7 Ways to Prevent Fraud and Identity Theft

According to the Federal Trade Commission, 9 million Americans suffer identity theft annually. We’ve compiled a brief list of safeguards that we welcome you to share with your clients.

Identity theft occurs when someone steals your personal information and uses it to commit fraud, whether by charging your credit card, filing fraudulent tax returns or ruining your credit. Perhaps the worst part is that it can plague you for years, because criminals can keep exploiting the same data. A credit card number can be reissued easily; your social security number, date of birth and medical history cannot.

How do you defend yourself from identity theft?

  1. Pay for online purchases with a credit card rather than a debit card. Under U.S. law your liability for unauthorized credit card charges is capped at $50, and issuers routinely waive it; debit card protections depend on how quickly you report the loss, and in the meantime the money has already left your account. (This also holds true for physically stolen cards.)
  2. Log out and clear saved logins and passwords, and never save these credentials on a public computer.
  3. Monitor your bank and card statements. If you don’t recognize a purchase, if it looks suspicious or if it occurred somewhere you weren’t, call your bank.
  4. Monitor your credit report. You are legally entitled to a free report every year from each of the three bureaus (Equifax, Experian and TransUnion).
  5. Shred sensitive documents before discarding them.
  6. Place a fraud alert or a credit freeze. A fraud alert asks lenders to verify your identity before opening new credit in your name; a freeze blocks new creditors from pulling your report until you lift it. You can do either yourself with each bureau, or pay a company to do it for you.
  7. If you’ve detected fraudulent activity, notify the financial institution where it occurred so they can freeze the account. You may also need to file a report with the FTC and your local police department.

The Value of Protected Health Information (PHI)

In our last blog, we discussed the importance of personally identifiable information (PII). This week our focus is PHI, or protected health information: individually identifiable health information held by a covered entity, including patient names, medical records, addresses, social security numbers and email addresses when they are linked to a patient’s care or payment. While PHI is regulated under the HIPAA and HITECH Acts, breaches still occur. One such occurrence is the recent Anthem breach, which exposed roughly 80 million customer records. Anthem is the largest for-profit managed health care company in the Blue Cross and Blue Shield Association.

People who had previously been insured with Blue Cross decades ago received letters warning them their sensitive data had been exposed. Since then, stolen identities and fraudulently filed tax returns have been linked to this breach.

Due to the sensitive nature of medical records, breaches could diminish trust in doctor/patient confidentiality. Some speculate that patients could withhold health concerns or conditions for fear of the information becoming public. Anthem, and other breached companies, are now tasked with repairing brand damage and winning back lost clients.

In the case of a credit card breach, the issuer can send a new card with a different number. Medical records cannot be reissued or changed. This is why some estimates put PHI at 50 times the value of a credit card number to thieves.

According to CNBC and Reuters, “Medical identity theft is often not immediately identified by patients or their provider, giving criminals years to milk such credentials. That makes medical data more valuable than credit cards, which tend to be quickly canceled by banks once fraud is detected.”

So how do we adequately safeguard this data from cyber thieves?

Tokenization has become the gold standard for protecting sensitive data. Tokenization takes a real value (SSN, date of birth, etc.) and replaces it with a surrogate value, or token. Because the token is generated independently of the original value rather than derived from it, it cannot be reversed without access to the vault that holds the mapping; the real data resides off site entirely, so a compromise of the application database yields only tokens. The practical consequence is that the vault and its detokenization interface become the assets to protect: access to them should be restricted to the few systems and roles that genuinely need the original value, and every detokenization should be logged. Paymetric’s tokenization solution, XiFlex™ powered by XiSecure™, gives organizations the adaptability necessary to protect any type of sensitive information residing within the enterprise. Read more about our proprietary solutions here.

To learn more about protecting sensitive data, you are welcome to join our upcoming webinars:

Securing Sensitive Data and PII within SAP® – Thursday, April 30th 2:00-3:00pm

Securing Sensitive Data and PII within Oracle®EBS – Tuesday, May 12th 2:00-3:00pm

The Impact of Storing PII (Personally Identifiable Information)

When we talk about PII, we often refer to data including names, social security numbers, dates of birth, email addresses, physical addresses, etc. However, even seemingly innocuous data can be valuable in the wrong hands.

British Airways recently experienced a data breach into their loyalty program. While the information exposed was not directly lucrative, like a credit card or social security number, hackers know many people use the same login credentials across other online mediums. This information has been described as a “golden ticket” to get into other more valuable accounts.

And the power of data doesn’t stop there. According to research by Latanya Sweeney of Carnegie Mellon University, later cited by the US Government Accountability Office, 87% of the US population can be uniquely identified using only gender, date of birth and five-digit ZIP code. In an age where data can reveal and compromise so much, cyber security is paramount.
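The 87% figure above is a statement about quasi-identifiers: columns that look harmless on their own but, combined, single people out. The following Python script is an added example written for this post, not code from Paymetric or from the cited study. It runs the same measurement over a small constructed set of (sex, date of birth, ZIP) records, reports what fraction of them are unique and the resulting k-anonymity, and then shows how generalising the ZIP to three digits and the date of birth to a year shrinks the risk. The records, the granularity options and the function names are all assumptions for illustration.

```python
"""Re-identification risk from 'innocuous' quasi-identifiers (added illustration)."""
from collections import Counter

# Constructed records (sex, date of birth, five-digit ZIP); not real people.
SAMPLE_RECORDS = [
    ("F", "1971-03-04", "30301"),
    ("F", "1971-09-17", "30309"),
    ("M", "1971-03-04", "30301"),
    ("M", "1971-12-01", "30305"),
    ("F", "1985-11-22", "02139"),
    ("F", "1985-02-02", "02138"),
    ("M", "1990-01-15", "02139"),
    ("M", "1990-06-30", "02139"),
    ("F", "1985-11-22", "02139"),
    ("M", "1990-01-15", "02140"),
]


def quasi_identifier(record, zip_digits=5, dob_precision="day"):
    """Project a record onto the (sex, DOB, ZIP) tuple at a chosen granularity.

    Truncating the ZIP and coarsening the DOB is the generalisation step used
    to reduce how many people each combination singles out.
    """
    sex, dob, zip_code = record
    dob_part = {"day": dob, "month": dob[:7], "year": dob[:4]}[dob_precision]
    return (sex, dob_part, zip_code[:zip_digits])


def _class_sizes(records, **granularity):
    return Counter(quasi_identifier(r, **granularity) for r in records)


def unique_fraction(records, **granularity):
    """Share of records whose quasi-identifier combination occurs exactly once.

    A unique combination means the record can be matched by anyone holding a
    public list (voter roll, loyalty programme) with the same three fields.
    """
    sizes = _class_sizes(records, **granularity)
    unique = sum(1 for r in records if sizes[quasi_identifier(r, **granularity)] == 1)
    return unique / len(records)


def k_anonymity(records, **granularity):
    """Smallest group size: every record is indistinguishable from at least k-1 others."""
    return min(_class_sizes(records, **granularity).values())


if __name__ == "__main__":
    for label, gran in [("full precision", {}),
                        ("ZIP3 + birth year", {"zip_digits": 3, "dob_precision": "year"})]:
        print(f"{label}: {unique_fraction(SAMPLE_RECORDS, **gran):.0%} unique, "
              f"k={k_anonymity(SAMPLE_RECORDS, **gran)}")
```

On the constructed set, full-precision fields leave 80% of the records unique (k=1); coarsening to ZIP3 and birth year leaves none unique (k=2). Real populations need much larger groups before the risk is acceptable, and the records a loyalty programme holds usually carry more than three such fields.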

So how can businesses safeguard their customers’ private information? An increasingly popular and effective solution is tokenization. Tokenization works by replacing a sensitive data value with a surrogate value, or token, so that the sensitive data is no longer present in the business’s own systems but is represented by the token. The actual data is stored, encrypted, in a secure data vault, reducing the organization’s liability for protecting the information and the risk associated with doing so.

XiSecure® for Sensitive Data utilizes Paymetric’s XiFlex™ format-preserving tokenization technology, giving organizations the adaptability needed to protect multiple types of sensitive information. XiSecure maintains the original length and format of the data so organizations can leverage Paymetric’s tokenization technology to protect any type of sensitive information that resides within their enterprise. The original data is stored in Paymetric’s off-site, highly secure data vault.

Now your organization can employ a tokenization strategy with no impact to existing IT infrastructure and no added costs for modifications. Learn more about Paymetric’s proprietary solution here.
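To make the mechanism described in this post and in the PHI post above concrete, here is an added example written for this page, not Paymetric’s XiSecure or XiFlex code and assuming nothing about their internals: a minimal format-preserving token vault in Python. The token is drawn at random, so it has no mathematical relationship to the value; the same value always maps to the same token, found through a keyed hash so plaintext never serves as a lookup key; the token keeps the length, separators and last four characters of the original; and the original comes back only to a caller holding a detokenize role. The HMAC index, the keep-last-four rule, the role check and the sample SSN are all assumptions for illustration.

```python
"""Vault-backed, format-preserving tokenization (added illustration)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import string


class TokenVault:
    """Replaces sensitive values with random surrogate tokens.

    The value-to-token mapping exists only inside this object (the "vault").
    A token is drawn at random, so it has no mathematical relationship to the
    value it stands for; an attacker holding only tokens learns nothing, and
    the security of the scheme rests on who may call detokenize().
    """

    def __init__(self, index_key: bytes, keep_suffix: int = 4):
        # Assumed design: a keyed hash indexes existing values so the same input
        # always yields the same token without storing plaintext as a dict key.
        self._index_key = index_key
        self._keep_suffix = keep_suffix
        self._token_by_index: dict[str, str] = {}
        self._value_by_token: dict[str, str] = {}

    def _index(self, value: str) -> str:
        return hmac.new(self._index_key, value.encode(), hashlib.sha256).hexdigest()

    def _surrogate(self, value: str) -> str:
        """Random token with the same length and character classes as `value`.

        Digits stay digits, letters stay letters, separators are kept, and the
        last `keep_suffix` characters are preserved so a record can still be
        matched by its tail (last four of an SSN) without exposing the rest.
        """
        body_len = max(len(value) - self._keep_suffix, 0)
        out = []
        for i, ch in enumerate(value):
            if i >= body_len or not ch.isalnum():
                out.append(ch)
            elif ch.isdigit():
                out.append(secrets.choice(string.digits))
            elif ch.isupper():
                out.append(secrets.choice(string.ascii_uppercase))
            else:
                out.append(secrets.choice(string.ascii_lowercase))
        return "".join(out)

    def tokenize(self, value: str) -> str:
        """Return the token for `value`, minting one on first sight."""
        body = value[: max(len(value) - self._keep_suffix, 0)]
        if not any(ch.isalnum() for ch in body):
            raise ValueError("value too short to tokenize while keeping its suffix")
        idx = self._index(value)
        if idx in self._token_by_index:
            return self._token_by_index[idx]
        for _ in range(100):  # reject a surrogate equal to the value or an existing token
            token = self._surrogate(value)
            if token != value and token not in self._value_by_token:
                break
        else:
            raise RuntimeError("token space exhausted for this format")
        self._token_by_index[idx] = token
        self._value_by_token[token] = value
        return token

    def detokenize(self, token: str, caller_roles: set[str]) -> str:
        """Hand back the original value only to a caller holding the right role."""
        if "detokenize" not in caller_roles:
            raise PermissionError("caller may not detokenize")
        return self._value_by_token[token]


def is_format_preserving(value: str, token: str) -> bool:
    """True when the token matches the value position by position in length and character class."""
    if len(token) != len(value):
        return False
    for v, t in zip(value, token):
        same_class = (v.isdigit() and t.isdigit()) or (v.isalpha() and t.isalpha()) or v == t
        if not same_class:
            return False
    return True


if __name__ == "__main__":
    vault = TokenVault(index_key=secrets.token_bytes(32))
    ssn = "123-45-6789"  # constructed sample, not a real SSN
    tok = vault.tokenize(ssn)
    print("application stores:", tok)
    print("vault returns:", vault.detokenize(tok, {"detokenize"}))
```

In production the vault would sit in a separate, hardened environment with its own key management and audit log. What stays true of any such design is that an attacker who dumps the application database gets tokens that are only useful to someone who can also call detokenize(), so that call path deserves the same scrutiny as the data itself.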

To learn more about protecting PII, you can watch either (or both) of our webcasts:

The New Data Breach: Critical Factors to Consider for Securing PII and Sensitive Data within your SAP® environment

The New Data Breach: Critical Factors to Consider for Securing PII and Sensitive Data within Oracle® EBS

Join Us in Las Vegas for CRM 2015!

We are proud to announce that experts from Paymetric will be at SAPinsider’s CRM 2015, the premier event for SAP sales, marketing, e-commerce, service and interaction center management. The event takes place at the Mirage Resort and Casino in Las Vegas, March 30 through April 1, 2015.

Attend to learn best practices across sales, marketing, service and commerce and case studies on how successful companies are leveraging SAP solutions to better engage with their customers. You will also have countless opportunities to engage and network with your peers, SAP partners, and SAP experts.

Paymetric will be exhibiting at booth #120 in the expo hall – be sure to visit us to learn more about our best-in-class payment acceptance and data security solutions for SAP® merchants.

You can get full details on the agenda and more information about the event by visiting www.crm2015.com.

To schedule a one-on-one demo on-site at the show, please contact us.

As Big Banks Prep for EMV, Fraud Relief Remains Far Off

Large banks and card issuers are ready for the U.S. shift to EMV chip card technology, according to a report issued Wednesday. But the drop in fraud that is expected to result is unlikely to come any time soon.

The use of EMV chip cards is supposed to make retailers like Target less appealing targets for hackers, because data captured from a chip transaction cannot be used to manufacture a working counterfeit card. However, the way the U.S. is implementing EMV leaves plenty of room for the continued use of counterfeit cards. And there is a plethora of ways hackers can use stolen card information without using a physical card.

“EMV’s impact on fraud in 2015 could be pretty much a toss-up,” said Steve Mott, CEO of BetterBuyDesign, a consultancy based in Stamford, Conn.

According to a study released Wednesday by CardHub, all 10 of the largest credit card issuers are in the process of issuing chip-based credit and debit cards and expect the majority of their portfolios to be updated by the end of 2015. All the major banks are issuing chip-and-signature cards, with 40% also supporting PIN capabilities. About 65% of retailers plan to accept chip-and-PIN cards as well.

This means the major banks are in good shape to handle the October 2015 “liability shift” deadlines Visa, MasterCard and Discover have set to encourage U.S. issuers and merchants to migrate from magnetic stripe cards to EMV.

“Right now, issuers incur the cost of card-present counterfeit fraud in stores,” said Martin Ferenczi, president for North America at Oberthur Technologies, a manufacturer of chip cards. “After October 2015, the institution with the lesser technology will be liable for fraudulent charges.”

The CardHub study also shows that the major card issuers are all putting magnetic stripes on their chip cards. This provides convenience all around — the new cards consumers get in the mail will be usable on older point-of-sale terminals that are not yet EMV-ready as well as new devices. It also waters down the security promised by EMV.

As long as there are dual or hybrid payment terminals and ATMs that accept magnetic stripe cards, hackers will be able to use fake cards created with stolen credit and debit card data.

“Visa is projecting 29% of POS transactions to be chip-on-chip, but everyone I know believes the right number is more like 5% or less,” Mott said. “If it’s wildly successful, EMV chip-on-chip volume might hit a running rate of 10% by year-end, but only at the 200 top retailers.”

Mott expects merchants probably will have 30% to 40% of locations equipped with EMV-ready terminals by year end, but most of them will not have the software installed and certified to make them work.

“Many will choose to turn them off until they can figure out how to get around the user ‘gotchas,’ such as leaving cards in the dip slots and not dipping them long enough,” he said.

In some near-term scenarios, Mott said, EMV could actually increase fraud. For instance, EMV credentials sent “in the clear,” or unencrypted, could be intercepted and used online on websites that don’t require security codes.

Eventually, as the U.S. gradually shifts to EMV-only mode, fraudsters’ ability to use fake credit and debit cards on physical machines (this is also known as “card present” fraud) will fade, as it has in other countries like the U.K. and Canada. They will then take their stolen card data and inclination toward thievery elsewhere.

Card-Not-Present Fraud

EMV stands for Europay, MasterCard and Visa, the standard behind chip cards, which are considered far more secure than the magnetic stripe cards in common use in the U.S. today. A chip card computes a unique cryptogram for every transaction, so card data captured at a terminal or from a breached retailer network cannot be replayed or used to clone the chip; EMV credit and debit cards are almost impossible to duplicate, which means counterfeit card fraud should decrease. A chip transaction does not by itself hide the account number from the merchant, however. That is the job of payment tokenization, in which the retailer receives a temporary token generated by a card network rather than the real card number, so hackers who break into a retailer’s network the way thieves compromised Target more than a year ago would find a stash of useless numbers. The two measures are complementary.

Many industry observers expect the migration to EMV will increase fraud in all the places where credit cards are used but not physically presented, such as on shopping websites, over the phone, by mail and by fax. This is called card-not-present fraud. Some experts include mobile app payments, such as Uber and Apple Pay transactions, in this category. Card-not-present fraud already accounted for 45% of U.S. card fraud in 2014, according to Aite Group.

When the U.K. shifted to EMV cards, counterfeit card fraud fell 56%, according to Aite, but card-not-present fraud rose 79% in the first three years after the country switched to chip cards. It more than doubled in Australia and Canada.

“The experience in the U.K. is very indicative of what we’ll see here,” said Joram Borenstein, vice president of marketing at Nice Actimize, a provider of fraud analytics. “Understanding how card-not-present fraud is likely to spike, we need to retrain fraud investigators.”

Read the full original article here.

Financials 2015

Join us at SAPinsider’s FINANCIALS 2015 in Las Vegas! Friends, colleagues of Paymetric save $200!

Paymetric is a proud sponsor, speaker and exhibitor at SAPinsider’s FINANCIALS 2015, the premier event for SAP financial accounting, control, planning, consolidation, closings, and reporting.

Taking place at the Wynn Hotel in Las Vegas, March 17-20, 2015, attendees will learn proven methods for continuously improving and transforming key financial processes. If you’re able to attend the event, please be sure to stop by our booth #210 in the exhibition hall, where Paymetric experts will be onsite discussing our best-in-class payment acceptance and data security solutions for SAP merchants. Scan your badge for a chance to win a PS4!

Our close collaboration with SAPinsider this year has made it possible for us to extend a special registration discount to all of our valued clients and colleagues who have not yet registered — $200 off the on-site price! Click here to get started and save!

Paymetric will also be speaking at the following session:

Session Topic: Optimize Your 2015 ePayments Strategy
Speaker: Jennifer Rossi, VP Channel Sales, Paymetric, Inc
Date: Tuesday, March 17
Time: 4:45 PM – 6:00 PM
Location: Palmer 2, Wynn Hotel Las Vegas

In this session, attendees will learn:

  • Risks and challenges around the ePayments landscape of today’s enterprise
  • A complete overview of the ePayments and data security solutions available to you today and how they work together for your benefit
  • The impact to your PCI DSS audit scope, based on the configuration of your infrastructure
  • What to expect before, during, and after a solution implementation
  • Several client success stories about their journey through the process and the results gained from their solution

Click here to learn more and add this session to your agenda! For more information, or to schedule a one-on-one demo with a Paymetric expert at the show, contact us at sales@paymetric.com.

Natural Grocers investigates possible payment card breach

Natural Grocers is the latest US retailer to announce that it is investigating a possible data breach involving customer payment cards.

The seller of natural and organic foods, which has 93 stores in 15 states, said it is investigating a possible data breach involving an “unauthorized intrusion targeting limited customer payment data.”

The company claims that it hasn’t received reports of any fraudulent use of payment cards from any customer, credit card company or financial institution. However, sources in the financial industry have traced a pattern of fraud on customer credit and debit cards suggesting hackers have tapped into point of sales (POS) systems at Natural Grocers locations across the country, according to US investigative reporter Brian Krebs.

The company said there was no evidence card verification codes were accessed, and no personally identifiable information was involved.

Read the full original story here on computerweekly.com.

How much did the Target, Home Depot breaches really cost?

2014 was the year of breaches for Target and Home Depot.

Target’s breach costs, of course, were the result of a spillover from the attack that hit during the company’s 2013 fourth quarter. And the year of breaches only got worse when Home Depot got hit in September. Now, both companies have provided full-picture outlooks of just how much the breaches impacted the retailers as they reported on their Q4 earnings this week.

Home Depot reported on Tuesday (Feb. 24) that the net expenses of the data breach cost the company roughly $33 million. Home Depot CFO Carol Tomé briefly explained on the call with analysts how the breach costs break down.

“In the fourth quarter, our gross data breach expenses were approximately $20 million. After estimating our insurance recovery, we recorded approximately $5 million of net data breach related expenses in the quarter. For the year, our gross data breach expenses were approximately $63 million, and after expected insurance recovery our net data breach expenses were approximately $33 million,” she said, later noting that the 2015 guidance for the company did not include any “expenses that we may incur in the future for data breach-related claims.”

As for Target, the company reported yesterday (Feb. 25) that the total breach expenses incurred from its massive data breach amounted to $162 million (2013 and 2014 figures combined). For Target’s fourth quarter, it incurred $4 million worth of breach-related expenses. Full-year net breach expenses were $145 million ($191 million offset by $46 million insurance receivable). As for fourth quarter in 2013, Target’s breach expenses hit $17 million ($61 million offset by $44 million insurance receivable).

“A year ago, we were in recovery mode, working to repair guest relationships following the data breach while we undertook an assessment of the long-term prospects for our Canadian business,” Target CEO Brian Cornell said in the call with analysts. “Fast forward to today and we’ve ended the year with the data breach fully behind us and we’ve made the tough decision to execute the Canadian business.”

Click here to read the original article on PYMNTS.com.

Many attackers lurk undetected for months, study finds

According to CIO.com, attackers who penetrate company networks often pose as legitimate users for long periods of time, causing lengthy delays before victims figure out they’ve been hacked.

FireEye’s Mandiant forensics service found that it took a median of 205 days for an organization to detect a compromise, down slightly from 229 days in 2013, according to its 2015 Threat Report.

The drop is nearly insignificant. “I don’t think it’s enough to make a claim that people are getting better at this,” said Matt Hastings, a senior consultant with Mandiant who works on incident response.

One of the main problems is that attackers are moving away from using malware that can be quickly detected. Instead, they’re stealing authentication credentials and using them to log into systems remotely. In that way, they look like legitimate users logging into systems, which becomes difficult to detect.

In two of the largest payment card data breaches, affecting Target and Home Depot, attackers obtained credentials used by third parties to access those retailers’ networks, allowing them to gain a foothold that eventually enabled attacks on their point-of-sale systems.

To be sure, attackers still use malware and backdoors, but more judiciously. In fact, victims will often find components and tools used for an attack and remove them, Hastings said, but still fail to understand fully what is going on.

As a result, the hackers—seeing that some of their intrusions have been detected—can change tactics to maintain their presence in a network.

Mandiant’s report said in 69 percent of breaches, an organization found out about an attack from another group, such as law enforcement. That’s up from 67 percent in 2013 and 63 percent in 2012.

One of the ways an attacker can appear to be an authorized user is by gaining VPN access. Mandiant saw attackers obtain login credentials for those systems more in 2014 than ever before.

Once they enter through a VPN, an attacker can often get access to other systems, Hastings said. That opens the possibility of using a tool such as Mimikatz, which can collect clear-text passwords of users currently logged in.

Windows keeps credentials in the memory of the Local Security Authority (LSASS) process so they can be reused for single sign-on, and that is what Mimikatz reads from on any machine where the attacker has already obtained administrative rights.

Windows Server 2012 R2 and Windows 8.1 have a defensive mechanism called “protected processes” to defend against this kind of attack, Hastings said. But most organizations use Windows Server 2008 functional domains and Windows 7 endpoints.

“Unfortunately, at this point, it’s very hard to mitigate this type of risk,” Hastings said.

To further blur their activity, attackers modify and recompile Mimikatz’s source code. Mandiant said it did not find a single instance in which an organization’s antivirus software detected or prevented Mimikatz from running, despite its reputation.
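As an added illustration of the detection problem the article describes (this is not Mandiant’s tooling or anything from the original story), the following Python script looks for the behavioural signals that credential-based intrusions leave even when no malware is present: a VPN logon from an address an account has never used, followed by network logons to a burst of unfamiliar hosts. The event rows are constructed to resemble a VPN concentrator’s accept log and Windows Event ID 4624 network logons; the account, addresses, host names, one-hour window and two-host threshold are all assumptions.

```python
"""Spotting stolen-credential use that 'looks like' a legitimate user (added illustration)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry, not real logs. Each row: (timestamp, source, account,
# client address, target). "vpn" rows stand for a VPN concentrator's accept
# log; "4624" rows stand for Windows network logons (Event ID 4624, type 3).
LEARNING_WINDOW = [  # a normal week, used to learn the account's habits
    ("2015-02-02T08:01:00", "vpn", "jdoe", "203.0.113.7", "vpn-gw"),
    ("2015-02-02T08:05:00", "4624", "jdoe", "10.20.0.15", "fileserver01"),
    ("2015-02-03T08:03:00", "vpn", "jdoe", "203.0.113.7", "vpn-gw"),
    ("2015-02-03T08:10:00", "4624", "jdoe", "10.20.0.15", "fileserver01"),
    ("2015-02-03T09:10:00", "4624", "jdoe", "10.20.0.15", "mail01"),
]

SUSPECT_SESSION = [  # the same account, 2 a.m., new address, many new hosts
    ("2015-03-01T02:12:00", "vpn", "jdoe", "198.51.100.44", "vpn-gw"),
    ("2015-03-01T02:15:00", "4624", "jdoe", "10.20.0.15", "fileserver01"),
    ("2015-03-01T02:16:00", "4624", "jdoe", "10.20.0.15", "pos-ctrl01"),
    ("2015-03-01T02:17:00", "4624", "jdoe", "10.20.0.15", "pos-ctrl02"),
    ("2015-03-01T02:19:00", "4624", "jdoe", "10.20.0.15", "dc01"),
    ("2015-03-01T02:22:00", "4624", "jdoe", "10.20.0.15", "hr-db01"),
]


def build_baseline(events):
    """Learn, per account, the VPN client addresses and internal hosts it normally uses."""
    vpn_sources = defaultdict(set)
    hosts = defaultdict(set)
    for _ts, source, account, client, target in events:
        if source == "vpn":
            vpn_sources[account].add(client)
        elif source == "4624":
            hosts[account].add(target)
    return vpn_sources, hosts


def detect(events, baseline, window=timedelta(hours=1), max_new_hosts=2):
    """Flag (a) a VPN logon from an address the account never used before and
    (b) network logons to more than `max_new_hosts` unfamiliar hosts inside `window`.

    Neither pattern needs malware on disk, which is why these intrusions slip
    past antivirus but not past a comparison with the account's own history.
    """
    vpn_sources, known_hosts = baseline
    alerts = []
    recent = defaultdict(list)   # account -> [(time, host)] inside the sliding window
    already_flagged = set()      # one lateral-movement alert per account per run
    for ts, source, account, client, target in sorted(events):
        when = datetime.fromisoformat(ts)
        if source == "vpn" and client not in vpn_sources[account]:
            alerts.append((account, "vpn_from_new_source", client))
        elif source == "4624":
            recent[account] = [(t, h) for t, h in recent[account] if when - t <= window]
            recent[account].append((when, target))
            new_hosts = {h for _, h in recent[account]} - known_hosts[account]
            if len(new_hosts) > max_new_hosts and account not in already_flagged:
                already_flagged.add(account)
                alerts.append((account, "lateral_movement", tuple(sorted(new_hosts))))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(LEARNING_WINDOW)
    print("normal week:", detect(LEARNING_WINDOW, baseline))
    for alert in detect(SUSPECT_SESSION, baseline):
        print("ALERT", alert)
```

Tuning matters: the learning window has to be long enough to capture an account’s real habits, and the host threshold should be higher for administrators who legitimately touch many machines, or the rule will page on every patch night. The same two signals are also what an incident responder looks for when reconstructing how a stolen VPN credential was used.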

Click here to read the original story on CIO.com.