Accourt Payments Specialists » Security
https://www.accourt.com

European cross-border and card-not-present fraud on the rise
https://www.accourt.com/european-cross-border-and-card-not-present-fraud-on-the-rise/
Thu, 23 Jul 2015 09:01:21 +0000

Card fraud losses across 19 countries in Europe rose an average of 6% in 2014, according to a new report based on data from Euromonitor International. But the low overall rise masks large shifts in so-called “cross-border” fraud, where criminals use data on cards from one country to commit fraudulent transactions in another country.

UK card fraud losses rose by £29 million in 2014, a 6% rise on the previous year. Most of this increase was due to cross-border fraud, with domestic losses remaining flat.

[Figure: Cross border vulnerabilities of UK fraud]

In the UK, FICO previously reported a 25% increase in cross-border fraud on debit cards in 2014, compared to 2013. 47% of the fraudulent transactions were taking place in the US – a pattern that seems related to the delay in US adoption of EMV technology. The first wave of the EMV liability shift takes place in October 2015 in the US.

“Banks in the UK and most of Europe adopted EMV technology years ago, so it may appear that they have little to worry about from mag-stripe fraud,” said Martin Warwick, FICO’s fraud chief for Europe. “However, the trends suggest that any European plastic card can be targeted, as criminals try to ‘fill their boots’ before the US finally shuts the door on skimming fraud.”

As reported in the FICO European Fraud Map for the last three years, the leading type of fraudulent card transaction is so-called card-not-present (CNP) fraud. The percentage of fraud losses from CNP fraud averaged 41% for Western European countries, and 23% for Eastern European countries.

In the UK, ecommerce spending more than doubled between 2008 and 2014, but CNP fraud losses have grown just 1% in that time. However, CNP fraud has become a greater share of UK card losses, rising from 54% of card losses in 2008 to 70% in 2014.

[Figure: European Fraud Changes 2013-2014]

“We are winning the war on CNP fraud, but we still have a long way to go to get CNP fraud fully under control,” Warwick said. “Authentication of customers and their devices will play an ever-increasing role. This is why FICO has been focused on advances in analytics that assess consumer behavior, and profile not just cardholders but also devices and merchants.”

France had the highest card fraud losses relative to card sales, followed by Greece and the UK, which is the same ranking as last year. Russia saw the fastest growth in card fraud losses – 24% – but card sales in the same period grew 36%.

[Figure: Fraud severity levels 2013 vs 2014]

“Any market that is growing will attract criminals’ attention and that’s exactly what is happening in Russia,” Warwick said. “EMV has a long way to go to reach maturity in Russia. However, overall Russia has low fraud relative to sales. The key aim for banks will be to ensure that when growth in sales slows they are also in a position to slow the growth in fraud losses.”

An introduction to the Trusted Execution Environment for mobile services security
https://www.accourt.com/an-introduction-to-the-trusted-execution-environment-for-mobile-services-security/
Wed, 15 Jul 2015 10:20:24 +0000

GlobalPlatform, the organization which standardizes the management of applications on secure chip technology, has published a white paper, which introduces the Trusted Execution Environment (TEE) and examines its role in addressing an increasing number of security concerns within the expanding mobile services market.

The Trusted Execution Environment is a secure area of the main processor in a smart phone (or any connected device) which ensures that sensitive data is stored, processed and protected in an isolated, trusted environment.

[Figure: Architecture of the TEE]

Industry interest in the Trusted Execution Environment is gaining momentum, as it addresses the needs of most applications by offering a higher level of security than a Rich OS, without the constraints associated with the secure element (SE).

The white paper introduces the Trusted Execution Environment and its general security characteristics, before progressing through the key security concerns and perspectives of various actors and markets.

The paper illustrates particular use cases, offering an understanding of how a TEE lays to rest major concerns within those use cases. In particular, the TEE’s role in the following implementation examples is examined: mobile payments, enterprise (bring-your-own-device), content protection and government eID solutions.

“As mobile and consumer markets for connected devices mature and expand, an increasing number of security concerns demand attention,” explains Kevin Gillick, Executive Director of GlobalPlatform.

“Yet while it’s in the interest of all actors in the mobile services value chain to protect applications on many levels, a balance has to be struck to ensure that security doesn’t compromise the end-user experience or the relative ‘openness’ of the device environment which offers commercial opportunities to so many stakeholders. This need to balance security and openness is a key challenge faced by the mobile services industry today.

“The TEE offers a solution which addresses many security concerns without imposing an undue burden on applications,” concludes Gillick. “This white paper will help audiences understand why this is the case and outlines its relevance for many use cases.”

Biometrics has a strong future in financial services
https://www.accourt.com/biometrics-has-a-strong-future-in-financial-services/
Tue, 07 Jul 2015 10:32:32 +0000

The financial services industry must set aside competition and collaborate on biometrics to ensure consistent, easy and convenient services for end users.

These are the findings of a survey published today by Mobey Forum, exploring the current attitudes to biometrics within the banking industry, the key use cases, industry drivers and obstacles standing in the way of progress.

Answers from the 235 respondents across the world make it clear that biometric services are a priority. 22% of banks already offer biometrics to their customers and 65% are planning to offer services in the near future. More than half plan to launch fingerprint biometrics for their end users, with an additional 21% focusing on voice recognition.

[Figure: Do you offer biometric authentication for mobile financial services]

Authenticating the user during the login process and during payment or transaction confirmation was cited by 70% as the most important use case for biometrics in financial services.

A number of key drivers for the use of biometrics are explored in the study, with nearly half of respondents stating that it is the convenience for their customers, together with the desire to be viewed as an innovative and advanced bank, which makes biometrics appealing. There are, however, a number of obstacles that need to be overcome. One in five highlighted dependence on technology providers as an issue. In addition, customer concerns relating to privacy are seen as a barrier.

[Figure: What kind of technology are you planning to use?]

“Biometrics in financial services still face challenges,” comments Sirpa Nordlund, Executive Director of Mobey Forum. “It is clear, however, that progress is being made and there are well defined use cases and benefits to moving forward. We believe that inter-bank collaboration will expedite the development of this technology and 42% of the market agrees with us. Successful financial solutions need to be easy and convenient; a collaborative approach will ensure consumers are presented with stable and consistent services, driving adoption.

“We will continue our discussions around biometrics both within our own working group and in our collaborative discussions with the Natural Security Alliance and the Biometrics Institute. We look forward to releasing further analysis in the coming months.”

Top 8 future cyber security threats to the financial services sector
https://www.accourt.com/top-8-future-cyber-security-threats-to-the-financial-services-sector/
Thu, 18 Jun 2015 10:00:16 +0000

Financial services providers must better prepare for the threat that new technologies pose to their cyber security strategies or risk damaging customer and investor confidence.

Cyber-crime within the financial services industry has reached unprecedented levels and currently costs the global economy £266 billion each year. As companies increasingly adapt to emerging technologies, such as digital wallet service Apple Pay and Near Field Communication (NFC), the likelihood of hacks and data security breaches is rising.

Neil Cross, Managing Director of Advanced 365, explains, “The financial services industry must find a balance between embracing innovation to establish a competitive advantage whilst meeting needs for greater compliance and cyber security in order to survive. At present, too many firms are preparing for yesterday’s threat instead of updating their strategies to defend against tomorrow’s.”

Cross outlines below the top eight technology threats that financial services firms will face in the future.

  1. Botnet attacks – The Botnet (robots and networks) of Things is a group of computers or internet-connected devices that have been hacked to commit fraud or attack servers. Industry experts estimate that botnet attacks have contributed to the loss of millions of pounds from financial institutions. Mass adoption of the Internet of Things will only exacerbate security challenges as it introduces billions of potential new bots.
  2. Self-mutating computer virus – ‘Pandoras’ are regarded as the next generation of self-mutating computer virus attacks. They are designed to destabilise, confuse and destroy critical electronic infrastructures essential to the financial services industry. From a strategic perspective, they can be used as both offensive and defensive security mechanisms.
  3. Near Field Communication (NFC) – NFC allows two devices within a short distance of each other to exchange data. It is increasingly being adopted by banks to introduce new products and facilitate mobile payments. Customers are susceptible to aggressive avatar-based attacks which rely on advanced digital creation assembled from stolen aspects of an individual’s identity.
  4. Payments technology – Mass market adoption of new mobile payments technologies, such as Apple Pay and Google Wallet, is expected to occur by the end of 2016. Hackers are intensifying their efforts as companies and consumers increasingly adopt these new systems, and related fraud cases in the United States already total millions of dollars.
  5. Biohacking – Biohacking applies to advanced techniques that use science and technology to affect human performance and could be a target for radical security breaches. Smart implants will be used for identification and authentication of individuals which include the ability to access buildings and activate mobile phones, in addition to making bank transactions to replace smartphone PIN codes.
  6. Big data and the cloud – In ten years’ time, most of the world’s data will move through or be stored in the cloud at some stage. This is expected to result in more sophisticated data security attacks targeting cloud infrastructures, shifting from device-based to cloud-based botnets, hijacking distributed processing power.
  7. Mobile – 80% of internet connections could originate from a mobile platform by 2025. Industry experts predict that mobile devices will no longer be used to crack a phone code or steal data from a device itself. Instead they will be targeted by cyber criminals as a catalyst for obtaining additional data resources that can be accessed via the cloud.
  8. Bring Your Own Device (BYOD) – Heavily regulated industries are struggling with the risks introduced by allowing employees to bring their own devices. A 2014 survey of financial services respondents by PwC revealed that 44% said employees represented the highest and most likely source of security incidents. This figure is 9% higher than the all-industries average.

Cross adds, “Financial services providers must adapt to the new world and the demands it places on their organisation. Businesses that fail to demonstrate a greater awareness of emerging technological challenges and transform their notion of security could fall prey to damaging breaches.”

One in four UK consumers would share their DNA with their bank to secure financial information
https://www.accourt.com/one-in-four-uk-consumers-would-share-their-dna-with-their-bank-to-secure-financial-information/
Wed, 17 Jun 2015 10:00:26 +0000

A new mobile identity whitepaper from Telstra reveals the majority of United Kingdom (UK) consumers using mobile banking applications want their mobile devices to instantly recognise them via biometrics, such as fingerprint and voiceprint, instead of having to prove who they are with passwords and usernames.

According to Telstra’s “Mobile Identity – The Fusion of Financial Services, Mobile and Identity” report, with smartphones now the primary channel used by Gen X and Gen Y to access and manage their finances, expectations around how financial institutions manage mobile identity are being transformed.

[Figure: Willingness to Share Personal Information with Financial Services Institution]

“For the last six months, we’ve spoken to consumers and banks all over the world, in an effort to understand how our relationship with our smartphone is affecting our relationship with our financial institutions,” said Rocky Scopelliti, Global Industry Executive for Banking, Finance & Insurance, Telstra.

“What we uncovered is that when it comes to mobile banking applications, consumers no longer believe in just the safety of passwords and usernames.

“Instead, two-thirds of UK consumers think that using biometrics – such as voice, fingerprint, iris and facial recognition – would be more secure and help reduce the risks of fraud.

[Figure: Willingness to Share Personal Information with Financial Services Institution (by Net Worth $ (Total Investments & Assets – Debt))]

“In fact, one in four UK consumers would even consider sharing their DNA with their financial institution, if it meant it would make authentication easier and their financial and personal information more secure,” he said.

According to the research, while factors such as interest rates and ease of accessing funds used to be the most important considerations when selecting a financial institution, today more than half of UK consumers cite the security of their finances and personal information as their top priority, together with their institutions’ reputation for security.

Despite this, the report found that only a third of UK consumers were ‘very satisfied’ with their institutions’ authentication methods, with one third willing to pay an extra £11 GBP per annum for more sophisticated mobile security measures.

[Figure: Identity Theft (Global)]

“Our research shows consumers are using their mobile banking applications in some really cutting edge ways, so they’re expecting much more than ever before from their financial services providers in terms of security, innovation and functionality.

“In fact, Gen X and Gen Y have become so dependent on their smartphones to access their financial services, that it’s led to a behavioral state we are calling ‘no-finapp-phobia’ – the fear of being without financial applications,” he said.

In the UK, Nationwide and NatWest customers are the most satisfied with the identity and authentication methods offered and are, accordingly, the most likely to recommend them.

“With our consumption of financial services intrinsically linked with the mobile device, our mobile identity is the key to unlock trust with our service provider.

“For ‘no-finapp-phobic’ Gen X and Gen Y consumers it’s time to create mobile identity solutions that instantly recognise them for who they are,” Mr Scopelliti concluded.

Criminals receive 1,425% ROI from Cybercrime
https://www.accourt.com/criminals-receive-1425-roi-from-cybercrime/
Tue, 16 Jun 2015 13:59:25 +0000

Trustwave has released the 2015 Trustwave Global Security Report which reveals the top cybercrime, data breach and security threat trends from 2014.

The report discloses how much criminals can profit from malware attacks, which data they target, how they get inside, how long it takes for businesses to detect and contain data breaches, what types of businesses criminals are targeting and where the majority of victims are located. It also reveals the most commonly used exploits, most prevalent malware families and more.

[Figure: Cybercrime compromises by Industry]

Trustwave experts gathered the data from 574 breach investigations the company’s SpiderLabs team conducted in 2014 across 15 countries in addition to proprietary threat intelligence gleaned from the company’s five global Security Operations Centers, security scanning and penetration testing results, telemetry from security technologies distributed across the globe and industry-leading security research.

2015 Trustwave Global Security Report: Key Highlights

  • Return on investment: Attackers receive an estimated 1,425% return on investment for exploit kit and ransomware schemes ($84,100 net revenue for each $5,900 investment)
  • Weak application security: 98% of applications tested by Trustwave in 2014 had at least one vulnerability. The maximum number of vulnerabilities Trustwave experts found in a single application was 747. The median number of vulnerabilities per application increased 43% in 2014 from the previous year.
  • The password problem: “Password1” was still the most commonly used password. 39% of passwords were eight characters long. The estimated time it took Trustwave security testers to crack an eight-character password was one day. The estimated time it takes to crack a ten-character password is 591 days.
  • Where victims reside: Half of the compromises Trustwave investigated occurred in the United States (a nine percentage point decrease from 2013).
  • Who criminals target: Retail was the most compromised industry making up 43% of Trustwave’s investigations followed by food and beverage (13%) and hospitality (12%).
  • Top assets compromised: 42% of investigations were of e-commerce breaches. Forty percent were of point-of-sale (POS) breaches. POS compromises increased seven percentage points from 2013 to 2014, making up 33% of Trustwave’s investigations in 2013 and 40% in 2014. E-commerce compromises decreased 13 percentage points from 2013 to 2014.
  • Data most targeted: In 31% of cases Trustwave investigators found attackers targeted payment card track data (up 12 percentage points over 2013). Track data is the information on the back of a payment card that’s needed for an in-person transaction. Twenty percent of the time attackers sought either financial credentials or proprietary information (compared to 45% in 2013) meaning attackers shifted their focus back to payment card data.
  • Lack of self-detection: The majority of victims, 81%, did not detect breaches themselves. The report reveals that self-detection leads to quicker containment of a breach. In 2014, for self-detected breaches, a median of 14.5 days elapsed from intrusion to containment. For breaches detected by an external party, a median of 154 days elapsed from intrusion to containment.
  • How criminals break in: Weak remote access security and weak passwords tied as the vulnerability most exploited by criminals in 2014. Weak remote access security or weak passwords contributed to 94% of POS breaches.
  • Spam on the decline: Spam volume continues to decrease making up 60% of total inbound mail (compared to 69% in 2013 and more than 90% at its peak in 2008), but six percent of it included a malicious attachment or link, a slight increase from 2013.

[Figure: Industry breakdown of IT environments compromised by Cybercrime]

“To defend against today’s sophisticated criminals, businesses must see attacks from their front windshield instead of their rear view mirror,” said Trustwave Chairman, Chief Executive Officer and President Robert J. McCullen. “By providing a wealth of current, actionable data breach trends and threat intelligence, our 2015 Trustwave Global Security Report helps businesses identify what’s coming so that they can engage the people, processes and technologies needed to thwart cybercrime attacks that can generate close to a 1,500 return on investment.”

Chip and signature is a joke!
https://www.accourt.com/chip-signature-joke/
Fri, 29 May 2015 11:56:01 +0000

Author: Vaughan Collie, Partner, Accourt – Payment Specialists.

The battle rages on, even at this late stage! Is EMV chip and PIN the sensible option in the US? Or is chip and signature the right way to go? Read the analysis below and decide for yourself.

“The fact that we didn’t go to PIN is such a joke,” says Mike Cook, Walmart’s assistant treasurer and a senior vice president, in reference to the USA’s current migration to EMV where chip and PIN or chip and signature are equally acceptable. “Signature is worthless as a form of authentication,” continues Cook, with Walmart preferring a chip and PIN mandated approach similar to the UK and most of Europe. Not so, says Visa Inc. vice president of risk products Stephanie Ericksen: “We don’t see a need for it; [chip and PIN] will have a shorter shelf life. We’re moving to new technologies and innovation.”

So who is correct, Visa or Walmart?

To answer this question it is most instructive to very briefly revisit the origins of EMV.

EMV in its ‘chip and PIN’ incarnation was ultimately designed for effective use in a predominantly offline card authorisation ecosystem (e.g. the UK at that time), thereby enabling issuers to delegate significant ‘authorisation authority’ to the chip without requiring an online authorisation from the issuer’s host system. Interestingly, the UK and most other European geographies are currently in the final stages of moving to a fully online ecosystem.

Back in 2002, following a number of years of unacceptable growth rates in various fraud types, the UK card industry formally began its migration to EMV chip and PIN. Significantly elevated levels of counterfeit fraud were one of the primary drivers of this decision, and EMV chip, coupled with PIN as the cardholder verification method (CVM), was seen as the most effective approach given the predominantly offline nature of the UK authorisation ecosystem and the technology and commercial landscape at the time.

A centrally managed, UK-wide migration programme not only addressed the technical considerations and decisions, but arguably more importantly, the challenges that were likely to be faced by the various sets of stakeholders (e.g. industry, merchants, consumers, etc.). These challenges included the significant societal and cultural move away from signatures as the prevalent form of cardholder verification at the point of sale to the ‘high-tech’ PIN alternative already found in ATM transactions (although not chip-based PIN at that time).

The UK chip and PIN programme was ultimately regarded as an industry success and it certainly achieved one of its objectives: reduce counterfeit and lost and stolen fraud numbers significantly. However, this was not without some fairly harsh lessons being learned at the time and since then, for example:

  • A credible industry business case was extremely difficult to develop due to varying approaches to risk appetite and management across the industry. Ultimately the view was that there was enough of a case to continue and that it was the right thing for the industry to do at the time (coupled with the ‘do nothing’ option being utterly unpalatable for all).
  • Carefully consider the consequences – by effectively mitigating against certain fraud types (e.g. skimming/counterfeit), are you incentivising criminals to supercharge their efforts and focus on other fraud types (e.g. cardholder not present – CNP)? And will these subsequent fraudulent activities lead to a greater problem (e.g. increased CNP fraud) than the one you are solving with chip and PIN?
  • A card scheme liability shift mechanism (effective from October 2015 for POS transactions in the US) is critical to drive appropriate and timely actions across the card payments value chain and industry as a whole. The general EMV liability shift rule-of-thumb is that those stakeholders that implement and enable the highest level of EMV capability/technology within their environments will enjoy the lowest risk of fraud loss (e.g. if a merchant implements a fully EMV capable terminal, that merchant will benefit from the liability shift if a magstripe card is presented).
  • ATMs should have been one of the first channels to convert. ATMs were a primary card skimming enabler (and still suffer today notwithstanding various mitigating measures and technologies that have been developed over the years).
  • Upfront agreement to the phasing out/cessation of CAM (chip) fall-back to magstripe and CVM fall-back is critical to drive desired behaviours and ensure that, for example, cardholders don’t continually ‘forget’ their PINs and therefore continue to rely on signatures. This is of course an extremely difficult and fraught journey for stakeholders to embark upon, especially merchants and consumers, but it has proven time and time again to be the appropriate course of action to support achievement of desired outcomes for EMV migrations.

Surely then, being mindful of these and other learnings, EMV chip and PIN is a must in the US? As ever, it’s not as straightforward as that. There are many factors to consider, not least of which is the cost – financial, operational, customer, social and cultural – of this decision. And apart from cost, are the reasons that historically led to choosing chip and PIN still the same today?

Let’s deal with cost first. It is widely established (e.g. UK, Australia, Europe) that implementing EMV chip (typically CDA) is one of the most effective mitigants to skimming/counterfeit fraud. The addition of the PIN element generally mitigates against fraud types such as lost/stolen fraud.

The diagram below provides a perspective on the 2014 card fraud loss landscape in the US. Clearly the predominant fraud types are counterfeit ($3.0bn pa) and cardholder not present ($2.9bn pa), with lost and stolen fraud a not insignificant $0.8bn pa.

Bearing in mind that the US is almost entirely an online authorisation ecosystem and EMV chip and PIN was designed for a predominantly offline ecosystem – does it make sense to invest significantly in infrastructure to support offline PIN?

From purely a financial cost perspective, given significant current economic pressure from all quarters to reduce and manage costs, surely it makes sense to prioritise and focus limited resources on the areas of greatest exposure and impact? In the case of the US, this appears to be counterfeit and CNP fraud losses with lost/stolen appearing as the third priority. Therefore, based on current experience and relatively predictable outcomes, it appears most likely that chip and signature would be the most balanced, cost-effective immediate solution to the skimming/counterfeit fraud issue.

Furthermore, in a world where high-profile data breaches are too common for comfort, this would be a significant step towards rendering card data obtained from these breaches useless in geographies where EMV chip is the only acceptable form of face-to-face card payment type. The caveat, however, is that as long as a magstripe exists on today’s payment cards, there is still a risk that, without the application of additional mitigating measures by value chain stakeholders, this data can still potentially be used to commit fraud in online environments (as can EMV cards without additional risk management controls in the online environment – EMV in and of itself does not reduce/remove CNP fraud risk).

One of the next questions is whether the payments ecosystem has changed to the extent that chip and PIN is no longer valid. Clearly the ecosystem has changed dramatically in many respects since the early days of EMV, not least of which is the phenomenal pace of technology advancement in the fraud and risk management space. Much has been written about a multi-layered approach to fraud management (this article will not seek to replicate that discussion) – at this time, EMV should be one component of that multi-layered approach. There are numerous other components such as advanced KYC, real-time behavioural analytics and transaction scoring (with the new breed of self-learning Bayesian modelling beginning to threaten the incumbent neural network based solutions), geographically aware location-based solutions, etc. Many of these solutions did not exist at the time that EMV PIN versus signature decisions were being made in the non-US EMV migrations – needless to say, their existence today significantly influences the considerations that underpin such decisions.

A further, oft-cited justification for ‘ignoring’ PIN is the argument that a large proportion of the general American population is likely to be unable to remember and use their PINs as required. This article cannot support that argument – Americans have been successfully using PIN-based debit card products for many years. For consumers, the EMV PIN experience is identical.

Perhaps a less obvious, but potentially important consideration is how chip and signature cards will be treated outside of the US. Most non-US implementations of EMV have been chip and PIN. US chip and signature cards being presented for payment in geographies that expect chip and PIN are likely to cause significant confusion and friction at the POS.

It is therefore valid to argue that, given the nature of the face-to-face payments ecosystem today and, in the absence of anything else (e.g. removing payment card data from the ecosystem entirely), perhaps chip and PIN is relatively the most appropriate solution. However, when implemented in a predominantly online authorisation ecosystem and in conjunction with a multi-layered fraud and risk management approach, compromising with chip and signature is unlikely to pose the same level of risk it may have done in the past. To Visa’s point, there are other innovations being driven into the market in this space and, while it will take some considerable time for some of these to gain the global ubiquity that is essential to their success, it probably makes sense to balance limited resources, i.e. industry investment, across these innovations in parallel with investment in today’s toolbox for fraud and risk management – of which EMV is definitely a part.

The Walmart position is both valid and unsurprising for a number of reasons – for example, having your till-based check-out staff carrying the burden of authentication, i.e. deciding whether a signature matches the version on the back of the payment card, is entirely unrealistic and has been proven to fail as an effective risk management measure time and again (e.g. there are many examples of ‘Mickey Mouse’ signatures being successfully used in face-to-face transactions…). PIN helps to address this issue, although effective online authorisation screening (e.g. context-aware, dynamic authentication) can be an even more powerful tool in both the face-to-face and online transaction ecosystems. Walmart is also in the position of having already made the investment in a PIN-based strategy – something a number of their competitors are not keen to do.

So, back to our original question: is Visa or Walmart correct? Both, actually. There can be no doubt that signature has long been a very poor form of authentication; however, given the US context, implementing PIN where there are more advanced and effective methods of authentication available probably makes less sense today than historically. Value chain stakeholders with potentially significant exposure to fraud risk must consider investing in a sophisticated, multi-layered approach to fraud and risk management. With or without PIN, EMV is not and was never designed to be a standalone silver bullet solution to all payment fraud.

The post Chip and signature is a joke! appeared first on Accourt Payments Specialists.

Card fraud increases as stolen cards used once every 20 seconds
https://www.accourt.com/card-fraud-increases-as-stolen-cards-used-once-every-20-seconds/
Wed, 15 Apr 2015 12:00:50 +0000

The post Card fraud increases as stolen cards used once every 20 seconds appeared first on Accourt Payments Specialists.

British businesses were hit by card fraud once every 20 seconds in March, with Worldpay warning that small businesses are likely to have been hackers’ biggest targets.

Worldpay saw over 133,000 fraudulent transactions worth £10 million reported in March alone, leaving businesses out of pocket as fraudsters purchased goods and services using stolen card details. Over 67% of all fraudulent transactions happened online, while purchases made over the phone or by mail accounted for 19% of the total.

“Technology to guard against card counterfeiting and fraud has come a long way, yet the rates of attack are truly alarming. Card details are the weakest links in consumers’ and businesses’ defences and the one area that fraudsters know to hone in on,” comments Tim Lansdale, Head of Payment Security at Worldpay.

This graph shows the number of investigations into card breaches (i.e. known breaches) amongst Worldpay customers, by business PCI DSS level during 2011-2014. There were a total of 140 investigations held during this period.


“Businesses that fail to protect their payment systems are not only left out of pocket when goods are purchased using stolen card details but also face paying for the investigation into the breach and the stiff industry penalties which inevitably follow. They are also likely to face bad publicity, which can swiftly erode the years of trust customers have built up in a business and can lead to even more lost custom in future.”

Small businesses, which accounted for 85.7% of all card data breaches last year, make easy prey for the more advanced cyber hackers. By contrast, Worldpay has seen a 179% increase in payment security compliance amongst the UK’s biggest businesses, as the boardrooms of larger, better resourced companies look to bulk up their security in line with the card payment industry standards.

Causes of card data breaches


Regardless of business size, the clean-up costs of being targeted by hackers and suffering a card data breach can run to tens of thousands of pounds. A standard small business forensic investigation into a card data breach costs £11,250 on average and typically attracts at least an £8,000 industry penalty, not including the costs of lost goods and damage to reputation. Worldpay has seen larger businesses pay up to £100,000 for the forensic investigation alone.

“Prevention is clearly better than the cure when it comes to getting hacked. The UK’s largest companies have made great strides to improve their payment security but small businesses are still falling behind and being targeted as a result. Businesses of all shapes and sizes should be taking the necessary measures to protect themselves and their customers and employees,” said Lansdale.

Industries affected by card data breaches


Advice to businesses: How to avoid being a victim:

Card data breaches:

  1. Check you meet the card industry’s standards for keeping card data safe, and that your third party suppliers do too.
  2. Install all the latest patches for servers, operating systems, applications, and frameworks (Java, .NET etc.), to protect your ecommerce website.
  3. Change online system log-ins from the default, and use strong passwords that hackers cannot guess.

Fraud:

  1. Ask your payment processor about online protection, such as Verified by Visa, to make ecommerce payments safer from fraud.
  2. Be wary of high value or unusual orders from a customer you do not know, particularly if the product can be resold easily.
  3. Use the Address Verification Service, to match the customer’s delivery address with the billing address of the card owner.

Online fraud – an unrelenting, unforgiving battleground…
https://www.accourt.com/online-fraud-an-unrelenting-unforgiving-battleground/
Wed, 01 Apr 2015 13:59:07 +0000

The post Online fraud – an unrelenting, unforgiving battleground… appeared first on Accourt Payments Specialists.

The recent release of the annual UK fraud figures describes an interesting picture of some successes and some areas for continued concern and renewed action.

First, the headline successes. Fraud conducted in the face-to-face retail environment continues to show a healthy decline trend (down 14% on the previous year) with card ID theft (down 19%) and cheques (down 35% off a rapidly decreasing base) also showing notable declines. These figures show an industry that continues to tackle some of the key fraud issues head-on; however, there are still significant challenges that need to be addressed, writes Vaughan Collie, Partner, Accourt – Payments Specialists.

On the downside, e-commerce and online banking continue to be areas of material concern.

E-commerce fraud has increased by 14%, continuing its worrying upward trend. These figures show an above average fraud-to-sales ratio (i.e. a common industry indicator of how much fraud loss is experienced for every unit of sales) in an industry where online commerce continues to grow exponentially and, with the increasing popularity of commerce through mobile devices such as smartphones and tablets, this remains an area of significant concern.


Annual fraud losses on UK-issued cards 2008 to 2014 (Source FFA UK)

Online banking fraud has also shown an eye-watering increase of 48%.  One of the key drivers of this is a criminal element adept at basic, low-tech social engineering, preying on unsuspecting, sometimes gullible and vulnerable consumers – making this type of fraud relatively difficult to defend against (especially with legacy fraud management products and techniques).  This is primarily due to the ability of the criminals to bypass the safeguards put in place by the banks and other financial institutions once they’ve stolen sensitive information and/or credentials from consumers via these social engineering techniques.

It is not difficult to see that the common element among the highest-impact fraud losses is the underlying online ecosystem. This ecosystem remains popular with criminals due to its inherent detachment from face-to-face interactions (often perceived as more risky) and relatively easy attack scalability coupled with, perhaps most importantly, the relative ease of exploiting human fallibility, especially in technology-enabled channels.

Fortunately, there are a number of advanced tools and techniques that service providers in the online ecosystem can employ to detect, mitigate against and, ultimately, stop future attacks. However, so many products and services are available in the marketplace that it is extremely difficult to determine which products, services, tools and techniques are most appropriate and effective at addressing the prevailing threats. Many of the products and services have been available for a long time and have failed to adapt to the rapidly changing landscape of threats. Technology and products that used to be good not that long ago are now less effective.

Annual online, telephone banking and cheque losses 2008 to 2014 (Source FFA UK)

Furthermore, the P&L challenge to fraud managers is (rightly) changing dramatically.  Whereas fraud management was traditionally seen as a necessary cost of doing business, with very limited ability and budget to materially and positively impact an organisation’s fortunes, modern technologies and best practices enable dynamic fraud managers to positively contribute to the bottom line, but without adversely impacting the organisation’s fraud profile.  Done right, this means that an organisation is able to, for example, enable authorisation of more good sales volume and/or decrease the friction of consumer interactions – all without adversely impacting that organisation’s risk and fraud profile.

How can Accourt help?

  • As a vendor/product independent organisation, Accourt advises on and conducts many vendor and product evaluations, particularly in the payments fraud management ecosystem.
  • Accourt is at the forefront of the emerging and break-through fraud detection and management technologies across all geographies.  With a bedrock understanding of payments across the entire payments value chain, Accourt is consistently able to cut through to and isolate the core value and differentiators of market products, thereby objectively distilling market-leaders from the rest.
  • Accourt’s focus is always an integrated approach, most effectively combining the product and operational aspects of the undertaking to its clients’ benefit.
  • Recognising that many organisations cannot decommission existing products, Accourt has significant practical and pragmatic experience in how to engineer a complementary fit of newer products and technologies alongside the existing legacy.
  • The focus on omni-channel commerce and customer service has further challenged legacy products in the fraud management ecosystem.  Accourt is able to independently identify and advise on those products that have managed to overcome and address this challenge.
  • Coupled with industry-leading fraud management knowledge and experience, Accourt is steeped in deep operational knowledge and experience of chargeback optimisation and implementation.  An integrated approach to fraud and chargeback management generally returns greater operational and financial benefit than a ‘silo’ approach.

25% of phishing attacks in 2014 targeted financial data
https://www.accourt.com/25-phishing-attacks-2014-targeted-financial-data/
Fri, 13 Feb 2015 12:40:47 +0000

The post 25% of phishing attacks in 2014 targeted financial data appeared first on Accourt Payments Specialists.

The Kaspersky Lab study ‘Financial Cyber Threats in 2014’ reports that 28.8% of phishing attacks in 2014 were intended to steal financial data from users. While carrying out their scams, cyber criminals have shifted their focus from bank brands to payment systems and online shopping sites.

  • Cybercriminals used the names of well-known banks in 16.3% of attacks; in 2013, the level of bank phishing was 22.2%
  • In the Payment Systems category, cybercriminals mostly targeted data belonging to users of Visa cards (31.02% of detections in the Payment Systems category), PayPal (30.03% of detections) and American Express (24.6%)
  • The names of well-known online shopping sites were used in 7.3% of attacks (6.5% in 2013)
  • In 5.1% of cases, Kaspersky Lab’s protection technologies were triggered by phishing pages mentioning payment systems, which is 2.4 percentage points more than in 2013
  • The proportion of financial phishing detected on Mac systems increased by 9.6 percentage points compared to the previous year, representing 48.5% of all instances in which the anti-phishing component of Kaspersky Lab security products for Mac OS X was triggered

Distribution of instances where anti-phishing technologies were triggered in Kaspersky Lab products in 2014

Phishing is a type of Internet fraud that is used by cybercriminals to lure users into providing their data (account logins and passwords and other personal information) by creating fake web pages to imitate popular online resources.

Last year, the proportion of financial phishing to all phishing attacks fell by 2.7 percentage points compared to 2013, primarily due to a decrease in the level of banking phishing. At the same time, there was proportionally more phishing targeting other financial categories.

In the Payment Systems category, cybercriminals mostly targeted data belonging to users of Visa cards (31.02% of detections in the Payment Systems category), PayPal (30.03% of detections) and American Express (24.6%). At the same time, in 2014 detections for phishing pages mentioning PayPal saw their share fall by 14.09 percentage points compared to 2013.


Distribution of instances where anti-phishing technologies were triggered in Kaspersky Lab products in 2014 – Payment Systems

Amazon remains the most commonly-attacked brand in the Online Shopping category – 31.7% of attacks in this category used phishing pages mentioning Amazon. However, this is 29.41 percentage points less than in the previous year.

“The rise in financial phishing that we saw in the past has naturally drawn a response from the brands most frequently abused in phishing scams – they are beginning to tackle phishing distribution channels, especially email spam, more actively,” says Nadezhda Demidova, web content analyst at Kaspersky Lab.

“That leads to a reduction in the levels of phishing that targets some of the larger brands. However, cybercriminals immediately responded by targeting new ‘markets’. For example, in 2014 we saw a large number of phishing scams based on websites that sell plane tickets. These are targets that used to be seen fairly infrequently in phishing scams.”

Kaspersky Lab experts have also recorded an increase in the proportion of financial phishing attacks against Mac OS X users. Overall, about 48.5% of all phishing attacks detected on computers with Kaspersky Lab security products for Mac installed on them were designed to steal financial data. In particular, banks were mentioned in 29% of attacks, payment systems in 11.21% and online shopping sites in 8.32% of attacks.

You can find information on other changes in the 2014 financial cyberthreats landscape in the full text of the report on Securelist.com

Modern phishing websites are getting more and more sophisticated, making them very hard for users to recognise. That is why we recommend using an Internet security solution with an advanced anti-phishing technology in place.

The anti-phishing module is included in key Kaspersky Lab products for home and corporate users, as well as Kaspersky Fraud Prevention – a platform created specifically to protect banks from online financial fraud. Its three components – anti-phishing databases, Kaspersky Security Network and heuristic analyser – provide robust protection against phishing. The module’s effectiveness has been confirmed by independent test labs.
