Receive Our Newsletter


Important Information about protecting yourself as a consumer by Mark Pribish, colleague of Guardian Pro.

ISOs Watch Their Backs As Regulators Step Up Scrutiny of the Payments Industry
By Jim Daly

A growing feeling among independent sales organizations about more eyes looking over their shoulders came through Thursday at the annual conference of the MidWest Acquirers Association, a regional trade group. Jitters over the Federal Trade Commission’s lawsuits against ISOs that processed for allegedly fraudulent telemarketers to increasing worries about data protection surfaced during sessions at a Chicago hotel.

Of particular concern to some payments executives and their advisors in the wake of the FTC lawsuits is a perception that long-standing business practices, such as increasing reserves when a merchant starts to generate significant chargebacks, are no longer good enough. Attorney Holli Targan, a partner at Jaffe Raitt Heuer & Weiss in Southfield, Mich., noted that FTC officials have spoken at recent industry conferences and told ISOs that they need to do a better job of underwriting and monitoring potentially risky merchants, especially telemarketers subject to the federal Telemarketing Sales Rule.

“The FTC ... has not been not been shy about saying, ‘We are looking at the payment-processing business,’” said Targan, president-elect of the Electronic Transactions Association, the national merchant-acquiring trade group.

The government, the new thinking goes, is forcing ISOs and others in the acquiring industry to bear more responsibility when merchants, either through outright fraud or poor service, generate high levels of consumer complaints that in turn result in chargebacks. “They’re trying to choke it off at the money point, and they’re trying to make it, which is us, hurt,” said Deana Rich, chief executive of Los Angeles-based Rich Consulting, during a session that followed Targan's presentation.

While no processor wants dissatisfied customers or, worse, fraud, some attendees at the conference said the FTC’s recent lawsuits against Newtek Merchant Solutions (Newtek’s former president also is a defendant) and Independent Resources Network Corp. suggest something onerous. That is, the government may consider it illegal to continue to process for merchants after their chargeback rates raise flags, such as the merchant being put on a list maintained by MasterCard Inc., even if the processor has taken traditional mitigation steps such as raising reserves. “To me, these are things people in the industry do every single day,” said Targan.

Attendees also noted that other federal regulators, including those with direct authority over banks, are working with the FTC to crack down on fraud involving payment card charges. “This is the tip of the iceberg,” said one attendee in reference to the Newtek and IRN lawsuits, which are in the early stages of litigation.

The focus shifted to data security in another session, where panelists urged ISOs to do a better job protecting personal and financial data about their merchants. While countless news stories have dealt with thefts of sensitive consumer data from computers, leaving merchant-account applications, reports and other papers with information about merchants on desks or public areas in offices also creates the risk of data compromises, speakers said. “We need to treat it with the same regard as we treat cardholder data,” said Nicole Palella, chief risk officer at BluePay Processing LLC, an ISO based in Naperville, Ill.

ISOs also need to sharpen their policies about who gets to see sensitive data about merchants. “There needs to be a good review of who has access to this information,” said Elizabeth “Betsy” Bohlen, vice president of sponsorship services at Pueblo Bank and Trust Co., Pueblo, Colo.

Most states now have laws requiring the reporting of data breaches, and 14 have laws requiring companies to protect personally identifiable information that they own or have custody of, Targan said. She urged ISOs to review what data they store and purge what they no longer need.

“Your big takeaway is we are responsible for everything we touch,” said Rich.
National Cybersecurity and Communications Integration Center U.S. Secret Service
31 December 2013
Point of Sale System Targeting
This advisory was prepared in collaboration with the National Cybersecurity and Communications Integration Center (NCCIC) and United States Secret Service (USSS).

Point of Sale (POS) Systems
When consumers purchase goods or services from a retailer, the transaction is processed through what are commonly referred to as Point of Sale (POS) systems. POS systems consist of the hardware (e.g. the equipment used to swipe a credit or debit card and the computer or mobile device attached to it) as well as the software that tells the hardware what to do with the information it captures.
When consumers use a credit or debit card at a POS system, the information stored on the magnetic stripe of the card is collected and processed by the attached computer or device. The data stored on the magnetic stripe is referred to as Track 1 and Track 2 data. Track 1 data is information associated with the actual account; it includes items such as the cardholder’s name as well as the account number. Track 2 data contains information such as the credit card number and expiration date.

POS Targeting
For quite some time, cyber criminals have been targeting consumer data entered in POS systems. In some circumstances, criminals attach a physical device to the POS system to collect card data, which is referred to as skimming. In other cases, cyber criminals deliver malware which acquires card data as it passes through a POS system, eventually exfiltrating the desired data back to the criminal. Once the cybercriminal receives the data, it is often trafficked to other suspects who use the data to create fraudulent credit and debit cards.

There are several types of POS malware in use, many of which use a memory scrapping technique to locate specific card data. Dexter, for example, parses memory dumps of specific POS software related processes looking for Track 1 and Track 2 data. Stardust, a variant of Dexter not only extracts the same track data from system memory, it also extracts the same type of information from internal network traffic. Researchers surmise that Dexter and some of its variants could be delivered to the POS systems via phishing emails or the malicious actors could be taking advantage of default credentials to access the systems remotely, both of which are common infection vectors. Network and host based vulnerabilities, such as weak credentials accessible over Remote Desktop, open wireless networks that include a POS machine and physical access (unauthorized or misuse) are all also candidates for infection.

Threat of the Week: Experts Predict ATM Fraud Explosion
1 January, 2014 (15:40) | Blog | By: admin

By Robert McGarvey

Call it a nasty byproduct of the coming rollout of EMV (aka chip-and-PIN) debit cards but the frightening news is that many ATM experts now predict a 2014 explosion in old-fashioned magnetic stripe card fraud at ATMs as criminals enjoy a last robbing frenzy.

“The United States is now the weak point. We are the last major market to convert to EMV cards,” said Mike Urban, a financial crime expert with Brookfield, Wis.-based Fiserv. He ominously added that Canada had a “serious” skimming problem but now that it has largely converted to EMV cards, “those criminals are coming across the border.”

“The U.S. is one of the last bastions for criminals to skim. I think it will be a feeding frenzy,” said John Buzzard, a fraud expert at FICO.

“The future will have reduced ATM fraud,” predicted Cyndie Martini, CEO of Member Access Pacific, which provides card processing services to credit unions. She pointed to the coming of EMV, as well as multiple biometric login technologies, as paths to a more secure tomorrow.

But that’s the future and, as for now, Martini, too, is in the pessimistic camp: “Criminals will probably see this short window (before EMV implementation) as an opportunity to step up mag stripe fraud – but it will be short lived.”

There may be some good news for credit unions amid the gloom – hold on for that – but the key issue today is that criminals, with 20-plus years of experience perpetrating fraud with mag stripe cards, are good at this.

Buzzard, for instance, estimated that a skilled criminal could attach a skimmer to an ATM “in a minute or less.” High-quality skimmers fit snugly and are difficult for any but trained professionals to detect with a quick look.

It only stands to reason that that criminals will put their skills to use before the rollout of EMV debit cards, which most experts see gathering steam in 2015 when liability shifts await non-EMV compliant terminal operators per Visa and MasterCard edicts.

Note however that ATMs have their own later deadlines. Visa’s deadline for ATMs is October 2017. With MasterCard the deadline is 2016.

However, there is some wiggle in those timelines, noted Dean Nolan, a vice president at payments solutions company Saylent. “Another point to consider is that fraud will not be reduced until ATM machines in the US stop accepting mag-stripe cards,” he said. “As it’s likely that U.S. ATM acquirers will continue to accept both EMV and mag stripe cards until the majority of U.S.-issued ATM and debit cards are EMV-enabled, it’s possible that an actual decline in ATM fraud rates will not occur until sometime later.”

That means criminals may in fact be entering a multi-year thieving binge, said Nolan.

Just when you thought a sense of doom had become pervasive, know that Gary Walston, an executive vice president at Dolphin Debit, which supplies and manages ATMs for many credit unions, is in fact optimistic that credit unions, for the most part, will dodge this bullet.

He said, “We are not expecting a surge in theft. We definitely are not in panic mode.”

Walston’s reasoning: Credit union ATMs, at branches or in sponsor organizations, generally are well protected. “Criminals will seek out the easy targets, the ATMs in the back of retailers,” said Walston.

Many credit union ATMs, said Walston, are under 24/7 video surveillance and at least some machines are equipped with state-of-the-art anti-skimming controls. They also are routinely physically inspected by trained personnel. That makes them tougher targets than many ATMs found in more casual settings.

At Dolphin Debit, Walston acknowledged that “we are taking additional precautions” to keep their ATMs safe. He was taciturn about detailed specifics but did note, “We are increasing the number of physical inspections.”
Why ATM Fraud Losses Will Surge
Even Nations With EMV to Experience Uptick

By Tracy Kitten, December 2, 2013.Follow Tracy @FraudBloggerFor months, experts have warned about upticks in global card fraud as U.S. banking institutions gear up for rollout of EMV chip cards. That's a key step toward the eventual worldwide elimination of the easy-to-compromise magnetic stripes on cards.

And it seems the predictions of a fraud surge have come true, as attackers focus more effort toward capitalizing on current magnetic-stripe vulnerabilities while they can.

More fraud will be pushed to the U.S. It's the fraudsters' last market, and the crime world's most profitable.

Skimming at ATMs was reported by 20 European countries in the third quarter, with attacks increasing from the previous quarter in eight of them, according to the European ATM Security Team, a not-for-profit group that collects security and fraud information about ATMs, networks and payment terminals.

Experts expect skimming schemes to increase worldwide over the next 18 to 24 months as the United States' migration toward enhanced payments technology that complies with the Europay, MasterCard, Visa standard for chip cards ramps up, moving the world a step closer to the elimination of magnetic stripes (see ATM Skimming Arrests: Sign of the Times?).

In the meantime, banking institutions should brace for more financial losses related to skimming and take steps now to shore up their cross-channel fraud detection strategies (see How to Fight Cross-Border ATM Fraud).

"The U.S. will continue to see skimming until the majority of ATMs and POS devices in this country are protected [by EMV]," says Jerry Silva, who oversees the global retail banking practice at the advisory firm International Data Corp.

Julie Conroy, a fraud expert and analyst for the consultancy Aite, tells me that the strikes against U.S. banks will be the most damaging in the next several months.

"When I did the research for my EMV report earlier this year, most of the large issuers I spoke with told me that they are seeing 30 percent to 50 percent year-over-year increases in counterfeit [card] fraud, thanks to the fact that we are still mag-stripe dependent," she says.

EAST's Findings
In November, the European ATM Security Team noted that skimming attacks and fraud losses linked to skimmed card data continue to plague European banks. But some European banks are taking action to reduce their losses by blocking mag-stripe transactions - the only types of transactions that can be conducted at ATMs with counterfeited mag-stripe cards.

Why? Because fraudulent withdrawals linked to skimmed card data have continued to adversely impact European cardholders, even in markets where EMV technology is now the standard. Attackers have continued to drain those accounts by using counterfeit cards at ATMs in non-EMV compliant countries, such as the U.S.

Card transactions that conform to EMV rely on a micro-processing chip, not a mag-stripe. Data saved to that chip cannot be skimmed.

Until worldwide conformance with the EMV standard for chip cards is complete, card readers on ATMs and POS devices have to continue to accept mag-stripe transactions, and EMV cards also have to retain mag-stripes. And any card with a mag-stripe runs the risk of having data skimmed.

Lingering mag-stripe technology is why European card data can still be skimmed and copied, and it's becoming an increasingly touchy subject for European banks. It's also why more and more banks in European nations are fully blocking mag-stripe transactions.

EAST reports that the U.S. holds the leading position for ATM-related skimming losses, followed by Thailand, Colombia and India. In European markets, more attention is being paid to counter-measures such as geo-blocking (not accepting cards from non-EMV compliant markets) and enhancements to fraud monitoring and detection, EAST states.

It's safe to assume that in the near future, few European banks will accept U.S. mag-stripe transactions. Until the world is fully EMV compliant, it's the best option these markets can pursue to ensure fraud loss reduction.

But what about the U.S.? Well, as more EMV countries implement geo-blocking, more fraud will be pushed here. It's the fraudsters' last market, and the crime world's most profitable.

Until the U.S. fully implements EMV, U.S. institutions need to invest in cross-channel fraud detection now, to ensure they are detecting ATM schemes.

Latest Article Headline Date, Month 2013