Data security and e-commerce fraud are the payments industry’s most critical challenges. Today’s news roundup looks at the latest developments in payments security, recent data breaches, fraud and security trends. Experian reported Delaware, Oregon and Florida were the states with the most billing and shipping e-commerce fraud in 2016. Gemalto said data breach incidents grew by 86% in 2016 with 59% of those being personal data theft. It said more than 3 million data breaches happen daily.

The Financial Conduct Authority (FCA) in the UK reported 75 cyberattacks in 2016, up from only five in 2014. More than 1,000 InterContinental Hotels Group (IHG) hotels had cash registers compromised in a 2016 Q4 data breach, much higher than first disclosed by the company. Online banking service Simple has a growing list of angry customers losing their accounts as part of a poorly managed service provider migration.

MasterCard hopes to combat credit card fraud with the introduction of its new biometric fingerprint verification card. Verifi launched a new fraud prevention platform to combat first-party or friendly fraud. Finextra reports 70% of chargebacks are a result of friendly fraud. The Association for Financial Professionals said 75% of companies suffered wire fraud in 2016 and 74% were victims of business email scams.

BioCatch will partner with Experian to combat new account fraud with behavioural biometrics. Notorious Russian hacker Roman Seleznev was convicted and sentenced to 27 years in prison for identity and credit card fraud that hit more than 3500 financial institutions and 500 businesses. The result was more than two million credit cards sold on the black market and losses could grow to billions of dollars. Just in time for tax season, the IRS reports as many as 100,000 consumers could have personal identity data compromised by recent hacking of its data system with information from parents whose children applied for student loans.

Experian: US e-commerce fraud increases as EMV acceptance grows

https://www.mobilepaymentstoday.com/news/experian-us-e-commerce-fraud-increases-as-emv-acceptance-grows/

Delaware, Oregon, and Florida were the top-ranked states for billing and shipping e-commerce fraud in 2016, according to a new report from Experian.

Both Oregon and Delaware saw an increase in e-commerce billing fraud attacks of more than 200 percent. Three states — Florida, California and New York — accounted for more than 70 percent of all e-commerce billing fraud attacks.

“One of the major drivers for the increase in fraud attacks is the continued adoption of EMV terminals for chip-and-pin credit cards,” Adam Fingersh, Experian general manager and senior vice president of fraud and identity solutions, said in a press release. “While these cards reduced counterfeit credit card fraud at the point of sale, they have driven fraudsters online. This pattern is similar to what other EMV markets saw when transitioning to chip-and-pin cards. As more compromised data becomes available from breaches, it’s easier for fraudsters to get their hands on identity data requiring consumers and businesses to stay diligent in protecting themselves.” Via mobilepaymentstoday.com

Here are the data breach statistics for 2016 – fasten seat belts

https://disruptiveviews.com/data-breach-statistics-2016/

The latest data breach stats report from vendor Gemalto shows an increase of 86% YoY. Theft of personal data was top of the data breach stats in 2016, accounting for 59% of all data breaches. In addition, 52% of the data breaches in 2016 did not disclose the number of compromised records at the time they were reported.

The Breach Level Index is a global database that tracks data breaches and measures their severity based on multiple dimensions, including the number of records compromised, the type of data, the source of the breach, how the data was used, and whether or not the data was encrypted. By assigning a severity score to each breach, the Breach Level Index provides a comparative list of breaches, distinguishing data breaches that are not serious versus those that are truly impactful (scores run 1-10).

According to the Breach Level Index, more than 7 billion data records have been exposed since 2013 when the index began benchmarking publicly disclosed data breaches. Breaking it down that is over 3 million records compromised every day or roughly 44 records every second.

Last year, the account access based attack on AdultFriend Finder exposing 400 million records scored a 10 in terms of severity on the Breach Level Index. Other notable breaches in 2016 included Fling (BLI: 9.8), Philippines’ Commission on Elections (COMELEC) (BLI: 9.8), 17 Media (BLI: 9.7) and Dailymotion (BLI: 9.6). In fact the top 10 breaches in terms of severity accounted for over half of all compromised records. In 2016, Yahoo! reported two major data breaches involving 1.5 billion user accounts, but are not accounted for in the BLI’s 2016 numbers since they occurred in 2013 and 2014. Via disruptiveviews.com

Fighting Financial Crime: The Power of Industry Collaboration

https://internationalbanker.com/finance/fighting-financial-crime-power-industry-collaboration/

With the fourth EU Directive on Money Laundering coming into force in June this year and instances of financial crime becoming increasingly frequent, it is more crucial than ever for teams within Financial Institutions (FIs), as well as across the industry, to collaborate to tackle financial crime and fraud. In 2016, more than 75 cyberattacks were reported to the Financial Conduct Authority (FCA) in the UK compared to just five reports in 2014; the challenges of managing and combatting financial crime risk are becoming more and more difficult. The need to mitigate financial crime is particularly prudent given that statistics from CEB Tower Group show that fines from financial crime have increased by 55,000 percent over the past 10 years, thanks to more frequent and higher value attacks.

In order to tackle financial crime and to lessen the impact of fraudulent attacks, organisations need to ensure that they have the correct infrastructure in place. Anti-Money Laundering (AML), Know Your Customer (KYC) and fraud prevention solutions are all key to reducing and managing financial crime risk, yet knowing which one to prioritize can prove a challenge. Financial crime is unpredictable, therefore FIs need to implement prevention strategies and share resources between teams so that comprehensive customer profiles can be created. These profiles can make a huge difference in identifying unusual behaviour indicative of money laundering, tax evasion, human trafficking and instances of fraud. Ultimately such an approach helps FIs reduce the amount of overall investment required to manage financial crime risk whilst enabling more accurate detection of fraud and money laundering. Via internationalbanker.com

InterContinental Hotel Chain Breach Expands

https://krebsonsecurity.com/2017/04/intercontinental-hotel-chain-breach-expands/

In December 2016, KrebsOnSecurity broke the news that fraud experts at various banks were seeing a pattern suggesting a widespread credit card breach across some 5,000 hotels worldwide owned by InterContinental Hotels Group (IHG). In February, IHG acknowledged a breach but said it appeared to involve only a dozen properties. Now, IHG has released data showing that cash registers at more than 1,000 of its properties were compromised with malicious software designed to siphon customer debit and credit card data.

Headquartered in Denham, U.K., IHG operates more than 5,000 hotels across nearly 100 countries. The company’s dozen brands include Holiday Inn, Holiday Inn Express, InterContinental, Kimpton Hotels, and Crowne Plaza.

According to a statement released by IHG, the investigation “identified signs of the operation of malware designed to access payment card data from cards used on site at front desks at certain IHG-branded franchise hotel locations between September 29, 2016 and December 29, 2016.” Via krebsonsecurity.com

Simple is closing some customer bank accounts, and users are mad as hell

https://techcrunch.com/2017/04/14/simple-account-closures/

Simple, the online banking service that promised to be a better alternative to big banks like Chase or Citibank, is falling short of some users’ expectations. This time, it comes as a result of the sudden and surprising notice customers received alerting them that their accounts would be closed next month.

On Thursday, Simple sent notice to a small number of customers with the subject line “We have to close your account on May 13.” The notice went on to explain that the closures were the result of a massive account migration the company has been working on for the last several months. Those users wouldn’t make the cut before Simple’s contract with its former partner bank ended, leaving them out in the cold.

In reality, the service sometimes fell short of some users’ expectations, due to occasional outages and glitches that plagued users even after it was acquired by BBVA for $117 million three years ago. Via techcrunch.com

MasterCard debuts a credit card with a fingerprint sensor to fight fraud

http://www.zdnet.com/article/mastercard-debuts-credit-card-with-a-fingerprint-sensor/

Swipe-to-pay. Chip-and-PIN. What next? Credit cards with fingerprint sensors? Turns out that is MasterCard’s latest invention: A new credit card with an integrated fingerprint sensor, which aims to fight in-store fraud.

The card, currently under trial in South Africa, includes a sensor embedded in the plastic of the credit card. It allows customers to authorize a payment with a fingerprint, rather than a PIN code or a signature.

The payments giant said Thursday that the new biometric credit card will work on existing chip-and-PIN readers and won’t require store owners and businesses to buy any new hardware, though older magnetic stripe-only terminals will not be compatible. Via zdnet.com

New Verifi Solution Fights ‘Friendly Fraud’

http://www.pymnts.com/news/security-and-risk/2017/new-verifi-solution-takes-aim-at-chargebacks-and-friendly-fraud-chargeback-mitigation-risk-management-card-not-present-order-insight/

Payments and risk management solutions provider Verifi, which specializes in serving CNP merchants, just recently announced the launch of a new platform that aims to improve efficiency and cut down on unnecessary chargebacks and fraudulent claims.

Verifi has found that up to 86 percent of cardholders today will bypass the merchant when questioning or disputing a charge and directly contact their issuing bank instead. In some cases, Verifi has found that cardholders will use the dispute process as a means to seek a refund — a practice referred to as first-party or “friendly” fraud. Since issuing banks don’t typically have access to specific purchase details, they will often credit the cardholder and issue a chargeback to the merchant.

According to research cited by Finextra, as much as 70 percent of chargebacks are the result of first-party fraud. Via pymnts.com

Today In Data: B2B Payments Fraud

http://www.pymnts.com/today-in-data/2017/today-in-data-b2b-payments-fraud-business-email-compromise-bec-scam-association-for-financial-professionals-afp/

Fraud can happen on a multitude of levels in nearly any part of the economy.

In the Association for Financial Professionals’ 2017 Payments Fraud Survey, the organization saw a significant rise in the amount of B2B payment fraud occurrences.

Here are the numbers:
– 75 percent | Percentage of companies experiencing wire fraud in 2016
– 74 percent | Percentage of companies that were tricked by 2016 business email compromise (BEC) scams
– 51 percent | Decline in the use of physical checks in B2B transactions. Via pymnts.com

Experian tackles new account fraud with BioCatch behavioral biometrics

BioCatch, the global leader in behavioral biometrics, announced today that it has teamed up with Experian, the leading global information services company, to integrate its behavioral biometric technology into the company’s fraud and identity platform, CrossCore™, to help prevent new account fraud for its users.

The integration of BioCatch technology into the CrossCore™ platform provides a very powerful level of protection against fraud, getting past information that criminals may have stolen to detect fraud in real-time. For example, this could be focusing on the way a user behaves as he or she fills out an online credit card application. This is all done without compromising the user experience and slowing down the application process.

“New account fraud, which is looked at as the gateway for hackers, ends up costing businesses and consumers a lot of money and headaches — and it’s only getting worse,” said Eyal Goldwerger, Chief Executive Officer of BioCatch. “We’re excited to be working with Experian to help prevent new account fraud, providing a completely new layer of security using behavioral biometrics by focusing on ‘how’ a user enters information into an application, not ‘what’ information is being entered, in a seamless way that does not add any friction to the application process.” Via finextra.com

Russian ‘pioneer’ of identity theft and card fraud jailed for 27 years

https://nakedsecurity.sophos.com/2017/04/25/russian-pioneer-of-identity-theft-and-card-fraud-jailed-for-27-years/

Roman Seleznev, the Russian MP’s son who was found guilty last year of hacking into point-of-sale (PoS) systems and stealing millions of credit cards, has received the longest-ever sentence for hacking to be handed down in the US. The prosecutors had asked for 30 years, referring to Seleznev in a sentencing memorandum as “a pioneer” in the online theft and monetization of card data. At 27 years, the final sentencing came in close to what prosecutors were after.

He was convicted for running a vast credit card and identity theft operation from his homes in Bali, Indonesia, and Vladivostok, Russia, and for selling more than 2m credit card numbers on the black market.

Losses from his crimes, which targeted 3,700 financial institutions and 500 businesses around the world, came to at least $170m. Among his prey were small businesses, some of which struggled to defend against his attacks, and some of which failed to recover at all. Court documents said that total losses could grow to billions of dollars. Via nakedsecurity.sophos.com

Taxing times to fend off cyber fraud

https://gcn.com/articles/2017/04/17/tax-fraud.aspx

Wily cyber criminals eager to exploit the annual stress that surrounds tax filing to steal valuable, data-rich returns are adding to agencies’ workloads — putting the IRS on the defensive, and forcing the Department of Education to temporarily shut down the IRS data retrieval tool used to populate the Free Application for Federal Student Aid form.

In comments before the Senate Finance Committee on April 6, IRS Commissioner John Koskinen revealed that hackers recently exploited the tax agency’s online data retrieval tool that transfers parents’ financial information to the student-aid application, putting nearly 100,000 people at risk of identity theft. (Nearly 20 million people filed a FAFSA in 2015-16.)

Given that there are more than 200 ways in which the IRS shares, or allows individuals to share, tax data with financial firms, lenders, employers and other government agencies, it is not surprising that vulnerabilities exist. Via gcn.com