breaking the EMV protocol, but taking advantage of bad implementations of it.
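The issuer-side checks Litan describes as missing can be sketched as follows. This is an added example, not code from Krebs, Gartner or any bank: the card records, PANs and result strings are constructed, and HMAC-SHA256 stands in for the real EMV cryptogram algorithm, which is not reproduced here.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

NO_CHIP_PAN = "4000000000000001"  # constructed: issuer has not sent a chip card
CHIP_PAN = "4000000000000002"     # constructed: chip card has been issued

@dataclass
class CardRecord:
    chip_issued: bool        # did the issuer ever send this customer a chip card?
    card_key: bytes = b""    # per-card secret shared by chip and issuer (stand-in)
    last_counter: int = 0    # highest transaction counter already accepted

@dataclass
class AuthRequest:
    pan: str
    amount_cents: int
    entry_mode: str                      # "chip" or other, as claimed by the terminal
    counter: Optional[int] = None        # the card's dynamic transaction counter
    cryptogram: Optional[bytes] = None   # the one-time code for this transaction

def sample_cards():
    """Constructed issuer database with one card of each kind."""
    return {
        NO_CHIP_PAN: CardRecord(chip_issued=False),
        CHIP_PAN: CardRecord(chip_issued=True,
                             card_key=b"constructed-demo-key", last_counter=6),
    }

def expected_cryptogram(key, pan, amount_cents, counter):
    """Stand-in one-time code: a MAC binding card, amount and counter."""
    msg = f"{pan}|{amount_cents}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

def authorize_lenient(req, cards):
    """The flawed behaviour from the article: any 'chip' message is authorized."""
    return "APPROVE" if req.pan in cards else "DECLINE:unknown-card"

def authorize_strict(req, cards):
    """Checks the terminal's chip claim against what the issuer can verify."""
    card = cards.get(req.pan)
    if card is None:
        return "DECLINE:unknown-card"
    if req.entry_mode != "chip":
        return "REFER:non-chip-rules"  # other fraud controls apply; out of scope
    if not card.chip_issued:
        # A chip transaction on a card that has no chip cannot be genuine.
        return "DECLINE:chip-claimed-but-no-chip-issued"
    if req.counter is None or req.cryptogram is None:
        return "DECLINE:missing-cryptogram-or-counter"
    want = expected_cryptogram(card.card_key, req.pan, req.amount_cents, req.counter)
    if not hmac.compare_digest(want, req.cryptogram):
        # Captured code pasted onto different card data or a different amount.
        return "DECLINE:bad-cryptogram"
    if req.counter <= card.last_counter:
        # A valid code seen before: the counter must move forward every time.
        return "DECLINE:counter-not-fresh"
    card.last_counter = req.counter  # remember it only after every check passes
    return "APPROVE"
```

The lenient function approves a "chip" transaction on a card that was never issued with a chip, which is the loss pattern the banks reported; the strict one declines it before the cryptogram is even considered.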

Cybercriminals kept doubling down

[It] appears that the largest share of those phony transactions were put through using a payment system called Payleven, a mobile payment service popular in Europe and Brazil that is similar in operation to Square. Most of the transactions were for escalating amounts — nearly doubling with each transaction — indicating the fraudsters were putting through debit charges to see how much money they could drain from the compromised accounts.

Important to set up EMV properly

[Litan observes] “A lot of banks will loosen other fraud controls right away, even before they verify that they’ve got EMV implemented correctly. They won’t expect the point-of-sale codes to be manipulated by fraudsters.”

Chips Ahoy! It’s in the Cards.

Posted on June 19th, 2014 by Dan Rampe

By the end of 2015, microchips will be embedded in most U.S. credit cards as issuers go full-speed ahead to EMV standard

EMV chips are on the horizon. By the end of 2015, they’ll be in the hands of the majority of Americans. The Aite Group, an independent research and advisory firm that focuses on business, technology and regulatory issues, projects that 70 percent of all U.S. credit cards, and roughly 41 percent of debit cards (1.1 billion total) will be EMV-enabled by the end of 2015.

As reported by Jaikumar Vijayan, who covers data security and privacy issues; security legislation and regulations; online, mobile and wireless security and more for Computerworld, 18 of the top 40 credit and debit card issuers, including 7 of the top 10 banks, are going ahead with EMV implementation plans.

The Aite Group’s research director, Julie Conroy, observes that “A majority of Americans will have EMV cards in their wallets by the end of 2015.”

While replacing striped credit and debit cards with new EMV credit and debit cards on the surface appears straightforward, there’s a lot more to it. In his story on computerworld.com, Vijayan looks at the factors and actors involved in implementing the new technology. The following has been edited to fit our format. You may find the full article by clicking on this link.

Americans will simply sign

[Unlike] many other countries where EMV cardholders are required to enter a Personal Identification Number (PIN) for in-person transactions, just a signature will be required in the U.S.

In fact, 13 of the 18 banks reviewed by Aite plan to issue EMV cards that require only a signature. Just one bank currently plans to issue EMV cards with a PIN requirement, while four have not decided what route to take, Conroy said.

Implementation timeline

Visa and MasterCard currently require U.S. retailers to implement technology for supporting EMV transactions no later than October 2015. However, they do not require card issuers or merchants to require PINs.

After the October 2015 deadline, merchants that do not have EMV infrastructure in place will face greater liability exposure in the event of a data breach.

The price of EMV

The move to EMV is expected to cost U.S. retailers and banks several billion dollars. An estimated 13 million point-of-sale systems around the country have to be upgraded or replaced to support EMV transactions.

Conroy expects that big banks will spend around $1.30 for each EMV card while smaller banks could pay between $3 and $5 per card. Banks and financial companies will also need to replace or upgrade ATM machines to support EMV.

To PIN or not to PIN

Some retail groups have expressed concern over the lack of a PIN requirement. The National Retail Federation, for instance, argues that the true security benefits of EMV technology can only be realized with a PIN. They have noted that while a signature-based EMV card will help address some kinds of fraud, such as that involving cloned cards, it can’t stop crooks using card-not-present tactics in online or phone transactions.

Not everybody’s onboard

The NRF suggests that instead of spending billions on the current U.S. EMV plan, credit card companies require other approaches, such as end-to-end encryption of card data or a PIN requirement for all transactions.

Migration is well underway

“Aite’s projections provide another important data point that the migration from magnetic stripe to chip technology is well underway,” said Ellen Richey, Visa’s chief enterprise risk officer.

“By the end of next year, chip cards should be very real for consumers, and when widely adopted will have a dramatic impact on counterfeit fraud rates,” she said in an email.

ThreatMetrix® builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 500 million monthly transactions and protects more than 160 million active user accounts across 2,500 customers and 10,000 websites.
