Entries tagged with “Risk”.


For those of us in the security space, it’s common to hear about crime rings based out of Eastern Europe targeting US companies and consumers.  Stealing data and selling it for a fast buck is something we prefer to think of as happening from abroad.  A recent report from ID Analytics, though, tells us that we have plenty of that particular crime right here at home.

ID Analytics, a leader in consumer risk management, has undertaken a study to identify crime rings in the US that specialize in identity theft.  According to the report, there are more than 10,000 separate crime rings operating in the United States.  Those rings appear to be most highly concentrated in Washington, D.C.; Detroit; Tampa, Fla.; Greenville, Miss.; Macon, Ga.; and Montgomery, Ala.  Another unusual finding of the report was that a large number of these rings were made up of friends and family working together.  You know what they say.  “The family that defrauds together…”

This report is interesting on a couple of levels.  First, there has been an assumption that identity theft is largely the work of career criminals.  The report seems to contradict this, pointing out the almost communal nature of identity theft rings.  The individuals work together and even share identity information, like Social Security numbers, in an effort to open new lines of credit.  Secondly, while we do know that many breaches originate from abroad, it is important that we not overlook the threat we face here at home.  Another surprising revelation in the report is where the crimes originate.  Again, we tend to think of identity theft as an urban crime.  While most of the victims were city dwellers, the report shows that the crime rings originate largely in rural areas.

It would be interesting to see whether longitudinal studies would uncover a relationship between the economic downturn, particularly as it hit these rural areas, and the increase in the formation and activity of identity theft rings.  It is easy to think of identity theft in the abstract, and that may entice people who would never be attracted to violent crime as a means of supporting themselves.

Another article out today reinforces the notion that we, as consumers, may not be serious about protecting our sensitive information.  According to an interview on NPR with Nick Berry of DataGenetics, the PIN on more than 10% of ATM cards is 1234.  Other common PINs include 2222, 8888, and 8520.  These PINs are easy to remember, but unfortunately the bad guys are onto the trend as well.  With only four digits, a PIN cannot be made “complex” the way a password can: there are only 10,000 possibilities, so the real question is whether yours is one of the handful a thief will try first.  But there are some things you can do to minimize the chance that a hacker or thief could “guess” your PIN.

1) Use the PIN the bank issues – Sometimes your bank will issue a PIN that has been generated randomly.  Often, people will change this PIN to something that is easy to remember – a birthdate or anniversary.  The randomly generated number has no obvious connection to the user.  So imagine if your wallet is stolen.  The thief won’t be able to use numbers readily available on your ID (like your birthdate) to guess your PIN and access your account.

2) Choose seemingly random numbers – Using numbers that are connected to your life can make them easy to guess.  Assuming your bank doesn’t assign a PIN, you can choose random numbers (or at least numbers that seem random).  I had a friend that used the jersey number of her favorite athlete and his rookie year as a PIN.  It was easy for her to remember, but a stranger would have to be pretty clever (and very familiar with her and her favorite athlete) to guess her PIN.

3) Vary your PIN – Most people use the same PIN for every card.  Makes it easy to remember, right?  It also makes it easy to guess.  If I lose my wallet and my PIN for every card is my birthdate, then every account that I have is vulnerable.

The PIN is such an important component of consumer protection, yet it is often neglected.  If your credit card is stolen and used fraudulently, you have some protections built in from the card brands.  Your bank account does not come with the same guarantees.  If you can prove that the card was in your possession at the time of a fraudulent charge, you do have some recourse.  However, if you have lost the card and someone is using it with the PIN at an ATM or to make purchases, it can be very difficult to recover your funds.  With that in mind, choosing a strong PIN becomes vitally important.
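To make the three rules above concrete, here is an added example (my own illustration, not something from the NPR interview or DataGenetics) of a weak-PIN checker of the kind a bank could run when a customer changes a PIN.  It flags the patterns discussed here: PINs on a short common list, repeated digits and digit pairs, arithmetic runs like 1234, straight walks down the keypad like 2580, and anything derivable from the birthdate printed on a stolen ID.  The common-PIN list is a constructed handful (the four PINs named above plus a few other well-known favorites), not the full published frequency table, and the birthdate and PINs used in the demo are made up.

```python
from __future__ import annotations

import secrets
from datetime import date

# Constructed short list: the PINs named in the post plus a few other well-known
# favorites. A real checker would load the full published frequency table.
COMMON_PINS = {"1234", "1111", "0000", "1212", "2222", "8888", "2580", "8520"}

# Key positions on a standard ATM keypad (rows top to bottom, 0 below the 8),
# used to spot "walks" across adjacent keys such as 2580.
KEYPAD = {
    "1": (0, 0), "2": (0, 1), "3": (0, 2),
    "4": (1, 0), "5": (1, 1), "6": (1, 2),
    "7": (2, 0), "8": (2, 1), "9": (2, 2),
    "0": (3, 1),
}

EXAMPLE_DOB = date(1980, 7, 14)  # constructed cardholder birthdate for the demo


def dob_candidates(dob: date) -> set[str]:
    """PINs a thief could derive from a birthdate printed on a stolen ID."""
    mm = f"{dob.month:02d}"
    dd = f"{dob.day:02d}"
    yyyy = f"{dob.year:04d}"
    yy = f"{dob.year % 100:02d}"
    return {mm + dd, dd + mm, yyyy, mm + yy, dd + yy, yy + mm, yy + dd}


def pin_weaknesses(pin: str, dob: date | None = None) -> list[str]:
    """Return the reasons a 4-digit PIN is easy to guess (empty list = none found)."""
    if len(pin) != 4 or not pin.isdigit():
        raise ValueError("PIN must be exactly four digits")
    reasons: list[str] = []
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}   # differences between neighbours
    if pin in COMMON_PINS:
        reasons.append("on the common-PIN list")
    if steps == {0}:
        reasons.append("single repeated digit")
    elif len(steps) == 1:
        reasons.append("arithmetic sequence (e.g. 1234, 2468, 9753)")
    if pin[:2] == pin[2:]:
        reasons.append("repeated digit pair (e.g. 1212)")
    adjacent = all(
        abs(KEYPAD[a][0] - KEYPAD[b][0]) + abs(KEYPAD[a][1] - KEYPAD[b][1]) == 1
        for a, b in zip(pin, pin[1:])
    )
    if adjacent:
        reasons.append("straight walk across adjacent keypad keys (e.g. 2580)")
    if dob is not None and pin in dob_candidates(dob):
        reasons.append("derivable from the birthdate on the cardholder's ID")
    return reasons


def random_pin(dob: date | None = None) -> str:
    """Bank-style random PIN: drawn from a CSPRNG, rejecting any that trips the checks."""
    while True:
        candidate = f"{secrets.randbelow(10_000):04d}"
        if not pin_weaknesses(candidate, dob):
            return candidate


if __name__ == "__main__":
    for pin in ("1234", "8520", "2580", "0714", "1980", "7392"):   # constructed PINs
        print(pin, pin_weaknesses(pin, EXAMPLE_DOB) or ["no obvious weakness"])
    print("bank-issued style:", random_pin(EXAMPLE_DOB))
```

Note that the keypad-walk test only catches runs of directly adjacent keys (2580 and its reverse), so a PIN like 8520 is caught by the list rather than by geometry; the list and the pattern checks are complementary, which is why a real deployment would use the full frequency data behind the NPR numbers rather than the eight entries here.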

“When good people…cease their vigilance and struggle, then evil men prevail.” - Pearl S. Buck

When I was learning to ride a motorcycle my instructor gave me one piece of advice that always stayed with me.  He said “keep your head on a swivel.”  In other words, while I had to make sure that I was doing everything I should be doing, I also had to make sure that I was constantly looking out for what other people may be doing.  That way I could correct my course, or at least take some action to ensure that what the other people were doing wouldn’t put me in danger.  While this is certainly good advice for riding motorcycles, it is also good advice for data security.  It may seem like a stretch, but bear with me.

In securing our customers’ payment data, we have a guideline (actually a set of fairly stringent requirements) in the form of the Payment Card Industry Data Security Standard (PCI DSS).  To learn more about the standard, visit this site.  Following these requirements ensures that we are doing what we “should” in terms of protecting the data.  But that doesn’t mean that others won’t be taking action to put you (and your data) in danger, in the form of a data compromise.  That means you have to stay vigilant for what others might be doing (“keep your head on a swivel”) to ensure that you are addressing newly identified risks and vulnerabilities that the standard may not yet address.

Recent trends indicate that small merchants are increasingly becoming targets of data thieves.  In a recent interview, Vantiv Vice President David Mattei stated, “…now we’re seeing an increase in the number of breaches in which smaller numbers of cards are compromised. Small, independent merchants are being targeted because of the ease with which fraudsters can compromise those payment systems.”  That means that as small merchants, even if we are PCI DSS compliant, we must remain vigilant against potential attack.  One way to foil the fraudsters in this case is a point-to-point (P2P) encryption and tokenization solution.  With tokenization, the cardholder data is removed from the merchant system and replaced with “tokens,” surrogate values that stand in for the card number but cannot be turned back into it without the processor’s vault.  Merchants can still use the tokens to run reports, issue refunds or fight chargebacks, but a data thief who steals them gets nothing of value.
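As an added illustration of why stolen tokens are worthless (my own toy code, not Vantiv’s or any vendor’s product), here is a minimal token vault of the sort a processor runs, alongside what a merchant keeps after a sale.  The vault is the only place the real card number lives; the merchant stores a random token that keeps the last four digits for receipts and refunds but is deliberately built to fail the Luhn check, so it can never be mistaken for, or submitted as, a card number.  The card number is a constructed, well-known test value and the order records are made up.

```python
from __future__ import annotations

import json
import secrets


def luhn_ok(number: str) -> bool:
    """Luhn check that real card numbers pass; tokens below are built to FAIL it."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Toy vault of the kind a processor runs. It is the only place the real
    card number (PAN) is stored; the merchant never holds the PAN."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = "".join(ch for ch in pan if ch.isdigit())
        if not (13 <= len(pan) <= 19) or not luhn_ok(pan):
            raise ValueError("not a plausible card number")
        if pan in self._token_by_pan:          # same card -> same token, so the
            return self._token_by_pan[pan]     # merchant can still group reports
        while True:
            # Random digits plus the real last four, so a receipt can still say
            # "ending in 1111". Rejected if it happens to pass Luhn, so a token
            # can never be accepted as a card number by anything downstream.
            token = f"{secrets.randbelow(10**12):012d}{pan[-4:]}"
            if not luhn_ok(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str | None:
        """Only the processor resolves a token, e.g. to submit a refund."""
        return self._pan_by_token.get(token)


def merchant_checkout(vault: TokenVault, pan: str, order_id: int, amount: float) -> dict:
    """What the merchant keeps after a sale: the token and last four, never the PAN."""
    token = vault.tokenize(pan)
    return {"order": order_id, "token": token, "last4": token[-4:], "amount": amount}


def pan_in_dump(records: list[dict], pan: str) -> bool:
    """Simulates a thief reading a dump of the merchant's order database."""
    return pan in json.dumps(records)


if __name__ == "__main__":
    vault = TokenVault()                     # lives at the processor
    test_pan = "4111 1111 1111 1111"         # constructed, well-known test number
    db = [merchant_checkout(vault, test_pan, 1001, 42.50),   # constructed orders
          merchant_checkout(vault, test_pan, 1002, 9.99)]
    print(json.dumps(db, indent=2))
    print("PAN present in merchant dump?", pan_in_dump(db, "4111111111111111"))
    print("processor resolves refund to:", vault.detokenize(db[0]["token"]))
```

The design point is that the token is random, not derived from the card number, so no amount of analysis of a stolen merchant database recovers the PAN; the only path back is the vault, which is exactly the system the merchant no longer operates.  Returning the same token for the same card is a convenience for reporting; a vault that issued a fresh token per transaction would be equally safe for the merchant.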

The lesson in all of this is that we must remain on guard against new threats, even if we are doing everything “by the book.”  Leveraging secure technologies like tokenization can help ease the burden of compliance and render you and your customers more secure in the long run.

Sometimes it is the small things that make a difference.  I had a conversation with a friend last week about the pros and cons of using a payment aggregator for processing, as opposed to a traditional merchant account.  While we had a pretty lengthy discussion ranging over a variety of topics, there was one detail that stuck in my colleague’s mind.  I had asked how her merchant name shows up on receipts.  She hadn’t thought about that before and said she was going to go back and check it out.  Sure enough, she said, the merchant name showed up as something that even she would have found difficult to recognize as her business.  Why does that matter?  One word – chargebacks.

Often when customers don’t recognize the name on their statement, they will call their issuing bank and charge back the purchase.  If your merchant name is not immediately recognizable to customers on their statements, you run the risk of getting hit with unnecessary chargebacks.  Not only does each one cost the merchant a one-time charge and fees, but repeated chargebacks can result in increased fees and may even cause processors, whether traditional processors or aggregators, to suspend the merchant’s ability to process payments.

This is a fairly easy thing to check, and to fix.  If you are unable to change your merchant name, and there are some legitimate reasons why that might be the case, then make sure your customers know what to look for on their statements.  This can be done either as a message on the receipt or on your website.  If you have a storefront, you may place a sign next to the register.  Anything that might reduce the likelihood of confusion on your customers’ part can help you reduce the likelihood of chargebacks.

I read an article today titled, “When Cyber Fraud Gets Difficult, Criminals Revert to Old-Fashioned Schemes.”  As the name implies, the article states that when technology makes it difficult to commit fraud online, the criminals default to the path of least resistance, abandoning the virtual crime world to go back to tried and proven real-world fraud schemes.  While this probably isn’t news to most experienced data security or risk professionals, it might be surprising to others who don’t spend their days locked in virtual battle with the “bad guys.”  Maybe that’s a little extreme, but it can sometimes feel that way when it comes to the protection of sensitive data.  What struck me about this article, though, is that it is easy to get lulled into relying on technology alone to battle fraudsters and data thieves.  At the end of the day, awareness and training can be just as important as, and in some cases more important than, technology alone.

To illustrate this example, let me describe a scene that I witnessed the other day.  I was in a local convenience store to get my daily (alright, hourly) caffeine fix.  The customer in front of me asked the cashier for several packages of chewing tobacco.  In fact, he cleaned the store out of its entire stock of this particular brand.  I’d certainly never seen anyone purchase so much tobacco for their personal use.  When the purchase was totaled, the young man paid with a gift card.  My alarm bells went off, as this is a generally recognized fraud scheme, but the cashier calmly completed the purchase and the young man left with a huge quantity of chewing tobacco.  Those of us in risk and data security know that it is not unusual to use stolen payment data or even stolen funds to purchase gift cards.  Those ill-gotten cards are then often used to purchase goods that can be resold.  Typically, one cannot purchase tobacco products with a gift card; it’s a practice prohibited by most acquirers and merchants.  Nevertheless, the point here is that the cashier had not been trained on common fraud schemes, even the low-tech ones.

The lesson of the article, and it’s a good one, is that while technology plays an important role in fraud prevention, it must be part of a two-pronged approach.  That approach should include awareness training for staff, so that they can be prepared to identify and prevent potential fraudulent purchases.