Entries tagged with “fraud”.

You may have seen headlines (small ones, but headlines nonetheless) regarding the re-authorization of the U.S. SAFE WEB Act.  The full name of the act, which is far more descriptive of its actual function, is the "Undertaking Spam, Spyware, And Fraud Enforcement With Enforcers beyond Borders Act of 2006."  As the name implies, the bill was originally passed in 2006, but it was set to expire this year unless it was re-authorized.  On Dec. 7, 2012, President Obama signed the re-authorization, extending the act until 2020.  So does this mean that the web is now safe all the time for everyone?  No, but it gives the Federal Trade Commission certain powers that enable it to find and prosecute scammers, even when they are not domestic criminals.

The main thrust of the act is to allow the FTC to reach beyond US borders when investigating online criminal activity, especially as it relates to consumer protection.  The act empowers the FTC to share information about scams and the criminals behind them with foreign law enforcement agencies; previously, the FTC had been restricted to sharing only with other US agencies.  Additionally, the FTC is empowered to aid foreign agencies in the investigation of online scams, and it may in turn obtain information from those agencies.  The law also provides "enhanced investigative and litigating tools" to the FTC so that it can pursue investigations and enforcement actions more effectively.

This is not a complete summary of the law, but it should reassure consumers that the FTC takes online scams and fraud very seriously and has been empowered, through 2020, to pursue these criminals even when they are outside the boundaries of the United States.  As Mary Bono Mack (R-CA), the bill's lead sponsor, said, "This is a win-win. It's good for American consumers. It's good for the future of e-commerce. And it's the right thing to do for our nation and our friends around the world."

Barnes and Noble has reported that PIN entry devices in dozens of its stores have been compromised.  According to the company, one device in each of 63 different stores had been tampered with.  The company said that its website and purchases made on the Nook were not affected by the breach.  Reports indicate that the stores involved were located in California, Connecticut, Florida, Illinois, Massachusetts, New Jersey, New York, Pennsylvania and Rhode Island.  B&N is working with banks to notify affected customers.  The company acted swiftly in disconnecting the devices in all of its more than 700 stores once the breach was discovered.  Further, the company changed its card-acceptance process to one it believes is more secure: rather than swiping the card themselves, customers now hand the card to the cashier to be swiped.

There are two security issues at play here.  The first is physical security.  How many times have you walked into a grocery store, or any store for that matter, and used the PIN pad without any assistance from the clerk?  That certainly adds convenience, but it also introduces risk: a device that customers handle unsupervised is a device an attacker can handle unsupervised.  The following video demonstrates just how easy it can be to compromise a PIN pad.

As you can see, without proper physical security, attaching a skimming device or otherwise tampering with the machine can take a matter of seconds.  If you accept cards, it is vitally important to think about the physical security of the devices that handle card data, as well as the technical security.  If you use a mobile device, keep it with you at all times; when it is not with you, it should be locked in a secured location.  If you use a point-of-sale terminal or a PIN pad, make sure it is secured to the counter and that you can tell whether the device has been altered (for example, by periodically checking its serial number and tamper-evident seals against a record of what was installed).  In the video above, the clerk noticed that the machine had been tampered with and was able to prevent the theft of data.

The second issue at play here is the technical side of security.  This is of particular consequence because thieves who obtain full card data (the magnetic-stripe track data together with the PIN) can make counterfeit cards, and the volume of fraudulent transactions then increases significantly.  To counter this, the PCI SSC has published a number of documents specifically aimed at protecting PIN pad devices, the PIN Transaction Security (PTS) requirements.  You can find all of the PCI SSC security documents in the Library section of its website.

Security of transaction data is not an "online only" problem.  Thieves can turn a physical compromise into card fraud.  That means the physical instruments we use to accept card transactions must be afforded the same level of protection as the systems in which we store that data (e.g. databases or POS applications).

Another article out today reinforces the notion that we, as consumers, may not be serious about protecting our sensitive information.  According to an interview on NPR with Nick Berry of DataGenetics, more than 10% of ATM cards can be accessed using the PIN 1234.  Other common PINs include 2222, 8888, and 8520 (a pattern on the middle column of the keypad).  These PINs are easy to remember, but unfortunately the bad guys are onto the trend as well.  With only four digits there are just 10,000 possibilities, so you cannot make a PIN "complex" the way you make a password complex; what you can do is avoid the handful of choices a thief will try first.  Here are some things that can help minimize the chance that a hacker or thief could "guess" your PIN.

1) Use the PIN the bank issues – Sometimes your bank will issue a randomly generated PIN.  Often, people change this PIN to something that is easy to remember, such as a birthdate or anniversary.  The randomly generated number has no obvious connection to you.  So imagine your wallet is stolen: the thief won't be able to use numbers readily available on your ID (like your birthdate) to guess your PIN and access your account.

2) Choose seemingly random numbers – Numbers connected to your life are easy to guess.  If your bank doesn't assign a PIN, choose random numbers (or at least numbers that seem random to anyone but you).  I had a friend who used the jersey number of her favorite athlete and his rookie year as a PIN.  It was easy for her to remember, but a stranger would have to be pretty clever (and very familiar with her and her favorite athlete) to guess it.

3) Vary your PIN – Most people use the same PIN for every card.  Makes it easy to remember, right?  It also makes it easy to guess.  If I lose my wallet and my PIN for every card is my birthdate, then every account I have is vulnerable.

The PIN is an important component of consumer protection, yet it is often neglected.  If your credit card is stolen and used fraudulently, you have some protections built in from the card brands.  The protections on your bank account are much weaker.  If you can prove that the card was in your possession at the time of a fraudulent charge, you do have some recourse.  However, if you have lost the card and someone is either withdrawing cash at an ATM or making purchases with the PIN, it can be very difficult to recover your funds.  With that in mind, choosing a strong PIN becomes vitally important.
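To make the advice above concrete, here is a small weak-PIN checker of the kind an issuer might run when a customer picks a new PIN.  It is an added example written for this post, not code from the article or from DataGenetics.  It generalizes the three tips: it rejects the common PINs named above (the `COMMON_PINS` list is constructed from just those four; a real deny-list would be far longer), single repeated digits, ascending or descending runs, straight lines on the keypad, and anything that reads as a date or a birth year, since those are exactly the values a thief can pull off a stolen ID.

```python
"""Weak-PIN checker (added example, not from the original post).

Flags 4-digit PINs that a thief could guess from a stolen wallet or from a
list of the most common choices.
"""
import datetime
import re

# Constructed deny-list: the four PINs the post names. Real issuers keep a
# much longer list (assumption: exact contents vary by issuer).
COMMON_PINS = {"1234", "2222", "8888", "8520"}

# Physical layout of a phone/ATM keypad as (column, row) coordinates, used to
# spot PINs that are just a straight line of keys.
KEYPAD = {
    "1": (0, 0), "2": (1, 0), "3": (2, 0),
    "4": (0, 1), "5": (1, 1), "6": (2, 1),
    "7": (0, 2), "8": (1, 2), "9": (2, 2),
                 "0": (1, 3),
}


def looks_like_date(pin: str, this_year: int = 0) -> bool:
    """True if the PIN reads as MMDD, DDMM, or a plausible birth year."""
    this_year = this_year or datetime.date.today().year
    first, second = int(pin[:2]), int(pin[2:])
    mmdd = 1 <= first <= 12 and 1 <= second <= 31
    ddmm = 1 <= second <= 12 and 1 <= first <= 31
    year = 1900 <= int(pin) <= this_year
    return mmdd or ddmm or year


def on_one_keypad_line(pin: str) -> bool:
    """True if every digit sits on the same keypad column or row (e.g. 2580)."""
    if len(set(pin)) == 1:          # a single repeated key is reported separately
        return False
    cols = {KEYPAD[d][0] for d in pin}
    rows = {KEYPAD[d][1] for d in pin}
    return len(cols) == 1 or len(rows) == 1


def is_sequence(pin: str) -> bool:
    """True for runs such as 1234, 0123 or 9876 (constant step of +1 or -1)."""
    digits = [int(d) for d in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {-1})


def pin_weaknesses(pin: str, this_year: int = 0) -> list:
    """Return the list of reasons a PIN is guessable; empty means it passed."""
    if not re.fullmatch(r"[0-9]{4}", pin):
        return ["not exactly four digits"]
    reasons = []
    if pin in COMMON_PINS:
        reasons.append("on the common-PIN list")
    if len(set(pin)) == 1:
        reasons.append("single repeated digit")
    elif pin[:2] == pin[2:]:
        reasons.append("repeated pair")
    if is_sequence(pin):
        reasons.append("ascending/descending run")
    if on_one_keypad_line(pin):
        reasons.append("straight line on the keypad")
    if looks_like_date(pin, this_year):
        reasons.append("looks like a date or year")
    return reasons


def is_weak_pin(pin: str, this_year: int = 0) -> bool:
    return bool(pin_weaknesses(pin, this_year))


if __name__ == "__main__":
    # Constructed sample PINs: the post's common ones, a birth year, a date,
    # and one that survives every check.
    for candidate in ["1234", "8520", "1985", "0417", "2580", "7391"]:
        print(candidate, pin_weaknesses(candidate, this_year=2012) or "ok")
```

The date check is deliberately loose: 0417 is rejected whether it means April 17 or 4 July, because the checker cannot know which format the customer had in mind, and a thief will try both.  Note that the keypad test treats a PIN of two distinct keys on one row (such as 1212) as a line, which is the conservative choice.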

Sometimes it is the small things that make a difference.  I had a conversation with a friend last week about the pros and cons of using a payment aggregator for processing, as opposed to a traditional merchant account.  While we had a pretty lengthy discussion ranging over a variety of topics, there was one detail that stuck in her mind.  I had asked how her merchant name shows up on receipts.  She hadn't thought about that before and said she was going to go back and check it out.  Sure enough, she said, the merchant name showed up as something that even she would have found difficult to recognize as her business.  Why does that matter?  One word – chargebacks.

Often when customers don't recognize the name on their statement, they call their issuing bank and dispute the purchase.  If your merchant name is not immediately recognizable to customers on their statements, you run the risk of being hit with unnecessary chargebacks.  Not only does each one carry fees for the merchant, but repeated chargebacks can result in increased fees and may even cause processors, whether traditional processors or aggregators, to suspend the merchant's ability to process payments.

This is a fairly easy thing to check and to fix: run a small transaction on your own card and look at the descriptor that appears on the statement.  If you are unable to change your merchant name, and there are some legitimate reasons why that might be the case, then make sure your customers know what to look for on their statements.  This can be done either as a message on the receipt or on your website.  If you have a storefront, you may place a sign next to the register.  Anything that reduces the likelihood of confusion on your customers' part can help you reduce the likelihood of chargebacks.

I read an article today titled “When Cyber Fraud Gets Difficult, Criminals Revert to Old-Fashioned Schemes.”  As the name implies, the article argues that when technology makes it difficult to commit fraud online, criminals take the path of least resistance, abandoning the virtual crime world to go back to tried and proven real-world fraud schemes.  While this probably isn't news to most experienced data security or risk professionals, it might surprise others who don't spend their days locked in virtual battle with the “bad guys.”  Maybe that's a little extreme, but it can sometimes feel that way when it comes to the protection of sensitive data.  What struck me about the article, though, is how easy it is to be lulled into relying on technology alone to battle fraudsters and data thieves.  At the end of the day, awareness and training can be just as important as technology, and in some cases more so.

To illustrate, let me describe a scene that I witnessed the other day.  I was in a local convenience store to get my daily (alright, hourly) caffeine fix.  The customer in front of me asked the cashier for several packages of chewing tobacco.  In fact, he cleaned the store out of its entire stock of that particular brand.  I'd certainly never seen anyone purchase so much tobacco for personal use.  When the purchase was totaled, the young man paid with a gift card.  My alarm bells went off, as this is a generally recognized fraud scheme, but the cashier calmly completed the sale and the young man left with a huge quantity of chewing tobacco.  Those of us in risk and data security know that it is not unusual for stolen payment data, or even stolen funds, to be used to purchase gift cards.  Those ill-gotten cards are then often used to purchase goods that can be resold.  Typically, one cannot purchase tobacco products with a gift card at all; it's a practice prohibited by most acquirers and merchants.  Nevertheless, the point here is that the cashier had not been trained on common fraud schemes, even the low-tech ones.

The lesson of the article, and it's a good one, is that while technology plays an important role in fraud prevention, it must be part of a two-pronged approach.  The other prong is awareness training for staff, so that they are prepared to identify and stop potentially fraudulent purchases.