Are you a merchant who accepts Visa, MasterCard, American Express or Discover credit or debit cards with the card present at the point of sale? Do you know that a major liability shift is coming in just a few weeks? On October 1, 2015, liability for fraudulent card-present transactions will shift to the merchant if that merchant has not upgraded to Europay, Mastercard and Visa (EMV) chip-capable card readers. “With this liability shift, the party that is the cause of a chip transaction not occurring (i.e., either the issuer or the merchant’s acquirer processor) will be held financially liable for any resulting card present counterfeit fraud losses.” (Visa Merchant Chip Acceptance Readiness Guide)
These new EMV standards require a chip on the card to help reduce fraud. The chip computes a unique cryptogram for each transaction, so card data skimmed from one transaction cannot be replayed to counterfeit a card the way magnetic-stripe data can. The standards support both contact cards, which you insert into a slot on the PIN pad device, and contactless cards, which you simply tap or wave near the PIN pad device. Either way, the technology is a step above the old magnetic stripe, which has been in use, in some fashion, for nearly 60 years.
What this means for merchants is that fraudulent transactions, which Visa and the other card brands have reimbursed consumers and merchants for in the past, will now come out of the merchant’s pocket if the merchant has not upgraded to the new terminals. Think about this for a minute. This could end up being thousands of dollars per year, even for a small single-store operation. Credit and debit card fraud costs billions each year. Do you really want to be on the hook for even a fraction of a percent of those losses?
There is only one way to avoid this shift of liability: upgrade to a card reader that supports the EMV standards. If the issuing bank has not yet issued a chip card, you can still swipe the old magnetic stripe on the new terminal, and because your reader supports EMV, the liability for a counterfeit swipe of that non-EMV card stays with the issuer rather than with you. It’s that simple.
Every once in a while it’s good to review some information security basics. That’s why today we’re going to discuss how to prevent hackers from using ACH fraud to drain your accounts. Over the past few years, Automated Clearing House (ACH) transactions have become the standard payment method for payroll, accounts receivable, accounts payable, charitable donations and most other transfers to and from an organization’s bank account. Because of this, the risk of fraudulent transactions has grown significantly.
Because these transactions are largely automated, the risk of losing funds is significant. If you discover fraudulent ACH transactions, you may have only 24-48 hours to attempt to reverse them and recover the funds. Procedures differ from bank to bank and can make this window shorter, but it is rarely much longer. Once those funds are gone, they are gone. It is then up to you, your bank and both of your insurance companies to determine liability and whether the loss is covered. In the meantime, that money is gone and you have to operate your business without it.
It should be noted that ACH fraud is a fairly small percentage of total fraudulent transactions in the payment system; credit and debit card fraud far outpaces it in total losses. However, the single loss expectancy of a fraudulent ACH transaction is much higher, because most credit cards have predetermined spending limits that are far lower than typical ACH transaction amounts.
One of the easiest ways to prevent unauthorized ACH transactions is to require two-factor authentication to initiate transfers: something you know, such as a password, and something you have, such as a one-time token generator, are both required before a transaction can be approved. A stolen password alone is then not enough, and because each code is valid only once and for a short time, a code captured by a phishing page is of little use afterward. This helps ensure that the person initiating the transaction is truly authorized and not an impostor.
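The second factor described above is usually a time-based one-time password (RFC 6238 TOTP), which is what hardware token generators and authenticator apps produce. The block below is an added example, not Pratum's code or any bank's implementation: it derives the code from a shared seed and the current 30-second time step, and the hypothetical ApprovalGate class checks both factors for a transfer and accepts each time step at most once, so a code that was phished or shoulder-surfed cannot be replayed. The seed is the public RFC 4226/6238 test-vector seed, not a real key, and the password handling is a minimal PBKDF2 check for illustration.

```python
"""Two-factor approval of an ACH transfer: password + RFC 6238 TOTP.

Added example (not Pratum's code). ApprovalGate, approve_transfer and
make_demo_gate are hypothetical names chosen for this illustration.
"""
import hashlib
import hmac
import os
import struct

# Constructed demo seed: the RFC 4226 / RFC 6238 test-vector seed, NOT a real key.
DEMO_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


class ApprovalGate:
    """Gate a transfer on something you know (password) and something you
    have (a TOTP generator). Each time step is accepted at most once, so a
    captured code cannot be replayed within its validity window."""

    def __init__(self, pw_salt: bytes, pw_hash: bytes, seed: bytes,
                 step: int = 30, window: int = 1):
        self.pw_salt, self.pw_hash, self.seed = pw_salt, pw_hash, seed
        self.step, self.window = step, window
        self.last_counter = -1  # highest time step already consumed

    def check_password(self, password: str) -> bool:
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), self.pw_salt, 100_000)
        return hmac.compare_digest(digest, self.pw_hash)

    def check_code(self, code: str, unix_time: int) -> bool:
        base = unix_time // self.step
        # Tolerate +/- `window` steps of clock drift between token and server,
        # but never a step at or below the last one accepted (replay / stale code).
        for counter in range(base - self.window, base + self.window + 1):
            if counter <= self.last_counter:
                continue
            if hmac.compare_digest(hotp(self.seed, counter), code):
                self.last_counter = counter
                return True
        return False

    def approve_transfer(self, password: str, code: str, unix_time: int) -> bool:
        # Password first: a wrong password never consumes a valid code.
        return self.check_password(password) and self.check_code(code, unix_time)


def make_demo_gate(password: str = "correct horse", seed: bytes = DEMO_SEED) -> ApprovalGate:
    """Enrol a demo user with a random salt (constructed credentials, not real ones)."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return ApprovalGate(salt, pw_hash, seed)


if __name__ == "__main__":
    gate = make_demo_gate()
    print(totp(DEMO_SEED, 59))                                  # RFC 6238 vector: 287082
    print(gate.approve_transfer("correct horse", "287082", 59))  # True
    print(gate.approve_transfer("correct horse", "287082", 59))  # False: replayed
```

With window=1 a code is accepted for up to 90 seconds of clock drift, which is why the replay check matters: without last_counter, a code phished a minute ago would still approve a second transfer.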
Strong procedures around push transactions, such as individual transaction limits or limits on total transaction amounts or volumes per day or week, can help thwart attacks as well. They may not stop a hacker from getting funds, but they limit how much can be stolen before the activity is noticed, and therefore the overall impact.
Another method is to work with your bank to implement strict IP address restrictions, for example limiting the ability to create new users or initiate transactions to connections from a pre-approved location. This forces the attacker to operate from inside your network, which increases the complexity of the attack and improves your chances of detecting the malicious activity with your own monitoring.
It is also important to tightly control the creation of new users in your ACH system. Two levels of approval should always be required, so that one compromised account cannot be used to create another account. If this is not prevented, an attacker holding one account can create a second one, and those two accounts can then supply both halves of the dual-control authorization for a large transfer.
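The three controls above (transaction and daily limits, source-IP restrictions, and dual control with independently created accounts) can be expressed as one policy check that runs before a push transaction is released. The block below is an added example, not Pratum's code or any bank's product; AchPolicy, the account names, the CIDR (an RFC 5737 documentation range) and the dollar limits are all constructed for the illustration. The independence check is the point of the last paragraph: two approvers are only real dual control if neither of them, nor the initiator, created one of the others.

```python
"""Pre-release policy checks for ACH push transactions (added example, not Pratum's code).

Checks: per-transaction limit, daily aggregate limit, source-IP allow-list, and
dual control by two approvers who are independent of each other and of the initiator.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class AchPolicy:
    per_txn_limit: int      # cents
    daily_limit: int        # cents, summed over transactions released per calendar day
    allowed_networks: list  # CIDR strings; transactions may only be initiated from these
    created_by: dict        # account -> account that created it (hypothetical audit data)
    spent: dict = field(default_factory=lambda: defaultdict(int))  # day -> cents released

    def _related(self, a: str, b: str) -> bool:
        """True if one account created the other: such a pair gives no real dual control,
        because a single compromised account could have produced both."""
        return self.created_by.get(a) == b or self.created_by.get(b) == a

    def violations(self, txn: dict) -> list:
        """Return every policy violation for `txn`; an empty list means it may be released."""
        v = []
        if txn["amount"] > self.per_txn_limit:
            v.append("per-transaction limit exceeded")
        if self.spent[txn["day"]] + txn["amount"] > self.daily_limit:
            v.append("daily aggregate limit exceeded")
        ip = ip_address(txn["source_ip"])
        if not any(ip in ip_network(n) for n in self.allowed_networks):
            v.append(f"source IP {ip} not in allow-list")
        initiator, approvers = txn["initiator"], list(txn["approvers"])
        if len(set(approvers)) < 2 or initiator in approvers:
            v.append("two approvers distinct from the initiator are required")
        parties = [initiator] + approvers
        for i, a in enumerate(parties):
            for b in parties[i + 1:]:
                if self._related(a, b):
                    v.append(f"'{a}' and '{b}' are creator/created: not independent")
        return v

    def submit(self, txn: dict) -> tuple:
        """Release the transaction if clean, counting it against the daily limit."""
        v = self.violations(txn)
        if not v:
            self.spent[txn["day"]] += txn["amount"]
        return (not v, v)


def demo_policy() -> AchPolicy:
    # Constructed data: admin created alice, bob and erin; alice created carol; bob created dave.
    return AchPolicy(
        per_txn_limit=2_500_000, daily_limit=5_000_000,
        allowed_networks=["203.0.113.0/24"],
        created_by={"alice": "admin", "bob": "admin", "erin": "admin",
                    "carol": "alice", "dave": "bob"},
    )


def txn(amount: int, approvers: list, initiator: str = "alice",
        source_ip: str = "203.0.113.10", day: str = "2015-09-15") -> dict:
    """Build a constructed sample transaction (amount in cents)."""
    return {"amount": amount, "approvers": approvers, "initiator": initiator,
            "source_ip": source_ip, "day": day}


if __name__ == "__main__":
    p = demo_policy()
    print(p.submit(txn(2_000_000, ["bob", "dave"])))   # rejected: bob created dave
    print(p.submit(txn(2_000_000, ["bob", "carol"])))  # rejected: initiator alice created carol
    print(p.submit(txn(2_000_000, ["bob", "erin"])))   # released
    print(p.submit(txn(2_000_000, ["bob", "erin"])))   # released (4,000,000 today)
    print(p.submit(txn(2_000_000, ["bob", "erin"])))   # rejected: daily limit
    print(p.violations(txn(100, ["bob", "erin"], source_ip="198.51.100.7")))
```

The daily limit is applied to released transactions only, so a rejected transaction does not eat into the day's allowance; in a real deployment the created_by map would come from the banking platform's user-administration audit trail rather than a literal.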
Hackers are getting more creative. Social engineering attacks are being made against accounting departments in order to gain access to ACH environments, so you must train your users to identify phishing and pretexting attacks. As we transition to even more automated and real-time payment systems, the risk of fraud will continue to increase. We have to ensure that the same diligence we have put into ACH fraud prevention and detection is applied to these new payment systems as well.
The FDIC and OCC have tightened information security controls for banks, and FFIEC examiners are closely monitoring how banks are protecting customer information and accounts. This infographic explains security concerns that are facing banks and ways to protect sensitive data.
SOCIAL ENGINEERING ATTACKS AGAINST BANKS
In an industry study, 90% of those successfully exploited during an unauthorized facility entry trusted the intruder because they thought she worked for their company. (CSO)
Over 28% of phishing attacks detected in 2014 were against banks, payments systems and e-commerce companies. (Kaspersky Lab)
Why banks need information security options
Beyond the FDIC, OCC and FFIEC scrutiny described above, banks are feeling added pressure from customers and competition. Information security threat awareness is at an all-time high, and the demand for protecting sensitive data is increasing every day. All eyes are on the banking industry, and one false step could ruin a bank’s reputation.
TIME IS OF THE ESSENCE: Half of the phishing emails that get opened and clicked are opened and clicked within the first hour, leaving little time for an effective response. (DBIR 2015) A system is only as safe as the people controlling it.
$52,000 - $87,000 is the forecasted range of an average loss for a breach of 1,000 records. (DBIR 2015)
$259 is the average cost of each record exposed in the financial industry. (IBM)
Improving Your Information Security Program
IT Audit
An IT Audit should meet more than just your compliance requirements. It needs to review how your security controls are designed and implemented, while providing insights to potential gaps in your process or procedures. This practice improves the effectiveness and efficiency of your business security.
Vulnerability Scanning
A vulnerability scan is an automated check for known weaknesses in your computers, devices, networks and applications. Scans are often performed monthly to search for cracks in your security armor.
Penetration Testing
A penetration test is an authorized, controlled attack on your own business. It is used to identify exploitable vulnerabilities, find potential data leakage and assess the effectiveness of your company’s security program.
Social Engineering
Social engineering relies heavily on human interaction and often involves misleading employees into violating their own company’s security rules. Here are some social engineering tactics that threaten organizations.
Pretexting Phone Calls
Using a phone call to solicit information or to set up an employee to be more receptive to a future attack.
Phishing Emails
Sending an authentic-looking email in an attempt to steal personal and/or financial information.
Unauthorized Facility Entry
Entering a facility without permission to discover what a non-employee is able to access.
Dumpster Diving
Searching in a facility’s dumpster for private information that could be used in a malicious attack.
Security Information & Event Management
Security Information and Event Management, or SIEM, involves collecting network and device logs in a centralized environment in order to consolidate and correlate them, identify and analyze security incidents, and alert on and report them.
Breach Investigation & Incident Response
In a breach investigation, it is imperative that experts experienced in data recovery and evidence preservation guide the work, so that evidence is not spoiled.
Information Security Consulting
At Pratum we understand the unique demands of the banking industry. The members of our knowledgeable team have been providing information security services to banks for the past decade. We have served organizations ranging in size from the largest national banks to the smallest community banks across the country. Our services help banks fulfill IT compliance regulations as well as strict information security goals.