Fraud & Identity Management

Apple held its annual developers conference last week to showcase its new features within iOS8. One area that still needs clarification is Apple’s intent for mobile payments. Cherian Abraham, Experian Decision Analytics mobile payments analyst, shares what he thinks Apple might look to do in the mobile payment space going forward. In my first post, I touched upon Apple’s program for third party hardware attachment market as being significant and likely to be a key aspect of its payments approach. In this post I discuss these three things: 1. How Apple’s new security paves the way for mobile payments 2. Bluetooth being secured enough where Payments is a use-case 3. Why the iPhone 6 will not have NFC Last week, 9to5mac reported that Apple has introduced a new specification for manufacturers in its MFi program (Made for iPad, iPhone and iPod) that allows them to create headphones that connect to iOS devices using a lightning connector instead of relying on the 3.5mm audio jack. Why is it important? Because as Apple looks to rid itself of any such remaining legacy vestiges, it’s also shedding any ambiguity around who is in control of the iOS hardware ecosystem and what it means to be a third party accessory maker – once reliant on open standards supported by all devices and now serving at Apple’s pleasure. It is a strategy that fits against the backdrop of an iOS ecosystem that is made up of software that is increasingly becoming more open, and hardware that is slowly being walled off – primarily in the name of security. The former is evident in how Apple has opened up third-party access to core authentication services like TouchID. What about the latter? Apple’s new security blanket Well, first let’s look at what Apple has publicly acknowledged about the MFi program. Every iOS device will initiate communication with a third-party accessory by asking it to prove sufficient authorization by Apple — to respond with an Apple-provided certificate, which iOS subsequently verifies. Further, the iOS device then issues a challenge, which is then answered by the third-party accessory by a signed response. These two steps require that a third-party accessory must have: • An Apple certificate • Requisite cryptographic capabilities — preferably in hardware to comply. That is precisely what Apple does by encapsulating all this in an Integrated Circuit that it controls – where the entire handshake is transparent to the accessory. With this – Apple’s role in the third-party accessory market becomes non-negotiable. You think you have a cool accessory that requires a trusted connection and intends to share data with an iOS device? Unless you inherit Apple’s controls you are relegated to speaking analog and conducting a limited set of user-driven operations — Start, Pause, Rewind (standard Serial UART audio playback controls) — usable only to headphones using the audio jack. Now, how about them apples? It’s important to note that these steps to validate whether an accessory is authorized to communicate with an iOS device can happen over the lightning connector, Bluetooth or WiFi. The advantage here is that this repels man-in-the-middle attacks because a malicious interceptor will not have the Apple IC to pass authorization, and subsequently will not have the negotiated key that encrypts all subsequent communication. The whole key negotiation occurs over Bluetooth. It is important because this approach can solve man-in-the-middle attacks for Bluetooth in scenarios including payments. A cynical view of the MFi program would be to consider it a toll that Apple is eager to extract from the third-party accessory makers building accessories authorized to communicate with an iOS device. A more pragmatic view would be to recognize Apple’s efforts as an ecosystem owner, whose primary intent is authenticating any and all devices within and in the periphery of the iOS ecosystem and secure all inbound and outbound data transfers. With more iOS device types, and a heterogeneous accessory market Apple is entirely justified in its role as the ecosystem owner to be at the front of the curve, to ensure security is not an afterthought - and instead to – mandate that data in transit or at rest is fully secured at all end-points. In fact, interest in Wearables, Home automation, Healthcare and Telematics are completely rewiring the rules of what it means to be an accessory anymore I believe this approach to security will be the mainstay of how Apple visualizes its role in enabling payments — regardless of channel. Anything it does to reduce payments friction will be counterbalanced by serious cryptographic measures that secure devices that have a need to communicate in payments — to authenticate, to encrypt and to subsequently transfer a payment token. With TouchID today it does so by verifying the fingerprint before authorizing the transmission of an authentication token from the Secure Enclave to an Apple server in the cloud. I don’t doubt that the authentication token being sent to the Apple server in the cloud is itself signed by the device’s unique ID – which is verified, before the server completes the purchase with a card on file. Thus, crypto pervades everything the iPhone does, touches or trusts. So how do the MFi program, Bluetooth, iOS Security fit in within Apple’s plan to tackle retail payments? For that, let’s start with NFC. With NFC anointed as the only way forward by networks and other stakeholders — every other approach was regarded as being less secure without much thought given to that classification by way of actual risk of fraud. You could build the best payments “whatchamacallit” and throw everything and the kitchen sink at it — and be still branded as ‘Card Not Present’ and inherit a higher cost. Understandably — merchants passed on it as they couldn’t scale with the costs that it confronted. No self-respecting merchant could afford to scale — unless they owned all of the risk (via decoupled debit, ACH or private label). All they could do was reject contactless and prevent themselves from being burdened by the network’s definition of a payments future. Thus the current NFC impasse was born. Now with merchants rolling out EMV-compliant terminals, many of which have contactless built in, they are desperately looking to Apple for clarity. If Apple does NFC then they have the entirety of a terminal refresh cycle (approximately 10 years) within which they hope that common sense may prevail (for example, debit as an acceptable payments choice via contactless) and correspondingly toggle the switch to begin accepting contactless payments. If Apple goes in a different direction, a merchant who has chosen an EMV-compliant terminal with or without contactless is locked out until the end of the current refresh cycle. But what if Apple went with Bluetooth? Two factors stand in the way: Bluetooth is not secure enough for payments today and terminal makers need to comply. Yet, with EMVCo publishing draft standards around tokenization one can argue that non-NFC modalities now are being given fair share, where proximity is not the only guarantee for security and other options such as Bluetooth can begin to address the challenge creatively. Where is the opportunity among all this for Bluetooth? Let’s tackle Bluetooth Range and Device Pairing that limit its utility in payments today. Range is as much a curse as it is a blessing for Bluetooth. If security via proximity was NFC’s raison d’être, then in contrast Bluetooth had to worry about man-in-the-middle attacks due to its range. Though Bluetooth communication is invariably always encrypted, the method in which two devices arrive at the encryption key is suboptimal. Since much of the early key negotiation between devices happens in the clear, brute forcing the shared secret that is key to encryption is a fairly easy and quick attack — and the range makes man-in-the-middle attacks easy to implement and harder to detect. The approach to device pairing also differs from Bluetooth to BLE. Needless to say, it is even less secure for BLE. Pairing in a payments context brings up further challenges, as it has to be silent, customer initiated and simple to execute. I am not going to pair my iPhone with a point-of-sale by punching in “000000” or another unique code each time I must pay Can NFC be of use here? It can. In fact, Bluetooth pairing is the only use case where I believe that Apple may feel there is utility for NFC so that an out-of-band key exchange can be possible (versus an in-band key exchange wholly over Bluetooth). This is far more secure than using Bluetooth alone and derives a much stronger encryption key. An out-of-band key exchange thus enables both devices to agree on a strong encryption key that can prevent malicious third parties from splicing themselves in the middle. BLE however does not allow for out-of-band key exchange and therefore is limited in its utility. This is another reason why if you are a BLE accessory maker Apple excludes you from having to participate in the MFi program. How can Apple secure Bluetooth and make it the standard of choice for a retail payment use case? The answer to that lies inside Apple’s specification for MFi participants — manifested in the form of the Integrated Circuit Apple provides to them so that these iOS accessories may authorize themselves to an iOS device and secure the communication that follows. This IC which encapsulates the initial setup including the certificate, mutual key negotiation and deriving the encryption key — can support Bluetooth. So if all that ails Bluetooth can be cured by including an IC – will point-of-sale manufacturers like Verifone and Ingenico line up to join Apple’s MFi program? The message is clear. You must curry favor with Apple if you want to be able to securely communicate with the iOS ecosystem. That is no tall barrier for terminal makers who would willingly sacrifice far more to be able to speak to 800M iOS devices and prevent being made irrelevant in an ever-changing retail environment. So why not include a single IC and instantaneously be able to authorize to that broad ecosystem of devices, and be capable of trusted communication? And if they do — or when they do — how will merchants, networks and issuers react? Today a point of sale is where everything comes together — payments, loyalty, couponing — and it’s also where everything falls apart. Will this be considered Card Present? Even with all the serious crypto that would become the underpinnings of such a system, unfairly or not the decision is entirely that of a few. Networks and issuers To answer how they may respond, we must ask how they may be impacted by what Apple builds. Is Apple really upending their role in the value chain? I believe Apple cares little about the funding source. Apple would instead defer to – the merchants who believe it should be debit, and the issuers who believe the customer should choose – and secretly hope that it is credit. I don’t think that Apple would want to get between those two factions. It wants to build simply the most secure, easy way to bring retail payments to iOS devices —  and allow all within the transaction flow to benefit. The rails do not change, but the end-points are now much more secured than they ever were, and they form a trusted bond and a far bigger pipe. A customer who authenticates via TouchID, a phone that announces to the point of sale that it’s ready to talk, a smart circuit that negotiates the strongest encryption possible while being invisible to all and a token that stands in for your payment credential that is understood by the point of sale. It is business as usual, and yet not. Will the iPhone6 have NFC? The presence of NFC in iPhone6 — if it’s announced — will not mean that NFC will be utilized in the same manner as it is today (for example, Isis). The radio will exist, but there will be no global platform secure element. Today the role of the radio is instrumental (in both secure element or HCE cases) in transmitting the PAN to the point of sale. When there are coupons that need to be presented and reconciled at the point of sale — things begin to get complex. Since the radio becomes the bottleneck, it requires longer than a quick tap for more data to be transmitted. Proximity is a good guarantee for device presence as well as the customer, but it’s a poor vehicle for information. So why wouldn’t one try to relegate it to the initial handshake to enable authentification of the device and therefore the customer with the point of sale? As I mentioned above, if Apple uses NFC, its role will be to facilitate an out-of-band key exchange to secure the subsequent Bluetooth communication so that an iOS device can trust the point of sale and securely transmit payment data. This data may include any and all tokenized payment credential along with loyalty, couponing and everything else. By using NFC for out-of-band authentication in conjunction with the authentication IC (provided by Apple) in the point of sale, Apple can run circles around the limitations imposed by a pure NFC approach — exceeding it on usability, security, adaptability and merchant utility. Yet, if NFC’s role is limited to the initial key negotiation, then the case can be made that NFC has very limited utility, it exists only to serve Apple’s security narrative, and utilizing NFC for the initial pairing strengthens the encryption and makes it harder to snoop. If it has only derived incremental value, would Apple care to put it on iPhone6 — and split its utility among customers using iPhone6 versus all others? With more than 400M iPhones out there that can support Bluetooth LE and iOS8, why ignore that advantage and create a self-induced dependency on a radio that has no subscribers today?  So where do I fall within this debate? I believe iPhone6 will not have NFC. Learn more about our Global Consulting Practice.  

There are some definite misunderstandings about the lifecycle of fraud. The very first phase is infection – and regardless of HOW it happens, the victim’s machine has been compromised. You may have no knowledge of this fact and no control. All of that compromised data is off in the ether and has been sold. The next phase is to make sure that the next set of fraudsters can validate those compromised accounts and make sure they got their money’s worth. It’s only at the last phase – theft – that any money movement occurs. We call this out because there are a lot of organizations out there who have built their entire solution on this last phase. We would say you are about two weeks too late as the crime actually began much earlier. So how can you protect your organization? Here are five take-aways to consider: User / device trust. Do this user and device share a history? Has this user seen of been associated with this device historically? It may not be fraud but it is something we watch for. User / device compatibility. Does the user align with devices they’ve used in the past? What are the attributes of the device with respect to user preferences, profile and so on. Device hostility. Look at its behavior across your ecosystem. How many identities has it been associating with? Is it associated with a number of personal attributes or focused on risky activities? Malware. Does this device configuration suggest malware? Because we have information about the device itself, we can show that it’s been infected. Device reputation. Has this device been associated with previous crimes? There are some organizations who have built their entire solution around device reputation. We believe this is interesting to include but it’s more important to look at everything in the context across your entire ecosystem rather that focus on just one area. Want to learn more? Listen to this on-demand webinar “Where the WWW..wild things are – when good data is exploited for fraudulent gain”.

FICO, a leading predictive analytics and decision management software company, has partnered with 41st Parameter®, a part of Experian® and a leader in securing online relationships, to fight fraud on card-not-present (CNP) transactions, the top source of payment card fraud today, while letting more genuine transactions proceed in real time. FICO is integrating 41st Parameter’s TrustInsight™ with the FICO® Falcon® Platform, which protects 2.5 billion card accounts and is used by more than 9,000 financial institutions worldwide. Authenticating the device being used in a transaction provides yet another layer of detection to the Falcon Platform, which includes proprietary analytics based on more than 30 patents. 41st Parameter’s TrustInsight™ solution provides a real-time analysis of a transaction, crowd-sourced from a network of merchants, that produces a TrustScore™ indicating whether the transaction is likely to be genuine and should be approved. TrustInsight helps reduce the number of “false positives,” or good transactions that are declined or investigated by the card issuer. The TrustScore, integrated with the FICO Falcon Fraud Manager Platform, provides a link between data the merchant knows and data the issuer knows to enable issuers to utilize additional information that is not currently available in their fraud detection process, including the identification of a cardholder’s “trusted devices.” Read the entire release here.

During last week’s live webinar, David Britton, online fraud industry expert and vice president, industry solutions at 41st Parameter said this: “At 41st Parameter, we begin our days somewhat differently. We believe that the internet was never built for security in mind. We also assume that all user data has been stolen. Every bit of consumer data has been compromised. Why? It puts us on a much more heightened state of awareness to help mitigate the type of environment we work in. We also believe that we are not just fighting against naturally evolving organisms. Rather, we are combating a very sophisticated and powerfully-motivated individuals who are highly creative.” During the 45-minute live webinar, Britton also provided five distinct actions that businesses can take to help protect their organizations as well as real-world strategies for preventing and detecting fraud online AND maintaining a positive online experience for valued customers. Want to learn more? Link to the on demand webinar here and stay tuned for next month’s panel where we will focus on the surveillance and validation of data prior to theft. Viewers will be armed with tactics that they can leverage in their own organizations.

Surag Patel, vice president of global product management for 41st Parameter, led a panel discussion on Digital Consumer Trust with experts from the merchant community and financial services industry at this week’s CNP Expo. During the hour-long session, the expert panel – which included Patel, Jeff Muschick of MasterCard and TJ Horan from FICO – discussed primary research explaining the $40 billion in revenue lost each year to unwarranted CNP credit-card declines and what businesses can do to avoid it. Patel began the Thursday morning session by asking the audience how many have bought something online—of course, everyone raised their hands. He then asked how many had been declined—about half the hands stayed up. “Of those with your hands still up,” he said, “how many of you are fraudsters?” The audience chuckled, but the reality of false positives and unnecessary declines is no laughing matter. Unnecessary declines cause lost revenue and damage the customer relationship with merchants, banks and card issuers. The panel cited a 41st Parameter survey of 1,000 consumers and described their responses to the question, what do you do after you get declined? While many would call the card issuer or try a different payment method, one in six would actually skip the purchase altogether, one in ten would purchase from a different online merchant, and one in twelve would go buy the item at a brick-and-mortar store. So regardless of who the customer blames, ultimately, when a good purchase is declined, everybody loses. Jeff Muschick, who works in fraud solutions for MasterCard, spoke about the need for a solid rules engine, and recommended embracing new tools as they emerge to enhance their fraud prevention strategy. He acknowledged that for smaller merchants, keeping up with fraudsters can be incredibly taxing, and often even at larger organizations, fraud departments are understaffed. For that reason, he highlighted a tool that many fraud prevention strategies are leaving on the table, and that’s cooperation: “We talk about collaboration, but it’s not as gregarious as we’d like it to be.” TJ Horan, who is responsible for fraud solutions at FICO, encouraged merchants, banks, and card issuers to mitigate the damage of good declines through customer education. He observed that “if there was a positive thing to come out of the Target breach (and that’s a big ‘if’), it is an increase in general consumer awareness of credit-card fraud and data protection.” This helps inform customers’ attitudes when they are declined, because they realize it is probably a measure being taken for their own protection, and they are likely to be more forgiving. Click here for more information about TrustInsight and how online merchants can increase sales by approving more trusted transactions.

Today, our TrustInsight division announced a major milestone at this year’s CNP Expo (CardNotPresent). TrustInsight provides reliable TrustScores for a significant portion of US digital consumers leveraging insights from150 of the top online retailers in the US. Now retailers, banks and credit card companies can confidently approve more legitimate CNP transactions. As Surag Patel, vice president, global product management, put it, “We have been working with some of the largest online merchants to help them determine the trustworthiness of a customer during a transaction to help let more good transactions through. The result has been a sharp increase in top-line revenue that can be measured in the tens of millions of dollars.” Patel is leading a panel discussion on Digital Consumer Trust at CNP Expo 2014 on Thursday, May 22 with experts from the merchant community and financial services industry. During the hour-long session, the expert panel will discuss primary research explaining the $40 billion in revenue lost each year to unwarranted CNP credit-card declines and what businesses can do to avoid it. Read the full release here.

Julie Conroy - Research Director, Aite Group Finding patterns indicative of money laundering and other financial crimes is akin to searching for a needle in a haystack. With the increasing pressure on banks’ anti-money laundering (AML) and fraud teams, many with this responsibility increasingly feel like they’re searching for those needles while a combine is bearing down on them at full speed. These pressures include: Regulatory scrutiny: The high-profile—and expensive—U.S. enforcement actions that took place during the last couple of years underscore the extent to which regulators are scrutinizing FIs and penalizing those who don’t pass muster. Payment volumes and types increasing: As the U.S. economy is gradually easing its way into a recovery, payment volumes are increasing. Not only are volumes rebounding to pre-recession levels, but there have also been a number of new financial products and payment formats introduced over the last few years, which further increases the workload for the teams who have to screen these payments for money-laundering, sanctions, and global anti-corruption-related exceptions. Constrained budgets: All of this is taking place during a time in which top line revenue growth is constrained and financial institutions are under pressure to reduce expenses and optimize efficiency. Illicit activity on the rise: Criminal activity continues to increase at a rapid pace. The array of activity that financial institutions’ AML units are responsible for detecting has also experienced a significant increase in scope over the last decade, when the USA PATRIOT Act expanded the mandate from pure money laundering to also encompass terrorist financing. financial institutions have had to transition from activity primarily focused on account-level monitoring to item-level monitoring, increasing by orders of magnitude the volumes of alerts they must work (Figure 1) Figure 1: U.S. FIs Are Swimming in Alerts   Source: Aite Group interviews with eight of the top 30 FIs by asset size, March to April 2013 There are technologies in market that can help. AML vendors continue to refine their analytic and matching capabilities in an effort to help financial insitutions reduce false positives while not adversely affecting detection rates. Hosted solutions are increasingly available, reducing total cost of ownership and making software upgrades easier. And many institutions are working on internal efficiency efforts, reducing vendors, streamlining processes, and eliminating the number of redundant efforts. How are institutions handling the increasing pressure cooker that is AML compliance?  Aite Group wants to know your thoughts.  We are conducting a survey of financial insitution executives to understand your pain points and proposed solutions.  Please take 20 minutes to share your thoughts, and in return, we’ll share a complimentary copy of the resulting report. This data can be used to compare your efforts to those of your peers as well as to glean new ideas and best practices.  All responses will be kept confidential and no institutions names will be mentioned anywhere in the report.  You can access the survey here: SURVEY    

As we discussed in our earlier Heartbleed post, there are several new vulnerabilities online and in the mobile space increasing the challenges that security professionals face. Fraud education is a necessity for companies to help mitigate future fraud occurrences and another critical component when assessing online and mobile fraud is device intelligence. In order to be fraud-ready, there are three areas within device intelligence that companies must understand and address: device recognition, device configuration and device behavior. Device recognition Online situational awareness starts with device recognition. In fraudulent activity there are no human users on online sites, only devices claiming to represent them. Companies need to be able to detect high-risk fraud events. A number of analytical capabilities are built on top of device recognition: Tracking the device’s history with the user and evaluating its trust level. ​Tracking the device across multiple users and evaluating whether the device is impersonating them. Maintaining a list of devices previously associated with confirmed fraud. Correlation of seemingly unrelated frauds to a common fraud ring and profiling its method of operation. Device configuration The next level of situational awareness is built around the ability to evaluate a device’s configuration in order to identify fraudulent access attempts. This analysis should include the following capabilities: Make sure the configuration is compatible with the user it claims to represent. Check out internal inconsistencies suggesting an attempt to deceive. Review whether there any indications of malware present. Device behavior Finally, online situational awareness should include robust capabilities for profiling a device’s behavior both within individual accounts and across multiple users: Validate that the device focus is not on activity types often associated with fraud staging. Confirm that the timing of the activities do not seem designed to avoid detection rules. By proactively managing online channel risk and combining device recognition with a powerful risk engine, organizations can uncover and prevent future fraud trends and potential attacks. Learn more about Experian fraud intelligence products and services from 41st Parameter, a part of Experian.

The discovery of Heartbleed earlier this year uncovered a large-scale threat that exploits security vulnerability in OpenSSL posing a serious security concern. This liability gave hackers access to servers for many Websites and put consumers’ credentials and private information at risk. Since the discovery, most organizations with an online presence have been trying to determine whether their servers incorporate the affected versions of OpenSSL. However, the impact will be felt even by organizations that do not use OpenSSL, as some consumers could reuse the same password across sites and their password may have been compromised elsewhere.  The new vulnerabilities online and in the mobile space increase the challenges that security professionals face, as fraud education is a necessity for companies. Our internal fraud experts share their recommendation in the wake of the Heartbleed bug and what companies can do to help mitigate future occurrences. Here are two suggestions on how to prevent compromised credentials from turning into compromised accounts: Authentication Adopting layered security strategy Authentication The importance of multidimensional and risk-based authentication cannot be overstated. Experian Decision Analytics and 41st Parameter® recommend a layered approach when it comes to responding to future threats like the recent Heartbleed bug. Such methods include combining comprehensive authentication processes at customer acquisition with proportionate measures to monitor user activities throughout the life cycle.  "Risk-based authentication is best defined and implemented in striking a balance between fraud risk mitigation and positive customer experience," said Keir Breitenfeld, Vice President of Fraud Product Management for Experian Decision Analytics. "Attacks such as the recent Heartbleed bug further highlight the foundational requirement of any online business or agency applications to adopt multifactor identity and device authentication and monitoring processes throughout their Customer Life Cycle."  Some new authentication technologies that do not rely on usernames and passwords could be part of the broader solution. This strategic change involves the incorporation of broader layered-security strategy. Using only authentication puts security strategists in a difficult position since they must balance: Market pressure for convenience (Note that some mobile banking applications now provide access to balances and recent transactions without requiring a formal login.) New automated scripts for large-scale account surveillance. The rapidly growing availability of compromised personal information. Layered security "Layered security through a continuously refined set of ‘locks’ that immediately identify fraudulent access attempts helps organizations to protect their invaluable customer relationships," said Mike Gross, Global Risk Strategy Director for 41st Parameter. "Top global sites should be extra vigilant for an expected rush of fraud-related activities and social engineering attempts through call centers as fraudsters try to take advantage of an elevated volume of password resets."  By layering security consistently through a continuously refined set of controls, organizations can identify fraudulent access attempts, unapproved contact information changes and suspicious transactions. Learn more about fraud intelligence products and services from 41st Parameter, a part of Experian.

By: Maria Moynihan In less than a year, my information has been compromised twice by a data breach.  The companies involved varied significantly by way of size and type, yet both reacted expeditiously to inform me of the incident.  As much as I appreciated the quick response and notification, I couldn’t help but wonder how well prepared we all are to handle these types of incidents within our own organizations. I recently read somewhere that data breaches are to be expected – like death and taxes. Can this be true? A recent Ponemon Institute Study, 2013 Cost of a Data Breach, highlighted alarming statistics around the typical impact a breach has on an organization. With costs amounting to approximately $5.4M and impact to brands ranging anywhere from $184M to $330M in losses, organizations cannot afford to pass breaches off as inevitable. Organizations must tighten their security standards, understand the evolving data breach environment and ensure their response plans are continuously enhanced to address emerging issues. To better understand what may lie ahead, Experian has developed six key predictions for how concerns about data breaches will evolve: 1.  Data breach cost will be down – but still impactful The cost per record of a data breach will continue to decline, however security incidents and other breaches may still cause significant business disruption if not properly managed. 2.  Will the Cloud and Big Data = Big International Breaches? With the rise of the cloud, data is now moving seamlessly across borders making the potential for complex, international breaches more possible. 3.  Healthcare Breaches: Opening the Floodgates With the addition of the Healthcare Insurance Exchanges, millions of individuals will be introduced into the healthcare system and as a result, will increase the vulnerability of the already susceptible healthcare industry. 4.  A Surge in Adoption of Cyber Insurance Many companies will look beyond investing in technology to protect against attacks and towards the insurance market to manage financial ramifications of breaches. 5.  Breach Fatigue – Rise in Consumer Fraud? As the number of reported breaches in the media increases and the frequency of notifications that consumers receive grow, they may become apathetic towards the subject, thereby exposing themselves to greater risk. 6.  Beyond the Regulatory Check Box State regulators and law enforcement will turn a new leaf this year, devoting significant attention to helping organizations better manage breaches. What is your organization doing to improve its data breach preparedness plan? Check out our 2014 Data Breach Industry Forecast and guide to handling data breach response. Check out other related content on data breach resolution.

By: Matt Sifferlen On January 17th, we celebrated the 308th birthday of one of America's most famous founding fathers, Ben Franklin. I've been a lifelong fan of his after reading his biography while in middle school, and each year when his birthday rolls around I'm inspired to research him a bit more since there is always something new to learn about his many meaningful contributions to this great nation. I find Ben a true inspiration for his capacity for knowledge, investigation, innovation, and of course for his many witty and memorable quotes.  I think Ben would have been an exceptional blogger back in his day, raising the bar even higher for Seth Godin (one of my personal favorites) and other uber bloggers of today.  And as a product manager, I highly respect Ben's lifelong devotion to improving society by finding practical solutions to complex problems.  Upon a closer examination of many of Ben's quotes, I now feel that Ben was also a pioneer in providing useful lessons in commercial fraud prevention. Below is just a small sampling of what I mean. “An ounce of prevention is worth a pound of cure” - Preventing commercial fraud before it happens is the key to saving your organization's profits and reputation from harmful damage. If you're focused on detecting fraud after the fact, you've already lost. “By failing to prepare, you are preparing to fail.” - Despite the high costs associated with commercial fraud losses, many organizations don't have a process in place to prevent it.  This is primarily due to the fact that commercial fraud happens at a much lower frequency than consumer fraud.  Are you one of those businesses that thinks "it'll never happen to me?" “When the well’s dry, we know the worth of water.” - So you didn't follow the advice of the first two quotes, and now you're feeling the pain and embarrassment that accompanies commercial fraud.  Have you learned your lesson yet? “After crosses and losses, men grow humbler and wiser.” Ah, no lender likes losses. Nothing like a little scar tissue from "bad deals" related to fraud to remind you of decisions and processes that need to be improved in order to avoid history repeating itself. “Honesty is the best policy.” - Lots of businesses stumble on this part, failing to communicate when they've been compromised by fraud or failing to describe the true scope of the damage.  Be honest (quickly!) and set expectations about what you're doing to limit the damage and prevent similar instances in the future. “Life’s tragedy is that we get old too soon and wise too late.” - Being too late is a big concern when it comes to fraud prevention. It's impossible to prevent 100% of all fraud, but that shouldn't stop you from making sure that you have adequate preventive processes in place at your organization. “Never leave that till tomorrow which you can do today.” - Get a plan together now to deal with fraud scenarios that your business might be exposed to.  Data breaches, online fraud and identity theft rates are higher than they've ever been.  Shame on those businesses that aren't getting prepared now. “Beer is living proof that God loves us and wants us to be happy.” - I highly doubt Ben actually said this, but some Internet sites attribute it to him.  If you already follow all of his advice above, then maybe you can reward yourself with a nice pale ale of your choice! So Ben can not only be considered the "First American," but he can also be considered one of the first fraud prevention visionaries.  Guess we'll need to add one more thing to his long list of accomplishments!    

In the days following the Target breach, both clarity and objectivity are in short supply. Everything that didn’t already exist became suddenly the cure-all – EMV being one. Retailers bristle, albeit in private – due to the asymmetry in blame they have come to share compared to banks – despite having equal ownership of the mess they have come to call payments. Issuers and Schemes scramble to find an empty deck chair on the Titanic, just to get a better view of the first of the lifeboats capsizing. Analogies aside, we may never fully eliminate breaches. Given an infinite amount of computing power and equal parts human gullibility – whether its via brute forcing encryption systems or through social engineering – a breach is only a matter of time. But we can shorten the half-life of what is stolen. And ensure that we are alerted when breaches occur – as fraudsters take care to leave little trace behind. Yet today our antiquated payments system offer up far too many attack vectors to a fraudster, that the sophistication in attempts of the likes of what we saw at Target, is the exception and not the norm. But are the retailers absolved of any responsibility? Hardly. Questions from a breach: According to Target, malware was found on Target’s PoS – presumably pushed by unauthorized outsiders or via compromised insiders. If so, how is it that unauthorized code managed to find its way to all or most of its PoS terminals? Could this have been uncovered by performing a binary or checksum comparison first, to ensure that files or packages are not tampered with, before they are deployed to the Point-of-Sale? Such a step could have certainly limited the attack vectors to a small group of people with administrative access – who would have the need to handle keys and checksums. Further, depending on the level of privilege accorded to every binary that gets deployed to the point of sale – Target could have prevented an unauthorized or remotely installed program from performing sensitive functions such as reading consumer data – either in transit or in RAM. That said – I am not sure if PoS manufacturers provide for such layered approach towards granting access and execution privileges to code that is deployed to their systems. If not, it should. Where DOES EMV come in? EMV helps to verify the card – indisputably. Beyond that, it offers no protection to either the consumer or the merchant. The risk of EMV, and it’s infallibility in the eyes of its true believers, is that it can lull the general public in to a sense of false security – much like what we have now under Reg E and Reg Z. With EMV, PAN and PIN continues to be passed in the clear, unencrypted. Retailers could deploy EMV terminals and still be riddled like cheese by fraudsters who can siphon off PANs in transit. Fraudsters who may find it nearly impossible to create counterfeit cards, instead will migrate online where inadequate fraud mitigation tools prevail – and those inadequacies will force both banks and retailers to be heavy handed when it comes to determining online fraud. Friction or Fraud should not be the only two choices. Solving Card Not Present Fraud: There are no silver bullets to solve Card Not Present fraud. Even with EMV Chip/Pin, there is an opportunity to put a different 16 digit PAN on the front of the card versus the one that is on the magstripe/chip. (I am told that Amex does this for its Chip/pin cards.) The advantage is that a fraudster using a fraudulently obtained PAN from the chip for an e-commerce purchase will standout to an card issuer compared to the legit customer using a different PAN on the front of the card for all her e-commerce purchases. This maybe one low tech way to address CNP fraud alongside of an EMV rollout. But if asking a consumer to enter his Zipcode or show his ID was enough for retail purchases, there exists equivalent friction-bound processes online. Authentication services like 3-D Secure are fraught with friction, and unfairly penalize the customer and indirectly – the retailer and issuer, for its blind attribution of trust in a user provided password or a token or a smart card reader. Where it may (in some cases) undeniably verifies consumer presence, it also overwhelms – and a customer who is frustrated with a multi-step verification will simply shop somewhere else or use Paypal instead. Ever had to input your Credit Card Verification code (CVV2 or CVC2) on an Amazon purchase? Me neither. Fraud in connected commerce: As connected devices outnumber us, there needs to be an approach that expands the notion of identity to look beyond the consumer and start including the device. At the core, that is what solutions like 41st Parameter – an Experian company, focuses on – which enables device attributes to collectively construct a more sophisticated indicator of fraud in an e-commerce transaction – using 100 or so anonymous device attributes. Further it allows for more nuanced policies for retailers and issuers, to mitigate fraud by not only looking at the consumer or device information in isolation – but in combination with transactional attributes. As a result, retailers and issuers can employ a frictionless, smarter, and more adaptive fraud mitigation strategy that relies less on what could be easily spoofed by a fraudster and more on what can be derived or implied. If you want to know more why this is a more sensible approach to fighting fraud, you should go here to read more about 41st Parameter. Remnants from a breach: Even though the material impact to Target is still being quantified, little doubt remains as to the harm done to its reputation. Target RED card remains largely unaffected, yet it is but a fleeting comfort. Though some, thus had been quick to call decoupled debit a more secure product, those claims choose to ignore the lack of any real consumer protection that is offered alongside of these products. Though Reg E and Reg Z have been largely instrumental in building consumer trust in credit and debit cards, they have also encouraged general public to care less about fraud and credit card security. And this affects more than any other – MCX, whose charter calls for reduction of payment acceptance costs first, and to whom – decoupled debit offered a tantalizing low cost alternative to credit. But when it launches this year, and plans to ask each customer to waive protections offered by Reg E and Reg Z and opt for ACH instead – those consumers will find that choice harder to stomach. Without offering consumers something equivalent, MCX Retailers will find it exceedingly difficult to convince customers to switch. Consumer loyalty to retailer brands was once given as the reason for creating a retailer friendly payment backbone, but with Target’s reputation in tatters – that is hardly something one can bank on these days – pun intended. Where does this leave us? To be completed…   This blog post was originally featured at: http://www.droplabs.co/?p=964

The growing cost and number of data breaches has spurred more interest in cyber insurance. While companies often increase investments in technology and training programs to reduce the likelihood of a breach, a recent Ponemon Institute survey of risk-management professionals found that 31 percent of companies surveyed have cyber insurance and 39 percent plan to purchase cyber insurance in the future. Learn how to outline your response plan with our data breach response guide. Source: Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age

Billions of dollars are being issued in fraudulent refunds at the state and federal level.  Most of the fraud can be categorized around identity theft.  An example of this type of fraud may include fraudsters acquiring the Personal Identifying Information (PII) from a deceased individual, buying it from someone not filing or otherwise stealing it from legitimate sources like a doctor’s office.  The PII is then used to fill out tax returns, add fraudulent income information and request bogus deductions. Additional forms of tax refund fraud may include: Direct consumer tax refund fraud using real PII of US Citizens to file fraudulent tax returns and claim bogus deductions thereby increasing refund amounts EITC (Earned Income Tax Credit)/ACC (Additional Childcare Credit) fraud which is usually perpetrated with the assistance of a tax preparer and claiming improper cash payments and/or deductions for non-existent children. Tax Preparer Fraud where tax preparers purposefully submit false information on tax returns or file false returns for clients. Under reporting of income on tax filings. Taking multiple Homestead Exemptions for tax credit. Since this Fraud more often occurs as an early filing using Fraudulent or stolen PII the individual consumer is at risk for long term Identity issues. Exacerbating the tax refund fraud problem: The majority of returns that request refunds are now filed online (83% of all federal filings in 2012 were online) -if you file online, there is no need to submit a W-2 form with that online filing.  If your employment information cannot be pulled into the forms by your tax software you can fill it in manually.  The accuracy of information regarding employer and wage information for which deductions are based, is only verified after the refund is issued.  Refunds directly deposited - filers now have the option to have their refunds deposited into a bank account for faster receipt.   Once these funds are deposited and withdrawn there is no way to trace where the funds have gone. Refunds provided on debit cards – filers can request their refund in the form of a debit card.  This is an even bigger problem than bank account deposits because once issued, there is no way to trace who uses a debit card and for what purpose. So what do you need to look for when reviewing tax fraud prevention tools? Look for a provider that has experience in working with state and federal government agencies.  Proven expertise in this domain is critical, and experience here means that the provider has cleared the disciplined review process that the government requires for businesses they do business with. Look for providers with relevant certifications for authentication services, such as the Kantara Identity Assurance Framework for levels of identity assurance.  Look for providers that can authenticate users by verifying the device they’re using to access your applications.  With over 80% of tax filings occurring online, it is critical that any identity proofing strategy also allows for the capability to verify the source or device used to access these applications. Since tax fraudsters don’t limit their use of stolen IDs to tax fraud and may also use them to perpetrate other financial crimes such as opening lines of credit – you need to be looking at all avenues of fraudulent activity If fraud is detected and stopped, consider using a provider that can offer post fraud mitigation processes for your customers/potential victims. Getting tax refunds and other government benefits into the right hands of their recipients is important to everyone involved.  Since tax refund fraud detection is a moving target, it’s buyer beware if you hitch your detection efforts to a provider that has not proven their expertise in this unique space.  

By: Matt Sifferlen I recently read interesting articles on the Knowledge@Wharton and CNNMoney sites covering the land grab that's taking place among financial services startups that are trying to use a consumer's social media activity and data to make lending decisions.  Each of these companies are looking at ways to take the mountains of social media data that sites such as Twitter, Facebook, and LinkedIn generate in order to create new and improved algorithms that will help lenders target potential creditworthy individuals.  What are they looking at specifically?  Some criteria could be: History of typing in ALL CAPS or all lower case letters Frequent usage of inappropriate comments Number of senior level connections on LinkedIn The quantity of posts containing cats or annoying  self-portraits (aka "selfies") Okay, I made that last one up. The point is that these companies are scouring through the data that individuals are creating on social sites and trying to find useful ways to slice and dice it in order to evaluate and target consumers better. On the consumer banking side of the house, there are benefits for tracking down individuals for marketing and collections purposes. A simple search could yield a person's Facebook, Twitter, or LinkedIn profile. The behaviorial information can then be leveraged as a part of more targeted multi-channel and contact strategies. On the commercial banking side, utilizing social site info can help to supplement any traditional underwriting practices. Reviewing the history of a company's reviews on Yelp or Angie's List could share some insight into how a business is perceived and reveal whether there is any meaningful trend in the level of negative feedback being posted or potential growth outlook of the company. There are some challenges involved with leveraging social media data for these purposes. 1. Easily manipulated information 2. Irrelevant information that doesn't represent actual likes, thoughts or relevant behaviors 3. Regulations From a Fraud perspective, most online information can easily and frequently be manipulated which can create a constantly moving target for these providers to monitor and link to the right customer.  Fake Facebook and Twitter pages, false connections and referrals on LinkedIn, and fabricated positive online reviews of a business can all be accomplished in a matter of minutes. And commercial fraudsters are likely creating false business social media accounts today for shelf company fraud schemes that they plan on hatching months or years down the road.  As B2B review websites continue to make it easier to get customers signed up to use their services, the downside is  there will be even more unusable information being created since there are less and less hurdles for commercial fraudsters to clear, particularly for sites that offer their services for free. For now, the larger lenders are more likely to utilize alternative data sources that are third party validated, like rent and utility payment histories, while continuing to rely on tools that can prevent against fraud schemes. It will be interesting to see what new credit and non credit data will be utilized as a common practice in the future as lenders continue their efforts to find more useful data to power their credit and marketing decisions.