The state of computer security

I monitor these sorts of things and I thought I’d share it with all of you. To Mac users, this will come as no surprise but those of you bemoaning all your PC problems, this should be of at least some mild interest.

Macintosh Malware

A company called F-Secure, which watches the computer malware scene as a big part of what it does, just released its latest statistics on Macintosh malware. No surprise that there was a grand total of ZERO, NADA, ZILCH viruses or worms for the Mac in 2011. There were 58 attempts at Trojan horses or backdoor attacks.

By the way, according to the article, there does not seem to be a correlation between the amount of malware for the Mac and the Mac’s market share. I found that interesting. Up until now I had always considered market share a reasonable, if weak, rebuttal from the Windows crowd.

Full story can be found here.

Windows Malware

On the other side, Windows attacks are still growing at an alarming rate. Compared to 1.5 million malware variants for Windows in 2009 and slightly over a million in the first half of 2010 alone, 58 doesn’t seem so bad. In fact, as the article above puts it, it’s “almost negligibly minuscule.” It almost makes you wonder why Norton and the others even bother to write protection for us Mac folks, but I’m glad they do. There could have been 60!

(Figure: Breakdown of Windows, Unix and Java malware)

Posted in credit card fraud

Chip and PIN continues to shift fraud

As everyone predicted, Chip and PIN continues to shift fraud to the Card Not Present world. If you’ve been following this blog for a while, you’ve seen me predict it more than once. I discussed it several years ago when Europe was migrating to the cards and I said it in August of 2010 when Canada announced that it was migrating to Chip and PIN.

An article in this morning’s Banking Times in the UK not only verifies the predictions but tells us that it’s even worse than we thought.

Chip and PIN was designed to reduce counterfeit credit cards and those counterfeit cards are used in Card Present (CP) fraud. The technology has worked well. Counterfeit card fraud has dropped 60% between March of 2009 and March of 2011. The problem is that the bad guys had to go somewhere so, as expected, they went to the Card Not Present (CNP) world.

As recently as three years ago, CNP fraud accounted for only 30% of Europe’s credit card fraud. Today, it tops out at 72%. That’s a tremendous increase.

As I said all along, I believe the real goal of Chip and PIN was to drive fraud to the CNP world where the merchant is not only liable for the losses but charged fees as well. There is no doubt that this has happened. Huge losses have been shifted from the payment industry to the merchant.

I can’t believe that the card issuers didn’t see this coming. As recently as a year ago, the card brands, Visa® in particular, were saying that Chip and PIN in the US was not in the foreseeable future. Suddenly there was a shift and Visa announced a mandatory rollout. Kind of makes you wonder, but I leave it to you to decide on their motive.

On a personal note, I’ve been quiet for quite a while. Admittedly too long. Lots of things have been going on in my world and blogging has had to take a back seat. Hopefully, I’m getting back in the saddle.

Posted in Chip and PIN, credit card fraud, fraud trends

Mobile payments and new fraud strategies

Worldwide delivery of smartphones and tablets has risen. In fact, shipments now exceed those of traditional desktop and laptop devices. Merchants and consumers need to brace themselves for the new fraud channels. Traditional fraud screening isn’t effective for the new generation of payment methods.

The mobile payment problem

Screening techniques like CVV, comparing billing and shipping addresses, and IP geolocation are essentially moot with mobile payments. Even the more recent, and very effective, method of device fingerprinting is less effective in the mobile payment workflow. To make matters worse, the consumer’s expectation of instant gratification rules out the most effective method of screening questionable transactions – manual review of transaction details. And just to make it all more interesting, at least 73,000 malware threats are released on a daily basis thanks to mobile device owners downloading mobile apps with wild abandon while ignoring malware protection apps.

The mobile payment solution

Fraud prevention strategies for mobile payment are emerging, but balancing consumer convenience and speed against fraud prevention isn’t trivial. Fraud screening needs to be done in real time or near real time. There just isn’t any other solution. An article by Alisdair Faulkner in E-Commerce Times presents five strategies for retailers. I won’t detail them here, and I’d urge you to read the article, but to summarize:

  • Current transaction mix review to assess vulnerabilities
  • Reliance on mobile Web for application authentication and authorizations especially for high-risk transactions
  • Centralization of fraud intelligence among the retailer’s departments
  • Behavior and location profiling using mobile device GPS technology
  • Layered fraud prevention which has always been the best approach

I would add one more: data sharing among merchants and processors. Data sharing at Ethoca’s FraudStop has proven to be very effective. When more data is available for making intelligent decisions, fraud rates will drop. When will the industry stop resisting the data sharing concept? I don’t know. But it would cut fraud significantly.

Posted in fraud trends

My customer made me non-compliant

Your customer emails, tweets, or texts an order complete with card data. Are you still in compliance? Maybe not. You have no control over what a customer or potential customer does, but you do have control over whether or not those actions affect your PCI compliance. How you respond to the order is key.

We’ll assume here that you are an on-line merchant. You have a shopping cart and your normal business model is to accept and process orders through that on-line channel. You do not normally accept email orders – you said so in your PCI QSA to obtain your compliance. What do you do if an order comes in through another channel like email, Twitter, or yes, even Facebook?

Delete the card information

First and foremost, delete the card information. Do it immediately with no hesitation. Delete the entire message if you need to but delete that card information. You are not allowed to store card data unencrypted and you are not allowed to store the security code at all.

Contact the customer

Contact the customer. This doesn’t mean hitting “Reply” and sending the card data back to the customer. You already deleted the card information, right? Advise the customer that you cannot and will not accept the order – not even this once. Explain to them how to place an order on your cart or by telephone, and explain the danger of sending card information through insecure channels.

Do not process the order

Never, ever. Not even this one time. Processing the order will take you beyond the scope of your PCI compliance. You will have handed your assessor a loophole to say that you are not in compliance.

While you don’t have control over what is sent to you, you have full control over what you do with that information.
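The three steps above (delete the card data, contact the customer without quoting it back, never process the order) are easier to follow consistently when the mailbox or ticket system does the first step for you. The following script is an added example, not code from the original post: it scans an inbound message for anything that looks like a card number (a run of 13 to 19 digits that passes the Luhn check) or a labelled security code, and returns a redacted copy plus a flag that tells the order desk the customer needs to be redirected to the cart. The length range, the redaction markers and the sample message are my assumptions; the message is constructed and the card number is a well-known test value, not a real account.

```python
"""Scan an inbound message (e-mail body, tweet, SMS) for card data and
produce a redacted copy, so that nothing resembling a PAN or security
code is stored or quoted back to the customer.

Added example, not code from the original post. PAN_MIN/PAN_MAX, the
redaction markers and SAMPLE_EMAIL are assumptions/constructed input.
"""
import re
from dataclasses import dataclass

PAN_MIN, PAN_MAX = 13, 19  # assumption: typical PAN length range

# A maximal run of digits, allowing a single space or hyphen between digits
# (e.g. "4111 1111 1111 1111" or "4111-1111-1111-1111").
DIGIT_RUN_RE = re.compile(r"\d(?:[ -]?\d)+")

# A security code labelled as such in free text, e.g. "CVV: 123" or "cvc 1234".
SECURITY_CODE_RE = re.compile(
    r"(?i)\b(cvv2?|cvc2?|cid|security code)(\s*[:#]?\s*)(\d{3,4})\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def contains_pan(digits: str) -> bool:
    """True if any window of PAN_MIN..PAN_MAX digits in the run passes Luhn.

    Sliding windows matter because a card number pasted next to another
    number ("...1111 123") would otherwise hide inside a longer run.
    """
    n = len(digits)
    for length in range(min(n, PAN_MAX), PAN_MIN - 1, -1):
        for start in range(0, n - length + 1):
            if luhn_valid(digits[start:start + length]):
                return True
    return False


@dataclass
class ScanResult:
    redacted: str
    pans: int
    security_codes: int

    @property
    def contains_card_data(self) -> bool:
        return self.pans > 0 or self.security_codes > 0


def redact_card_data(text: str) -> ScanResult:
    """Return the message with card numbers and security codes removed."""
    pans = 0
    codes = 0

    def _run(m: re.Match) -> str:
        nonlocal pans
        digits = re.sub(r"[ -]", "", m.group(0))
        if contains_pan(digits):
            pans += 1
            # Remove the whole run: an order desk has no need for even the
            # last four digits of something it must not process.
            return "[CARD NUMBER REMOVED]"
        return m.group(0)  # phone numbers, order ids, dates are left alone

    def _code(m: re.Match) -> str:
        nonlocal codes
        codes += 1
        return f"{m.group(1)}{m.group(2)}[REMOVED]"

    redacted = DIGIT_RUN_RE.sub(_run, text)
    redacted = SECURITY_CODE_RE.sub(_code, redacted)
    return ScanResult(redacted, pans, codes)


# Constructed sample message (not a real customer; 4111... is a test number).
SAMPLE_EMAIL = """Hi, please ship order #12345678901234 to 10 Main St.
Card: 4111 1111 1111 1111 exp 12/25 CVV: 123. Call me on 555-123-4567."""

if __name__ == "__main__":
    result = redact_card_data(SAMPLE_EMAIL)
    print(result.redacted)
    print("card data present:", result.contains_card_data)
```

The scan deliberately errs on the side of removing too much: a digit run that contains a Luhn-valid window is dropped in full, and nothing is stored or echoed before the redaction runs. Only the redacted text should ever be attached to the ticket or quoted in the reply that sends the customer to the cart or the telephone.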

From what insecure channel have you gotten orders? Let me know in the Comments.

Posted in e-Commerce, PCI Compliance, Security Standard

Visa Outlines Plan to Recoup Revenue After Durbin

The card brands won’t let a little thing like Federal legislation stand in the way of profit. If legislation takes it away on the grounds that it’s unfair, they just make it up somewhere else.

According to an article in Convenience Store News, at least one payment processor reports that Visa will be adding a Network Participation Fee to offset the revenue lost in the wake of the Durbin swipe fee regulations.

The article seems to indicate that the new fee will have the most impact on convenience stores, since they represent a huge class of retailers accepting debit cards. They’ve already seen their fees increase by 21 percent recently.

Personally, I doubt that the increase will only be felt by convenience stores. Visa will initiate the fee across the board and anyone accepting debit cards will feel it.

Posted in greed, Interchange Fees, Payment Processors