Editorial content organized by topic
Sponsored content from industry partners
Latest offerings by category 
Articles submitted by industry partners
Online Edition

Oct 22

Merchants weak link in cybercrime

Posted by John Ginovsky in Making Sense Of It All

This being National Cyber Security Awareness Month, it's appropriate to start off with some of the eye-popping statistics that various industry players put out recently:

· Every second, 18 adults around the world become victims of cybercrime. (Norton)
· Each cybercrime ends up costing $197 per victim, on average. (Norton)
· Nearly one in five Americans report being victim to a crime committed over the internet, including identity theft, data theft, bullying, and auction fraud. (McAfee)
· The top two concerns while using the internet are identity theft and theft of financial information. (McAfee)
· Nearly six out of ten small businesses do not have a contingency plan outlining procedures for responding to and reporting data breach losses. (Symantec)
· 86% of small businesses say they are satisfied with the amount of security they provide to protect customer or employee data, yet, according to Visa, small businesses represent more than 90% of the payment data breaches reported to the company. (Symantec)
The first four points are scary enough, but the last two points ought to make financial institutions really perk up. Like it or not, eventually every merchant-connected cybercrime affects the associated banking relationship. Which is why ABA's President and CEO, Frank Keating says, "Small businesses are a growing target for account takeover. Yet, a strong partnership with your financial institution will give you the tools needed to shield yourself from this attack."
Yet another survey, this one by SignatureLink, gives lukewarm news. The title on the press release says it all: "Merchants fighting fraud online-but not effectively."
The survey finds that 65% of small businesses attempt to address payment fraud through active verification systems like Verified by Visa and MasterCard SecureCode. "That's an admirable effort, but it's often a case of the cure being worse than the disease," says Greg Wooten, CEO, SignatureLink.
On the plus side, this survey finds that 52% of merchants perform prefraud screening such as geolocation of the customer's IP address. On the minus side, any fraudster with the most basic of skills can easily manipulate those screening efforts by spoofing the IP address.
"The merchant ends up with a false sense of security while remaining vulnerable to fraud," Wooten says.
Other than wringing one's hands, what can anybody do about this? Well, that's why there's a whole month dedicated to cyber security awareness, which is another way of saying that all the good guys need to keep talking to each other and sharing information on the latest trends, threats, and responses.
"There is a clearer view of the new risks facing the industry and there is an increase and new urgency in information sharing," says Tom Heiser, president, RSA. "Perimeter-centric approaches to security are being replaced by a more mature model that if done right can offer organizations confidence in their ability to defend today's open, hyper-connected, and distributed digital infrastructures."
Part of that means that there are new tools becoming available to take new approaches to reducing online vulnerability. First though, there's the information-sharing part. Here's a long list of advice to small businesses, again from various sources:
· Protect your online environment. Encrypt sensitive data and keep updated antivirus and antispyware protection on computers. (ABA)
· Partner with your bank for payment authentication, such as services that offer call backs, device authentication, multiperson approval processes, and batch limits. (ABA)
· Pay attention to suspicious activity and react quickly. Look out for strange network activity, do not open suspicious emails, and never share account information. (ABA)
· Understand your responsibilities and liabilities. The account agreement with your financial institution will detail what commercially reasonable security measures are required in your business. (ABA)
· Know what you need to protect, and where it is stored and used. (Symantec)
· Enforce strong password policies, ideally those with eight or more characters and combinations of letters, numbers, and symbols. (Symantec)
·  Map out a disaster preparedness plan today, archive important files, and test everything frequently. (Symantec)
· Collect the buyer's consent to your terms and conditions, including refund policies, through voice or signed consent. (SignatureLink)
· Use second-generation geolocation solutions that are harder for fraudsters to defeat. (SignatureLink)
· Delete without opening any suspicious email, tweets, posts, and online advertising. (McAfee)
· Limit the type of business conducted in wi-fi hotspots. (McAfee)
· When banking and shopping, check to be sure the site is security enabled, usually designated by web addresses marked "https://" or "shttp://"; "http://" is not secure. (McAfee).
· Be wary of communications that implore you to act immediately, offer something that sounds too good to be true, or ask for personal information. (McAfee)
· Report stolen finances or identities and other cybercrimes to the Internet Crime Complaint Center (www.ic3.gov) and local authorities as appropriate. (McAfee)
All great advice, to be sure. But where's the technology solutions to help out the beleaguered merchants and financial institutions that really would prefer to concentrate on legitimate business as well as serving their legitimate customers? Never fear. Security vendors are hard at word coming up with just such products. Here's a sampling, announced recently:
· RSA offers Distributed Credential Protection engineered to scramble, randomize, and split secrets and authentication credentials into two separate locations. Attackers would have to compromise two servers or data centers nearly simultaneously, without detection, in order to gain valuable information.
· Prolexic offers a variety of products designed to thwart distributed denial of service attacks, including those that target cloud-based applications.
· Bluepoint Solutions expanded its real-time, automated fraud prevention tools to accommodate its entire suite of remote deposit capture applications, including mobile deposit, ATM, merchant, and home capture points.
· Symantec and Wincor Nixdorf joined forces to make self-service banking solutions more secure by detecting anomalies in running applications and taking immediate action.
· ID Analytics partnered with iovation for advanced identity fraud mitigation, mainly by expanding the definition of identity beyond the traditional elements of Social Security number, name, address, phone number, date of birth, IP address, and email address, to include device identification and reputation intelligence for smart phones, PCs, tablets, and other internet access points.
RSA's Heiser pretty much puts the issue in perspective: "Customers, more executives, and more boards of directors are starting to understand that accepting the fact that intrusions will occur is not the same as accepting that losses of sensitive information, malicious vandalism, or other harm have to occur. They are adopting new tools and new tactics to balance broad, easy access to information with agile, effective security."
Sources for this article include:
2012 Norton Study: Consumer Cybercrime Estimated at $110 Billion Annually
New Survey Shows U.S. Small Business Owners Not Concerned About Cybersecurity; Majority Have No Policies or Contingency Plans
ID Analytics and iovation Partner to Fight Online Fraud
Merchants Fighting Fraud Online-But Not Effectively, Reveals Study by SignatureLink and CardNotPresent.com
National Cyber Security Alliance and McAfee Release New Cybercrime Data for National Cyber Security Awareness Month
ABA Offers Tips to Small Businesses for Combating Fraud
Symantec and Wincor Nixdorf: Joining forces to protect financial self-service systems worldwide from attacks
New RSA Innovation Helps Thwart "Smash-and-Grab" Credential Theft
RSA Executives Assert Security Budgets Require Better Alignment to Address New Threats and New Mindset
Bluepoint Solutions Expands Real-Time Check Fraud Prevention to Entire Suite of Remote Deposit Capture Technology
Prolexic Publishes New Executive Series White Paper: DDoS Denial of Service Protection and the Cloud


About the Author

John Ginovsky is contributing editor of ABA Banking Journal and editor of the publication's TechTopics e-newsletter. For more than two decades he has written about the commercial banking industry. In particular, he's specialized in the technological side of banking and how it relates to the actual business of banking. He previously was senior editor for Community Banker magazine (which merged with ABA Banking Journal) and was a staff writer for ABA's Bankers News. You can email him at jginovsky@sbpub.com  



Comments (0)add comment

Write comment
smaller | bigger

security image
Write the displayed characters


techglobe.jpg TechTopics Plus
WHAT APP, DOC? Banks cannot let mobility evolve without taking part
Alliance pairs web host with payment processor
Acquisition boosts core provider’s offerings
Quick-to-market cash management capabilities offered
ABA Bank Directors Briefing For the director who wants to stay on top of the job

ABA Bank Directors Briefing