Trends & Tactics: Fraudsters’ New Targets

E-commerce, better malware, and mobile devices are on the minds of fraudsters, according to Trustwave Holdings Inc.’s latest annual data-breach study.

Chicago-based Trustwave, a leading data-forensics investigator and security vendor, based its report on 450 data breaches it investigated last year around the world. Hackers targeted payment card data in 98% of the breaches studied.

For the first time, e-commerce sites edged out point-of-sale systems, 48% versus 47%, as targeted assets. The other breaches involved data centers and corporate infrastructure, 4%, and ATMs, 1%.

Hackers’ targets vary across the world based on what’s available and what’s vulnerable. Some 73% of the breach victims were U.S.-based. “We’ve got the most retailers … we’re the commerce capital of the world,” says Christopher Pogue, director of digital forensics and incident response at Trustwave’s SpiderLabs unit.

The U.S. also is the last major bastion of the magnetic-stripe credit and debit card, which is more vulnerable to counterfeiting than the EMV (Europay-MasterCard-Visa) chip cards now common in much of the world. Hackers typically sell the card data they steal to other criminals who make counterfeit cards.

If the data are harder to steal from stores using EMV terminals, thieves will turn their attention to e-commerce sites or merchants still accepting mag-stripe cards at the point of sale.

Attacks originated from 29 countries, but Romania accounted for 34% of them to take over from 2011’s leader, Russia.

Some 45% of Trustwave’s investigations involved retailers, which, with a 15% increase in breaches, reclaimed the No. 1 spot as the most-hacked merchant category from 2011’s leader, the food-and-beverage industry. Retailer and restaurant breaches in recent years have run fairly closely, and Pogue doesn’t see any trend in the latest numbers.

“They’re kind of populated with the same point-of-sale systems,” he says. “It’s the same stuff, it’s the same hardware.”

The vast majority of breached merchants, 80% to 85%, were small ones, known in industry lingo as Level 4 merchants. These merchants typically do not have information-security departments and often outsource the operation of their data-processing systems to third parties. Sixty-three percent of breach victims used a third party for system administration while 37% handled such tasks themselves.

As it has reported in previous studies, Trustwave says easily guessed default passwords or other preventable security lapses played roles in many data breaches last year. Trustwave analyzed 3 million user passwords and found that 50% of businesses are still using weak passwords.

Meanwhile, Trustwave noted that the malicious software, or malware, that hackers use to find, collect, and export data made incremental improvements even though no fearsome new strain burst onto the scene last year. (Trustwave’s report documented about 40 variations used by six criminal groups.)

For example, new malware technology exploits so-called Dynamic Linked Libraries, which are chunks of reusable code that computers use to perform many different functions, including keyboard input and memory usage, says Pogue.

Malware also is getting better at hiding itself and at hiding data. Some 25% of the data in Trustwave’s breaches were encrypted, and the average time from breach to detection rose to 210 days, 35 days longer than in 2011.

Trustwave also says the incidence of mobile malware exploded by 400% in 2012. None of the mobile-malware cases Trustwave investigated compromised payment card data, Pogue says, but hackers seem unlikely to resist going after smart phones and tablet computers as more merchants employ such devices to accept payment cards.

“You’re going to have an obvious target,” says Pogue. “Mobile malware is going to get more complex, it’s going to get more sophisticated.”

Real-Time P2P Payments Gain Momentum

Fidelity National Information Services Inc. (FIS) last month rolled out its entry in the person-to-person payments sweepstakes and, as with other providers in recent months, its service offers real-time settlement.

Indeed, People Pay—the name FIS has given its new P2P service—is built on the PayNet network the company introduced last fall to offer real-time settlement for various non-card payments.

Using PayNet, People Pay can process transactions through NYCE, the Secaucus, N.J.-based electronic funds transfer switch owned by FIS that links financial institutions including those that aren’t otherwise FIS clients. It can also rely on core-banking connections in cases where the banks involved are FIS clients. Users send payments through their bank’s online-banking system using the recipient’s e-mail address or mobile-phone number.

Five client institutions were in a pilot and are now moving into production, FIS says, adding that while People Pay is the name it has given the service, each institution will brand the product in its own way.

The key to consumer adoption is faster settlement, FIS says. Currently, P2P services mostly rely on the automated clearing house network, which offers next-day settlement. “The real-time [processing] piece is very important,” says Nancy Langer, division executive for e-payments at Jacksonville, Fla.-based FIS. “Most [P2P] solutions are [based on] the ACH.”

Equally important for adoption will be a mobile version of People Pay that will appear in May or June, Langer says. Some time in the latter half of the year, presumably before the holiday shopping season, a virtual gift card version of People Pay is likely to emerge, as well, to work on mobile devices.

FIS has found growing demand for a P2P application that would allow a user to fund and send a downloadable gift code from a merchant to another person as a gift, Langer says. “Gen Y users like this better than a gift card,” she says. “Once [People Pay] is on a mobile device, that [gift code] will be one of the most meaningful use cases. It’s a big priority.”

FIS’s People Pay entry is the latest in a P2P market that has been revived in part by the promise of faster payments. Bank of America Corp., JPMorgan Chase & Co., and Wells Fargo & Co. last year launched clearXchange, a P2P network that switches funds among customers of the three sponsor banks.

FIS rival Fiserv Inc. offers Popmoney, a service Fiserv acquired in 2011 and combined with a P2P service it had started called Zashpay. ClearXchange and Popmoney reach roughly three-quarters of all U.S. online banking users, according to estimates that emerged last year. For credit unions, processor Co-Op Financial Services last month unveiled a digital wallet called Sprig that includes real-time P2P capablity.

At the same time, technology players have been pushing to speed up transaction times, stressing the need for real-time or near-real-time settlement to appeal to younger mobile users accustomed to instant results. A key player in this movement is Dwolla Inc., a Des Moines, Iowa-based startup that last year introduced a service called FiSync that allows users to instantly fund Dwolla accounts from their bank accounts.

Experts see potential in People Pay because of FIS’s backing but question whether its P2P orientation will prove to be a lucrative market and whether banks will respond in significant numbers. “It’s an optional service for financial institutions, they don’t have to do it,” says George Peabody, an independent payments analyst. “It’s a classic problem for any network provider, can I get issuers to participate? These are your distribution partners essentially.”

Aaron McPherson, practice director for worldwide payment strategies at IDC Financial Insights, argues FIS will ultimately have to add a point-of-sale capability to build adoption and volume. Says he: “Domestic P2P is pretty much friends and family, but if you can use it for brick-and-mortar [retail] payments it becomes more interesting.”

Langer will not go into detail about FIS’s pricing to banks initiating transactions, but says there will be a setup fee and likely either a transaction fee or user fee. Pricing to consumers for People Pay will be left to individual financial institutions, though Langer says most are considering not charging.

Digital Wallets: Not Looming Large

So familiar in Silicon Valley and the insular world of electronic payments, the concept of the digital wallet has yet to catch on with the general public. New research from comScore Inc. shows that many consumers don’t understand what a digital wallet is and few have used one, the major exception being PayPal Inc.

The November study by the Reston, Va.-based Internet data-measurement firm found that only 51% of Americans are aware of digital wallets other than PayPal’s.

“There’s so many differences out there that it becomes a little confusing,” says Andrea Jacob, payments practice leader at comScore.

Some of the wallets, such as the phone-company-backed Isis, are available only in a few test cities, notes Jacob. And those based on near-field communication technology, including Isis and Google Inc.’s Google Wallet, are accepted at comparatively few merchants and usable only on a limited number of smart phones so far.

Add to that the fact that, apart from the vague notion that a digital wallet is the electronic equivalent of the cash and credit and debit cards in one’s wallet that can be accessed through a smart phone, there’s no standard definition of a digital wallet.

“It’s something that’s going to be difficult for a user to grasp on to when there’s not a unified voice in the market,” Jacob says.

Knowing that digital wallets do not loom large in the minds of consumers, comScore used survey methodology to reduce the awareness gap, Jacob says. The company typically draws on its opt-in panel of 1 million U.S. online consumers for its research. For the November study, comScore picked a representative sample of 2,823 adults with smart phones and asked them about a specific digital wallet. Each respondent was asked to review the Web site of a provider and become familiar with its product and how it works, and then answer about 30 questions.

A separate but similar sample of 2,304 adults with smart phones was given general information about digital wallets, but nothing specific about any brand. Then they answered about 35 questions about their perceptions and hypothetical digital-wallet preferences.

Among the group that had reviewed individual wallets, 72% of respondents were aware of PayPal and 48% had used it. That was no surprise to comScore since the PayPal brand has been around since 1998 (though its digital wallet is much newer) and has benefited from exposure to the huge customer base of its parent company, eBay Inc., Jacob notes. PayPal processed nearly $14 billion in mobile-payments volume in 2012, $4 billion more than it had expected and up from $4 billion in 2011, according to eBay.

After PayPal, awareness and usage of mobile wallets dropped way off. Only 12% of consumers claimed to have used any wallet other than PayPal’s, and some used multiple wallets.

ComScore also said that while consumers rated security as a major concern, many were unaware of the locking features on digital wallets designed to prevent them from being used by unauthorized persons. The average respondent awareness of the feature across all brands was 57%. Lemon led with 71% and LevelUp trailed with 42%. Awareness of locking features probably is a result of the play the brands give to security on their Web sites, according to Jacob.

Letter: Not All Online PIN Debit Is Created Equal

To the Editor:

The recent article highlighting the challenges and opportunities of PIN debit for e-commerce [“A Tangled Web for PIN Debit,” February] was well written, thorough, and very enlightening. I would like to provide you with additional insights and facts that will promote even greater clarity.

Acculynk’s PaySecure PIN-debit product is currently benefiting and has been selected for implementation by top-tier merchants such as Sears, Kmart, and Home Depot among many other highly recognizable merchants in the near-term pipeline. In addition to the lower cost, minimal fraud, and reduction in chargebacks afforded by PIN-debit transactions, there are additional highly compelling benefits for merchants worth noting:

Only Acculynk offers “true” PIN debit, meaning that the exact same process consumers use to check out in-store or at an ATM applies to e-commerce sites or mobile apps as well. Customers only have to enter their PIN—no passwords, no phone calls, and no enrollment steps. Asking customers to do something different greatly increases the possibility of shopping-cart abandonment. It’s all about low friction and high consumer acceptance. In fact, when presented the PIN pad online, branded with their bank’s logo, up to 75% of consumers enter their PIN on their PC. They recognize the PIN pad and trust their bank.

On the international front, the actual stakes are higher than may have been apparent from the article. Most emerging markets are PIN-debit-only, as signature debit is not usually an option. Enabling PIN-debit transactions online opens the door for in-country and cross-border e-commerce on an unprecedented scale. To give you an idea, we have enabled ATH cards in Puerto Rico, which brings 2.5 million cardholders online. India’s RuPay holders total over 250 million, and our program with China UnionPay will enable a staggering 3 billion cards for e-commerce later this year.

Additionally, it’s important to keep in mind the difference between card authentication and user authentication. We often use a term called 2FA, or 2-factor authentication. The idea is simple: something you have (the card) and something you know (the PIN). Without the PIN, a stolen debit card is useless. With signature debit, a crook can enter the card data and commit fraud. Many alternative solutions do an admirable job authenticating the card but not the person. And if there are user-authentication steps in place, they are always cumbersome.

One final thought I would like to share is how applicable our PIN-pad solution is to issuers and merchants for Web and mobile EMV applications, especially face-to face mobile card acceptance. It’s simple, straightforward and low cost. And speaking of EMV, U.S. merchants and issuers will need to double down on their online fraud strategy as EMV at the point of sale will push fraud to even higher levels online. Rather than declining, issuer interest is higher than ever. Internet PIN debit enabled by Acculynk has huge potential here given that EMV was never designed to solve for e-commerce.

Sincerely,

Ashish Bahl

Chairman and CEO, Acculynk

Atlanta