Search

Brian Pennington

A blog about Cyber Security & Compliance

Tag

Fraud

100 Percent of Retailers Disclose Cyber Risks

According to BDO’s analysis of risk factors listed in the most recent 10-K filings of the 100 largest U.S. retailers, risk associated with a possible security breach was cited unanimously by retailers, claiming the top spot, up from the 18th spot in 2007.

Since major retail security breaches began making national headlines in 2013, retailers have become acutely aware of the growing cyber threat and cyber-related risks. Between new point-of-sale systems and evolving digital channels, the industry faces unique vulnerabilities: Retailers are responsible for safeguarding consumer data as well as their own, in addition to protecting against potential gaps in security related to third-party suppliers and vendors.

2016 marks the 10th anniversary of our retail risk factor analysis, and throughout the decade, we’ve seen the retail landscape undergo a dramatic evolution in response to the recession, new and maturing e-commerce channels and evolving consumer preferences,” said Doug Hart, partner in BDO’s Consumer Business practice. “Retailers over the years have proven to be in tune with the industry-wide issues and trends that could pose risks to their businesses, and they are clearly not tone deaf when it comes to reacting to the urgency of cybersecurity

The following chart ranks the top 25 risk factors cited by the 100 largest U.S. retailers:

Top 20 Risks for Retailers 2016 2015 2014
General Economic Conditions #1 100% #1 100% #1 100%
Privacy Concerns Related to Security Breach #1t 100% #4t 99% #8 91%
Competition and Consolidation in Retail Sector #3 98% #1t 100% #3 98%
Federal, State and/or Local Regulations #4 96% #1t 100% #2 99%
Natural Disasters, Terrorism and Geo-Political Events #5 94% #7 96% #13 87%
Implementation and Maintenance of IT Systems #6 93% #4 99% #7 92%
U.S. and Foreign Supplier/Vendor Concerns #6t 93% #6 98% #4 96%
Legal Proceedings #6t 93% #9t 95% #8t 91%
Labor (health coverage, union concerns, staffing) #9 91% #7t 96% #5 94%
Impediments to Further U.S. Expansion and Growth #10 90% #12t 92% #17 78%
Dependency on Consumer Trends #11 88% #9 95% #6 93%
Consumer Confidence and Spending #12 87% #15 89% #8t 91%
Credit Markets/Availability of Financing and Company Indebtedness #13 85% #11 94% #11 89%
Failure to Properly Execute Business Strategy #14 82% #12 92% #11t 89%
Changes to Accounting Standards and Regulations #15 76% #14 90% #13t 87%
International Operations #16 73% #17 86% #15 80%
Loss of Key Management/New Management #16t 73% #19 80% #16 79%
Marketing, Advertising, Promotions and Public Relations #18 66% #25 68% #24 64%
Consumer Credit and/or Debt Levels #19 62% #27 65% #23 65%
Joint Ventures #20 61% #21 76% #18 74%

Additional findings from the 2016 BDO Retail Risk Factor Report:

Cyber Risks Include Compliance Measures

As the cyber threat looms larger, retailers are bracing for new and emerging cybersecurity and data privacy legislation. Risks associated with cyber and privacy regulations were cited by 76 percent of retailers this year. This is in line with the findings from the 2016 BDO Retail Compass Survey of CFOs, in which nearly 7 in 10 retail CFOs said they expected cyber regulation to grow in 2016. These concerns have been highlighted by President Obama’s recently unveiled Commission on Enhancing National Cybersecurity and continued debate in Congress over information sharing between the government and private industry.

Retailers have not escaped regulatory scrutiny. The industry is also subject to Europay, Mastercard and Visa (EMV) standards that bolster credit card authentication and authorization. Industry analysts estimate that just 40 percent of retailers are compliant with EMV standards despite the Oct. 1, 2015 deadline.

“Mandating EMV chip-compliant payment systems is an important first step in shoring up the industry’s cyber defenses, but it’s just the tip of the iceberg,” said Shahryar Shaghaghi, National Leader of the Technology Advisory Services practice group and Head of International BDO Cybersecurity. “Online and mobile transactions remain vulnerable to credit card fraud and identity theft, and POS systems can still be hacked and provide an access point to retailers’ networks. New forms of malware can also compromise retailers’ IT infrastructure and disrupt business operations. Every retailer will experience a data breach at some juncture; the real question is what mechanisms have been put in place to mitigate the impact.”

E-Commerce Ubiquity Drives Brick & Mortar Concerns

Impediments to e-commerce initiatives also increased in ranking, noted by 57 percent of retailers in 2016, a significant contrast from 12 percent in 2007. In 2015, e-commerce accounted for 7.3 percent of total retail sales and is continuing to gain market share.

As e-commerce grows and businesses strive to meet consumers’ demand for seamless online and mobile experiences, retailers are feeling the effects in their physical locations. The recent wave of Chapter 11 bankruptcies and mass store closings among high-visibility retailers has raised concerns across the industry. Ninety percent of retailers are worried about impediments to growth and U.S. expansion this year. Meanwhile, risks associated with owning and leasing real estate jumped 14 percentage points to 54 percent this year.

Heightened worries over the impact of e-commerce on physical locations are far reaching, driving concerns over market competition for prime real estate and mall traffic to rise 19 percentage points to 46 percent. Meanwhile, consumer demand for fast shipping fueled an uptick in risks around the increased cost of mail, paper and printing, rising 10 percentage points from seven percent in 2015 to 17 percent this year.

General Economic Conditions Hold Weight

General economic risks have been consistently top of mind for retailers throughout all ten years of this survey. Even at its lowest percentage in 2008, this risk was still the second most cited, noted by 83 percent of companies.

Despite the fact that since 2013, general economic conditions have remained tied for the top risk, concerns about specific market indicators have receded.

For more information on the 2016 BDO Retail RiskFactor Report, view the full report here.

About the Consumer Business Practice at BDO USA, LLP

BDO has been a valued business advisor to consumer business companies for over 100 years. The firm works with a wide variety of retail and consumer business clients, ranging from multinational Fortune 500 corporations to more entrepreneurial businesses, on myriad accounting, tax and other financial issues.

The State of Cybersecurity in Healthcare Organizations in 2016

ESET and the Ponemon Institute have announced results of The State of Cybersecurity in Healthcare Organizations in 2016.

According to the study, healthcare organizations average about one cyber attack per month with 48% of respondents said their organizations have experienced an incident involving the loss or exposure of patient information during the last 12 months. Yet despite these incidents, only half indicated their organization has an incident response plan in place.

The concurrence of technology advances and delays in technology updates creates a perfect storm for healthcare IT security,” said Stephen Cobb, senior security researcher at ESET. “The healthcare sector needs to organize incident response processes at the same level as cyber criminals to properly protect health data relative to current and future threat levels. A good start would be for all organizations to put incident response processes in place, including comprehensive backup and disaster recovery mechanisms. Beyond that, there is clearly a need for effective DDoS and malware protection, strong authentication, encryption and patch management

Key findings of the survey:

78% of respondents, the most common security incident is the exploitation of existing software vulnerabilities greater than three months old.

63% said the primary consequences of APTs and zero-day attacks were IT downtime

46% of respondents experienced an inability to provide services which create serious risks for patient treatment.

Hackers are most interested in stealing patient information

  • The most attractive and lucrative target for unauthorized access and abuse can be found in patients’ medical records, according to 81% of respondents.

Healthcare organizations worry most about system failures

  • 79% of respondents said that system failures are one of the top three threats facing their organizations
  • 77% cyber attackers
  • 77% unsecure medical devices

Technology poses a greater risk to patient information than employee negligence

  • 52% of respondents said legacy systems and new technologies to support cloud and mobile implementations, big data and the Internet of Things increase security vulnerabilities for patient information
  • 46% of respondents also expressed concern about the impact of employee negligence
  • 45% cited the ineffectiveness of HIPAA mandated business associate agreements designed to ensure patient information security

DDoS attacks have cost organizations on average $1.32 million in the past 12 months

  • 37% of respondents say their organization experienced a DDoS attack that caused a disruption to operations and/or system downtime about every four months. These attacks cost an average of $1.32 million each, including lost productivity, reputation loss and brand damage.

Healthcare organizations need a healthy dose of investment in technologies

  • On average, healthcare organizations represented in this research spend $23 million annually on IT
  • 12% on average is allocated to information security
  • Since an average of $1.3 million is spent annually for DDoS attacks alone, a business case can be made to increase technology investments to reduce the frequency of successful attacks

Based on our field research, healthcare organizations are struggling to deal with a variety of threats, but they are pessimistic about their ability to mitigate risks, vulnerabilities and attacks,” said Larry Ponemon, chairman and founder of The Ponemon Institute. “As evidenced by the headline-grabbing data breaches over the past few years at large insurers and healthcare systems, hackers are finding the most lucrative information in patient medical records. As a result, there is more pressure than ever for healthcare organizations to refine their cybersecurity strategies

500 European Business Leaders attend the PCI Security Standards Council Community Meeting

This week business leaders and security professionals gathered in Nice, France to discuss payment based security and especially PCI DSS and P2Pe. 

Jeremy King PCI Security Standards Council International Director said, The new European Commission Payment Services Directive 2 along with the European Banking Authority Guidelines for Securing Internet Payments have clear and detailed requirements for organisations in protecting cardholder data. Add to that the soon to be released General Data Protection Regulation which covers all data security, and you have a massive increase in data security, which when implemented will impact all organisations in Europe and beyond, 

These regulations will force organisations to take security seriously, and PCI provides the most complete set of data security standards available globally. Establishing good data security takes time and effort. Organisations need to know these regulations are coming and put a plan in place now for ongoing security

With 70% of all card fraud coming from Card-Not-Present (CNP), a figure that surpasses the previous 2008 record which was set during the EMV chip migration, it is a critical time for the industry. 

A significant amount of the conference was spent on new and developing technologies including::

  • Cloud – Daniel Fritsche of Coalfire presented on Virtualisation and the Cloud
  • Mobile – several presentations including the Smart Payments Association
  • Point to Point Encryption (P2PE) – Andrew Barratt of Coalfire delivered a panel discussion
  • Tokenisation – A presentation by Lufthansa Systems 

Jeremy King added. PCI is committed to helping organisations globally improve their data security. Our range of standards, and especially our supporting documents, are designed to help all companies improve and protect their data security. The annual Community Meeting is a big part of our efforts to engage with companies from all sectors, sharing and exchanging information to ensure they have the very best level of security 

We must work together to tackle card-not-present fraud with technologies such as point-to-point encryption and tokenisation that devalue data and make it useless if stolen by criminals.

Attendees included experts from Accor Hotels, , British Telecommunications, Capita, Coalfire Systems Limited, Accor Hotels, Lufthansa, Virgin Trains, Vodat International and hundreds of others.

29% of Consumers Don’t Trust Retailers With Securing Their Data

Global Consumers: Concerned and Willing to Engage in the Battle Against Fraud,” is the second in a two-part series conducted by ACI Worldwide and Aite Group. Among other findings, only slightly more than 50% of consumers feel stores where they shop use security systems that adequately protect their financial data against hackers and data breaches

  • 29% do not trust retailers (e.g., stores, online shopping sites, restaurants, etc.) to protect stored personal and financial data against hacking attempts and data breaches.    
  • 58% think financial institutions (large multinational institutions, community banks and credit unions) do a better job of protecting their data than do retailers, or for that matter, government agencies and law enforcement.  
  • Only 55% feel stores where they shop use security systems that adequately protect their financial data against hackers and data breaches, compared to 62% who believe that online shopping websites adequately protect this information.  

Mobile Customer Engagement

  • 77% are “very interested” in being contacted about suspicious activity on their cards or accounts via a phone call, email or text message.  
  • 73% prefer that their banks not post transactions to their cards until they respond to fraud alerts. 

Consumer Awareness

  • 42% do not recall receiving any anti-fraud information from their financial institution.
  • 32% think theft by a computer hacker is the greatest fraud risk. 

Prepaid Card Implications

  • In many countries, prepaid card usage and the rate of fraud on such cards correlates. China and India have the highest rates of prepaid card fraud at 17% and 18%, respectively, and very high consumer use rates at 93% and 91%, respectively. 
  • Conversely, in countries with use rates of 70% or less, such as Australia, Canada, New Zealand and the United States, fraud rates are 4% or less, indicating that the fraud rate may rise as more consumers use prepaid cards.  

Consumer distrust is exacerbated by the widely publicized retail data breaches over the past year,” Mike Braatz, senior vice president, Payments Risk Management Solutions, ACI Worldwide.

Retailers have their work cut out for them – to change consumer perception that shopping, be it online or in-store, is unsafe,” Mike Braatz, senior vice president, Payments Risk Management Solutions, ACI Worldwide.

Consumers want to engage in the battle against fraud. Financial institutions must take a proactive role in not only engaging customers in fraud-alerting activities, but educating them on preventative measures to take to most effectively combat it,” Shirley Inscoe, analyst, Aite Group. 

Communication is key when it comes to financial institutions making customers aware of the tools available to fight fraud. This can have a big impact in customer satisfaction and loyalty,” Shirley Inscoe, senior analyst, Aite Group. 

Most Americans feel EMV chip cards make their debit or credit card transactions more secure

NXP Semiconductors has announced the results of its ‘Security Matters: Americans on EMV Chip Cards’ survey.

To gain further understanding of how confident Americans are in the security of EMV chip card technology and debit/credit card purchases in general, NXP polled more than 1,000 American adults on credit card usage, behavioural trends and consumer sentiment toward the electronic and cashless movement.

Attitudes towards Breaches and Retail Hacks
Overall sentiment reveals that while consumer confidence in credit card technologies remains high, Americans continue to demand better solutions that protect identity, personal information and financial data. With recent reports of compromises in security at Target, Neiman Marcus, PF Chang’s and other retailers, Americans are more likely to pay in cash following a security breach at large retailers, with 37% of the millennial age group (18 to 34 years of age) being the most likely to convert to cash. For example, 80% of Americans are confident in their financial institution and the security of their financial accounts, as well as the security and protection of their credit/debit cards (73%).

However, once a security breach at a major store occurs, consumers automatically turn to less convenient forms of payment (64%) – such as cash – to complete a purchase.

Credit Card Protection Technology
Respondents were asked a number of questions pertaining to security, confidence in financial institutions and credit cards, purchasing habits, geographic location, gender and general understanding of current magnetic strip and EMV technology. When asked specifically about the underlying technologies of a credit or debit card, Americans responded favourably, with 69% stating that EMV chip cards are making their debit and credit card transactions more secure, with only 5% feeling chip cards make their transactions less secure. When asked about the tap and pay feature available on some EMV chip cards, the most common concern expressed was an increased risk of theft (61%), followed by 37% expressing concerns about being charged incorrectly for purchases.

Security and Personal Information

  • 69% of Americans feel EMV chip cards make their debit or credit card transactions more secure
  • 28% believe they are much more secure
  • 31% of men believe they are much more secure compared to 24% of women

Security of finances

  • 73% of Americans are confident in the security of their credit/debit cards or their financial accounts (80%) with their primary financial institution
  • 33% are very confident in the security of their accounts, compared to 26% feeling very confident in the security of their credit/debit cards
  • 64% of Americans say they are more likely to pay in cash after hearing about security breaches at large retailers
  • 36% say they are not more likely to pay in cash
  • 37% of 18 to 34 year olds say they are much more likely compared to 27% of 35 to 54 year olds and 23% of those 55+
  • 5% believe chip cards make their transactions less secure

From this survey, we see a high consumer awareness of EMV chip card security and readiness to adopt secure technologies that protect credit and debit card purchases,” said Brintha Koether, Director Payments at NXP Semiconductors. “We recognize the sensitivity and loss of trust consumers immediately feel after learning of a major security breach. We have seen how secure chip technology employed outside the U.S. drastically reduces fraud as well as builds consumer confidence in card transactions, financial institutions and retailers

For full NXP Retail Hacks survey click NXP Study.

Hidden Dangers of a Data Breach an Infographic

A third of Canadians are victims of financial fraud

Canadians are taking steps to protect themselves against fraud, according to a survey by the Chartered Professional Accountants of Canada.

The group’s annual look at this issue found:

  • 72% of Canadians shred their banking and credit card statements;
  • 68% are very uncomfortable giving out personal or financial information through email;
  • 61% are very uncomfortable giving out this information on the phone;
  • 59% cover the keypad when entering their PIN number at a retailer or a bank machine;
  • 56% are very uncomfortable logging in to their banking or investment website using a public Wifi network;
  • 51% notify their bank and credit card company when they travel abroad.

The survey also reveals that, despite these efforts:

  • 29% of respondents report being victims of some form of financial fraud
  • 43% know someone who has been a fraud victim

The most common types of fraud reported by victims surveyed were credit and debit card fraud.

The CPAC is an umbrella group for the Canadian accounting profession. Reprinted from the Toronto Star.

Increasing Security and Reducing Fraud with EMV Chip and PCI Standards an Infographic

When data is exposed, it puts your customers and your reputation as a business at serious risk. EMV chip technology combined with PCI Security Standards offer a powerful combination for increasing card data security and reducing fraud.

EMV – The perspective of a QSA who has worked on both sides of the Atlantic

With the spate of cyber attackers on US retailers recently Coalfire’s European MD, Andrew Barratt considers how the attacks on retailers differ outside the US and what the potential impact of similar attacks is in a world where Chip and Pin technology is more widely deployed.

Working in both the US and Europe gives us a good perspective on the payment security landscape.  The US has a much higher rate of credit card usage than most European countries, loyalty schemes and reward incentives are much more mature and embedded in consumer culture.  In Europe card usage is increasing but the type of card varies by country.  In the UK credit card use is moving in a similar direction to the US and includes a high rate of debit card usage; cards are quickly replacing cash. The UK now has lots of innovative mobile tech trying to disrupt the card market as well.   Germany is very different, credit card usage is very low (consumer culture is quite averse to borrowing) and the debit scheme is a closed system.  However both of Europe’s large economies moved away from using the magnetic stripe years ago.

EMV or Chip and Pin as it is more commonly referred to in the UK has been in heavy use since 2006 which has helped lower the impact of brick and mortar retail breaches significantly.  It doesn’t rely on sending the full track information to the payment processor meaning that the data is easier to secure.

With retailers adopting more of the security controls detailed in the Payment card industry data security standard and with widespread adoption of Chip and Pin for authenticating customers huge losses from face to face retailers are less common.

Large US retailers are being targeted for smash and grab style payment card data breaches because the data is easier to use fraudulently.  If a cyber-attack steals a lot of magnetic stripe data, this can be used to clone cards, which can then be used in stores to make fraudulent purchases.

Where transactions are authenticated using EMV’s Chip and Pin verification method less data is transmitted to the processor.  If this data is stolen it is harder to be used fraudulently.  It’s not impossible but a lot harder.  EMV is not without its flaws and a number of attacks have been demonstrated by Professor Ross Anderson’s research team at Cambridge University.  These typically attack the card reader and try to grab the Pin as it is sent to the smart card on the Chip for verification.

For US retailers minimizing exfiltration possibilities should be a high priority, lock down and monitor the outbound connections.

The fraud bubble has been squeezed attackers focus on e-commerce operations in the UK, service providers and other businesses that handle lots of cardholder not present transactions.  As the cost of implementing attacks against the smart card declines Europe serves to be a good learning ground for the US.  If the US adopts a future EMV model adoption can be considered with lessons learned overseas for more consumer protection.

Article written by Andrew Barratt

Twitter:     @Andrew_barratt

LinkedIn:  http://www.linkedin.com/in/andrewbarratt

Blog at WordPress.com.

Up ↑

%d bloggers like this: