August 19, 2016
Data Breaches: Ripples Turn to Waves for Merchants Downstream
By Karisse Hendrick, Editor-at-Large, CardNotPresent.com
More than ever before, headlines naming large U.S. retailers as victims of a data breach have been topping the news. As both consumers and professionals in the card-security industry, we all hold our breath when a new breach is announced. But the media does not focus its attention on the after-effects of a breach, or on how the stolen data is used for financial gain. Although credit-card numbers often are used to create counterfeit cards, fraud patterns in the wake of breaches indicate stolen data also is used at card-not-present merchants. To be prepared for the millions of pieces of fraudulently obtained identifying data deluging your Websites and call centers, it is important to understand how this breached data affects the fraud coming into your business.
Not all attacks are yielding credit card numbers. If that information is not included in the data compromised in an intrusion, it is easy for other businesses to assume there is no threat to their bottom line. In our new reality, however, that is unfortunately not true. Exposed e-mail addresses, usernames and passwords can be just as damaging (if not more) to your business. The way fraud will present itself to your business is dependent on the actual data that was stolen. To get you thinking about this, we have compiled examples of how data from recent breaches may be impacting your business.
Credit-card numbers, once they have been identified as compromised, are the easiest thing for both consumers and issuers to change to head off fraud. There will always be a span of time, however, between the breach and when the cardholder and/or issuing bank are made aware of it. Following a breach that compromised just credit-card numbers, merchants might see primarily reshipping schemes or what is known as “clean fraud.” Clean fraud is the straightforward fraud many merchants experience every day: the use of a stolen credit card with no other attack method.
In this new age of fraud, relying on indicators such as AVS (Address Verification Service) match, shipping address and IP address location is not going to be very effective. Over the last year, it has been reported that credit-card numbers are being bundled into groups based on location to assist fraudsters in masking fraudulent orders. For instance, a fraudster in Southern California may purchase a bundle of credit cards with billing addresses (or that were used in locations) near them, so the shipping address and/or IP address are near the billing address, making an order appear legitimate. Some tools that may be effective in combating this fraud type are advanced fraud screening and case management tools, device identification (to alert you if more than one credit card is being used on a specific device) and risk-based authentication such as 3-D Secure and Verified by Visa.
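The device-identification check described above, sketched as an example added here (not code from the article or from any fraud tool): every order in the constructed sample passes AVS and ships to the billing ZIP, yet one device uses three different cards within a day. Field names, device IDs, card tokens and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample orders (not real data); field names are hypothetical.
# "card" is a processor token, never the raw card number.
FIELDS = ("id", "device", "card", "avs", "bill_zip", "ship_zip", "ts")
ROWS = [
    ("o1", "dev-A", "tok-1", "Y", "90012", "90012", "2016-08-01T10:00"),
    ("o2", "dev-A", "tok-2", "Y", "90015", "90015", "2016-08-01T10:20"),
    ("o3", "dev-A", "tok-3", "Y", "90017", "90017", "2016-08-01T11:05"),
    ("o4", "dev-B", "tok-4", "Y", "10001", "10001", "2016-08-01T09:00"),
    ("o5", "dev-B", "tok-4", "Y", "10001", "10001", "2016-08-01T18:30"),
    ("o6", "dev-C", "tok-5", "Y", "60601", "60601", "2016-08-01T08:00"),
    ("o7", "dev-C", "tok-6", "Y", "60601", "60601", "2016-08-04T08:00"),
]
ORDERS = [dict(zip(FIELDS, r)) for r in ROWS]


def passes_static_checks(order):
    """The per-order checks the article calls weak: AVS match, ship ZIP == bill ZIP."""
    return order["avs"] == "Y" and order["bill_zip"] == order["ship_zip"]


def flag_multi_card_devices(orders, max_cards=1, window=timedelta(hours=24)):
    """Return {device: [order ids]} where a device used more than
    max_cards distinct cards inside any sliding time window."""
    by_device = defaultdict(list)
    for o in orders:
        by_device[o["device"]].append(
            (datetime.fromisoformat(o["ts"]), o["card"], o["id"]))
    flagged = defaultdict(set)
    for device, events in by_device.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window until it spans at most `window` of time.
            while events[end][0] - events[start][0] > window:
                start += 1
            in_window = events[start:end + 1]
            if len({card for _, card, _ in in_window}) > max_cards:
                flagged[device].update(oid for _, _, oid in in_window)
    return {d: sorted(ids) for d, ids in flagged.items()}


if __name__ == "__main__":
    print(flag_multi_card_devices(ORDERS))
```

The repeat customer on dev-B (same card twice) and the shared device dev-C (two cards three days apart) are not flagged at the default 24-hour window; widening the window trades more review volume for more coverage.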
From a consumer perspective, almost no one is willing to change an e-mail address, which, in some ways, makes the compromise of e-mail addresses worse than that of credit cards. While “cashing out” on this data is not as quick or simple as with credit cards, cybercriminals have a longer timeframe to do so, and the effort required to get to a payout is not too high. The primary way fraudsters turn e-mail addresses into money is through phishing schemes. While it’s an old trick, and most consumers are on the lookout for the more obvious ones, it still works. If the phishing scam is asking the consumer for a monetary return (e.g., kidnapping/ransom hoax, African lottery, etc.), it has little impact on a merchant. However, some of the most effective scams are the ones impersonating a legitimate company. Most times, a fake e-mail will ask the consumer to log in to their account to make a required change (ironically, most advise consumers this is because the account has been compromised). This then provides the fraudster with the consumer’s username and password, which the consumer typically uses for multiple merchants. So, even if the phishing e-mail is not impersonating your company, you could still become a victim. In addition to enabling account takeovers, phishing schemes also greatly impact the brand of the company that is fraudulently represented. Regardless of the fact that they were unauthorized, consumers still associate the scam e-mails with the brand they are impersonating. These also result in higher call volume to customer support centers to either “claim a prize” or find out if the e-mail was legitimate.
Currently, the best way to prevent phishing scams from victimizing your consumers is to continue to educate them on the difference between an e-mail from you and a possible phishing e-mail. What are some things you will never send to your customers? Which e-mail address and domain name will you be using for e-mail communications? Unfortunately, relying on consumers is not a foolproof tactic, so taking precautions against account-takeover attempts is also important (covered in the next section).
E-mails/Usernames + Passwords
Our discussions with merchants seem to indicate the combination of e-mail addresses or usernames and passwords being compromised has had the biggest impact on card-not-present fraud. One gaming merchant once attributed a 30 percent increase in account-takeover fraud over a four-month period to a single breach of this information. The premise is simple. If a consumer has a specific username and password combination for one Website, they most likely will use this at others. Fraudsters will test this at Websites selling similar items, or at popular companies, where most consumers have accounts. Using these credentials, they then have access to stored payment methods. In addition, several merchants are seeing account takeovers occur solely to access a legacy account, with fraudsters knowing that new accounts are the most scrutinized by standard fraud tools. Beyond the impact this type of fraud has on your business, it also can impact your legitimate consumer, either through having their card-on-file stolen or credits on the account used, along with a feeling of insecurity on your site.
Attacks of this nature are still growing and morphing as tools are introduced to stop them. Some merchants have found it effective to require CVV2 re-entry on stored-value cards, but only when stored cards are the target. Others have implemented a required password update upon login or educate their consumers on the importance of password diversity in creative ways, as well as on the account-creation page. Device identification, biometrics and similar tools that provide real-time behavior analytics track the device as opposed to a user, to identify when multiple orders are placed on one device and to authenticate a user. There never will be a single solution that works for everyone, and fraud tools or systems should be determined based on your business model, vertical and order volume, in addition to the type of fraud you are experiencing. These suggestions are based on what has worked for some merchants and shouldn’t be considered an exhaustive list.
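One way to spot the reused-credential testing described in this section, as an example added here (not the article's or any vendor's code): a device that tries many different usernames in a short window is treated as testing a breached list, and every account it logged in to successfully in that window is routed to the step-up measures mentioned above (forced password update, CVV2 re-entry on stored cards). Event fields, names and thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed login events (not real data): (timestamp, device, username, success)
EVENTS = [
    ("2016-08-01T12:00:00", "dev-X", "amy", True),   # hit before the threshold trips
    ("2016-08-01T12:00:20", "dev-X", "bob", False),
    ("2016-08-01T12:00:40", "dev-X", "cat", False),
    ("2016-08-01T12:01:00", "dev-X", "dan", False),
    ("2016-08-01T12:01:20", "dev-X", "eve", True),
    ("2016-08-01T09:00:00", "dev-H", "fay", True),   # household sharing one device
    ("2016-08-01T09:05:00", "dev-H", "gus", True),
    ("2016-08-01T09:06:00", "dev-H", "fay", True),
]


def accounts_needing_step_up(events, max_users=3, window=timedelta(minutes=10)):
    """Return usernames that logged in successfully from a device which
    attempted more than max_users distinct usernames within the window."""
    recent = defaultdict(deque)  # device -> deque of (time, username, success)
    step_up = set()
    for ts, device, user, ok in sorted(events):  # ISO strings sort by time
        now = datetime.fromisoformat(ts)
        q = recent[device]
        q.append((now, user, ok))
        # Drop attempts that have aged out of the sliding window.
        while now - q[0][0] > window:
            q.popleft()
        if len({u for _, u, _ in q}) > max_users:
            # Include successes from earlier in the window, not just this one:
            # the first valid credential is often found before the count trips.
            step_up.update(u for _, u, success in q if success)
    return step_up


if __name__ == "__main__":
    print(sorted(accounts_needing_step_up(EVENTS)))
```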
Data breaches are generating an ever-increasing mountain of valuable information for fraudsters, and different bits are being used in different ways. Every breach, no matter the extent or the type of information that was illegally obtained, will impact merchants downstream. Knowing the source and type of the data infiltrating the black market will help you identify which tools and processes to invest in and how to leverage them to protect your business.