Security Now: What’s Top of Mind at Several Security Firms
By Kimberly Wheeler
Consumers expect an electronic payment experience that is convenient, easy, fast, and, above all, safe. Payments professionals are under pressure to deliver enhanced, protected payment experiences in a sophisticated and evolving landscape of security threats. These demands create technical challenges for merchants, pushing them to find a way to secure not only their payment processes but also every stage of the payment lifecycle, from the moment consumers first visit the merchant’s website or store to the time of checkout and beyond.
One of the most crucial aspects of addressing these challenges is simply staying informed of the shifting threats facing the industry, say experts. To that end, we asked several to offer their perspectives on key issues and pressing fraud trends across the market, as well as the solutions available to mitigate them.
Trends: ‘Industrialization’ of fraud and insufficient security measures
As businesses scramble to fend off evolving security threats to card-not-present transactions, the fraudsters perpetrating them are only getting more sophisticated and more organized, and that in itself is a concerning trend, notes Don Bush, vice president of marketing at Kount, a fraud detection and prevention service.
“Data breaches used to be kind of an anomaly. But over the past three or four years, they have become commonplace—so common that some 2 billion records have been compromised,” he says. “When you consider that only 3.5 billion people on the planet have regular internet access, that’s pretty dramatic.”
Calling it the “industrialization of fraud,” Bush explains the fraud market has become increasingly easy for the average criminal to enter, with few barriers, if any. Stolen data and the tools to use it are readily available, easily obtained, and inexpensive to use. In addition, fraudsters are becoming increasingly sophisticated in how they profit from their stolen data and goods, using them to develop their own businesses.
“Within the fraud market, all of these submarkets are developing,” he says.
“We’re seeing fraud groups starting to specialize. If I’m a fraudster who specializes in shoes, I know how much I can charge, shipping, what the market will bear, distribution points, what websites to set up or go to to sell what I steal. Ridiculous as it sounds, it’s true. Fraudsters can sell everything from PayPal accounts to nutritional supplements because they have good data, know the market, and know how to turn it into cash.”
Segments of the market going through a digital transformation are particularly vulnerable, Bush suggests, because they often don’t anticipate the volume and diversity of threats that they are now exposed to in the card-not-present (CNP) environment. Merchants transitioning to digital platforms may mistakenly take a similar security approach to CNP that they would with card-present transactions. To make matters worse, many merchants designate their in-store loss prevention managers to oversee security for their digital platforms, even though those personnel often lack the necessary training, experience, and expertise.
“It’s more naive than negligent—they’re naive to the sophistication of fraudsters, how they can infiltrate an app, and don’t necessarily understand that, with a card-not-present transaction, different rules apply, different liability,” Bush explains. “With in-store purchases, liability is on the bank as the point of sale, but when you’re online, the liability is on the merchant. And when you are inexperienced at dealing with fraud, it gives criminals a whole new avenue of opportunity.”
While data breaches aren’t going away, Bush says businesses can protect themselves by employing more thorough fraud mitigation tools—asking for the card verification value or running address verification just isn’t enough. He recommends that merchants first check with their payment processor to identify tools or services the processor has vetted and offers to its clients as part of its service. Another option is to adopt a complete fraud platform that combines the various security screening and fraud mitigation tools into one system, making it easier to use and reducing the need for technical support.
“A complete platform will take all these different screening tools and feed their results into a sophisticated machine-learning algorithm that will tell you whether a transaction is high-risk or legitimate,” Bush says. “That type of assistance happening in milliseconds gives the merchant a chance against these fraudsters.”
Regardless of the type of fraud system a business is using, Bush says it is essential for merchants to conduct a fraud audit at least once a year.
“Merchants will change payment types, processors, might go to new countries, or offer new products, and, every time they make a change, it’s a new opportunity for fraudsters to infiltrate and make trouble,” Bush warns. “Do a fraud audit at least annually, maybe every six months or even quarterly. Run the numbers that you have available, the benchmarks that tell you whether you are doing better or worse than before—your manual review rate, your false positive rate, acceptance rate, chargeback rate.”
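The audit Bush describes comes down to computing the four benchmarks over a period and comparing them with the previous period. The following is an added example, not code from the article or from Kount; the transaction records, the field names and the 1 percentage point tolerance are constructed assumptions, as is the simplification that every approved fraudulent transaction ends in a chargeback.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Txn:
    reviewed: bool    # went through the manual review queue
    approved: bool    # final decision after screening and review
    legitimate: bool  # ground truth learned later (disputes, customer contact)
    chargeback: bool  # a dispute was filed against this transaction

def audit(txns: List[Txn]) -> Dict[str, float]:
    """The four benchmark rates named in the article, for one period."""
    total = len(txns)
    approved = [t for t in txns if t.approved]
    legit = [t for t in txns if t.legitimate]
    return {
        "manual_review_rate": sum(t.reviewed for t in txns) / total,
        "acceptance_rate": len(approved) / total,
        # false positives are legitimate customers who were declined
        "false_positive_rate": sum(not t.approved for t in legit) / len(legit),
        # a chargeback can only arrive on a transaction that was approved
        "chargeback_rate": sum(t.chargeback for t in approved) / len(approved),
    }

HIGHER_IS_BETTER = {"acceptance_rate"}  # every other rate should fall

def worsened(before: Dict[str, float], after: Dict[str, float],
             tolerance: float = 0.01) -> List[str]:
    """Benchmarks that moved the wrong way by more than `tolerance`."""
    flags = []
    for name in before:
        delta = after[name] - before[name]
        if name in HIGHER_IS_BETTER:
            delta = -delta
        if delta > tolerance:
            flags.append(name)
    return flags

def build(approved_legit, approved_fraud, declined_legit, declined_fraud, reviewed):
    """Constructed sample period (hypothetical counts, not real merchant data)."""
    txns = ([Txn(False, True, True, False)] * approved_legit
            + [Txn(False, True, False, True)] * approved_fraud
            + [Txn(False, False, True, False)] * declined_legit
            + [Txn(False, False, False, True)] * declined_fraud)
    # the first `reviewed` transactions are the ones a human looked at
    return [Txn(i < reviewed, t.approved, t.legitimate, t.chargeback)
            for i, t in enumerate(txns)]

# Constructed: 100 transactions before and after the merchant opened a new country.
BEFORE = build(approved_legit=88, approved_fraud=2, declined_legit=3, declined_fraud=7, reviewed=8)
AFTER = build(approved_legit=80, approved_fraud=5, declined_legit=6, declined_fraud=9, reviewed=8)
```

Running `worsened(audit(BEFORE), audit(AFTER))` on the constructed data flags acceptance, false positive and chargeback rates while the unchanged manual review rate passes, which is the kind of signal the audit is meant to surface after a change in markets or products.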
Trends: Internal fraud and merchandise pick-ups
While many merchants tend to focus on the fraudster threats from outside of their organizations, it is equally important to look inside the business, says Monica Eaton-Cardone, owner, co-founder, and chief operating officer of Chargebacks911, a company dedicated to mitigating chargeback risk and eliminating chargeback fraud.
Chargebacks911 has seen a concerning trend of internal fraud among its merchant clients, says Eaton-Cardone. This type of threat is posed by current or former employees and affiliates, such as contractors, who have access to a merchant’s network or data. It can involve anything from stealing customer account information to installing harmful scripts on a merchant’s system.
“We are seeing more prevalent instances of collusion and internal and affiliate fraud,” she explains. “Specifically, we see this happening more and more often when businesses are going through seasonal growth around October—increasing the manual review team, increasing tech support, increasing staff across the board, and using more affiliates.”
While the number of incidents may be increasing, the speed with which they are identified is not keeping pace—incidents of internal fraud can often take as long as 18 months to detect. Eaton-Cardone says the key to detecting internal fraud is a multifaceted approach to protection that involves regular reviews, not just of transactions but specifically of declines. “Merchants need to take a multilayered approach to cybersecurity. It’s absolutely crucial,” she suggests. “Many companies become victimized because they have one fraud solution in place, and it’s just not enough.”
Manual review is one layer that Eaton-Cardone recommends companies build into their fraud mitigation approach. “There are still patterns that only the human eye will detect. Take a sampling of all decline data and give that to a human review team that can look for bizarre trends. More intelligence and understanding can be gained from analyzing decline patterns than from just looking at approved transactions.”
Another threat that Eaton-Cardone notes is on the rise is a relatively little-discussed scheme that involves merchandise pick-ups at stores.
Most major brands and retailers allow customers to order items online and arrange to pick them up at a local store. The problem is that many merchants do not require any type of identity verification at pick-up. Customers may be asked to show a receipt, but they are rarely required to provide a photo ID or to sign anything to pick up their item. Meanwhile, the companies don’t become aware that store pick-up fraud has taken place until two to three months afterward when they receive a chargeback for the item.
“Store pick-up fraud has grown by 26 percent with the merchants we serve,” Eaton-Cardone says. “Invariably, the fraudster uses a stolen credit card, just a simple AVS certification and ZIP code, orders the item, then they go pick it up and sell it on eBay, and no one ever gets caught. This is a massive loophole that affects every client that we have in big-box retail.”
While the problem is serious, the solution is simple, says Eaton-Cardone. Merchants can protect themselves and consumers simply by changing their store policies to require customers to show photo ID when they pick items up at the store. And again, she notes, reviewing declined-transaction data can help identify trends like store pick-up fraud.
“Study your chargeback data,” Eaton-Cardone stresses. “Chargeback analysis has the richest data because it tells you all of your mistakes. Most of us learn our lessons from our mistakes. The gold mine in your business is the data in the chargebacks.”
Trend: Ransomware
Although it is imperative that businesses be on the lookout for new security threats and trends, it is also important to keep an eye on those threats that have been around for a while, and even those that may seem dormant, says David Ellis, senior vice president of forensic investigation at SecurityMetrics.
Ransomware is one of the top security concerns for the electronic payments industry, but many merchants may not even consider it a threat anymore. Still, these malware attacks persist and continue to block users’ access to their own systems, causing not only loss of revenue, time, and data but also consumer confidence.
Ransomware attacks are not a rare scenario and, according to Ellis, they are every bit as damaging as other fraud methods garnering more attention and action. He describes a recent ransomware attack on a SecurityMetrics customer with more than 1,000 locations, in which the company focused on securing its cardholder data environment but lowered its defenses in other parts of its network.
“They got hacked outside of their [cardholder data environment], but the hackers had built a robust ransomware and it locked up all of their systems,” he recalls. “For several days, they could not do anything. They couldn’t process card transactions or even send emails. It brought them to their knees because the card data environment itself wasn’t targeted for data, their overall structure was. It completely impacted their business.”
Ellis explains that ransomware attacks are most often delivered to a merchant’s system through employee emails. Some phishing attempts are obvious and unlikely to fool employees, he says, but those attempts are often meant to distract employees and lower their defenses so that they won’t recognize more sophisticated attempts.
“The fraudsters are creating a veil that has someone thinking, ‘That’s what phishing looks like, these blatantly obvious attempts that no one is falling for,’” he explains. “But, the reality is that fraudsters have gotten so much better about disguising phishing emails with malicious payloads attached to them … and are now even able to pose as a person’s bank.”
Defending against ransomware, Ellis says, is largely about educating employees to look for and recognize phishing emails, no matter how sophisticated. However, to detect ransomware and other breaches, merchants also need to employ regular file integrity monitoring—not just a program to monitor the company’s systems but a person to monitor the program.
“Not every attack is going to throw up red flags immediately,” he says. “Some breaches have taken as long as five to six months before someone caught on because, even though the company had ample, terrific security logs and the early warning systems and file monitoring systems were throwing out alerts, nobody was watching.”
Ellis encourages businesses to consider designating an employee who has the specific responsibility to monitor daily security logs and scan for anomalies. The designated employee should also be able to receive phone notifications when security systems detect unusual or suspicious activity and should know how to recognize and respond to both false positives and real threats.
“When a merchant can identify a breach right away, they’re able to secure the systems and lock out the hackers within hours or days,” Ellis says. “Imagine being able to catch it in the first few days versus once it’s been going on for months or even years.”
Trends: Account takeovers and loyalty program abuse
Among many other advances in fraud activity, the shift from simple card information theft to full account takeover is a concern, says Vered Gottesman, vice president of marketing at Forter, an e-commerce fraud prevention company.
“Fraudsters are not just looking at transactions anymore,” Gottesman says. “Instead, they’ve moved upstream and identified more sophisticated ways to attack. Account takeover is an ever-increasing form of fraud. They don’t just steal the customer’s card information—now, they conduct transactions posing as the customer.”
With account takeover, fraudsters access data that can be used right at the point of sale to obtain products and services through the victim’s account. Speed of detection often depends on how vigilantly the victim monitors his or her account, as the transactions often don’t raise red flags for less accurate fraud mitigation tools that rely on human reviewers to approve or deny online payments.
More specifically, Gottesman says incidents of account takeover fraud involving loyalty program abuse have recently spiked. Fraudsters hack user accounts and deplete loyalty or reward points without the user noticing. Many merchants design their loyalty programs for ease of use rather than security, which often means that users aren’t required to enter a form of payment or other information that would verify their identity. Once they obtain access to a victim’s loyalty program account, fraudsters can use the payment and personal data displayed in the account to make purchases, accrue points, then redeem them before the fraud is detected.
Gottesman says these trends reflect a perfect storm that makes it easier for fraudsters to access account information and pose as the consumer, perpetrating crimes undetected.
“What you have is all these different circumstances emerging at the same time,” she explains. “You have the huge increase in online fraud, the abundance of data available, the ability for fraudsters to specialize and become automated, the commoditized hardware, and the really high—and increasing—cost to merchants.”
To combat these fraud-enhancing factors, Gottesman recommends that merchants structure their organizations in a way that emphasizes fraud as something that impacts the whole business, educating employees from every department that could be affected to improve their awareness of, and vigilance for, emerging trends in fraud.
She also recommends employing a customized fraud protection service: “In the face of rising threats and the complexity of the fraud that is emerging, you just can’t use a one-size-fits-all approach,” she says. “Every business is different—every business has a unique risk profile and different needs. Businesses shouldn’t take a simplified or overly standard approach to fraud protection.”
Kimberly Wheeler is a contributing writer to Transaction Trends.
Image credit: Vagabondatheart/iStock/Getty Images