August 19, 2016
Crashing Waves: Security Breaches, Fraud Detection and What’s Next for CNP – Part II
CardNotPresent.com presents a three-part series stemming from a conversation with industry executives about the recent spate of massive security breaches that have exposed the payment-card information of more than 40 million U.S. consumers. The breaches did not occur in a vacuum—there were warning signs. And, the story is not over. While news from Target, Neiman Marcus and Michaels is devastating, the next 18 months could be worse. And, beyond that are even more waves that will rock the CNP industry. Part II of the series examines what’s in store for the next year and a half and what’s driving a continued spike in card-not-present fraud attempts.
Part II – EMV a Culprit in Breaches?
By D.J. Murphy, Editor-in-Chief, CardNotPresent.com
A few weeks after we flipped the calendar to 2014, while security still dominated the headlines, the FBI quietly circulated a report among retailers warning them to prepare for the worst. The law enforcement agency said attacks like the ones disclosed in December (and subsequent intrusions at arts-and-crafts retailer Michaels and White Lodging Services, a hotel management company that runs Hilton, Marriott, Sheraton and Westin hotel properties nationwide) “will continue to grow over the near term, despite law enforcement and security firms’ actions to mitigate it.” The FBI estimated in the report that there are at least 20 undisclosed security breaches funneling data into the hands of cybercriminals waiting to profit from it.
In Part I of this series, we detailed how an antifraud technology provider was able to see sharply growing amounts of fraudulent transaction attempts on its e-commerce merchants that indicated the availability of high-quality stolen payment-card information flooding the black market. While they did not know the source of the information, this turned out to coincide with the massive breaches at Target and Neiman Marcus. And, when news of the FBI report became public, fraud and risk-management executives were not surprised by the headline number.
“It looks like there are several other big ones that just haven’t been announced yet. We’ve seen evidence of it,” says Rich Stuppy, vice president of operations for Boise, Idaho-based Kount. “We can’t exactly tell where it’s draining out of. But, we can tell who’s taking it and weaponizing it and using it to steal from customers. Based on this information, our prediction is that there are several more breaches that will be announced soon.”
The Rush to Beat EMV
And, at least until October 2015, don’t expect things to get any better. Amid the constant innovation leveraging the Internet for payment and new devices making commerce easier, there are still challenges facing all players in the ecosystem. One of the biggest changes, and perhaps one of the main reasons the FBI sees so many more breaches on the horizon, according to Stuppy’s Kount colleague, vice president of marketing Don Bush, is the looming liability shift that will see most retailers convert their POS systems to the EMV standard. His contention is that cyber thieves are ratcheting up their activity while they still have the chance.
“These guys are getting while the getting’s good, while POS is still relatively easy to bust into,” says Bush. “And that’s why I think over the next 18 months, you’re going to see more breaches, more of this stuff happening, because as soon as the U.S. goes to EMV, it’s going to be much more difficult. Right now, the bad guys are working hard to get the raw materials that they need to commit fraud,” he says.
Tom Donlea, director of risk services for WhitePages PRO, agrees with Bush and says hackers, most of whom are operating out of Eastern Europe, have learned from the EMV migration in other countries.
“The savvy criminal rings are truly global in their operations and scope,” Donlea says. “Considering the fact that the USA is the last major market to adopt EMV, it is extremely likely these organized crime groups made last-minute surges like this for data harvesting at point of sale in Europe, the U.K. and Canada before they implemented EMV as well.”
Donlea says anecdotal evidence from their merchant customers and other colleagues in the industry suggests that the heightened levels of fraud seen since the Target breach will continue.
“It’s virtually guaranteed with this amount of consumer data now being matched with the other identity elements that criminals can use to build legitimate-looking profiles,” he explains. “This reality increases the need for merchants to remain very thorough in their use of layered fraud prevention tools and to utilize third-party data sources (if they don’t already) to further verify the identities associated with suspicious transactions.”
Addressing Other Points of Compromise
But, while hackers continue to probe vulnerabilities at the POS before merchants are forced to upgrade their systems in 2015, Dr. Paulo Marques, chief technology officer of antifraud technology provider Feedzai, says it would be folly to ignore other points of compromise. If merchants move to address the vulnerability that resulted in the Target and Neiman Marcus breaches, the payments ecosystem must be ready for other methods of intrusion. If cybercriminals have shown one trait above all others, it’s the ability to adapt quickly to new defenses and change their tactics.
Feedzai is using Big Data, machine learning and algorithms that leverage a much larger sample and range of data to find connections it says other technology might not be capable of finding. Marques says even when a breach does occur, it’s possible to identify intrusions more quickly if banks and merchants are employing the right technology.
“We can’t ignore the complex relationship between the issuing and acquiring side of the business,” he explains. “Banks that issue cards and merchants that accept them both need to locate the points of compromise quickly so they can stop the leaks before further damage occurs. Being able to do continuous point-of-compromise detection is essential to immediately stop data breaches. Banks need to know the true behavior patterns of each of their cardholders on an individual basis. Fraudsters steal personas but they don’t spend like your true customers.”
Marques says the combination of computational power and the ability to “ingest non-traditional data” enables financial institutions or merchants to continuously monitor their vulnerability to data breach and even sniff out an insider who might be working with a hacker to compromise their system. Such a combination, he says, wasn’t possible just five years ago.
Lastly, Marques reminds us that it’s not just merchants, banks and payment providers that are seen by hackers as targets.
“Consider what just happened in Poland, where we are also monitoring payment transactions,” he says. “A large number of home Internet routers were compromised and used to steal e-banking information from unaware users.”
Whatever the source, cybercriminals are operating in force and incidents of breach are only likely to grow.
Part III of our series examines what comes next. Once the move to EMV occurs, the POS is ostensibly safe, but the card-not-present world braces for a storm of its very own.