Archive for October, 2010

Last week saw a number of stories involving social media sites and their privacy policies. Recent news stories have warned us about applications that may share our personal data with third-party companies, about hiding pictures of our exes, and now that applications may “out” people. In the payments industry there is a tendency to think about privacy issues only as they relate to financial privacy. For companies and individuals, though, it is important to take a more comprehensive view of privacy. For companies, the recent focus on the protection of payment data can make it difficult to recall that there is a wide variety of personal information contained on our corporate networks. In addition to the names, addresses, emails, purchase histories and account numbers of clients and customers, organizations store social security numbers, banking information (direct deposit), and other information about employees. For individuals, it is important to consider what information is being divulged, what rights the company has to use that data, and with whom that data is being shared.

The news stories referenced in the past week detail the uncertainty around privacy policies and the sharing of information. Facebook, in answer to allegations contained in the Wall Street Journal article, reiterated its privacy policies and the transparency of its practices. The challenge that faces any organization conducting business on the internet is the perception of its privacy practices. Facebook contends that its privacy policies are perfectly acceptable and that it adheres to those posted policies exactly. That may well be the case. I certainly have no knowledge of any intent to share data without appropriate consents from the individuals involved. However, the fact that the privacy policies as posted may not be immediately clear to individuals using the site puts the company in an uncomfortable situation.

In doing any research on privacy, it is likely that one would come across the “Fair Information Principles.” These are critical considerations in the creation and implementation of information practices. The Federal Trade Commission (FTC) has listed several tenets of Fair Information Practices on its website. Among the five principles is “Choice/Consent.” In order for a consumer to make a meaningful choice in the use of their information, the policy must be clear. The consumer must be able to clearly understand the policy in order for the consent to be informed and meaningful. Simply put, if a consumer cannot understand the privacy policy of the site, any consent that they provide to share their personal information is uninformed and, therefore, insupportable. That is not to say that the consumer is not intelligent enough to understand the policy, but that many policies have been written in “legalese,” rendering them extremely difficult to understand.

What can be done, as an individual or as a company, to protect private information? As an individual, it is often tempting to click through user agreements and terms and conditions just to get through them. Doing that, though, may mean that you have given consent to share information that you would rather the company not share. Reading privacy policies and deciding what information you’d like to share and how that information should be shared can go a long way towards protecting your individual privacy. Further, if a privacy policy is so convoluted as to be almost incomprehensible, you may want to consider carefully whether you would consent to it at all. When in doubt, “opt out.”

For companies, a general rule of thumb may be that a comprehensible privacy policy is a defensible privacy policy. Ensuring that the privacy policy clearly communicates what data will be shared, with whom, and in what ways is critical to avoiding costly privacy litigation. There are a number of frameworks that can be used as a guide for creating and implementing privacy policies. The FTC, referenced above, has its Fair Information Principles. The AICPA provides Generally Accepted Privacy Principles, while the OECD offers guidance for transborder information flows.

Dr. Heather Mark, PhD.  SVP of Market Strategy

There is often confusion about what constitutes ID theft as opposed to fraud. Adding to the often confusing statistics are the scores of reports, surveys, and other publications released on a nearly daily basis that often seem to use the two terms interchangeably. Arguably, there is often a fine line between the two concepts, but it is important to know the differences.

Fraud can be defined most easily as “deception used for gain.” If I lie to you to trick you into turning over your password, I have employed fraud in that I deceived you for my own gain.

Credit card fraud (or debit card, charge card, etc.) is simply the unauthorized use of a card for financial gain. The deception takes place when I pretend I am authorized to use the card. If I steal your credit card while you are at yoga class and use it to purchase some cool new sunglasses, then I have perpetrated credit card fraud. I did not perpetrate ID theft. In the same way, if I “skim” the credit card data while you are paying for dinner and manufacture a counterfeit card to then buy my sunglasses, I have perpetrated credit card fraud. I have also perpetrated other crimes, but for the purpose of this blog post we will limit the discussion.

ID theft is the assumption of another’s identity to further criminal activity. Expanding upon the example above, if I steal your Social Security Number and driver’s license and then assume your identity to contact the bank that issued your credit card and add myself as an authorized user, I have perpetrated ID theft. If I then use the credit card, I have also perpetrated credit card fraud. The credit card fraud in this case is an indicator of the ID theft. After someone has assumed the identity of a person, they may open credit card accounts, take out loans, or steal healthcare services. It should be noted that the assumption of an identity may only be for a brief or very specific purpose; it does not generally mean that one person is living their life as another, although this also has happened.

John Summers, a project officer at FinCEN and a lead on FinCEN’s report, “Identity Theft: Trends, Patterns and Typologies Reported in Suspicious Activity Reports,” sums it up best when he says: “Identity Theft is a crime facilitator.” “People don’t steal identities just to steal identities,” Summers says. “They do it to commit a crime and get the money.”

A quick read through the report highlights some interesting statistics. As an example, the SAR report indicates that 27.5% of ID theft victims knew the suspected thief. This was either a family member, friend, acquaintance or employee working in the victim’s home. The report also indicates a shift away from identity theft to perpetrate credit card fraud and toward ID theft to facilitate mortgage loan fraud and consumer loan fraud. The report does state, however, that credit card fraud was the most prevalent type of ID-theft-facilitated fraud in the report.

While certainly nobody wants to have their credit card stolen and used fraudulently, credit card fraud is much easier to address than identity theft. US federal law limits consumer liability to $50 for fraudulent charges, and most of the card brands have “zero liability” clauses. ID theft, however, can be much more expensive and challenging to address.

To identify both credit card fraud and ID theft, ensure that you check your credit report regularly and check your various card and bank accounts. Suspicious activity (such as unauthorized charges) may be an indicator that someone has stolen your identity.

Chris Mark, EVP; Data Security & Compliance

As companies scramble to shore up their defenses against cybercriminals, the criminals are responding in kind. Over the past several years, malicious software has taken center stage in the fight to steal sensitive data. Data thieves are continually revising their tools and tactics to exploit vulnerabilities in security. The web browser is once again at the forefront of the fight. Disturbingly, the criminals are often managing to stay one step ahead of companies.

Trusteer reported today that they have identified and analyzed a new version of the very dangerous Zeus financial malware. Zeus (Zbot) is a trojan designed specifically to capture banking and other information, which is then used for fraud. In an earlier report, Trusteer outlined how Zeus was injecting fraudulent Verified by Visa and MasterCard SecureCode pages into financial institution websites and obtaining user credentials, which were then used to bypass those control systems.

Trusteer’s analysis of Zeus version 2.1 shows that the developers have upgraded the code to create a much more flexible and dangerous version. According to Trusteer, the new capabilities include:

  • URL matching based upon a full implementation of the Perl Compatible Regular Expressions library (PCRE). As an example, Zeus can now target all URLs that start with HTTPS and zero in on those that contain specific digits or keywords.
  • The injection mechanism has been upgraded to use PCRE as well. This helps avoid detection by allowing the malware to inject into very specific pages without injecting into other pages.
  • Zeus has been upgraded with a more fine-grained ‘grabbing’ mechanism which allows it to extract very specific areas of the page (e.g. account balance).
  • Finally, Zeus has been upgraded with a 1024-bit RSA public key, which is likely used for one-way encryption and for authenticating the command and control server to Zeus clients.

The increasingly sophisticated features being added to the malware should provide some indication of how profitable fraud can be. The Zeus developers have a refined R&D capability which allows their product to stay ahead of competing malware products such as Bugat, Clampi, and SpyEye. More troubling is the fact that modern anti-virus products appear to have limited ability to detect Zeus. As stated by Trusteer: “This version of Zeus is extremely elusive and virtually undetectable by antivirus products.”

Chris Mark, EVP; Data Security & Compliance

The fight against fraud requires all people involved in a transaction to be vigilant. Fraud can mean an assortment of offenses, for example, using a stolen credit card that you are not authorized to use to make a purchase. Merchants also commit fraud when they do not fulfill their customers’ orders.

ProPay has systems in place that monitor transactions and accounts continuously. Through this procedure, ProPay is able to help prevent fraudulent transactions and help protect our merchants. However, it is imperative that our merchants also actively monitor and review their transactions.

There are a few simple tasks that can help protect a merchant from becoming the victim of fraud. First, make sure you obtain the cardholder’s billing address. You will want to use that address when processing the transaction. With each transaction you process, you will receive an AVS (Address Verification Service) code. This code tells you whether or not this is the address the cardholder’s bank has on file for the account. The second step is to make sure you always ship to the verified billing address. If you receive an AVS code of ‘N’, it is recommended that you reach out to your customer to get the correct billing address prior to fulfillment. We also recommend shipping with delivery confirmation. Having as much documentation as possible for each processed transaction will help you fight a possible chargeback to the account. A third step is to enter the card verification value 2, CVV2, for each transaction. This number is found on the back of the card and is another source which can be verified through AVS. The AVS codes are listed below for your reference.

Fraudulent activity is a constant factor and requires not only merchants but also processors to be dedicated to fighting the trend of data thieves capturing sensitive information. Fraud is not limited to only a couple of processors and only some merchants. ProPay is constantly working to prevent fraud from causing losses to our merchants. This is an ongoing fight and not one that ProPay will ever take lightly.

If you would like ProPay to work with you to verify the billing address for a credit card, please contact our knowledgeable and friendly customer service at 1-866-573-0951.

AVS Code   Definition
--------   ----------------------------------------------------------------
A          Street address matches, but 5-digit and 9-digit postal code do not match.
N          Street address and postal code do not match.
Y          Street address and 5-digit postal code match.
Z          Street address does not match, but 5-digit postal code matches.
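As an added example (not ProPay's code), the following merchant-side check turns the three steps and the AVS codes above into a fulfillment decision: hold on a ship-to address that differs from the verified billing address, contact the customer on an 'N', review partial matches or a missing CVV2, and ship only on a full match. The Transaction record, the action names and the sample orders are constructed for this example.

```python
# Added example (not ProPay's code): a merchant-side fulfillment check that applies
# the AVS guidance above. The AVS codes are the four listed in the post; the
# Transaction record, the action names and the sample orders are constructed here.
from dataclasses import dataclass

# AVS result codes as listed in the post.
AVS_DEFINITIONS = {
    "A": "Street address matches, but 5-digit and 9-digit postal code do not match.",
    "N": "Street address and postal code do not match.",
    "Y": "Street address and 5-digit postal code match.",
    "Z": "Street address does not match, but 5-digit postal code matches.",
}

@dataclass
class Transaction:
    order_id: str
    avs_code: str          # AVS code returned with the authorization
    billing_address: str   # billing address the cardholder gave (what AVS checked)
    ship_to_address: str   # address on the fulfillment record
    cvv2_provided: bool    # CVV2 was entered with the transaction

def fulfillment_decision(txn: Transaction) -> tuple[str, str]:
    """Return (action, reason) before an order is shipped.
    'ship'    full AVS match, shipping to the verified billing address
    'contact' AVS 'N': get the correct billing address before fulfillment
    'hold'    ship-to address differs from the verified billing address
    'review'  partial AVS match, missing CVV2, or an unrecognized code
    """
    code = txn.avs_code.strip().upper()
    if code not in AVS_DEFINITIONS:
        return "review", f"unrecognized AVS code {code!r}"
    if code == "N":
        return "contact", AVS_DEFINITIONS["N"]
    # Second step in the post: always ship to the verified billing address.
    if txn.ship_to_address.strip().lower() != txn.billing_address.strip().lower():
        return "hold", "ship-to address differs from the verified billing address"
    if not txn.cvv2_provided:
        return "review", "CVV2 was not entered with the transaction"
    if code in ("A", "Z"):
        return "review", AVS_DEFINITIONS[code]
    return "ship", AVS_DEFINITIONS["Y"]

# Constructed sample orders; fulfillment_decision(order) gives the action.
SAMPLE_ORDERS = [
    Transaction("ord-1", "Y", "12 Elm St, 84000", "12 Elm St, 84000", True),
    Transaction("ord-2", "N", "12 Elm St, 84000", "12 Elm St, 84000", True),
    Transaction("ord-3", "Y", "12 Elm St, 84000", "99 Oak Ave, 84001", True),
    Transaction("ord-4", "Z", "12 Elm St, 84000", "12 Elm St, 84000", True),
]
```

The 'N' check runs before the address comparison because the post asks the merchant to obtain a correct billing address before any fulfillment decision is made.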

Jesse Hutcheon

Most users of Facebook are familiar with some of the well-documented privacy issues that the popular social networking site has had over the years.  In fact, the site just recently debuted a number of new settings and processes designed to help protect users’ personal information.   So, one can imagine the chagrin the company feels as yet another privacy violation has made the headlines.  In this instance, it seems that some of the most popular Facebook applications have become culprits – transmitting personal information despite the users’ privacy settings. 

According to a Wall Street Journal article:

“Many of the most popular applications, or “apps,” on the social-networking site Facebook Inc. have been transmitting identifying information—in effect, providing access to people’s names and, in some cases, their friends’ names—to dozens of advertising and Internet tracking companies, a Wall Street Journal investigation has found…The Journal found that all of the 10 most popular apps on Facebook were transmitting users’ IDs to outside companies.”

This example illustrates the complexity of privacy issues, irrespective of any security mandates. In this instance, Facebook’s security is not in question; rather, it is the way in which information is transmitted between the site and its third-party vendors that provide games and other applications to Facebook’s millions of users. There are a number of lessons to be taken from this story:

1) Companies must be aware of ALL of the ways in which they are transmitting personal data, whether intentional or not. Courts take a dim view of the “We didn’t know we were doing that” argument. We’ve all heard the adage that ignorance is no defense, and in no arena is that more true than the protection of personal data.

2) Third-parties must be vetted, evaluated and monitored to ensure that any data that is being transmitted to them is being appropriately used and protected.  One cannot assume that the third party has the same privacy practices.  Contractual obligations, third-party evaluations and annual reviews can help to assure companies that their partners are offering an appropriate level of privacy protections to personal information. 

3) Individuals must take ownership of their online identities. While it is comforting to point at companies and shake our heads at a lamentable lack of privacy protections, we must also realize that as individuals we have the right and the responsibility to monitor the data that we provide. Many applications have separate terms and conditions and may even warn users that installation of the “app” will result in sharing of personal information.

As life becomes increasingly “virtual,” personal information becomes more and more vulnerable.  Both companies and individuals must be ever more vigilant in the protection of that information. Companies need to ensure that data that has been provided to them is used appropriately and is adequately protected.  Meanwhile, consumers need to be increasingly discriminating in what information they share online and with whom they share it. 

For more information on Facebook’s privacy settings and tools, visit their privacy guide.

Dr. Heather Mark, PhD. SVP of Market Strategy