Risk/Fraud


Many people today who consider themselves internet savvy might believe that they are too clever to fall for an online scam.  They know that they should not respond to pleas for help from Nigerian princes who need to move furniture for their long-deceased, well-meaning philanthropist great uncle.  They know that any job posting that requires respondents to send their bank routing information is likely not legitimate.  They know that a bank will never send an email asking its account holders to “verify their passwords” by clicking on a link.  But do they know that they shouldn’t click on that link that promises a sneak peek of the iPhone 5?

According to a recent survey by the Ponemon Institute (in collaboration with PC Tools), the answer is “no.”  The temptation is just too much, even for seemingly savvy internet users.  “Almost half (47%) of US respondents identified an online survey with a prize as either a scam or an attempt to get you to buy something later. However, when presented with the test scenarios, more than half (55%) of US respondents indicated they would be likely to provide their personal information to redeem a prize after completing an online survey,” said Richard Clooke, Online Security Expert, PC Tools.

A recent article on CNet emphasizes a point made by the survey. Last spring, a number of Facebook users were scammed by a link that offered a look at the new iPhone 5.   According to Elinor Mills, the author of the article, “People who normally ignore all the other scams involving purported free software or naked celebrity photos clicked that fake news link and even completed a captcha on a second site, which reposted the scam to their own Facebook stream. That probably says more about how fanatical people are about Apple products than anything else. But it did raise the question–what does it take to lure someone to click on something that seems fishy?” It would certainly appear that the old cliché “everyone has their price” applies to this situation. If scammers can target the right prey with the right bait, people seem to disregard their concerns about fraud.  Target techies and Jobs-o-philes with a promised look at a future Apple product and they’ll likely click away.

The moral of the story – “think before you click.”  Many people associate internet scams with malware and Trojans, but sometimes scammers are looking for more specific information about users so that they can launch more targeted and sophisticated attacks later on.   For example, in the scam described above, scammers could perhaps harvest email addresses.  Those addresses could then be used in later phishing attacks to get more sensitive data from individuals.  It’s important to remember not to let your guard down when it comes to cyberscams.

Dr. Heather Mark, Ph.D.

SVP of Market Strategy

I saw a blog post yesterday that reminded me of the complexity and confusion surrounding the relationship between PCI DSS compliance and fraud prevention.  The details of the story are less important than the central idea that the author was communicating –  the notion that merchants should rely on PCI DSS compliance for the prevention of fraud.  The idea behind PCI DSS is of course to reduce the amount of fraud by helping to protect payment data from unauthorized disclosure and use, but it should be noted that the standard is not a fraud prevention program.  It is a data security compliance program.  Understanding the difference between fraud prevention and data security will help to clarify the relationship between the PCI DSS and fraud.

Fraud is intentional deception for personal gain.  This is a broad definition that includes social engineering as well as the misuse of financial data.  Fraud prevention, then, must be a very broad set of practices and procedures that are put in place to prevent people from misusing (in this case) payment card data.   All of the major card brands have suggestions and best practices for preventing fraud at the merchant level.  MasterCard Worldwide provides a quick reference guide to help merchants educate their staff on fraud prevention techniques.  Among the suggestions is the notion that staff should be familiar with what a card is supposed to look like.  Valid cards have a number of fraud prevention mechanisms, including embossed numbers and holograms.  (Each of the card brands can also provide a sort of “anatomy of a card” that will keep merchants and their employees current with new card designs and security mechanisms.)

Data security is a subset of fraud prevention tools.  Ensuring that the data is adequately protected from unauthorized disclosure (data compromise) helps mitigate the risk of fraudulent transactions.  All of the major card brands require compliance with the PCI DSS from any entity that stores, processes, or transmits cardholder data.  This helps to prevent data thieves from perpetrating fraudulent transactions on a large scale.  Merchants should not rely on the PCI DSS to protect them from fraud schemes.  PCI DSS is designed to help companies protect payment data from thieves, not to protect merchants from fraud schemes.

Dr. Heather Mark, PhD. ; SVP, Market Strategy

It’s that time of year again: International Fraud Awareness Week, sponsored by the Association of Certified Fraud Examiners (ACFE).  The intent is to raise awareness of fraud in general, as well as trends and emerging schemes.  Payment card fraud alone is estimated to cost the United States $8.6 billion per year.  And that is a 2010 number.  Estimates for 2011 are likely to grow.  Fraud is an interesting animal.  It’s said that the only crime that costs the US economy more money is tax evasion.  While that’s probably open for debate, what is still surprising is the low level of awareness that many small business owners have regarding fraud and fraudulent schemes.  The objective of International Fraud Awareness Week is to educate all organizations, from small entrepreneurial endeavors to large enterprises, about fraud and how it can be prevented.

Some fraud prevention resources can be found here, including some things that many organizations may not have considered, such as a fraud policy.  The ACFE publishes an annual Report to the Nations on fraud.  In 2010, some of the highlights (or lowlights, depending on your perspective) included the following:

  • “Survey participants estimated that the typical organization loses 5% of its annual revenue to fraud.”  To put that into a global perspective, the ACFE estimates that to cost the world economy almost $2.9 trillion annually.
  • “Small organizations are disproportionately victimized by occupational fraud. These organizations are typically lacking in anti-fraud controls compared to their larger counterparts, which makes them particularly vulnerable to fraud.”  This statement is critically important, because many small companies think that they are “flying under the radar” when in fact, they are easy prey to professional fraudsters.
  • “Anti-fraud controls appear to help reduce the cost and duration of occupational fraud schemes.”  The implementation of fraud awareness training can be an important preventative factor in reducing losses associated with fraud.

Unfortunately, fraud is a fact of life for most businesses.  As technology has evolved, so have the manners and methods by which criminals can perpetrate fraud.  Awareness is one of the most critical prevention tools, and that awareness must be organization-wide.  Having one person or one department responsible for the prevention of fraud is a good step, but education and awareness of the entire workforce will be critical in helping to mitigate the damage.

Dr. Heather Mark, PhD; SVP Market Strategy

Another year has flown by and the busy season at ProPay is about to begin. We want our merchants to have a successful and stress-free holiday season. This is the perfect time to make sure our merchants are up to date on the latest fraud schemes. A fraudulent buyer, chargeback or theft of data can put a damper on your end-of-year sales.  Here are just a few of the most prevalent fraud trends today.

Spam— Unsolicited email, possibly fraudulent, from a company that you didn’t authorize to send you messages.

Phishing/Spoofing— Phishers will impersonate a legitimate company by sending fake emails or creating fake Web sites in order to acquire your personal information—like PINs, credit card or bank account numbers.

Spyware— Software that records your personal information without you realizing it. Several anti-spyware software programs are available to combat spyware.

E-commerce fraud— Before you buy anything online, ask yourself if the site is legitimate. Look for seals from trusted companies that have certified the site as safe and secure. If the deal sounds too good to be true, it probably is.

Get-out-of-debt fraud— Many online debt elimination resources are fraudulent. Be wary. Investigate them thoroughly. If they aren’t a legitimate 501(c)(3) nonprofit organization, then it’s likely that they’re trying to take advantage of your debt-related vulnerability.

International schemes— Don’t respond to emails that suggest you have won or inherited money from someone in a foreign country—Nigeria and Eastern European countries are where many of these emails originate. Any scheme that asks you to pay money in advance in return for a larger sum later is too good to be true and will always be fraudulent.

Evil twin— A fake Wi-Fi network set up near a real public Wi-Fi network (like those in libraries, parks, and coffee shops), often using a similar name. If you unknowingly join the evil twin network, the criminal behind it will have access to all of the information on your computer.

Take a few moments to review this list and to research other fraud trends that could impact you and your business. The small investment of time will be worth it in the long run. Here’s to a successful holiday season and a strong push to the finish line in 2011.

Last week, I attended the PCI SSC Community Meeting in Scottsdale, AZ.   The meeting is held every year so that stakeholders in the payments industry can get together and discuss the PCI DSS and its impacts.  Each year brings with it new guidance documents, and sometimes new standards.  This year was no exception, and the standard mix of new standards and new guidance was supplemented by discussion of new technologies (perhaps “new” is a bit of a stretch, as one of the “new” technologies under discussion was EMV – a technology that has been around for decades).  Mobile payments and Near Field Communication (NFC) were also hot topics of discussion and reminded me of one of my favorite topics – weighing the adoption of technology and its attendant convenience against the protection of payment data.

I am an advocate of careful risk analysis – there are occasions in which a new technology does introduce risk, but that risk is outweighed by the potential benefit to customers and to the business overall.  In those instances, the organization may determine that the risk is acceptable and the technology is adopted.  In other instances, an organization may determine that the benefits are far outweighed by the risks and the technology is not implemented.  The point is that careful deliberation takes place.  Unfortunately, the current state of the market (economically difficult, coupled with rapid technological change) may lead some companies to adopt a new technology as a “me too” strategy.  The appearance may be that by adopting new technologies companies are showing progress and leadership, which will lead to a competitive advantage.  Many times, though, the rapid adoption of new technology without proper vetting can introduce the “unknown unknown” into the environment.

The idea of the “unknown unknown” can be nicely summed up by saying that “you don’t know what you don’t know.”  In other words, one doesn’t have enough experience or knowledge about a particular subject to speak definitively about what its potential risks might be.  The concept was famously skewered after Donald Rumsfeld made his “unknown unknown” speech.  While pundits and comedians alike had a good time poking fun at Rumsfeld for his use of the terms “known unknowns” and “unknown unknowns,” he was referencing something that risk analysts and philosophers alike have discussed for years. The premise of Nassim Taleb’s The Black Swan is largely concerned with operating in a world in which we don’t know what we don’t know.  You can reduce the number of unknown unknowns through analysis, evaluation, and research.

One of the ways that companies can mitigate the “unknown unknown” in terms of payment security is to evaluate new technologies against the standards established by the industry.  The standards are established to counter the known risks in the payment environment.  Any time a new technology is considered, a good practice is to consider how that technology would be integrated into the existing infrastructure and evaluate that result against the standards and against data security best practices (which sometimes evolve at a faster rate than the standards do).  Certainly this will not bring to light all possible permutations of risk that might arise from the adoption of a new technology, but it will help address an organization’s compliance status and may help mitigate the risk associated with adopting a new technology.

Dr. Heather Mark, PhD; SVP Market Strategy
