The Logic Group Blog

On Monday (12th November) I was alerted by a colleague to a You Tube video going viral; if you haven’t seen it already it’s titled ‘The Risk inside your credit card’ and suggests that fraudsters can electronically pick pocket your contactless cards - so it’s not surprising it’s had over 5.5 million hits.

The video stipulates that armed with a contactless card reader, fraudsters can gather sufficient card information to clone the card and use it at retailers to make purchases, which isn’t that compelling until the video shows it being done.

The new Annual Fraud Indicator from the National Fraud Authority (NFA) was published this morning and makes some interesting reading.

 

The headline figure which everyone will pick up on is that the loss to the UK economy to fraud each year is estimated to be £73Bn. Considering the previous estimate in 2011 was £38Bn has fraud really increased two fold? The answer, unsurprisingly, is that it hasn’t; what has changed is the inclusion of new areas of the economy not previously considered in the scope and a step change in the methodology in place.

 

So what are the interesting facts in the report?

The devil is in the details - an old adage I know, but just the other day I was struck by how accurate that phrase can be. In an online daily news service for Payments professionals there were 2 very different headlines on consecutive days. On day 1 the headline read “UK: Fraud reaches record levels in 2011”, followed the next day by “UK: Fraud losses on debit and credit cards reach the lowest level in 10 years”

 

How should a Retailer or other merchant respond to headlines like that? Should they increase investment in anti-fraud measures or re-allocate some of that spend to driving new marketing programmes as the risk of fraud is reduced? A more detailed investigation is required – I took a close look at each report, rather than relying on the headlines.
My first observation is that the reports were from two different sources and were talking about different sets of statistics. The “fraud is getting worse” one was from CIFAS, the UK’s Fraud Prevention Service, covering all fraud reported to the National Fraud Database, and the “fraud is reducing” one was from The UK Cards Association covering debit and credit card fraud only. So is that the reason? Well, no it isn’t.  The CIFAS report states that plastic card fraud has increased by 6.3% from 2010 to 2011 whereas the UK Cards Association says the overall rate has decreased by 7%.

I was recently sent a viral video of a baby who's used an iPad to such an extent, that she tried to use the same tablet UI gestures (swiping, clicking and pinch-zooming) when given a real (i.e. dead tree) magazine.

 

What struck me was how the video appeared to polarize opinion between the people who chastised the parents for 'ruining their child's future' and those who hailed this as a watershed moment in human evolution.

 

As with many things in life, I try to take the middle ground.

I returned from holiday to find another attack vector has raised its ugly head. Reading the latest news, at least two hundred fraudulent SSL certificates (and oossibly over five hundred) have been issued from a trusted root certificate authority (CA). In this case, it appears that Diginotar, the Dutch trusted third party has been breached and spoof certificates for common domain names including google.com have been issued. This follows on from a breach at Comodo earlier in the year.

 

What are the implications of this? Well the Diginotar root certificates are included within the trusted root authority stores of all common browsers, meaning that the fraudulent certificates would have been trusted when creating a SSL connection. These can be used to create encrypted tunnels to spoof sites where sensitive information could be transmitted, or leading to potential Man in the Middle attacks.

Last week, Apple withdrew an application that asked for a 4 digit pin on startup. Unbeknown to the user, the application was storing the passcodes and transmitting them back to the developer. Fortunately this time, it was not for malicious purposes, but more out of curiosity! The developer was amazed how the same passcode was used again and again, and that half of the codes would not have been difficult to guess.

Well looking at the latest news, Sony Corp. still remains in the spotlight. A new hacking group seem to have made Sony Corp. the focus of their current efforts. However I believe the most interesting incident from a security perspective is the attempted break in at Lockheed Martin and the recent announcement from RSA regarding the replacement of SecurID tokens.

I wonder what the Japanese is for “when you are in a hole it’s usually a good time to stop digging“?

 

I read the new Sony press release with some bemusement; the one with regard to the loss of 25 million further customer details from Sony Online Entertainment. The release had the following statement:

 

information from an outdated database from 2007 containing approximately 12,700 non-US customer credit or debit card numbers and expiration dates (but not credit card security codes) and about 10,700 direct debit records listing bank account numbers of certain customers in Germany, Austria, Netherlands and Spain may have also been obtained.

 

I wonder if Sony are aware of the Payment Card Industry Data Security Standard (PCI DSS) since they are very effectively stating their non-compliance.

Today we hear confirmation about a breach of the Sony Playstation Network with the loss of millions of account names and personal details and potentially the loss of payment card details such as the payment card number and Expiry dates, but excluding the security code.

 

The type of data rumoured lost includes names, addresses, email addresses, account names, account passwords, relevant date of birth and answers to security questions. By security questions one presumes the questions would be of a similar type to: What is the name of your pet?

 

So should we be concerned?

Why is it; whenever there is a breach of a company’s security it is always attributed to the work of sophisticated cyber criminals? Is this because it really does take a sophisticated criminal to breach an environment these days or do victims prefer to characterise the cleverness of the criminal rather than the weakness of the security environment?

Every man and their dog has a smartphone these days.  Whether an Android, Apple or Blackberry device, today's mobiles are as powerful as desktop PCs were only a decade or so ago.  They can browse the internet and run a countless number of applications.  As such is it inevitable that more and more people are starting to use them like they do with their main PCs – keeping increasing amounts of sensitive personal information on them and using them to make purchases and do personal banking.  The problem is that unlike their PCs, most mobile phones are not currently adequately protected against viruses.  But how many smartphones are there and do people actually use them in sufficient numbers for this to be an issue?

It is estimated that 1 billion card transactions per year worth an estimated £40bn are processed by the UK’s 700,000 contact centre agents. Therefore it is not surprising that Card not Present fraud (stolen details over the phone, internet or mail order) accounts for 56% of all UK card fraud. With the vast majority of CNP fraud coming from contact centres, losses stem not only from fraudulent transactions, but also from cards that are leaked to the criminal fraternity by coerced call centre employees.

 

What can businesses that run contact centres do to prevent or stem this leak? After all they need to take payments, they need to provide effective customer relations and therefore they need their people to be on the phone to the customer.

You are a retail business. You have spent a small fortune in time and money to upgrade your systems and processes and a certified QSA has accredited you as PCI DSS compliant. Do you sit back and relax, safe in the knowledge that you have achieved security nirvana and that fraud will never show its ugly face in your business again? Well not quite.

In keeping with things at this time of year I’ve been thinking about a few predictions for 2011.

 

First off, I think we’ll see more coordinated fraud attacks. As the take-up of PCI DSS compliance continues, fraudsters will be forced to focus more strongly on specific targets. With PCI DSS compliant environments it is clearly harder for would be fraudsters to illicitly obtain card numbers and personal data, meaning would be fraudsters will have to take a more structured and planned approach to their activities, as a “scattergun” strategies will begin to pay less of a dividend.

Sometimes “it will never happen to me” should not be the corporate line!

 

Last year I discovered that my credit card had been used for a number of rogue transactions. My first thought was to blame the wife…but on second glance, they were clearly fraudulent. My mood changed as I thought about all the phone calls and letters it would take to clear up this mess.

Following recent news that more than two-thirds of companies have been hit by data breaches over the past year, the report featured in Computer Weekly is an interesting, if not alarming, confirmation that fraud is on the rise. Although person-present payments have improved security measures due to developments in global security standards like PCI DSS; cyber attacks still continue to be an area of vulnerability for businesses across the UK.

According to the January 2010 report from the National Fraud Authority, fraud now costs the UK an eye watering £30 billion a year. 58% of fraud is committed in the private sector with tax fraud hitting £15.2 billion, and, in the private sector, financial services companies and organisations are said to suffer yearly losses of £3.8 billion through crimes including mortgage and insurance fraud, online banking, cheque and card fraud.

100% security doesn’t exist.

 

The frustrating truth is that almost every organisation will suffer a security breach at some point. Whether it is the defacing of a website, loss of data through a Trojan horse or the corruption of a system by a virus or worm, most companies will experience some form of data breach. This includes merchants who have diligently put measures in place to prevent fraud by implementing the correct security processes and procedures, enlisted specialist third-party anti-fraud services, adhered to appropriate industry initiatives such as 3D Secure and CV2, and complied with PCI DSS to protect their infrastructure against attack.

In the past decade there has been a sharp increase in focus on the security of cardholder data held by third parties. High profile data breaches and the associated losses resulting from the fraudulent use of compromised cardholder data have made global headlines and have struck fear into consumers and merchants alike.

Contactless payment technology continues to develop; it is a hot topic of discussion as Barclaycard rolls out an update to its TV advert demonstrating the ease of contactless technology – but will its implementation become a rollercoaster ride for retailers and will hard currency become harder to find in the future?

What is casual fraud? It can be anything from fraud conducted on online shopping and auction websites – with products purchased but never received, and internal fraud by employees and employers, to online dating scams and the so-called ‘Sweetheart Fraud’ – a deception that refers to the collusion between an employee and a customer.