With identity theft in the news nearly every day, owners of customer
information obliged to keep it private, and fraud chargebacks costing
merchants money, security is top of mind for card issuers, acquirers,
ISOs and their merchants.
Identity theft is the fastest growing crime in America, hitting 27.3
million victims in the past five years, and costing them over $56
billion in damages, according to a study from Javelin Strategy &
Research. It has become so prevalent that an identity thief strikes,
on average, every 3.5 seconds.
Some 61 million customer records have been compromised in the last
couple of years, according to Brandon Hoff, Chief Marketing Officer for
CipherOptics. Despite the publicity around customer information lost on
backup tapes and other media, fewer than 4 percent of those records were
exposed that way, Hoff says. Seventy-six percent were taken by attackers
working remotely over the network, and another 12 percent were lost
through employees or business partners.
That trend could grow, Hoff and others say, as wireless devices become
more prevalent, because security for wireless networks is not as mature
as it is for wired ones.
“Ninety-three percent of the attacks are malicious,” Hoff adds. “Only
seven percent [of customer information breaches] are accidental.”
The breaches can come from any device connected to the network, Hoff
adds; at a previous company he found a computer worm running on a
printer. So he strongly recommends that companies holding customer
information secure the whole network: not only installing security
software, but also making sure patches download and install
automatically, because the threats keep evolving.
Business, Legal Issues Make Fraud Costly
Beyond meeting industry fraud-prevention standards to protect their own
businesses from chargebacks and higher interchange fees, merchants also
need to protect customer information to comply with a growing number of
state laws, enacted or under discussion. The details vary by state, but
most are patterned after California SB 1386, which requires a company
holding California residents' personal information to notify the
affected residents when it has reason to believe that data has been
acquired by an unauthorized person.
Congress is considering similar legislation, but nationwide notification
may already be the de facto standard. When ChoicePoint was breached, the
company first notified its California customers, then notified customers
in every state once other states pressed the matter. The data theft and
the response to it cost the company $11.4 million.
So any merchants who retain customer information must similarly
protect it for legal as well as business reasons.
“Merchants can outsource all of their processing, but they can’t
outsource the risk of storing customer information,” says Hoff.
There have also been reports that consumers will shy away from online
and other electronic forms of payment if identity theft isn't reined
in.
The card companies have all added their own security precautions,
perhaps the most comprehensive of which is the Payment Card Industry
Data Security Standard. The standards require vendors and merchants
to follow specific procedures for auditing, logging, configuration,
access controls and encryption.
The PCI data security standard, endorsed by Visa, MasterCard
International, Discover Card, JCB and American Express, requires
merchants and service providers that store, process or transmit
customer credit card data to adopt aggressive security controls and
processes.
Following all of these requirements can be daunting for a merchant,
particularly a small business. Using payment applications and equipment
that vendors have had validated against the card brands' standards takes
much of the burden off the merchant, which is why vendors whose products
are not yet validated are striving to get there. Validated equipment does
not by itself make a merchant compliant, however: the merchant's own
network, configuration and procedures are still subject to the
self-assessment, scanning and on-site review the card brands call for.
To help those in the industry discuss PCI-related issues in an open
forum, pciFile.org has established a free service for people who have
passed Visa’s auditor certification process.
This service primarily serves Visa certified auditors, known as
“qualified data security professionals,” but also welcomes posts from
security professionals who help merchants and service providers
comply with this new security standard.
pciFile is co-moderated by Mike Dahn, the primary author and
instructor of Visa’s QDSP certification program. Sharing the task is
David Shackleford, who also leads The SANS Institute’s class on PCI
compliance.
Similarly, the MasterCard Site Data Protection Program is designed to
help issuers, acquirers, retailers and service providers - third
party processors and data storage entities - proactively protect
themselves. MasterCard Site Data Protection identifies
vulnerabilities in security and Web site configurations. A key focus
of the program is to help acquirers ensure that retailers and payment
transaction providers store MasterCard account data in accordance
with PCI.
MasterCard urges merchants to undergo onsite reviews, complete security
self-assessments and run security scans.
Retailers are a central focus of the MasterCard Site Data Protection
Program. These businesses typically have access to and may sometimes
store MasterCard account data. MasterCard Site Data Protection is
designed to ensure that only necessary data is stored, and stored
securely.
New Products, Services Launched
Vendors continue to roll out new products and services designed to
help merchants meet the challenge of protecting customer information
and, as an extension, protecting their businesses.
AmbironTrustWave formed a new business unit, SpiderLabs, to focus on
detecting and mitigating the latest threats from online hazards such
as hackers and viruses.
SpiderLabs serves as the firm’s data security services division with
core expertise in penetration testing, application security, incident
response and forensics, and managed security services. The
name SpiderLabs is derived from AmbironTrustWave’s information
security management cycle:
- Simulate - In this stage, real-world tests such as “ethical
hacking” or “penetration testing” are conducted to measure the data
security controls of an organization.
- Prepare - To help application developers and software manufacturers
produce secure applications such as POS software, SpiderLabs maintains
an advanced application and hardware testing facility.
- Defend - Through its network operations center, SpiderLabs provides
management and monitoring services around the clock.
- Respond - SpiderLabs has a full team of investigators and incident
response specialists.
Several organizations have used SpiderLabs services to enhance the
security of their products and comply with industry requirements such
as Visa U.S.A.'s Payment Application Best Practices (PABP) standard.
“We have used the services of SpiderLabs to test our payment
applications software and middleware, and they have been instrumental
in our proactive approach to achieving stringent security standards,”
said Marco Mabante, Vice President of Compliance and Integration at
VeriFone.
SellitSAFE.com, a compromised-card notification and monitoring company,
offers merchants a fraud protection service that gives them access to a
database of compromised credit card numbers and notifies them when they
are about to process a potentially fraudulent transaction.
For $10 a month and 10 cents per transaction, SellitSAFE monitors its
customers’ business dealings, collecting data from a variety of
sources and searching the Internet for compromised credit card data
then tagging questionable sales transactions. SellitSAFE also offers
a 30-day trial.
FactorTrust uses the mobile phone as a unique identifier to provide
secure payer authentication for online credit card transactions. The
FactorTrust service captures, stores and matches the consumer’s
mobile phone number to their credit card information during the order
confirmation process. An SMS text message is then sent to the
consumer requesting verification to proceed with the online order. If
the credit card was being used fraudulently, the consumer would be
alerted immediately, wherever they are at that time. The online
merchant has access to their own merchant dashboard to see the
results prior to shipping the order, reducing potential chargebacks
and lost inventory.
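The order-confirmation flow described above, sketched in Go as an added example. This is not FactorTrust's code and says nothing about how its service is actually built; it shows the merchant-side state machine a practitioner would want behind such a step: the phone number typed at checkout is checked against the number already bound to the card before anything is sent, the code comes from a CSPRNG, it expires, wrong replies are capped, and a decision is final once made. The card token, phone numbers and order IDs are constructed, the 10-minute expiry and three-attempt cap are assumptions, and the SMS gateway is replaced by an in-memory outbox.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"fmt"
	"math/big"
	"time"
)

// Decision is what the merchant dashboard shows for an order before it ships.
type Decision string

const (
	Pending  Decision = "pending"  // code sent, waiting on the consumer
	Approved Decision = "approved" // consumer confirmed the purchase
	Declined Decision = "declined" // phone mismatch or too many wrong codes
	Expired  Decision = "expired"  // no answer within the time limit
	Unknown  Decision = "unknown"  // no such order
)

// SMS is a constructed stand-in for a message handed to an SMS gateway.
type SMS struct{ Phone, Code string }

type challenge struct {
	code     string
	expires  time.Time
	attempts int
	decision Decision
}

// Verifier keeps the card-to-phone registry and the open challenges; the
// clock is injected so that expiry can be exercised deterministically.
type Verifier struct {
	now      func() time.Time
	ttl      time.Duration
	maxTries int
	phones   map[string]string // card token -> mobile number on file (constructed)
	orders   map[string]*challenge
	Outbox   []SMS // messages that would have been sent; exposed for the demo
}

func NewVerifier(now func() time.Time, phones map[string]string) *Verifier {
	return &Verifier{now: now, ttl: 10 * time.Minute, maxTries: 3, // assumed limits
		phones: phones, orders: map[string]*challenge{}}
}

// Start runs at order confirmation. The typed number must match the one bound
// to the card, and the code only ever goes to the number on file, so a
// fraudster who supplies their own phone never receives it.
func (v *Verifier) Start(orderID, cardToken, phoneGiven string) (Decision, error) {
	onFile, ok := v.phones[cardToken]
	if !ok || subtle.ConstantTimeCompare([]byte(onFile), []byte(phoneGiven)) != 1 {
		v.orders[orderID] = &challenge{decision: Declined}
		return Declined, nil
	}
	// Six-digit code from the CSPRNG; math/rand would be guessable.
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		return Declined, err
	}
	code := fmt.Sprintf("%06d", n.Int64())
	v.orders[orderID] = &challenge{code: code, expires: v.now().Add(v.ttl), decision: Pending}
	v.Outbox = append(v.Outbox, SMS{Phone: onFile, Code: code})
	return Pending, nil
}

// Status is the merchant-side view consulted before shipping; it also
// retires challenges whose time limit has passed.
func (v *Verifier) Status(orderID string) Decision {
	c, ok := v.orders[orderID]
	if !ok {
		return Unknown
	}
	if c.decision == Pending && v.now().After(c.expires) {
		c.decision = Expired
	}
	return c.decision
}

// Confirm handles the consumer's reply. Expiry and the attempt cap are the
// real defence for a six-digit code; the constant-time compare only avoids
// leaking how many leading digits were right. Final decisions never change.
func (v *Verifier) Confirm(orderID, reply string) Decision {
	if d := v.Status(orderID); d != Pending {
		return d
	}
	c := v.orders[orderID]
	c.attempts++
	if subtle.ConstantTimeCompare([]byte(c.code), []byte(reply)) == 1 {
		c.decision = Approved
	} else if c.attempts >= v.maxTries {
		c.decision = Declined
	}
	return c.decision
}

func main() {
	clock := time.Date(2006, 1, 1, 12, 0, 0, 0, time.UTC)
	v := NewVerifier(func() time.Time { return clock }, map[string]string{"tok_4111": "+15551234567"}) // constructed
	d, _ := v.Start("order-1", "tok_4111", "+15551234567")
	fmt.Println(d, v.Confirm("order-1", "nope"), v.Confirm("order-1", v.Outbox[0].Code)) // pending pending approved
	d, _ = v.Start("order-2", "tok_4111", "+15559999999") // attacker's own phone: declined, nothing sent
	fmt.Println(d, len(v.Outbox))                          // declined 1
}
```

Status is what the dashboard reads before an order ships. Because the code is only six digits, the attempt cap and the expiry do the real work; the constant-time compare is cheap hygiene, not the main control. Note also that the mismatch path records a declined order without sending anything, so the attacker gets no signal about which number is on file.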
The release of this new purchase and payer authentication service
coincides with mainstream acceptance of mobile phones and SMS
globally and the rapid momentum building in North America. According
to Forrester Research, over 82 percent of adults have mobile phones
in North America and virtually all of them are SMS-capable.
“The cornerstone of our strategy is to provide a trusted network for
online commerce,” says FactorTrust CEO Rable.
“We set out to develop a solution and process that addressed both
consumers’ concerns and merchants’ risks equally. We accomplished
that with a fast, easy-to-use and convenient authentication service
that provides consumers peace of mind and merchants lowered costs and
increased revenue.
“Even if the percentage of fraud holds at about 2 percent, with
online sales expected to grow each year at 14 percent, the increase
in fraud dollars would have a huge impact on online retail as a
whole. The current fraud and authentication solutions are just not
having enough of an impact to offset the continued high growth in
online commerce,” Rable added.
Affinion Group, a global affinity marketer, and Edentify, Inc., a
provider of identity management and fraud detection solutions,
recently entered into an exclusive marketing agreement that will
allow Affinion to incorporate Edentify’s IDBenchmark solution into
its product offerings.
Edentify’s IDBenchmark uses a proprietary process to assess and score
the risk of fraud associated with specific manipulated identities,
and will allow Affinion to analyze the identity data of its own
members and determine the level of risk linked to possible incidences
of identity manipulation and theft.
Users of Affinion’s ID theft prevention services, including
PrivacyGuard, PC Safety Plus, HotLine and others, now have access to
Edentify’s identity risk score, allowing them to proactively monitor
risk levels. Affinion Group is also using this technology in
developing new ID theft products.
“Our service, coupled with Edentify’s revolutionary technology, keeps
consumers one step ahead of would-be ID thieves, and is perhaps their
best chance of avoiding identity-related criminal abuse,” says Frank
Abagnale, an Affinion Group spokesperson and well known former
forger. “Punishment for fraud and recovery of stolen funds are so
rare that prevention is the only viable course of action. This new
offering provides unsurpassed opportunities to deter this spiraling
crime.”
“Taking a proactive approach to securing identity information is the
most effective way to prevent identity fraud,” says Terrence
DeFranco, Edentify CEO. “By interfacing our technology with
Affinion’s ID theft prevention services, consumers can see exactly
how risky their online buying behavior, for example, might be, and
make the necessary adjustments in their behavior to secure their
identity information.”
The first product to use this new technology will be IdentitySweep, a
real-time identity management service for consumers to be launched
later this year.
MagTek has made its security solution, MagnePrint, available off the
shelf to aid merchants and processors in combating fraud. MagnePrint
includes hardware that attaches to a card reader and software that
sits on the backend. These work together to authenticate the card,
says Kirian Gandhi, Vice President of Business Development for MagTek.
“This enables the [magnetic stripe] card in your wallet to be a
secured card,” Gandhi says. “Our solution reads the unique properties
of the magnetic stripe card. That provides more powerful security
than you have [with other solutions] today.”
The product itself was developed over the last several years and has
been commercially available for the last several months.
The hardware encrypts the data before sending it to the server,
protecting the information during transmission.
“In transaction security, you need to determine that the cardholder
is valid, that the card is not counterfeit and that the transmission
of the information is not compromised,” Gandhi says. “When you do
those three things, you have end-to-end security.”
Encryption Use Growing
Though the technology has been available for years, companies are now
looking more closely at encryption. Data that is encrypted at rest stays
protected even if a system is hacked or a backup tape or other storage
medium goes missing, provided the keys are not stored alongside it.
The key length a company standardizes on has historically depended on
where it does business. France restricted the use of strong encryption
into the late 1990s: domestic use was limited to 40-bit keys, a level
long since recognized as too weak for most applications, before the
ceiling for free use was raised to 128 bits in 1999. Companies doing
business in France therefore tended to settle on 128-bit.
A 128-bit key is generally considered strong enough for most uses: a
brute-force search of 2^128 keys is infeasible, and 128-bit symmetric
encryption is what financial institutions use for Internet banking
sessions. Some firms go one step further, to 256-bit keys, and many
encryption products let the user choose. Key length is only one
ingredient, however. A sound cipher and mode, keys generated randomly
and kept separate from the data they protect, and no plaintext left
lying around before encryption matter far more than the difference
between 128 and 256 bits.
New Security Experts Sought
Incentives are also becoming part of the battle to stop fraud. The
International Information Systems Security Certification Consortium,
Inc. recently awarded a pair of scholarships to computer security
professionals.
“For many years we have been supporting the training of computer
security professionals,” said Corey Schou, Consortium Vice Chairman.
“This is a way to establish that food chain. Every professional that
we certify has a commitment to the profession that we do not increase
security problems. We’re helping to develop a better cadre of folks
to work [in the industry] and a group of professionals to make sure
that people don’t get involved with spam.”
The scholarships drive more people to enter the computer security
profession, Schou added.
With technologies aiding those new professionals, “we are coming much
closer to solving the issue of [transaction] security,” MagTek’s
Gandhi says. Yet security professionals agree that fraud perpetrators
will continue to hone their skills. So the issue of fraud and fraud
protection will continue to evolve.