Search

Brian Pennington

A blog about Cyber Security & Compliance

Tag

Credit card fraud

Cost of Phishing and Value of Employee Training

The Ponemon Institute has presented the results of it’s study the Cost of Phishing and Value of Employee Training sponsored by Wombat Security. The purpose of this research is to understand how training can reduce the financial consequences of phishing in the workplace.

Phishing

The research reveals the majority of costs caused by successful phishing attacks are the result of the loss of employee productivity. Based on the analysis described later in this report, Ponemon extrapolate an average improvement of 64% from six proof of concept training projects. This improvement represents the change in employees who fell prey to phishing scams in the workplace before and after training.

As a result of effective training provided by Wombat, Ponemon estimate a cost savings of $1.8 million or $188.4 per employee/user. If companies paid Wombat’s standard fee of $3.69 per user for a program for up to 10,000 users, Ponemon determine a very substantial net benefit of $184.7 per user, for a remarkable one-year rate of return at 50X.

To determine the cost structure of phishing, Ponemon  surveyed 377 IT and IT security practitioners in organizations in the United States. 39% of respondents are from organizations with 1,000 or more employees who have access to corporate email systems.

The topics covered in this research include the following:

  • The financial consequences of phishing scams
  • The financial impact of phishing on employee productivity
  • The cost to contain malware
  • The cost of malware not contained & the likelihood it will cause a material data breach
  • The cost of business disruption due to phishing
  • The cost to contain credential compromises
  • Potential cost savings from employee training

Phishing scams are costly. Often overlooked is the potential cost to organizations when employees are victimized by phishing scams. Ponemon’s cost analysis includes the cost to contain malware, the cost not contained, loss of productivity, the cost to contain credential compromises and the cost of credential compromises not contained. Based on these costs, the extrapolated total annual cost of phishing for the average-sized organization in Ponemon’s sample totals $3.77 million.

Summarized calculus on the cost of phishing. Estimated cost.
Part 1. The cost to contain malware $208,174
Part 2. The cost of malware not contained $338,098
Part 3. Productivity losses from phishing $1,819,923
Part 4. The cost to contain credential compromises $381,920
Part 5. The cost of credential compromises not contained $1,020,705
Total extrapolated cost $3,768,820

The average total cost to contain malware annually is $1.9 million. The first step in understanding the overall cost is to analyze the six tasks to contain malware infections. Drawing from the empirical findings of an earlier study, Ponemon  were able to derive cost estimates relating to six discrete tasks conducted by companies to contain malware infections in networks, enterprise systems and endpoints. The table below summarizes the annual hours incurred for six tasks by the average-sized organization on an annual basis. The largest tasks incurred to contain malware involve the cleaning and fixing of infected systems and conducting forensic investigations.

Documentation and planning represents the smallest tasks in terms of hours spent each year.

Six tasks to contain malware infections. Estimated hours per annum.

Planning 910
Capturing intelligence 3,806
Evaluating intelligence 2,844
Investigating 10,338
Cleaning & fixing 11,955
Documenting 671
Total hours 30,524

The annual cost to contain malware is based on the hours to resolve the incident. These cost estimates are based on a fully loaded average hourly labor rate for US-based IT security practitioners of $62. As can be seen, the extrapolated total cost to contain malware is $1.89 million.

The adjusted cost of malware containment resulting from phishing scams is $208,174 per annum. The final step in determining the cost of malware containment attributable to phishing is to calculate the percentage of malware incidents unleashed by successful phishing scams.

Response to the survey question, “What percent of all malware infections is caused by successful phishing scams?” The percentage rate of malware infections caused by phishing scams was based on Ponemon’s  independent survey of IT security practitioners. As can be seen, the estimated range is less than 1% to more than 50%. The extrapolated average rate is 11%.

Drawing from the above analysis, Ponemon estimate the cost of malware containment as 11% of the previously calculated total cost of $1.9 million.

Cost of malware not contained

In this section, Ponemon estimate the cost of malware not contained at the device level to be $105.9 million. In other words, this cost occurs because malware evaded traditional defenses such as firewalls, anti-malware software and intrusion prevention systems. In this state Ponemon  assume the malware becomes weaponized for attack.

Following are two attacks caused by weaponized malware:

  1. Data exfiltration (a.k.a. material data breach)
  2. Business disruptions

Ponemon determine a most likely cost using an expected cost framework, which is defined as:

Expected cost = Probable maximum loss (PML) x Likelihood of occurrence [over a 12-month period].

Respondents in Ponemon’s  survey were asked to estimate the probable maximum loss (PML) resulting from a material data breach (i.e., exfiltration) caused by weaponized malware. Ponemon’s research shows the distribution of maximum losses ranging from less than $10 million to more than $500 million.

The extrapolated average PML resulting from data exfiltration is $105.9 million.

What is the likelihood of weaponized malware causing a material data breach? In the context of this research, a material data breach involves the loss or theft of more than 1,000 records. Respondents were asked to estimate the likelihood of this occurring. According to the research the probability distribution ranges from less than .1% to more than 5%. The extrapolated average likelihood of occurrence is 1.9 percent over a 12-month period.

The cost of business disruption due to phishing is $66.9 million. Respondents were asked to estimate the PML resulting from business disruptions caused by weaponized malware. Business disruptions include denial of services, damage to IT infrastructure and revenue losses. The research shows the distribution of maximum losses ranging from less than $10 million to $500 million. The extrapolated average PML resulting from data exfiltration is $66.9 million.

How likely are business disruptions due to weaponized malware? Respondents were asked to estimate the likelihood of material business disruptions caused by weaponized malware. The research shows the probability distribution ranging from less than .1% to more than 5%. The extrapolated average likelihood of occurrence is 1.6% over a 12-month period.

The table below shows the expected cost of malware attacks relating to data exfiltration ($2 million) and disruptions to IT and business processes ($1.1 million). The total amount of $3.1 million is adjusted for the 11% of malware attacks originating from phishing scams, which yields an estimated cost of $338,098 per annum.

Recap for the cost of malware not contained Calculus
Probable maximum loss resulting from data exfiltration $105,900,000
Likelihood of occurrence over the next 12 months 1.90%
Expected value $2,012,100
Probable maximum loss resulting from business disruptions (including denial of services, damage to IT infrastructure and revenue losses) $66,345,000
Likelihood of occurrence over the next 12 months 1.60%
Expected value $1,061,520
Total cost of malware not contained $3,073,620
Percentage rate of malware infections caused by phishing scams 11%
Adjusted total cost attributable to phishing scams $338,098

Employees waste an average of 4.16 hours annually due to phishing scams. As previously discussed, the majority of costs (52%) are due to the decline in employee productivity as a result of being phished. In this section, Ponemon estimate the productivity losses associated with phishing scams experienced by employees during the workday. Drawing upon Ponemon’s  survey research, Ponemon  extrapolated the total hours spent each year by employees/users viewing and possibly responding to phishing emails.

The research shows the distribution of time wasted for the average employee (office worker) due to phishing scams. The range of response is less than 1 hour to more than 25 hours per employee each year.

What is the cost to respond to a credential compromise? In this section, Ponemon estimate the costs incurred by organizations to contain credential compromises that originated from a successful phishing attack, including the theft of cryptographic keys and certificates. Ponemon’s  first step in this analysis is to estimate the total number of compromises expected to occur over the next 12 months. The range of responses includes zero to more than 10 incidents.

How likely will a material data breach occur if the credential compromise is not contained? Respondents were asked to estimate the likelihood of a material data breach caused by credential compromise. Ponemon’s research shows the probability distribution ranging from less than .1% to 5%. The extrapolated average likelihood of occurrence is 4% over a 12-month period.

In this section, Ponemon estimates the potential cost savings that result from employee education that provides actionable advice and raises awareness about phishing and other related topics. As a starting point to this analysis, Ponemon obtained six proof of concept studies completed for six large companies.

These reports provided detailed findings that show the phishing email click rate for employees both before and after training. Ponemon provides the actual improvements experienced by companies, ranging from 26 to 99%, respectively. The average improvement for all six companies is 64%.

As a result of Wombat’s training on phishing that includes mock attacks and follow-up with indepth training, Ponemon estimate a high knowledge retention rate. Based on well-known research, training that focuses on actual practices should result in an average retention rate of approximately 75%. Applying this retention rate against the average improvement shown in the six proof of concept studies, Ponemon  estimate a net long-term improvement in fighting phishing scams of 47.75%.

Proof of concept results Improvement %
Company A 99%
Company B 72%
Company C 54%
Company D 26%
Company E 62%
Company F 69%
Average improvement 64%
Expected diminished learning retention over time (1-75%) 25%
Average net improvement 47.75%

The figures below provides a simple analysis of potential cost savings accruing to organizations that use an effective training approach to mitigating phishing scams. As shown before, Ponemon estimate a total cost of phishing for an average-sized organization at $3.77 million.

Assuming a net improvement of 47.75%, Ponemon estimate a cost savings of $1.80 million or $188.40 per employee/user. At a fee of $3.69 per employee/user, Ponemon determine a very substantial net benefit of $184.71 per user, or a one-year rate of return of 50X.

Calculating net benefit of Wombat training on phishing Calculus
Total cost of phishing $3,768,820
Estimated cost savings assuming net improvement at 47.75% $1,799,612
Extrapolated headcount for the average-sized organization 9,552
Estimated cost savings per employee $188.40
Estimated fee of Wombat training per user $3.69
Estimated net benefit of Wombat training per user $184.71
Estimated one-year rate of return = Net benefit ÷ Fee 50X
Advertisements

Cyber Attacks on U.S. Companies in 2014

The spate of recent data breaches at big-name companies such as JPMorgan Chase, Home Depot, and Target raises questions about the effectiveness of the private sector’s information security.

According to FBI Director James Comey

There are two kinds of big companies in the United States. There are those who’ve been hacked…and those who don’t know they’ve been hacked

A recent survey by the Ponemon Institute showed the average cost of cyber crime for U.S. retail stores more than doubled from 2013 to an annual average of $8.6 million per company in 2014. The annual average cost per company of successful cyber attacks increased to $20.8 million in financial services, $14.5 million in the technology sector, and $12.7 million in communications industries.

This paper lists known cyber attacks on private U.S. companies since the beginning of 2014. (A companion paper discussed cyber breaches in the federal government.) By its very nature, a list of this sort is incomplete. The scope of many attacks is not fully known. For example, in July, the U.S. Computer Emergency Readiness Team issued an advisory that more than 1,000 U.S. businesses have been affected by the Backoff malware, which targets point-of-sale (POS) systems used by most retail industries. These attacks targeted administrative and customer data and, in some cases, financial data.

This list includes only cyber attacks that have been made known to the public. Most companies encounter multiple cyber attacks every day, many unknown to the public and many unknown to the companies themselves.

The data breaches below are listed chronologically by month of public notice.

January

  • Target (retail). In January, Target announced an additional 70 million individuals’ contact information was taken during the December 2013 breach, in which 40 million customer’s credit and debit card information was stolen.
  • Neiman Marcus (retail). Between July and October 2013, the credit card information of 350,000 individuals was stolen, and more than 9,000 of the credit cards have been used fraudulently since the attack. Sophisticated code written by the hackers allowed them to move through company computers, undetected by company employees for months.
  • Michaels (retail). Between May 2013 and January 2014, the payment cards of 2.6 million Michaels customers were affected. Attackers targeted the Michaels POS system to gain access to their systems.
  • Yahoo! Mail (communications). The e-mail service for 273 million users was reportedly hacked in January, although the specific number of accounts affected was not released.

April

  • Aaron Brothers (retail). The credit and debit card information for roughly 400,000 customers of Aaron Brothers, a subsidiary of Michaels, was compromised by the same POS system malware.
  • AT&T (communications). For two weeks AT&T was hacked from the inside by personnel who accessed user information, including social security information.

May

  • eBay (retail). Cyber attacks in late February and early March led to the compromise of eBay employee log-ins, allowing access to the contact and log-in information for 233 million eBay customers. eBay issued a statement asking all users to change their passwords.
  • Five Chinese hackers indicted. Five Chinese nationals were indicted for computer hacking and economic espionage of U.S. companies between 2006 and 2014. The targeted companies included Westinghouse Electric (energy and utilities), U.S. subsidiaries of SolarWorld AG (industrial), United States Steel (industrial), Allegheny Technologies (technology), United Steel Workers Union (services), and Alcoa (industrial).
  • Unnamed public works (energy and utilities). According to the Department of Homeland Security, an unnamed public utility’s control systems were accessed by hackers through a brute-force attack on employee’s log-in passwords.

June

  • Feedly (communications). Feedly’s 15 million users were temporarily affected by three distributed denial-of-service attacks.
  • Evernote (technology). In the same week as the Feedly cyber attack, Evernote and its 100 million users faced a similar denial-of-service attack.
  • P.F. Chang’s China Bistro (restaurant). Between September 2013 and June 2014, credit and debit card information from 33 P.F. Chang’s restaurants was compromised and reportedly sold online.

August

  • U.S. Investigations Services (services). U.S. Investigations Services, a subcontractor for federal employee background checks, suffered a data breach in August, which led to the theft of employee personnel information. Although no specific origin of attack was reported, the company believes the attack was state-sponsored.
  • Community Health Services (health care). At Community Health Service (CHS), the personal data for 4.5 million patients were compromised between April and June. CHS warns that any patient who visited any of its 206 hospital locations over the past five years may have had his or her data compromised. The sophisticated malware used in the attack reportedly originated in China. The FBI warns that other health care firms may also have been attacked.
  • UPS (services). Between January and August, customer information from more than 60 UPS stores was compromised, including financial data, reportedly as a result of the Backoff malware attacks.
  • Defense Industries (defense). Su Bin, a 49-year-old Chinese national, was indicted for hacking defense companies such as Boeing. Between 2009 and 2013, Bin reportedly worked with two other hackers in an attempt to steal manufacturing plans for defense programs, such as the F-35 and F-22 fighter jets.

September

  • Home Depot (retail). Cyber criminals reportedly used malware to compromise the credit card information for roughly 56 million shoppers in Home Depot’s 2,000 U.S. and Canadian outlets.
  • Google (communications). Reportedly, 5 million Gmail usernames and passwords were compromised. About 100,000 were released on a Russian forum site.
  • Apple iCloud (technology). Hackers reportedly used passwords hacked with brute-force tactics and third-party applications to access Apple user’s online data storage, leading to the subsequent posting of celebrities’ private photos online. It is uncertain whether users or Apple were at fault for the attack.
  • Goodwill Industries International (retail). Between February 2013 and August 2014, information for roughly 868,000 credit and debit cards was reportedly stolen from 330 Goodwill stores. Malware infected the chain store through infected third-party vendors.
  • SuperValu (retail). SuperValu was attacked between June and July, and suffered another malware attack between late August and September. The first theft included customer and payment card information from some of its Cub Foods, Farm Fresh, Shop ‘n Save, and Shoppers stores. The second attack reportedly involved only payment card data.
  • Bartell Hotels (hotel). The information for up to 55,000 customers was reportedly stolen between February and May.
  • U.S. Transportation Command contractors (transportation). A Senate report revealed that networks of the U.S. Transportation Command’s contractors were successfully breached 50 times between June 2012 and May 2013. At least 20 of the breaches were attributed to attacks originating from China.

October

  • J.P. Morgan Chase (financial). An attack in June was not noticed until August. The contact information for 76 million households and 7 million small businesses was compromised. The hackers may have originated in Russia and may have ties to the Russian government.
  • Dairy Queen International (restaurant). Credit and debit card information from 395 Dairy Queen and Orange Julius stores was compromised by the Backoff malware.
  • Snapsave (communications). Reportedly, the photos of 200,000 users were hacked from Snapsave, a third-party app for saving photos from Snapchat, an instant photo-sharing app.

Securing Information

As cyber attacks on retail, technology, and industrial companies increase so does the importance of cybersecurity. From brute-force attacks on networks to malware compromising credit card information to disgruntled employees sabotaging their companies’ networks from the inside, companies and their customers need to secure their data. To improve the private sector’s ability to defend itself, Congress should:

  • Create a safe legal environment for sharing information. As the leaders of technological growth, private companies are in most ways at the forefront of cyber security. Much like government agencies, companies must share information that concerns cyber threats and attack among themselves and with appropriate private-public organizations. Congress needs to create a safe environment in which companies can voluntarily share information without fear of legal or regulatory backlash.
  • Work with international partners. As with the Backoff malware attacks, attacks can affect hundreds if not thousands of individual networks. These infected networks can then infect companies outside the U.S. and vice versa. U.S. and foreign companies and governments need to work together to increase overall cybersecurity and to enable action against individual cyber criminals and known state-sponsored cyber aggressors.
  • Encourage cyber insurance. Successful cyber attacks are inevitable because no security is perfect. With the number of breaches growing daily, a cybersecurity insurance market is developing to mitigate the cost of breaches. Congress and the Administration should encourage the proper allocation of liability and the establishment of a cyber insurance system to mitigate faulty cyber practices and human error.

Conclusion

The recent increases in the rate and the severity of cyber attacks on U.S. companies indicate a clear threat to businesses and customers. As businesses come to terms with the increasing threat of hackers, instituting the right policies is critical to harnessing the power of the private sector. In a cyber environment with ever-changing risks and threats, the government needs to do more to support the private sector in establishing sound cybersecurity while not creating regulations that hinder businesses more than help them.

Riley Walters is a Research Assistant in the Asian Studies Center, of the Kathryn and Shelby Cullom Davis Institute for National Security and Foreign Policy, at The Heritage Foundation.

The original research article can be found here.

Airline Information Group (AIG) accuses hotels and Facebook of being culpable in credit card fraud

The AIG has issued a press released on the threat of credit card fraud and how other parties can help reduce what they call the fast-growing epidemic of credit card fraud”. 

In the release, AIG identifies two main culprits for the theft of the credit cards:-

  1. Hackers who break into customer databases and steal credit card numbers and customer data
  2. Employees with access to credit card numbers and the details of card owners from retailers such as gas stations, restaurants and particularly hotels 

Airline Information’s Managing Partner, Michael Smith, says about hotels: “Front line hotel employees can easily access and steal credit card numbers and your personal details. Couple this with outdated IT and business processes related to franchising and it’s a toxic mix. Hotel chains and their franchises often use different reservations systems, requiring that paper copies of credit cards be used in many hotel properties. This is much less secure than the masked electronic credit card information standard in almost any other industry. The result is that hotels can be traced as the source of nearly one third of all credit card fraud globally, which hits our company’s airline clients particularly hard, since airline tickets are a common item purchased with stolen cards.” 

When credit card numbers are hacked or stolen, they are then sold online to be used for online purchases or for making cloned credit cards. Personal data about the cardholders, widely available on the web and Facebook, may also then be used by fraudsters, as credit card criminals are referred to, to assume the identities of the stolen cardholders. 

AIG also claims Facebook is used for the selling of credit card data, as well as for sharing information between fraudsters on how to successfully steal card numbers and commit identity theft. Jan-Jaap Kramer, CEO of the Dutch fraud prevention consultancy, FraudGuard, says: “There are numerous pages on Facebook set up by criminal rings to facilitate and share information about credit card fraud. Many of these pages show all credit card details like CVC code, expiry code, the PIN code for online payments and personal data of the cardholder including home address, date of birth, social security numbers and more. We have asked Facebook to block these pages, but it takes no action. The result is greater fraud losses for consumers and merchants, ruined credit records and misery trying to sort out fraudulent transactions.” 

The Airline Information “calls on Facebook to stop the practice of facilitating the sharing of fraudulent credit card information via Facebook pages. We encourage consumers and merchants to contact Facebook and their government authorities to have Facebook end this consumer-unfriendly practice

PCI DSS Version 3, what does it have in store for you?

The PCI Security Standards Council (PCI SSC), have published PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) 3.0 Change Highlights as a preview of the new version of the standards coming in November 2013.

 Version 3.0 to focus on flexibility, education and awareness, and security as a shared responsibility

The changes will help companies make PCI DSS part of their business-as-usual activities by introducing more flexibility, and an increased focus on education, awareness and security as a shared responsibility.

The seven-page document is part of the Council’s commitment to provide as much information as possible during the development process and eliminate any perceived surprises for organizations in their PCI security planning. Specifically, the summary will help PCI Participating Organizations and the assessment community as they prepare to review and discuss draft versions of the standards at the 2013 Community Meetings in September and October.

Changes to the standards are made based on feedback from the Council’s global constituents per the PCI DSS and PA-DSS development lifecycle and in response to market needs.

Key drivers for version 3.0 updates include:

  • lack of education and awareness
  • weak passwords and authentication challenges
  • third party security challenges
  • slow self-detection in response to malware and other threats
  • inconsistency in assessments

Today, most organizations have a good understanding of PCI DSS and its importance in securing card data, but implementation and maintenance remains a struggle – especially in light of increasingly complex business and technology environments,” said Bob Russo, PCI SSC general manager

The challenge for us now is providing the right balance of flexibility, rigor and consistency within the standards to help organizations make payment security business-as-usual. And that’s the focus of the changes we’re making with version 3.0

Based on feedback from the industry, in 2010 the PCI SSC moved from a two-year to a three-year standards development lifecycle. The additional year provides a longer period to gather feedback and more time for organizations to implement changes before a new version is released. Version 3.0 will introduce more changes than version 2.0, with several new sub-requirements.

Proposed updates include:

  • Recommendations on making PCI DSS business-as-usual and best practices for maintaining ongoing PCI DSS compliance
  • Security policy and operational procedures built into each requirement
  • Guidance for all requirements with content from Navigating PCI DSS Guide
  • Increased flexibility and education around password strength and complexity
  • New requirements for point-of-sale terminal security
  • More robust requirements for penetration testing and validating segmentation
  • Considerations for cardholder data in memory
  • Enhanced testing procedures to clarify the level of validation expected for each requirement
  • Expanded software development lifecycle security requirements for PA-DSS application vendors, including threat modeling

 These updates are still under review by the PCI community. Final changes will be determined after the PCI Community Meetings and incorporated into the final versions of the PCI DSS and PA-DSS published in November.

PCI DSS and PA-DSS 3.0 will provide organizations the framework for assessing the risk involved with technologies and platforms and the flexibility to apply these principles to their unique payment and business environments, such as e-commerce, mobile acceptance or cloud computing,” added Troy Leach, PCI SSC chief technology officer

PCI SSC releases its Best practices to help prevent card data compromise at ATMs

The PCI SSC has released their latest supplement, the ATM Security Guidelines Information Supplement. 

The guidelines were developed to provide guidance to ATM manufacturers on how to prevent credit cards from being compromised. 

The ATM Industry Association’s (ATMIA) 2012 ATM Global fraud survey reveals that skimming remains the leading global threat to ATMs because criminals use stolen information to produce counterfeit cards for fraudulent transactions, primarily ATM cash withdrawals. 

Also see Europol reveals €1.5 Billion Euro in Credit Card Fraud, how it is stolen and why they struggle to catch the criminals  

Skimming and other types of attacks on ATMs continue to be top of mind for our constituents,” said Bob Russo, general manager, PCI Security Standards Council. “There are already some excellent resources out there that help with various pieces of ATM security. What this guidance does is pull together these different best practices into one comprehensive set, which is what our stakeholders have been asking for.

The guidance document provides an introduction to ATM security and outlines best practices around the following key areas and objectives:

  • Integration of hardware components to avert magnetic-stripe and other account data compromise and PIN stealing
  • Security of basic software to avert magnetic-stripe skimming and PIN stealing
  • Device management/operation to ensure adequate management of: ATM during manufacturing, ATM in storage of deployed ATM estates and ATM’s individual security configuration
  • ATM application management to address security aspects of the ATM application.

ATM manufacturers, hardware and software integrators, and deployers of ATMs can use this guidance to aid in the secure development, deployment and maintenance of ATMs. As with all PCI guidance documents the ATM Security Guidelines Information Supplement does not replace or supersede the PCI Standards, nor is it to be used as a set of security requirements for the formal certification of ATMs. The PTS POI security requirements provide for the testing and approval of encrypting PIN pads and secure readers used in ATMS for handling PIN and account data, and organizations should continue to use this standard to address these components of ATM security.

For a link to the full document please use my PCI Resources page here.

.

Europol reveals €1.5 Billion Euro in Credit Card Fraud, how it is stolen and why they struggle to catch the criminals

Europol’s Situation Report for Credit Card Fraud 2012 summaries fraudulent activity for credit cards across Europe is a very interesting read. It explains how the criminals act and with what types of techniques and why the Law Enforcement Agencies struggle to catch them.

A summary of the Europol report is below.

  • The criminal market of payment card fraud within the European Union (EU) is dominated by well-structured and globally active organised crime groups (OCGs). Criminal networks have managed to affect non-cash payments in the EU to the extent that protection measures are very expensive and need to be implemented on a global level. Consequently, the use of payment cards can be inconvenient and no longer fully secure for EU cardholders.
  • Payment card fraud is a low risk and highly profitable criminal activity which brings organised crime groups originating from the EU a yearly income of around €1.5 billion euros. These criminal assets can be invested in further developing criminal techniques or can be used to finance other criminal activities or start legal businesses.
  • The EU is increasingly exposed to the threat of illegal transactions undertaken overseas and should develop more efficient solutions to help law enforcement authorities (LEAs) combat the fraud. Europol, gathering intelligence on fraudulent overseas transactions affecting the EU, as requested by competent authorities of Member States (MS), is not entitled to cooperate with non-EU police forces or request specific measures to help combat and prevent fraud against the EU.
  • The majority of illegal face-to-face card transactions affecting the European Union take place overseas, mainly in the United States. The EU should take urgent measures to promote the EMV standard as a global solution against the counterfeiting of payment cards. As full EMV implementation will take time, a temporary solution could be applied, namely the implementation of GeoBlocking, blocking overseas transactions using EU-issued cards unless they have been activated in advance.
  • Common European legal solutions for the security of on-line retail payments (internet, mobile), as well as the mandatory reporting of financial data breaches, should be considered to prevent fraud affecting EU citizens. Prevention and combating card-not-present (CNP) fraud requires specific regulations on the customer’s identification (3D secure protocol) and security of the on-line payment environment. The role of the European Central Bank and Europol is crucial to present the problems and propose specific solutions.

Security of non-cash means of payment is a key factor in the economic stability of the European Union

According to statistics, the total number of payment cards issued in the EU in 2011 reached 726,906,710

The value of legitimate non-cash transactions with EU cards exceeded 3000 billion euros. From a security perspective, EU industry has taken an important step forward by fully implementing the EMV (chip-embedded cards) standard for card-present (CP) transactions, and is advanced with the protection of on-line transactions through the strong identification of customers (3D secure).

Banking institutions are profit-making businesses, so reducing the illegal income of criminals is not always a priority for them when introducing new banking products or services.

Acceptable levels of fraud and expected net profit for banks are more important than the real prevention of fraud that would lead to depriving criminals of the huge amounts of money they are stealing using EU payment cards. With the current global nature in which the banking sector and non-cash transactions operate, security measures in place on a regional (EU) level are not sufficient and have been exploited by criminal networks.

The illicit activities and fraudulent transactions of OCGs performed outside the EU have affected the security and convenience of non-cash payments in Europe and have consequently caused substantial losses to the EU economy.

This report is based mainly on data provided by law enforcement agencies from EU Member States and some cooperating non-EU States. The figures and latest trends were identified based on information from

  • The European Central Bank
  • European Payments Council
  • European ATM Security Team (EAST)
  • Card schemes
  • Fuel Industry Card Fraud Investigation Bureau (FICFIB)
  • “Some” card issuers (note: why not all?)

Since criminals affect both physical transactions with payment cards (shops, ATMs), and the internet environment, for the purpose of this report payment card fraud is divided into card-present (CP) fraud and card-not-present (CNP) fraud.

The implementation of EMV (Chip and PIN) technology in the European Union is seen as the key driver to reducing domestic payment card fraud. It should be stressed that cardholders’ confidential data is more secure on a chip-embedded payment card than on a magnetic strip card. Chip-embedded cards support dynamic authentication, requiring dynamic values for each transaction, and cannot be easily copied. The EMV card is considered to be well protected against skimming.

As the EU banking industry migrates to the EMV environment, losses caused by illegal domestic transactions in the EU have gradually decreased since 2008. However, at the same time, the level of illegal transactions overseas has seen a sharp increase. In 2011, almost all fraudulent face-to-face transactions with EU cards took place overseas. This phenomenon is determined by the level of technical protection of EU payment card terminals, ATM and Point-of-Sale (POS) terminals are fully EMV compliant. In response, criminal networks have targeted the weak points of the system and have undertaken criminal activities using non-EMV compliant terminals overseas. Due to this phenomenon, and the lack of specific agreements on reimbursement of losses caused by less protected terminals, the majority of the loss burden caused by this fraud is on the EU card issuers, which are specific banks in the EU.

Europol note “there has been no specific solution to this problem proposed by the card industry”

There are several countries operating as a substantial market for illegal transactions with counterfeit EU cards. The problem of illegal transactions in the US has been reported to Europol by all 27 EU Member States. There are also other locations where criminal groups with EU origins are cashing counterfeit cards.

The top six locations are:

  1. United States
  2. Dominican Republic
  3. Colombia
  4. Russian Federation
  5. Brazil
  6. Mexico

This trend has led to a situation in which, even after huge investments by the EU banking industry to install hardware and software to accept EMV cards, the problem has become even bigger, as it is extremely difficult to prevent and investigate crimes committed outside of EU borders.

The ultimate solution to this problem would be to implement the EMV standard on a global level, including making United States’ merchants compliant.

As a short term solution, in October 2010 Europol and the European Central Bank recommended that all SEPA (European-issued) cards should be EMV (chip-embedded) only. The first Member State to follow this recommendation is Belgium, where debit cards have chips embedded and the magnetic strip is no longer active. This solution, called GeoBlocking, in practical terms limits the possibility to misuse debit cards in regions without Chip and PIN verification. The implementation of GeoBlocking has been extremely positive from a security point of view with significant falls in skimming incidents and skimming-related losses (a decrease to almost zero in Belgium).

It should be stressed that there are some constraints to such solutions. The baseline for branded cards is that the cards are accepted globally. From this perspective the chip-only cards are not in line with this policy. The use of GeoBlocked cards is also less convenient for card holders as the card must be activated every time before travelling to non-EMV compliant countries. According to a research poll carried out by EAST, 60% of customers would be in favour of the GeoBlocking solution, including 28% of respondents who would be happy to contact their banks to activate the magnetic strip on their cards, and 12% who would like to hold a chip-only card.

This compromise is the price that card issuers and card holders pay as a result of the criminal activities of organised networks. It can be concluded that organised criminal groups have already managed to affect the EU payment card market to the extent that the use of cards is not cheap for card issuers and is less convenient for cardholders.

Investigations into card-present (CP) fraud
Industry reported an increasing number of incidents against ATMs in the EU were 20,244 in 2011 compared to 12,383 in 2010.

The statistics include all types of attacks against ATMs, including

  • skimming
  • using stolen cards
  • physical traps to obtain cash

According to reports provided by EU law enforcement authorities, organised crime groups adjust their profiles and criminal techniques relatively quickly and smoothly. Not only can they produce skimming devices to bypass the latest anti-skimming technology but they also explore new possibilities, including cash traps, prepaid cards or malware, as a source of cash and card data.

Most criminal structures operate internationally so cross-border cooperation is a key to final success. Taking into account that suspects use specific countermeasures, corrupt police officers and hire the best lawyers, investigative measures in such cases are very difficult. The criminals’ use of sophisticated technical equipment forces investigative teams to cooperate closely with forensic experts, who can decode information and analyse seized electronic storage devices. Unfortunately, in most of these cases, investigative measures focus on the criminal activities taking place in the European Union. Law enforcement agencies and judicial authorities, being limited by legal provisions, time frames and financial restrictions, can rarely investigate fraudulent transactions performed overseas.

In practical terms, investigative measures rarely lead to dismantling the whole criminal structure. Judicial authorities press charges mainly for the part of the criminal activities that are performed in the EU, which is usually considered as the preparatory stage and not always associated with any financial losses. Consequently, in the majority of such cases the sentences are relatively lenient and suspects can leave jail on bail. Even if some criminals from an OCG are arrested for a period of time they can be easily replaced by others so that the criminal group is still active.

In June 2011 a global operation, ’Night Clone’ was brought to a successful conclusion with almost 70 suspects arrested in the EU and overseas. The operation had a very big impact and for several months, illegal activities of many other OCGs ceased.

Card-not-present (CNP) fraud
Payment card data is the ideal illicit internet commodity as it is internationally transferable. Europol, in its report on Internet Facilitated Organised Crime concluded that organised crime groups clearly benefit from globalisation, using foreign payment card data to purchase goods and services on-line. Credit card information and bank account credentials are the most advertised goods on the underground economy’s servers.

According to Europol’s intelligence, in 2011 around 60% of payment card fraud losses, totalling 900 million euros, were caused by card-not-present (CNP) fraud.

Within the major card-not-present fraud investigations supported by Europol, the main sources of illegal data were data breaches, often facilitated by insiders and malicious software. In most of these cases the quantity of compromised card details is substantial, reaching hundreds of thousands or millions, enabling criminals to sell the bulk data on the internet.

So far most of the credit card numbers misused in the EU have come from data breaches in the US. However, since 2010, Europol have observed a growing number of financial data breaches against EU-based merchants and card processing centres. Most of the investigations into these breaches are based on information on illegal transactions carried out using compromised cards, as the reporting of such attacks by the affected companies is still a weak point.

A major problem in the EU is the lack of proper regulations for reporting data breaches to police authorities. Law enforcement agencies, even if aware of a breach, have difficulties finding information on, and links to, the point of compromise, stolen data and illegal transactions. The lack of legal provisions on reporting data breaches is not the only problem. One of the key factors making industry reluctant to report incidents to law enforcement authorities is the lack of trust in investigative possibilities as well as the need to maintain the reputations of the respective private entities. On the other hand, the lack of reporting leads to a small number of international investigations and a low level of prioritisation of such cases within LEAs. The problem ends up with the situation where, despite a dynamic increase in CNP fraud, it is not reflected in the statistics of cases reported and investigated by EU police forces. Consequently, since the problem is not reflected in police statistics, this phenomenon is not prioritised and it is difficult to initiate international cooperation in such cases.

From the security perspective, as with the security of face-to-face transactions, there is a lack of common global standards on the protection of card-not-present transactions. Major investments by EU industry have been made in the 3D secure protocol (MasterCard secure code; verified by VISA). However, despite this strong 3D secure verification, it is not a worldwide solution and, even on the EU level, not all on-line transactions are protected with it.

Investigations into CNP fraud and its initial stage data breach is typically very demanding. As identified by Verizon, such cases are usually quite large and complex, often involving numerous parties, inter-related incidents, multiple countries, and many affected assets. In addition to that, as stated earlier, the majority of such cases are not reported to LEAs, as industry mainly focuses on preventive measures rather than relying on the outcome of investigations. The results of internal inquiries are used to improve security measures and rarely focus on the identification of individuals responsible for the breaches.

As far as investigations into illegal on-line card transactions affecting the EU are concerned, they are mainly concerned with:

  • illegal ordering of high value goods on the internet
  • combating networks of mules set up to receive and transfer goods ordered on the internet
  • illegal transactions – purchases of services from travel companies/airlines
  • physical transactions with counterfeit credit cards – with data sourced from the internet
  • investigations into OCGs from the Baltic states and South East of Europe
  • the proper coordination of information – where possible, data breaches should be linked to illegal transactions
  • assets seizure – the network of mules shall be determined in order to localise the entry/exit points of goods

EU Member States reported many constraints and challenges faced during such investigations. The lack of legal provisions for reporting on-line incidents and data breaches, which are usually of an international nature, creates problems in individual cases under the responsibility of the respective MS, including the possibility to connect illegal transactions reported by other countries and decisions on the place of final prosecution. The global dimension and protection of financial and personal data is a major problem as far as the efficiency and time-frames of investigations are concerned. From a practical perspective, the involvement of Russian-speaking, well organised and hermetic structures cause huge problems with regards to infiltrating individuals and collecting evidence on their criminal activities. Since the majority of criminal activities are on-line, the best solution is to task specialised cybercrime teams with such cases.

As there is still little experience on such card-not-present fraud cases where data breaches and illegal transactions make EU companies and consumers the key targets the role of Europol is crucial, to analyse information and spread strategic and operational information, ultimately ensuring the efficiency of investigative measures.

Europol Summary of Credit Card Fraud in 2012
The financial crisis has had a big impact on the approach of private financial services companies and LEAs. Currently, all decisions are thoroughly scrutinised and assessed from an economic and ‘priority’ perspective.

Private industry focus on products and services which bring profit in the first instance. Such companies can accept a certain level of fraud without making any effort to identify the individuals responsible for that fraud. From the law enforcement perspective it is increasingly suggested that, since losses caused by payment card fraud can be easily covered by private industry, there is no point in investing resources on investigations. The problem is even bigger as investigations must be performed on an international level, so the investment must be higher and comes with no guarantee of final success or seizure of assets.

All that leads to the dangerous situation in which the illegal income for members of organised crime groups, reaching 1.5 billion euros a year, is not identified and recovered. It seems that the EU response to the payment card fraud problem is not harmonised or fully supported by all actors card schemes, card issuers, processing centres, law enforcement agencies and judicial authorities.

The EU still has to rely on outdated technology which does not adequately protect payment card transactions. One policy option available to strengthen security levels is to abandon the magnetic strip on payment cards for internal EU transactions.

As far as new technologies are concerned, including mobile or contactless payments, it is still not well analysed but there are certain doubts about their properly coordinated and standardised implementation to guarantee resistance to fraud.

The coordinated approach of industry and LEAs should lead, not only to the security of non-cash payments, but should also make sure that all incidents, including data breaches, are reported for further investigation. The position or reputation of the reporting entity should be protected and should not be undermined based on such a report.

Taking into account the global dimension of the problem, law enforcement and judicial authorities should take necessary steps to increase knowledge and awareness on the investigative skills and possibilities available. The role of Eurojust, as the agency for judicial cooperation, is extremely important to coordinate investigations and ensure the efficiency of prosecution and assets seizure in such cases.

The EU still has to rely on outdated technology which does not adequately protect payment card transactions. One policy option available to strengthen security levels is to abandon the magnetic strip on payment cards for internal EU transactions.

As far as new technologies are concerned, including mobile or contactless payments, it is still not well analysed but there are certain doubts about their properly coordinated and standardised implementation to guarantee resistance to fraud.

The coordinated approach of industry and LEAs should lead, not only to the security of non-cash payments, but should also make sure that all incidents, including data breaches, are reported for further investigation. The position or reputation of the reporting entity should be protected and should not be undermined based on such a report.

Taking into account the global dimension of the problem, law enforcement and judicial authorities should take necessary steps to increase knowledge and awareness on the investigative skills and possibilities available. The role of Eurojust, as the agency for judicial cooperation, is extremely important to coordinate investigations and ensure the efficiency of prosecution and assets seizure in such cases.

Proper coordination of information processing and reporting to the involved countries is critical for efficient investigations. A centralised database is very important to link members of criminal networks, fraudulent incidents and investigations. Europol, having a specialised team with an existing operational database and a newly-created technical platform, can play an important role in such cases.

The missing links that remain are the legal solutions on cooperation with non-EU States and the communication of data with non-EU States and the communication of data with Private Industry.

You may also with to read

.

RSA’S October Online Fraud Report

Below is a summary of RSA’s October Online Fraud Report.

October was Cyber Security Awareness Month. A public relations effort made by several US-based government bodies to increase security-literacy across the tiers that make up our digital society. By encouraging each and every Internet user to “Stop, Think, Connect,” the Department of Homeland Security (DHS), the National Cyber Security Alliance (NCSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) hope to increase security within the home, business environment, and ultimately within the entire nation. While this effort was founded in the U.S., its aspirations of increasing security literacy among the general public could easily be embraced across the globe.

Ironically, October also marks a major milestone for RSA, reaching the official shut down of over 500,000 phishing attacks around the globe. Sometimes viewed as one of the oldest scams in the book, phishing is still a very popular method among cybercriminals.

RSA recently estimated that worldwide losses from phishing attacks alone during H1 2011 amounted to over $520 million, and losses incurred from phishing attacks during the 12-month period of H2 2010 through H1 2011 reached nearly $1 billion.

Phishing Attacks per Month

The number of phishing attacks identified by RSA in September increased by 45%, setting a new all-time high of 38,970 attacks. As in the month prior, this increase was largely attributed to repeated attacks on a handful of large financial institutions which have been heavily targeted throughout the past few months.

Number of Brands Attacked

The total number of brands attacked decreased 15%, dropping from 351 targeted brands in August to 300 brands in September. Last month, no new brands endured their first phishing attack, compared to seven newly-targeted brands in August. Monthly counts of newly-targeted brands last year hovered around 20 to 25 entities per month indicating a slowdown in the trend of attacks on new targets.

US Bank Types Attacked

In September, the portion of targeted brands among U.S. credit unions dropped from 19% to 6%. In contrast, the portion of targeted brands among regional U.S. banks increased 5%, while attacks against nationwide U.S. banks increased 8%. Nationwide banks continue to be the most lucrative target among phishers likely because their customer bases are large and geographically dispersed.

Top Hosting Countries

The U.S. hosted two out of three worldwide phishing attacks in September. Since September 2010, the only countries that have consistently hosted the highest portions of phishing attacks have been the U.S., UK, and Germany.

Top Countries by Attack Volume

The U.S. and UK continue to remain the top two countries targeted by the highest volume of phishing attacks. In September, they endured 79% of the world’s phishing attacks. Brazil, Canada, and South Africa remained among the top five countries in September in terms of phishing attack volume.

Top Countries by Attacked Brands

U.S. and UK brands accounted for 43% of all the brands targeted worldwide by phishing in September.

The full report can be found here.

The RSA September Online Fraud Report Summary is here.

.

Five Ways to Fall Victim to Credit Card Fraud

Fox News Talk
Image via Wikipedia

Originally published on September 09, 2011 by Fox News this article by Lora Shinn is a simple but effective way of avoiding becoming another victim of credit card fraud.

Review these mistakes to avoid becoming a victim of  debit or credit card fraud.

1. Failing to Look for Skimmers

Thieves may attach skimming devices to the exterior  of an ATM or point-of-sale terminals requiring a PIN, or personal identification  number. It’s worth the few seconds it takes to glance before you swipe.

“Always take a look at the machine to see if there  (are) any visible traces of activity, such as glue or scuff marks or loose bits  around the PIN pad or the place where you insert your card,” says Manisha  Thakor, co-author of “On My Own Two Feet: A Modern Girl’s Guide to Personal  Finance.” “Those are telltale signs that an attempt may have been made to attach  a skimmer.”

She says you should pay close attention when you’re  visiting an ATM in a low-traffic locale, where it’s easier for someone to attach  a device. When in doubt, use a different ATM.

2. Banking Online in a Cafe

You may have free Wi-Fi access at your favorite  coffee shop, but you might not want to use it to check the balance in your  savings account. If you’re using an open wireless network, it’s easier for  hackers to intercept online transactions, passwords and other private business.

 “It’s not the time to do financial business, your online banking or your  shopping,” says Marian Merritt, a Norton Internet safety advocate at Symantec,  a manufacturer of security software.

That goes for websites that start with HTTP and  HTTPS as well because you don’t know how securely the coffee shop, hotel or  other free Internet access point is set up. Hackers can set up “man in the  middle” attacks to grab your passwords, card number and other information while  you’re on the public network. So enjoy the latte and save checking your credit  card statement for later.

3. Responding to Phishing Messages

If you receive a text message on your phone from  your bank, and it asks you to log into your card account immediately — but you  didn’t contact the bank — raise your mental drawbridge. The same goes for a  message that arrives via Facebook, Twitter  or any other mode of communication.

“Any unsolicited phone call, email, text or social  media message could be a phishing attempt,” says Erik Mueller, vice president of  payment system integrity at MasterCard  Worldwide. “Be skeptical of these messages, especially if they request credit or  debit card data or personal information, or link to another website or Web  page.” With the right data, a phisher will quickly find a way to commit credit  card fraud.

If you think the message might be legitimate or you  have concerns about fraud, contact your issuer directly using the customer  service phone number on the back of your debit or credit card.

4. Ignoring Your Rights and Responsibilities

If you’ve lost your credit or debit card, suspect it  was stolen or think someone has lifted your number off the Internet, call your  card issuer immediately. Credit cards offer the greatest protection against  fraud. Most card issuers provide zero-liability fraud protection, and federal  law says once you report the loss or theft, you have no further responsibility  for unauthorized charges. Your maximum liability under federal law is $50 per  card.

With debit cards, your responsibilities and rights  change. While you may have zero-liability fraud protection on your debit card,  it may not apply to PIN-based transactions or ATM withdrawals. Federal law also  has some caveats when it comes to debit card fraud protection. If someone made  fraudulent purchases with the debit card data and you don’t report the theft  immediately, your liability could skyrocket, especially if you wait longer than  60 days to report it. In addition, if a thief uses your debit card to drain your  bank account, you’ll be short on cash while your bank investigates.

5. Not Using Free Fraud Protection

Additional fraud protection is available for free by  numerous card issuers and financial institutions, though most require a little  investigation or enrollment. For example, the Verified by Visa program sets up  Visa cardholders with an additional password they can use to shop at  participating online merchants. MasterCard SecureCode works similarly. It  requires the user to enter the correct PIN during checkout at a participating  online retailer.

Another option: Try one-time or “virtual” credit  card numbers, which are offered by some banks such as Citibank  and Bank of America. These numbers are used for only one purchase and then are  no longer usable — so you don’t have to worry they’ll be swiped and reused by a  fraudulent user.

You can also minimize debit and credit card fraud by  making use of free account alerts, which notify you when certain transactions or  changes occur, such as a transaction for more than a certain dollar amount or a  purchase made overseas.

Check your bank or card issuer’s site to find out  whether they participate in these programs and services.

The original Fox News post can be found here.

.

Benefits of PCI Compliance – direct and indirect

Credit cards
Image via Wikipedia

Many Merchants see the Payment Card Industry’s Data Security Standard (PCI DSS) as an expense they could do without. 

The counter argument is most businesses would struggle if nothing was done to tackle Credit Card Fraud because the Credit Card companies would need to charge Merchants a higher transaction rate to cover their losses. 

So, what other reasons could there be for becoming PCI Compliant? 

The answer very much depends on your business type and the loyalty of your customers and prospective customers. 

Some very good reasons for becoming PCI compliant are listed below.

Continue reading “Benefits of PCI Compliance – direct and indirect”

PCI Awareness Training – official courses are now available

The PCI Council has announced that it is offering PCI Awareness Training to anyone interested in learning more about PCI DSS.

The dates of the official council courses are

  • 2 March 11, 2011 London, England 09:00-17:30 $995 USD plus local taxes
  • 3 April 1, 2011 Sydney, Australia 09:00-17:30 $1500 USD plus local taxes

 Course Description

  • What is PCI and what does it mean to companies that must meet compliance with the DSS?  An overview of the payment card industry, the terminology used within the industry, the flow of transaction data through the various components that make up the payment card industry, and the relationships between the various organizations in the process.
  • How the credit card brands differ in their validation and reporting requirements – Detailed coverage of the classifications and compliance requirements for merchants and service providers and details about the various card brands’ compliance programs.
  • Roles and Responsibilities – Descriptions of the key actors in the compliance process including high-level overviews of the Qualified Security Assessor (QSA), Internal Security Assessor (ISA), Payment Application Qualified Security Assessor (PA-QSA) and Approved Scanning Vendor (ASV) programs.
  • PCI Data Security Standard (DSS) – An overview of the current DSS (version 2.0), the testing procedures for validating compliance, and what constitutes compliance with the requirements.
  • PCI Hardware and Communications Infrastructure – Generalized overview of the types of devices used by organizations to accept payment cards and communicate with the verification and payment facilities.
  • PCI Reporting – An overview of the different types of reports that must be submitted to the card brands or their designated agents to demonstrate compliance (or non-compliance) of the organizations filing the reports.
  • Real world examples – An overview of compliance issues and mitigation strategies including defining compensating controls, creating policies and modifying the cardholder data environment.

 

PCI often fails because of an employee’s action so it is good to see the PCI Council has launched these courses. However, there is only one course in Europe and it is on a first come first served basis which means only a few of the millions of European Merchants will gain any advantage.

I have found “general” PCI Awareness courses fail to meet the needs of organisations because:

  • The course will be pitched at differing skill levels, from beginners (hopefully there are not too many left) to experts who may have been through external Audits by a QSA.
  • It is not specific to an industry type, the needs of an e-commerce merchant are very different to a mail order/telephone merchant.
  • The individual employee has the daunting task of taking the knowledge and rehashing it for the rest of their organisation. Even if they have the slide ware they never have the gravitas of an external trainer or QSA who can handle all the questions that will be fielded.

 

There are alternative sources of training who will deliver public or bespoke courses for an organisation.

In a recent client scenario, we provided a 1-day classroom based training for senior managers, a series of ½-day road trip stop local sites for branch workers and 1-hour web-based sessions for field-based staff.

This ensured the right people gained the right knowledge when and where the client required it.

Find the details of the PCI Council courses here or ping me an email for ideas on how you can make your employees more aware of PCI.

Downloadable: CyberSource’s report on UK Online Fraud 2011

The report is based on an industry wide survey, and addresses the detection, prevention and management of online fraud.

The Cost of Fraud

On average, the percentage of annual online revenue that businesses expect to lose to payment fraud in 2010 has dropped from 1.8% to 1.6%.

The survey revealed that this does vary dramatically by merchant size:

  • very large businesses expected to lose £365,500 to online payment fraud, equating to an average of 1.5%
  • Large businesses expect to lose £173,500 (1.2%)
  • Medium businesses £66,000 (2.4%)
  • Small businesses £3,500 (1.5%)

The report delivers:

  • Key fraud metrics, including review and order reject rates
  • Most widely used fraud detection tools
  • Chargeback practices; re-presentment and win rates
  • Merchants’ fraud management priorities for 2011

Download the report here, required registration.

29% of credit card holders hit by fraud as global fraud rises

ACI Worldwide conducted fraud research in 14 countries and found that 29% of the 4,200 respondents had been victims of credit card fraud in the last 5 years.

The percentage in the UK was above the norm at 33%, a rise of 6% in the last 18 months. This estimates the number of UK Consumers hit by credit card fraud as 14.6 million in the past five years.

Other countries fared better, such as the Netherlands with 11% experiencing fraud whilst others, like China with a 43% fraud rate, fared worse.

ACI Worldwide http://www.aciworldwide.com

Top 5 Riskiest Places To Use Your Credit Card | B2B News

From B2B News

You can still be a victim of credit card fraud even if you use it with utmost caution. Credit card companies and banks are more and more often putting the onus of catching phony or incorrect credit card charges on the consumer.
The most important thing is to check your billing statement. And there are organizations like Creditcards.com that offer tips on how to keep your cards safe as well. Here, we take a look at 5 of the riskiest places you might use your card, according to Creditcards.com, and what you can do to stay away from dangers.

 Non-Bank Owned ATMs

Encryption at these ATMs is often not as good as at bank ATMs. These ATMs also are more likely to be hacked. And in some cases, people have put up devices that look like ATMs but don’t give out cash. Instead, they are just card-skimming devices aimed at stealing your credit card or debit card information.

 Flea Markets

Flea market merchants are often transient and can be difficult to locate if there is a problem with charges. It’s especially true for vendors who don’t have online credit card terminals and instead make carbon copies of your credit card.

That doesn’t mean those vendors are necessarily fraudulent, but it makes the transaction less secure. The credit card company might have trouble doing a charge back. If you’re going to the flea market, take cash. It’s also easier to negotiate that way.

 Small Shops/Cafes in Foreign Countries

These smaller merchants have a significantly higher percentage of credit card fraud as reported by large banks and credit card companies. Many of these transactions end up being written off by the banks because the merchants simply can’t be located. There’s just a higher chance of fraud when you get outside of the mainstream, so when in doubt, use cash.

Non-Secure Online Checkout

Any safe, reputable e-commerce site is going to have a secure checkout page, like the one shown at left. If that doesn’t appear, it should be a red flag. You can almost be sure it’s not legitimate, and even if it is, you’re opening yourself to that transaction being seen by others.

Purchases on Smart Phones

Purchases on smart phones can also be less than secure. If your smart phone connects to a public wi-fi signal, you’re going to be much less secure. Someone else can potentially see the transaction, or malware can be placed on your device that can potentially transmit your personal information

Top 5 Riskiest Places To Use Your Credit Card | B2B News.

14 Arrested for Credit Card Fraud

First 4 digits of a credit card
Image via Wikipedia

Authorities arrested 14 members of a criminal ring that has netted $30 million in credit card and bank frauds

Courthouse News Service.

Blog at WordPress.com.

Up ↑

%d bloggers like this: